Produce Metaschemas without XXEs (#1665)

[nikitawootten-nist]

Committer Notes

Fixes #1665

Also in this PR:

• Added list-release-artifacts utility makefile target for use in OSCAL-Reference;
• Renamed src/release/README.txt to a more descriptive name to prevent confusion in the future (see Rename README.txt to README.md #1891);
• The archive generation target includes the XXE-less metaschema modules.

All Submissions:

• Have you selected the correct base branch per Contributing guidance?
• Have you set "Allow edits and access to secrets by maintainers"?
• Have you checked to ensure there aren't other open Pull Requests for the same update/change?
• Have you squashed any non-relevant commits and commit messages? [instructions]
• Do all automated CI/CD checks pass?

By submitting a pull request, you are agreeing to provide this contribution under the CC0 1.0 Universal public domain dedication.

(For reviewers: The wiki has guidance on code review and overall issue review for completeness.)

Changes to Core Features:

• Have you added an explanation of what your changes do and why you'd like us to include them?
• Have you written new tests for your core changes, as applicable?
• Have you included examples of how to use your new feature(s)?
• Have you updated all OSCAL website and readme documentation affected by the changes you made? Changes to the OSCAL website can be made in the docs/content directory of your branch.

[nikitawootten-nist]

Example output

Running make resolved-metaschemas produces the following files:

 ➜ tree generated | grep RESOLVED
├── oscal_assessment-common_metaschema_RESOLVED.xml
├── oscal_assessment-plan_metaschema_RESOLVED.xml
├── oscal_assessment-results_metaschema_RESOLVED.xml
├── oscal_catalog_metaschema_RESOLVED.xml
├── oscal_complete_metaschema_RESOLVED.xml
├── oscal_component_metaschema_RESOLVED.xml
├── oscal_control-common_metaschema_RESOLVED.xml
├── oscal_implementation-common_metaschema_RESOLVED.xml
├── oscal_metadata_metaschema_RESOLVED.xml
├── oscal_poam_metaschema_RESOLVED.xml
├── oscal_profile_metaschema_RESOLVED.xml
├── oscal_ssp_metaschema_RESOLVED.xml

The resolved metaschemas are identical to the source ones but with two crucial differences:

1. XXEs have been resolved
2. The import/@hrefs have been transformed with the appropriate suffix added.

Example:

<?xml version="1.0" encoding="UTF-8"?>
<?xml-model href="../../build/metaschema-xslt/src/validate/metaschema-composition-check.sch" type="application/xml" schematypens="http://purl.oclc.org/dsdl/schematron"?>
<!-- OSCAL GRAND UNIFIED MEGALOMETASCHEMA -->
<!-- validate with XSD and Schematron (linked) -->
<METASCHEMA xmlns="http://csrc.nist.gov/ns/oscal/metaschema/1.0">
   <schema-name>OSCAL Unified Model of Models</schema-name>
   <schema-version>1.1.0</schema-version>
   <short-name>oscal-complete</short-name>
   <namespace>http://csrc.nist.gov/ns/oscal/1.0</namespace>
   <json-base-uri>http://csrc.nist.gov/ns/oscal/1.0</json-base-uri>
   <remarks>
      <p>This format represents a combination of all of the OSCAL models.</p>
   </remarks>
   <import href="oscal_catalog_metaschema_RESOLVED.xml"/>
   <import href="oscal_profile_metaschema_RESOLVED.xml"/>
   <import href="oscal_component_metaschema_RESOLVED.xml"/>
   <import href="oscal_ssp_metaschema_RESOLVED.xml"/>
   <import href="oscal_assessment-plan_metaschema_RESOLVED.xml"/>
   <import href="oscal_assessment-results_metaschema_RESOLVED.xml"/>
   <import href="oscal_poam_metaschema_RESOLVED.xml"/>
</METASCHEMA>

[wendellpiez]

Nice concept, nice simple implementation--

[aj-stein-nist]

This is a great addition, thank you very much. All I would ask is that you add an ADR and then I can approve.