Support for SARIF-based validation results

.gitattributes

@@ -0,0 +1,5 @@
+# To list all file extensions:
+# git ls-files | awk -F . {'print $NF'}|sort -u
+#
+# Set the default behavior, in case people don't have core.autocrlf set.
+* text=auto

pom.xml

@@ -1,14 +1,16 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
 	<modelVersion>4.0.0</modelVersion>
 	<parent>
 		<groupId>gov.nist.secauto</groupId>
 		<artifactId>oss-parent</artifactId>
-		<version>27</version>
+		<version>28-SNAPSHOT</version>
 	</parent>
 	<groupId>gov.nist.secauto.oscal.tools.oscal-cli</groupId>
 	<artifactId>cli-core</artifactId>
-	<version>1.0.4-SNAPSHOT</version>
+	<version>1.1.0-SNAPSHOT</version>
 
 	<packaging>jar</packaging>
 
@@ -78,8 +80,8 @@
 	</mailingLists>
 	<properties>
 		<!-- metaschema dependencies -->
-		<dependency.metaschema-framework.version>0.12.2</dependency.metaschema-framework.version>
-		<dependency.liboscal-java.version>3.0.3</dependency.liboscal-java.version>
+		<dependency.metaschema-framework.version>1.0.0-M2-SNAPSHOT</dependency.metaschema-framework.version>
+		<dependency.liboscal-java.version>3.0.4-SNAPSHOT</dependency.liboscal-java.version>
 
 		<!-- site configuration -->
 		<site.url>https://pages.nist.gov/metaschema-java/</site.url>
@@ -109,16 +111,23 @@
 
 		<!-- other dependencies -->
 		<dependency.auto-service.version>1.1.1</dependency.auto-service.version>
-		<dependency.commons-cli.version>1.5.0</dependency.commons-cli.version>
-		<dependency.commons-io.version>2.15.1</dependency.commons-io.version>
+		<dependency.commons-cli.version>1.7.0</dependency.commons-cli.version>
+		<dependency.commons-io.version>2.16.1</dependency.commons-io.version>
 		<dependency.everit-json.version>1.14.4</dependency.everit-json.version>
+		<dependency.jansi.version>2.4.1</dependency.jansi.version>
 		<dependency.jline.version>3.21.0</dependency.jline.version>
-		<dependency.log4j2.version>2.20.0</dependency.log4j2.version>
-		<dependency.spotbugs-annotations.version>4.7.3</dependency.spotbugs-annotations.version>
+		<dependency.json.version>20240303</dependency.json.version>
+		<dependency.log4j2.version>2.23.1</dependency.log4j2.version>
+		<dependency.pmd.version>7.1.0</dependency.pmd.version>
+		<dependency.spotbugs-annotations.version>4.8.3</dependency.spotbugs-annotations.version>
 		<dependency.saxon-he.version>12.4</dependency.saxon-he.version>
-		<dependency.xmlresolver.version>6.0.2</dependency.xmlresolver.version>
+		<dependency.xmlbeans.version>5.2.0</dependency.xmlbeans.version>
+		<dependency.xmlresolver.version>5.2.2</dependency.xmlresolver.version>
 
 		<plugin.license.version>4.2</plugin.license.version>
+		<plugin.maven-toolchains.version>3.1.0</plugin.maven-toolchains.version>
+		<plugin.pmd.version>3.22.0</plugin.pmd.version>
+		<plugin.spotbugs.version>4.8.4.0</plugin.spotbugs.version>
 	</properties>
 	<repositories>
 		<repository>
@@ -215,11 +224,22 @@
 			<classifier>data</classifier>
 			<version>${dependency.xmlresolver.version}</version>
 		</dependency>
+		<dependency>
+			<groupId>org.apache.xmlbeans</groupId>
+			<artifactId>xmlbeans</artifactId>
+			<version>${dependency.xmlbeans.version}</version>
+		</dependency>
 		<dependency>
 			<groupId>com.github.erosb</groupId>
 			<artifactId>everit-json-schema</artifactId>
 			<version>${dependency.everit-json.version}</version>
 		</dependency>
+		<dependency>
+			<!-- for dependency convergence -->
+			<groupId>org.json</groupId>
+			<artifactId>json</artifactId>
+			<version>${dependency.json.version}</version>
+		</dependency>
 		<dependency>
 			<groupId>com.github.spotbugs</groupId>
 			<artifactId>spotbugs-annotations</artifactId>
@@ -228,12 +248,7 @@
 		</dependency>
 		<dependency>
 			<groupId>org.junit.jupiter</groupId>
-			<artifactId>junit-jupiter-api</artifactId>
-			<scope>test</scope>
-		</dependency>
-		<dependency>
-			<groupId>org.junit.jupiter</groupId>
-			<artifactId>junit-jupiter-engine</artifactId>
+			<artifactId>junit-jupiter</artifactId>
 			<scope>test</scope>
 		</dependency>
 		<dependency>
@@ -260,6 +275,27 @@
 
 		<pluginManagement>
 			<plugins>
+				<plugin>
+					<groupId>org.apache.maven.plugins</groupId>
+					<artifactId>maven-toolchains-plugin</artifactId>
+					<version>${plugin.maven-toolchains.version}</version>
+					<executions>
+						<execution>
+							<goals>
+								<goal>toolchain</goal>
+							</goals>
+						</execution>
+					</executions>
+					<configuration>
+						<toolchains>
+							<jdk>
+								<version>11</version>
+								<vendor>temurin</vendor>
+							</jdk>
+						</toolchains>
+					</configuration>
+				</plugin>
+
 				<plugin>
 					<groupId>org.apache.maven.plugins</groupId>
 					<artifactId>maven-site-plugin</artifactId>
@@ -282,13 +318,50 @@
 				<plugin>
 					<groupId>com.github.spotbugs</groupId>
 					<artifactId>spotbugs-maven-plugin</artifactId>
+					<version>${plugin.spotbugs.version}</version>
 					<configuration>
 						<excludeFilterFile>spotbugs-exclude.xml</excludeFilterFile>
 					</configuration>
 				</plugin>
+				<plugin>
+					<groupId>org.apache.maven.plugins</groupId>
+					<artifactId>maven-pmd-plugin</artifactId>
+					<version>${plugin.pmd.version}</version>
+					<dependencies>
+						<dependency>
+							<groupId>net.sourceforge.pmd</groupId>
+							<artifactId>pmd-core</artifactId>
+							<version>${dependency.pmd.version}</version>
+						</dependency>
+						<dependency>
+							<groupId>net.sourceforge.pmd</groupId>
+							<artifactId>pmd-java</artifactId>
+							<version>${dependency.pmd.version}</version>
+						</dependency>
+					</dependencies>
+					<executions>
+						<execution>
+							<id>pmd-verify</id>
+							<goals>
+								<goal>check</goal>
+							</goals>
+							<configuration>
+								<failurePriority>2</failurePriority>
+								<!-- fail on error for all builds -->
+								<failOnViolation>true</failOnViolation>
+								<printFailingErrors>true</printFailingErrors>
+								<format>sarif</format>
+							</configuration>
+						</execution>
+					</executions>
+				</plugin>
 			</plugins>
 		</pluginManagement>
 		<plugins>
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-toolchains-plugin</artifactId>
+			</plugin>
 			<plugin>
 				<groupId>io.github.git-commit-id</groupId>
 				<artifactId>git-commit-id-maven-plugin</artifactId>
@@ -428,9 +501,8 @@
 							<thirdPartyFilename>LICENSE-THIRD-PARTY.txt</thirdPartyFilename>
 							<licenseMerges>
 								<licenseMerge>The Apache Software License,
-									Version 2.0|Apache
-									License, Version 2.0|Apache Public License
-									2.0</licenseMerge>
+									Version 2.0|Apache License, Version
+									2.0|Apache Public License 2.0</licenseMerge>
 							</licenseMerges>
 						</configuration>
 					</execution>

src/main/assembly/bin.xml

@@ -14,6 +14,9 @@
 			<outputDirectory>/lib</outputDirectory>
 			<outputFileNameMapping>${artifact.groupId}.${artifact.artifactId}-${artifact.version}.${artifact.extension}</outputFileNameMapping>
 			<useProjectArtifact>true</useProjectArtifact>
+			<excludes>
+				<exclude>org.jetbrains:annotations</exclude>
+			</excludes>
 		</dependencySet>
 	</dependencySets>
 	<fileSets>

src/main/java-templates/gov/nist/secauto/oscal/tools/cli/core/OscalCliVersion.java

