Description
Describe the bug
As discussed with @david-waltermire earlier in the week, it appears that oscal-cli's use of the SARIF output capabilities of the libraries is leading to duplicate error reports for a constraint violation with v1.1.2 of the OSCAL models and the most recent release of the CLI, specifically for metaschema meta-constraints that target a target from a context with two metapath targets that evaluate the same allowed-values rules. I have been unable to reproduce this bug with a smaller notional model for the bug report.
The OSCAL model and the relevant constraint, security-level, are in this branch from a downstream project:
https://github.com/aj-stein-gsa/fedramp-automation/tree/772-pipe-operator-bug-repro
Who is the bug affecting
Proper reporting of constraint validation errors
How do we replicate this issue
- Check out the above branch of OSCAL code from the fork.
- Run npm init and npm run constraint security-level.
- Review the output in the following path of that repo: sarif/ssp-security-level-INVALID.sarif
- Review the error output and see that some rule errors in the SARIF are duplicated for security-level at the same path. In some cases rules are reported with errors missing a ruleId even though it is defined in the constraint.
Expected behavior (i.e. solution)
Relevant errors should be reported only once; they are now reported twice in some cases.
Other comments
No response