usnistgov/oscal-cli

IPv6 validation error

Rene2mt opened this issue · 2 comments

Describe the bug

OSCAL CLI throws an error when trying to validate the IPv6 address of components where there is an IP segment that starts with a zero.

Who is the bug affecting?

FedRAMP

What is affected by this bug?

When does this occur?

When validating sample (FedRAMP) OSCAL SSP template

How do we replicate the issue?

Run OSCAL-CLI v0.3.3 on the template as follows

  1. Download attached sample SSP template (contains sample IPv6 address)
  2. Run command: oscal-cli ssp validate --as=xml /ssp/xml/FedRAMP-SSP-OSCAL-Template.xml
  3. See output error:

[ERROR] [/system-security-plan/system-implementation[1]/component[13]] Value '2001:0000:0000:0000:0000:ffff:0a02:0202' did not conform to the data type 'ip-v6-address' at path '/system-security-plan/system-implementation[1]/component[13]/prop[4]/@value'
java.lang.IllegalArgumentException: 2001:0000:0000:0000:0000:ffff:0a02:0202 IP Address error: segment value starts with zero

Expected behavior (i.e. solution)

Sample IPv6 address above should validate successfully. Per RFC5952 section 2.1 (see https://www.rfc-editor.org/rfc/rfc5952#section-2.1), addresses can have leading zeros.

Other Comments

Additionally, as a feature enhancement, allow for IPv6 addresses with zero compression (e.g., 2001::ffff:0a02:0202). Use this XPath query to find the IPv6 props that are failing validation: /system-security-plan/system-implementation/inventory-item/prop[@name="ipv6-address"]

FedRAMP-SSP-OSCAL-Template.txt

This is a metaschema-java issue based on the underlying inet.ipaddr.ipv6.IPv6Address library and classes being configured in that library to now allow trailing zeros, as confirmed with the maintainer when reviewing this code preliminarily.

https://github.com/usnistgov/metaschema-java/blob/develop/metaschema-model-common/src/main/java/gov/nist/secauto/metaschema/model/common/datatype/adapter/IPv6AddressAdapter.java#L51C6-L55

This will be fixed in usnistgov/metaschema-java#156 and the metaschema-java submodule will need to be updated to fix this issue in the CLI. Thanks for your report!

Fixed by incorporating latest from metaschema-java (PR usnistgov/metaschema-java#158).
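
An added example, not part of the original issue and not oscal-cli or metaschema-java code: a small Python parser for colon-hex IPv6 text with a hypothetical `allow_leading_zeros` switch. It shows the strict rejection reported above next to the accepting behaviour the issue asks for, and that the full and zero-compressed spellings normalize to one value. The names `parse_ipv6` and `canonical` are assumptions.

```python
import ipaddress

HEX_DIGITS = set("0123456789abcdefABCDEF")
# Both sample values are taken from the issue text.
FULL = "2001:0000:0000:0000:0000:ffff:0a02:0202"
COMPRESSED = "2001::ffff:0a02:0202"


def parse_ipv6(text, allow_leading_zeros=True):
    """Parse colon-hex IPv6 text (hypothetical helper, not library code).

    allow_leading_zeros=False models a strict policy that rejects any
    multi-digit field beginning with '0', as in the reported error.
    Dotted IPv4 tails and zone IDs are not handled.
    """
    if text.count("::") > 1:
        raise ValueError("'::' may appear only once")
    if "::" in text:
        head, tail = text.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must stand for at least one field")
        fields = left + ["0"] * missing + right
    else:
        fields = text.split(":")
    if len(fields) != 8:
        raise ValueError("expected 8 fields, got %d" % len(fields))
    value = 0
    for field in fields:
        if not 1 <= len(field) <= 4 or not set(field) <= HEX_DIGITS:
            raise ValueError("bad field %r" % field)
        if not allow_leading_zeros and len(field) > 1 and field[0] == "0":
            raise ValueError("segment value starts with zero: %r" % field)
        value = (value << 16) | int(field, 16)
    return ipaddress.IPv6Address(value)


def canonical(text):
    """Compressed lowercase form, so different spellings compare equal."""
    return parse_ipv6(text).compressed


if __name__ == "__main__":
    print(canonical(FULL), canonical(COMPRESSED))
    try:
        parse_ipv6(FULL, allow_leading_zeros=False)
    except ValueError as exc:
        print("strict mode:", exc)
```

Comparing inventory entries on the canonical form rather than the raw string keeps the same host from appearing as two different addresses when tools emit different spellings.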