From 89e7acbb22752af7ee39b2be157dc2a990662339 Mon Sep 17 00:00:00 2001
From: "A.J. Stein"
Date: Thu, 21 Sep 2023 16:44:17 -0400
Subject: [PATCH 01/25] [maven-release-plugin] prepare for next development iteration
---
pom.xml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pom.xml b/pom.xml
index 04c74efc..4ba57b0f 100644
--- a/pom.xml
+++ b/pom.xml
@@ -9,7 +9,7 @@ gov.nist.secauto.oscal liboscal-java - 3.0.2 + 3.0.3-SNAPSHOT jar OSCAL Java Library
@@ -27,7 +27,7 @@ https://github.com/usnistgov/liboscal-java scm:git:git@github.com:usnistgov/liboscal-java.git scm:git:git@github.com:usnistgov/liboscal-java.git - v3.0.2 + HEAD
From 3250810e6f201714c81cff6760c40116645a63b1 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 25 Sep 2023 08:59:45 -0400
Subject: [PATCH 02/25] Bump actions/setup-java from 3.12.0 to 3.13.0 (#184)
Bumps [actions/setup-java](https://github.com/actions/setup-java) from 3.12.0 to 3.13.0.
- [Release notes](https://github.com/actions/setup-java/releases)
- [Commits](https://github.com/actions/setup-java/compare/cd89f46ac9d01407894225f350157564c9c7cee2...0ab4596768b603586c0de567f2430c30f5b0d2b0)
---
updated-dependencies:
- dependency-name: actions/setup-java dependency-type: direct:production update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
.github/workflows/build.yml | 4 ++--
.github/workflows/release.yml | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index fdaecaec..d43ce699 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -35,14 +35,14 @@ jobs: maven-version: 3.9.3 - name: Set up JDK 11 (build only) if: ${{ !((github.event_name == 'push' || github.event_name == 'workflow_dispatch') && github.ref_name == 'develop') }} - uses: actions/setup-java@cd89f46ac9d01407894225f350157564c9c7cee2 + uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 with: java-version: 11 distribution: 'temurin' cache: 'maven' - name: Set up JDK 11 (deploy) if: (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && github.ref_name == 'develop' - uses: actions/setup-java@cd89f46ac9d01407894225f350157564c9c7cee2 + uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 with: java-version: 11 distribution: 'temurin'
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ef07bca1..5d6d93f0 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -25,7 +25,7 @@ jobs: with: maven-version: 3.9.3 - name: Set up JDK 11 - uses: actions/setup-java@cd89f46ac9d01407894225f350157564c9c7cee2 + uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 with: java-version: 11 distribution: 'temurin'
From 2e703fdc5cca43ab01b9d0d2c2b57e11c8ab2459 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 25 Sep 2023 09:01:11 -0400
Subject: [PATCH 03/25] Bump actions/checkout from 4.0.0 to 4.1.0 (#185)
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.0.0 to 4.1.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/3df4ab11eba7bda6032a0b82a6bb43b11571feac...8ade135a41bc03ea155e62e844d188df1ea18608)
---
updated-dependencies:
- dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
.github/workflows/build.yml | 2 +-
.github/workflows/release.yml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index d43ce699..9e5437cf 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -21,7 +21,7 @@ jobs: contents: read security-events: write steps: - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 with: token: ${{ github.token }} submodules: recursive
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 5d6d93f0..1ed686a5 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -12,7 +12,7 @@ jobs: actions: read contents: write steps: - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 with: token: ${{ github.token }} submodules: recursive
From 25650acc782e4a2a6e03405738014c5229a3020b Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 3 Oct 2023 23:45:23 -0400
Subject: [PATCH 04/25] Bump github/codeql-action from 2.21.8 to 2.21.9 (#186)
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.21.8 to 2.21.9.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/6a28655e3dcb49cb0840ea372fd6d17733edd8a4...ddccb873888234080b77e9bc2d4764d5ccaaccf9)
---
updated-dependencies:
- dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
.github/workflows/build.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 9e5437cf..6872447c 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -54,7 +54,7 @@ jobs: gpg-passphrase: MAVEN_GPG_PASSPHRASE # env variable for GPG private key passphrase - name: Initialize CodeQL if: github.event_name == 'push' - uses: github/codeql-action/init@6a28655e3dcb49cb0840ea372fd6d17733edd8a4 + uses: github/codeql-action/init@ddccb873888234080b77e9bc2d4764d5ccaaccf9 with: languages: java # -------------------------
@@ -74,7 +74,7 @@ jobs: MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} - name: Perform CodeQL Analysis if: github.event_name == 'push' - uses: github/codeql-action/analyze@6a28655e3dcb49cb0840ea372fd6d17733edd8a4 + uses: github/codeql-action/analyze@ddccb873888234080b77e9bc2d4764d5ccaaccf9 - name: Test Website run: | # this needs to be run as a second build to ensure source is fully generated by the previous step
From 6457c0f57a431d2f9881b3a80c966711bb42f5e2 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 26 Oct 2023 16:22:52 -0400
Subject: [PATCH 05/25] Bump dependency.log4j2.version from 2.20.0 to 2.21.1 (#199)
Bumps `dependency.log4j2.version` from 2.20.0 to 2.21.1.
