From 673f0ee9fab57f6eb79103951654a08cda27033c Mon Sep 17 00:00:00 2001
From: David Waltermire <david.waltermire@nist.gov>
Date: Tue, 3 Nov 2020 14:22:04 -0500
Subject: [PATCH] Fixed missing json-value-key or made as-type='empty', which
 resolves #769

---
 .../oscal_assessment-common_metaschema.xml    | 124 ++++++------------
 src/metaschema/oscal_catalog_metaschema.xml   |   2 +-
 .../oscal_framework-common_metaschema.xml     |   2 +-
 src/metaschema/oscal_profile_metaschema.xml   |   3 -
 4 files changed, 42 insertions(+), 89 deletions(-)

diff --git a/src/metaschema/oscal_assessment-common_metaschema.xml b/src/metaschema/oscal_assessment-common_metaschema.xml
index 23785e1c23..386fe34cfc 100644
--- a/src/metaschema/oscal_assessment-common_metaschema.xml
+++ b/src/metaschema/oscal_assessment-common_metaschema.xml
@@ -67,8 +67,10 @@
          <assembly ref="objective" min-occurs="0" max-occurs="unbounded">
             <group-as name="objectives" in-json="ARRAY"/>
          </assembly>
-         <assembly ref="method" min-occurs="0" max-occurs="unbounded">
-            <group-as name="method-definitions" in-json="ARRAY"/>
+         <assembly ref="assessment-method" min-occurs="0" max-occurs="unbounded">
+            <!-- CHANGED "method" to "assessment-method" -->
+            <!-- CHANGED group-as from "method-definitions" to "assessment-methods" -->
+            <group-as name="assessment-methods" in-json="ARRAY"/>
          </assembly>
          <field ref="remarks" in-xml="WITH_WRAPPER" min-occurs="0" max-occurs="1"/>
       </model>
@@ -93,17 +95,15 @@
             <group-as name="links" in-json="ARRAY"/>
          </assembly>
          <field ref="all" min-occurs="0" max-occurs="1"/>
-         <define-field name="include-control" min-occurs="0" max-occurs="unbounded">
+         <define-field name="include-control" as-type="empty" max-occurs="unbounded">
             <formal-name>Include Control</formal-name>
             <description>Identifies an individual control to include.</description>
-            <!-- QUESTION: What is the field value for? -->
             <group-as name="include-controls" in-json="ARRAY"/>
             <flag ref="control-id" required="yes"/>
          </define-field>
-         <define-field name="exclude-control" min-occurs="0" max-occurs="unbounded">
+         <define-field name="exclude-control" as-type="empty" max-occurs="unbounded">
             <formal-name>Exclude Control</formal-name>
             <description>Identifies an individual control to exclude.</description>
-            <!-- QUESTION: What is the field value for? -->
             <group-as name="exclude-controls" in-json="ARRAY"/>
             <flag ref="control-id" required="yes"/>
          </define-field>
@@ -131,17 +131,15 @@
             <group-as name="links" in-json="ARRAY"/>
          </assembly>
          <field ref="all" min-occurs="0" max-occurs="1"/>
-         <define-field name="include-objective" min-occurs="0" max-occurs="unbounded">
+         <define-field name="include-objective" as-type="empty" max-occurs="unbounded">
             <formal-name>Include Objective</formal-name>
             <description>Identifies an individual control objective to include.</description>
-            <!-- QUESTION: What is the field value for? -->
             <group-as name="include-objectives" in-json="ARRAY"/>
             <flag ref="objective-id" required="yes"/>
          </define-field>
-         <define-field name="exclude-objective" min-occurs="0" max-occurs="unbounded">
+         <define-field name="exclude-objective" as-type="empty" max-occurs="unbounded">
             <formal-name>Exclude Objective</formal-name>
             <description>Identifies an individual control objective to exclude.</description>
-            <!-- QUESTION: What is the field value for? -->
             <group-as name="exclude-objectives" in-json="ARRAY"/>
             <flag ref="objective-id" required="yes"/>
          </define-field>
@@ -180,11 +178,11 @@
             <group-as name="links" in-json="ARRAY"/>
          </assembly>
          <assembly ref="assessment-part" min-occurs="1" max-occurs="1"/>
-         <define-field name="assessment-method" min-occurs="0" max-occurs="unbounded" as-type="string"> 
+         <define-field name="assessment-method" as-type="empty" max-occurs="unbounded"> 
             <formal-name>Assessment Method</formal-name>
             <description>Identifies a method for assessing the satisfaction of this objective.</description>
-            <!-- QUESTION: What is the field value for? -->
-            <group-as name="methods" in-json="ARRAY"/>
+            <!-- CHANGED group-as from "methods" to "assessment-methods" -->
