Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: usnistgov/OSCAL
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: main
Choose a base ref
...
head repository: usnistgov/OSCAL
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: develop
Choose a head ref
Checking mergeability… Don’t worry, you can still create the pull request.
  • 12 commits
  • 8 files changed
  • 4 contributors

Commits on May 22, 2026

  1. Npm audit fix to eliminate vulnerable dependencies.

    Michaela Iorga committed May 22, 2026
    Configuration menu
    Copy the full SHA
    b6e50f3 View commit details
    Browse the repository at this point in the history

  2. Bump actions/add-to-project from 1.0.2 to 2.0.0 

    Bumps [actions/add-to-project](https://github.com/actions/add-to-project) from 1.0.2 to 2.0.0.
- [Release notes](https://github.com/actions/add-to-project/releases)
- [Commits](actions/add-to-project@244f685...5afcf98)

---
updated-dependencies:
- dependency-name: actions/add-to-project
  dependency-version: 2.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
    @dependabot
    dependabot[bot] authored and Michaela Iorga committed May 22, 2026
    Configuration menu
    Copy the full SHA
    efa0f5c View commit details
    Browse the repository at this point in the history

  3. defined additional allowed values for the control 'status' property

    @brian-ruf
    brian-ruf authored and Michaela Iorga committed May 22, 2026
    Configuration menu
    Copy the full SHA
    40d3d8b View commit details
    Browse the repository at this point in the history

  4. revised the allowed values list per comments in PR #2022

    @brian-ruf
    brian-ruf authored and Michaela Iorga committed May 22, 2026
    Configuration menu
    Copy the full SHA
    e4e218a View commit details
    Browse the repository at this point in the history

  5. removed status. Adjusted constraint on to be absent for additional st… 

    …atus values beyond
    @brian-ruf
    brian-ruf authored and Michaela Iorga committed May 22, 2026
    Configuration menu
    Copy the full SHA
    3bed532 View commit details
    Browse the repository at this point in the history

  6. adjustments based on automated copilot review

    @brian-ruf
    brian-ruf authored and Michaela Iorga committed May 22, 2026
    Configuration menu
    Copy the full SHA
    0fcbd37 View commit details
    Browse the repository at this point in the history

  7. removed depricated from constraint exception as required by NIST

    @brian-ruf
    brian-ruf authored and Michaela Iorga committed May 22, 2026
    Configuration menu
    Copy the full SHA
    1e0435f View commit details
    Browse the repository at this point in the history

  8. Adding new component types per issue #2214.

    Michaela Iorga committed May 22, 2026
    Configuration menu
    Copy the full SHA
    731a685 View commit details
    Browse the repository at this point in the history

  9. Moved allowed-value for component type to make it available in compon… 

    …ent definition as well not just ssp.
    Michaela Iorga committed May 22, 2026
    Configuration menu
    Copy the full SHA
    afe816c View commit details
    Browse the repository at this point in the history

Commits on Jun 2, 2026

  1. fix: correct context selector in @opr:id merge test 

    The "Tests for match=@opr:id template" scenario used
<x:context select="@opr:id"> with inline content <foo opr:id="..."/>.
XSpec evaluates the select against the document node that wraps the inline
content, and a document node has no attributes, so the context was an empty
sequence and the scenario aborted with XTMM9000 ("Context is an empty
sequence"), the failure reported in #2166.

Select the attribute through its element instead. Because merge.xspec declares
the default namespace http://csrc.nist.gov/ns/oscal/1.0, the inline <foo> is in
that namespace, so the selector uses the o: prefix already bound in the file
(as in existing scenarios like //o:selection): o:foo/@opr:id. The attribute
node then dispatches to the no-op template match="@opr:id" in
oscal-profile-resolve-merge.xsl, producing nothing, which matches the
scenario's <x:expect select="()"/>.

This is a test-case defect, not a profile-resolver defect: the @opr:id scrub
template is correct and is relied on across the merge suite (the several
"@opr:id omitted" expectations). Only the test's context selector changes.

Refs #2166

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
    @arpitjain099 @iMichaela
    arpitjain099 authored and iMichaela committed Jun 2, 2026
    Configuration menu
    Copy the full SHA
    2df346d View commit details
    Browse the repository at this point in the history

Commits on Jun 3, 2026

  1. fix: account for resource-fragment in link uniqueness constraint 

    oscal-unique-metadata-link keyed uniqueness on @href, @rel, and @media-type
only. Two links referencing the same back-matter resource by UUID but citing
different fragments via @resource-fragment collided and produced a false
uniqueness violation, while the equivalent direct-link form (distinct @href)
validated cleanly.

Add @resource-fragment to the key so links differing only by fragment are
treated as distinct. Relax the constraint from ERROR to WARNING since these
links are citations rather than addressable keys; WARNING is already used for
comparable advisory constraints in the metaschema.

Refs #2228

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
    @arpitjain099 @iMichaela
    arpitjain099 authored and iMichaela committed Jun 3, 2026
    Configuration menu
    Copy the full SHA
    52cb8bc View commit details
    Browse the repository at this point in the history

Commits on Jun 5, 2026

  1. Correct by-item-name description to not list title as removable 

    The by-item-name flag description gave 'title' as an example item-name to remove, but the oscal-profile-alter-by-item-name-values constraint intentionally does not allow 'title' (a control title is required, cardinality 1, and removing it would permit substituting a control's identity while keeping its id). Per the discussion in #2155, the description text is the inconsistency, not the constraint. Replace the title example with valid removable item-names (prop, link).

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
    @arpitjain099 @iMichaela
    arpitjain099 authored and iMichaela committed Jun 5, 2026
    Configuration menu
    Copy the full SHA
    a3f5782 View commit details
    Browse the repository at this point in the history
Loading