When oscal cli crashes during runtime, it does not produce sarif output #67

Closed
wandmagic opened this issue Oct 30, 2024 · 0 comments · Fixed by #68
Labels
bug Something isn't working

Comments

@wandmagic

Describe the bug

When the OSCAL CLI encounters a runtime error and crashes, it fails to generate the expected SARIF (Static Analysis Results Interchange Format) output file, leaving users without error analysis data.

Who is the bug affecting?

Security engineers, compliance analysts, and developers who use OSCAL CLI for security control assessment automation and need SARIF output for their tooling and analysis pipelines.

What is affected by this bug?

- Automated security analysis workflows that depend on SARIF output
- Integration with other security tools expecting SARIF format
- Error tracking and debugging capabilities
- Compliance verification processes

When does this occur?

The issue occurs under the following conditions:

- During OSCAL CLI runtime execution
- When the CLI encounters an unhandled exception or crashes
- Instead of gracefully failing and producing partial SARIF output, the process terminates without generating any output file

Run unit tests on this branch to reproduce:
GSA/fedramp-automation#736

How do we replicate the issue?

- Have a constraint with a metapath that causes a runtime error
- Execute validation

[Screenshot 2024-10-30 at 11:25:15 AM]

Expected behavior (i.e. solution)

Even when encountering a runtime error, the OSCAL CLI should:

- Catch the exception gracefully
- Generate a SARIF file containing:
  - Information about the error that caused the crash
  - Any validation results collected up to the point of failure
  - Stack trace or relevant debug information
- Exit with an appropriate error code while still preserving output

Other Comments

- This impacts the reliability of automated testing pipelines
- Consider implementing a try-catch mechanism around the SARIF output generation
- Partial SARIF output would be more useful than no output at all
- Related to error handling and graceful degradation of the CLI tool