Updates `org.apache.logging.log4j:log4j-api` from 2.20.0 to 2.21.1
Updates `org.apache.logging.log4j:log4j-core` from 2.20.0 to 2.21.1
---
updated-dependencies:
- dependency-name: org.apache.logging.log4j:log4j-api dependency-type: direct:production update-type: version-update:semver-minor
- dependency-name: org.apache.logging.log4j:log4j-core dependency-type: direct:development update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
pom.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index 4ba57b0f..5004256d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -129,7 +129,7 @@ 13.0.10.Final 23.0.0 2.12.0 - 2.20.0 + 2.21.1 12.3 4.7.3 4.6.0
From f70907eb7d401c2f27d6aa12d6bb98cdd2f624a8 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 26 Oct 2023 16:23:43 -0400
Subject: [PATCH 06/25] Bump github/codeql-action from 2.21.9 to 2.22.4 (#197)
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.21.9 to 2.22.4.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/ddccb873888234080b77e9bc2d4764d5ccaaccf9...49abf0ba24d0b7953cb586944e918a0b92074c80)
---
updated-dependencies:
- dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
.github/workflows/build.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 6872447c..74e63ead 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -54,7 +54,7 @@ jobs: gpg-passphrase: MAVEN_GPG_PASSPHRASE # env variable for GPG private key passphrase - name: Initialize CodeQL if: github.event_name == 'push' - uses: github/codeql-action/init@ddccb873888234080b77e9bc2d4764d5ccaaccf9 + uses: github/codeql-action/init@49abf0ba24d0b7953cb586944e918a0b92074c80 with: languages: java # -------------------------
@@ -74,7 +74,7 @@ jobs: MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} - name: Perform CodeQL Analysis if: github.event_name == 'push' - uses: github/codeql-action/analyze@ddccb873888234080b77e9bc2d4764d5ccaaccf9 + uses: github/codeql-action/analyze@49abf0ba24d0b7953cb586944e918a0b92074c80 - name: Test Website run: | # this needs to be run as a second build to ensure source is fully generated by the previous step
From 36b3feac509281a7cb451cb37ae0de002db8ce65 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 26 Oct 2023 16:24:28 -0400
Subject: [PATCH 07/25] Bump actions/checkout from 4.1.0 to 4.1.1 (#194)
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.0 to 4.1.1.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/8ade135a41bc03ea155e62e844d188df1ea18608...b4ffde65f46336ab88eb53be808477a3936bae11)
---
updated-dependencies:
- dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
.github/workflows/build.yml | 2 +-
.github/workflows/release.yml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 74e63ead..6ea10a9a 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -21,7 +21,7 @@ jobs: contents: read security-events: write steps: - - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: token: ${{ github.token }} submodules: recursive
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1ed686a5..8d7e5071 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -12,7 +12,7 @@ jobs: actions: read contents: write steps: - - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: token: ${{ github.token }} submodules: recursive
From 4fe3be4f57cccbfd0986b560055d9b0dfd8ccda4 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 26 Oct 2023 16:24:49 -0400
Subject: [PATCH 08/25] Bump io.github.git-commit-id:git-commit-id-maven-plugin (#196)
Bumps [io.github.git-commit-id:git-commit-id-maven-plugin](https://github.com/git-commit-id/git-commit-id-maven-plugin) from 6.0.0 to 7.0.0.
