All directory references are local to the fedramp-automation/src/validations
bin
has the validation script.docs/adr
has a list of Architectural Decision Records in which the product team documented technical decisions for the project.report/test
for XSpec and SCH test outputsreport/schematron
for the final validations in Schematron SVRL reporting format.rules
has the Schematron files for the SSP.styleguides
for XSpec and Schematron styling Schematron.target
for intermediary and complied artifacs, e.g. XSLT stylesheets, etc.test
for any XSpec or other testing artifacts.test/demo
has the demo XML file.
Prerequesite: To ensure that you have all required dependencies (see .gitmodules), run the following command:
git submodule update --init --recursive
The command is:
./bin/validate_with_schematron.sh
It has many optional parameters. If the command is run without any parameters, it will download the Saxon HE JAR file in the vendor
directory.
The validation command has many parameters; all parameters are optional.
-f fileName
is the input file to be tested, ex: -f test/demo/FedRAMP-SSP-OSCAL-Template.xml
. If omitted, the XSLT transform will be compiled, but it will not be applied to a document.
-s directoryName
Schematron directory used to validate the file, ex: -o ~/mySchematronDirectory
. Each .sch
document found within the specified directory will be compliled and generate a separate report. If omitted, defaults to the src relative to the parent of the bin directory where this script is located.
-o outputRootDirectory
is the root directory of the report output, ex: -o ~/dev/report
.
-v saxonVersionNumber
is used to override the default version (currently 10.8) of SAXON HE
, that is downloaded and used if SAXON_CP
is not specified, ex: -v 10.2
. Note that if SAXON_CP
is set as an environment variable and this parameter is specified, then the script will terminate due to inability to determine priority.
-b baseDirectory
specifies the base directory of the location of this project (for relative references to target, bin
and dependencies like OSCAL definiitions), ex: -b /dev/fedramp-automation/resources/validations
. If omitted, defaults to the current directory.
-t
is used to skip the Schematron compilation and used for tranform-only.
-h
outputs the help/usage for the script.
A typical usage of the validation command:
./bin/validate_with_schematron.sh -f ./test/demo/FedRAMP-SSP-OSCAL-Template.xml -o ~/dev/report
Using the command with a different version of Saxon HE. Note that you must download the different version first.
./bin/validate_with_schematron.sh -v 10.8
./bin/validate_with_schematron.sh -f test/demo/FedRAMP-SSP-OSCAL-Template.xml -o ~/dev/report -v 10.8
Alternatively, you can also use docker compose
to execute the validation script, like so:
docker compose run \
-w /root/src/validations \
validator \
./bin/validate_with_schematron.sh -f ./test/demo/FedRAMP-SSP-OSCAL-Template.xml
Unit tests consist of:
- src/validations/test/*.xspec
- src/validations/styleguides/sch.sch
A make target is provided to run all unit tests:
# If you haven't done so previously: initialize your workspace.
make init
# Run xspec and Schematron tests
make test-validations
Alternately, you may follow the instructions below to run the tests manually.
Run the unit tests from with ./fedramp-automation/src/validations
directory. The SAXON_CP
and TEST_DIR
environment variables must be set to the Saxon HE and test report directories, respectively. Note that you may choose to run your preferred version of the Saxon HE JAR file.
The following code assumes that the user is in the ./fedramp-automation/src/validations
directory.
export SAXON_CP=$(pwd)/../../vendor/Saxon-HE-10.5.jar
export TEST_DIR=$(pwd)/report/test
../../vendor/xspec/bin/xspec.sh -s -j test/test_all.xspec
The JUnit XML report will be stored in the path set in the TEST_DIR
environment variable.
Alternatively, you can also use docker compose
to execute the test harness, like so:
docker compose run \
-w /root/src/validations \
validator \
/root/vendor/xspec/bin/xspec.sh -s -j ./test/test_all.xspec
To add new tests, add an import to the ./test/test_all.xpec
file. For example:
<x:description schematron="../rules/ssp.sch"
xmlns:x="http://www.jenitennison.com/xslt/xspec">
<x:import href="ssp.xspec" />
<x:import href="new_test.xspec" />
</x:description>
OSCAL has abstract information models that are converted into concrete data models into XML and JSON.
As a developer, you can look at individual OSCAL files that must conform to schemas for these data models, including SSPs, Components, SAPs, SARs, and POA&Ms. However, looking at individual examples for each respective model will be exhaustive and time-consuming.
The schemas for the models themselves are designed and programmatically designed, cross-referenced between JSON and XML, and generated with appropriate schema validation tools by way of the NIST Metaschema project. Therefore, it is most prudent to focus analysis on the changes in the version-controlled Metaschema declarations, as they define the abstract information model. This information model is used to generate concrete data models in JSON and XML, to be validated by JSON Schema and XSD, respectively.
Developers ought to review the following relevant information sources, in order of least to most effort.
- Release notes from the NIST OSCAL Development Team, where they summarize model changes in their own words from version to version.
- XSLT "up-convert" transforms give specific declarative detail on how to modify the OSCAL XML data models.
- The source code of the Metaschema models, filtering on the release tags. Developers can use the Github web interface to compare Metaschema files, such as this example comparison between release candidate versions
1.0.0-rc1
and1.0.0-rc2
. Focus on the files in thesrc/metaschema
directory.
Per 18F/fedramp-automation#61, programmatic diff utilities to semantically analyze the differences between OSCAL versions requires resources not available at this time.
When contributing, please use the following indentation and formatting settings. Formatting options are chosen for readability, and for clean git diffs.
For Oxygen XML Editor:
- Indent size 4
- 150 character line width (folding threshold)
- Preserve empty lines
- Preserve line breaks in attributes
- Indent inline elements
- Sort attributes
- Add space before slash in empty elements
- Break line before an attribute name
An XSL transform sample-ssp.xsl
can be used to produce a (rather rudimentary) OSCAL SSP document in XML form. The transform uses one of the resolved catalogs as input.
Saxon-PE or Saxon-EE is required (such as within oXygen XML Editor). Saxon-HE is not supported, due to extension usage.