Remove Catalog group choice #2002
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This change ensures Catalog's JSON schema remains backwards compatible after the fix to choice generation
nikitawootten-nist
changed the title
iMichaela
reviewed
Mar 30, 2024
There was a problem hiding this comment.
@nikitawootten-nist - The implemented correction for the reported bug is good.
I would have just comment it out with a reminder so we can put it back in OSCAL 2.0.
There are the following other places where The list is below, but with the exception of the one fixed in here and possibly the ones in metadata, and control-common files where coexistence of the elements makes no logical sense for anyone using JSON buggy schema to have used all elements wrapped in instead of a selection, I think that the other ones needs to stay and this will cause backwards compatibility issue when fixing the JSON schema generation pipeline.
The community interviews were highlighting that JSON adopters are 70%-80% of current OSCAL users and many Catalogs have beed developed already. To our knowledge, profiles are only NIST's and FedRAMP's that are generated in XML and then converted to JSON so no issues here.
LIST:
- oscal_metadata_metaschema.xml
<choice>
<assembly ref="address" max-occurs="unbounded">
<group-as name="addresses" in-json="ARRAY"/>
</assembly>
<field ref="location-uuid" max-occurs="unbounded">
<group-as name="location-uuids" in-json="ARRAY"/>
</field>
</choice>
- oscal_control-common_metaschema.xml
<choice>
<field ref="parameter-value" max-occurs="unbounded">
<use-name>value</use-name>
<group-as name="values" in-json="ARRAY"/>
<remarks>
<p>A set of values [..snip..] models.</p>
</remarks>
</field>
<assembly ref="parameter-selection">
<use-name>select</use-name>
<remarks>
<p>The OSCAL parameter [..snip..] options that <strong>may</strong> be set.</p>
<p>A set of allowed [..snip..] for the parameter value.</p>
<p>When the value of [..snip..] one choice.</p>
</remarks>
</assembly>
</choice>
- oscal_profile_metaschema.xml
<choice>
<assembly ref="include-all" min-occurs="1">
<remarks>
<p>Identifies that all controls are to be included from the imported catalog or profile.</p>
</remarks>
</assembly>
<assembly ref="select-control-by-id" min-occurs="1" max-occurs="unbounded">
<use-name>include-controls</use-name>
<group-as name="include-controls" in-json="ARRAY"/>
<remarks>
<p>If <code>with-child-controls</code> is <q>yes</q> on the call to a control, any controls appearing within it (child controls) will be selected, with no additional <code>call</code> directives required. This flag provides a way to include controls with all their dependent controls (enhancements) without having to call them individually.</p>
</remarks>
</assembly>
</choice>
<choice>
<define-assembly name="flat" min-occurs="1">
<formal-name>Flat Without Grouping</formal-name>
<description>Directs that controls appear without any grouping structure.</description>
</define-assembly>
<define-field name="as-is" as-type="boolean" min-occurs="1">
<formal-name>Group As-Is</formal-name>
<description>Indicates that the controls selected should retain their original grouping as defined in the import source.</description>
</define-field>
<define-assembly name="custom" min-occurs="1">
<formal-name>Custom Grouping</formal-name>
<description>Provides an alternate grouping structure that selected controls will be placed in.</description>
<model>
<assembly ref="group" max-occurs="unbounded">
<group-as name="groups" in-json="ARRAY"/>
</assembly>
<assembly ref="insert-controls" max-occurs="unbounded">
<group-as name="insert-controls" in-json="ARRAY"/>
</assembly>
</model>
<remarks>
<p>The <code>custom</code> element represents a custom arrangement or organization of controls in the resolution of a catalog. This structuring directive gives the profile author the ability to define an entirely different organization of controls as compared to their source catalog(s).</p>
</remarks>
</define-assembly>
</choice>
<choice>
<assembly ref="group" max-occurs="unbounded">
<group-as name="groups" in-json="ARRAY"/>
</assembly>
<assembly ref="insert-controls" max-occurs="unbounded">
<group-as name="insert-controls" in-json="ARRAY"/>
</assembly>
</choice>
<choice>
<field ref="parameter-value" max-occurs="unbounded">
<use-name>value</use-name>
<group-as name="values" in-json="ARRAY"/>
<remarks>
<p>Used to (re)define a parameter value.</p>
</remarks>
</field>
