
POA&M conversion from XML to JSON creates an assessment-plan #96

Closed
GaryGapinski opened this issue Jan 27, 2023 · 6 comments · Fixed by #108
Assignees
Labels
bug Something isn't working

Comments

@GaryGapinski

Describe the bug

Attempted a conversion of an OSCAL plan-of-action-and-milestones document from XML to JSON. Output document was assessment-plan.

I was interested in the problem discussed in usnistgov/OSCAL#961.

Who is the bug affecting?

oscal-cli users.

What is affected by this bug?

OSCAL POA&M XML to JSON conversion.

When does this occur?

Using oscal-cli version 0.3.0 built on 2023-01-26 17:30 on commit 627d772.

How do we replicate the issue?

Something analogous to the following.

cd /tmp
git clone --recurse-submodules https://github.com/usnistgov/oscal-cli.git
cd oscal-cli
mvn install
alias oscal-cli=/tmp/oscal-cli/cli-core/target/cli-core-0.3.0-oscal-cli/bin/oscal-cli
cd /tmp
curl --output poam.xml https://raw.githubusercontent.com/GSA/fedrampautomation/master/src/validations/test/rules/rev4/poam.xml
oscal-cli poam convert --overwrite --to json poam.xml poam.json
cat poam.json

The output document is

{
  "assessment-plan" : {
    "uuid" : "eaa872ba-9212-4112-ab05-60a2d0e1aded",
    "metadata" : {
      "title" : "POA\\&M Unit Test",
      "last-modified" : "2022-06-02T11:38:29Z",
      "version" : "latest",
      "oscal-version" : "1.0.4"
    },
    "import-ssp" : {
      "href" : "ssp.xml"
    }
  }
}

Contrast that output with

alias xslt='java -cp ~/saxon/saxon-he-12.0.jar net.sf.saxon.Transform'
xslt -xsl:https://raw.githubusercontent.com/usnistgov/OSCAL/main/json/convert/oscal_poam_xml-to-json-converter.xsl -s:poam.xml | jq

Expected behavior (i.e. solution)

The converted document should be an OSCAL plan-of-action-and-milestones document in JSON format.

@GaryGapinski GaryGapinski added the bug Something isn't working label Jan 27, 2023
@aj-stein-nist
Collaborator

Thanks for this report, I and the team will look at this when we have time and bandwidth. I appreciate it, Gary.

@aj-stein-nist
Collaborator

@GaryGapinski thanks for this. I had a few developers resurface this bug in a different context and it appears it is something I will have to troubleshoot and look for a fix.

/cc @volpet2014

@aj-stein-nist aj-stein-nist self-assigned this Feb 17, 2023
@aj-stein-nist
Collaborator

aj-stein-nist commented Feb 21, 2023

I talked with Dave and found one example of the issue:

https://github.com/usnistgov/oscal-cli/blob/main/cli-core/src/main/java/gov/nist/secauto/oscal/tools/cli/core/commands/assessmentresults/ConvertSubcommand.java#L41

Next steps:

  • Fix it
  • Build regressions tests around it, prevent it from happening again
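The bug report above and the "build regression tests" step both come down to one check: the model named by the XML root element must survive into the JSON output's single top-level key (and the document uuid along with it). The following is an added example of that check, written here and not part of oscal-cli; it uses only the Python standard library and runs against constructed samples, a trimmed POA&M input carrying the uuid from the report and the two JSON outputs quoted in this thread (the mislabelled one from 0.3.0 and the corrected one). It is independent of which converter produced the JSON, so it can sit in front of any XML-to-JSON conversion step.

```python
"""Guard for an OSCAL XML-to-JSON conversion: the JSON root key must name
the same OSCAL model as the XML root element, and the root uuid must match.
Added example; not oscal-cli project code."""
import json
import xml.etree.ElementTree as ET

OSCAL_NS = "http://csrc.nist.gov/ns/oscal/1.0"

# Root names of the OSCAL document models. A faithful conversion keeps the
# model: the XML root's local name and the single JSON top-level key agree.
OSCAL_MODELS = {
    "catalog",
    "profile",
    "component-definition",
    "system-security-plan",
    "assessment-plan",
    "assessment-results",
    "plan-of-action-and-milestones",
}


def xml_model(xml_text: str) -> tuple:
    """Return (model name, root uuid) of an OSCAL XML document."""
    root = ET.fromstring(xml_text)
    # ElementTree spells a namespaced tag as "{namespace}localname".
    if not root.tag.startswith("{"):
        raise ValueError("OSCAL root element must be in the OSCAL namespace")
    ns, _, local = root.tag[1:].partition("}")
    if ns != OSCAL_NS:
        raise ValueError(f"unexpected namespace {ns!r}")
    return local, root.get("uuid")


def json_model(json_text: str) -> tuple:
    """Return (model name, root uuid) of an OSCAL JSON document."""
    doc = json.loads(json_text)
    if not isinstance(doc, dict) or len(doc) != 1:
        raise ValueError("OSCAL JSON must have exactly one top-level key")
    (model, body), = doc.items()
    return model, (body.get("uuid") if isinstance(body, dict) else None)


def check_conversion(xml_text: str, json_text: str) -> tuple:
    """Compare XML input with JSON output; return (ok, message)."""
    src_model, src_uuid = xml_model(xml_text)
    dst_model, dst_uuid = json_model(json_text)
    if src_model not in OSCAL_MODELS:
        return False, f"XML root {src_model!r} is not an OSCAL model"
    if src_model != dst_model:
        return False, (f"model mismatch: XML root is {src_model!r} "
                       f"but JSON root is {dst_model!r}")
    if src_uuid != dst_uuid:
        return False, f"uuid mismatch: {src_uuid!r} != {dst_uuid!r}"
    return True, f"{src_model} conversion preserved model and uuid"


# Constructed sample input: a trimmed POA&M, not the full poam.xml from the
# report, but with the same root uuid.
SAMPLE_POAM_XML = """<plan-of-action-and-milestones
    xmlns="http://csrc.nist.gov/ns/oscal/1.0"
    uuid="eaa872ba-9212-4112-ab05-60a2d0e1aded">
  <metadata>
    <title>POA&amp;M Unit Test</title>
    <last-modified>2022-06-02T11:38:29Z</last-modified>
    <version>latest</version>
    <oscal-version>1.0.4</oscal-version>
  </metadata>
  <import-ssp href="ssp.xml"/>
</plan-of-action-and-milestones>
"""

# Constructed copy of the mislabelled output quoted in the bug report.
BUGGY_JSON = r"""{
  "assessment-plan" : {
    "uuid" : "eaa872ba-9212-4112-ab05-60a2d0e1aded",
    "metadata" : { "title" : "POA\\&M Unit Test", "oscal-version" : "1.0.4" },
    "import-ssp" : { "href" : "ssp.xml" }
  }
}"""

# Constructed copy of the corrected output (root trimmed to what matters).
FIXED_JSON = r"""{
  "plan-of-action-and-milestones" : {
    "uuid" : "eaa872ba-9212-4112-ab05-60a2d0e1aded",
    "metadata" : { "title" : "POA\\&M Unit Test", "oscal-version" : "1.0.4" },
    "import-ssp" : { "href" : "ssp.xml" }
  }
}"""

if __name__ == "__main__":
    for label, out in (("0.3.0 output", BUGGY_JSON), ("fixed output", FIXED_JSON)):
        ok, msg = check_conversion(SAMPLE_POAM_XML, out)
        print(f"{label}: {'PASS' if ok else 'FAIL'} ({msg})")
```

In a pipeline the check runs on the real input and on whatever `oscal-cli ... convert --to json` wrote; a model mismatch is a hard failure, since a downstream validator would otherwise validate the document against the wrong schema and the content's POA&M-specific fields would simply be dropped, as the truncated output in the report shows.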

@aj-stein-nist aj-stein-nist linked a pull request Feb 21, 2023 that will close this issue
aj-stein-nist added a commit that referenced this issue Feb 22, 2023
* Fix bad class loaders for AR and POA&M in ConvertSubcommand classes for #96.

* Add regression tests and public access function for loaded class name for #96.
@aj-stein-nist
Collaborator

I added some tests and merged into develop branch to stage a snapshot release for testing, more to follow.

@GaryGapinski
Author

This appears to be corrected.
I ran mvn install against a copy of the develop branch.
Using a copy of https://raw.githubusercontent.com/GSA/fedrampautomation/master/src/validations/test/rules/rev4/poam.xml:

gapinski@flexion-mac-C02FCBVSMD6N rev4 % alias oscal-cli=/Users/gapinski/Projects/github/usnistgov/oscal-cli/cli-core/target/cli-core-0.3.3-SNAPSHOT-oscal-cli/bin/oscal-cli
gapinski@flexion-mac-C02FCBVSMD6N rev4 % oscal-cli --version
oscal-cli version 0.3.3-SNAPSHOT built on 2023-02-22 05:31 on commit 564c276
OSCAL version @oscal-git.closest.tag.name@ on commit @oscal-git.commit.id.abbrev@
gapinski@flexion-mac-C02FCBVSMD6N rev4 % oscal-cli poam convert --to json poam.xml                                                                              
ERROR: (/plan-of-action-and-milestones/risk[1]/characterization[1]/origin[1]/actor[1]/@type) Value 'nemesis' doesn't match one of 'assessment-platform, party, or tool' at path '/plan-of-action-and-milestones/risk[1]/characterization[1]/origin[1]/actor[1]/@type'
ERROR: (/plan-of-action-and-milestones/risk[1]/response[2]/task[1]/timing[1]/at-frequency[1]/@unit) Value 'week' doesn't match one of 'days, hours, minutes, months, seconds, or years' at path '/plan-of-action-and-milestones/risk[1]/response[2]/task[1]/timing[1]/at-frequency[1]/@unit'
WARNING: (/plan-of-action-and-milestones/poam-item[1]) It is a best practice to provide a UUID.
{
  "plan-of-action-and-milestones" : {
    "uuid" : "eaa872ba-9212-4112-ab05-60a2d0e1aded",
    "metadata" : {
      "title" : "POA\\&M Unit Test",
      "last-modified" : "2022-06-02T11:38:29Z",
      "version" : "latest",
      "oscal-version" : "1.0.4"
    },
    "import-ssp" : {
      "href" : "ssp.xml"
    },
    "observations" : [ {
      "uuid" : "034fd2a1-ef2d-41a7-b131-1878593dbc1d",
      "methods" : [ "test twice" ],
      "types" : [ "finding" ],
      "collected" : "2022-06-02T11:38:29Z"
    } ],
    "risks" : [ {
      "uuid" : "f85976a4-c5e8-44a1-b7bd-36c0ef1509b9",
      "status" : "open",
      "characterizations" : [ {
        "origin" : {
          "actors" : [ {
            "type" : "nemesis",
            "actor-uuid" : "4e6b380e-4c43-4d02-af7c-a07711f98403"
          } ]
        },
        "facets" : [ {
          "name" : "impact",
          "system" : "https://fedramp.gov",
          "value" : "high",
          "props" : [ {
            "name" : "state",
            "value" : "initial"
          } ]
        }, {
          "name" : "impact",
          "system" : "https://fedramp.gov",
          "value" : "moderate",
          "props" : [ {
            "name" : "state",
            "value" : "adjusted"
          } ],
          "remarks" : "nemesis is an old pal."
        } ]
      } ],
      "deadline" : "2022-11-29T13:37:22Z",
      "remediations" : [ {
        "uuid" : "8bea3be1-96a4-475f-a991-096ae19587a2",
        "lifecycle" : "recommendation"
      }, {
        "uuid" : "0ae485ea-e372-4eb8-8d67-ee486f1b99f7",
        "lifecycle" : "planned",
        "tasks" : [ {
          "uuid" : "658b179b-36c9-489c-8faa-2f35e595063f",
          "type" : "fret",
          "timing" : {
            "at-frequency" : {
              "period" : 1,
              "unit" : "week"
            }
          }
        }, {
          "uuid" : "eb485f28-df57-48d4-a65b-60481c85cc38",
          "type" : "milestone",
          "timing" : {
            "within-date-range" : {
              "start" : "2022-06-02T11:38:29Z",
              "end" : "2022-08-01T13:25:59Z"
            }
          }
        }, {
          "uuid" : "118bda4c-9d45-454e-b0e7-a1cf6ff06235",
          "type" : "milestone",
          "timing" : {
            "within-date-range" : {
              "start" : "2022-06-02T11:38:29Z",
              "end" : "2022-09-30T13:25:14Z"
            }
          }
        }, {
          "uuid" : "1f5fcf35-8e8c-499e-bd26-1141c8b52890",
          "type" : "milestone",
          "title" : "Close POA\\&M",
          "timing" : {
            "on-date" : {
              "date" : "2022-11-29T13:37:22Z"
            }
          }
        } ]
      } ],
      "risk-log" : {
        "entries" : [ {
          "uuid" : "e5ed128c-3c2d-4d42-9151-f460020c0687",
          "start" : "2022-06-02T11:38:29Z"
        } ]
      },
      "related-observations" : [ {
        "observation-uuid" : "034fd2a1-ef2d-41a7-b131-1878593dbc1d"
      } ]
    } ],
    "poam-items" : [ {
      "related-observations" : [ {
        "observation-uuid" : "034fd2a1-ef2d-41a7-b131-1878593dbc1d"
      } ],
      "related-risks" : [ {
        "risk-uuid" : "f85976a4-c5e8-44a1-b7bd-36c0ef1509b9"
      } ]
    } ]
  }
}

@aj-stein-nist
Collaborator

I will close this for now but will need to prepare a release later in the week. Thanks for your quick feedback, @GaryGapinski.

aj-stein-nist added a commit that referenced this issue Apr 17, 2023
* Fix bad class loaders for AR and POA&M in ConvertSubcommand classes for #96.

* Add regression tests and public access function for loaded class name for #96.
david-waltermire added a commit to david-waltermire/oscal-cli that referenced this issue Jul 14, 2023
Refactored CLI handling based on a number of metaschema-java improvements, to include better exit code handling, and improved command re-usability across projects.
Added support for the "metaschema validate-content" command.
Included test code for usnistgov#96, and testing YAML nulls.
Some code formatting cleanup.
aj-stein-nist pushed a commit that referenced this issue Jul 15, 2023
* Integrated new version handling in CLI from metaschema-java.
Refactored CLI handling based on a number of metaschema-java improvements, to include better exit code handling, and improved command re-usability across projects.
Added support for the "metaschema validate-content" command.
Included test code for #96, and testing YAML nulls.
Some code formatting cleanup.

* Improve the GHA build. Similar to liboscal-java.
aj-stein-nist pushed a commit that referenced this issue Jul 22, 2023
* Integrated new version handling in CLI from metaschema-java.
Refactored CLI handling based on a number of metaschema-java improvements, to include better exit code handling, and improved command re-usability across projects.
Added support for the "metaschema validate-content" command.
Included test code for #96, and testing YAML nulls.
Some code formatting cleanup.

* Improve the GHA build. Similar to liboscal-java.