Skip to content

Releases: usnistgov/OSCAL

OSCAL v1.1.3 Release

26 Nov 06:55
Compare
Choose a tag to compare

Summary

The latest OSCAL 1.1.3 is a patch release.

What's Changed

New Contributors

Full Changelog: v1.1.2...v1.1.3

OSCAL 1.1.2 Release

06 Dec 18:46
Compare
Choose a tag to compare

Summary

The latest OSCAL 1.1.2 is a patch release.

What's Changed

  • Catalog constraints added in oscal_catalog_metaschema.xml - see issue #1949 OSCAL#1952 into develop.
  • Remove with-parent-controls from implementation OSCAL#1843 into develop.
  • Bump actions/setup-java from 3 to 4 OSCAL#1963 into develop.
  • CI Automation enhancements

Full Changelog: v1.1.1...v1.1.2

Appendix

Detailed Commit Log

git log v1.1.1..v1.1.2 --pretty=oneline --abbrev-commit

e36c374e0 Remove with-parent-controls from implementation (#1843)
7c47f2303 Bump actions/setup-java from 3 to 4 (#1963)
6df1a6b34 Updated version in the release a patch guidance (#1964)
09435aaa3 Catalog constraints added in oscal_catalog_metaschema.xml - see issue #1949  (#1952)
f4785f28a Flatten codeowners (#1962)
77caaeee5 Add tutorials system lifecycle ADR (#1959)
d1706a0dd Bump build/metaschema-xslt from `bd4359a` to `7d9fbfa` (#1955)
3b6edd9c6 Bump actions/checkout from 4.1.0 to 4.1.1 (#1950)
3dc4f6220 Bump org.apache.maven.plugins:maven-dependency-plugin in /build (#1953)
36e2f67e0 Bump actions/setup-node from 3.8.1 to 4.0.0 (#1954)
a3978d6d1 Bump actions/github-script from 6.4.1 to 7.0.1 (#1961)
cf852454e [skip ci] Update status, date before merge. Clarify content is still backwards compatible.
02ba255bb [skip ci] Add missing link to oscal-content per review feedback.
c048d293e [skip ci] Add ADR-0008 for usnistgov/oscal-content#116.
b8633b538 Implementation Agnostic Testing (#1946)
0294ee8d7 Integrate PR feedback and merge updated enum value.
441f6e528 Added hybrid cloud
8cac71b7f Make schema paths react to directory restructuring
5b7cf8e2e Bug fix for selected children of unselected parent
f9415874e Fix expected content of resolving merge-keep_profile.xml
ef2a78933 Bump build/metaschema-xslt from `034e92b` to `bd4359a`
5d17717be Bump actions/checkout from 4.0.0 to 4.1.0
4ff2c922c Updated link for profile resolution
6787fced7 Bump actions/checkout from 3.6.0 to 4.0.0
95f2e89f1 Add transferred issue status
65bc5ea7a Update automation to centralized triage board
90679e6c2 Ignore xmllint man docs on man page mirror for #1926.
f159b2894 Add transferred issue status
52d81d6ee Update automation to centralized triage board
6d7efe0a1 Ignore xmllint man docs on man page mirror for #1926.

OSCAL 1.1.1 Release

12 Sep 19:51
v1.1.1
f24dd56
Compare
Choose a tag to compare

Summary

OSCAL 1.1.1 is a patch release with minor model improvements, documentation, and artifact release changes that are backwards compatible.

Changes: Key Take-aways

Models

  1. Allow non-FISMA/RMF use cases for SSP information type impact levels.
  2. Remove obsolete model documentation for biblio elements in back-matter/resources.

Profile Resolution and Process Specs

  1. Change spec for more practical definition of metadata/last-modified.

Other

  1. Update schema validation links in OSCAL model definitions.
  2. Generate OSCAL model definitions with and without external XML entities (XXEs).