<assembly ref="parameter-selection">
<use-name>select</use-name>
</assembly>
</choice>
<choice>
<assembly ref="include-all" min-occurs="1"/>
<assembly ref="select-control-by-id" min-occurs="1" max-occurs="unbounded">
<use-name>include-controls</use-name>
<group-as name="include-controls" in-json="ARRAY"/>
</assembly>
</choice>
- oscal_assessment-common_metaschema.xml
<choice>
<define-assembly name="on-date" min-occurs="1">
<formal-name>On Date Condition</formal-name>
<description>The task is intended to occur on the specified date.</description>
<define-flag name="date" as-type="dateTime-with-timezone" required="yes">
<formal-name>On Date Condition</formal-name>
<description>The task must occur on the specified date.</description>
</define-flag>
</define-assembly>
<define-assembly name="within-date-range" min-occurs="1">
<formal-name>On Date Range Condition</formal-name>
<description>The task is intended to occur within the specified date range.</description>
<define-flag name="start" as-type="dateTime-with-timezone" required="yes">
<formal-name>Start Date Condition</formal-name>
<description>The task must occur on or after the specified date.</description>
</define-flag>
<define-flag name="end" as-type="dateTime-with-timezone" required="yes">
<formal-name>End Date Condition</formal-name>
<description>The task must occur on or before the specified date.</description>
</define-flag>
</define-assembly>
<define-assembly name="at-frequency" min-occurs="1">
<formal-name>Frequency Condition</formal-name>
<description>The task is intended to occur at the specified frequency.</description>
<define-flag name="period" as-type="positiveInteger" required="yes">
<formal-name>Period</formal-name>
<description>The task must occur after the specified period has elapsed.</description>
</define-flag>
<define-flag name="unit" as-type="string" required="yes">
<formal-name>Time Unit</formal-name>
<description>The unit of time for the period.</description>
<constraint>
<allowed-values>
<enum value="seconds">The period is specified in seconds.</enum>
<enum value="minutes">The period is specified in minutes.</enum>
<enum value="hours">The period is specified in hours.</enum>
<enum value="days">The period is specified in days.</enum>
<enum value="months">The period is specified in calendar months.</enum>
<enum value="years">The period is specified in calendar years.</enum>
</allowed-values>
</constraint>
</define-flag>
</define-assembly>
</choice>
<choice>
<assembly ref="include-all" min-occurs="1"/>
<assembly ref="select-control-by-id" min-occurs="1" max-occurs="unbounded">
<use-name>include-control</use-name>
<group-as name="include-controls" in-json="ARRAY"/>
<remarks>
<p>Used to select a control for inclusion by the control's identifier. Specific control statements can be selected by their statement identifier.</p>
</remarks>
</assembly>
</choice>
<choice>
<assembly ref="include-all" min-occurs="1"/>
<assembly ref="select-objective-by-id" min-occurs="1" max-occurs="unbounded">
<use-name>include-objective</use-name>
<group-as name="include-objectives" in-json="ARRAY"/>
<remarks>
<p>Used to select a control objective for inclusion by the control objective's identifier.</p>
</remarks>
</assembly>
</choice>
<choice>
<assembly ref="include-all" min-occurs="1"/>
<assembly ref="select-subject-by-id" min-occurs="1" max-occurs="unbounded">
<use-name>include-subject</use-name>
<group-as name="include-subjects" in-json="ARRAY"/>
</assembly>
</choice>
@david-waltermire, @Rene2mt - What is FedRAMP's perspective? Is FedRAMP supporting today JSON formats?
Other JSON adopters: @vmangat @brian-ruf @Telos-sa @bradh @ancatri @degenaro @openprivacy @gregelin @butler54 ... Rob, Travis, Allan, Tom N., Kenny, others ?
|
After discussing with @iMichaela, I think our position is to keep the choices in all metaschemas as is. The old JSON schema behavior was not consistent with the XSDs and would fail to validate using the CLI. We will lean on the community to comment on the impact of the corrected JSON schema with the RC. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Committer Notes
This change ensures Catalog's JSON schema remains backwards compatible after the fix to choice generation
All Submissions:
By submitting a pull request, you are agreeing to provide this contribution under the CC0 1.0 Universal public domain dedication.
(For reviewers: The wiki has guidance on code review and overall issue review for completeness.)
Changes to Core Features: