iMichaela · iMichaela · Mar 21, 2024 · Sep 12, 2023 · Sep 15, 2023 · Sep 27, 2023
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
@@ -19,4 +19,4 @@ By submitting a pull request, you are agreeing to provide this contribution unde
 - [ ] Have you added an explanation of what your changes do and why you'd like us to include them?
 - [ ] Have you written new tests for your core changes, as applicable?
 - [ ] Have you included examples of how to use your new feature(s)?
-- [ ] Have you updated all [OSCAL website](https://pages.nist.gov/OSCAL) and readme documentation affected by the changes you made? Changes to the OSCAL website can be made in the docs/content directory of your branch.
+- [ ] Have you updated the [OSCAL website](https://pages.nist.gov/OSCAL) and readme documentation affected by the changes you made? Changes to the OSCAL website can be made in the [OSCAL-Pages](https://github.com/usnistgov/OSCAL-Pages) and [OSCAL_Reference](https://github.com/usnistgov/OSCAL-Reference) repositories.
diff --git a/.github/workflows/issue-triage.yml b/.github/workflows/issue-triage.yml
@@ -12,7 +12,7 @@ jobs:
     name: Add issue to project
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/add-to-project@31b3f3ccdc584546fc445612dec3f38ff5edb41c
+      - uses: actions/add-to-project@0609a2702eefb44781da00f8e04901d6e5cd2b92
         with:
           project-url: https://github.com/orgs/usnistgov/projects/25
           github-token: ${{ secrets.COMMIT_TOKEN }}
diff --git a/.github/workflows/periodic.yml b/.github/workflows/periodic.yml
@@ -15,7 +15,7 @@ jobs:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
         with:
           submodules: recursive
-      - uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65
+      - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8
         with:
           node-version-file: "build/.nvmrc"
           cache: "npm"

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -21,7 +21,7 @@ jobs:
           make -j2 artifacts archives RELEASE=${GITHUB_REF_NAME:1}
         working-directory: build
       - name: Create release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v2
         with:
           token: ${{ secrets.COMMIT_TOKEN }}
           draft: true

diff --git a/.github/workflows/status.yml b/.github/workflows/status.yml
@@ -25,7 +25,7 @@ jobs:
         with:
           distribution: "temurin"
           java-version: "17"
-      - uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65
+      - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8
         with:
           node-version-file: "build/.nvmrc"
           cache: "npm"

diff --git a/build/markdown-link-check.json b/build/markdown-link-check.json
@@ -11,7 +11,10 @@
         },
         {
             "pattern": "https://linux.die.net/man/1/xmllint/"
-        }        
+        },
+        {
+            "pattern": "https://csrc.nist.gov/Projects/Open-Security-Controls-Assessment-Language"
+        }       
     ],
     "replacementPatterns": [
         {

