JSON Baseline Profiles Do Not Contain JSON Catalog Links

[rgauss]

Describe the bug

The JSON representation of baseline profiles only contain XML rlinks (example) for the catalog back-matter resource.

There should be an rlink to a JSON representation of that catalog with an application/oscal.catalog+json media type (example with a currently incorrect extension due to reported issue).

Who is the bug affecting?

Anyone using JSON representations of baseline profiles.

What is affected by this bug?

The ability to resolve catalog controls for baseline profiles.

When does this occur?

Always

[ohsh6o]

Thanks for your report, @rgauss. We will look at this in conjunction with usnistgov/oscal-content#59.

[ohsh6o]

@rgauss I (as part of FedRAMP) discussed this with the NIST OSCAL developers. The pipeline work as surfaced here and usnistgov/oscal-content#59 will require significant modifications that will not be addressed by OSCAL tooling, not just FedRAMP's baseline updates using it. I will review a workaround solution and/or manual effort for the 1.0.0 release potentially, but cannot commit to that at this time. I will update this issue and its tracking tags accordingly.

[rgauss]

@ohsh6o, thanks for looking into it! We can implement temporary workarounds on our end in the meantime.

[ohsh6o]

@rgauss I am going to attempt to work on a CI/CD fix that is mutually beneficial in the interim, for our FedRAMP's own 1.0.0 release, that will be beneficial to FedRAMP and NIST. Stay tuned and I will appropriately message in this bug report. Thanks again!

[ohsh6o]

I have been working on this locally on my workstation but it might not be ready for 1.0.0. I published a workaround by publishing all the profile formats in parallel in #103 to address the particular need, but it will continue to write a more programmatic check, and potentially revert this change and not include all formats in the future. :-)