From b6e50f3613a384ed46982957a341bbb56be1263a Mon Sep 17 00:00:00 2001 From: Michaela Iorga Date: Tue, 5 May 2026 19:56:10 -0400 Subject: [PATCH 01/12] Npm audit fix to eliminate vulnerable dependencies. --- build/package-lock.json | 120 +++++++++++++++++++--------------------- 1 file changed, 57 insertions(+), 63 deletions(-) diff --git a/build/package-lock.json b/build/package-lock.json index 6f35409ebd..0aebcfe3b0 100644 --- a/build/package-lock.json +++ b/build/package-lock.json @@ -77,15 +77,16 @@ } }, "node_modules/ajv": { - "version": "8.12.0", - "resolved": "https://registry.npmjs.org/ajv/-/ajv-8.12.0.tgz", - "integrity": "sha512-sRu1kpcO9yLtYxBKvqfTeh9KzZEwO3STyX1HT+4CaDzC6HpTGYhIhPIzj9XuKU7KYDwnaeh5hcOwjy1QuJzBPA==", + "version": "8.20.0", + "resolved": "https://registry.npmjs.org/ajv/-/ajv-8.20.0.tgz", + "integrity": "sha512-Thbli+OlOj+iMPYFBVBfJ3OmCAnaSyNn4M1vz9T6Gka5Jt9ba/HIR56joy65tY6kx/FCF5VXNB819Y7/GUrBGA==", "dev": true, + "license": "MIT", "dependencies": { - "fast-deep-equal": "^3.1.1", + "fast-deep-equal": "^3.1.3", + "fast-uri": "^3.0.1", "json-schema-traverse": "^1.0.0", - "require-from-string": "^2.0.2", - "uri-js": "^4.2.2" + "require-from-string": "^2.0.2" }, "funding": { "type": "github", @@ -170,10 +171,11 @@ "dev": true }, "node_modules/basic-ftp": { - "version": "5.2.2", - "resolved": "https://registry.npmjs.org/basic-ftp/-/basic-ftp-5.2.2.tgz", - "integrity": "sha512-1tDrzKsdCg70WGvbFss/ulVAxupNauGnOlgpyjKzeQxzyllBLS0CGLV7tjIXTK3ZQA9/FBEm9qyFFN1bciA6pw==", + "version": "5.3.1", + "resolved": "https://registry.npmjs.org/basic-ftp/-/basic-ftp-5.3.1.tgz", + "integrity": "sha512-bopVNp6ugyA150DDuZfPFdt1KZ5a94ZDiwX4hMgZDzF+GttD80lEy8kj98kbyhLXnPvhtIo93mdnLIjpCAeeOw==", "dev": true, + "license": "MIT", "engines": { "node": ">=10.0.0" } 
@@ -185,10 +187,11 @@ "dev": true }, "node_modules/brace-expansion": { - "version": "1.1.11", - "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz", - "integrity": "sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==", + "version": "1.1.14", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.14.tgz", + "integrity": "sha512-MWPGfDxnyzKU7rNOW9SP/c50vi3xrmrua/+6hfPbCS2ABNWfx24vPidzvC7krjU/RTo235sV776ymlsMtGKj8g==", "dev": true, + "license": "MIT", "dependencies": { "balanced-match": "^1.0.0", "concat-map": "0.0.1" @@ -476,6 +479,23 @@ "dev": true, "license": "MIT" }, + "node_modules/fast-uri": { + "version": "3.1.2", + "resolved": "https://registry.npmjs.org/fast-uri/-/fast-uri-3.1.2.tgz", + "integrity": "sha512-rVjf7ArG3LTk+FS6Yw81V1DLuZl1bRbNrev6Tmd/9RaroeeRRJhAt7jg/6YFxbvAQXUCavSoZhPPj6oOx+5KjQ==", + "dev": true, + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/fastify" + }, + { + "type": "opencollective", + "url": "https://opencollective.com/fastify" + } + ], + "license": "BSD-3-Clause" + }, "node_modules/fs.realpath": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz", @@ -611,10 +631,11 @@ "dev": true }, "node_modules/ip-address": { - "version": "10.1.0", - "resolved": "https://registry.npmjs.org/ip-address/-/ip-address-10.1.0.tgz", - "integrity": "sha512-XXADHxXmvT9+CRxhXg56LJovE+bmWnEWB78LB83VZTprKTmaC5QfruXocxzTZ2Kl0DNwKuBdlIhjL8LeY8Sf8Q==", + "version": "10.2.0", + "resolved": "https://registry.npmjs.org/ip-address/-/ip-address-10.2.0.tgz", + "integrity": "sha512-/+S6j4E9AHvW9SWMSEY9Xfy66O5PWvVEJ08O0y5JGyEKQpojb0K0GKpz/v5HJ/G0vi3D2sjGK78119oXZeE0qA==", "dev": true, + "license": "MIT", "engines": { "node": ">= 12" } 
