compliance-framework · jonathandavies-CS · Oct 15, 2025 · Oct 15, 2025 · Oct 15, 2025 · Oct 15, 2025
diff --git a/go.mod b/go.mod
@@ -12,6 +12,7 @@ require (
 	github.com/labstack/echo-contrib v0.17.4
 	github.com/labstack/echo/v4 v4.13.3
 	github.com/prometheus/client_golang v1.22.0
+	github.com/santhosh-tekuri/jsonschema v1.2.4
 	github.com/schollz/progressbar/v3 v3.18.0
 	github.com/spf13/cobra v1.9.1
 	github.com/spf13/viper v1.20.1

diff --git a/go.sum b/go.sum
@@ -342,6 +342,8 @@ github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/sagikazarmark/locafero v0.7.0 h1:5MqpDsTGNDhY8sGp0Aowyf0qKsPrhewaLSsFaodPcyo=
 github.com/sagikazarmark/locafero v0.7.0/go.mod h1:2za3Cg5rMaTMoG/2Ulr9AwtFaIppKXTRYnozin4aB5k=
+github.com/santhosh-tekuri/jsonschema v1.2.4 h1:hNhW8e7t+H1vgY+1QeEQpveR6D4+OwKPXCfD2aieJis=
+github.com/santhosh-tekuri/jsonschema v1.2.4/go.mod h1:TEAUOeZSmIxTTuHatJzrvARHiuO9LYd+cIxzgEHCQI4=
 github.com/santhosh-tekuri/jsonschema/v6 v6.0.1 h1:PKK9DyHxif4LZo+uQSgXNqs0jj5+xZwwfKHgph2lxBw=
 github.com/santhosh-tekuri/jsonschema/v6 v6.0.1/go.mod h1:JXeL+ps8p7/KNMjDQk3TCwPpBy0wYklyWTfbkIzdIFU=
 github.com/schollz/progressbar/v3 v3.18.0 h1:uXdoHABRFmNIjUfte/Ex7WtuyVslrw2wVPQmCN62HpA=

diff --git a/internal/api/error.go b/internal/api/error.go
@@ -28,7 +28,7 @@ func NewError(err error) Error {
 	return e
 }
 
-func Validator(err error, invalidObj any) Error {
+func FormatTagValidationError(err error, invalidObj any) Error {
 	e := Error{}
 	e.Errors = make(map[string]interface{})
 	var errs validator.ValidationErrors
@@ -62,6 +62,10 @@ func Validator(err error, invalidObj any) Error {
 	return e
 }
 
+func FormatOscalValidatorError(errors map[string]any) Error {
+	return Error{Errors: errors}
+}
+
 func AccessForbidden() Error {
 	e := Error{}
 	e.Errors = make(map[string]any)

diff --git a/internal/api/handler/evidence.go b/internal/api/handler/evidence.go
@@ -179,7 +179,7 @@ func (h *EvidenceHandler) Create(ctx echo.Context) error {
 
 	err := ctx.Validate(input)
 	if err != nil {
-		return ctx.JSON(http.StatusBadRequest, api.Validator(err, input))
+		return ctx.JSON(http.StatusBadRequest, api.FormatTagValidationError(err, input))
 	}
 
 	components := []relational.SystemComponent{}

diff --git a/internal/api/handler/filter.go b/internal/api/handler/filter.go
@@ -137,7 +137,7 @@ func (h *FilterHandler) Create(ctx echo.Context) error {
 		return ctx.JSON(http.StatusBadRequest, api.NewError(err))
 	}
 	if err := ctx.Validate(req); err != nil {
-		return ctx.JSON(http.StatusBadRequest, api.Validator(err, req))
+		return ctx.JSON(http.StatusBadRequest, api.FormatTagValidationError(err, req))
 	}
 
 	filter := relational.Filter{
@@ -191,7 +191,7 @@ func (h *FilterHandler) Update(ctx echo.Context) error {
 		return ctx.JSON(http.StatusBadRequest, api.NewError(err))
 	}
 	if err := ctx.Validate(req); err != nil {
-		return ctx.JSON(http.StatusBadRequest, api.Validator(err, req))
+		return ctx.JSON(http.StatusBadRequest, api.FormatTagValidationError(err, req))
 	}
 
 	var filter relational.Filter

diff --git a/internal/api/handler/heartbeat.go b/internal/api/handler/heartbeat.go
@@ -55,7 +55,7 @@ func (h *HeartbeatHandler) Create(ctx echo.Context) error {
 
 	err := ctx.Validate(heartbeat)
 	if err != nil {
-		return ctx.JSON(http.StatusBadRequest, api.Validator(err, heartbeat))
+		return ctx.JSON(http.StatusBadRequest, api.FormatTagValidationError(err, heartbeat))
 	}
 
 	if err := h.db.Create(&service.Heartbeat{

diff --git a/internal/api/handler/oscal/activity.go b/internal/api/handler/oscal/activity.go
@@ -12,6 +12,7 @@ import (
 
