NPE when resolving profile selecting catalog children controls without parent #232

Open
GaryGapinski opened this issue Feb 19, 2023 · 3 comments · May be fixed by #233
@GaryGapinski

Describe the bug

oscal-cli throws Exception in thread "main" java.lang.NullPointerException when resolving a profile.

Who is the bug affecting?

Users of oscal-cli who wish to resolve a profile.

What is affected by this bug?

oscal-cli fails during execution.

When does this occur?

macOS Ventura 13.2.1 MacBook Pro Intel hardware.

How do we replicate the issue?

Build oscal-cli using main branch of cloned repo.

Create an OSCAL profile instance document.

gapinski@flexion-mac-C02FCBVSMD6N resolver-pipeline % cat c-ce-p.xml                                                         
<?xml version="1.0" encoding="UTF-8"?>
<?xml-model href="https://github.com/usnistgov/OSCAL/raw/v1.0.4/xml/schema/oscal_complete_schema.xsd" schematypens="http://www.w3.org/2001/XMLSchema" title="OSCAL complete schema" ?>
<profile xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="3353e8e1-3eef-42ef-8163-1f71616bafca">
    <metadata>
        <title />
        <last-modified>2023-02-18T13:06:18Z</last-modified>
        <version>2023-02-18T13:06:18Z</version>
        <oscal-version>1.0.4</oscal-version>
    </metadata>
    <import href="c-ce-c.xml">
        <include-controls>
            <with-id>c1.1</with-id>
        </include-controls>
    </import>
</profile>

Create an OSCAL catalog instance document.

gapinski@flexion-mac-C02FCBVSMD6N resolver-pipeline % cat c-ce-c.xml
<?xml version="1.0" encoding="UTF-8"?>
<?xml-model href="https://github.com/usnistgov/OSCAL/raw/v1.0.4/xml/schema/oscal_complete_schema.xsd" schematypens="http://www.w3.org/2001/XMLSchema" title="OSCAL complete schema" ?>
<catalog xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="37b7acd4-ab3f-4217-99d1-2ab9e490db49">
    <metadata>
        <title />
        <last-modified>2023-02-18T13:06:18Z</last-modified>
        <version>2023-02-18T13:06:18Z</version>
        <oscal-version>1.0.4</oscal-version>
    </metadata>
    <control id="c1">
        <title />
        <control id="c1.1">
            <title />
        </control>
    </control>
</catalog>

Perform a profile resolution. Receive exception.

gapinski@flexion-mac-C02FCBVSMD6N resolver-pipeline % alias oscal-cli=/Users/gapinski/Projects/github/usnistgov/oscal-cli/cli-core/target/cli-core-0.3.2-oscal-cli/bin/oscal-cli
gapinski@flexion-mac-C02FCBVSMD6N resolver-pipeline % oscal-cli --version
oscal-cli version 0.3.2 built on 2023-02-19 12:19 on commit d652eac
OSCAL version @oscal-git.closest.tag.name@ on commit @oscal-git.commit.id.abbrev@
gapinski@flexion-mac-C02FCBVSMD6N resolver-pipeline % oscal-cli profile resolve c-ce-p.xml
Exception in thread "main" java.lang.NullPointerException
	at gov.nist.secauto.oscal.lib.profile.resolver.merge.FlatteningStructuringVisitor.visitControl(FlatteningStructuringVisitor.java:123)
	at gov.nist.secauto.oscal.lib.profile.resolver.merge.FlatteningStructuringVisitor.visitControl(FlatteningStructuringVisitor.java:55)
	at gov.nist.secauto.oscal.lib.profile.resolver.support.AbstractCatalogEntityVisitor.visitControlInternal(AbstractCatalogEntityVisitor.java:168)
	at gov.nist.secauto.oscal.lib.profile.resolver.support.AbstractCatalogVisitor.visitControlItem(AbstractCatalogVisitor.java:145)
	at gov.nist.secauto.oscal.lib.profile.resolver.support.AbstractCatalogVisitor.lambda$visitControlContainer$2(AbstractCatalogVisitor.java:127)
	at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:195)
	at java.base/java.util.AbstractList$RandomAccessSpliterator.forEachRemaining(AbstractList.java:720)
	at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484)
	at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474)
	at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:913)
	at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
	at java.base/java.util.stream.ReferencePipeline.reduce(ReferencePipeline.java:553)
	at gov.nist.secauto.oscal.lib.profile.resolver.support.AbstractCatalogVisitor.visitControlContainer(AbstractCatalogVisitor.java:129)
	at gov.nist.secauto.oscal.lib.profile.resolver.support.AbstractCatalogEntityVisitor.visitControlContainer(AbstractCatalogEntityVisitor.java:120)
	at gov.nist.secauto.oscal.lib.profile.resolver.support.AbstractCatalogVisitor.visitGroupContainer(AbstractCatalogVisitor.java:73)
	at gov.nist.secauto.oscal.lib.profile.resolver.support.AbstractCatalogEntityVisitor.visitGroupContainer(AbstractCatalogEntityVisitor.java:108)
	at gov.nist.secauto.oscal.lib.profile.resolver.support.AbstractCatalogVisitor.visitCatalog(AbstractCatalogVisitor.java:50)
	at gov.nist.secauto.oscal.lib.profile.resolver.support.AbstractCatalogEntityVisitor.visitCatalog(AbstractCatalogEntityVisitor.java:96)
	at gov.nist.secauto.oscal.lib.profile.resolver.merge.FlatteningStructuringVisitor.visitCatalog(FlatteningStructuringVisitor.java:84)
	at gov.nist.secauto.oscal.lib.profile.resolver.ProfileResolver.structureFlat(ProfileResolver.java:485)
	at gov.nist.secauto.oscal.lib.profile.resolver.ProfileResolver.handleMerge(ProfileResolver.java:449)
	at gov.nist.secauto.oscal.lib.profile.resolver.ProfileResolver.resolveProfile(ProfileResolver.java:205)
	at gov.nist.secauto.oscal.lib.profile.resolver.ProfileResolver.resolve(ProfileResolver.java:234)
	at gov.nist.secauto.oscal.lib.profile.resolver.ProfileResolver.resolve(ProfileResolver.java:219)
	at gov.nist.secauto.oscal.tools.cli.core.commands.profile.ResolveSubcommand.executeCommand(ResolveSubcommand.java:250)
	at gov.nist.secauto.oscal.tools.cli.framework.CLIProcessor.invokeCommand(CLIProcessor.java:259)
	at gov.nist.secauto.oscal.tools.cli.framework.CLIProcessor.parseCommand(CLIProcessor.java:235)
	at gov.nist.secauto.oscal.tools.cli.framework.CLIProcessor.processCommand(CLIProcessor.java:195)
	at gov.nist.secauto.oscal.tools.cli.framework.CLIProcessor.parseCommand(CLIProcessor.java:143)
	at gov.nist.secauto.oscal.tools.cli.framework.CLIProcessor.process(CLIProcessor.java:127)
	at gov.nist.secauto.oscal.tools.cli.core.CLI.parse(CLI.java:64)
	at gov.nist.secauto.oscal.tools.cli.core.CLI.main(CLI.java:46)
gapinski@flexion-mac-C02FCBVSMD6N resolver-pipeline % 

Expected behavior (i.e. solution)

A resolved profile catalog document should be produced.

Other Comments

The specimen instance documents are in the attached archive.
c-ce.zip

@GaryGapinski GaryGapinski added the bug Something isn't working label Feb 19, 2023
@aj-stein-nist aj-stein-nist self-assigned this Feb 22, 2023
@aj-stein-nist
Collaborator

I have investigated this further but I need to review the current profile resolution specification and debug further with additional test cases locally. That said, given the additional reports of usnistgov/OSCAL#1662 and usnistgov/OSCAL#1663, I might need to be straightened out to know what should change here, and what should change in XSLT, and what is correct after re-reading the specification.

Thanks again for this report.

@aj-stein-nist
Collaborator

I will be out on leave next week but will keep this assigned for the time being. If others clear the sprint board rapidly, they can feel free to pick this up.

@aj-stein-nist
Collaborator

First off, I need to transfer this issue where applicable, the core liboscal-java library, not the CLI repo itself where it currently is. I am assessing the viability of fixing this for an upcoming patch release or later after I transfer the issue. More to follow.

@aj-stein-nist aj-stein-nist transferred this issue from usnistgov/oscal-cli Feb 1, 2024
aj-stein-nist added a commit to aj-stein-nist/liboscal-java that referenced this issue Feb 1, 2024
This may be a business logic error or perhaps at one time there was/is
a valid reason, but as it stands the BasicIndexer would detect
unselected controls for resolution of the profile but only drop them
when their parent was selected for the default strategy of flattening.
For simple trees where c1 is the root control and c1.1 is the child, so
c1 -> c1.1, c1 was not being correctly removed.

NOTE: Logging indicates a double index of c1.1 even with this change
so that still needs to be fixed most likely to resolve this issue.
@aj-stein-nist aj-stein-nist changed the title oscal-cli version 0.3.2 throws exception during profile resolution NPE when resolving profile selecting catalog children controls without parent Feb 1, 2024
@aj-stein-nist aj-stein-nist moved this from Todo to In Progress in NIST OSCAL Work Board Feb 1, 2024
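
Added example (not part of the issue thread and not liboscal-java code): a small Python model of flat profile resolution over trimmed copies of the issue's two documents, comparing the drop rule described in the commit message with one that drops every unselected control. The function names and the `drop_orphans` switch are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"o": "http://csrc.nist.gov/ns/oscal/1.0"}

# Trimmed copies of the issue's c-ce-c.xml and c-ce-p.xml (metadata omitted).
CATALOG = """<catalog xmlns="http://csrc.nist.gov/ns/oscal/1.0">
  <control id="c1"><title/>
    <control id="c1.1"><title/></control>
  </control>
</catalog>"""
PROFILE = """<profile xmlns="http://csrc.nist.gov/ns/oscal/1.0">
  <import href="c-ce-c.xml">
    <include-controls><with-id>c1.1</with-id></include-controls>
  </import>
</profile>"""


def selected_ids(profile_xml):
    """Control ids named by include-controls/with-id in the profile."""
    root = ET.fromstring(profile_xml)
    path = ".//o:include-controls/o:with-id"
    return {e.text.strip() for e in root.iterfind(path, NS)}


def walk(node, parent_id=None):
    """Yield (control id, parent control id or None) in document order."""
    for control in node.findall("o:control", NS):
        yield control.get("id"), parent_id
        yield from walk(control, control.get("id"))


def flatten(catalog_xml, selected, drop_orphans=True):
    """Ids kept at the top level of a flat merge (hypothetical model).

    drop_orphans=False models the rule in the commit message: an unselected
    control is dropped only when its parent was selected, so an unselected
    root such as c1 survives. drop_orphans=True drops every unselected
    control and keeps selected descendants, whatever the parent's state.
    """
    kept = []
    for cid, parent in walk(ET.fromstring(catalog_xml)):
        if cid in selected:
            kept.append(cid)
        elif not drop_orphans and parent not in selected:
            kept.append(cid)  # unselected control leaks into the output
    return kept


if __name__ == "__main__":
    ids = selected_ids(PROFILE)
    print("commit-message rule:", flatten(CATALOG, ids, drop_orphans=False))
    print("drop all unselected:", flatten(CATALOG, ids))
```
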