@@ -26,7 +26,7 @@
 
 package gov.nist.secauto.oscal.tools.cli.core;
 
-import gov.nist.secauto.metaschema.model.common.util.IVersionInfo;
+import gov.nist.secauto.metaschema.core.util.IVersionInfo;
 
 public class OscalCliVersion implements IVersionInfo {
 

src/main/java/gov/nist/secauto/oscal/tools/cli/core/CLI.java

@@ -28,12 +28,15 @@
 
 import gov.nist.secauto.metaschema.cli.processor.CLIProcessor;
 import gov.nist.secauto.metaschema.cli.processor.ExitStatus;
-import gov.nist.secauto.metaschema.model.MetaschemaVersion;
-import gov.nist.secauto.metaschema.model.common.util.IVersionInfo;
-import gov.nist.secauto.metaschema.model.common.util.MetaschemaJavaVersion;
-import gov.nist.secauto.metaschema.model.common.util.ObjectUtils;
+import gov.nist.secauto.metaschema.core.MetaschemaJavaVersion;
+import gov.nist.secauto.metaschema.core.model.MetaschemaVersion;
+import gov.nist.secauto.metaschema.core.util.IVersionInfo;
+import gov.nist.secauto.metaschema.core.util.ObjectUtils;
 import gov.nist.secauto.oscal.lib.LibOscalVersion;
 import gov.nist.secauto.oscal.lib.OscalVersion;
+import gov.nist.secauto.oscal.tools.cli.core.commands.ConvertCommand;
+import gov.nist.secauto.oscal.tools.cli.core.commands.ResolveCommand;
+import gov.nist.secauto.oscal.tools.cli.core.commands.ValidateCommand;
 import gov.nist.secauto.oscal.tools.cli.core.commands.assessmentplan.AssessmentPlanCommand;
 import gov.nist.secauto.oscal.tools.cli.core.commands.assessmentresults.AssessmentResultsCommand;
 import gov.nist.secauto.oscal.tools.cli.core.commands.catalog.CatalogCommand;
@@ -43,7 +46,8 @@
 import gov.nist.secauto.oscal.tools.cli.core.commands.profile.ProfileCommand;
 import gov.nist.secauto.oscal.tools.cli.core.commands.ssp.SystemSecurityPlanCommand;
 
-import java.util.List;
+import java.util.LinkedHashMap;
+import java.util.Map;
 
 import edu.umd.cs.findbugs.annotations.NonNull;
 
@@ -59,13 +63,16 @@ public static void main(String[] args) {
 
   @NonNull
   public static ExitStatus runCli(String... args) {
-    List<IVersionInfo> versions = ObjectUtils.notNull(
-        List.of(
-            new OscalCliVersion(),
-            new LibOscalVersion(),
-            new OscalVersion(),
-            new MetaschemaJavaVersion(),
-            new MetaschemaVersion()));
+    @SuppressWarnings("serial") Map<String, IVersionInfo> versions = ObjectUtils.notNull(
+        new LinkedHashMap<>() {
+          {
+            put(CLIProcessor.COMMAND_VERSION, new OscalCliVersion());
+            put("https://github.com/usnistgov/liboscal-java", new LibOscalVersion());
+            put("https://github.com/usnistgov/OSCAL", new OscalVersion());
+            put("https://github.com/usnistgov/metaschema-java", new MetaschemaJavaVersion());
+            put("https://github.com/usnistgov/metaschema", new MetaschemaVersion());
+          }
+        });
     CLIProcessor processor = new CLIProcessor("oscal-cli", versions);
     processor.addCommandHandler(new CatalogCommand());
     processor.addCommandHandler(new ProfileCommand());
@@ -75,6 +82,9 @@ public static ExitStatus runCli(String... args) {
     processor.addCommandHandler(new AssessmentResultsCommand());
     processor.addCommandHandler(new PlanOfActionsAndMilestonesCommand());
     processor.addCommandHandler(new MetaschemaCommand());
+    processor.addCommandHandler(new ValidateCommand());
+    processor.addCommandHandler(new ConvertCommand());
+    processor.addCommandHandler(new ResolveCommand());
     return processor.process(args);
   }
 

src/main/java/gov/nist/secauto/oscal/tools/cli/core/commands/AbstractOscalConvertSubcommand.java

