-
Notifications
You must be signed in to change notification settings - Fork 187
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
oscal_complete_schema.xsd (v1.0.4) lacks with-parent-controls attribute of include-controls element #1662
Comments
Moved inline to bug report description. |
Requesting clarification: why is the attribute defined in the schema not working? OSCAL/xml/schema/oscal_complete_schema.xsd Line 2146 in f87dcb1
This can also be tested by trying a schema against a suitable document e.g. in an editor. |
The
Using https://raw.githubusercontent.com/galtm/OSCAL/saxon11/src/utils/util/resolver-pipeline/oscal-profile-RESOLVE.xsl
|
@GaryGapinski thanks for clarification: it is terrible what the brain does to prevent the eyes from seeing. Agreed, @galtm @aj-stein-nist let's take note that the scope of definition here (semantics to be settled, documented, mocked up and tested) includes both |
Now retracing Gary's steps, I am able to confirm some kind of regression in the schema. The flag Suggest we look at the commit history of the profile metaschema to determine if this flag was not removed at some point - if only because my test harnesses include data that is now invalid -- suggesting they were valid at some point. If we can confirm when this flag was pulled from the schema we are in a better position to judge whether the schema is in error (this should be replaced) or maybe the change was made purposefully (and the spec should catch up). If there is no flag for toggling this behavior we also need to determine whether controls can be included by implication (by virtue of a descendant control being included) at any rate in |
OK this appears to have been easier to figure out than I had expected. It appears that work was done to add To conduct the search I did the following on both $ git branch --show-current
develop
$ git rev-parse HEAD
e3c4432e74eae1fabaaa6ecf9d29df0915a887f2
$ git log -S with-parent-controls --oneline
539fd730a Requirement Tagging - Profile Resolution Specification (#1089)
8c662395c Publishing Generated Website Content [ci skip]
2c4354709 Profile specification (#1017)
$ git branch --show-current
main
$ git rev-parse HEAD
0dfb7123488576b016ca58806033bfc9b6be8e0b
$ git log -S with-parent-controls --oneline
539fd730a Requirement Tagging - Profile Resolution Specification (#1089)
8c662395c Publishing Generated Website Content [ci skip]
2c4354709 Profile specification (#1017)
So you are correct, @wendellpiez, good hunch, can you draft a PR (we will discuss where to point the branch in a little bit, rebasing will be simple with a small change like this, and if I am wrong I will help you): please add
I will review the profile resolution spec again later today, but I had trouble understanding the current perspective on this for |
I also checked @wendellpiez, looks like we have an immediate game plan to add |
Yup, sounds good. I will make this change over There may be some crafting of language for |
@wendellpiez, can you write up the challenges with the schema modifications in a comment to this issue before the sprint review and we discuss further then? I would like to address this work, but I assume we should have the team brief one another on blockers and things. I presume there will not be a lot of movement in the next hour. |
Quick version:
In summary:
Finally - working this could also be easier with unit tests such as are behind the draft PR here: #1479 I think that covers it for now -- |
For Sprint 65, @wendellpiez is the driver for this issue. |
@nikitawootten-nist you want to pair on this later today? |
@wendellpiez one of the main concerns I have with the comment regard alignment with the profile resolution specification is what is written: "Exclusions work the same way as inclusions, except with the opposite effect - the indicated control(s) do not appear in the target catalog." So I think we are going to have to, in the short-term, make the semantics of include and exclude align, and I still think your point about Does that sound good? |
Current thinking:
I will do my work in oXygen (both editing and production) but you can pick whatever you like, as long as you can validate metaschema instances and produce schemas from your new or edited metaschema. (Validation does include Schematron.) My work should include at least some test data including valid and known-invalid samples. After doing this (ask for help?) we convene, compare notes, and start to talk about the remodeling, with potential solutions. Bonus: if we could generate schemas using |
Based on comment issue feedback in #1662 (comment).
