NPE when resolving profile selecting catalog children controls without parent

Open GaryGapinski opened this issue 2 years ago • 3 comments

Describe the bug

oscal-cli throws Exception in thread "main" java.lang.NullPointerException when resolving a profile.

Who is the bug affecting?

Users of oscal-cli who wish to resolve a profile.

What is affected by this bug?

oscal-cli fails during execution.

When does this occur?

macOS Ventura 13.2.1 MacBook Pro Intel hardware.

How do we replicate the issue?

Build oscal-cli using main branch of cloned repo.

Create an OSCAL profile instance document.

gapinski@flexion-mac-C02FCBVSMD6N resolver-pipeline % cat c-ce-p.xml                                                         
<?xml version="1.0" encoding="UTF-8"?>
<?xml-model href="https://github.com/usnistgov/OSCAL/raw/v1.0.4/xml/schema/oscal_complete_schema.xsd" schematypens="http://www.w3.org/2001/XMLSchema" title="OSCAL complete schema" ?>
<profile xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="3353e8e1-3eef-42ef-8163-1f71616bafca">
    <metadata>
        <title />
        <last-modified>2023-02-18T13:06:18Z</last-modified>
        <version>2023-02-18T13:06:18Z</version>
        <oscal-version>1.0.4</oscal-version>
    </metadata>
    <import href="c-ce-c.xml">
        <include-controls>
            <with-id>c1.1</with-id>
        </include-controls>
    </import>
</profile>

Create an OSCAL catalog instance document.

gapinski@flexion-mac-C02FCBVSMD6N resolver-pipeline % cat c-ce-c.xml
<?xml version="1.0" encoding="UTF-8"?>
<?xml-model href="https://github.com/usnistgov/OSCAL/raw/v1.0.4/xml/schema/oscal_complete_schema.xsd" schematypens="http://www.w3.org/2001/XMLSchema" title="OSCAL complete schema" ?>
<catalog xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="37b7acd4-ab3f-4217-99d1-2ab9e490db49">
    <metadata>
        <title />
        <last-modified>2023-02-18T13:06:18Z</last-modified>
        <version>2023-02-18T13:06:18Z</version>
        <oscal-version>1.0.4</oscal-version>
    </metadata>
    <control id="c1">
        <title />
        <control id="c1.1">
            <title />
        </control>
    </control>
</catalog>

Perform a profile resolution. Receive exception.

gapinski@flexion-mac-C02FCBVSMD6N resolver-pipeline % alias oscal-cli=/Users/gapinski/Projects/github/usnistgov/oscal-cli/cli-core/target/cli-core-0.3.2-oscal-cli/bin/oscal-cli
gapinski@flexion-mac-C02FCBVSMD6N resolver-pipeline % oscal-cli --version
oscal-cli version 0.3.2 built on 2023-02-19 12:19 on commit d652eac
OSCAL version @oscal-git.closest.tag.name@ on commit @oscal-git.commit.id.abbrev@
gapinski@flexion-mac-C02FCBVSMD6N resolver-pipeline % oscal-cli profile resolve c-ce-p.xml
Exception in thread "main" java.lang.NullPointerException
	at gov.nist.secauto.oscal.lib.profile.resolver.merge.FlatteningStructuringVisitor.visitControl(FlatteningStructuringVisitor.java:123)
	at gov.nist.secauto.oscal.lib.profile.resolver.merge.FlatteningStructuringVisitor.visitControl(FlatteningStructuringVisitor.java:55)
	at gov.nist.secauto.oscal.lib.profile.resolver.support.AbstractCatalogEntityVisitor.visitControlInternal(AbstractCatalogEntityVisitor.java:168)
	at gov.nist.secauto.oscal.lib.profile.resolver.support.AbstractCatalogVisitor.visitControlItem(AbstractCatalogVisitor.java:145)
	at gov.nist.secauto.oscal.lib.profile.resolver.support.AbstractCatalogVisitor.lambda$visitControlContainer$2(AbstractCatalogVisitor.java:127)
	at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:195)
	at java.base/java.util.AbstractList$RandomAccessSpliterator.forEachRemaining(AbstractList.java:720)
	at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484)
	at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474)
	at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:913)
	at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
	at java.base/java.util.stream.ReferencePipeline.reduce(ReferencePipeline.java:553)
	at gov.nist.secauto.oscal.lib.profile.resolver.support.AbstractCatalogVisitor.visitControlContainer(AbstractCatalogVisitor.java:129)
	at gov.nist.secauto.oscal.lib.profile.resolver.support.AbstractCatalogEntityVisitor.visitControlContainer(AbstractCatalogEntityVisitor.java:120)
	at gov.nist.secauto.oscal.lib.profile.resolver.support.AbstractCatalogVisitor.visitGroupContainer(AbstractCatalogVisitor.java:73)
	at gov.nist.secauto.oscal.lib.profile.resolver.support.AbstractCatalogEntityVisitor.visitGroupContainer(AbstractCatalogEntityVisitor.java:108)
	at gov.nist.secauto.oscal.lib.profile.resolver.support.AbstractCatalogVisitor.visitCatalog(AbstractCatalogVisitor.java:50)
	at gov.nist.secauto.oscal.lib.profile.resolver.support.AbstractCatalogEntityVisitor.visitCatalog(AbstractCatalogEntityVisitor.java:96)
	at gov.nist.secauto.oscal.lib.profile.resolver.merge.FlatteningStructuringVisitor.visitCatalog(FlatteningStructuringVisitor.java:84)
	at gov.nist.secauto.oscal.lib.profile.resolver.ProfileResolver.structureFlat(ProfileResolver.java:485)
	at gov.nist.secauto.oscal.lib.profile.resolver.ProfileResolver.handleMerge(ProfileResolver.java:449)
	at gov.nist.secauto.oscal.lib.profile.resolver.ProfileResolver.resolveProfile(ProfileResolver.java:205)
	at gov.nist.secauto.oscal.lib.profile.resolver.ProfileResolver.resolve(ProfileResolver.java:234)
	at gov.nist.secauto.oscal.lib.profile.resolver.ProfileResolver.resolve(ProfileResolver.java:219)
	at gov.nist.secauto.oscal.tools.cli.core.commands.profile.ResolveSubcommand.executeCommand(ResolveSubcommand.java:250)
	at gov.nist.secauto.oscal.tools.cli.framework.CLIProcessor.invokeCommand(CLIProcessor.java:259)
	at gov.nist.secauto.oscal.tools.cli.framework.CLIProcessor.parseCommand(CLIProcessor.java:235)
	at gov.nist.secauto.oscal.tools.cli.framework.CLIProcessor.processCommand(CLIProcessor.java:195)
	at gov.nist.secauto.oscal.tools.cli.framework.CLIProcessor.parseCommand(CLIProcessor.java:143)
	at gov.nist.secauto.oscal.tools.cli.framework.CLIProcessor.process(CLIProcessor.java:127)
	at gov.nist.secauto.oscal.tools.cli.core.CLI.parse(CLI.java:64)
	at gov.nist.secauto.oscal.tools.cli.core.CLI.main(CLI.java:46)
gapinski@flexion-mac-C02FCBVSMD6N resolver-pipeline % 

Expected behavior (i.e. solution)

A resolved profile catalog document should be produced.

Other Comments

The specimen instance documents are in the attached archive. c-ce.zip

GaryGapinski, Feb 19 '23 12:02
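
A pre-flight check for the condition named in this report's title, added here as an example (not code from oscal-cli or liboscal-java): it lists controls a profile selects by `with-id` whose enclosing control in the catalog is not also selected. The function names are hypothetical, the inputs are trimmed copies of the two documents above, and only `include-controls`/`with-id` selections against a single inline catalog are handled.

```python
import xml.etree.ElementTree as ET

NS = {"o": "http://csrc.nist.gov/ns/oscal/1.0"}

# Constructed inputs: trimmed copies of c-ce-p.xml and c-ce-c.xml from the report.
PROFILE = """<profile xmlns="http://csrc.nist.gov/ns/oscal/1.0">
  <import href="c-ce-c.xml">
    <include-controls><with-id>c1.1</with-id></include-controls>
  </import>
</profile>"""

CATALOG = """<catalog xmlns="http://csrc.nist.gov/ns/oscal/1.0">
  <control id="c1">
    <control id="c1.1"/>
  </control>
</catalog>"""


def parent_controls(catalog_root):
    """Map each nested control id to the id of its enclosing control."""
    parents = {}
    for control in catalog_root.iter("{%s}control" % NS["o"]):
        for child in control.findall("o:control", NS):
            parents[child.get("id")] = control.get("id")
    return parents


def orphaned_selections(profile_xml, catalog_xml):
    """Return (selected id, unselected ancestor id) pairs in profile order."""
    profile = ET.fromstring(profile_xml)
    parents = parent_controls(ET.fromstring(catalog_xml))
    selected = [e.text.strip() for e in
                profile.findall("o:import/o:include-controls/o:with-id", NS)
                if e.text]
    chosen = set(selected)
    findings = []
    for cid in selected:
        ancestor = parents.get(cid)
        while ancestor is not None:  # walk up through every enclosing control
            if ancestor not in chosen:
                findings.append((cid, ancestor))
            ancestor = parents.get(ancestor)
    return findings


if __name__ == "__main__":
    for cid, missing in orphaned_selections(PROFILE, CATALOG):
        print(f"{cid}: enclosing control {missing} is not selected")
```
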

I have investigated this further but I need to review the current profile resolution specification and debug further with additional test cases locally. That said, given the additional reports of usnistgov/OSCAL#1662 and usnistgov/OSCAL#1663, I might need to be straightened out to know what should change here, and what should change in XSLT, and what is correct after re-reading the specification.

Thanks again for this report.

aj-stein-nist, Feb 23 '23 00:02

I will be out on leave next week but will keep this assigned for the time being. If others clear the sprint board rapidly, they can feel free to pick this up.

aj-stein-nist, Mar 03 '23 23:03

First off, I need to transfer this issue where applicable, the core liboscal-java library, not the CLI repo itself where it currently is. I am assessing the viability of fixing this for an upcoming patch release or later after I transfer the issue. More to follow.

aj-stein-nist, Feb 01 '24 14:02