- [Release notes](https://github.com/git-commit-id/git-commit-id-maven-plugin/releases)
- [Commits](https://github.com/git-commit-id/git-commit-id-maven-plugin/compare/v6.0.0...v7.0.0)
---
updated-dependencies:
- dependency-name: io.github.git-commit-id:git-commit-id-maven-plugin dependency-type: direct:production update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
pom.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index 5004256d..63efcbfd 100644
--- a/pom.xml
+++ b/pom.xml
@@ -398,7 +398,7 @@ io.github.git-commit-id git-commit-id-maven-plugin - 6.0.0 + 7.0.0 false
From 63d944015d2c6b34c1482fa1a18b2613a42c03a3 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 30 Nov 2023 16:15:22 -0500
Subject: [PATCH 09/25] Bump github/codeql-action from 2.22.4 to 2.22.8 (#206)
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.22.4 to 2.22.8.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/49abf0ba24d0b7953cb586944e918a0b92074c80...407ffafae6a767df3e0230c3df91b6443ae8df75)
---
updated-dependencies:
- dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
.github/workflows/build.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 6ea10a9a..51b44ed1 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -54,7 +54,7 @@ jobs: gpg-passphrase: MAVEN_GPG_PASSPHRASE # env variable for GPG private key passphrase - name: Initialize CodeQL if: github.event_name == 'push' - uses: github/codeql-action/init@49abf0ba24d0b7953cb586944e918a0b92074c80 + uses: github/codeql-action/init@407ffafae6a767df3e0230c3df91b6443ae8df75 with: languages: java # -------------------------
@@ -74,7 +74,7 @@ jobs: MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} - name: Perform CodeQL Analysis if: github.event_name == 'push' - uses: github/codeql-action/analyze@49abf0ba24d0b7953cb586944e918a0b92074c80 + uses: github/codeql-action/analyze@407ffafae6a767df3e0230c3df91b6443ae8df75 - name: Test Website run: | # this needs to be run as a second build to ensure source is fully generated by the previous step
From 036b7e0bb296cc95b797129112b647a61385fd58 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 30 Nov 2023 16:16:04 -0500
Subject: [PATCH 10/25] Bump actions/setup-java from 3.13.0 to 4.0.0 (#207)
Bumps [actions/setup-java](https://github.com/actions/setup-java) from 3.13.0 to 4.0.0.
- [Release notes](https://github.com/actions/setup-java/releases)
- [Commits](https://github.com/actions/setup-java/compare/0ab4596768b603586c0de567f2430c30f5b0d2b0...387ac29b308b003ca37ba93a6cab5eb57c8f5f93)
---
updated-dependencies:
- dependency-name: actions/setup-java dependency-type: direct:production update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
.github/workflows/build.yml | 4 ++--
.github/workflows/release.yml | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 51b44ed1..5a5ed1d8 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -35,14 +35,14 @@ jobs: maven-version: 3.9.3 - name: Set up JDK 11 (build only) if: ${{ !((github.event_name == 'push' || github.event_name == 'workflow_dispatch') && github.ref_name == 'develop') }} - uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 + uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 with: java-version: 11 distribution: 'temurin' cache: 'maven' - name: Set up JDK 11 (deploy) if: (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && github.ref_name == 'develop' - uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 + uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 with: java-version: 11 distribution: 'temurin'
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8d7e5071..101520d0 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -25,7 +25,7 @@ jobs: with: maven-version: 3.9.3 - name: Set up JDK 11 - uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 + uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 with: java-version: 11 distribution: 'temurin'
From a85440e979ce26d3727b8960b01d9a87bf3e4088 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 30 Nov 2023 16:16:20 -0500
Subject: [PATCH 11/25] Bump org.apache.commons:commons-lang3 from 3.13.0 to 3.14.0 (#205)
Bumps org.apache.commons:commons-lang3 from 3.13.0 to 3.14.0.
---
updated-dependencies:
- dependency-name: org.apache.commons:commons-lang3 dependency-type: direct:production update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
pom.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index 63efcbfd..984daf51 100644
--- a/pom.xml
+++ b/pom.xml
@@ -125,7 +125,7 @@ 0.12.2 1.0.1 - 3.13.0 + 3.14.0 13.0.10.Final 23.0.0 2.12.0
From 96cb559595b24743f7eef40762f2eca5586880a4 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 30 Nov 2023 16:16:35 -0500
Subject: [PATCH 12/25] Bump dependency.log4j2.version from 2.21.1 to 2.22.0 (#204)
Bumps `dependency.log4j2.version` from 2.21.1 to 2.22.0.
Updates `org.apache.logging.log4j:log4j-api` from 2.21.1 to 2.22.0
Updates `org.apache.logging.log4j:log4j-core` from 2.21.1 to 2.22.0
---
updated-dependencies:
- dependency-name: org.apache.logging.log4j:log4j-api dependency-type: direct:production update-type: version-update:semver-minor
- dependency-name: org.apache.logging.log4j:log4j-core dependency-type: direct:development update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
pom.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index 984daf51..80303e3d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -129,7 +129,7 @@ 13.0.10.Final 23.0.0 2.12.0 - 2.21.1 + 2.22.0 12.3 4.7.3 4.6.0
From f60b79a67c0d2af5328bf43177a4699d34e205ad Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 1 Dec 2023 09:26:11 -0500
Subject: [PATCH 13/25] Bump net.sf.saxon:Saxon-HE from 12.3 to 12.4 (#208)
Bumps net.sf.saxon:Saxon-HE from 12.3 to 12.4.
---
updated-dependencies:
- dependency-name: net.sf.saxon:Saxon-HE dependency-type: direct:development update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
pom.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index 80303e3d..2feb6f46 100644
--- a/pom.xml
+++ b/pom.xml
@@ -130,7 +130,7 @@ 23.0.0 2.12.0 2.22.0 - 12.3 + 12.4 4.7.3 4.6.0
From 35f8969b70959dfa1dce37c0c660b6f6ba2e7b31 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 30 Jan 2024 18:03:45 -0500
Subject: [PATCH 14/25] Bump github/codeql-action from 2.22.8 to 3.23.2 (#224)
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.22.8 to 3.23.2.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/407ffafae6a767df3e0230c3df91b6443ae8df75...b7bf0a3ed3ecfa44160715d7c442788f65f0f923)
---
updated-dependencies:
- dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
.github/workflows/build.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 5a5ed1d8..ed585010 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -54,7 +54,7 @@ jobs: gpg-passphrase: MAVEN_GPG_PASSPHRASE # env variable for GPG private key passphrase - name: Initialize CodeQL if: github.event_name == 'push' - uses: github/codeql-action/init@407ffafae6a767df3e0230c3df91b6443ae8df75 + uses: github/codeql-action/init@b7bf0a3ed3ecfa44160715d7c442788f65f0f923 with: languages: java # -------------------------
@@ -74,7 +74,7 @@ jobs: MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} - name: Perform CodeQL Analysis if: github.event_name == 'push' - uses: github/codeql-action/analyze@407ffafae6a767df3e0230c3df91b6443ae8df75 + uses: github/codeql-action/analyze@b7bf0a3ed3ecfa44160715d7c442788f65f0f923 - name: Test Website run: | # this needs to be run as a second build to ensure source is fully generated by the previous step
From 13e5c25d8819141918d06d28c73dc33106a23cb6 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 30 Jan 2024 18:30:01 -0500
Subject: [PATCH 15/25] Bump org.xmlresolver:xmlresolver from 4.6.0 to 5.2.3 (#223)
Bumps [org.xmlresolver:xmlresolver](https://github.com/xmlresolver/xmlresolver) from 4.6.0 to 5.2.3.
- [Release notes](https://github.com/xmlresolver/xmlresolver/releases)
- [Commits](https://github.com/xmlresolver/xmlresolver/compare/4.6.0...5.2.3)
---
updated-dependencies:
- dependency-name: org.xmlresolver:xmlresolver dependency-type: direct:production update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
pom.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index 2feb6f46..06ac0c72 100644
--- a/pom.xml
+++ b/pom.xml
@@ -132,7 +132,7 @@ 2.22.0 12.4 4.7.3 - 4.6.0 + 5.2.3 2.7.3 3.1.0
From 49075baeb2f421e3832b4c56b804db2ff503d2b7 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 30 Jan 2024 18:31:10 -0500
Subject: [PATCH 16/25] Bump org.cyclonedx:cyclonedx-maven-plugin from 2.7.3 to 2.7.11 (#221)
Bumps [org.cyclonedx:cyclonedx-maven-plugin](https://github.com/CycloneDX/cyclonedx-maven-plugin) from 2.7.3 to 2.7.11.
- [Release notes](https://github.com/CycloneDX/cyclonedx-maven-plugin/releases)
- [Commits](https://github.com/CycloneDX/cyclonedx-maven-plugin/compare/cyclonedx-maven-plugin-2.7.3...cyclonedx-maven-plugin-2.7.11)
---
updated-dependencies:
- dependency-name: org.cyclonedx:cyclonedx-maven-plugin dependency-type: direct:production update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
pom.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index 06ac0c72..1d7674cf 100644
--- a/pom.xml
+++ b/pom.xml
@@ -134,7 +134,7 @@ 4.7.3 5.2.3 - 2.7.3 + 2.7.11 3.1.0 1.3
From 3e91c095adc8a552392c33f083554c9e2fa2ffc1 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 30 Jan 2024 19:02:26 -0500
Subject: [PATCH 17/25] Bump com.googlecode.maven-download-plugin:download-maven-plugin (#219)
Bumps [com.googlecode.maven-download-plugin:download-maven-plugin](https://github.com/maven-download-plugin/maven-download-plugin) from 1.6.8 to 1.8.0.
- [Release notes](https://github.com/maven-download-plugin/maven-download-plugin/releases)
- [Commits](https://github.com/maven-download-plugin/maven-download-plugin/compare/1.6.8...1.8.0)
---
updated-dependencies:
- dependency-name: com.googlecode.maven-download-plugin:download-maven-plugin dependency-type: direct:production update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
pom.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index 1d7674cf..136ea1d2 100644
--- a/pom.xml
+++ b/pom.xml
@@ -482,7 +482,7 @@ com.googlecode.maven-download-plugin download-maven-plugin - 1.6.8 + 1.8.0 true false
From b7fb926218432e3cd7e857ab0b88585391394257 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 30 Jan 2024 19:03:07 -0500
Subject: [PATCH 18/25] Bump org.xmlunit:xmlunit-core from 2.9.0 to 2.9.1 (#214)
Bumps [org.xmlunit:xmlunit-core](https://github.com/xmlunit/xmlunit) from 2.9.0 to 2.9.1.
- [Release notes](https://github.com/xmlunit/xmlunit/releases)
- [Changelog](https://github.com/xmlunit/xmlunit/blob/main/RELEASE_NOTES.md)
- [Commits](https://github.com/xmlunit/xmlunit/compare/v2.9.0...v2.9.1)
---
updated-dependencies:
- dependency-name: org.xmlunit:xmlunit-core dependency-type: direct:development update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
pom.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index 136ea1d2..b5e16a60 100644
--- a/pom.xml
+++ b/pom.xml
@@ -279,7 +279,7 @@ org.xmlunit xmlunit-core - 2.9.0 + 2.9.1 test
From b098a86697f93cafd120c9d3054db78a9e0f5b16 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 30 Jan 2024 19:04:56 -0500
Subject: [PATCH 19/25] Bump gov.nist.secauto:oss-parent from 26 to 27 (#212)
Bumps gov.nist.secauto:oss-parent from 26 to 27.
---
updated-dependencies:
- dependency-name: gov.nist.secauto:oss-parent dependency-type: direct:production update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
pom.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index b5e16a60..b47e11e8 100644
--- a/pom.xml
+++ b/pom.xml
@@ -4,7 +4,7 @@ gov.nist.secauto oss-parent - 26 + 27 gov.nist.secauto.oscal
From 9484c63c03e54f3504c9ecedf6d4d81bced366fb Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 31 Jan 2024 09:45:47 -0500
Subject: [PATCH 20/25] Bump com.google.auto.service:auto-service from 1.0.1 to 1.1.1 (#225)
Bumps [com.google.auto.service:auto-service](https://github.com/google/auto) from 1.0.1 to 1.1.1.
- [Release notes](https://github.com/google/auto/releases)
- [Commits](https://github.com/google/auto/compare/auto-common-1.0.1...auto-service-1.1.1)
---
updated-dependencies:
- dependency-name: com.google.auto.service:auto-service dependency-type: direct:production update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
pom.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index b47e11e8..6e126b39 100644
--- a/pom.xml
+++ b/pom.xml
@@ -124,7 +124,7 @@ 0.12.2 - 1.0.1 + 1.1.1 3.14.0 13.0.10.Final 23.0.0
From fbe7ea9c6fc299d084119c212cb3d34f32be4aca Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 31 Jan 2024 09:48:16 -0500
Subject: [PATCH 21/25] Bump org.assertj:assertj-core from 3.24.2 to 3.25.2 (#229)
Bumps [org.assertj:assertj-core](https://github.com/assertj/assertj) from 3.24.2 to 3.25.2.
- [Release notes](https://github.com/assertj/assertj/releases)
- [Commits](https://github.com/assertj/assertj/compare/assertj-build-3.24.2...assertj-build-3.25.2)
---
updated-dependencies:
- dependency-name: org.assertj:assertj-core dependency-type: direct:development update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
pom.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index 6e126b39..65872465 100644
--- a/pom.xml
+++ b/pom.xml
@@ -273,7 +273,7 @@ org.assertj assertj-core - 3.24.2 + 3.25.2 test
From 272ab189cc139c2e0247072f6d0bdbcf4124db7b Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 31 Jan 2024 16:27:16 -0500
Subject: [PATCH 22/25] Bump org.xmlunit:xmlunit-assertj3 from 2.9.0 to 2.9.1 (#226)
Bumps [org.xmlunit:xmlunit-assertj3](https://github.com/xmlunit/xmlunit) from 2.9.0 to 2.9.1.
- [Release notes](https://github.com/xmlunit/xmlunit/releases)
- [Changelog](https://github.com/xmlunit/xmlunit/blob/main/RELEASE_NOTES.md)
- [Commits](https://github.com/xmlunit/xmlunit/compare/v2.9.0...v2.9.1)
---
updated-dependencies:
- dependency-name: org.xmlunit:xmlunit-assertj3 dependency-type: direct:development update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
pom.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index 65872465..fcc0853d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -285,7 +285,7 @@ org.xmlunit xmlunit-assertj3 - 2.9.0 + 2.9.1 test
From a758ccec816ff701eee6f6312acae3cc73c07ec0 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 1 Feb 2024 08:20:26 -0500
Subject: [PATCH 23/25] Bump org.codehaus.mojo:templating-maven-plugin from 1.0.0 to 3.0.0 (#230)
---
pom.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index fcc0853d..8e29c40d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -469,7 +469,7 @@ org.codehaus.mojo templating-maven-plugin - 1.0.0 + 3.0.0 filter-src
From e6597978b7bb1cac27f4e03d6d5fbaa69598c959 Mon Sep 17 00:00:00 2001
From: "A.J. Stein"
Date: Thu, 1 Feb 2024 12:14:22 -0500
Subject: [PATCH 24/25] Update OSCAL models to v1.1.2 for #234. (#235)
---
oscal | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/oscal b/oscal
index f24dd56d..4f02dac6 160000
--- a/oscal
+++ b/oscal
@@ -1 +1 @@
-Subproject commit f24dd56d5569ade8489924cf6fc2640dc297bfbe
+Subproject commit 4f02dac6f698efda387cc5f55bc99581eaf494b6
From bc4c35981305bd3ae7f626d3b8042ea216a02392 Mon Sep 17 00:00:00 2001
From: "A.J. Stein"
Date: Thu, 1 Feb 2024 14:15:51 -0500
Subject: [PATCH 25/25] [maven-release-plugin] prepare release v3.0.3
---
pom.xml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pom.xml b/pom.xml
index 8e29c40d..1bb5a7eb 100644
--- a/pom.xml
+++ b/pom.xml
@@ -9,7 +9,7 @@ gov.nist.secauto.oscal liboscal-java - 3.0.3-SNAPSHOT + 3.0.3 jar OSCAL Java Library
@@ -27,7 +27,7 @@ https://github.com/usnistgov/liboscal-java scm:git:git@github.com:usnistgov/liboscal-java.git scm:git:git@github.com:usnistgov/liboscal-java.git - HEAD + v3.0.3