diff --git a/build/resolve-entities.xspec b/build/resolve-entities.xspec
@@ -0,0 +1,78 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<x:description xmlns:x="http://www.jenitennison.com/xslt/xspec"
+   stylesheet="resolve-entities3.xsl"
+   xmlns="http://csrc.nist.gov/ns/oscal/metaschema/1.0">
+
+   <x:scenario label="Everything copies:">
+      <x:scenario label="A bare metaschema">
+         <x:context>
+            <METASCHEMA/>
+         </x:context>
+         <x:expect label="copies" select="$x:context"/>
+      </x:scenario>
+      <x:scenario label="With random PIs">
+         <x:context>
+            <?xml-stylesheet href="some.css"?>
+            <METASCHEMA>
+               <title>A test</title>
+               <?random?>
+            </METASCHEMA>
+      </x:context>
+         <x:expect label="copies" select="$x:context"/>
+      </x:scenario>
+      <x:scenario label="A comment" pending="dev"/>
+   </x:scenario>
+
+   <x:scenario label="import/@href is modified:">
+      <x:scenario label="providing a suffix to the base name">
+         <x:context>
+            <METASCHEMA>
+               <import href="some.other.metaschema.xml"/>
+            </METASCHEMA>
+         </x:context>
+         <x:expect label="copies with @href modified">
+            <METASCHEMA>
+               <import href="some.other.metaschema_RESOLVED.xml"/>
+            </METASCHEMA>
+         </x:expect>
+      </x:scenario>
+      <x:scenario label="even when the suffix is not 'xml'">
+         <x:context>
+            <METASCHEMA>
+               <import href="some.other.metaschema"/>
+            </METASCHEMA>
+         </x:context>
+         <x:expect label="copies with @href modified">
+            <METASCHEMA>
+               <import href="some.other_RESOLVED.metaschema"/>
+            </METASCHEMA>
+         </x:expect>
+      </x:scenario>
+      <x:scenario label="or it is missing entirely">
+         <x:context>
+            <METASCHEMA>
+               <import href="some_metaschema"/>
+            </METASCHEMA>
+         </x:context>
+         <x:expect label="copies with @href modified">
+            <METASCHEMA>
+               <import href="some_metaschema_RESOLVED"/>
+            </METASCHEMA>
+         </x:expect>
+      </x:scenario>
+      <x:scenario label="providing a suffix to the base name">
+         <x:context>
+            <x:param name="splice">_NEW</x:param>
+            <METASCHEMA>
+               <import href="some.other.metaschema.xml"/>
+            </METASCHEMA>
+         </x:context>
+         <x:expect label="copies with @href modified">
+            <METASCHEMA>
+               <import href="some.other.metaschema_NEW.xml"/>
+            </METASCHEMA>
+         </x:expect>
+      </x:scenario>
+   </x:scenario>
+
+</x:description>
diff --git a/build/resolve-entities3.xsl b/build/resolve-entities3.xsl
@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+   xmlns:xs="http://www.w3.org/2001/XMLSchema"
+   xmlns:math="http://www.w3.org/2005/xpath-functions/math"
+   xpath-default-namespace="http://csrc.nist.gov/ns/oscal/metaschema/1.0"
+   exclude-result-prefixes="xs math"
+   version="3.0">
+
+<!--
+     Purpose: Process XML files through a parsing/serialization that resolves internal parsed entities.
+
+     Also renames file references in METASCHEMA/import/@href
+     using $importHrefSuffix to suffix the base name
+       so for $importHrefSuffix='NEW'
+       import href="a_metaschema_module.xml" becomes href="a_metaschema_module_NEW.xml"
+
+     Otherwise this is an identity transform, so a diff over source and results should show only stated changes.
+
+     Parameter: $importHrefSuffix is 'RESOLVED' by default
+
+     XSpec: See the XSpec resolve-entities.xspec for functional testing, including the edge cases.
+
+     Compared to old resolve-entities.xsl: This XSLT provides the same outputs
+     for 'normal' inputs i.e. when import/@href ends in '.xml'.
+
+     For extraordinary inputs it does a little differently.
+
+   -->
+
+   <!-- since whitespace is retained from input, it provides indenting
+        - if (schema-based) strip-space is operative, switch @indent to 'yes'-->
+   <xsl:output omit-xml-declaration="no" indent="no" encoding="ASCII"/>
+
+   <xsl:param name="importHrefSuffix" select="'RESOLVED'"/>
+
+   <!-- copying everything through -->
+   <xsl:mode on-no-match="shallow-copy"/>
+
+   <xsl:template match="import/@href">
+      <xsl:param     name="splice"   select="'_' || $importHrefSuffix"/>
+
+      <xsl:variable  name="basename" select="replace(.,'\.[^.]*$','')"/>
+      <xsl:attribute name="href"     select="$basename || $splice || substring-after(.,$basename)"/>
+   </xsl:template>
+
+</xsl:stylesheet>
diff --git a/src/metaschema/oscal_metadata_metaschema.xml b/src/metaschema/oscal_metadata_metaschema.xml
@@ -679,7 +679,7 @@
         <use-name>prop</use-name>
         <define-flag name="name" as-type="token" required="yes">
             <formal-name>Property Name</formal-name>
-            <description>A textual label, within a namespace, that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.</description>
+            <description>A textual label, within a namespace, that identifies a specific attribute, characteristic, or quality of the property's containing object.</description>
         </define-flag>
         <define-flag name="uuid" as-type="uuid">
             <formal-name>Property Universally Unique Identifier</formal-name>