Sounds good, where is the working branch? |
It is here: https://github.com/wendellpiez/OSCAL/tree/issue1662-adding-with-parent-controls-flag But the only thing in it so far is a working copy of the profile metaschema (not yet being worked) -- rsn. |
…mo schema and test instances
New demo profile metaschema: https://github.com/wendellpiez/OSCAL/blob/issue1662-adding-with-parent-controls-flag/src/metaschema/oscal_profile1662_metaschema.xml This is the same as the profile metaschema (sitting next to it for comparison) except with a little rearranging of definitions to achieve the exact mod wanted, namely to add a flag It also includes three XML test instances for testing validation in a generated schema (XSD). Next up for @aj-stein-nist and @nikitawootten-nist -- either bring this stuff down and check it out, or let me know where you are stuck:
We can also work on this together if it's useful. Let me know if this isn't the best way to support distribution of temporary WIP - I am assuming commit histories can be squeezed. |
@aj-stein-nist this refactoring attempts to thread the needle in the spec by interpolating into the Profile Resolution spec the idea that the semantics of exclusion are the same insofar as they are applicable, which includes not only that they have the opposite effect, but also that not all the capabilities are there (such as being able to exclude an entire branch of a control hierarchy by listing one of its descendants) because not all the features are there (no This reflects the original intent and I do not believe it contradicts the spec, which doesn't actually say that exclusions are identical to inclusion every way except excluding. (It says they 'work the same'.) If we must edit the Spec to clarify this, I would prefer that than to have a leaky semantic asking for trouble, unit tests and agreement somewhere down the line. |
So yesterday, @nikitawootten-nist, @wendellpiez, and I did a deep dive and Wendell broke down specific points on the the implications of a custom merge directive and how including Yesterday, I committed to pair with Nikita to interpret what Wendell said and the approach he presented. I will try with Nikita to achieve the same thing with specifically copy his branch to check my understanding when we pair today or tomorrow, more to come. Then we will need to update and align the spec. |
Add it for insert-controls, but not exclusion or merge, based upon team review and analysis of current profile resolution specification.
Add it for insert-controls, but not exclusion or merge, based upon team review and analysis of current profile resolution specification.
Add it for insert-controls, but not exclusion or merge, based upon team review and analysis of current profile resolution specification.
* with-parent-controls for import only for #1662 Add it for insert-controls, but not exclusion or merge, based upon team review and analysis of current profile resolution specification. * Clarify spec for #1662. * Apply suggestions from code review Co-authored-by: Wendell Piez <[email protected]> * Update src/specifications/profile-resolution/profile-resolution-specml.xml * Apply suggestions from code review Co-authored-by: Wendell Piez <[email protected]> --------- Co-authored-by: Wendell Piez <[email protected]>
…in the profile resolution spec that didn't exist in the model. Instead of updating the model, this PR removes the "with-parent-controls" feature from the profile resolution spec. This developmental feature should be removed for the following reasons. - This feature is not implemented in any of the current XSLT or Java implementations. - This feature is not being requested from a significant segment of the user community. The related issue usnistgov#1662 has support from 1 community member outside the NIST team. - This feature is extremely difficult to implement along with with-child-controls, which works on the opposite axis. - IMHO, profile resolution doesn't need to be made more complicated than it already is.
…in the profile resolution spec that didn't exist in the model. Instead of updating the model, this PR removes the "with-parent-controls" feature from the profile resolution spec. This developmental feature should be removed for the following reasons. - This feature is not implemented in any of the current XSLT or Java implementations. - This feature is not being requested from a significant segment of the user community. The related issue usnistgov#1662 has support from 1 community member outside the NIST team. - This feature is extremely difficult to implement along with with-child-controls, which works on the opposite axis. - IMHO, profile resolution doesn't need to be made more complicated than it already is.
