Describe the bug
I have three OSCAL profiles with two imports each.
They are valid per the specification and pass the NIST instance of the OSCAL-CLI validation.
The Metaschema OSCAL-CLI reports errors on by-ids.
- If I remove one import or the other the profile validates correctly. When both are present, this behavior persists.
- Reversing the two imported catalogs causes the errors to move to whichever catalog is imported second.
The error reported for each by-ids entry is:
[ERROR] [/Q{http://csrc.nist.gov/ns/oscal/1.0}profile/Q{http://csrc.nist.gov/ns/oscal/1.0}import[2]/Q{http://csrc.nist.gov/ns/oscal/1.0}include-controls[1]/Q{http://csrc.nist.gov/ns/oscal/1.0}with-id[100]] oscal-profile-import-has-key-include-exclude-control-id: Key reference [si-18.4] not found in index 'profile-import-index-control-id' for item at path '/profile/import[2]/include-controls[1]/with-id[100]'
Who is the bug affecting
Anyone who needs to validate a profile that imports two or more catalogs.
How do we replicate this issue
(See test files in comment below.)
- Create a profile that imports two different catalogs (ensure different control IDs)
- Include controls by ID (not Include All)
- Attempt to validate the profile with the OSCAL-CLI
Observe all IDs on the second import are flagged as invalid consistent with the example error above.
Expected behavior (i.e. solution)
A profile should be able to import more than one catalog without errors assuming the catalogs are valid OSCAL and there are no control ID conflicts.
Other comments
I suspect the index of controls for the first import is being used to validate IDs in the second import.
Describe the bug
I have three OSCAL profiles with two imports each.
They are valid per the specification and pass the NIST instance of the OSCAL-CLI validation.
The Metaschema OSCAL-CLI reports errors on
by-ids.The error reported for each
by-idsentry is:Who is the bug affecting
Anyone who needs to validate a profile that imports two or more catalogs.
How do we replicate this issue
(See test files in comment below.)
Observe all IDs on the second import are flagged as invalid consistent with the example error above.
Expected behavior (i.e. solution)
A profile should be able to import more than one catalog without errors assuming the catalogs are valid OSCAL and there are no control ID conflicts.
Other comments
I suspect the index of controls for the first import is being used to validate IDs in the second import.