usnistgov/oscal-cli

NPE in gov.nist.secauto.metaschema.binding.io.xml.XmlUtil.getStreamSource

aj-stein-nist opened this issue · 9 comments

Describe the bug

As reported by @thabib-highlight, there is an issue with the FedRAMP SSP template (in OSCAL XML format) in the current master branch that is causing a runtime error with null pointer exception.

Who is the bug affecting?

Developers and system engineers using oscal-cli to validate SSPs in XML.

What is affected by this bug?

Validating SSPs in OSCAL XML format, perhaps the FedRAMP OSCAL SSP XML template in particular.

When does this occur?

Consistently.

How do we replicate the issue?

# Install oscal-cli 1.0.0 first
me@laptop:/tmp/tmp.MIfsDQ12qF$ oscal-cli --version
oscal-cli 1.0.0 built at 2023-08-01 21:11 from branch 42e48d0e9df6680a28b99420d8e4330eb47618ed (42e48d0) at https://github.com/usnistgov/oscal-cli
liboscal-java  built at 2023-08-01 17:34 from branch f0639389d4877ca0677fa739adaf1cea2637404d (f063938) at https://github.com/usnistgov/liboscal-java
oscal  built at 2023-08-01 17:34 from branch d19aedf7d0e0fba3b780d56c080312379127d7a4 (d19aedf) at https://github.com/usnistgov/OSCAL.git
metaschema-java 0.12.0 built at 2023-07-19T19:53:09+0000 from branch eff03bf387ecd929b921b759acf129e0e69fb463 (eff03bf) at https://github.com/usnistgov/metaschema-java
metaschema v0.9.0 built at 2023-07-19T19:53:09+0000 from branch a36f579e1e30abb2263895242cdbd2cf4bd29513 (a36f579) at https://github.com/usnistgov/metaschema
me@laptop:/tmp/tmp.MIfsDQ12qF$ curl --silent -L -O https://github.com/GSA/fedramp-automation/blob/e1105d062c52e3be18bddc4297fb225cc7261bb4/dist/content/rev5/templates/ssp/xml/FedRAMP-SSP-OSCAL-Template.xml
me@laptop:/tmp/tmp.MIfsDQ12qF$ oscal-cli ssp validate FedRAMP-SSP-OSCAL-Template.xml --show-stack-trace
Validating '/tmp/tmp.MIfsDQ12qF/FedRAMP-SSP-OSCAL-Template.xml' as JSON.
An uncaught runtime error occured. null
java.lang.NullPointerException: null
        at gov.nist.secauto.metaschema.model.common.util.ObjectUtils.requireNonNull(ObjectUtils.java:71) ~[gov.nist.secauto.metaschema.metaschema-model-common-0.12.0.jar:?]
        at gov.nist.secauto.oscal.tools.cli.core.commands.ssp.ValidateSubcommand.getOscalJsonSchema(ValidateSubcommand.java:63) ~[gov.nist.secauto.oscal.tools.oscal-cli.cli-core-1.0.0.jar:?]
me@laptop:/tmp/tmp.MIfsDQ12qF$ oscal-cli --version
oscal-cli 1.0.0 built at 2023-08-01 21:11 from branch 42e48d0e9df6680a28b99420d8e4330eb47618ed (42e48d0) at https://github.com/usnistgov/oscal-cli
liboscal-java  built at 2023-08-01 17:34 from branch f0639389d4877ca0677fa739adaf1cea2637404d (f063938) at https://github.com/usnistgov/liboscal-java
oscal  built at 2023-08-01 17:34 from branch d19aedf7d0e0fba3b780d56c080312379127d7a4 (d19aedf) at https://github.com/usnistgov/OSCAL.git
metaschema-java 0.12.0 built at 2023-07-19T19:53:09+0000 from branch eff03bf387ecd929b921b759acf129e0e69fb463 (eff03bf) at https://github.com/usnistgov/metaschema-java
metaschema v0.9.0 built at 2023-07-19T19:53:09+0000 from branch a36f579e1e30abb2263895242cdbd2cf4bd29513 (a36f579) at https://github.com/usnistgov/metaschema
me@laptop:/tmp/tmp.MIfsDQ12qF$ curl --silent -L -O https://github.com/GSA/fedramp-automation/blob/e1105d062c52e3be18bddc4297fb225cc7261bb4/dist/content/rev5/templates/ssp/xml/FedRAMP-SSP-OSCAL-Template.xml^C
me@laptop:/tmp/tmp.MIfsDQ12qF$ oscal-cli ssp validate FedRAMP-SSP-OSCAL-Template.xml --show-stack-trace
Validating '/tmp/tmp.MIfsDQ12qF/FedRAMP-SSP-OSCAL-Template.xml' as XML.
An uncaught runtime error occured. null
java.lang.NullPointerException: null
        at gov.nist.secauto.metaschema.binding.io.xml.XmlUtil.getStreamSource(XmlUtil.java:43) ~[gov.nist.secauto.metaschema.metaschema-java-binding-0.12.0.jar:?]
        at gov.nist.secauto.oscal.tools.cli.core.commands.ssp.ValidateSubcommand.getOscalXmlSchemas(ValidateSubcommand.java:56) ~[gov.nist.secauto.oscal.tools.oscal-cli.cli-core-1.0.0.jar:?]
        at gov.nist.secauto.oscal.tools.cli.core.commands.oscal.AbstractOscalValidationSubcommand$OscalCommandExecutor.getXmlSchemas(AbstractOscalValidationSubcommand.java:78) ~[gov.nist.secauto.oscal.tools.oscal-cli.cli-core-1.0.0.jar:?]
        at gov.nist.secauto.metaschema.binding.IBindingContext.validate(IBindingContext.java:311) ~[gov.nist.secauto.metaschema.metaschema-java-binding-0.12.0.jar:?]
        at gov.nist.secauto.metaschema.cli.commands.AbstractValidateContentCommand$AbstractValidationCommandExecutor.execute(AbstractValidateContentCommand.java:255) ~[gov.nist.secauto.metaschema.metaschema-cli-0.12.0.jar:?]
        at gov.nist.secauto.metaschema.cli.processor.CLIProcessor$CallingContext.invokeCommand(CLIProcessor.java:403) ~[gov.nist.secauto.metaschema.cli-processor-0.12.0.jar:?]
        at gov.nist.secauto.metaschema.cli.processor.CLIProcessor$CallingContext.processCommand(CLIProcessor.java:374) [gov.nist.secauto.metaschema.cli-processor-0.12.0.jar:?]
        at gov.nist.secauto.metaschema.cli.processor.CLIProcessor.parseCommand(CLIProcessor.java:192) [gov.nist.secauto.metaschema.cli-processor-0.12.0.jar:?]
        at gov.nist.secauto.metaschema.cli.processor.CLIProcessor.process(CLIProcessor.java:176) [gov.nist.secauto.metaschema.cli-processor-0.12.0.jar:?]
        at gov.nist.secauto.oscal.tools.cli.core.CLI.runCli(CLI.java:78) [gov.nist.secauto.oscal.tools.oscal-cli.cli-core-1.0.0.jar:?]
        at gov.nist.secauto.oscal.tools.cli.core.CLI.main(CLI.java:55) [gov.nist.secauto.oscal.tools.oscal-cli.cli-core-1.0.0.jar:?]

Expected behavior (i.e. solution)

An error is caught and handled. It is either reported or the program continues processing, but very likely the former.

Other Comments

N/A

I get the following for FedRAMP_rev5_HIGH-baseline_profile.xml (which is an OSCAL profile instance document).

gapinski@flexion-mac-C02FCBVSMD6N oscal-cli % oscal-cli --version                                                       
oscal-cli 1.0.0 built at 2023-08-03 13:06 from branch main (42e48d0) at https://github.com/usnistgov/oscal-cli.git
liboscal-java  built at 2023-08-01 17:34 from branch f0639389d4877ca0677fa739adaf1cea2637404d (f063938) at https://github.com/usnistgov/liboscal-java
oscal  built at 2023-08-01 17:34 from branch d19aedf7d0e0fba3b780d56c080312379127d7a4 (d19aedf) at https://github.com/usnistgov/OSCAL.git
metaschema-java 0.12.0 built at 2023-07-19T19:53:09+0000 from branch eff03bf387ecd929b921b759acf129e0e69fb463 (eff03bf) at https://github.com/usnistgov/metaschema-java
metaschema v0.9.0 built at 2023-07-19T19:53:09+0000 from branch a36f579e1e30abb2263895242cdbd2cf4bd29513 (a36f579) at https://github.com/usnistgov/metaschema
gapinski@flexion-mac-C02FCBVSMD6N oscal-cli % oscal-cli profile validate --as=xml FedRAMP_rev5_HIGH-baseline_profile.xml
Validating '/Users/gapinski/Projects/github/usnistgov/oscal-cli/FedRAMP_rev5_HIGH-baseline_profile.xml' as XML.
An uncaught runtime error occured. null
gapinski@flexion-mac-C02FCBVSMD6N oscal-cli %

This problem is caused by missing bundled OSCAL schemas. The OSCAL schemas get generated and bundled by liboscal-java, but it looks like in the v3.0.0 release these files did not get bundled during the build. I'll look into this more to find the cause/fix.

I am also noticing there is an issue with emitting the versions of liboscal-java and oscal in the version command. This might have something to do with the checkout command and the commit depth it is using, since these values are pulled from the git repo commit history.
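The expected behaviour above (report a clear error rather than crash) comes down to not handing a null classpath URL to a StreamSource. As an added illustration, not code from oscal-cli or liboscal-java, the snippet below resolves bundled schema resources and fails with a descriptive message listing what is missing; the resource paths are hypothetical and may not match the real artifact layout.

```java
import java.net.URL;
import java.util.ArrayList;
import java.util.List;
import javax.xml.transform.Source;
import javax.xml.transform.stream.StreamSource;

/**
 * Added example (not project code): look up bundled XML schemas on the
 * classpath and fail fast with a descriptive error when any are missing,
 * instead of dereferencing a null URL and surfacing a bare NPE.
 */
public final class SchemaResourceCheck {
  // Hypothetical resource paths; the real layout inside liboscal-java may differ.
  private static final String[] SSP_SCHEMAS = {
      "schema/xml/oscal_ssp_schema.xsd",
      "schema/xml/oscal_metadata_schema.xsd"
  };

  private SchemaResourceCheck() { }

  public static List<Source> getSspXmlSchemas() {
    ClassLoader loader = SchemaResourceCheck.class.getClassLoader();
    List<Source> sources = new ArrayList<>();
    List<String> missing = new ArrayList<>();
    for (String path : SSP_SCHEMAS) {
      URL url = loader.getResource(path);
      if (url == null) {
        missing.add(path); // record the gap rather than passing null downstream
        continue;
      }
      // Use the URL as system id so relative xs:import/xs:include still resolve.
      sources.add(new StreamSource(url.toExternalForm()));
    }
    if (!missing.isEmpty()) {
      throw new IllegalStateException(
          "bundled OSCAL schema(s) not found on the classpath: " + missing
          + "; the liboscal-java artifact may have been built without its generated schemas");
    }
    return sources;
  }
}
```

Running the same lookup against the distributed jar is a quick way to confirm whether a given release actually bundles the schemas before upgrading.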

Thank you Gary/David.

@david-waltermire-nist Acknowledged. I think this is in the ValidateSubcommand class in the getOscalXmlSchemas method. The xsd file location is invalid.

Appreciate you guys looking into it!

Gary just didn't run with --show-stack-trace, but I expect the expanded error will be the same. I will work on a fix with Dave and get it out as soon as feasible.

@aj-stein-nist You are correct. Just noticed it now.
Thank you again for responding and looking into it.

Also reported by FedRAMP developers via email and vitg-gsa-automation/earlyadopters#5.

This can be closed when an official liboscal-java 3.0.1 release is published and changed in the pom.xml declaration.

This has been fixed in the 1.0.1 release.