links with @rel "proof-of-compliance" constraint conflicting with @rel "validation" #2102

Open
aj-stein-gsa opened this issue Feb 13, 2025 · 0 comments
aj-stein-gsa commented Feb 13, 2025

Describe the bug

There appear to be a series of constraints that overlap or conflict with one another in relation to validation and testing components. Different portions of the documentation for the implementation layer discuss "proof of compliance" versus validation information for cryptographic components.

https://pages.nist.gov/OSCAL/learn/tutorials/implementation/validation-modeling/

https://pages.nist.gov/OSCAL/resources/concepts/layer/implementation/component-definition/

Given the structure of the example components in the former link and the narrative in the latter, it would appear the link[@rel="proof-of-compliance"] constraint is overlapping or conflicting with link[@rel="validation"] with an overly specific index lookup.

https://github.com/usnistgov/OSCAL/blob/v1.1.3/src/metaschema/oscal_ssp_metaschema.xml#L618-L626

The last constraint ensures you cannot have a URL to a CMVP FIPS 140 record; instead, it must cross-reference a sibling component of type validation by UUID with a URI reference. This constraint does not seem optimal, and it is advisable to remove it or model it with a different approach. The former is more expedient.

Who is the bug affecting

Processing OSCAL data with OSCAL-enabled software to cross-reference cryptographic validation records.

What is affected by this bug

Metaschema

How do we replicate this issue

  1. Make an example SSP with a component that has link[@rel="proof-of-compliance"] that is not a URI reference to a sibling component.
  2. Run oscal-cli validations.
  3. Review errors from not defining the value with the URL as implied by documentation.

See an example and discussion of the FedRAMP constraint modeling with oscal-cli validation failures in CI/CD via the links below.

GSA/fedramp-automation#1158 (review)

https://github.com/GSA/fedramp-automation/actions/runs/13288489054/job/37103011171?pr=1158

Expected behavior (i.e. solution)

Constraints permit URI data that is not specifically indexed to a component[@type="validation"].

Other comments

No response

Revisions

No response
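The following is an added example, not code from the OSCAL project, oscal-cli, or the issue author. It approximates the constraint as the issue describes it: a component's link[@rel="proof-of-compliance"] must be a "#uuid" URI fragment that resolves to a sibling component[@type="validation"], so a plain URL to a CMVP record is flagged. The OSCAL XML namespace, the element shapes, and the sample SSP (including the example.invalid URL) are assumptions constructed for illustration; running it shows the two outcomes from the replication steps above side by side.

```python
"""
Approximate checker for the link[@rel="proof-of-compliance"] constraint
discussed in this issue (added example; not the OSCAL project's own code
or oscal-cli logic).  It reports, per link, whether the href is a "#<uuid>"
fragment naming a sibling component[@type="validation"].
"""
import re
import xml.etree.ElementTree as ET

# Assumed OSCAL 1.x XML namespace.
NS = {"o": "http://csrc.nist.gov/ns/oscal/1.0"}
UUID_FRAGMENT_RE = re.compile(
    r"^#[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)

# Constructed sample SSP: one validation component and one software
# component carrying two proof-of-compliance links, one of each kind.
SAMPLE_SSP = """
<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
    uuid="11111111-1111-4111-8111-111111111111">
  <system-implementation>
    <component uuid="aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa" type="validation">
      <title>FIPS 140 validation for the TLS module (constructed)</title>
      <description><p>Placeholder validation record.</p></description>
      <status state="operational"/>
    </component>
    <component uuid="bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb" type="software">
      <title>TLS terminator (constructed)</title>
      <description><p>Uses the validated module.</p></description>
      <link rel="proof-of-compliance" href="#aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa"/>
      <link rel="proof-of-compliance" href="https://example.invalid/cmvp/certificate-record"/>
      <status state="operational"/>
    </component>
  </system-implementation>
</system-security-plan>
"""


def check_proof_of_compliance(xml_text: str) -> list[dict]:
    """Return one finding per proof-of-compliance link in the SSP.

    A finding is ok only when the href is a "#<uuid>" fragment and that
    UUID belongs to a sibling component whose @type is "validation".
    """
    root = ET.fromstring(xml_text)
    impl = root.find("o:system-implementation", NS)
    components = impl.findall("o:component", NS) if impl is not None else []
    validation_uuids = {
        c.get("uuid", "").lower() for c in components if c.get("type") == "validation"
    }

    findings = []
    for comp in components:
        for link in comp.findall("o:link[@rel='proof-of-compliance']", NS):
            href = link.get("href", "")
            if not UUID_FRAGMENT_RE.match(href):
                ok, reason = False, "href is a URL, not a '#<uuid>' fragment"
            elif href[1:].lower() not in validation_uuids:
                ok, reason = False, "fragment does not name a sibling component[@type='validation']"
            else:
                ok, reason = True, "resolves to a sibling validation component"
            findings.append(
                {"component": comp.get("uuid"), "href": href, "ok": ok, "reason": reason}
            )
    return findings


def failing_hrefs(xml_text: str) -> list[str]:
    """Convenience view: just the hrefs the constraint would reject."""
    return [f["href"] for f in check_proof_of_compliance(xml_text) if not f["ok"]]


if __name__ == "__main__":
    for finding in check_proof_of_compliance(SAMPLE_SSP):
        verdict = "PASS" if finding["ok"] else "FAIL"
        print(f"{verdict} component={finding['component']} href={finding['href']}: {finding['reason']}")
```

The second link is the case the issue is about: a direct URL to a validation record is exactly what the documentation implies is acceptable, yet under the constraint as described it is rejected, while only the "#uuid" cross-reference to a sibling validation component passes.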

Status: Needs Triage