

Fixed improper use of allowed-values/allow-other. Ensured that all props in the OSCAL namespace are properly closed and all link rels are open for extension. (usnistgov#1579)
david-waltermire authored and aj-stein-nist committed Jun 29, 2023
1 parent e9920b2 commit a1a31a6
Showing 9 changed files with 75 additions and 76 deletions.
32 changes: 16 additions & 16 deletions src/metaschema/oscal_assessment-common_metaschema.xml
Expand Up @@ -183,11 +183,11 @@
</model>
<constraint>
<!-- TODO: Dave to double-check constraints here -->
<allowed-values target="prop/@name" allow-other="yes">
<allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
<enum value="method">The assessment method to use. This typically appears on parts with the name "assessment".</enum>
</allowed-values>
<has-cardinality target="prop[@name='method']" min-occurs="1"/>
<allowed-values target="prop[@name='method']/@value">
<has-cardinality target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='method']" min-occurs="1"/>
<allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='method']/@value">
<enum value="INTERVIEW">The process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence.</enum>
<enum value="EXAMINE">The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities).</enum>
<enum value="TEST">The process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior.</enum>
Expand Down Expand Up @@ -1272,10 +1272,10 @@
<field ref="remarks" in-xml="WITH_WRAPPER" min-occurs="0" max-occurs="1"/>
</model>
<constraint>
<allowed-values target="prop/@name" allow-other="yes">
<allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
<enum value="type">The type of remediation tracking entry. Can be multi-valued.</enum>
</allowed-values>
<allowed-values target="prop[@name='type']/@value" allow-other="yes">
<allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='type']/@value" allow-other="yes">
<enum value="vendor-check-in">Contacted vendor to determine the status of a pending fix to a known vulnerability.</enum>
<enum value="status-update">Information related to the current state of response to this risk.</enum>
<enum value="milestone-complete">A significant step in the response plan has been achieved.</enum>
Expand Down Expand Up @@ -1305,13 +1305,13 @@
</define-assembly>
</model>
<constraint>
<allowed-values target="prop/@name">
<allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
<enum value="false-positive">The risk has been confirmed to be a false positive.</enum>
<enum value="accepted">The risk has been accepted. No further action will be taken.</enum>
<enum value="risk-adjusted">The risk has been adjusted.</enum>
<enum value="priority">A numeric value indicating the sequence in which risks should be addressed. (Lower numbers are higher priority)</enum>
</allowed-values>
<matches target="prop[@name='priority']/@value" datatype="integer" />
<matches target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='priority']/@value" datatype="integer" />
</constraint>
</define-assembly>

Expand Down Expand Up @@ -1401,21 +1401,21 @@
<field ref="remarks" in-xml="WITH_WRAPPER"/>
</model>
<constraint>
<allowed-values target="prop/@name">
<allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
<enum value="state">Indicates if the facet is 'initial' as first identified, or 'adjusted' indicating that the value has be changed after some adjustments have been made (e.g., to identify residual risk).</enum>
</allowed-values>
<allowed-values target="prop[@name='risk-state']/@value" allow-other="yes"><!-- For values related to initial and residual (mitigated) risk -->
<allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='state']/@value"><!-- For values related to initial and residual (mitigated) risk -->
<enum value="initial">As first identified.</enum>
<enum value="adjusted">Indicates that residual risk remains after some adjustments have been made.</enum>
</allowed-values>
<!-- TODO: What about "vulnerability-id", "plugin-id"? Should this be added to FedRAMP? -->
<allowed-values target="(.)[@system='http://csrc.nist.gov/ns/oscal']/@name" allow-other="yes">
<allowed-values target="(.)[@system='http://csrc.nist.gov/ns/oscal']/@name">
<enum value="likelihood">General likelihood rating.</enum>
<enum value="impact">General impact rating.</enum>
<enum value="risk">General risk rating.</enum>
<enum value="severity">General severity rating.</enum>
</allowed-values>
<allowed-values target="(.)[@system=('http://fedramp.gov','http://fedramp.gov/ns/oscal')]/@name" allow-other="yes">
<allowed-values target="(.)[@system=('http://fedramp.gov','http://fedramp.gov/ns/oscal')]/@name">
<enum value="likelihood">Likelihood as defined by FedRAMP. The <code>class</code> can be used to specify 'initial' and 'adjusted' risk states.</enum>
<enum value="impact">Impact as defined by FedRAMP. The <code>class</code> can be used to specify 'initial' and 'adjusted' risk states.</enum>
<enum value="risk">Risk as calculated according to FedRAMP. The <code>class</code> can be used to specify 'initial' and 'adjusted' risk states.</enum>
Expand Down Expand Up @@ -1683,10 +1683,10 @@
<field ref="remarks" in-xml="WITH_WRAPPER" min-occurs="0" max-occurs="1"/>
</model>
<constraint>
<allowed-values target="prop/@name" allow-other="yes">
<allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
<enum value="type"></enum>
</allowed-values>
<allowed-values target="prop[@name='type']/@value" allow-other="yes">
<allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='type']/@value">
<enum value="avoid">The risk will be eliminated.</enum>
<enum value="mitigate">The risk will be reduced.</enum>
<enum value="transfer">The risk will be transferred to another organization or entity.</enum>
Expand Down Expand Up @@ -1766,11 +1766,11 @@
<!-- <any/> -->
</model>
<constraint>
<allowed-values target=".[@name='objective']/prop/@name" allow-other="yes">
<allowed-values target=".[@name='objective']/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
<enum value="method">The assessment method to use. This typically appears on parts with the name "objective".</enum>
</allowed-values>
<has-cardinality target=".[@name='objective']/prop[@name='method']" min-occurs="1"/>
<allowed-values target=".[@name='objective']/prop[@name='method']/@value">
<has-cardinality target=".[@name='objective']/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='method']" min-occurs="1"/>
<allowed-values target=".[@name='objective']/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='method']/@value">
<enum value="INTERVIEW">The process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence.</enum>
<enum value="EXAMINE">The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities).</enum>
<enum value="TEST">The process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior.</enum>
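Review bot: The FedRAMP facet-name constraint `<allowed-values target="(.)[@system=('http://fedramp.gov','http://fedramp.gov/ns/oscal')]/@name">` in the 1401 hunk drops `allow-other="yes"` together with the OSCAL one, which closes a name vocabulary that belongs to another organisation's namespace; the commit description only promises to close props in the OSCAL namespace, and the TODO just above it still asks whether FedRAMP needs further names such as "vulnerability-id". Unless FedRAMP has agreed to have its facet names fixed by this model, keep `allow-other="yes"` on that element or leave the FedRAMP list to FedRAMP's own constraints. The change from `prop[@name='risk-state']/@value` to `prop[... and @name='state']/@value` in the same hunk looks like the right correction, since `state` is the only name enumerated immediately above it. The enclosing define-assembly starts and ends outside the hunk.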
2 changes: 1 addition & 1 deletion src/metaschema/oscal_assessment-plan_metaschema.xml
Expand Up @@ -91,7 +91,7 @@
</assembly>
</model>
<constraint>
<allowed-values target="part/@name">
<allowed-values target="part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
<enum value="rules-of-engagement">Defines the circumstances, conditions, degree, and manner in which the use of cyber-attack techniques or actions may be applied to the assessment.</enum>
<enum value="disclosures">Any information the assessor should make known to the system owner or authorizing official. Has child 'item' parts for each individual disclosure.</enum>
<enum value="assessment-inclusions">Defines any assessment activities which the system owner or authorizing official wishes to ensure are performed as part of the assessment.</enum>
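Review bot: The new target `part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name` only keeps the part vocabulary closed if `has-oscal-namespace()` also matches a part that omits `@ns` (which presumably defaults to the OSCAL namespace); the function's definition is not on this page, and if it compares `@ns` literally, unqualified parts that the old `part/@name` target covered would now escape validation. The same question applies to every `prop[has-oscal-namespace(...)]` target in the other files of this commit. A short comment here or at the function definition, e.g. `<!-- has-oscal-namespace() must also match parts/props with no @ns, which default to the OSCAL namespace -->`, plus a test instance with an unqualified part, would pin that down. The enclosing assembly starts and ends outside the hunk.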
2 changes: 1 addition & 1 deletion src/metaschema/oscal_catalog_metaschema.xml
Expand Up @@ -54,7 +54,7 @@
<enum value="resolution-tool">The tool used to produce a resolved profile.</enum>
<enum value="source-profile-uuid">The document-level <code>uuid</code> of the source profile from which the catalog was produced by <a href="https://pages.nist.gov/OSCAL/concepts/processing/profile-resolution/">profile resolution</a>.</enum>
</allowed-values>
<allowed-values target="metadata/link/@rel">
<allowed-values target="metadata/link/@rel" allow-other="yes">
<enum value="source-profile">The profile from which the catalog was produced by <a href="https://pages.nist.gov/OSCAL/concepts/processing/profile-resolution/">profile resolution</a>.</enum>
<enum value="source-profile-uuid">The document-level <code>uuid</code> of the profile from which the catalog was produced by <a href="https://pages.nist.gov/OSCAL/concepts/processing/profile-resolution/">profile resolution</a>.</enum>
</allowed-values>
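Review bot: Adding `allow-other="yes"` to `<allowed-values target="metadata/link/@rel">` means a catalog carrying an unrecognised rel now validates, so any consumer that relied on schema validation to guarantee only `source-profile` and `source-profile-uuid` links appear in metadata must now filter by rel itself; neither enum description says so. A one-line comment above the element would make the intent visible to the next maintainer, e.g. `<!-- rel is an open vocabulary: the values below are the ones defined for profile resolution; other values are permitted for extension -->`. The enclosing constraint block starts and ends outside the hunk.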
18 changes: 9 additions & 9 deletions src/metaschema/oscal_component_metaschema.xml
Expand Up @@ -148,7 +148,7 @@
<field ref="remarks" in-xml="WITH_WRAPPER"/>
</model>
<constraint>
<allowed-values target="prop/@name" allow-other="yes">
<allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
<!-- ========================================================================================================== -->
<!-- = Changes to the following values need to be synced with component in the SSP and component metaschemas. = -->
<!-- CHANGED (BJR): Done -->
Expand Down Expand Up @@ -177,30 +177,30 @@
&allowed-values-responsible-roles-component-production;
</allowed-values>

<allowed-values target="prop[@name='asset-type']/@value">
<allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='asset-type']/@value">
&allowed-values-property-name-asset-type-values;
</allowed-values>

<!-- ========================================================================================================== -->
<!-- = TODO: The following was copied from implementation-common as-is and should probably be setup with = -->
<!-- = shared constraints; however, the values are highly static (yes/no, internal/external). -->
<!-- = Can be changed later with no breaking impact. -->
<allowed-values target="prop[@name='allows-authenticated-scan']/@value">
<allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='allows-authenticated-scan']/@value">
<enum value="yes">The component allows an authenticated scan.</enum>
<enum value="no">The component does not allow an authenticated scan.</enum>
</allowed-values>

<allowed-values target="prop[@name='virtual']/@value">
<allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='virtual']/@value">
<enum value="yes">The component is virtualized.</enum>
<enum value="no">The component is not virtualized.</enum>
</allowed-values>

<allowed-values target="prop[@name='public']/@value">
<allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='public']/@value">
<enum value="yes">The component is publicly accessible.</enum>
<enum value="no">The component is not publicly accessible.</enum>
</allowed-values>

<allowed-values target="prop[@name='implementation-point']/@value">
<allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='implementation-point']/@value">
<enum value="internal">The component is implemented within the system boundary.</enum>
<enum value="external">The component is implemented outside the system boundary.</enum>
</allowed-values>
Expand All @@ -210,8 +210,8 @@
<key-field target="@value"/>
</index-has-key>

<matches target="prop[@name='inherited-uuid']/@value" datatype="uuid" />
<matches target="prop[@name='release-date']/@value" datatype="date"/>
<matches target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='inherited-uuid']/@value" datatype="uuid" />
<matches target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='release-date']/@value" datatype="date"/>

<!-- ========================================================================================================== -->
<!-- = Changes to the following values need to be synced with component in the SSP and component metaschemas. = -->
Expand All @@ -221,7 +221,7 @@
<!-- ========================================================================================================== -->
<!-- = SOFTWARE: type='software' constraints = -->
<!-- ========================================================================================================== -->
<allowed-values target="(.)[@type='software']/prop/@name" allow-other="yes">
<allowed-values target="(.)[@type='software']/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
&allowed-values-component_component_software;
</allowed-values>

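Review bot: The banner `<!-- = Changes to the following values need to be synced with component in the SSP and component metaschemas. = -->` in the 148 hunk (repeated in the 210 hunk) and the TODO in the 177 hunk saying the yes/no constraints were copied from implementation-common both mark constraints whose copies elsewhere now diverge if those files did not receive the same `has-oscal-namespace(...)` predicate; this page shows six of the nine changed files, so I cannot confirm whether the SSP and implementation-common metaschemas were updated in step. If they were not, the unqualified `prop[@name='...']` targets there will keep validating non-OSCAL props of the same name while this file no longer does, giving inconsistent results for the same component across documents. Either apply the predicate there in this commit or extend the TODO to say the namespace qualification still needs syncing. The define-assembly holding these constraints starts before the 148 hunk and ends after the 221 hunk.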
2 changes: 1 addition & 1 deletion src/metaschema/oscal_control-common_metaschema.xml
Expand Up @@ -244,7 +244,7 @@
<formal-name>Parameter Cardinality</formal-name>
<description>Describes the number of selections that must occur. Without this setting, only one value should be assumed to be permitted.</description>
<constraint>
<allowed-values allow-other="no">
<allowed-values>
<enum value="one">Only one value is permitted.</enum>
<enum value="one-or-more">One or more values are permitted.</enum>
</allowed-values>

