usnistgov · iMichaela · Sep 12, 2023 · Sep 15, 2023 · Sep 27, 2023 · Sep 27, 2023
@@ -19,4 +19,4 @@ By submitting a pull request, you are agreeing to provide this contribution unde
 - [ ] Have you added an explanation of what your changes do and why you'd like us to include them?
 - [ ] Have you written new tests for your core changes, as applicable?
 - [ ] Have you included examples of how to use your new feature(s)?
-- [ ] Have you updated all [OSCAL website](https://pages.nist.gov/OSCAL) and readme documentation affected by the changes you made? Changes to the OSCAL website can be made in the docs/content directory of your branch.
+- [ ] Have you updated the [OSCAL website](https://pages.nist.gov/OSCAL) and readme documentation affected by the changes you made? Changes to the OSCAL website can be made in the [OSCAL-Pages](https://github.com/usnistgov/OSCAL-Pages) and [OSCAL_Reference](https://github.com/usnistgov/OSCAL-Reference) repositories.
@@ -12,7 +12,7 @@ jobs:
  name: Add issue to project
  runs-on: ubuntu-20.04
  steps:
- - uses: actions/add-to-project@31b3f3ccdc584546fc445612dec3f38ff5edb41c
+ - uses: actions/add-to-project@0609a2702eefb44781da00f8e04901d6e5cd2b92
  with:
  project-url: https://github.com/orgs/usnistgov/projects/25
  github-token: ${{ secrets.COMMIT_TOKEN }}
@@ -15,7 +15,7 @@ jobs:
  - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
  with:
  submodules: recursive
- - uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65
+ - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8
  with:
  node-version-file: "build/.nvmrc"
  cache: "npm"

@@ -21,7 +21,7 @@ jobs:
  make -j2 artifacts archives RELEASE=${GITHUB_REF_NAME:1}
  working-directory: build
  - name: Create release
- uses: softprops/action-gh-release@v1
+ uses: softprops/action-gh-release@v2
  with:
  token: ${{ secrets.COMMIT_TOKEN }}
  draft: true

@@ -25,7 +25,7 @@ jobs:
  with:
  distribution: "temurin"
  java-version: "17"
- - uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65
+ - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8
  with:
  node-version-file: "build/.nvmrc"
  cache: "npm"

@@ -11,7 +11,10 @@
  },
  {
  "pattern": "https://linux.die.net/man/1/xmllint/"
- } 
+ },
+ {
+ "pattern": "https://csrc.nist.gov/Projects/Open-Security-Controls-Assessment-Language"
+ } 
  ],
  "replacementPatterns": [
  {

@@ -0,0 +1,78 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<x:description xmlns:x="http://www.jenitennison.com/xslt/xspec"
+ stylesheet="resolve-entities3.xsl"
+ xmlns="http://csrc.nist.gov/ns/oscal/metaschema/1.0">
+
+ <x:scenario label="Everything copies:">
+ <x:scenario label="A bare metaschema">
+ <x:context>
+ <METASCHEMA/>
+ </x:context>
+ <x:expect label="copies" select="$x:context"/>
+ </x:scenario>
+ <x:scenario label="With random PIs">
+ <x:context>
+ <?xml-stylesheet href="some.css"?>
+ <METASCHEMA>
+ <title>A test</title>
+ <?random?>
+ </METASCHEMA>
+ </x:context>
+ <x:expect label="copies" select="$x:context"/>
+ </x:scenario>
+ <x:scenario label="A comment" pending="dev"/>
+ </x:scenario>
+
+ <x:scenario label="import/@href is modified:">
+ <x:scenario label="providing a suffix to the base name">
+ <x:context>
+ <METASCHEMA>
+ <import href="some.other.metaschema.xml"/>
+ </METASCHEMA>
+ </x:context>
+ <x:expect label="copies with @href modified">
+ <METASCHEMA>
+ <import href="some.other.metaschema_RESOLVED.xml"/>
+ </METASCHEMA>
+ </x:expect>
+ </x:scenario>
+ <x:scenario label="even when the suffix is not 'xml'">
+ <x:context>
+ <METASCHEMA>
+ <import href="some.other.metaschema"/>
+ </METASCHEMA>
+ </x:context>
+ <x:expect label="copies with @href modified">
+ <METASCHEMA>
+ <import href="some.other_RESOLVED.metaschema"/>
+ </METASCHEMA>
+ </x:expect>
+ </x:scenario>
+ <x:scenario label="or it is missing entirely">
+ <x:context>
+ <METASCHEMA>
+ <import href="some_metaschema"/>
+ </METASCHEMA>
+ </x:context>
+ <x:expect label="copies with @href modified">
+ <METASCHEMA>
+ <import href="some_metaschema_RESOLVED"/>
+ </METASCHEMA>
+ </x:expect>
+ </x:scenario>
+ <x:scenario label="providing a suffix to the base name">
+ <x:context>
+ <x:param name="splice">_NEW</x:param>
+ <METASCHEMA>
+ <import href="some.other.metaschema.xml"/>
+ </METASCHEMA>
+ </x:context>
+ <x:expect label="copies with @href modified">
+ <METASCHEMA>
+ <import href="some.other.metaschema_NEW.xml"/>
+ </METASCHEMA>
+ </x:expect>
+ </x:scenario>
+ </x:scenario>
+
+</x:description>
@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+ xmlns:xs="http://www.w3.org/2001/XMLSchema"
+ xmlns:math="http://www.w3.org/2005/xpath-functions/math"
+ xpath-default-namespace="http://csrc.nist.gov/ns/oscal/metaschema/1.0"
+ exclude-result-prefixes="xs math"
+ version="3.0">
+
+<!--
+ Purpose: Process XML files through a parsing/serialization that resolves internal parsed entities.
+
+ Also renames file references in METASCHEMA/import/@href
+ using $importHrefSuffix to suffix the base name
+ so for $importHrefSuffix='NEW'
+ import href="a_metaschema_module.xml" becomes href="a_metaschema_module_NEW.xml"
+
+ Otherwise this is an identity transform, so a diff over source and results should show only stated changes.
+
+ Parameter: $importHrefSuffix is 'RESOLVED' by default
+
+ XSpec: See the XSpec resolve-entities.xspec for functional testing, including the edge cases.
+
+ Compared to old resolve-entities.xsl: This XSLT provides the same outputs
+ for 'normal' inputs i.e. when import/@href ends in '.xml'.
+
+ For extraordinary inputs it does a little differently.
+
+ -->
+
+ <!-- since whitespace is retained from input, it provides indenting
+ - if (schema-based) strip-space is operative, switch @indent to 'yes'-->
+ <xsl:output omit-xml-declaration="no" indent="no" encoding="ASCII"/>
+
+ <xsl:param name="importHrefSuffix" select="'RESOLVED'"/>
+
+ <!-- copying everything through -->
+ <xsl:mode on-no-match="shallow-copy"/>
+
+ <xsl:template match="import/@href">
+ <xsl:param name="splice" select="'_' || $importHrefSuffix"/>
+
+ <xsl:variable name="basename" select="replace(.,'\.[^.]*$','')"/>
+ <xsl:attribute name="href" select="$basename || $splice || substring-after(.,$basename)"/>
+ </xsl:template>
+
+</xsl:stylesheet>
@@ -26,8 +26,9 @@
  <p>The root of the OSCAL Implementation Layer Component Definition model is <code>component-definition</code>.</p>
  </remarks>
 
- <import href="oscal_implementation-common_metaschema.xml"/>
- <import href="oscal_responsibility-common_metaschema.xml"/>
+ <!-- IMPORTS -->
+ <import href="oscal_implementation-common_metaschema.xml"/> 
+ <!-- <import href="oscal_responsibility-common_metaschema.xml"/> -->
 
  <define-assembly name="component-definition">
  <formal-name>Component Definition</formal-name>
@@ -134,7 +135,6 @@
  <p>Used for <code>service</code> components to define the protocols supported by the service.</p>
  </remarks>
  </assembly>
-
  <assembly ref="control-implementation" max-occurs="unbounded">
  <group-as name="control-implementations" in-json="ARRAY"/>
  </assembly>
@@ -312,6 +312,7 @@
  <!-- Feature Request: add constraint ensuring a capability's incorporates-component references //component-definition/component/@uuid in the same component definition instance or an imported instance-->
  </constraint>
  </define-assembly>
+
  <define-assembly name="incorporates-component">
  <formal-name>Incorporates Component</formal-name>
  <!-- TODO: needs a description -->
@@ -329,6 +330,68 @@
  </model>
  </define-assembly>
 