@@ -0,0 +1,90 @@
+/*
+ * Portions of this software was developed by employees of the National Institute
+ * of Standards and Technology (NIST), an agency of the Federal Government and is
+ * being made available as a public service. Pursuant to title 17 United States
+ * Code Section 105, works of NIST employees are not subject to copyright
+ * protection in the United States. This software may be subject to foreign
+ * copyright. Permission in the United States and in foreign countries, to the
+ * extent that NIST may hold copyright, to use, copy, modify, create derivative
+ * works, and distribute this software and its documentation without fee is hereby
+ * granted on a non-exclusive basis, provided that this notice and disclaimer
+ * of warranty appears in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED 'AS IS' WITHOUT ANY WARRANTY OF ANY KIND, EITHER
+ * EXPRESSED, IMPLIED, OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTY
+ * THAT THE SOFTWARE WILL CONFORM TO SPECIFICATIONS, ANY IMPLIED WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND FREEDOM FROM
+ * INFRINGEMENT, AND ANY WARRANTY THAT THE DOCUMENTATION WILL CONFORM TO THE
+ * SOFTWARE, OR ANY WARRANTY THAT THE SOFTWARE WILL BE ERROR FREE.  IN NO EVENT
+ * SHALL NIST BE LIABLE FOR ANY DAMAGES, INCLUDING, BUT NOT LIMITED TO, DIRECT,
+ * INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES, ARISING OUT OF, RESULTING FROM,
+ * OR IN ANY WAY CONNECTED WITH THIS SOFTWARE, WHETHER OR NOT BASED UPON WARRANTY,
+ * CONTRACT, TORT, OR OTHERWISE, WHETHER OR NOT INJURY WAS SUSTAINED BY PERSONS OR
+ * PROPERTY OR OTHERWISE, AND WHETHER OR NOT LOSS WAS SUSTAINED FROM, OR AROSE OUT
+ * OF THE RESULTS OF, OR USE OF, THE SOFTWARE OR SERVICES PROVIDED HEREUNDER.
+ */
+
+package gov.nist.secauto.oscal.tools.cli.core.commands;
+
+import gov.nist.secauto.metaschema.cli.commands.AbstractConvertSubcommand;
+import gov.nist.secauto.metaschema.cli.processor.CLIProcessor.CallingContext;
+import gov.nist.secauto.metaschema.cli.processor.ExitStatus;
+import gov.nist.secauto.metaschema.cli.processor.command.ICommandExecutor;
+import gov.nist.secauto.metaschema.core.model.IBoundObject;
+import gov.nist.secauto.metaschema.databind.IBindingContext;
+import gov.nist.secauto.metaschema.databind.io.Format;
+import gov.nist.secauto.metaschema.databind.io.IBoundLoader;
+import gov.nist.secauto.oscal.lib.OscalBindingContext;
+
+import org.apache.commons.cli.CommandLine;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.io.Writer;
+import java.net.URI;
+
+import edu.umd.cs.findbugs.annotations.NonNull;
+
+public abstract class AbstractOscalConvertSubcommand
+    extends AbstractConvertSubcommand {
+  private static final Logger LOGGER = LogManager.getLogger(AbstractOscalConvertSubcommand.class);
+
+  @NonNull
+  public abstract Class<? extends IBoundObject> getOscalClass();
+
+  @Override
+  public ICommandExecutor newExecutor(CallingContext callingContext, CommandLine commandLine) {
+    return new OscalCommandExecutor(callingContext, commandLine);
+  }
+
+  private final class OscalCommandExecutor
+      extends AbstractConversionCommandExecutor {
+
+    private OscalCommandExecutor(
+        @NonNull CallingContext callingContext,
+        @NonNull CommandLine commandLine) {
+      super(callingContext, commandLine);
+    }
+
+    @Override
+    protected IBindingContext getBindingContext() {
+      return OscalBindingContext.instance();
+    }
+
+    @Override
+    public ExitStatus execute() {
+      LOGGER.atWarn().log("This command path is deprecated. Please use 'convert'.");
+
+      return super.execute();
+    }
+
+    @Override
+    protected void handleConversion(URI source, Format toFormat, Writer writer, IBoundLoader loader)
+        throws FileNotFoundException, IOException {
+      Class<? extends IBoundObject> clazz = getOscalClass();
+      loader.convert(source, writer, toFormat, clazz);
+    }
+  }
+}