-
Notifications
You must be signed in to change notification settings - Fork 187
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Profile resolution flattens nested control structure #1663
Comments
First up in Sprint 64, we need to confirm if this is an issue (or actually a bug) in the profile resolver itself, the specification, or both.
We would like to loop in @galtm from the community for feedback as she has recently worked on components of the profile resolver that pertain to this issue. |
We do indeed have some unit tests in a WIP branch here: https://github.com/wendellpiez/OSCAL/tree/feature-profile-resolution-unittestingA (needs rebasing). Suggest we spike merging all that outstanding specification-and-testing work, then come back to this. This branch needs rebasing plus resolving of conflicts, which we can do expeditiously (I think I know what needs to be done). Then we have a basis for more/better tests, as well as a better sense of where we are with test coverage. |
The first step in the checklist was confirming the bug exists in the XSLT profile resolver. Does it exist in the current version in the |
Sorry, I was trying to be 'efficient'. I trust that what Gary reports over his data is true, although I have not made a perfect repro nor diagnosed the cause. I can see from static examination that the However, there are three other unstable pieces: (1) draft Profile Resolution Specification (which defines usage), (2) schemas missing this flag (#1662), and (3) oscal-cli Java implementation (not just XSLT implementation). I mention (3) because in order to be fully stable, we need not only a clear specification of the correct behavior, schema models and tests, but also the tools. And one explanation for the missing flag in the schema is that it was removed on purpose. If oscal-cli has no support for this, we should know about it. Should I continue to diagnose/assess the XSLT resolver in light of tests (which I could find or make) constructed against the Specification as currently drafted? Enabling us to float issues and fix 'bugs' without engaging the question of other profile resolver(s)? In doing so I might bring more issues to light (if the spec is faulty) but we presumably need to address (and test) them across implementations, as well. Picking up Gary's demo sample as a model for a test or two certainly makes sense. Here is testing for
At least one interpretation here is that the bug is in the schemas (metaschema) -- assuming the behavior defined by the current Spec is also what is tested and implemented. If it is not, then the question is, is the Spec wrong to have this at all and is the correction to remove all support? |
No worries, I appreciate that!
OK this is a good summary, it seems we are heading in a good direction and I think we should focus on that.
OK, this is super important for bringing up, thanks for calling it out. Let's look into 2 first. Once we hammer that out, we can check for alignment on this bug report in conjunction with 3 (that is issue 106 in oscal-cli, also reported by Gary and soon to be tracked), and then we can tighten up 1 later. But for now, let's head over to 1662.
I do not disagree, we just have to focus on one manageable piece at a time, so let's go to 1662, then the other things in that order (over the next several sprints).
Let's hold off on this stuff for 1662 for now. If we do not make headway there before end of sprint, we come back to this.
Thanks for the reference.
I guess once we have a handle on 1662, we can come back to answering this question. It seems that based on some others issues and comments by Dave, we need to track down "is the issue in the metaschemas or in the resulting schema generation?" first before the spec issue (as backwards as it sounds), but I do agree: it is an important material question to this issue. |
Describe the bug
Profile resolution of a nested control includes ancestor control but the control nesting is not maintained.
Who is the bug affecting
Users of
oscal-profile-RESOLVE.xsl
.What is affected by this bug
Tooling & API
How do we replicate this issue
I was wondering if inclusion of a control enhancement would include the parent control.
It does. This is in accord with SP 800-53 rev5 (§2.2 ¶2 final sentence) and the profile resolution specification. However, the nested control structure is flattened.
Using this profile
and catalog
perform a profile resolution.
Note that the resolution is faulty when operating on
main
branch of the usnistgov/OSCAL repo.In order to demonstrate the problem, use
oscal-profile-RESOLVE.xsl
from #1639.The controls are not nested. This flattening seems at odds with the (explicit)
with-parent-controls
attribute description.Worse, the the OSCAL XML Schema lacks the
with-parent-controls
attribute for theinclude-controls
element (#1662).Expected behavior (i.e. solution)
The nesting structure of the controls in the catalog should be preserved.
Other comments
The specimen instance documents are in the attached archive.
c-ce.zip
The text was updated successfully, but these errors were encountered: