From b567c1e3c831c57b996e37b3d364c39acd0d1553 Mon Sep 17 00:00:00 2001 From: David Waltermire Date: Thu, 14 Mar 2024 23:53:51 -0400 Subject: [PATCH 1/5] Some work towards representing the XSLT-based metaschema-composition-check.sch as Metaschema external module constraints. --- .../metaschema-module-constraints.xml | 40 ++++++++++++++++++- 1 file changed, 39 insertions(+), 1 deletion(-) diff --git a/schema/metaschema/metaschema-module-constraints.xml b/schema/metaschema/metaschema-module-constraints.xml index 5eb90ef8..668e7328 100644 --- a/schema/metaschema/metaschema-module-constraints.xml +++ b/schema/metaschema/metaschema-module-constraints.xml @@ -3,6 +3,44 @@ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/metaschema/1.0 ../xml/metaschema-meta-constraints.xsd"> - + + + + + Unique Module Short Names + Ensures that the current and all imported modules have a unique short name. + + + + + + + + Require Version for Top-Level Modules + A top-level module, a module that is not marked as @abstract='yes', must have a version specified. + Unless marked as @abstract='yes', a Metaschema module (or an imported module) should have a version. + + + Require Root Assembly for Top-Level Modules + A top-level module, a module that is not marked as @abstract='yes', must have at least one assembly with a root-name. + Unless marked as @abstract='yes', a Metaschema module (or an imported module) should have at least one assembly with a root-name. + + + + + + + + Import is Resolvable + Ensure each import has a resolvable @href. + Unable to access a Metaschema module at '{{ resolve-uri(@href) }}'. + + + Import is Resolvable + Ensure each import is a Metaschema module. + Unable the resource at '{{ resolve-uri(@href) }}' is not a Metaschema module. + + + \ No newline at end of file From d5e81d6317caacf23bb11892d8cbf98c8c8a45af Mon Sep 17 00:00:00 2001 From: Dave Waltermire Date: Sun, 16 Jun 2024 15:59:08 -0400 Subject: [PATCH 2/5] Added Metaschema module based on the Static Analysis Results Interchange Format (SARIF). This uses #519 as a starting point. --- .../metaschema-module-constraints.xml | 4 +- .../metaschema-module-metaschema.xml | 6 +- schema/metaschema/sarif-module.xml | 513 ++++++++++++++++++ 3 files changed, 519 insertions(+), 4 deletions(-) create mode 100644 schema/metaschema/sarif-module.xml diff --git a/schema/metaschema/metaschema-module-constraints.xml b/schema/metaschema/metaschema-module-constraints.xml index 668e7328..c91a1e34 100644 --- a/schema/metaschema/metaschema-module-constraints.xml +++ b/schema/metaschema/metaschema-module-constraints.xml @@ -5,7 +5,7 @@ - + Unique Module Short Names Ensures that the current and all imported modules have a unique short name. @@ -35,7 +35,7 @@ Ensure each import has a resolvable @href. Unable to access a Metaschema module at '{{ resolve-uri(@href) }}'. - + Import is Resolvable Ensure each import is a Metaschema module. Unable the resource at '{{ resolve-uri(@href) }}' is not a Metaschema module. diff --git a/schema/metaschema/metaschema-module-metaschema.xml b/schema/metaschema/metaschema-module-metaschema.xml index 45049c82..0cdd5915 100644 --- a/schema/metaschema/metaschema-module-metaschema.xml +++ b/schema/metaschema/metaschema-module-metaschema.xml @@ -1313,7 +1313,8 @@ - + context + @@ -1334,7 +1335,8 @@ constraints - + context + diff --git a/schema/metaschema/sarif-module.xml b/schema/metaschema/sarif-module.xml new file mode 100644 index 00000000..450ca183 --- /dev/null +++ b/schema/metaschema/sarif-module.xml @@ -0,0 +1,513 @@ + + + + SARIF Metaschema Module + 0.1.0 + sarif + + https://json.schemastore.org/sarif/2.1.0 + + https://json.schemastore.org/sarif-2.1.0.json + + SARIF Model Version + The version of the SARIF Model used for conforming instances. + + + + + + + + + Property Bag + Key/value pairs that provide additional information about the object. + + + Tag + A set of distinct strings that provide additional information. + + + + + + + Tool Component Unique Identifier + A stable, unique identifier for the tool component. + + + + Tool Component Name + The name of the tool component. + + + Tool Component Organization + The organization or company that produced the tool component. + + + Tool Component Product + A product suite to which the tool component belongs. + + + Tool Component Version + The tool component version, in whatever format the component natively provides. + + + Tool Component Semantic Version + The tool component version in the format specified by Semantic Versioning 2.0. + + + Tool Component Information URI + The absolute URI at which information about this version of the tool component can be found. + + + Rule + An array of reportingDescriptor objects relevant to the analysis performed by the tool component. + rule + + + + + + Reporting Descriptor + Metadata that describes a specific report produced by the tool, as part of the analysis it provides or its runtime reporting. + + Reporting Descriptor Identifier + A stable, opaque identifier for the report. + + + Reporting Descriptor Unique Identifier + A stable, unique identifier for the reporting descriptor. + + + + Reporting Descriptor Name + A report identifier that is understandable to an end user. + + + Short Description + A concise description of the report. Should be a single sentence that is understandable when visible space is limited to a single line of text. + shortDescription + + + Full Description + A description of the report. Should, as far as possible, provide details sufficient to enable resolution of any problem indicated by the result. + fullDescription + + + Help URI + A URI where the primary documentation for the report can be found. + + + + + Multi-format Message String + A message string or message format string rendered in multiple formats. + + + Text + A plain text message string or format string. + + + Markdown + A Markdown message string or format string. + + + + + Tool + The analysis tool used. + + + driver + + + + + + Artifacts + Artifacts analyzed by the tool to yield results. + + + Artifact Location + The location of the artifact. + location + + + + + Results + Results from the run of a tool. + + Rule Identifier + The stable, unique identifier of the rule, if any, to which this result is relevant. + + + Rule Identifier + The stable, unique identifier of the rule, if any, to which this result is relevant. + + + Result Unique Identifier + A stable, unique identifier for the result. + + + + A reference used to locate the rule descriptor relevant to this result. + rule + + + Result Kind + A value that categorizes results by evaluation state. + + + + + + + + + + + + + Severity Level + A value specifying the severity level of the result. + + + + + + + + + + + Result Message + A message that describes the result. The first sentence of the message only will be displayed when visible space is limited. + + + Scanned Artifact + Identifies the artifact that the analysis tool was instructed to scan. This need not be the same as the artifact where the result actually occurred. + analysisTarget + + + Result Location + The set of locations where the result was detected. Specify only one location unless the problem indicated by the result can only be corrected by making a change at every specified location. + location + + + + Occurrence Count + A positive integer specifying the number of times this logically unique result was observed in this run. + + + Result Related Location + A set of locations relevant to this result. + relatedLocation + + + + Result Provenance + Information about how and when the result was detected. + provenance + + + + + The value '{ . }' is not greater than or equal to '-1'. + + + + + + Reporting Descriptor Reference + Information about how to locate a relevant reporting descriptor. + + Reporting Descriptor Identifier + The id of the descriptor. + + + Reporting Descriptor Unique Identifier + A stable, unique identifier for the reporting descriptor. + + + + Index + The index into an array of descriptors in toolComponent.ruleDescriptors, toolComponent.notificationDescriptors, or toolComponent.taxonomyDescriptors, depending on context. + + + + + At least one id, guid, or index must be provided. + + + + + Message + Encapsulates a message intended to be read by the end user. + + Message Identifier + The id of the message. + + + + Text + A plain text message string. + + + Markdown + A Markdown message string. + + + Argument + A sequence of strings to substitute into the message string. + + + + + + At least one id or text must be provided. + + + + + Artifact Location + Specifies the location of an artifact. + + + URI + A valid relative or absolute URI. + + + Index + The index within the run artifacts array of the artifact object associated with the artifact location. + + + The index '{ . }' is not greater than or equal to '-1'. + + + + + Description + A short description of the artifact location. + description + + + + + Location + A location within a programming artifact. + + Location Identifier + A value that distinguishes this location from all other locations within a single result object. + + + + Physical Location + A physical location relevant to a result. Specifies a reference to a programming artifact together with a range of bytes or characters within that artifact. + + + Logical Location + The logical locations associated with the result. + + + Location Message + A message relevant to the location. + + + + + The id '{ . }' is not greater than or equal to '-1'. + + + + + + Physical Location + A physical location relevant to a result. Specifies a reference to a programming artifact together with a range of bytes or characters within that artifact. + + + Address + A physical or virtual address, or a range of addresses, in an 'addressable region' (memory or a binary file). + + + + The location of the artifact. + + + Region + Specifies a portion of the artifact. + + + Context Region + Specifies a portion of the artifact that encloses the region. Allows a viewer to display additional context around the region. + contextRegion + + + + + At least one address or artifactLocation must be provided. + + + + + Logical Location + A logical location of a construct that produced a result. + + + Logical Location Name + Identifies the construct in which the result occurred. For example, this property might contain the name of a class or a method. + + + Index + The index within the logical locations array. + + + The index '{ . }' is not greater than or equal to '-1'. + + + + + Fully Qualified Name + The human-readable fully qualified name of the logical location. + + + Decorated Name + The machine-readable name for the logical location, such as a mangled function name provided by a C++ compiler that encodes calling convention, return type and other details along with the function name. + + + Parent Index + Identifies the index of the immediate parent of the construct in which the result was detected. For example, this property might point to a logical location that represents the namespace that holds a type. + + + The index '{ . }' is not greater than or equal to '-1'. + + + + + Kind + The type of construct this logical location component refers to. Should be one of 'function', 'member', 'module', 'namespace', 'parameter', 'resource', 'returnType', 'type', 'variable', 'object', 'array', 'property', 'value', 'element', 'text', 'attribute', 'comment', 'declaration', 'dtd' or 'processingInstruction', if any of those accurately describe the construct. + + + + + Region + A region within an artifact where a result was detected. + + + Start Line + The line number of the first character in the region. + + + + Start Column + The column number of the first character in the region. + + + + End Line + The line number of the last character in the region. + + + + End Column + The column number of the character following the end of the region. + + + + Character Offset + The zero-based offset from the beginning of the artifact of the first character in the region. + + + The offset '{ . }' is not greater than or equal to '-1'. + + + + + + Character Length + The length of the region in characters. + + + + Byte Offset + The zero-based offset from the beginning of the artifact of the first byte in the region + + + The offset '{ . }' is not greater than or equal to '-1'. + + + + + + Byte Length + The length of the region in bytes. + + + + Region Message + A message relevant to the region. + + + + + At least a startLine, charOffset, or byteOffset must be provided. + + + + + Result Provanance + Contains information about how and when a result was detected. + + + First Detection Time + The Coordinated Universal Time (UTC) date and time at which the result was first detected. See \"Date/time properties\" in the SARIF spec for the required format. + + + + Last Detection Time + The Coordinated Universal Time (UTC) date and time at which the result was most recently detected. See \"Date/time properties\" in the SARIF spec for the required format. + + + + Conversion Source + An sequence of physicalLocation objects which specify the portions of an analysis tool's output that a converter transformed into the result. + conversionSource + + + + + + Run + Describes a single run of an analysis tool, and contains the reported output of that run. + + + Tool + Information about the tool or tool pipeline that generated the results in this run. A run can only contain results produced by a single tool or tool pipeline. A run can aggregate results from multiple log files, as long as context around the tool run (tool command-line arguments and the like) is identical for all aggregated files. + + + Artifact + A sequence of artifacts relevant to the run. + + + + Result + The set of results contained in an SARIF log. The results array can be omitted when a run is solely exporting rules metadata. It must be present (but may be empty) if a log file represents an actual scan. + + + + + + Static Analysis Results Interchange Format + A standard format for the output of static analysis tools. + sarif + + + + + + + +

Note, Metaschema does not support an anonymous top-level assembly without a key name in JSON and YAML, which is required for SARIF.

+ + + \ No newline at end of file From 5ec40667a81cc9baffb36a14603945b2e972d228 Mon Sep 17 00:00:00 2001 From: Dave Waltermire Date: Thu, 11 Jul 2024 08:59:58 -0400 Subject: [PATCH 3/5] Added support for prefix to namespace bindings for use in Metapath modules and external constraints for supporting multiple models and Metapath types and functions with colliding names that are in different namespaces. This better aligns Metapath with the XPath 3.1 specification. --- .../metaschema-module-constraints.xml | 62 +++++++++++++------ .../metaschema-module-metaschema.xml | 27 ++++++++ schema/xml/metaschema-meta-constraints.xsd | 1 + schema/xml/metaschema.xsd | 19 ++++++ 4 files changed, 89 insertions(+), 20 deletions(-) diff --git a/schema/metaschema/metaschema-module-constraints.xml b/schema/metaschema/metaschema-module-constraints.xml index c91a1e34..c0084ee7 100644 --- a/schema/metaschema/metaschema-module-constraints.xml +++ b/schema/metaschema/metaschema-module-constraints.xml @@ -5,37 +5,43 @@ - - - Unique Module Short Names + + + Index Module Short Names Ensures that the current and all imported modules have a unique short name. + + Require Version for Top-Level Modules + A top-level module, a module that is not marked as @abstract='yes', must have a version specified. + Unless marked as @abstract='yes', a Metaschema module (or an imported module) should have a version. + + + Require Root Assembly for Top-Level Modules + A top-level module, a module that is not marked as @abstract='yes', must have at least one assembly with a root-name. + Unless marked as @abstract='yes', a Metaschema module (or an imported module) should have at least one assembly with a root-name. + + + Require Unique Namespace Entries + Ensures that all declared namespace entries are unique. + + + + + Require Unique Namespace Entry Prefixes + Ensures that all declared namespace entries have a unique prefix. + + - - - - - Require Version for Top-Level Modules - A top-level module, a module that is not marked as @abstract='yes', must have a version specified. - Unless marked as @abstract='yes', a Metaschema module (or an imported module) should have a version. - - - Require Root Assembly for Top-Level Modules - A top-level module, a module that is not marked as @abstract='yes', must have at least one assembly with a root-name. - Unless marked as @abstract='yes', a Metaschema module (or an imported module) should have at least one assembly with a root-name. - - - - + Import is Resolvable Ensure each import has a resolvable @href. Unable to access a Metaschema module at '{{ resolve-uri(@href) }}'. - + Import is Resolvable Ensure each import is a Metaschema module. Unable the resource at '{{ resolve-uri(@href) }}' is not a Metaschema module. @@ -43,4 +49,20 @@ + + + + + Require Unique Namespace Entries + Ensures that all declared namespace entries are unique. + + + + + Require Unique Namespace Entry Prefixes + Ensures that all declared namespace entries have a unique prefix. + + + + \ No newline at end of file diff --git a/schema/metaschema/metaschema-module-metaschema.xml b/schema/metaschema/metaschema-module-metaschema.xml index 0cdd5915..b80b818d 100644 --- a/schema/metaschema/metaschema-module-metaschema.xml +++ b/schema/metaschema/metaschema-module-metaschema.xml @@ -52,6 +52,9 @@ A relative or absolute URI for retrieving an out-of-line Metaschema definition. + + + object-type @@ -183,6 +186,21 @@ + + Metapath Namespace Declaration + Assigns a Metapath namespace to a prefix for use in a Metapath expression in a lexical qualified name. + namespace-binding + + Metapath Namespace URI + The namespace URI to bind to the prefix. + + + Metapath Namespace Prefix + The prefix that is bound to the namespace. + + + + Inline Assembly Definition define-assembly @@ -1238,6 +1256,11 @@ A relative or absolute URI for retrieving an out-of-line Metaschema constraint definition. + + + + + @@ -1302,6 +1325,10 @@ Defines constraint rules to be applied to an existing set of Metaschema module-based models. metaschema-meta-constraints + + + + diff --git a/schema/xml/metaschema-meta-constraints.xsd b/schema/xml/metaschema-meta-constraints.xsd index 287eb2e1..ea0b74d5 100644 --- a/schema/xml/metaschema-meta-constraints.xsd +++ b/schema/xml/metaschema-meta-constraints.xsd @@ -11,6 +11,7 @@ + diff --git a/schema/xml/metaschema.xsd b/schema/xml/metaschema.xsd index d12822a4..fa16238b 100644 --- a/schema/xml/metaschema.xsd +++ b/schema/xml/metaschema.xsd @@ -45,6 +45,8 @@ + + @@ -80,6 +82,22 @@ + + + Assigns a Metapath namespace to a prefix for use in a Metapath expression in a lexical qualified name. + + + + The prefix that is bound to the namespace. + + + + + The namespace URI to bind to the prefix. + + + + @@ -1303,6 +1321,7 @@ + From 7df6b6b92e1c50613c3b4c10954dabcf1e358c63 Mon Sep 17 00:00:00 2001 From: Dave Waltermire Date: Fri, 19 Jul 2024 00:19:21 -0400 Subject: [PATCH 4/5] Added back legacy data types removed in usnistgov/metaschema#561 and usnistgov/metaschema#562 to restore use of these types, which are used in OSCAL. Refactored module constraints to fix Metapath errors. Removed keyword checks in names added by usnistgov/metaschema#542, which is not needed, since these names are allowed. --- .../metaschema-module-constraints.xml | 54 ++++++++++++------- .../metaschema-module-metaschema.xml | 26 ++++----- schema/xml/metaschema.xsd | 8 +++ 3 files changed, 55 insertions(+), 33 deletions(-) diff --git a/schema/metaschema/metaschema-module-constraints.xml b/schema/metaschema/metaschema-module-constraints.xml index c0084ee7..e5e04fc6 100644 --- a/schema/metaschema/metaschema-module-constraints.xml +++ b/schema/metaschema/metaschema-module-constraints.xml @@ -11,12 +11,16 @@ Ensures that the current and all imported modules have a unique short name. - - Require Version for Top-Level Modules - A top-level module, a module that is not marked as @abstract='yes', must have a version specified. - Unless marked as @abstract='yes', a Metaschema module (or an imported module) should have a version. + + Require Schema Version for Top-Level Modules + A top-level module, a module that is not marked as @abstract='yes', must have a schema version specified. + Unless marked as @abstract='yes', a Metaschema module (or an imported module) should have a schema version. - + Require Root Assembly for Top-Level Modules A top-level module, a module that is not marked as @abstract='yes', must have at least one assembly with a root-name. Unless marked as @abstract='yes', a Metaschema module (or an imported module) should have at least one assembly with a root-name. @@ -32,22 +36,32 @@ Ensures that all declared namespace entries have a unique prefix. + + Import is Resolvable + Ensure each import has a resolvable @href. + Unable to access a Metaschema module at '{{ resolve-uri(@href) }}'. + + + Import is a Metaschema module + Ensure each import is a Metaschema module. + Unable the resource at '{{ resolve-uri(@href) }}' is not a Metaschema module. + + + + + + + + + + + Avoid Deprecated Data Type Use + Ensure that the data type specified is not one of the legacy Metaschema data types which have been deprecated (i.e. base64Binary, dateTime, dateTime-with-timezone, email, nonNegativeInteger, positiveInteger). + Use of the type '{ . }' is deprecated. Use '{ $deprecated-type-map(.)}' instead. + - - - - - Import is Resolvable - Ensure each import has a resolvable @href. - Unable to access a Metaschema module at '{{ resolve-uri(@href) }}'. - - - Import is Resolvable - Ensure each import is a Metaschema module. - Unable the resource at '{{ resolve-uri(@href) }}' is not a Metaschema module. - - - diff --git a/schema/metaschema/metaschema-module-metaschema.xml b/schema/metaschema/metaschema-module-metaschema.xml index b80b818d..57fbec65 100644 --- a/schema/metaschema/metaschema-module-metaschema.xml +++ b/schema/metaschema/metaschema-module-metaschema.xml @@ -181,9 +181,6 @@ - - - @@ -642,11 +639,6 @@ Definition Name name - - - Names cannot be non-delimiting terminal symbols in Metapath