+            <group-as name="assessment-methods" in-json="ARRAY"/>
             <define-flag name="method-uuid" required="yes" as-type="uuid">
                <formal-name>Method ID</formal-name>
                <description>Identifies the assessment method by its UUID value.</description>
@@ -194,7 +192,7 @@
       </model>
    </define-assembly>
    
-   <define-assembly name="method">
+   <define-assembly name="assessment-method">
       <formal-name>Assessment Method</formal-name>
       <description>A local definition of a control objective. Uses catalog syntax for control objective and assessment actions.</description>
       <define-flag name="uuid" required="yes" as-type="uuid">
@@ -869,7 +867,7 @@
    <define-field name="result">
       <formal-name>Result</formal-name>
       <description>A brief indication as to whether the objective is satisfied or not.</description>
-      <!-- QUESTION: What should the json value key be? -->
+      <json-value-key>value</json-value-key>
       <flag ref="system"/>
    </define-field>
    <define-field name="implementation-status">
@@ -934,27 +932,23 @@
                <p>Identifies who was interviewed, or what was tested or inspected.</p>
             </remarks>
          </assembly>
-         <define-field name="origin" min-occurs="0" max-occurs="unbounded">
-            <formal-name>origin field</formal-name>
+         <define-field name="origin" as-type="empty" max-occurs="unbounded">
+            <formal-name>Origin</formal-name>
             <description>Identifies the source of the finding, such as a tool, interviewed person,
                or activity.</description>
             <group-as name="origins" in-json="ARRAY"/>
             <flag ref="uuid-ref" required="yes"/>
             <define-flag name="type" required="yes">
+               <!-- TODO: need to update this -->
                <formal-name>type flag</formal-name>
                <description>type flag ... </description>
                <constraint>
                   <allowed-values allow-other="no">
-                     <enum value="tool">An assessment tool, defined in the assets section of the
-                        assessment plan or results.</enum>
-                     <enum value="test-method">A test method defined in the assessment-activities
-                        section of the assessment plan or results.</enum>
-                     <enum value="task">A task defined in the schedule of the assessment plan or
-                        results.</enum>
-                     <enum value="included-activity">An assessment activity defined in the
-                        assessment-activities section of the assessment plan or results.</enum>
-                     <enum value="other">The UUID points elsewhere in the this file or an imported
-                        file.</enum>
+                     <enum value="tool">An assessment tool, defined in the assets section of the assessment plan or results.</enum>
+                     <enum value="test-method">A test method defined in the assessment-activities section of the assessment plan or results.</enum>
+                     <enum value="task">A task defined in the schedule of the assessment plan or results.</enum>
+                     <enum value="included-activity">An assessment activity defined in the assessment-activities section of the assessment plan or results.</enum>
+                     <enum value="other">The UUID points elsewhere in the this file or an imported file.</enum>
                   </allowed-values>
                </constraint>
             </define-flag>
@@ -999,36 +993,15 @@
          <field ref="remarks" in-xml="WITH_WRAPPER" min-occurs="0" max-occurs="1"/>
       </model>
    </define-assembly>
-   <define-field name="assessor">
+   <define-field name="assessor" as-type="empty">
       <formal-name>Assessor</formal-name>
       <description>Identifies an individual who gathered the evidence resulting in the observation or risk identification.</description>
-      <!-- QUESTION: What is the json value key? Also, why not use responsible-party? -->
+      <!-- QUESTION: Also, why not use responsible-party? -->
       <define-flag name="party-uuid" required="yes">
          <formal-name>Party UUID</formal-name>
          <description>The UUID of the assessor who collected the evidence or made the observation.</description>
       </define-flag>
    </define-field>
-   
-   <define-field name="origin">
-      <formal-name>Origin</formal-name>
-      <description>Identifies the tool or activity that resulted in the observation.</description>
-      <!-- QUESTION: What is the json value key? -->