Details

  1. ac6397d68 Produce Metaschemas without XXEs (#1665) (#1901)
  2. 563ecb305 Adjusted language for metadata:last-modified (#1900)
  3. e78291b87 Bump build/metaschema-xslt from ac4bd7e to 10f72aa (#1886)
  4. bb454ed44 Adjusted information-type/*-impact constraints (#1888)
  5. 1680e13ff Corrects references identified in #1883 (#1884)

Appendix

Detailed Commit Log

Note for NIST developers: the output below is from executing the following command against the release branch (main) on a developer workstation: git log origin/main..origin/develop --pretty=oneline --abbrev-commit.

  1. 8bc3c0045 Bump build/metaschema-xslt from 10f72aa to 034e92b (#1902)
  2. ac6397d68 Produce Metaschemas without XXEs (#1665) (#1901)
  3. 563ecb305 Adjusted language for metadata:last-modified (#1900)
  4. 5b187b26b Bump actions/checkout from 3.5.3 to 3.6.0 (#1903)
  5. 53cbe3d00 Bump org.apache.maven.plugins:maven-dependency-plugin in /build (#1878)
  6. e78291b87 Bump build/metaschema-xslt from ac4bd7e to 10f72aa (#1886)
  7. 01a985003 Add --quiet to the resolver test mvn download (#1898)
  8. 54f25db65 Bump actions/setup-node from 3.7.0 to 3.8.1 (#1894)
  9. bb454ed44 Adjusted information-type/*-impact constraints (#1888)
  10. 1680e13ff Corrects references identified in #1883 (#1884)
  11. e5b6e790b Bump markdown-link-check from 3.10.2 to 3.11.2 in /build (#1864)
  12. 948e88ad0 Bump actions/checkout from 3.3.0 to 3.5.3 (#1863)
  13. 2a908809d Bump actions/setup-node from 3.6.0 to 3.7.0 (#1854)

OSCAL 1.1.0 Release

25 Jul 21:28
Compare
Choose a tag to compare

Summary

1.1.0 will be a minor release with important backwards-compatible enhances and bug-fixes around SSP, POA&M, profile, and cross-model metadata. Many of these feature enhancements have been pending release for over 12 months with neutral or positive community support.

Key takeaways and full details are below.

Changes: Key Takeaways

Models

  1. SSP: Change certain elements from required to optional for non-RMF use cases.
  2. SSP: improve constraints of links for cross-referencing components and indicating where components were imported from.
  3. POAM: add related-findings assembly.
  4. Profile: Remove with-parent-controls from the profile model.
  5. Metadata: add group attribute to props
  6. Metadata: add resource fragment to links (very useful for deep-linking into elements by UUID and point to sub-element UUID)
  7. Metadata: add actions assembly to track approvals or request for changes status.
  8. Metadata: correct how cross-references between controls and their parts are handled.
  9. ⚠️ Mapping: re previous discussion, mapping, by itself or within catalog, has been moved out of the v1.1.0 release.

Profile Resolution and Process Specs

  1. Aligning with model, remove with-parent-controls feature from Profile Resolution spec and unit tests.

Other

  1. Website updates to reference model docs to improve performance.
  2. ⚠️ We are going to include the website migration as part of the release (because of how GitHub works).

Details

Below is a list of every change that will be promoted from develop to a 1.1.0 release branch. The changes to models, docs, and code can be reviewed. All dependency changes from Dependabot and auto-committed website changes are excluded.

  1. defe67ee0 Mapping model relocation 1/2: delete from develop (#1850)
  2. 2d502f9b1 Added changes for #1798 (#1842)
  3. bc7efd38b 1797 allow local definition of asset type prop values (#1821)
  4. e5d24f910 Remove with-parent-controls developmental feature (#1819)
  5. be98b429c Removed default-mode to avoid apply-template loop when the stylesheet is applied to a document. (#1804)
  6. 7f5bf8051 Validating the current SP 800-53 catalog in oscal-content results in a missing key violation. This fixes that. (#1808)
  7. 7e43b9a92 Only build and test with container on upstream (#1817)
  8. 10c5efbb9 Add missing $ in Linux build setup steps (#1779)
  9. 97dcbc1ac Update Style for Generating Reference Model Anchors at Build Time (#1789)
  10. ff951bd00 Feature profile resolution unittesting a (#1770)
  11. d43713a59 Specify classpath for Saxon under XSpec for #1743. (#1744)
  12. 574def6d0 Remove optional leveraged-authorization prop on implemented req. (#1729)
  13. e1861c198 Add the with-parent-controls for #1662. (#1717)
  14. adfae0828 Fix CSS for choice elements in outline docs (#1687)
  15. d54cf495c Profile resolution how-to readmes (#1666)
  16. 59ef15d23 Compatibility with Saxon 10 and 11 (#1685)
  17. b267c6a0f Require (Warn) port start and end when protocol is specified. (#1674)
  18. fb8a0833c Fix Docker container build for local dev and debugging (#1598)
  19. 95461753e Fix rel path from XSLT transform source issue, fix #1603. (#1604)
  20. d92a3b0cd Fixed improper use of allowed-values/allow-other. Ensured that all props in the OSCAL namespace are properly closed and all link rels are open for extension. (#1579)
  21. 49ba917ad Fixed syntax errors in metapaths (#1574)
  22. 48a24583a Adds a constraint and index of by-component objects to support provided-by relation in links #1022 (#1452)
  23. 0889a5a0c Added resource-fragment flag to link. (#1527)
  24. 30fae9d13 Add possible Schematron documentation checks (#1501)
  25. 9a1583e25 reduced the amount of 'OSCAL' references in data type documentation. (#1531)
  26. 354fe57ea Add profile checks with Schematron for usnistgov/oscal-content#128. (#1513)
  27. a332ff061 Fix broken uri-use page links in updated reference docs of develop branch (#1518)
  28. f3371cc35 POAM related finding support, fixes #1120 (#1478)
  29. 9e5793701 Support additional control-origination props #784 (#1460)
  30. 61e19ef6f Updated data type documentation adding a note about why NCName was deprecated. Fixes #1105 (#1480)
  31. d5b66f6b0 Test modify phase, plus minor XSLT enhancements (#1321)
  32. 988817c4b Updates to OSCAL Metaschema documentation and constraints (#1263)
  33. e5fa65f2b Implement opr:oscal-version and v:compare functions. (#1420)
  34. 22f423e7a Add actions assembly to encode an action (i.e. approval) and its role, party, and approval date. (#1052) (#1429)
  35. 46e21da20 Added JSON value key for relationship type. This missing value key was discovered as part of #1458. (#1462)
  36. 0ed533b5e Update metaschema submodule for #1454. (#1455)
  37. e93f12bb0 Fixed errors in profile resolution top-level tests based on content errors.
  38. bc7b89206 imported-from relations for #1023. (#1403)
  39. b43142a80 Create <define-assembly name="impact"> (fix #1129) (#1171)
  40. d3e475abc Adding link to whitelist
  41. b8d5eccac More broken link fixes.
  42. 6fb55e948 Fixed broken links.
  43. 63b6e8688 Fixing broken links
  44. b4f048501 Add assessment-assets assembly to local-definitions assembly in POAM model. #1291 (#1417)
  45. 6c80f4f9a Updates mapping model documentation to fix a copy and paste error. (#1409)
  46. 3a75b0f0c Add grouping construct to props for #1064. (#1412)
  47. 4ef21bbd6 Added legacy Withdrawn status with deprecation entry (#1419)
  48. b972ec3f9 Profile alter model adjustments (#1418)
  49. 1f01b5be2 Add remarks field to Profile model modify.alter (add/remove). #1018 (#1404)
  50. 3ca36fbae Follow keep instruction for back-matter resources (#1378)
  51. 76ff697a6 Test finish phase, plus minor XSLT enhancements and fixes (#1377)
  52. dfb56e077 Profile Resolution spec: updated names of 'remove' directives (#1381)
  53. 0dcc24319 Clarify how to determine target catalog oscal-version (#1386)
  54. dc6a9b5d5 Profile Resolution Spec clarification: validation of imported catalogs and profiles (#1380)
  55. 35798154f Update metaschema-docs
  56. 6a7375b6c Fixes to correct metaschema validation errors.
  57. feec035ef Update metaschema
  58. d145dfe47 Support for control mapping (#1150)
  59. ef28023d2 Test merge phase, plus minor XSLT enhancements (#1207)
  60. e88369d80 Profile resolver: Metadata tests and way of determining top UUID (#1175)
  61. 48af7dcb3 Iterate over sequence of characters, not positions (#1163)
  62. [9c0e21a](https://gith...
Read more

