compliance-trestle
`trestle author jinja` cannot utilize jinja tags within the oscal data.
Describe the bug
When using `trestle author jinja` to create documents from an ssp/profile combination, any jinja tags within the OSCAL result in jinja errors.
To Reproduce
SSP
```json
{
  "system-security-plan": {
    "uuid": "fa4533f0-d342-406b-ba9e-8e6801702062",
    "metadata": {
      "title": "REPLACE_ME",
      "last-modified": "2024-09-20T13:11:51.791835+00:00",
      "version": "REPLACE_ME",
      "oscal-version": "1.1.2"
    },
    "import-profile": {
      "href": "trestle://profiles/jinja-bug/profile.json"
    },
    "system-characteristics": {
      "system-ids": [
        {
          "id": "REPLACE_ME"
        }
      ],
      "system-name": "REPLACE_ME",
      "description": "{% mdsection_include 'description.md' '## Heading' heading_level=3 %}",
      "system-information": {
        "information-types": [
          {
            "title": "REPLACE_ME",
            "description": "REPLACE_ME"
          }
        ]
      },
      "status": {
        "state": "operational"
      },
      "authorization-boundary": {
        "description": "REPLACE_ME"
      }
    },
    "system-implementation": {
      "users": [
        {
          "uuid": "07637b05-6cd4-429e-bd72-2d39a1d94415"
        }
      ],
      "components": [
        {
          "uuid": "9e88a72c-3056-4c4f-8aad-ca92e76d8add",
          "type": "this-system",
          "title": "This System",
          "description": "",
          "status": {
            "state": "operational"
          }
        }
      ]
    },
    "control-implementation": {
      "description": "This is the control implementation for the system.",
      "implemented-requirements": [
        {
          "uuid": "e7a41c1c-718d-4841-ba5d-0de785fbeeb0",
          "control-id": "sc-8",
          "set-parameters": [
            {
              "param-id": "tls_version",
              "values": [
                "1.3"
              ]
            }
          ],
          "by-components": [
            {
              "component-uuid": "9e88a72c-3056-4c4f-8aad-ca92e76d8add",
              "uuid": "75944c14-aca6-4d8f-aed1-3f62e0108f0b",
              "description": "All transmitted data is protected by TLS {{ insert param: tls_version }} encryption.",
              "implementation-status": {
                "state": "implemented"
              }
            }
          ]
        }
      ]
    }
  }
}
```
Profile
```json
{
  "profile": {
    "uuid": "7c1c75b5-64f5-4c5a-9a11-2c34145508b4",
    "metadata": {
      "title": "Jinja bug reproduction",
      "last-modified": "2024-06-24T15:57:03Z",
      "version": "2021.09.15",
      "oscal-version": "1.1.2"
    },
    "imports": [
      {
        "href": "https://raw.githubusercontent.com/usnistgov/oscal-content/main/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json",
        "include-controls": [
          {
            "with-ids": [
              "sc-8"
            ]
          }
        ]
      }
    ],
    "modify": {
      "set-parameters": [
        {
          "param-id": "sc-08_odp",
          "values": [
            "confidentiality",
            "integrity"
          ]
        }
      ]
    }
  }
}
```
Jinja templates
template.md:

```markdown
# Example issue:
## mdsection include that works:
{% mdsection_include 'description.md' '## Heading' heading_level=3 %}
## layered mdsection include that causes an issue:
{{ ssp.system_characteristics.description }}
## embedded moustache templates dont work:
{% for control in catalog_interface.get_all_controls_from_catalog(false) %}
{{ ssp_md_writer.get_control_response(control.id, 2, true) }}
{% endfor %}
```

description.md:

```markdown
# Description of System
File to include in authored output.
## Heading
Include this part
```

Steps to reproduce the behavior:
- Copy above files into the appropriate places in a trestle root
- Run `trestle author jinja -i template.md -ssp ssp -p profile -o output.md`
- See error related to the `{{ ssp.system_characteristics.description }}` include: `trestle.core.commands.author.jinja:94 ERROR: Error while generating markdown via Jinja template: unexpected char '&' at 156`
- Update that description in the SSP to be: `"{ mdsection_include 'author-output/description.md' '## Heading' heading_level=3 %}"`
- Run `trestle author jinja` again with the same parameters
- See error related to the control response: `trestle.core.commands.author.jinja:94 ERROR: Error while generating markdown via Jinja template: expected token 'end of print statement', got 'param'`
- Update the control response in the SSP to remove one of the opening `{`
- Run `trestle author jinja` again with the same parameters
- This time, output will complete and you will see at least a hint as to why the `mdsection_include` didn't work, with the quotes around the filename and heading to include being escaped. I do not know why the control response template didn't work.
Expected behavior
I should be able to use jinja templates within oscal fields, especially those that insert parameters that are set on the control.
Environment
- OS: [e.g. iOS] docker
- Python version: 3.11.9
- Installed packages: compliance-trestle 3.4.0
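
Both error messages in this report can be reproduced in plain Jinja2 when the output of one render is parsed as a template a second time with autoescaping on. The following is an added example, not trestle's code or the reporter's: the two-pass render is an assumption about the cause, the built-in `{% include %}` tag stands in for `mdsection_include`, and the field values are constructed from the SSP above.

```python
# Added illustration, not trestle code. Assumption: the output of the first
# render is rendered again as a template, with autoescaping enabled.
from jinja2 import DictLoader, Environment, TemplateSyntaxError

# Constructed stand-ins for the SSP fields on this page. The built-in
# {% include %} tag stands in for trestle's mdsection_include extension tag.
DESCRIPTION = "{% include 'description.md' %}"
RESPONSE = ("All transmitted data is protected by TLS "
            "{{ insert param: tls_version }} encryption.")


def make_env():
    """Environment with one in-memory file and HTML autoescaping on."""
    loader = DictLoader({"description.md": "Include this part"})
    return Environment(loader=loader, autoescape=True)


def render_once(template_src, **data):
    """Single pass: field values are substituted as inert, escaped data."""
    return make_env().from_string(template_src).render(**data)


def render_twice(template_src, **data):
    """Hypothetical second pass: the first output is parsed as a template."""
    env = make_env()
    first = env.from_string(template_src).render(**data)
    return env.from_string(first).render(**data)


def second_pass_error(template_src, **data):
    """Return the Jinja syntax error message from the second pass, or None."""
    try:
        render_twice(template_src, **data)
    except TemplateSyntaxError as exc:
        return exc.message
    return None


if __name__ == "__main__":
    # The tag arrives in the output with its quotes HTML-escaped.
    print(render_once("{{ d }}", d=DESCRIPTION))
    # Re-parsing that output trips the lexer on the escaped quote.
    print(second_pass_error("{{ d }}", d=DESCRIPTION))
    # The OSCAL moustache is not a valid Jinja print statement.
    print(second_pass_error("{{ r }}", r=RESPONSE))
```

In the single-pass case the field values stay data: the tag text is emitted with escaped quotes and never evaluated, which is why only a render that re-parses its own output reaches the syntax errors.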