Validation component index-has-key constraints do not reformat value before key lookups

[aj-stein-gsa]

Describe the bug

In the OSCAL v1.1.3 models, there are several constraints related to link[@href]s in validation components with a syntax error. Given @href should be URI or URI reference types, in the latter case "document-local" references to a back-matter/resource are URI references that must be prefixed with a #, they cannot be only a UUID. Therefore, a value that is valid from the perspective of the constraint is invalid for the data type and value that is valid for the data type will violate the constraint.

These constraints need a minor adjustment to fix the syntax error and remove a presumed # before index-has-key lookups.

https://github.com/usnistgov/OSCAL/blob/v1.1.3/src/metaschema/oscal_ssp_metaschema.xml#L618-L626

Who is the bug affecting

Engineers using OSCAL data and developers of OSCAL-enabled tooling.

What is affected by this bug

Metaschema, Modeling

How do we replicate this issue

1. Use oscal-cli to validate the following example content in a SSP.

<component uuid="11111111-0000-4000-a000-000000000001" type="hardware">
   <title>Product Name</title>
   <description>
      <p>Describe the product's function.</p>
   </description>
   <link rel="validation" href="#22222222-0000-4000-a000-000000000002" />
   <status state="operational" />
</component>
<component uuid="22222222-0000-4000-a000-000000000002" type="validation">
   <title>Validation Name</title>
   <description>
      <p>Describe the validation.</p>
   </description>
   <prop name="validation-type" value="fips-140-2" />
   <prop name="validation-reference" value="xxxx" />
   <link rel="validation-details" href="https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/xxxx" />
   <status state="operational" />
</component>

2. Review errors that

Expected behavior (i.e. solution)

1. The following data should validate and not violate a constraint to throw a error validation report.

<component uuid="11111111-0000-4000-a000-000000000001" type="hardware">
   <title>Product Name</title>
   <description>
      <p>Describe the product's function.</p>
   </description>
   <link rel="validation" href="#22222222-0000-4000-a000-000000000002" />
   <status state="operational" />
</component>
<component uuid="22222222-0000-4000-a000-000000000002" type="validation">
   <title>Validation Name</title>
   <description>
      <p>Describe the validation.</p>
   </description>
   <prop name="validation-type" value="fips-140-2" />
   <prop name="validation-reference" value="xxxx" />
   <link rel="validation-details" href="https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/xxxx" />
   <status state="operational" />
</component>

Other comments

No response

Revisions

No response

[iMichaela]

The snippet of OSCAL SSP provided in this issue is taken from a tutorial and it si valid. oscal-cli release 1.0.3 validates with no errors the sample provided:

<component uuid="11111111-0000-4000-a000-000000000001" type="hardware">
   <title>Product Name</title>
   <description>
      <p>Describe the product's function.</p>
   </description>
   <link rel="validation" href="#22222222-0000-4000-a000-000000000002" />
   <status state="operational" />
</component>
<component uuid="22222222-0000-4000-a000-000000000002" type="validation">
   <title>Validation Name</title>
   <description>
      <p>Describe the validation.</p>
   </description>
   <prop name="validation-type" value="fips-140-2" />
   <prop name="validation-reference" value="xxxx" />
   <link rel="validation-details" href="https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/xxxx" />
   <status state="operational" />
</component>

The faulty constraint definitions are not exercised since it is not using component/link[@rel='validated-by'] or component/link[@rel='proof-of-compliance'] in the component with type="validation"

Errors are returned when validating an SSP with the following information:

<component uuid="11111111-0000-4000-a000-000000000001" type="hardware">
   <title>Product Name</title>
   <description>
      <p>Describe the product's function.</p>
   </description>
   <link rel="validated-by" href="#22222222-0000-4000-a000-000000000002" />
   <status state="operational" />
</component>
<component uuid="22222222-0000-4000-a000-000000000002" type="validation">
   <title>Validation Name</title>
   <description>
      <p>Describe the validation.</p>
   </description>
   <prop name="validation-type" value="fips-140-2" />
   <prop name="validation-reference" value="xxxx" />
   <link rel="proof-of-concept" href="https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/xxxx" />
   <status state="operational" />
</component>

I agree that an href should not point to a "raw" `uuid.

[aj-stein-gsa]

I will review tomorrow morning because it seems the one thing I didn't copy-paste was the error message to reproduce the issue.

If using the older NIST variant of the CLI, it is also possible there are regressions or lacking improvements to the index key checks, but I need to update the issue to confirm with you tomorrow.