OSCAL 1.0.6 Release

30 Jun 18:31
Compare
Choose a tag to compare

What's Changed

Full Changelog: v1.0.5...v1.0.6

OSCAL 1.0.5 Release

18 Apr 23:37
Compare
Choose a tag to compare
OSCAL 1.0.5 Release Pre-release
Pre-release

What's Changed

Full Changelog: v1.0.4...v1.0.5

OSCAL 1.0.4 Release

16 May 18:10
Compare
Choose a tag to compare

Note: This patch release fixes a defect in the JSON schemas released with OSCAL 1.0.3. Please use this release instead of the 1.0.3 release.

What's Changed

New Contributors

Notable Changes

This release corrects defects in the JSON schemas released with OSCAL 1.0.3. The previously released schemas did not contain the correct regular expressions required to properly constrain data based on the specific data type for a given field. As a result, under the old schemas some data might be allowed to be provided that is invalid. The new JSON schemas in this release correct this defect by restoring the proper regular expressions.

Full Changelog: v1.0.3...v1.0.4

OSCAL 1.0.3 Release

09 May 23:20
Compare
Choose a tag to compare

Note: This release contains defective JSON schemas that are missing required regular expressions. This has been corrected in the OSCAL 1.0.4 release. Please use the 1.0.4 release instead of this release.

What's Changed

Notable Changes

To fix a number of data type related issues, the underlying type system used in the generated OSCAL XML and JSON schemas was replaced. This change resulted in different names for simple and complex types for data types in XML schemas and some adjustments in data type definitions in JSON schemas. This may cause some issues with schema binding approaches that generate code from the XML or JSON schemas. In such instances, you may need to further customize your binding configurations or make some code adjustments resulting from differently generated code.

Full Changelog: v1.0.2...v1.0.3

OSCAL 1.0.2 Release

20 Mar 18:27
Compare
Choose a tag to compare

The NIST Open Security Controls Assessment Language (OSCAL) team is pleased to announce the release of OSCAL 1.0.2. This patch release of OSCAL 1.0 provides bug fixes and documentation enhancements.

This release incorporates changes based on feedback from the OSCAL community. The NIST OSCAL team is very thankful for all of the great ideas and feedback we have received to date.

Looking forward, the NIST OSCAL team is excited to continue to work with the OSCAL community to enhance OSCAL through additional minor releases.

For additional information on the OSCAL project, please see the NIST’s Cybersecurity Insights blog: “The Foundation for Interoperable and Portable Security Automation is Revealed in NIST’s OSCAL Project” and the OSCAL website.

For documentation on the OSCAL models included in this release, please visit the v1.0.2 model reference.

What's Changed

The following changes were made in this patch release.

