Fixed missing json-value-key or made as-type='empty', which resolves #…
david-waltermire committed Nov 20, 2020
1 parent 0f6bb00 commit 673f0ee
Showing 4 changed files with 42 additions and 89 deletions.
124 changes: 40 additions & 84 deletions src/metaschema/oscal_assessment-common_metaschema.xml
@@ -67,8 +67,10 @@
<assembly ref="objective" min-occurs="0" max-occurs="unbounded">
<group-as name="objectives" in-json="ARRAY"/>
</assembly>
<assembly ref="method" min-occurs="0" max-occurs="unbounded">
<group-as name="method-definitions" in-json="ARRAY"/>
<assembly ref="assessment-method" min-occurs="0" max-occurs="unbounded">
<!-- CHANGED "method" to "assessment-method" -->
<!-- CHANGED group-as from "method-definitions" to "assessment-methods" -->
<group-as name="assessment-methods" in-json="ARRAY"/>
</assembly>
<field ref="remarks" in-xml="WITH_WRAPPER" min-occurs="0" max-occurs="1"/>
</model>
@@ -93,17 +95,15 @@
<group-as name="links" in-json="ARRAY"/>
</assembly>
<field ref="all" min-occurs="0" max-occurs="1"/>
<define-field name="include-control" min-occurs="0" max-occurs="unbounded">
<define-field name="include-control" as-type="empty" max-occurs="unbounded">
<formal-name>Include Control</formal-name>
<description>Identifies an individual control to include.</description>
<!-- QUESTION: What is the field value for? -->
<group-as name="include-controls" in-json="ARRAY"/>
<flag ref="control-id" required="yes"/>
</define-field>
<define-field name="exclude-control" min-occurs="0" max-occurs="unbounded">
<define-field name="exclude-control" as-type="empty" max-occurs="unbounded">
<formal-name>Exclude Control</formal-name>
<description>Identifies an individual control to exclude.</description>
<!-- QUESTION: What is the field value for? -->
<group-as name="exclude-controls" in-json="ARRAY"/>
<flag ref="control-id" required="yes"/>
</define-field>
@@ -131,17 +131,15 @@
<group-as name="links" in-json="ARRAY"/>
</assembly>
<field ref="all" min-occurs="0" max-occurs="1"/>
<define-field name="include-objective" min-occurs="0" max-occurs="unbounded">
<define-field name="include-objective" as-type="empty" max-occurs="unbounded">
<formal-name>Include Objective</formal-name>
<description>Identifies an individual control objective to include.</description>
<!-- QUESTION: What is the field value for? -->
<group-as name="include-objectives" in-json="ARRAY"/>
<flag ref="objective-id" required="yes"/>
</define-field>
<define-field name="exclude-objective" min-occurs="0" max-occurs="unbounded">
<define-field name="exclude-objective" as-type="empty" max-occurs="unbounded">
<formal-name>Exclude Objective</formal-name>
<description>Identifies an individual control objective to exclude.</description>
<!-- QUESTION: What is the field value for? -->
<group-as name="exclude-objectives" in-json="ARRAY"/>
<flag ref="objective-id" required="yes"/>
</define-field>
@@ -180,11 +178,11 @@
<group-as name="links" in-json="ARRAY"/>
</assembly>
<assembly ref="assessment-part" min-occurs="1" max-occurs="1"/>
<define-field name="assessment-method" min-occurs="0" max-occurs="unbounded" as-type="string">
<define-field name="assessment-method" as-type="empty" max-occurs="unbounded">
<formal-name>Assessment Method</formal-name>
<description>Identifies a method for assessing the satisfaction of this objective.</description>
<!-- QUESTION: What is the field value for? -->
<group-as name="methods" in-json="ARRAY"/>
<!-- CHANGED group-as from "methods" to "assessment-methods" -->
<group-as name="assessment-methods" in-json="ARRAY"/>
<define-flag name="method-uuid" required="yes" as-type="uuid">
<formal-name>Method ID</formal-name>
<description>Identifies the assessment method by its UUID value.</description>
@@ -194,7 +192,7 @@
</model>
</define-assembly>

<define-assembly name="method">
<define-assembly name="assessment-method">
<formal-name>Assessment Method</formal-name>
<description>A local definition of a control objective. Uses catalog syntax for control objective and assessment actions.</description>
<define-flag name="uuid" required="yes" as-type="uuid">
@@ -869,7 +867,7 @@
<define-field name="result">
<formal-name>Result</formal-name>
<description>A brief indication as to whether the objective is satisfied or not.</description>
<!-- QUESTION: What should the json value key be? -->
<json-value-key>value</json-value-key>
<flag ref="system"/>
</define-field>
<define-field name="implementation-status">
@@ -934,27 +932,23 @@
<p>Identifies who was interviewed, or what was tested or inspected.</p>
</remarks>
</assembly>
<define-field name="origin" min-occurs="0" max-occurs="unbounded">
<formal-name>origin field</formal-name>
<define-field name="origin" as-type="empty" max-occurs="unbounded">
<formal-name>Origin</formal-name>
<description>Identifies the source of the finding, such as a tool, interviewed person,
or activity.</description>
<group-as name="origins" in-json="ARRAY"/>
<flag ref="uuid-ref" required="yes"/>
<define-flag name="type" required="yes">
<!-- TODO: need to update this -->
<formal-name>type flag</formal-name>
<description>type flag ... </description>
<constraint>
<allowed-values allow-other="no">
<enum value="tool">An assessment tool, defined in the assets section of the
assessment plan or results.</enum>
<enum value="test-method">A test method defined in the assessment-activities
section of the assessment plan or results.</enum>
<enum value="task">A task defined in the schedule of the assessment plan or
results.</enum>
<enum value="included-activity">An assessment activity defined in the
assessment-activities section of the assessment plan or results.</enum>
<enum value="other">The UUID points elsewhere in the this file or an imported
file.</enum>
<enum value="tool">An assessment tool, defined in the assets section of the assessment plan or results.</enum>
<enum value="test-method">A test method defined in the assessment-activities section of the assessment plan or results.</enum>
<enum value="task">A task defined in the schedule of the assessment plan or results.</enum>
<enum value="included-activity">An assessment activity defined in the assessment-activities section of the assessment plan or results.</enum>
<enum value="other">The UUID points elsewhere in the this file or an imported file.</enum>
</allowed-values>
</constraint>
</define-flag>
@@ -999,36 +993,15 @@
<field ref="remarks" in-xml="WITH_WRAPPER" min-occurs="0" max-occurs="1"/>
</model>
</define-assembly>
<define-field name="assessor">
<define-field name="assessor" as-type="empty">
<formal-name>Assessor</formal-name>
<description>Identifies an individual who gathered the evidence resulting in the observation or risk identification.</description>
<!-- QUESTION: What is the json value key? Also, why not use responsible-party? -->
<!-- QUESTION: Also, why not use responsible-party? -->
<define-flag name="party-uuid" required="yes">
<formal-name>Party UUID</formal-name>
<description>The UUID of the assessor who collected the evidence or made the observation.</description>
</define-flag>
</define-field>

<define-field name="origin">
<formal-name>Origin</formal-name>
<description>Identifies the tool or activity that resulted in the observation.</description>
<!-- QUESTION: What is the json value key? -->
<flag ref="uuid-ref" required="yes"/>
<define-flag name="type" required="yes">
<!-- TODO: This documentation needs to be improved -->
<formal-name>type flag</formal-name>
<description>type flag ... </description>
<constraint>
<allowed-values allow-other="no">
<enum value="tool">An assessment tool, defined in the assets section of the assessment plan or results.</enum>
<enum value="test-method">A test method defined in the assessment-activities section of the assessment plan or results.</enum>
<enum value="task">A task defined in the schedule of the assessment plan or results.</enum>
<enum value="included-activity">An assessment activity defined in the assessment-activities section of the assessment plan or results.</enum>
<enum value="other">The UUID points elsewhere in the this file or an imported file.</enum>
</allowed-values>
</constraint>
</define-flag>
</define-field>
<define-flag name="uuid-ref" as-type="uuid">
<formal-name>UUID Reference</formal-name>
<description>A pointer to a relevant item, using it's UUID.</description>
@@ -1064,6 +1037,7 @@
<!-- This is an id because it is an externally provided identifier -->
<formal-name>Threat ID</formal-name>
<description>A pointer, by ID, to an externally-defined threat.</description>
<json-value-key>id</json-value-key>
<define-flag name="system" required="yes">
<formal-name>Threat Type Identification System</formal-name>
<description>Specifies the source of the threat information.</description>
@@ -1074,8 +1048,9 @@
</allowed-values>
</constraint>
</define-flag>
<define-flag name="uri" as-type="uri" required="no">
<formal-name>URI</formal-name>
<!-- CHANGED "uri" to "href" -->
<define-flag name="href" as-type="uri-reference">
<formal-name>Threat Information Resource Reference</formal-name>
<description>An optional location for the threat data, from which this ID originates.</description>
</define-flag>
</define-field>
@@ -1137,13 +1112,19 @@
<define-field name="risk-metric">
<formal-name>Risk Metric</formal-name>
<description>An individual risk metric from a specified system.</description>
<!-- QUESTION: What is the json value key? -->
<json-value-key>value</json-value-key>
<define-flag name="name" required="yes">
<!-- TODO: this documentation needs to be improved -->
<!-- TODO: We need to reduce this to a core set for OSCAL -->
<formal-name>name flag</formal-name>
<description>name flag ... </description>
<constraint>
<allowed-values allow-other="yes">
<enum value="cve-id">An identifier managed by the CVE program (see <a>https://cve.mitre.org/</a>).</enum>
<enum value="cvss-2-AV">Access Vector</enum>
<enum value="cvss-3-AV">Attack Vector</enum>
<enum value="cvss-3.1-AV">Attack Vector</enum>
<enum value="fedramp-likelihood">Likelihood as defined by FedRAMP. The class can be used to specifiy 'inital' and 'adjusted'.</enum>
<enum value="impacted-control">Impacted Control</enum>
<enum value="vulnerability-id">Vulnerability ID</enum>
<enum value="source-id">Source ID</enum>
@@ -1412,22 +1393,14 @@
<assembly ref="link" max-occurs="unbounded">
<group-as name="links" in-json="ARRAY"/>
</assembly>
<define-field name="remediation-origin" min-occurs="0" max-occurs="unbounded">
<formal-name>remediation-origin field</formal-name>
<description>Points to the source of the recommendation</description>
<!-- QUESTION: What is the json value key? -->
<define-field name="origin" as-type="empty" max-occurs="unbounded">
<!-- CHANGED "remediation-origin" to "origin" -->
<formal-name>Remediation Origin</formal-name>
<description>Points to the source of the recommendation.</description>
<group-as name="origins" in-json="ARRAY"/>
<flag ref="uuid-ref" required="yes"/>
<define-flag name="type">
<formal-name>type flag</formal-name>
<description>type flag ... </description>
<constraint>
<allowed-values allow-other="yes">
<enum value="party">The UUID of the person or organization who made the recommendation</enum>
<enum value="tool">The UUID of the tool that made the recommendation</enum>
</allowed-values>
</constraint>
</define-flag>
<!-- CHANGED removed @type -->
<!-- TODO: document the UUID space that can be referenced. Currently part and tool. -->
</define-field>
<assembly ref="required" min-occurs="0" max-occurs="unbounded">
<group-as name="requirements" in-json="ARRAY"/>
@@ -1437,23 +1410,6 @@
</model>
</define-assembly>

<define-field name="remediation-origin">
<formal-name>Remediation Origin</formal-name>
<description>Points to the source of the remediation recommendation or plan</description>
<!-- QUESTION: What is the json value key? -->
<flag ref="uuid-ref" required="yes"/>
<define-flag name="type">
<formal-name>type flag</formal-name>
<description>type flag ... </description>
<constraint>
<allowed-values allow-other="yes">
<enum value="party">The UUID of the person or organization who made the recommendation</enum>
<enum value="tool">The UUID of the tool that made the recommendation</enum>
</allowed-values>
</constraint>
</define-flag>
</define-field>

<define-field name="risk-statement" as-type="markup-multiline">
<formal-name>Risk Statement</formal-name>
<description>Describes the risk.</description>
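Review bot: The remediation `origin` field now carries only `uuid-ref`; with the `type` flag dropped (the `CHANGED removed @type` comment), nothing in an instance says whether the UUID names a party or a tool, while the `origin` field described as the source of the finding, earlier in this file, keeps a required `type` with `allow-other="no"`. A consumer then has to guess the target kind or search every UUID-bearing object, which makes it easy to attribute a recommendation to the wrong source. Either keep an optional constrained `type` here, or replace the TODO with a normative statement of what may be referenced. The TODO also appears to say `part` where `party` is meant: `<!-- TODO: document the UUID space that can be referenced. Currently party and tool. -->`. The enclosing `define-assembly` starts outside the displayed hunk.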
2 changes: 1 addition & 1 deletion src/metaschema/oscal_catalog_metaschema.xml
@@ -64,7 +64,7 @@
<formal-name>Control Group</formal-name>
<description>A group of controls, or of groups of controls.</description>
<define-flag name="id" as-type="NCName">
<!-- This is an id because the idenfier is managed externally. -->
<!-- This is an id because the idenfier is assigned and managed externally by humans. -->
<formal-name>Group Identifier</formal-name>
<description>A unique identifier for a specific group instance that can be used to reference the group within this and in other OSCAL documents. This identifier's uniqueness is document scoped and is intended to be consistent for the same group across minor revisions of the document.</description>
</define-flag>
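Review bot: The comment on the group `id` flag misspells "identifier" as `idenfier` in both printed variants, so the reworded line carries the typo forward. Since the line is being touched anyway, correct it: `<!-- This is an id because the identifier is assigned and managed externally by humans. -->`. The enclosing `define-assembly` begins and ends outside the displayed hunk.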
2 changes: 1 addition & 1 deletion src/metaschema/oscal_framework-common_metaschema.xml
@@ -24,7 +24,7 @@
<formal-name>Control mapping</formal-name>
<description>A mapping of a control or control statement to one or more other concepts.</description>
<model>
<assembly ref="import-catalog" required="yes"/>
<assembly ref="import-catalog" min-occurs="1"/>
<assembly ref="implemented-requirement" min-occurs="1" max-occurs="unbounded">
<group-as name="implemented-requirements" in-json="ARRAY"/>
</assembly>
3 changes: 0 additions & 3 deletions src/metaschema/oscal_profile_metaschema.xml
@@ -226,7 +226,6 @@
<define-field name="call" as-type="empty">
<formal-name>Call</formal-name>
<description>Call a control by its ID</description>
<!-- QUESTION: What is the json value key? -->
<flag ref="control-id" required="yes"/>
<flag ref="with-child-controls"/>
<remarks>
@@ -236,7 +235,6 @@
<define-field name="match" as-type="empty">
<formal-name>Match controls by identifier</formal-name>
<description>Select controls by (regular expression) match on ID</description>
<!-- QUESTION: What is the json value key? -->
<flag ref="pattern"/>
<flag ref="order"/>
<flag ref="with-child-controls"/>
@@ -336,7 +334,6 @@
<define-field name="remove" as-type="empty">
<formal-name>Removal</formal-name>
<description>Specifies elements to be removed from a control, in resolution</description>
<!-- QUESTION: What is the json value key? -->
<define-flag name="name-ref" as-type="NCName">
<formal-name>Reference by (assigned) name</formal-name>
<description>Items to remove, by assigned name</description>
