Skip to content

Commit

Permalink
Metaschema enhancements to string-based datatypes (#936)
Browse files Browse the repository at this point in the history
* Adjusted metaschemas: new 'version'; json-base-uri
* Added 'complete' metaschema
* Changes to OSCAL metaschemas in view of enhancements addressing #805, #911, #67, #868.
  • Loading branch information
wendellpiez authored May 21, 2021
1 parent cb97d08 commit 82ec272
Show file tree
Hide file tree
Showing 12 changed files with 113 additions and 73 deletions.
37 changes: 19 additions & 18 deletions src/metaschema/oscal_assessment-common_metaschema.xml
Original file line number Diff line number Diff line change
@@ -1,9 +1,10 @@
<?xml version="1.0" encoding="UTF-8"?>
<METASCHEMA xmlns="http://csrc.nist.gov/ns/oscal/metaschema/1.0" abstract="yes">
<schema-name>OSCAL Assessment Layer Format -- Common Modules</schema-name>
<schema-version>1.0.0-rc2</schema-version>
<schema-version>1.0.0</schema-version>
<short-name>oscal-assessment-common</short-name>
<namespace>http://csrc.nist.gov/ns/oscal/1.0</namespace>
<json-base-uri>http://csrc.nist.gov/ns/oscal</json-base-uri>
<remarks>
<p>This contains all modules common to the assessment plan, assessment results, and POAM models. </p>
<p>The root of the OSCAL Assessment Plan format is <code>assessment-plan</code>.</p>
Expand Down Expand Up @@ -214,7 +215,7 @@
<formal-name>Task Universally Unique Identifier</formal-name>
<description>Uniquely identifies this assessment task. </description>
</define-flag>
<define-flag name="type" required="yes" as-type="NCName">
<define-flag name="type" required="yes" as-type="token">
<formal-name>Task Type</formal-name>
<description>The type of task.</description>
<constraint>
Expand Down Expand Up @@ -493,7 +494,7 @@
<description>Used to select a control for inclusion/exclusion based on one or more control identifiers. A set of statement identifiers can be used to target the inclusion/exclusion to only specific control statements providing more granularity over the specific statements that are within the asessment scope.</description>
<flag ref="control-id" required="yes"/>
<model>
<define-field name="statement-id" as-type="NCName" min-occurs="0" max-occurs="unbounded" >
<define-field name="statement-id" as-type="token" min-occurs="0" max-occurs="unbounded" >
<formal-name>Include Specific Statements</formal-name>
<description>Used to constrain the selection to only specificity identified statements.</description>
<group-as name="statement-ids" in-json="ARRAY"/>
Expand Down Expand Up @@ -543,7 +544,7 @@
<formal-name>Subject of Assessment</formal-name>
<description>Identifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies a planned assessment subject. In the assessment results this is an actual assessment subject, and reflects any changes from the plan. exactly what will be the focus of this assessment. Any subjects not identified in this way are out-of-scope.</description>
<!-- CHANGED: "name" to "type" -->
<define-flag name="type" as-type="NCName" required="yes">
<define-flag name="type" as-type="token" required="yes">
<formal-name>Subject Type</formal-name>
<description>Indicates the type of assessment subject, such as a component, inventory, item, location, or party represented by this selection statement.</description>
<constraint>
Expand Down Expand Up @@ -626,7 +627,7 @@
<description>A pointer to a component, inventory-item, location, party, user, or resource using it's UUID.</description>
</define-flag>

<define-flag name="subject-type" as-type="NCName" scope="local">
<define-flag name="subject-type" as-type="token" scope="local">
<formal-name>Subject Universally Unique Identifier Reference Type</formal-name>
<description>Used to indicate the type of object pointed to by the <code>uuid-ref</code> within a subject.</description>
<constraint>
Expand Down Expand Up @@ -764,7 +765,7 @@
<p>The target will always be a reference to: 1) a control statement, or 2) a control objective. In the former case, there is always a single top-level statement within a control. Thus, if the entire control is targeted, this statement identifier can be used.</p>
</remarks>
</define-flag>
<define-flag name="target-id" as-type="NCName" required="yes">
<define-flag name="target-id" as-type="token" required="yes">
<formal-name>Finding Target Identifier Reference</formal-name>
<description>Identifies the specific target qualified by the <code>type</code>.</description>
</define-flag>
Expand All @@ -784,7 +785,7 @@
<assembly ref="link" max-occurs="unbounded">
<group-as name="links" in-json="ARRAY"/>
</assembly>
<define-field name="status" as-type="NCName" min-occurs="1" max-occurs="1">
<define-field name="status" as-type="token" min-occurs="1" max-occurs="1">
<formal-name>Objective Status</formal-name>
<description>A brief indication as to whether the objective is satisfied or not within a given system.</description>
<!-- CHANGED: removed @system flag -->
Expand Down Expand Up @@ -845,7 +846,7 @@
</constraint>
</define-field>