+ <define-assembly name="responsibility" scope="local">
+ <formal-name>Control Implementation Responsibility</formal-name>
+ <description>Describes a control implementation responsibility imposed on a leveraging system.</description>
+ <!-- <group-as name="responsibilities" in-json="ARRAY"/> -->
+ <define-flag name="uuid" as-type="uuid" required="yes">
+ <formal-name>Responsibility Universally Unique Identifier</formal-name>
+ <!-- Identifier Declaration -->
+ <description>A <a href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented">
+ machine-oriented</a>, <a
+ href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique">globally
+ unique</a> identifier with <a
+ href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance">cross-instance</a>
+ scope that can be used to reference this responsibility elsewhere in <a
+ href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#ssp-identifiers">this or other
+ OSCAL instances</a>. The locally defined <em>UUID</em> of the <code>responsibility</code>
+ can be used to reference the data item locally or globally (e.g., in an imported OSCAL
+ instance). This UUID should be assigned <a
+ href="https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency">per-subject</a>,
+ which means it should be consistently used to identify the same subject across revisions of
+ the document.</description>
+ </define-flag>
+ <!-- The following flags make no sense in the context of a Component Definition 
+ since the control are implemented by the current component.
+ <flag ref="provided-uuid" required="no" />
+ <flag ref="implemented-by" required="no" />
+ -->
+ <flag ref="exportable" />
+ <model>
+ <define-field name="description" as-type="markup-multiline" min-occurs="1"
+ in-xml="WITH_WRAPPER">
+ <formal-name>Control Implementation Responsibility Description</formal-name>
+ <description>An implementation statement that describes the aspects of the control or
+ control statement implementation that a customer must implement to satisfy the
+ control provided by the component.</description>
+ </define-field>
+ <assembly ref="property" max-occurs="unbounded">
+ <group-as name="props" in-json="ARRAY" />
+ </assembly>
+ <assembly ref="link" max-occurs="unbounded">
+ <group-as name="links" in-json="ARRAY" />
+ <!-- TODO: Model specific link relationships -->
+ </assembly>
+ <assembly ref="responsible-role" min-occurs="0" max-occurs="unbounded">
+ <group-as name="responsible-roles" in-json="ARRAY" />
+ <remarks>
+ <p>A role defined at the by-component level takes precedence over the same role defined on
+ the parent implemented-requirement or on the referenced component. </p>
+ </remarks>
+ </assembly>
+ <field ref="remarks" in-xml="WITH_WRAPPER" />
+ </model>
+ <constraint>
+ <is-unique id="unique-responsibility-responsible-role" target="responsible-role">
+ <key-field target="@role-id" />
+ <remarks>
+ <p>Since <code>responsible-role</code> associates multiple <code>party-uuid</code> entries
+ with a single <code>role-id</code>, each role-id must be referenced only once.</p>
+ </remarks>
+ </is-unique>
+ </constraint>
+ </define-assembly>
+
  <define-assembly name="control-implementation" scope="local">
  <formal-name>Control Implementation Set</formal-name>
  <description>Defines how the component or capability supports a set of controls.</description>
@@ -412,37 +475,20 @@
  <assembly ref="set-parameter" max-occurs="unbounded">
  <group-as name="set-parameters" in-json="ARRAY"/>
  </assembly>
- <assembly ref="responsible-role" max-occurs="unbounded">
- <group-as name="responsible-roles" in-json="ARRAY"/>
- </assembly>
-
- <!-- ADDED for CRM/SSRM: Implementation Status and Shared Responsibility Assembly -->
- <!-- <assembly ref="implementation-status">
+ <assembly ref="implementation-status">
  <remarks>
- <p>The <code>implementation-status</code> is used to qualify the <code>status</code> value to indicate the degree to which the control is implemented.</p>
+ <p>The <code>implementation-status</code> is used to qualify the <code>status</code> value to indicate the degree to which the control is implemented by this component when the component is integrated into a system (e.g. a cloud service).</p>
  </remarks>
  </assembly>
-
- <assembly ref="provided">
- <group-as name="provided" in-json="ARRAY"/>
- </assembly>
- <assembly ref="responsibility">
- <group-as name="responsibility" in-json="ARRAY"/>
- </assembly>
- <assembly ref="inherited">
- <group-as name="inherited" in-json="ARRAY"/>
- </assembly>
- <assembly ref="satisfied">
- <group-as name="satisfied" in-json="ARRAY"/>
- </assembly>
-
- <assembly ref="export" max-occurs="1">
+ <assembly ref="responsibility" max-occurs="unbounded">
+ <group-as name="responsibilities" in-json="ARRAY"/>
  <remarks>
- <p>TODO: Documentation</p>
+ <p>The <code>responsibility</code> in the context of a <code>component-definition</code> instance documents the customer's responsibilities when this component becomes part of a system, and it is expected to provide the declared <code>implementation-status</code> of the <code>implemented-requirement</code>.</p>
  </remarks>
- </assembly> -->
- <!-- END ADDED -->
-
+ </assembly>
+ <assembly ref="responsible-role" max-occurs="unbounded">
+ <group-as name="responsible-roles" in-json="ARRAY"/>
+ </assembly>
  <assembly ref="statement" max-occurs="unbounded">
  <group-as name="statements" in-json="ARRAY"/>
  </assembly>
@@ -497,6 +543,17 @@
  <assembly ref="link" max-occurs="unbounded">
  <group-as name="links" in-json="ARRAY"/>
  </assembly>
+ <assembly ref="implementation-status">
+ <remarks>
+ <p>The <code>implementation-status</code> is used to qualify the <code>status</code> value to indicate the degree to which the statement of a control is implemented by this component when the component is integrated into a system (e.g. a cloud service).</p>
+ </remarks>
+ </assembly>
+ <assembly ref="responsibility" max-occurs="unbounded">
+ <group-as name="responsibilities" in-json="ARRAY"/>
+ <remarks>
+ <p>The <code>responsibility</code> in the context of a <code>component-definition</code> instance documents the customer's responsibilities when this component becomes part of a system, and is expected to provide the declared <code>implementation-status</code> of the <code>statement</code>.</p>
+ </remarks>
+ </assembly>
  <assembly ref="responsible-role" max-occurs="unbounded">
  <group-as name="responsible-roles" in-json="ARRAY"/>
  </assembly>