usnistgov/oscal-cli

POA&M conversion from XML to JSON creates an assessment-plan

GaryGapinski opened this issue · 6 comments

Describe the bug

Attempted a conversion of an OSCAL plan-of-action-and-milestones document from XML to JSON. The output document was an assessment-plan.

I was interested in the problem discussed in usnistgov/OSCAL#961.

Who is the bug affecting?

oscal-cli users.

What is affected by this bug?

OSCAL POA&M XML to JSON conversion.

When does this occur?

Using oscal-cli version 0.3.0 built on 2023-01-26 17:30 on commit 627d772.

How do we replicate the issue?

Something analogous to the following.

cd /tmp
git clone --recurse-submodules https://github.com/usnistgov/oscal-cli.git
cd oscal-cli
mvn install
alias oscal-cli=/tmp/oscal-cli/cli-core/target/cli-core-0.3.0-oscal-cli/bin/oscal-cli
cd /tmp
curl --output poam.xml https://raw.githubusercontent.com/GSA/fedrampautomation/master/src/validations/test/rules/rev4/poam.xml
oscal-cli poam convert --overwrite --to json poam.xml poam.json
cat poam.json

The output document is

{
  "assessment-plan" : {
    "uuid" : "eaa872ba-9212-4112-ab05-60a2d0e1aded",
    "metadata" : {
      "title" : "POA\\&M Unit Test",
      "last-modified" : "2022-06-02T11:38:29Z",
      "version" : "latest",
      "oscal-version" : "1.0.4"
    },
    "import-ssp" : {
      "href" : "ssp.xml"
    }
  }
}

Contrast that output with

alias xslt='java -cp ~/saxon/saxon-he-12.0.jar net.sf.saxon.Transform'
xslt -xsl:https://raw.githubusercontent.com/usnistgov/OSCAL/main/json/convert/oscal_poam_xml-to-json-converter.xsl -s:poam.xml | jq

Expected behavior (i.e. solution)

The converted document should be an OSCAL plan-of-action-and-milestones document in JSON format.

Thanks for this report; the team and I will look at this when we have time and bandwidth. I appreciate it, Gary.

@GaryGapinski thanks for this. I had a few developers resurface this bug in a different context and it appears it is something I will have to troubleshoot and look for a fix.

/cc @volpet2014

I talked with Dave and found one example of the issue:

https://github.com/usnistgov/oscal-cli/blob/main/cli-core/src/main/java/gov/nist/secauto/oscal/tools/cli/core/commands/assessmentresults/ConvertSubcommand.java#L41

Next steps:

  • Fix it
  • Build regressions tests around it, prevent it from happening again

I added some tests and merged into develop branch to stage a snapshot release for testing, more to follow.
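The regression check the comments above call for, written here as an added example and not code from the oscal-cli project: it compares the OSCAL model named by the XML root element with the single top-level key of the JSON output, confirms the document uuid survived, and confirms that every root-level XML child surfaces in the JSON, which is exactly what the reported output failed (a POA&M went in, an `assessment-plan` with no observations, risks or poam-items came out). The XML and JSON documents below are constructed fragments modelled on the output shown in this issue, trimmed and not schema-complete, rather than the full GSA test file; the rule that a JSON key is the element name or that name plus `s` is an assumption that holds for the root-level children of a POA&M.

```python
import json
import xml.etree.ElementTree as ET

OSCAL_NS = "http://csrc.nist.gov/ns/oscal/1.0"

# Root element names of the OSCAL 1.0 models; the JSON representation uses
# the same name as its single top-level key.
OSCAL_MODELS = {
    "catalog", "profile", "component-definition", "system-security-plan",
    "assessment-plan", "assessment-results", "plan-of-action-and-milestones",
}

# Constructed sample input: a trimmed, not schema-complete POA&M fragment.
POAM_XML = """<plan-of-action-and-milestones xmlns="http://csrc.nist.gov/ns/oscal/1.0"
    uuid="eaa872ba-9212-4112-ab05-60a2d0e1aded">
  <metadata><title>POA&amp;M Unit Test</title><oscal-version>1.0.4</oscal-version></metadata>
  <import-ssp href="ssp.xml"/>
  <observation uuid="034fd2a1-ef2d-41a7-b131-1878593dbc1d"><method>test twice</method></observation>
  <risk uuid="f85976a4-c5e8-44a1-b7bd-36c0ef1509b9"><status>open</status></risk>
  <poam-item><related-observation observation-uuid="034fd2a1-ef2d-41a7-b131-1878593dbc1d"/></poam-item>
</plan-of-action-and-milestones>"""

# Constructed sample: the shape of the output reported in this issue.
WRONG_JSON = """{"assessment-plan": {
  "uuid": "eaa872ba-9212-4112-ab05-60a2d0e1aded",
  "metadata": {"title": "POA&M Unit Test", "oscal-version": "1.0.4"},
  "import-ssp": {"href": "ssp.xml"}}}"""

# Constructed sample: the shape of the output after the fix.
RIGHT_JSON = """{"plan-of-action-and-milestones": {
  "uuid": "eaa872ba-9212-4112-ab05-60a2d0e1aded",
  "metadata": {"title": "POA&M Unit Test", "oscal-version": "1.0.4"},
  "import-ssp": {"href": "ssp.xml"},
  "observations": [{"uuid": "034fd2a1-ef2d-41a7-b131-1878593dbc1d",
                    "methods": ["test twice"]}],
  "risks": [{"uuid": "f85976a4-c5e8-44a1-b7bd-36c0ef1509b9", "status": "open"}],
  "poam-items": [{"related-observations":
                  [{"observation-uuid": "034fd2a1-ef2d-41a7-b131-1878593dbc1d"}]}]}}"""


def _local_name(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rpartition("}")[2]


def _namespace(tag: str) -> str:
    return tag[1:].partition("}")[0] if tag.startswith("{") else ""


def xml_model(xml_text: str) -> str:
    """Return the OSCAL model name carried by the XML root element."""
    root = ET.fromstring(xml_text)
    if _namespace(root.tag) != OSCAL_NS:
        raise ValueError(f"not an OSCAL document: namespace {_namespace(root.tag)!r}")
    name = _local_name(root.tag)
    if name not in OSCAL_MODELS:
        raise ValueError(f"unknown OSCAL model {name!r}")
    return name


def json_model(json_text: str) -> str:
    """Return the OSCAL model name given by the single top-level JSON key."""
    doc = json.loads(json_text)
    if not isinstance(doc, dict) or len(doc) != 1:
        raise ValueError("OSCAL JSON must be an object with exactly one key")
    (name,) = doc.keys()
    if name not in OSCAL_MODELS:
        raise ValueError(f"unknown OSCAL model {name!r}")
    return name


def check_conversion(xml_text: str, json_text: str) -> list[str]:
    """Return the problems found; an empty list means the conversion passed.

    Checks: same model in and out, document uuid preserved, every root-level
    XML child present as a JSON key.  Assumption: the JSON key is the element
    name or that name with 's' appended (observation -> observations,
    poam-item -> poam-items), which holds for POA&M root-level children.
    """
    problems: list[str] = []
    root = ET.fromstring(xml_text)
    src, dst = xml_model(xml_text), json_model(json_text)
    body = json.loads(json_text)[dst]
    if src != dst:
        problems.append(f"model changed: XML root <{src}> became JSON key '{dst}'")
    if root.get("uuid") != body.get("uuid"):
        problems.append("document uuid not preserved")
    # dict.fromkeys de-duplicates repeated elements while keeping document order
    for child in dict.fromkeys(_local_name(c.tag) for c in root):
        if child not in body and child + "s" not in body:
            problems.append(f"<{child}> dropped from JSON output")
    return problems


if __name__ == "__main__":
    for label, out in (("reported", WRONG_JSON), ("fixed", RIGHT_JSON)):
        print(label, check_conversion(POAM_XML, out) or "OK")
```

Run against real tool output by reading `poam.xml` and `poam.json` from disk and passing the text to `check_conversion`; a non-empty list is the regression. The root-element comparison alone would have caught the bug in this issue, but the child check is worth keeping because it also flags a conversion that picks the right model yet silently drops content.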

This appears to be corrected.
I ran mvn install against a copy of the develop branch.
Using a copy of https://raw.githubusercontent.com/GSA/fedrampautomation/master/src/validations/test/rules/rev4/poam.xml:

gapinski@flexion-mac-C02FCBVSMD6N rev4 % alias oscal-cli=/Users/gapinski/Projects/github/usnistgov/oscal-cli/cli-core/target/cli-core-0.3.3-SNAPSHOT-oscal-cli/bin/oscal-cli
gapinski@flexion-mac-C02FCBVSMD6N rev4 % oscal-cli --version
oscal-cli version 0.3.3-SNAPSHOT built on 2023-02-22 05:31 on commit 564c276
OSCAL version @oscal-git.closest.tag.name@ on commit @oscal-git.commit.id.abbrev@
gapinski@flexion-mac-C02FCBVSMD6N rev4 % oscal-cli poam convert --to json poam.xml
ERROR: (/plan-of-action-and-milestones/risk[1]/characterization[1]/origin[1]/actor[1]/@type) Value 'nemesis' doesn't match one of 'assessment-platform, party, or tool' at path '/plan-of-action-and-milestones/risk[1]/characterization[1]/origin[1]/actor[1]/@type'
ERROR: (/plan-of-action-and-milestones/risk[1]/response[2]/task[1]/timing[1]/at-frequency[1]/@unit) Value 'week' doesn't match one of 'days, hours, minutes, months, seconds, or years' at path '/plan-of-action-and-milestones/risk[1]/response[2]/task[1]/timing[1]/at-frequency[1]/@unit'
WARNING: (/plan-of-action-and-milestones/poam-item[1]) It is a best practice to provide a UUID.
{
  "plan-of-action-and-milestones" : {
    "uuid" : "eaa872ba-9212-4112-ab05-60a2d0e1aded",
    "metadata" : {
      "title" : "POA\\&M Unit Test",
      "last-modified" : "2022-06-02T11:38:29Z",
      "version" : "latest",
      "oscal-version" : "1.0.4"
    },
    "import-ssp" : {
      "href" : "ssp.xml"
    },
    "observations" : [ {
      "uuid" : "034fd2a1-ef2d-41a7-b131-1878593dbc1d",
      "methods" : [ "test twice" ],
      "types" : [ "finding" ],
      "collected" : "2022-06-02T11:38:29Z"
    } ],
    "risks" : [ {
      "uuid" : "f85976a4-c5e8-44a1-b7bd-36c0ef1509b9",
      "status" : "open",
      "characterizations" : [ {
        "origin" : {
          "actors" : [ {
            "type" : "nemesis",
            "actor-uuid" : "4e6b380e-4c43-4d02-af7c-a07711f98403"
          } ]
        },
        "facets" : [ {
          "name" : "impact",
          "system" : "https://fedramp.gov",
          "value" : "high",
          "props" : [ {
            "name" : "state",
            "value" : "initial"
          } ]
        }, {
          "name" : "impact",
          "system" : "https://fedramp.gov",
          "value" : "moderate",
          "props" : [ {
            "name" : "state",
            "value" : "adjusted"
          } ],
          "remarks" : "nemesis is an old pal."
        } ]
      } ],
      "deadline" : "2022-11-29T13:37:22Z",
      "remediations" : [ {
        "uuid" : "8bea3be1-96a4-475f-a991-096ae19587a2",
        "lifecycle" : "recommendation"
      }, {
        "uuid" : "0ae485ea-e372-4eb8-8d67-ee486f1b99f7",
        "lifecycle" : "planned",
        "tasks" : [ {
          "uuid" : "658b179b-36c9-489c-8faa-2f35e595063f",
          "type" : "fret",
          "timing" : {
            "at-frequency" : {
              "period" : 1,
              "unit" : "week"
            }
          }
        }, {
          "uuid" : "eb485f28-df57-48d4-a65b-60481c85cc38",
          "type" : "milestone",
          "timing" : {
            "within-date-range" : {
              "start" : "2022-06-02T11:38:29Z",
              "end" : "2022-08-01T13:25:59Z"
            }
          }
        }, {
          "uuid" : "118bda4c-9d45-454e-b0e7-a1cf6ff06235",
          "type" : "milestone",
          "timing" : {
            "within-date-range" : {
              "start" : "2022-06-02T11:38:29Z",
              "end" : "2022-09-30T13:25:14Z"
            }
          }
        }, {
          "uuid" : "1f5fcf35-8e8c-499e-bd26-1141c8b52890",
          "type" : "milestone",
          "title" : "Close POA\\&M",
          "timing" : {
            "on-date" : {
              "date" : "2022-11-29T13:37:22Z"
            }
          }
        } ]
      } ],
      "risk-log" : {
        "entries" : [ {
          "uuid" : "e5ed128c-3c2d-4d42-9151-f460020c0687",
          "start" : "2022-06-02T11:38:29Z"
        } ]
      },
      "related-observations" : [ {
        "observation-uuid" : "034fd2a1-ef2d-41a7-b131-1878593dbc1d"
      } ]
    } ],
    "poam-items" : [ {
      "related-observations" : [ {
        "observation-uuid" : "034fd2a1-ef2d-41a7-b131-1878593dbc1d"
      } ],
      "related-risks" : [ {
        "risk-uuid" : "f85976a4-c5e8-44a1-b7bd-36c0ef1509b9"
      } ]
    } ]
  }
}

I will close this for now but will need to prepare a release later in the week. Thanks for your quick feedback, @GaryGapinski.