-      <flag ref="uuid-ref" required="yes"/>
-      <define-flag name="type" required="yes">
-         <!-- TODO: This documentation needs to be improved -->
-         <formal-name>type flag</formal-name>
-         <description>type flag ... </description>
-         <constraint>
-            <allowed-values allow-other="no">
-               <enum value="tool">An assessment tool, defined in the assets section of the assessment plan or results.</enum>
-               <enum value="test-method">A test method defined in the assessment-activities section of the assessment plan or results.</enum>
-               <enum value="task">A task defined in the schedule of the assessment plan or results.</enum>
-               <enum value="included-activity">An assessment activity defined in the assessment-activities section of the assessment plan or results.</enum>
-               <enum value="other">The UUID points elsewhere in the this file or an imported file.</enum>
-            </allowed-values>
-         </constraint>
-      </define-flag>
-   </define-field>
    <define-flag name="uuid-ref" as-type="uuid">
       <formal-name>UUID Reference</formal-name>
       <description>A pointer to a relevant item, using it's UUID.</description>
@@ -1064,6 +1037,7 @@
       <!-- This is an id because it is an externally provided identifier -->
       <formal-name>Threat ID</formal-name>
       <description>A pointer, by ID, to an externally-defined threat.</description>
+      <json-value-key>id</json-value-key>
       <define-flag name="system" required="yes">
          <formal-name>Threat Type Identification System</formal-name>
          <description>Specifies the source of the threat information.</description>
@@ -1074,8 +1048,9 @@
             </allowed-values>
          </constraint>
       </define-flag>
-      <define-flag name="uri" as-type="uri" required="no">
-         <formal-name>URI</formal-name>
+      <!-- CHANGED "uri" to "href" -->
+      <define-flag name="href" as-type="uri-reference">
+         <formal-name>Threat Information Resource Reference</formal-name>
          <description>An optional location for the threat data, from which this ID originates.</description>
       </define-flag>
    </define-field>
@@ -1137,13 +1112,19 @@
    <define-field name="risk-metric">
       <formal-name>Risk Metric</formal-name>
       <description>An individual risk metric from a specified system.</description>
-      <!-- QUESTION: What is the json value key? -->
+      <json-value-key>value</json-value-key>
       <define-flag name="name" required="yes">
          <!-- TODO: this documentation needs to be improved -->
+         <!-- TODO: We need to reduce this to a core set for OSCAL -->
          <formal-name>name flag</formal-name>
          <description>name flag ... </description>
          <constraint>
             <allowed-values allow-other="yes">
+               <enum value="cve-id">An identifier managed by the CVE program (see <a>https://cve.mitre.org/</a>).</enum>
+               <enum value="cvss-2-AV">Access Vector</enum>
+               <enum value="cvss-3-AV">Attack Vector</enum>
+               <enum value="cvss-3.1-AV">Attack Vector</enum>
+               <enum value="fedramp-likelihood">Likelihood as defined by FedRAMP. The class can be used to specifiy 'inital' and 'adjusted'.</enum>
                <enum value="impacted-control">Impacted Control</enum>
                <enum value="vulnerability-id">Vulnerability ID</enum>
                <enum value="source-id">Source ID</enum>
@@ -1412,22 +1393,14 @@
          <assembly ref="link" max-occurs="unbounded">
             <group-as name="links" in-json="ARRAY"/>
          </assembly>
-         <define-field name="remediation-origin" min-occurs="0" max-occurs="unbounded">
-            <formal-name>remediation-origin field</formal-name>
-            <description>Points to the source of the recommendation</description>
-            <!-- QUESTION: What is the json value key? -->
+         <define-field name="origin" as-type="empty" max-occurs="unbounded">
+            <!-- CHANGED "remediation-origin" to "origin" -->
+            <formal-name>Remediation Origin</formal-name>
+            <description>Points to the source of the recommendation.</description>
             <group-as name="origins" in-json="ARRAY"/>
             <flag ref="uuid-ref" required="yes"/>
-            <define-flag name="type">
-               <formal-name>type flag</formal-name>
-               <description>type flag ... </description>
-               <constraint>
-                  <allowed-values allow-other="yes">
-                     <enum value="party">The UUID of the person or organization who made the recommendation</enum>
-                     <enum value="tool">The UUID of the tool that made the recommendation</enum>
-                  </allowed-values>
-               </constraint>
-            </define-flag>
+            <!-- CHANGED removed @type -->
+            <!-- TODO: document the UUID space that can be referenced. Currently part and tool. -->
          </define-field>
          <assembly ref="required" min-occurs="0" max-occurs="unbounded">
             <group-as name="requirements" in-json="ARRAY"/>
@@ -1437,23 +1410,6 @@
       </model>
    </define-assembly>
    
-   <define-field name="remediation-origin">
-      <formal-name>Remediation Origin</formal-name>
-      <description>Points to the source of the remediation recommendation or plan</description>
-      <!-- QUESTION: What is the json value key? -->
-      <flag ref="uuid-ref" required="yes"/>
-      <define-flag name="type">
-         <formal-name>type flag</formal-name>
-         <description>type flag ... </description>
-         <constraint>
-            <allowed-values allow-other="yes">
-               <enum value="party">The UUID of the person or organization who made the recommendation</enum>
-               <enum value="tool">The UUID of the tool that made the recommendation</enum>
-            </allowed-values>
-         </constraint>
-      </define-flag>
-   </define-field>
-   
    <define-field name="risk-statement" as-type="markup-multiline">
       <formal-name>Risk Statement</formal-name>
       <description>Describes the risk.</description>
diff --git a/src/metaschema/oscal_catalog_metaschema.xml b/src/metaschema/oscal_catalog_metaschema.xml
index 8473af7522..1dc89486ea 100644
--- a/src/metaschema/oscal_catalog_metaschema.xml
+++ b/src/metaschema/oscal_catalog_metaschema.xml
@@ -64,7 +64,7 @@
       <formal-name>Control Group</formal-name>
       <description>A group of controls, or of groups of controls.</description>
       <define-flag name="id" as-type="NCName">
-         <!-- This is an id because the idenfier is managed externally. -->
+         <!-- This is an id because the idenfier is assigned and managed externally by humans. -->
          <formal-name>Group Identifier</formal-name>
          <description>A unique identifier for a specific group instance that can be used to reference the group within this and in other OSCAL documents. This identifier's uniqueness is document scoped and is intended to be consistent for the same group across minor revisions of the document.</description>
       </define-flag>
diff --git a/src/metaschema/oscal_framework-common_metaschema.xml b/src/metaschema/oscal_framework-common_metaschema.xml
index 9cee1dc859..c2983d9493 100644
--- a/src/metaschema/oscal_framework-common_metaschema.xml
+++ b/src/metaschema/oscal_framework-common_metaschema.xml
@@ -24,7 +24,7 @@
       <formal-name>Control mapping</formal-name>
       <description>A mapping of a control or control statement to one or more other concepts.</description>
       <model>
-         <assembly ref="import-catalog" required="yes"/>
+        <assembly ref="import-catalog" min-occurs="1"/>
         <assembly ref="implemented-requirement" min-occurs="1" max-occurs="unbounded">
             <group-as name="implemented-requirements" in-json="ARRAY"/>
         </assembly>
diff --git a/src/metaschema/oscal_profile_metaschema.xml b/src/metaschema/oscal_profile_metaschema.xml
index c116c38267..115e81da7b 100644
--- a/src/metaschema/oscal_profile_metaschema.xml
+++ b/src/metaschema/oscal_profile_metaschema.xml
@@ -226,7 +226,6 @@
    <define-field name="call" as-type="empty">
       <formal-name>Call</formal-name>
       <description>Call a control by its ID</description>
-      <!-- QUESTION: What is the json value key? -->
       <flag ref="control-id" required="yes"/>
       <flag ref="with-child-controls"/>
       <remarks>
@@ -236,7 +235,6 @@
    <define-field name="match" as-type="empty">
       <formal-name>Match controls by identifier</formal-name>
       <description>Select controls by (regular expression) match on ID</description>
-      <!-- QUESTION: What is the json value key? -->
       <flag ref="pattern"/>
       <flag ref="order"/>
       <flag ref="with-child-controls"/>
@@ -336,7 +334,6 @@
    <define-field name="remove" as-type="empty">
       <formal-name>Removal</formal-name>
       <description>Specifies elements to be removed from a control, in resolution</description>
-      <!-- QUESTION: What is the json value key? -->
       <define-flag name="name-ref" as-type="NCName">
          <formal-name>Reference by (assigned) name</formal-name>
          <description>Items to remove, by assigned name</description>