<define-field name="type" as-type="NCName" max-occurs="unbounded">
<define-field name="type" as-type="token" max-occurs="unbounded">
<!-- CHANGED "observation-type" to "type" -->
<formal-name>Observation Type</formal-name>
<description>Identifies the nature of the observation. More than one may be used to further qualify and enable filtering.</description>
Expand Down Expand Up @@ -945,7 +946,7 @@
<define-assembly name="origin-actor">
<formal-name>Originating Actor</formal-name>
<description>The actor that produces an observation, a finding, or a risk. One or more actor type can be used to specify a person that is using a tool.</description>
<define-flag name="type" as-type="NCName" required="yes">
<define-flag name="type" as-type="token" required="yes">
<formal-name>Actor Type</formal-name>
<description>The kind of actor.</description>
<constraint>
Expand All @@ -961,7 +962,7 @@
<formal-name>Actor Universally Unique Identifier Reference</formal-name>
<description>A pointer to the tool or person based on the associated type.</description>
</define-flag>
<define-flag name="role-id" as-type="NCName">
<define-flag name="role-id" as-type="token">
<formal-name>Actor Role</formal-name>
<description>For a party, this can optionally be used to specify the role the actor was performing.</description>
</define-flag>
Expand Down Expand Up @@ -1084,7 +1085,7 @@
<assembly ref="link" max-occurs="unbounded">
<group-as name="links" in-json="ARRAY"/>
</assembly>
<define-field name="status" as-type="NCName" min-occurs="1">
<define-field name="status" as-type="token" min-occurs="1">
<!-- CHANGED: from "risk-status" to "status" -->
<formal-name>Status</formal-name>
<description>Describes the status of the associated risk.</description>
Expand Down Expand Up @@ -1286,13 +1287,13 @@
<formal-name>Party UUID Reference</formal-name>
<description>A pointer to the party who is making the log entry.</description>
</define-flag>
<define-flag name="role-id" as-type="NCName">
<define-flag name="role-id" as-type="token">
<formal-name>Actor Role</formal-name>
<description>A point to the role-id of the role in which the party is making the log entry.</description>
</define-flag>
</define-assembly>

<define-field name="risk-status" as-type="NCName">
<define-field name="risk-status" as-type="token">
<!-- CHANGED: from "risk-status" to "status" -->
<formal-name>Risk Status</formal-name>
<description>Describes the status of the associated risk.</description>
Expand Down Expand Up @@ -1327,7 +1328,7 @@
<formal-name>Facet</formal-name>
<description>An individual characteristic that is part of a larger set produced by the same actor.</description>
<group-as name="facets" in-json="ARRAY"/>
<define-flag name="name" as-type="NCName" required="yes">
<define-flag name="name" as-type="token" required="yes">
<formal-name>Facet Name</formal-name>
<description>The name of the risk metric within the specified system.</description>
</define-flag>
Expand Down Expand Up @@ -1574,7 +1575,7 @@
<description>Uniquely identifies this remediation. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. Once assigned, a UUID should be consistently used for a given remediation across revisions.</description>
</define-flag>
<!-- CHANGED: type to lifecycle -->
<define-flag name="lifecycle" as-type="NCName" required="yes">
<define-flag name="lifecycle" as-type="token" required="yes">
<formal-name>Remediation Intent</formal-name>
<description>Identifies whether this is a recommendation, such as from an assessor or tool, or an actual plan accepted by the system owner.</description>
<constraint>
Expand Down Expand Up @@ -1674,7 +1675,7 @@
</constraint>
</define-assembly>