  • #1035 Upgrade Saxon version used in CI/CD to 10.6 (#PR 1187) @david-waltermire-nist
  • #1093 Parameterize insertion of xsi:schemaLocation attribute in the content upgrader XSLTs; this feature is disabled by default (#1162) @aj-stein-nist, @wendellpiez
    • Parameterized insertion of xsi:schemaLocation in RC2->1.0.0 content upgrader.
    • Created README for content upgraders, document schema-location param.
    • Added pointer from README.txt to content-upgrade docs, per @david-waltermire-nist's sync meeting review.
  • #1121 Added embeded diagram of CI/CD workflow. (PR #1165) @aj-stein-nist
  • #1130 Changed remarks fields from define-field to ref. (PR #1138) @guyzyl
  • #1137 Replace define-assembly for include-all with assembly ref (PR #1144) @guyzyl, @david-waltermire-nist
  • A bunch of updates to the Profile Resolution Specififcation to clarify and improve the specification. (PR #1172) @stephenbanghart, @aj-stein-nist
    • #1140 Significant improvements around resolution of internal references. Behavior is now defined for resolving resources with different combinations of "rlink" and "base64". As these /should/ all be equal to one another, there is no standardized order or priority given in the specification at this time.
    • #1141 Enhanced prose around Group handling, especially around expected behavior of the "keep always" prop.
    • #1142 Core issue obsoleted by general OSCAL requirements on valid OSCAL documents. Cleaned up prose in the formats section.
    • #1152 Added Metaschema entries for the new Mapping assembly and it's associated fields/flags. Verified the veracity of existing Profile documentation, making minor-moderate edits to bring documentation up to speed with the current specification.
    • #1155 Fixed incorrect notation in metadata section: props are now properly refereed to as such, rather than using the value of their "name" field.
  • #1153 Added README explaining content validation concepts. (PR #1170) @aj-stein-nist, @wendellpiez, @david-waltermire-nist
  • #1153 Added information about content well-formedness and validation to the website. (PR #1169) @aj-stein-nist, @wendellpiez, @david-waltermire-nist
  • #1176 Removed stale NEW CONTENT, END NEW CONTENT, and NEW comment blocks from Metaschemas. (PR #1179) @guyzyl
  • Multiple changes to the Profile Resolution Specification. (PR #1089) @stephenbanghart, @aj-stein-nist
    • Tagged Requirements (updated .rnc), Added Draft Status, several small fixes in modify section
    • Applying AJ's fixes, other various small fixes - pending larger automated formating
    • Intro purpose rewrite. Editorial fixes from comments. Small edits to "Processing" page on site.
  • Added DRT Strategies Inc GRC tool to tools page (PR #1122) @vmangat
  • Add Rules Presentation from January 21, 2022 Meeting (PR #1125) @aj-stein-nist
  • Add tool oscal4neo4j to tools page (#1128) @Agh42, @bradh
  • Remove extra > which shows in the built schemas (PRs #1133, #1147) @guyzyl
  • Fix broken links to FedRAMP baselines (PR #1143) @rosskarchner
  • Bumped nokogiri from 1.12.5 to 1.13.3 in /docs (PR #1154) @dependabot
  • Updated core repo documentation (PR #1157) @david-waltermire-nist, @aj-stein-nist
    • Updated readmes with more current and relevant information.
    • Added CODEOWNERS to drive reviews.
    • Updated .github/PULL_REQUEST_TEMPLATE.md
  • Removed duplicated risk status construct in the assessment commonm Metaschema (PR #1159) @david-waltermire-nist
  • Updated Tools with Additional Open Source Projects (PR #1164) @rgauss
  • Fixed broken links in README.md (PR #1181) @guyzyl
  • Renamed .github/README.md file to ABOUT.md to fix the main index page in the GitHub repo (#1182) @guyzyl
  • Added mailing list names to contact page.

The following compatibility breaking change was made:

  • In all JSON schemas, the name "props" is used to signify the list of metadata properties. There was one case where the name prop is used instead of props. Fixes this obvious typo in the assessment results metaschema. (PR #1148) @guyzyl

New Contributors

Full Changelog: v1.0.1...v1.0.2

OSCAL 1.0.1 Release

30 Jan 22:56
Compare
Choose a tag to compare

The NIST Open Security Controls Assessment Language (OSCAL) team is pleased to announce the release of OSCAL 1.0.1. This first patch release of OSCAL 1.0 provides bug fixes and documentation enhancements.

This release incorporates changes based on feedback from the OSCAL community. The NIST OSCAL team is very thankful for all of the great ideas and feedback we have received to date.

Looking forward, the NIST OSCAL team is excited to continue to work with the OSCAL community to enhance OSCAL through additional minor releases.

For additional information on the OSCAL project, please see the NIST’s Cybersecurity Insights blog: “The Foundation for Interoperable and Portable Security Automation is Revealed in NIST’s OSCAL Project” and the OSCAL website.

For documentation on the OSCAL models included in this release, please visit the v1.0.1 model reference.

The following changes were made in this patch release.

The following additional changes were made that affect the OSCAL website.

New Contributors

We deeply appreciate all the contributions made by these and other community members.

Full Changelog: v1.0.0...v1.0.1