 	"github.com/compliance-framework/api/internal/api"
 	"github.com/compliance-framework/api/internal/api/handler"
+	"github.com/compliance-framework/api/internal/oscalvalidator"
 	"github.com/compliance-framework/api/internal/service/relational"
 	oscalTypes_1_1_3 "github.com/defenseunicorns/go-oscal/src/types/oscal-1-1-3"
 )
@@ -36,20 +37,6 @@ func (h *ActivityHandler) Register(api *echo.Group) {
 	api.DELETE("/:id", h.DeleteActivity)
 }
 
-// validateActivityInput validates activity input
-func (h *ActivityHandler) validateActivityInput(activity *oscalTypes_1_1_3.Activity) error {
-	if activity.UUID == "" {
-		return fmt.Errorf("UUID is required")
-	}
-	if _, err := uuid.Parse(activity.UUID); err != nil {
-		return fmt.Errorf("invalid UUID format: %v", err)
-	}
-	if activity.Description == "" {
-		return fmt.Errorf("description is required")
-	}
-	return nil
-}
-
 // CreateActivity godoc
 //
 //	@Summary		Create an Activity
@@ -70,10 +57,13 @@ func (h *ActivityHandler) CreateActivity(ctx echo.Context) error {
 		return ctx.JSON(http.StatusBadRequest, api.NewError(err))
 	}
 
-	// Validate input
-	if err := h.validateActivityInput(&activity); err != nil {
+	errMap, err := oscalvalidator.ValidateOscalAgainstSchema(activity, "oscal-complete-oscal-assessment-common", "activity")
+	if err != nil {
 		return ctx.JSON(http.StatusBadRequest, api.NewError(err))
 	}
+	if errMap != nil {
+		return ctx.JSON(http.StatusBadRequest, api.FormatOscalValidatorError(errMap))
+	}
 
 	// Convert to relational model
 	relationalActivity := &relational.Activity{}
@@ -151,11 +141,6 @@ func (h *ActivityHandler) UpdateActivity(ctx echo.Context) error {
 		return ctx.JSON(http.StatusBadRequest, api.NewError(err))
 	}
 
-	// Validate input
-	if err := h.validateActivityInput(&activity); err != nil {
-		return ctx.JSON(http.StatusBadRequest, api.NewError(err))
-	}
-
 	// Load the existing activity (with steps)
 	var dbActivity relational.Activity
 	if err := h.db.Preload("Steps").First(&dbActivity, "id = ?", id).Error; err != nil {

diff --git a/internal/api/handler/oscal/activity_integration_test.go b/internal/api/handler/oscal/activity_integration_test.go
@@ -189,3 +189,15 @@ func (suite *ActivityApiIntegrationSuite) TestUpdateActivityRemovesSteps() {
 	suite.Require().NotNil(resp.Data, "No activity returned from get")
 	suite.Require().Len(*resp.Data.Steps, 1)
 }
+
+// Test that updating steps in an activity does not currently update the database (expected to fail)
+func (suite *ActivityApiIntegrationSuite) TestCreateInvalidActivity() {
+	// Create an activity with initial steps
+	activity := &oscalTypes_1_1_3.Activity{
+		UUID: "bad",
+	}
+
+	rec, req := suite.createRequest(http.MethodPost, "/api/oscal/activities", activity)
+	suite.server.E().ServeHTTP(rec, req)
+	suite.Require().Equal(http.StatusBadRequest, rec.Code, "Failed to create activity")
+}
diff --git a/internal/api/handler/oscal/assessment_results.go b/internal/api/handler/oscal/assessment_results.go
@@ -15,6 +15,7 @@ import (
 
 	"github.com/compliance-framework/api/internal/api"
 	"github.com/compliance-framework/api/internal/api/handler"
+	"github.com/compliance-framework/api/internal/oscalvalidator"
 	"github.com/compliance-framework/api/internal/service/relational"
 	oscalTypes_1_1_3 "github.com/defenseunicorns/go-oscal/src/types/oscal-1-1-3"
 )
@@ -116,29 +117,6 @@ func (h *AssessmentResultsHandler) Register(api *echo.Group) {
 	api.DELETE("/:id/back-matter/resources/:resourceId", h.DeleteBackMatterResource)
 }
 