syntax. - - @@ -702,6 +694,12 @@ + + + + + + @@ -731,6 +729,13 @@ + + + + + + + @@ -804,11 +809,6 @@ Allows the name of the definition to be overridden. name - - - Names cannot be non-delimiting terminal symbols in Metapath syntax. - - diff --git a/schema/xml/metaschema.xsd b/schema/xml/metaschema.xsd index fa16238b..02670b55 100644 --- a/schema/xml/metaschema.xsd +++ b/schema/xml/metaschema.xsd @@ -809,6 +809,14 @@ + + + + + + + + From 894b2238764c8732623a3894f0c236625ca5a686 Mon Sep 17 00:00:00 2001 From: Dave Waltermire Date: Wed, 24 Jul 2024 08:24:57 -0400 Subject: [PATCH 5/5] Added support for Metaschema module imports in meta constraints that will allow for more flexible organization of constraints in multiple files. Fixed metapaths in module constraints. --- .../metaschema-module-constraints.xml | 14 ++++++------- .../metaschema-module-metaschema.xml | 8 ++++++++ schema/metaschema/sarif-module.xml | 20 +++++++++---------- 3 files changed, 25 insertions(+), 17 deletions(-) diff --git a/schema/metaschema/metaschema-module-constraints.xml b/schema/metaschema/metaschema-module-constraints.xml index e5e04fc6..91346dc5 100644 --- a/schema/metaschema/metaschema-module-constraints.xml +++ b/schema/metaschema/metaschema-module-constraints.xml @@ -5,7 +5,7 @@ - + Index Module Short Names Ensures that the current and all imported modules have a unique short name. @@ -20,18 +20,18 @@ + test="exists($all-imports/define-assembly/root-name)"> Require Root Assembly for Top-Level Modules A top-level module, a module that is not marked as @abstract='yes', must have at least one assembly with a root-name. Unless marked as @abstract='yes', a Metaschema module (or an imported module) should have at least one assembly with a root-name. - + Require Unique Namespace Entries Ensures that all declared namespace entries are unique. - + Require Unique Namespace Entry Prefixes Ensures that all declared namespace entries have a unique prefix. @@ -54,7 +54,7 @@ - Avoid Deprecated Data Type Use @@ -66,13 +66,13 @@ - + Require Unique Namespace Entries Ensures that all declared namespace entries are unique. - + Require Unique Namespace Entry Prefixes Ensures that all declared namespace entries have a unique prefix. diff --git a/schema/metaschema/metaschema-module-metaschema.xml b/schema/metaschema/metaschema-module-metaschema.xml index 57fbec65..4bc4becc 100644 --- a/schema/metaschema/metaschema-module-metaschema.xml +++ b/schema/metaschema/metaschema-module-metaschema.xml @@ -1325,6 +1325,14 @@ Defines constraint rules to be applied to an existing set of Metaschema module-based models. metaschema-meta-constraints + + Declares a set of Metaschema constraints from an out-of-line resource to import, supporting composition of constraint sets. + + + A relative or absolute URI for retrieving an out-of-line Metaschema constraint definition. + + + diff --git a/schema/metaschema/sarif-module.xml b/schema/metaschema/sarif-module.xml index 450ca183..0bccfbe2 100644 --- a/schema/metaschema/sarif-module.xml +++ b/schema/metaschema/sarif-module.xml @@ -212,7 +212,7 @@ - + The value '{ . }' is not greater than or equal to '-1'. @@ -264,7 +264,7 @@ - + At least one id or text must be provided. @@ -281,7 +281,7 @@ Index The index within the run artifacts array of the artifact object associated with the artifact location. - + The index '{ . }' is not greater than or equal to '-1'. @@ -315,7 +315,7 @@ - + The id '{ . }' is not greater than or equal to '-1'. @@ -344,7 +344,7 @@ - + At least one address or artifactLocation must be provided. @@ -361,7 +361,7 @@ Index The index within the logical locations array. - + The index '{ . }' is not greater than or equal to '-1'. @@ -378,7 +378,7 @@ Parent Index Identifies the index of the immediate parent of the construct in which the result was detected. For example, this property might point to a logical location that represents the namespace that holds a type. - + The index '{ . }' is not greater than or equal to '-1'. @@ -417,7 +417,7 @@ Character Offset The zero-based offset from the beginning of the artifact of the first character in the region. - + The offset '{ . }' is not greater than or equal to '-1'. @@ -432,7 +432,7 @@ Byte Offset The zero-based offset from the beginning of the artifact of the first byte in the region - + The offset '{ . }' is not greater than or equal to '-1'. @@ -449,7 +449,7 @@ - + At least a startLine, charOffset, or byteOffset must be provided.