links with @rel "proof-of-compliance" constraint conflicting with @rel "validation" #2102

Open
@aj-stein-gsa

Description

Describe the bug

There appear to be a series of constraints that overlap or conflict with one another in relation to validation and testing components. Different portions of documentation for the implementation layer discuss "proof of compliance" versus validation information for cryptographic components.

https://pages.nist.gov/OSCAL/learn/tutorials/implementation/validation-modeling/

https://pages.nist.gov/OSCAL/resources/concepts/layer/implementation/component-definition/

Given the structure of the example components in the former link and narrative in t, it would appear the link[@rel="proof-of-compliance"] constraint is overlapping or conflicting with link[@rel="validation"] with an overly specific index lookup.

https://github.com/usnistgov/OSCAL/blob/v1.1.3/src/metaschema/oscal_ssp_metaschema.xml#L618-L626

The last constraint ensures you cannot have a URL to a CMVP FIPS-140 record, but it must cross-reference to a sibling component of type validation by UUID with a URI reference. This constraint does not seem optimal, and it is advisable to remove it or model it with a different approach. The former is more expedient.

Who is the bug affecting

Processing OSCAL data with OSCAL-enabled software to cross-reference cryptographic validation records.

What is affected by this bug

Metaschema

How do we replicate this issue

  1. Make an example SSP with a component that has link[@rel="proof-of-compliance"] that is not a URI reference to a sibling component.
  2. Run oscal-cli validations.
  3. Review errors from not defining the value with the URL as implied by documentation.

See an example and discussion of the FedRAMP constraint modeling with oscal-cli validation failures in CI/CD via the links below.

GSA/fedramp-automation#1158 (review)

https://github.com/GSA/fedramp-automation/actions/runs/13288489054/job/37103011171?pr=1158

Expected behavior (i.e. solution)

Constraints permit URI data that is not specifically indexed to a component[@type="validation"].
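To make the conflict concrete, the following is an added example, not code from the issue, from the OSCAL repository, or from oscal-cli. It builds a constructed SSP fragment in OSCAL's JSON layout (system-implementation / components / links with rel and href) and runs two checks over its link[@rel="proof-of-compliance"] entries: a reconstruction of the constraint as the issue describes it (the href must be a "#uuid" fragment resolving to a sibling component[@type="validation"]), and the permissive behaviour the issue asks for (any well-formed URI reference, with fragments still resolved against the sibling index). The UUIDs, titles and the CMVP URL are placeholders; the check logic is inferred from the issue text, not taken from the metaschema.

```python
import json
from urllib.parse import urlparse

# Constructed OSCAL-style SSP fragment (placeholder UUIDs and URL, not real records).
# Only the fields the checks need are modelled.
SSP_FRAGMENT = json.loads("""
{
  "system-implementation": {
    "components": [
      {"uuid": "11111111-1111-4111-8111-111111111111",
       "type": "validation",
       "title": "Constructed FIPS 140 validation record"},
      {"uuid": "22222222-2222-4222-8222-222222222222",
       "type": "software",
       "title": "Crypto library, cross-referenced form",
       "links": [{"rel": "proof-of-compliance",
                  "href": "#11111111-1111-4111-8111-111111111111"}]},
      {"uuid": "33333333-3333-4333-8333-333333333333",
       "type": "software",
       "title": "Crypto library, direct URL form",
       "links": [{"rel": "proof-of-compliance",
                  "href": "https://example.invalid/cmvp/certificate/PLACEHOLDER"}]},
      {"uuid": "44444444-4444-4444-8444-444444444444",
       "type": "software",
       "title": "Crypto library, dangling fragment",
       "links": [{"rel": "proof-of-compliance",
                  "href": "#99999999-9999-4999-8999-999999999999"}]}
    ]
  }
}
""")


def components(ssp):
    return ssp["system-implementation"]["components"]


def validation_index(ssp):
    """UUIDs of sibling components whose @type is 'validation' (the index the constraint keys on)."""
    return {c["uuid"] for c in components(ssp) if c.get("type") == "validation"}


def proof_of_compliance_links(ssp):
    """Yield (component uuid, href) for every link[@rel='proof-of-compliance']."""
    for comp in components(ssp):
        for link in comp.get("links", []):
            if link.get("rel") == "proof-of-compliance":
                yield comp["uuid"], link.get("href", "")


def strict_check(ssp):
    """Reconstruction (assumption) of the constraint as the issue describes it:
    the href must be a '#uuid' fragment that resolves to a sibling component[@type='validation'].
    A direct CMVP URL therefore fails even though the documentation implies it is acceptable."""
    index = validation_index(ssp)
    findings = []
    for comp_uuid, href in proof_of_compliance_links(ssp):
        if not href.startswith("#"):
            findings.append((comp_uuid, href, "href is not a fragment reference to a sibling component"))
        elif href[1:] not in index:
            findings.append((comp_uuid, href, "fragment does not resolve to a component[@type='validation']"))
    return findings


def permissive_check(ssp):
    """The behaviour the issue asks for: accept any well-formed URI reference.
    Local fragments are still resolved against the validation index so dangling
    cross-references are caught; absolute URLs pass when they carry a scheme and host."""
    index = validation_index(ssp)
    findings = []
    for comp_uuid, href in proof_of_compliance_links(ssp):
        if href.startswith("#"):
            if href[1:] not in index:
                findings.append((comp_uuid, href, "dangling fragment: no component[@type='validation'] with that uuid"))
        else:
            parsed = urlparse(href)
            if not (parsed.scheme and parsed.netloc):
                findings.append((comp_uuid, href, "neither an absolute URL nor a local fragment reference"))
    return findings


if __name__ == "__main__":
    for name, check in (("strict (as described in the issue)", strict_check),
                        ("permissive (expected behaviour)", permissive_check)):
        print(name)
        for comp_uuid, href, msg in check(SSP_FRAGMENT):
            print(f"  component {comp_uuid}: {href!r}: {msg}")
```

Running it shows the strict check rejecting both the direct-URL component and the dangling fragment, while the permissive check rejects only the dangling fragment, which is the distinction the expected behaviour above draws between "URI data" in general and a value specifically indexed to component[@type="validation"].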

Other comments

No response

Revisions

No response

Metadata

Assignees: No one assigned

Labels: none

Type: No type

Projects: none

Status: Needs Triage

Milestone: No milestone

Relationships: None yet

Development: No branches or pull requests