<define-flag name="objective-id" as-type="NCName" scope="local">
<define-flag name="objective-id" as-type="token" scope="local">
<!-- This is an id to sync with control syntax -->
<formal-name>Objective ID</formal-name>
<description>Points to an assessment objective.</description>
Expand All @@ -1690,7 +1691,7 @@
<formal-name>Part Identifier</formal-name>
<description>A unique identifier for a specific part instance. This identifier's uniqueness is document scoped and is intended to be consistent for the same part across minor revisions of the document.</description>
</define-flag>
<define-flag name="name" as-type="NCName" required="yes">
<define-flag name="name" as-type="token" required="yes">
<formal-name>Part Name</formal-name>
<description>A textual label that uniquely identifies the part's semantic type.</description>
<constraint>
Expand All @@ -1712,7 +1713,7 @@
<p>When a <code>ns</code> is not provided, its value should be assumed to be <code>http://csrc.nist.gov/ns/oscal</code> and the name should be a name defined by the associated OSCAL model.</p>
</remarks>
</define-flag>
<define-flag name="class" as-type="NCName">
<define-flag name="class" as-type="token">
<formal-name>Part Class</formal-name>
<description>A textual label that provides a sub-type or characterization of the part's <code>name</code>. This can be used to further distinguish or discriminate between the semantics of multiple parts of the same control with the same <code>name</code> and <code>ns</code>.</description>
<remarks>
Expand Down
3 changes: 2 additions & 1 deletion src/metaschema/oscal_assessment-plan_metaschema.xml
Original file line number Diff line number Diff line change
@@ -1,9 +1,10 @@
<?xml version="1.0" encoding="UTF-8"?>
<METASCHEMA xmlns="http://csrc.nist.gov/ns/oscal/metaschema/1.0">
<schema-name>OSCAL Assessment Plan Model</schema-name>
<schema-version>1.0.0-rc2</schema-version>
<schema-version>1.0.0</schema-version>
<short-name>oscal-ap</short-name>
<namespace>http://csrc.nist.gov/ns/oscal/1.0</namespace>
<json-base-uri>http://csrc.nist.gov/ns/oscal</json-base-uri>
<remarks>
<p>The OSCAL assessment plan format is used to describe the information typically provided by an assessor during the preparation for an assessment.</p>
<p>The root of the OSCAL assessment plan format is <code>assessment-plan</code>.
Expand Down
3 changes: 2 additions & 1 deletion src/metaschema/oscal_assessment-results_metaschema.xml
Original file line number Diff line number Diff line change
Expand Up @@ -3,9 +3,10 @@
<METASCHEMA xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://csrc.nist.gov/ns/oscal/metaschema/1.0" xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/metaschema/1.0 ../../build/metaschema/toolchains/xslt-M4/validate/metaschema.xsd">
<schema-name>OSCAL Assessment Results Model</schema-name>
<schema-version>1.0.0-rc2</schema-version>
<schema-version>1.0.0</schema-version>
<short-name>oscal-ar</short-name>
<namespace>http://csrc.nist.gov/ns/oscal/1.0</namespace>
<json-base-uri>http://csrc.nist.gov/ns/oscal</json-base-uri>
<remarks>
<p>The OSCAL assessment results format is used to describe the information typically provided by an assessor following an assessment.</p>
<p>The root of the OSCAL assessment results format is <code>assessment-results</code>.
Expand Down
11 changes: 6 additions & 5 deletions src/metaschema/oscal_catalog_metaschema.xml
Original file line number Diff line number Diff line change
Expand Up @@ -8,9 +8,10 @@
<METASCHEMA xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://csrc.nist.gov/ns/oscal/metaschema/1.0" xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/metaschema/1.0 ../../build/metaschema/toolchains/xslt-M4/validate/metaschema.xsd">
<schema-name>OSCAL Control Catalog Model</schema-name>
<schema-version>1.0.0-rc2</schema-version>
<schema-version>1.0.0</schema-version>
<short-name>oscal-catalog</short-name>
<namespace>http://csrc.nist.gov/ns/oscal/1.0</namespace>
<json-base-uri>http://csrc.nist.gov/ns/oscal</json-base-uri>
<remarks>
<p>The OSCAL Control Catalog format can be used to describe a collection of security controls and related control enhancements, along with contextualizing documentation and metadata. The root of the Control Catalog format is <code>catalog</code>.
</p>
Expand Down Expand Up @@ -64,12 +65,12 @@
<define-assembly name="group">
<formal-name>Control Group</formal-name>
<description>A group of controls, or of groups of controls.</description>
<define-flag name="id" as-type="NCName">
<define-flag name="id" as-type="token">
<!-- This is an id because the idenfier is assigned and managed externally by humans. -->
<formal-name>Group Identifier</formal-name>
<description>A unique identifier for a specific group instance that can be used to reference the group within this and in other OSCAL documents. This identifier's uniqueness is document scoped and is intended to be consistent for the same group across minor revisions of the document.</description>
</define-flag>
<define-flag name="class" as-type="NCName">
<define-flag name="class" as-type="token">
<formal-name>Group Class</formal-name>
<description>A textual label that provides a sub-type or characterization of the group.</description>
<remarks>
Expand Down Expand Up @@ -129,12 +130,12 @@
<define-assembly name="control">
<formal-name>Control</formal-name>
<description>A structured information object representing a security or privacy control. Each security or privacy control within the Catalog is defined by a distinct control instance.</description>
<define-flag name="id" as-type="NCName" required="yes">
<define-flag name="id" as-type="token" required="yes">
<!-- This is an id because the idenfier is managed externally. -->
<formal-name>Control Identifier</formal-name>
<description>A unique identifier for a specific control instance that can be used to reference the control in other OSCAL documents. This identifier's uniqueness is document scoped and is intended to be consistent for the same control across minor revisions of the document.</description>
</define-flag>
<define-flag name="class" as-type="NCName">
<define-flag name="class" as-type="token">
<formal-name>Control Class</formal-name>
<description>A textual label that provides a sub-type or characterization of the control.</description>
<remarks>
Expand Down
26 changes: 26 additions & 0 deletions src/metaschema/oscal_complete_metaschema.xml
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--<?xml-model href="../../build/metaschema/toolchains/xslt-M4/validate/metaschema-check.sch" type="application/xml" schematypens="http://purl.oclc.org/dsdl/schematron"?>-->
<!-- OSCAL GRAND UNIFIED MEGALOMETASCHEMA -->
<!-- validate with XSD and Schematron (linked) -->
<!DOCTYPE METASCHEMA [
<!ENTITY allowed-values-control-group-property-name SYSTEM "shared-constraints/allowed-values-control-group-property-name.ent">
]>
<METASCHEMA xmlns="http://csrc.nist.gov/ns/oscal/metaschema/1.0">
<schema-name>OSCAL Unified Model of Models</schema-name>
<schema-version>1.0.0</schema-version>
<short-name>oscal-complete</short-name>
<namespace>http://csrc.nist.gov/ns/oscal/1.0</namespace>
<json-base-uri>http://csrc.nist.gov/ns/oscal</json-base-uri>
<remarks>
<p>The OSCAL Control Catalog format can be used to describe a collection of security controls and related control enhancements, along with contextualizing documentation and metadata. The root of the Control Catalog format is <code>catalog</code>.
</p>
</remarks>
<import href="oscal_catalog_metaschema.xml"/>
<import href="oscal_profile_metaschema.xml"/>
<import href="oscal_ssp_metaschema.xml"/>
<import href="oscal_component_metaschema.xml"/>
<import href="oscal_poam_metaschema.xml"/>
<import href="oscal_assessment-plan_metaschema.xml"/>
<import href="oscal_assessment-results_metaschema.xml"/>