@@ -960,15 +981,6 @@ "integrity": "sha512-D+zkORCbA9f1tdWRK0RaCR3GPv50cMxcrz4X8k5LTSUD1Dkw47mKJEZQNunItRTkWwgtaUSo1RVFRIG9ZXiFYg==", "dev": true }, - "node_modules/punycode": { - "version": "2.1.1", - "resolved": "https://registry.npmjs.org/punycode/-/punycode-2.1.1.tgz", - "integrity": "sha512-XRsRjdf+j5ml+y/6GKHPZbrF/8p2Yga0JPtdqTIY2Xe5ohJPD9saDJJLPvp9+NSBprVvevdXZybnj2cv8OEd0A==", - "dev": true, - "engines": { - "node": ">=6" - } - }, "node_modules/require-from-string": { "version": "2.0.2", "resolved": "https://registry.npmjs.org/require-from-string/-/require-from-string-2.0.2.tgz", @@ -1062,15 +1074,6 @@ "node": ">=20.18.1" } }, - "node_modules/uri-js": { - "version": "4.4.1", - "resolved": "https://registry.npmjs.org/uri-js/-/uri-js-4.4.1.tgz", - "integrity": "sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==", - "dev": true, - "dependencies": { - "punycode": "^2.1.0" - } - }, "node_modules/validator": { "version": "13.15.26", "resolved": "https://registry.npmjs.org/validator/-/validator-13.15.26.tgz", @@ -1192,15 +1195,15 @@ "dev": true }, "ajv": { - "version": "8.12.0", - "resolved": "https://registry.npmjs.org/ajv/-/ajv-8.12.0.tgz", - "integrity": "sha512-sRu1kpcO9yLtYxBKvqfTeh9KzZEwO3STyX1HT+4CaDzC6HpTGYhIhPIzj9XuKU7KYDwnaeh5hcOwjy1QuJzBPA==", + "version": "8.20.0", + "resolved": "https://registry.npmjs.org/ajv/-/ajv-8.20.0.tgz", + "integrity": "sha512-Thbli+OlOj+iMPYFBVBfJ3OmCAnaSyNn4M1vz9T6Gka5Jt9ba/HIR56joy65tY6kx/FCF5VXNB819Y7/GUrBGA==", "dev": true, "requires": { - "fast-deep-equal": "^3.1.1", + "fast-deep-equal": "^3.1.3", + "fast-uri": "^3.0.1", "json-schema-traverse": "^1.0.0", - "require-from-string": "^2.0.2", - "uri-js": "^4.2.2" + "require-from-string": "^2.0.2" } }, "ajv-cli": { 
@@ -1258,9 +1261,9 @@ "dev": true }, "basic-ftp": { - "version": "5.2.2", - "resolved": "https://registry.npmjs.org/basic-ftp/-/basic-ftp-5.2.2.tgz", - "integrity": "sha512-1tDrzKsdCg70WGvbFss/ulVAxupNauGnOlgpyjKzeQxzyllBLS0CGLV7tjIXTK3ZQA9/FBEm9qyFFN1bciA6pw==", + "version": "5.3.1", + "resolved": "https://registry.npmjs.org/basic-ftp/-/basic-ftp-5.3.1.tgz", + "integrity": "sha512-bopVNp6ugyA150DDuZfPFdt1KZ5a94ZDiwX4hMgZDzF+GttD80lEy8kj98kbyhLXnPvhtIo93mdnLIjpCAeeOw==", "dev": true }, "boolbase": { @@ -1270,9 +1273,9 @@ "dev": true }, "brace-expansion": { - "version": "1.1.11", - "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz", - "integrity": "sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==", + "version": "1.1.14", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.14.tgz", + "integrity": "sha512-MWPGfDxnyzKU7rNOW9SP/c50vi3xrmrua/+6hfPbCS2ABNWfx24vPidzvC7krjU/RTo235sV776ymlsMtGKj8g==", "dev": true, "requires": { "balanced-match": "^1.0.0", @@ -1470,6 +1473,12 @@ "integrity": "sha512-vf6IHUX2SBcA+5/+4883dsIjpBTqmfBjmYiWK1savxQmFk4JfBMLa7ynTYOs1Rolp/T1betJxHiGD3g1Mn8lUQ==", "dev": true }, + "fast-uri": { + "version": "3.1.2", + "resolved": "https://registry.npmjs.org/fast-uri/-/fast-uri-3.1.2.tgz", + "integrity": "sha512-rVjf7ArG3LTk+FS6Yw81V1DLuZl1bRbNrev6Tmd/9RaroeeRRJhAt7jg/6YFxbvAQXUCavSoZhPPj6oOx+5KjQ==", + "dev": true + }, "fs.realpath": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz", 