-// validateAssessmentResultsInput validates Assessment Results input following OSCAL requirements
-func (h *AssessmentResultsHandler) validateAssessmentResultsInput(ar *oscalTypes_1_1_3.AssessmentResults) error {
-	if ar.UUID == "" {
-		return fmt.Errorf("UUID is required")
-	}
-	if _, err := uuid.Parse(ar.UUID); err != nil {
-		return fmt.Errorf("invalid UUID format: %v", err)
-	}
-	if ar.Metadata.Title == "" {
-		return fmt.Errorf("metadata.title is required")
-	}
-	if ar.Metadata.Version == "" {
-		return fmt.Errorf("metadata.version is required")
-	}
-	if ar.ImportAp.Href == "" {
-		return fmt.Errorf("import-ap.href is required")
-	}
-	if len(ar.Results) == 0 {
-		return fmt.Errorf("at least one result is required")
-	}
-	return nil
-}
-
 // validateResultInput validates Result input
 func (h *AssessmentResultsHandler) validateResultInput(result *oscalTypes_1_1_3.Result) error {
 	if result.UUID == "" {
@@ -327,6 +305,8 @@ func (h *AssessmentResultsHandler) Full(ctx echo.Context) error {
 		Preload("Results.Observations").
 		Preload("Results.Risks").
 		Preload("Results.Findings").
+		Preload("Results.ReviewedControls").
+		Preload("Results.ReviewedControls.ControlSelections").
 		Preload("BackMatter").
 		Preload("BackMatter.Resources").
 		First(&ar, "id = ?", id).Error; err != nil {
@@ -359,17 +339,21 @@ func (h *AssessmentResultsHandler) Create(ctx echo.Context) error {
 		return ctx.JSON(http.StatusBadRequest, api.NewError(err))
 	}
 
-	// Validate input
-	if err := h.validateAssessmentResultsInput(&oscalAR); err != nil {
-		h.sugar.Warnw("Invalid assessment results input", "error", err)
+	now := time.Now()
+
+	oscalAR.Metadata.LastModified = now
+	oscalAR.Metadata.OscalVersion = versioning.GetLatestSupportedVersion()
+
+	errMap, err := oscalvalidator.ValidateOscalAgainstSchema(oscalAR, "oscal-complete-oscal-ar", "assessment-results")
+	if err != nil {
 		return ctx.JSON(http.StatusBadRequest, api.NewError(err))
 	}
+	if errMap != nil {
+		return ctx.JSON(http.StatusBadRequest, api.FormatOscalValidatorError(errMap))
+	}
 
-	now := time.Now()
 	relAR := &relational.AssessmentResult{}
 	relAR.UnmarshalOscal(oscalAR)
-	relAR.Metadata.LastModified = &now
-	relAR.Metadata.OscalVersion = versioning.GetLatestSupportedVersion()
 
 	if err := h.db.Create(relAR).Error; err != nil {
 		h.sugar.Errorf("Failed to create assessment results: %v", err)
@@ -408,11 +392,18 @@ func (h *AssessmentResultsHandler) Update(ctx echo.Context) error {
 		return ctx.JSON(http.StatusBadRequest, api.NewError(err))
 	}
 
-	// Validate required fields
-	if err := h.validateAssessmentResultsInput(&oscalAR); err != nil {
-		h.sugar.Warnw("Invalid assessment results input", "error", err)
+	now := time.Now()
+
+	oscalAR.Metadata.LastModified = now
+	oscalAR.Metadata.OscalVersion = versioning.GetLatestSupportedVersion()
+
+	errMap, err := oscalvalidator.ValidateOscalAgainstSchema(oscalAR, "oscal-complete-oscal-ar", "assessment-results")
+	if err != nil {
 		return ctx.JSON(http.StatusBadRequest, api.NewError(err))
 	}
+	if errMap != nil {
+		return ctx.JSON(http.StatusBadRequest, api.FormatOscalValidatorError(errMap))
+	}
 
 	// Begin a transaction
 	tx := h.db.Begin()
@@ -433,7 +424,6 @@ func (h *AssessmentResultsHandler) Update(ctx echo.Context) error {
 	}
 
 	// Update assessment results
-	now := time.Now()
 	relAR := &relational.AssessmentResult{}
 	relAR.UnmarshalOscal(oscalAR)
 	relAR.ID = &id // Ensure ID is set correctly

diff --git a/internal/api/handler/oscal/assessment_results_integration_test.go b/internal/api/handler/oscal/assessment_results_integration_test.go
@@ -91,7 +91,8 @@ func (suite *AssessmentResultsApiIntegrationSuite) createBasicAssessmentResults(
 				Description: "Test result description",
 				Start:       time.Now(),
 				ReviewedControls: oscaltypes.ReviewedControls{
-					Description: "Controls reviewed",
+					Description:       "Controls reviewed",
+					ControlSelections: []oscaltypes.AssessedControls{{Description: "Test assessed control"}},
 				},
 			},
 		},
@@ -109,8 +110,10 @@ func (suite *AssessmentResultsApiIntegrationSuite) TestCreateAssessmentResults()
 	testAR := oscaltypes.AssessmentResults{
 		UUID: uuid.New().String(),
 		Metadata: oscaltypes.Metadata{
-			Title:   "Test Assessment Results",
-			Version: "1.0.0",
+			Title:        "Test Assessment Results",
+			Version:      "1.0.0",
+			LastModified: time.Now(),
+			OscalVersion: "1.1.3",
 		},
 		ImportAp: oscaltypes.ImportAp{
 			Href: "https://example.com/assessment-plan.json",
@@ -122,7 +125,8 @@ func (suite *AssessmentResultsApiIntegrationSuite) TestCreateAssessmentResults()
 				Description: "Test result description",
 				Start:       time.Now(),
 				ReviewedControls: oscaltypes.ReviewedControls{
-					Description: "Controls reviewed",
+					Description:       "Controls reviewed",
+					ControlSelections: []oscaltypes.AssessedControls{{Description: "Test assessed control"}},
 				},
 			},
 		},
@@ -456,7 +460,18 @@ func (suite *AssessmentResultsApiIntegrationSuite) TestCreateAssessmentResultsWi
 		ImportAp: oscaltypes.ImportAp{
 			Href: "https://example.com/ap.json",
 		},
-		Results: []oscaltypes.Result{},
+		Results: []oscaltypes.Result{
+			{
+				UUID:        uuid.New().String(),
+				Title:       "Test Result",
+				Description: "Test result description",
+				Start:       time.Now(),
+				ReviewedControls: oscaltypes.ReviewedControls{
+					Description:       "Controls reviewed",
+					ControlSelections: []oscaltypes.AssessedControls{{Description: "Test assessed control"}},
+				},
+			},
+		},
 	}
 	rec, req := suite.createRequest(http.MethodPost, "/api/oscal/assessment-results", invalidAR)
 	suite.server.E().ServeHTTP(rec, req)
@@ -504,7 +519,8 @@ func (suite *AssessmentResultsApiIntegrationSuite) TestUpdateNonExistentAssessme
 				Description: "Test result description",
 				Start:       time.Now(),
 				ReviewedControls: oscaltypes.ReviewedControls{
-					Description: "Controls reviewed",
+					Description:       "Controls reviewed",
+					ControlSelections: []oscaltypes.AssessedControls{{Description: "Test assessed control"}},
 				},
 			},
 		},
@@ -1181,7 +1197,7 @@ func (suite *AssessmentResultsApiIntegrationSuite) TestResultAssociationEndpoint
 				Description: "Initial result for testing",
 				Start:       time.Now().Add(-2 * time.Hour),
 				ReviewedControls: oscaltypes.ReviewedControls{
-					ControlSelections: []oscaltypes.AssessedControls{},
+					ControlSelections: []oscaltypes.AssessedControls{{Description: "Test assessed control"}},
 				},
 			},
 		},
@@ -1407,7 +1423,7 @@ func (suite *AssessmentResultsApiIntegrationSuite) TestGetAllObservationsRisksFi
 				Description: "First result with observations",
 				Start:       time.Now().Add(-2 * time.Hour),
 				ReviewedControls: oscaltypes.ReviewedControls{
-					ControlSelections: []oscaltypes.AssessedControls{},
+					ControlSelections: []oscaltypes.AssessedControls{{Description: "Test assessed control"}},
 				},
 			},
 			{
@@ -1416,7 +1432,7 @@ func (suite *AssessmentResultsApiIntegrationSuite) TestGetAllObservationsRisksFi
 				Description: "Second result with risks",
 				Start:       time.Now().Add(-1 * time.Hour),
 				ReviewedControls: oscaltypes.ReviewedControls{
-					ControlSelections: []oscaltypes.AssessedControls{},
+					ControlSelections: []oscaltypes.AssessedControls{{Description: "Test assessed control"}},
 				},
 			},
 		},