diff --git a/src/utils/resolver-pipeline/testing/1_selected/select-mapping-controls.xspec b/src/utils/resolver-pipeline/testing/1_selected/select-mapping-controls.xspec
@@ -23,8 +23,8 @@
         https://github.com/usnistgov/OSCAL/discussions/1114
         When this is determined, tests can be added for those sections. -->
 
-    <!-- Location of sample files, relative to compiled test in xspec/ subdirectory -->
-    <x:variable name="ov:filedir" as="xs:string" select="resolve-uri('../../../../../../specifications/profile-resolution/profile-resolution-examples')"/>
+    <!-- Location of sample files, relative to this test file -->
+    <x:variable name="ov:filedir" as="xs:string" select="resolve-uri('../../../../specifications/profile-resolution/profile-resolution-examples',$x:xspec-uri)"/>
 
     <x:scenario label="Import controls using ID mapping">
         <x:scenario label="Basic case" pending="Mapping is not implemented yet">

diff --git a/src/utils/resolver-pipeline/testing/1_selected/select-rlink.xspec b/src/utils/resolver-pipeline/testing/1_selected/select-rlink.xspec
@@ -6,8 +6,8 @@
     xmlns:xs="http://www.w3.org/2001/XMLSchema"
     stylesheet="../../oscal-profile-resolve-select.xsl">
 
-    <!-- Location of sample files, relative to compiled test in xspec/ subdirectory -->
-    <x:variable name="ov:filedir" as="xs:string" select="resolve-uri('../../../../../../specifications/profile-resolution/profile-resolution-examples')"/>
+    <!-- Location of sample files, relative to this test file -->
+    <x:variable name="ov:filedir" as="xs:string" select="resolve-uri('../../../../specifications/profile-resolution/profile-resolution-examples',$x:xspec-uri)"/>
 
     <x:scenario label="Direct import by file href">
         <x:context>

diff --git a/src/utils/resolver-pipeline/testing/1_selected/select.xspec b/src/utils/resolver-pipeline/testing/1_selected/select.xspec
@@ -8,8 +8,8 @@
     stylesheet="../../oscal-profile-resolve-select.xsl"
     xslt-version="3.0">
 
-    <!-- Location of sample files, relative to compiled test in xspec/ subdirectory -->
-    <x:variable name="ov:filedir" as="xs:string" select="resolve-uri('../../../../../../specifications/profile-resolution/profile-resolution-examples')"/>
+    <!-- Location of sample files, relative to this test file -->
+    <x:variable name="ov:filedir" as="xs:string" select="resolve-uri('../../../../specifications/profile-resolution/profile-resolution-examples',$x:xspec-uri)"/>
 
     <x:variable name="ov:unique" as="function(*)"
         select="function($seq as xs:string*) as xs:boolean {

diff --git a/src/utils/resolver-pipeline/testing/2_metadata/uuid-method-choice.xspec b/src/utils/resolver-pipeline/testing/2_metadata/uuid-method-choice.xspec
@@ -1,5 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <x:description xmlns:x="http://www.jenitennison.com/xslt/xspec"
+    xmlns:javaUUID="java.util.UUID"
     xmlns:ov="http://csrc.nist.gov/ns/oscal/xspec/variable"
     xmlns:u="http://csrc.nist.gov/ns/uuid"
     xmlns:xs="http://www.w3.org/2001/XMLSchema"
@@ -8,7 +9,7 @@
     <x:scenario label="Tests for u:determine-uuid template">
         <x:variable name="ov:fixed" as="xs:string" select="'00000000-0000-4000-B000-000000000000'"/>
         <x:variable name="ov:specified" as="xs:string" select="'f0ad1e6c-5de5-44cd-b92e-a4c507805f0f'"/>
-        <x:variable name="ov:service" as="xs:string" select="resolve-uri('../uuid-value.txt')"/>
+        <x:variable name="ov:service" as="xs:string" select="resolve-uri('uuid-value.txt',$x:xspec-uri)"/>
         <x:scenario label="Valid user-provided UUID">
             <x:call template="u:determine-uuid">
                 <x:param name="top-uuid" select="$ov:specified"/>
@@ -37,16 +38,22 @@
             <x:expect label="UUID is neither fixed one nor specified one"
                 test="$x:result ne $ov:specified and $x:result ne $ov:fixed"/>
         </x:scenario>
-        <x:scenario label="Random UUID using Java">
+        <x:scenario label="Random UUID using Java (Note: Not available in CI/CD)">
             <x:call template="u:determine-uuid">
                 <x:param name="top-uuid" select="$ov:specified"/>
                 <x:param name="uuid-method" select="'random-java'"/>
             </x:call>
-            <x:expect label="Nonempty string"
-                test="$x:result instance of xs:string and $x:result != ''"/>
+            <x:variable name="ov:java-fcn-available" as="xs:boolean"
+                select="function-available('javaUUID:randomUUID')"/>
+            <x:expect label="Nonempty"
+                test="if ($ov:java-fcn-available)
+                then (string($x:result) != '')
+                else true()"/>
             <x:expect label="UUID is neither fixed one nor specified one"
-                test="$x:result ne $ov:specified and $x:result ne $ov:fixed"/>
-        </x:scenario>
+                test="if ($ov:java-fcn-available)
+                then (string($x:result) ne $ov:specified and string($x:result) ne $ov:fixed)
+                else true()"/>
+            </x:scenario>
         <!-- FYI: Because the transform relies on use-when, which is evaluated at
             compile time, the same test invocation cannot check both
             when the XSLT and Java random number generators are available

diff --git a/src/utils/resolver-pipeline/testing/3_merged/merge-custom.xspec b/src/utils/resolver-pipeline/testing/3_merged/merge-custom.xspec
@@ -574,7 +574,8 @@
                 </control>
             </x:expect>
         </x:scenario>
-        <x:scenario label="include-controls with parent controls (default choice)">
+        <x:scenario label="include-controls with parent controls (default choice)"
+          pending="Needs confirmation about latest expected result">
             <x:context mode="o:custom-merge" select="//o:include-controls">
                 <catalog uuid="xyz-tiny_catalog">
                     <selection>

diff --git a/src/utils/resolver-pipeline/testing/4_modified/modify.xspec b/src/utils/resolver-pipeline/testing/4_modified/modify.xspec
@@ -300,7 +300,7 @@
 
     <x:scenario label="Tests for match=set-parameter template">
         <x:scenario label="set-param child does not match anything">
-            <x:context select="//set-parameter">
+            <x:context select="//o:set-parameter">
                 <catalog id="abc">
                     <param id="p1">
                         <label>Parameter #1</label>
@@ -1158,7 +1158,7 @@
         </x:scenario>
         <x:scenario label="Edge case: Empty $modifications param">
             <x:call function="oscal:patches-to-id-targeting-ancestor">
-                <x:param name="here" select="id('a1-stmt')">
+                <x:param name="here" select="//*[@id='a1-stmt']">
                     <catalog id="abc">
                         <control id="a1">
                             <title>Control A</title>
-Original file line number
+Diff line change
@@ Expand Up / @@ -11,7 +11,10 @@ @@
             },
             {
                 "pattern": "https://linux.die.net/man/1/xmllint/"
-            }
+            },
+            {
+                "pattern": "https://csrc.nist.gov/Projects/Open-Security-Controls-Assessment-Language"
+            }
         ],
         "replacementPatterns": [
             {
@@ Expand Down @@