* Revert changes from #1717 that address a documented feature in the profile resolution spec that didn't exist in the model. Instead of updating the model, this PR removes the "with-parent-controls" feature from the profile resolution spec. This developmental feature should be removed for the following reasons. - This feature is not implemented in any of the current XSLT or Java implementations. - This feature is not being requested from a significant segment of the user community. The related issue #1662 has support from 1 community member outside the NIST team. - This feature is extremely difficult to implement along with with-child-controls, which works on the opposite axis. - IMHO, profile resolution doesn't need to be made more complicated than it already is. * PR review, delete dangling with-parent-controls flag. --------- Co-authored-by: A.J. Stein <[email protected]>
* with-parent-controls for import only for usnistgov/OSCAL#1662 Add it for insert-controls, but not exclusion or merge, based upon team review and analysis of current profile resolution specification. * Clarify spec for usnistgov/OSCAL#1662. * Apply suggestions from code review Co-authored-by: Wendell Piez <[email protected]> * Update src/specifications/profile-resolution/profile-resolution-specml.xml * Apply suggestions from code review Co-authored-by: Wendell Piez <[email protected]> --------- Co-authored-by: Wendell Piez <[email protected]>
* Revert changes from usnistgov/OSCAL#1717 that address a documented feature in the profile resolution spec that didn't exist in the model. Instead of updating the model, this PR removes the "with-parent-controls" feature from the profile resolution spec. This developmental feature should be removed for the following reasons. - This feature is not implemented in any of the current XSLT or Java implementations. - This feature is not being requested from a significant segment of the user community. The related issue usnistgov/OSCAL#1662 has support from 1 community member outside the NIST team. - This feature is extremely difficult to implement along with with-child-controls, which works on the opposite axis. - IMHO, profile resolution doesn't need to be made more complicated than it already is. * PR review, delete dangling with-parent-controls flag. --------- Co-authored-by: A.J. Stein <[email protected]>
* with-parent-controls for import only for usnistgov/OSCAL#1662 Add it for insert-controls, but not exclusion or merge, based upon team review and analysis of current profile resolution specification. * Clarify spec for usnistgov/OSCAL#1662. * Apply suggestions from code review Co-authored-by: Wendell Piez <[email protected]> * Update src/specifications/profile-resolution/profile-resolution-specml.xml * Apply suggestions from code review Co-authored-by: Wendell Piez <[email protected]> --------- Co-authored-by: Wendell Piez <[email protected]>
* Revert changes from usnistgov/OSCAL#1717 that address a documented feature in the profile resolution spec that didn't exist in the model. Instead of updating the model, this PR removes the "with-parent-controls" feature from the profile resolution spec. This developmental feature should be removed for the following reasons. - This feature is not implemented in any of the current XSLT or Java implementations. - This feature is not being requested from a significant segment of the user community. The related issue usnistgov/OSCAL#1662 has support from 1 community member outside the NIST team. - This feature is extremely difficult to implement along with with-child-controls, which works on the opposite axis. - IMHO, profile resolution doesn't need to be made more complicated than it already is. * PR review, delete dangling with-parent-controls flag. --------- Co-authored-by: A.J. Stein <[email protected]>
* with-parent-controls for import only for usnistgov#1662 Add it for insert-controls, but not exclusion or merge, based upon team review and analysis of current profile resolution specification. * Clarify spec for usnistgov#1662. * Apply suggestions from code review Co-authored-by: Wendell Piez <[email protected]> * Update src/specifications/profile-resolution/profile-resolution-specml.xml * Apply suggestions from code review Co-authored-by: Wendell Piez <[email protected]> --------- Co-authored-by: Wendell Piez <[email protected]>
* Revert changes from usnistgov#1717 that address a documented feature in the profile resolution spec that didn't exist in the model. Instead of updating the model, this PR removes the "with-parent-controls" feature from the profile resolution spec. This developmental feature should be removed for the following reasons. - This feature is not implemented in any of the current XSLT or Java implementations. - This feature is not being requested from a significant segment of the user community. The related issue usnistgov#1662 has support from 1 community member outside the NIST team. - This feature is extremely difficult to implement along with with-child-controls, which works on the opposite axis. - IMHO, profile resolution doesn't need to be made more complicated than it already is. * PR review, delete dangling with-parent-controls flag. --------- Co-authored-by: A.J. Stein <[email protected]>
Describe the bug
The
include-controls
definition has a typeoscal-complete:oscal-profile-select-control-by-id-ASSEMBLY
which has a definition which lacks thewith-parent-controls
attribute described here in the OSCAL Profile Resolution Specification Draft.Who is the bug affecting
Scrutinizers of the OSCAL Profile Resolution Specification Draft who eschew the inclusion of ancestor controls during profile resolution.
What is affected by this bug
Metaschema
How do we replicate this issue
Inspect the
oscal-profile-select-control-by-id-ASSEMBLY
assembly inoscal_complete_schema.xsd
.Expected behavior (i.e. solution)
include-controls
should have an optionalwith-parent-controls
attribute.Other comments
The
with-child-controls
attribute fortunate enough to be included is not constrained to the documented values of `'yes' and 'no'.Acceptance Criteria
develop
, thenmain
to check if the schema is correctly or incorrectly missing the relevant fields.The text was updated successfully, but these errors were encountered: