From ade02452952cebf07978be5a43ba4631e7b19e15 Mon Sep 17 00:00:00 2001 From: David Waltermire Date: Thu, 9 Dec 2021 08:39:33 -0500 Subject: [PATCH] Release 1.0 metaschema adjustments (#1065) * Many fixes to the constraints in the OSCAL metaschemas to repair broken Metapaths. * fixing defects in metaschema constraints * Updating to latest Metaschema toolchain. Removed use of the "require" constraint. * updating readme with current links --- build/metaschema | 2 +- .../oscal_assessment-common_metaschema.xml | 20 +++++------ src/metaschema/oscal_catalog_metaschema.xml | 2 +- .../oscal_control-common_metaschema.xml | 20 +++++------ src/metaschema/oscal_metadata_metaschema.xml | 36 ++++++++----------- src/metaschema/oscal_profile_metaschema.xml | 26 ++++---------- src/utils/util/readme.md | 6 ++-- 7 files changed, 45 insertions(+), 67 deletions(-) diff --git a/build/metaschema b/build/metaschema index 25a56e7810..9c884726d9 160000 --- a/build/metaschema +++ b/build/metaschema @@ -1 +1 @@ -Subproject commit 25a56e7810d3f4602ddd09c7feac528d4c6326de +Subproject commit 9c884726d926dba8f2a3c7ce6c3f1e89d5bab6a4 diff --git a/src/metaschema/oscal_assessment-common_metaschema.xml b/src/metaschema/oscal_assessment-common_metaschema.xml index bff93b60b4..ed3b1d4d1f 100644 --- a/src/metaschema/oscal_assessment-common_metaschema.xml +++ b/src/metaschema/oscal_assessment-common_metaschema.xml 
@@ -1677,17 +1677,15 @@ - - - The assessment method to use. This typically appears on parts with the name "assessment". - - - - The process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence. - The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities). - The process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior. - - + + The assessment method to use. This typically appears on parts with the name "objective". + + + + The process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence. + The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities). + The process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior. +

A part provides for logical partitioning of prose, and can be thought of as a grouping structure (e.g., section). A part can have child parts allowing for arbitrary nesting of prose content (e.g., statement hierarchy). A part can contain prop objects that allow for enriching prose text with structured name/value information.

diff --git a/src/metaschema/oscal_catalog_metaschema.xml b/src/metaschema/oscal_catalog_metaschema.xml index 92385a917a..dd7743ca85 100644 --- a/src/metaschema/oscal_catalog_metaschema.xml +++ b/src/metaschema/oscal_catalog_metaschema.xml @@ -166,7 +166,7 @@ - + &allowed-values-control-group-property-name; The status of a control. For example, a value of 'withdrawn' can indicate that the control has been withdrawn and should no longer be used. diff --git a/src/metaschema/oscal_control-common_metaschema.xml b/src/metaschema/oscal_control-common_metaschema.xml index 29e616be61..dc03e9e7da 100644 --- a/src/metaschema/oscal_control-common_metaschema.xml +++ b/src/metaschema/oscal_control-common_metaschema.xml 
@@ -84,17 +84,15 @@ &allowed-values-control-group-property-name; - - - The assessment method to use. This typically appears on parts with the name "assessment". - - - - The process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence. - The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities). - The process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior. - - + + The assessment method to use. This typically appears on parts with the name "assessment". + + + + The process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence. + The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities). + The process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior. +

A part provides for logical partitioning of prose, and can be thought of as a grouping structure (e.g., section). A part can have child parts allowing for arbitrary nesting of prose content (e.g., statement hierarchy). A part can contain prop objects that allow for enriching prose text with structured name/value information.

diff --git a/src/metaschema/oscal_metadata_metaschema.xml b/src/metaschema/oscal_metadata_metaschema.xml index 760e2e5760..f20a00a3db 100644 --- a/src/metaschema/oscal_metadata_metaschema.xml +++ b/src/metaschema/oscal_metadata_metaschema.xml @@ -125,7 +125,7 @@ - + @@ -136,7 +136,9 @@ - + The link identifies the authoritative location for this file. Defined by RFC 6596. The link identifies an alternative location or format for this file. Defined by the HTML Living Standard @@ -252,7 +254,7 @@ - + Party Name The full name of the party. This is typically the legal name associated with the party. @@ -541,13 +543,11 @@

- - - -

A title is required when a citation is provided.

-
-
-
+ + +

A title is required when a citation is provided.

+
+

A resource can be used in two ways. 1) it may point to an specific retrievable network resource using a rlink, or 2) it may be included as an attachment using a base64. A resource may contain multiple rlink and base64 entries that represent alternative download locations (rlink) and attachments (base64) for the same resource. Both rlink and base64 allow for a media-type to be specified, which is used to distinguish between different representations of the same resource (e.g., Microsoft Word, PDF). When multiple rlink and base64 items are included for a given resource, all items must contain equivalent information. This allows the document consumer to choose a preferred item to process based on a the selected item's media-type. This is extremely important when the items represent OSCAL content that is represented in alternate formats (i.e., XML, JSON, YAML), allowing the same OSCAL data to be processed from any of the available formats indicated by the items.

@@ -669,17 +669,11 @@ - - - - - - - - - - - + + + + +

To provide a cryptographic hash for a remote target resource, a local reference to a back matter resource is needed. The resource allows one or more hash values to be provided using the rlink/hash object.

diff --git a/src/metaschema/oscal_profile_metaschema.xml b/src/metaschema/oscal_profile_metaschema.xml index f26f615c2e..a573ee5ef5 100644 --- a/src/metaschema/oscal_profile_metaschema.xml +++ b/src/metaschema/oscal_profile_metaschema.xml @@ -91,15 +91,8 @@ - - Flat - Use the flat structuring method. - - - As is - An As-is element indicates that the controls should be structured in resolution as they are structured in their source catalogs. It does not contain any elements or attributes. - - + + @@ -116,7 +109,10 @@

This setting permits a profile designer to apply a rule for the resolution of such cases. In a well-designed profile, such collisions would ordinarily be avoided, but this setting can be useful for defining what to do when it occurs.

- + + As is + An As-is element indicates that the controls should be structured in resolution as they are structured in their source catalogs. It does not contain any elements or attributes. + Combination method How clashing controls should be handled @@ -250,14 +246,6 @@ - - - - -

Since multiple set-parameter entries can be provided, each parameter must be set only once.

-
-
-
@@ -438,7 +426,7 @@ Include child controls with an included control. - (default) When importing a control, only include child controls that are also explicitly called. + When importing a control, only include child controls that are also explicitly called.
diff --git a/src/utils/util/readme.md b/src/utils/util/readme.md index 7f24e3f061..bb741d6612 100644 --- a/src/utils/util/readme.md +++ b/src/utils/util/readme.md @@ -1,10 +1,10 @@ # OSCAL Utilities -Current best tooling for OSCAL can be found listed on our web site: +The OSCAL project maintains [a list of tools for OSCAL on our web site](https://pages.nist.gov/OSCAL/tools/ "OSCAL tools page"). -See in particular the repository at https://github.com/usnistgov/oscal-tools +Additionally, we maintain a repository of tools at https://github.com/usnistgov/oscal-tools; and members of the community offer OSCAL tools, frequently in open repositories free to use, which we do not maintain. -Functionality maintained here includes: +Functionality archived here includes: `resolver-pipeline` a demonstration implementation of OSCAL Profile resolution.
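Review bot: The assessment-method remark in src/metaschema/oscal_assessment-common_metaschema.xml (hunk @@ -1677,17 +1677,15 @@) now says the property typically appears on parts with the name "objective", but the otherwise identical remark re-added in src/metaschema/oscal_control-common_metaschema.xml (hunk @@ -84,17 +84,15 @@) still says "assessment". Decide which part name is correct and make both files agree. If the difference is intentional, say why in the commit message, because nothing in the visible lines explains it.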
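Review bot: The re-added description in src/metaschema/oscal_control-common_metaschema.xml (hunk @@ -84,17 +84,15 @@) still carries the stray phrase "to once again, facilitate assessor understanding". Since these lines are being rewritten anyway, drop "once again," so the text reads "within an organization to facilitate assessor understanding, achieve clarification, or obtain evidence". The same wording is in the copy in oscal_assessment-common_metaschema.xml and should be fixed there too, so the two definitions stay in sync.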
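Review bot: Missing replacement check in src/metaschema/oscal_profile_metaschema.xml, hunk @@ -250,14 +246,6 @@: the removed block is the only place in the visible lines that states "each parameter must be set only once", and no added line takes its place. The commit message says use of the "require" constraint was removed, but the rule itself still matters to anyone consuming a profile with several set-parameter entries. Either express it with a constraint the updated toolchain supports, or keep the sentence as a remark so implementers still see it, and note in the commit message that schema validation no longer enforces it.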
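Review bot: Undocumented default in src/metaschema/oscal_profile_metaschema.xml, hunk @@ -438,7 +426,7 @@: the "(default)" marker is dropped from "When importing a control, only include child controls that are also explicitly called.", and the visible lines do not show where the default is now stated. If this value is still the default, record that somewhere a reader or tool can find it. If the default has changed or been removed, call that out in the commit message, since it affects how a profile that omits the setting is resolved.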
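Review bot: Style point in src/utils/util/readme.md, hunk @@ -1,10 +1,10 @@: the added sentence puts a bare URL directly before a semicolon ("https://github.com/usnistgov/oscal-tools; and members of the community offer ..."), which renderers that autolink bare URLs can pick up as part of the link, and it joins two unrelated statements. Use the same explicit link syntax as the first added line for the oscal-tools repository, and split the sentence so that the part about community tools "which we do not maintain" stands on its own. The heading text also changes from "maintained here" to "archived here"; if the utilities in this directory are no longer supported, say so in the readme rather than leaving it to the one-word change.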