$ODV value not replaced correctly in nested dict #82

Closed
opened 2026-01-19 18:29:10 +00:00 by michael · 1 comment
Owner

Originally created by @adrian-ib on GitHub.

Originally assigned to: @brodjieski on GitHub.

Summary

$ODV value not replaced correctly in nested dict

Steps to reproduce

  1. git checkout sonoma
  2. run: ./scripts/generate_guidance.py -p baselines/DISA-STIG.yaml
  3. check generated profile: com.apple.mobiledevice.passwordpolicy.plist
  4. The key customRegex is incorrect

What is the current bug behavior?

The profile com.apple.mobiledevice.passwordpolicy.plist is not generated correctly:

```
<dict>
	<key>customRegex</key>
	<string>^(?=.*[A-Z])(?=.*[a-z]).*$</string>
	<key>maxFailedAttempts</key>
	<integer>3</integer>
	<key>maxPINAgeInDays</key>
	<integer>60</integer>
	<key>minComplexChars</key>
	<integer>1</integer>
	<key>minLength</key>
	<integer>14</integer>
	<key>minutesUntilFailedLoginReset</key>
	<integer>15</integer>
	<key>pinHistory</key>
	<integer>5</integer>
	<key>requireAlphanumeric</key>
	<true/>
</dict>
```

What is the expected correct behavior?

If the same profile is generated in the main branch instead of the sonoma branch it works properly:

```
<dict>
	<key>customRegex</key>
	<dict>
		<key>passwordContentDescription</key>
		<dict>
			<key>default</key>
			<string>Password must match custom regex.</string>
		</dict>
		<key>passwordContentRegex</key>
		<string>^(?=.*[A-Z])(?=.*[a-z]).*$</string>
	</dict>
	<key>maxFailedAttempts</key>
	<integer>3</integer>
	<key>maxPINAgeInDays</key>
	<integer>60</integer>
	<key>minComplexChars</key>
	<integer>1</integer>
	<key>minLength</key>
	<integer>14</integer>
	<key>minutesUntilFailedLoginReset</key>
	<integer>15</integer>
	<key>pinHistory</key>
	<integer>5</integer>
	<key>requireAlphanumeric</key>
	<true/>
</dict>
```

Possible fixes

Take into account nested dicts when replacing the $ODV value
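
The nested replacement suggested under "Possible fixes", as an added example that is not code from the macos_security scripts: it substitutes `$ODV` at any depth and refuses to emit a plist whose nested keys were flattened, which is the symptom shown for `customRegex`. The names `substitute_odv`, `flattened_paths`, `render_plist` and `PAYLOAD` are assumptions, and the template is constructed from the expected plist in the issue.

```python
import plistlib

ODV_TOKEN = "$ODV"
REGEX = "^(?=.*[A-Z])(?=.*[a-z]).*$"  # ODV value, as shown in the issue

# Constructed template: shape copied from the expected plist in the issue.
PAYLOAD = {
    "customRegex": {
        "passwordContentDescription": {"default": "Password must match custom regex."},
        "passwordContentRegex": ODV_TOKEN,
    },
    "maxFailedAttempts": 3,
    "minLength": 14,
    "requireAlphanumeric": True,
}

def substitute_odv(value, odv):
    """Return a copy of value with $ODV replaced at any nesting depth."""
    if isinstance(value, dict):
        return {k: substitute_odv(v, odv) for k, v in value.items()}
    if isinstance(value, list):
        return [substitute_odv(v, odv) for v in value]
    if isinstance(value, str):
        if value == ODV_TOKEN:
            return odv  # whole-value placeholder keeps the ODV's own type
        return value.replace(ODV_TOKEN, str(odv))
    return value  # ints, bools and other scalars pass through untouched

def flattened_paths(template, rendered, path=""):
    """Key paths where the template holds a dict but the rendered payload does not."""
    bad = []
    for key, tval in template.items():
        if isinstance(tval, dict):
            rval = rendered.get(key) if isinstance(rendered, dict) else None
            if isinstance(rval, dict):
                bad.extend(flattened_paths(tval, rval, f"{path}/{key}"))
            else:
                bad.append(f"{path}/{key}")
    return bad

def render_plist(template, odv):
    """Substitute, verify the nesting survived, then serialize to XML plist bytes."""
    rendered = substitute_odv(template, odv)
    bad = flattened_paths(template, rendered)
    if bad:
        raise ValueError(f"nested payload keys flattened: {bad}")
    return plistlib.dumps(rendered)

if __name__ == "__main__":
    print(render_plist(PAYLOAD, REGEX).decode())
```

Running `flattened_paths` against a generated profile in CI catches this class of regression before a weakened password policy payload ships.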

Author
Owner

@robertgendler commented on GitHub:

Regression from syncing branches and our silly system. Fixed now.


Reference: usnistgov/macos_security#82