Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Usage of $ref to point to external OSCAL Catalogs causing errors #104

Open
pjavan opened this issue Aug 31, 2024 · 2 comments
Open

Usage of $ref to point to external OSCAL Catalogs causing errors #104

pjavan opened this issue Aug 31, 2024 · 2 comments

Comments

@pjavan
Copy link

pjavan commented Aug 31, 2024
edited
Loading

Describe the problem
Current usage of $ref is attempting to point to external OSCAL schemas that are not OpenAPI formatted. $ref attempts to import the specific OpenAPI schema and results in an error in various tools and number of the sources are valid JSON schemas, but not OpenAPI.

Example Starting at Line 13623. In this example, the reference must be a valid OpenAPI formatted to be imported correctly.

  "components": {
    "schemas": {
      "OSCALCatalog": {
        "type": "object",
        "properties": {
          "catalog": {
            "$ref": "https://raw.githubusercontent.com/EasyDynamics/OSCAL/json-schema-ref-by-path/json/schema/oscal_catalog_schema.json#/definitions/assembly_oscal-catalog_catalog"
          }
        }

Additional context
Tested in VSCode with OpenAPI (Swagger) Editor and Doc360 API Import resulted in reference error. These components are being referenced in other areas without warning but suspect any real schema resolution is not working properly.

        "requestBody": {
          "required" : true,
          "content" : 
            {
              "application/json" : {
                "schema" : {
                  "$ref" : "#/components/schemas/OSCALCatalog"
                }
              },

Proposed solution
Instead of Reference Object being used, External Documentation Object should be used to reference an external, non OpenAPI JSON file.

Proposed reference to external documentation:

  "components": {
    "schemas": {
      "OSCALCatalog": {
        "type": "object",
        "properties": {
            "externalDocs": {
                "type": "object",
                "properties": {
                    "description": {
                        "type": "string",
                        "default": "OSCAL JSON Catalog Schema"
                    },
                    "url": {
                        "type" :"string",
                        "format": "uri",
                        "default": "https://raw.githubusercontent.com/EasyDynamics/OSCAL/json-schema-ref-by-path/json/schema/oscal_catalog_schema.json#/definitions/assembly_oscal-catalog_catalog"
                    }
                },
                "required": ["url"]        
            }
          }
        },
DonaldBradleyDev added a commit to DonaldBradleyDev/oscal-rest that referenced this issue Sep 3, 2024
@DonaldBradleyDev
see EasyDynamics#104
817eb99 
Fixed all issues in Swagger Editor and issue 104.
brian-comply0 pushed a commit that referenced this issue Sep 3, 2024
@DonaldBradleyDev
see #104 Fixed all issues in Swagger Editor and issue 104. (#106)
8a72be4 
**Swagger Editor Issues:**
1. When I opened the file in Swagger Editor, I noticed three errors in
the inspector.
- The first error was resolved by changing the `openapi` version from
`3.1.0` to `3.0.0` or `3.1.1`. If you want to keep version `3.1.0`, it
needs to be updated to `3.1.1`. According to the official OpenAPI
documentation, there's no difference between the two versions.
- The second error was a semantic issue: **GET operations cannot have a
requestBody.** I fixed this by removing the requestBody in line 1688.
- The third issue was a structural error: **additionalProperty: ref$**.
I corrected this by changing `ref$` to `$ref` in line 14355.

**Issue 104:**
In OpenAPI, external URLs should be approved for reference. To meet this
requirement, I added `https://raw.githubusercontent.com` to the servers
section of the specification at line 25.
@fulldev0418
Copy link

fulldev0418 commented Sep 3, 2024
edited
Loading

The issue arises because the OpenAPI specification expects $ref to point to OpenAPI-formatted schemas, but the current usage is referencing external OSCAL JSON schemas that are not in OpenAPI format. This causes errors in various tools that expect OpenAPI-compliant references.

To resolve this issue, we need to modify the schema definitions in the components section. Instead of using $ref to directly reference external schemas, we should define the schema structure within the OpenAPI document and use externalDocs to provide a link to the full OSCAL schema for additional information.

Here's where you should update the code:

  1. Starting at line 13623, replace the OSCALCatalog schema definition with:
"OSCALCatalog": {
  "type": "object",
  "properties": {
    "catalog": {
      "type": "object",
      "description": "OSCAL Catalog",
      "externalDocs": {
        "description": "Full OSCAL Catalog Schema",
        "url": "https://raw.githubusercontent.com/EasyDynamics/OSCAL/json-schema-ref-by- path/json/schema/oscal_catalog_schema.json#/definitions/assembly_oscal-catalog_catalog"
      }
    }
  }
}
  1. Similarly, update the other schema definitions (OSCALProfile, OSCALComponentDefinition, etc.) following the same pattern.
  2. For the XML versions of schemas (like OSCALCatalogXML), we can use:
"OSCALCatalogXML": {
  "type": "object",
  "description": "OSCAL Catalog in XML format",
  "externalDocs": {
    "description": "Full OSCAL Catalog Schema",
    "url": "https://raw.githubusercontent.com/EasyDynamics/OSCAL/json-schema-ref-by-path/json/schema/oscal_catalog_schema.json#/definitions/assembly_oscal-catalog_catalog"
  },
  "xml": {
    "name": "catalog"
  }
}

By making these changes, we are defining the basic structure of the schemas within the OpenAPI document while providing links to the full OSCAL schemas for reference. This approach can resolve the issues with tools that expect OpenAPI-compliant references while still maintaining the connection to the detailed OSCAL schemas.

@bluepinepcs810
Copy link

Instead of Reference Object being used, External Documentation Object should be used to reference an external.
In order to do it, you have to add some domain approved hostnames in the OpenAPI file.
In OpenAPI, specifying domain-approved hostnames can be done in the servers section of the specification.
The servers section lists one or more server URLs that your API can be accessed through, which effectively represent the domain-approved hostnames.

You have to add your external object url (https://raw.githubusercontent.com/EasyDynamics/OSCAL) in the server list of OpenAPI file.
You can see the server tag in the head part of file.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@pjavan @bluepinepcs810 @fulldev0418