</METASCHEMA>
3 changes: 2 additions & 1 deletion src/metaschema/oscal_component_metaschema.xml
Original file line number Diff line number Diff line change
Expand Up @@ -14,9 +14,10 @@
<METASCHEMA xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://csrc.nist.gov/ns/oscal/metaschema/1.0" xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/metaschema/1.0 ../../build/metaschema/toolchains/xslt-M4/validate/metaschema.xsd">
<schema-name>OSCAL Component Definition Model</schema-name>
<schema-version>1.0.0-rc1</schema-version>
<schema-version>1.0.0</schema-version>
<short-name>oscal-component-definition</short-name>
<namespace>http://csrc.nist.gov/ns/oscal/1.0</namespace>
<json-base-uri>http://csrc.nist.gov/ns/oscal</json-base-uri>
<remarks>
<p>The OSCAL Component Definition Model can be used to describe the implementation of controls in a <code>component</code> or a set of components grouped as a <code>capability</code>. A component can be either a <em>technical component</em>, or a <em>documentary component</em>. A technical component is a component that is implemented in hardware (physical or virtual) or software. A documentary component is a component implemented in a document, such as a process, procedure, or policy.</p>
<p>The root of the OSCAL Implementation Component format is <code>component-definition</code>.
Expand Down
Loading

0 comments on commit 82ec272

Please sign in to comment.