
Provide a warning when matching against a group

Open nikitawootten-nist opened this issue 1 year ago • 5 comments

User Story:

As a user, I would like a warning or error to be thrown when attempting to include a group.

As someone new to profile resolution, I would like explicit feedback that profile resolution cannot operate on groups.

As an example, consider the following excerpt:

{
    "profile": {
        "uuid": "c0dc468c-934e-4fe9-b5bf-9fc63f5a2915",
        "metadata": {
            "title": "Sample Security Profile *for Demonstration* and Testing",
            "last-modified": "2023-04-10T10:31:28.355446-04:00",
            "version": "1.0",
            "oscal-version": "1.04",
            "remarks": "The following document is used in the OSCAL Profile Tutorial and builds on the catalog created for the OSCAL Catalog Tutorial"
        },
        "imports": [
            {
                "href": "https://raw.githubusercontent.com/usnistgov/oscal-content/main/examples/catalog/json/basic-catalog.json",
                "include-controls": [
                    {
                        "with-ids": [
                            "s1.1"
                        ],
                        "with-child-controls": "yes"
                    }
                ]
            }
        ]
    }
}

The above profile excerpt will not yield a resolved catalog with all of the children of the group "s1". Instead, the current behavior is to fail silently and omit the import directive entirely:

{
  "catalog" : {
    "uuid" : "7661c744-1a8e-4151-beb3-3bd88e661a71",
    "metadata" : {
      "title" : "Sample Security Profile *for Demonstration* and Testing",
      "last-modified" : "2023-04-10T17:36:52.221809216Z",
      "version" : "1.0",
      "oscal-version" : "1.04",
      "props" : [ {
        "name" : "resolution-tool",
        "value" : "libOSCAL-Java"
      } ],
      "links" : [ {
        "href" : "file:///WORKING/basic-profile%20copy.json",
        "rel" : "source-profile"
      } ]
    }
  }
}

For catalogs that rely on groups of groups (such as the above example) this can cause quite a bit of confusion.

Goals:

  • [ ] When a user attempts to resolve a profile and an "include-controls" or "exclude-controls" block references a group, throw a warning or error that this inclusion will be ignored/is invalid.

Dependencies:

N/A

Acceptance Criteria

  • [ ] All website and readme documentation affected by the changes in this issue have been updated.
  • [ ] A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.
  • [ ] The CI-CD build process runs without any reported errors on the PR. This can be confirmed by reviewing that all checks have passed in the PR.

nikitawootten-nist, Apr 10 '23 17:04
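The check the issue asks for, written as an added Python example that is not part of oscal-cli or libOSCAL-Java. It indexes a constructed catalog (shaped like basic-catalog.json, but only `s1` and `s1.1` come from the issue; the other ids and titles are made up), flags `with-ids` entries under `include-controls` or `exclude-controls` that name a group rather than a control, and shows the silent-ignore outcome next to the warning. The function names `index_catalog`, `check_profile` and `selected_control_ids` are assumptions, not project API.

```python
"""Warn when an OSCAL profile's include-controls / exclude-controls reference a group id."""
import json

BASIC_CATALOG_HREF = "https://raw.githubusercontent.com/usnistgov/oscal-content/main/examples/catalog/json/basic-catalog.json"

# Constructed minimal catalog. Assumption: the real basic-catalog.json differs;
# only the group -> group -> control nesting matters for this check.
CATALOG_JSON = """
{"catalog": {
  "uuid": "00000000-0000-4000-8000-000000000001",
  "metadata": {"title": "Constructed catalog", "version": "1.0", "oscal-version": "1.0.4"},
  "groups": [
    {"id": "s1", "title": "Group 1", "groups": [
      {"id": "s1.1", "title": "Subgroup 1.1", "controls": [
        {"id": "s1.1.1", "title": "Control 1.1.1"},
        {"id": "s1.1.2", "title": "Control 1.1.2",
         "controls": [{"id": "s1.1.2.1", "title": "Child control 1.1.2.1"}]}
      ]}
    ]}
  ]
}}
"""

# The import directive from the issue: with-ids names the group "s1.1", not a control.
PROFILE_JSON = """
{"profile": {
  "uuid": "c0dc468c-934e-4fe9-b5bf-9fc63f5a2915",
  "metadata": {"title": "Sample profile", "version": "1.0", "oscal-version": "1.04"},
  "imports": [{
    "href": "%s",
    "include-controls": [{"with-ids": ["s1.1"], "with-child-controls": "yes"}]
  }]
}}
""" % BASIC_CATALOG_HREF

CATALOGS = {BASIC_CATALOG_HREF: json.loads(CATALOG_JSON)["catalog"]}
PROFILE = json.loads(PROFILE_JSON)["profile"]


def index_catalog(catalog):
    """Map every id in the catalog to ("group" | "control", node), walking nested groups/controls."""
    index = {}

    def walk(node, kind):
        index[node["id"]] = (kind, node)
        for g in node.get("groups", []):
            walk(g, "group")
        for c in node.get("controls", []):
            walk(c, "control")

    for g in catalog.get("groups", []):
        walk(g, "group")
    for c in catalog.get("controls", []):
        walk(c, "control")
    return index


def check_profile(profile, catalogs_by_href):
    """Return warning strings for with-ids entries that name a group or an unknown id."""
    warnings = []
    for imp in profile.get("imports", []):
        index = index_catalog(catalogs_by_href[imp["href"]])
        for directive in ("include-controls", "exclude-controls"):
            for selector in imp.get(directive, []):
                for cid in selector.get("with-ids", []):
                    kind = index.get(cid, (None, None))[0]
                    if kind == "group":
                        warnings.append(
                            f"{directive}: '{cid}' is a group in {imp['href']}; "
                            "profile resolution only selects controls, so this id is ignored")
                    elif kind is None:
                        warnings.append(f"{directive}: '{cid}' not found in {imp['href']}")
    return warnings


def _child_control_ids(control):
    for c in control.get("controls", []):
        yield c["id"]
        yield from _child_control_ids(c)


def selected_control_ids(profile, catalogs_by_href):
    """Controls a with-ids include actually yields; group ids silently yield nothing (the issue)."""
    selected = set()
    for imp in profile.get("imports", []):
        index = index_catalog(catalogs_by_href[imp["href"]])
        for selector in imp.get("include-controls", []):
            for cid in selector.get("with-ids", []):
                kind, node = index.get(cid, (None, None))
                if kind != "control":
                    continue  # groups and unknown ids are dropped without a word
                selected.add(cid)
                if selector.get("with-child-controls") == "yes":
                    selected.update(_child_control_ids(node))
    return selected


if __name__ == "__main__":
    print("selected controls:", sorted(selected_control_ids(PROFILE, CATALOGS)))
    for w in check_profile(PROFILE, CATALOGS):
        print("WARNING:", w)
```

Run stand-alone, the script prints an empty selection (the silent failure described above) followed by the warning naming `s1.1` as a group; pointing `with-ids` at a control such as `s1.1.2` instead yields that control and, with `with-child-controls` set to `yes`, its nested child control.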