@@ -1576,9 +1585,9 @@ "dev": true }, "ip-address": { - "version": "10.1.0", - "resolved": "https://registry.npmjs.org/ip-address/-/ip-address-10.1.0.tgz", - "integrity": "sha512-XXADHxXmvT9+CRxhXg56LJovE+bmWnEWB78LB83VZTprKTmaC5QfruXocxzTZ2Kl0DNwKuBdlIhjL8LeY8Sf8Q==", + "version": "10.2.0", + "resolved": "https://registry.npmjs.org/ip-address/-/ip-address-10.2.0.tgz", + "integrity": "sha512-/+S6j4E9AHvW9SWMSEY9Xfy66O5PWvVEJ08O0y5JGyEKQpojb0K0GKpz/v5HJ/G0vi3D2sjGK78119oXZeE0qA==", "dev": true }, "is-absolute-url": { @@ -1840,12 +1849,6 @@ "integrity": "sha512-D+zkORCbA9f1tdWRK0RaCR3GPv50cMxcrz4X8k5LTSUD1Dkw47mKJEZQNunItRTkWwgtaUSo1RVFRIG9ZXiFYg==", "dev": true }, - "punycode": { - "version": "2.1.1", - "resolved": "https://registry.npmjs.org/punycode/-/punycode-2.1.1.tgz", - "integrity": "sha512-XRsRjdf+j5ml+y/6GKHPZbrF/8p2Yga0JPtdqTIY2Xe5ohJPD9saDJJLPvp9+NSBprVvevdXZybnj2cv8OEd0A==", - "dev": true - }, "require-from-string": { "version": "2.0.2", "resolved": "https://registry.npmjs.org/require-from-string/-/require-from-string-2.0.2.tgz", @@ -1916,15 +1919,6 @@ "integrity": "sha512-eJdUmK/Wrx2d+mnWWmwwLRyA7OQCkLap60sk3dOK4ViZR7DKwwptwuIvFBg2HaiP9ESaEdhtpSymQPvytpmkCA==", "dev": true }, - "uri-js": { - "version": "4.4.1", - "resolved": "https://registry.npmjs.org/uri-js/-/uri-js-4.4.1.tgz", - "integrity": "sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==", - "dev": true, - "requires": { - "punycode": "^2.1.0" - } - }, "validator": { "version": "13.15.26", "resolved": "https://registry.npmjs.org/validator/-/validator-13.15.26.tgz", From efa0f5c0108d8c5e538d5aa5d1622c6f591440b0 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 12 May 2026 01:59:37 +0000 Subject: [PATCH 02/12] Bump actions/add-to-project from 1.0.2 to 2.0.0 Bumps [actions/add-to-project](https://github.com/actions/add-to-project) from 1.0.2 to 2.0.0. - [Release notes](https://github.com/actions/add-to-project/releases) - [Commits](https://github.com/actions/add-to-project/compare/244f685bbc3b7adfa8466e08b698b5577571133e...5afcf98fcd03f1c2f92c3c83f58ae24323cc57fd) --- updated-dependencies: - dependency-name: actions/add-to-project dependency-version: 2.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/issue-triage.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/issue-triage.yml b/.github/workflows/issue-triage.yml index a605304f38..f65087b891 100644 --- a/.github/workflows/issue-triage.yml +++ b/.github/workflows/issue-triage.yml @@ -12,7 +12,7 @@ jobs: name: Add issue to project runs-on: ubuntu-22.04 steps: - - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e + - uses: actions/add-to-project@5afcf98fcd03f1c2f92c3c83f58ae24323cc57fd with: project-url: https://github.com/orgs/usnistgov/projects/25 github-token: ${{ secrets.COMMIT_TOKEN }} From 40d3d8b5bdd819da413a5b9cdb4d7066b87e8346 Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Mon, 2 Mar 2026 16:20:11 -0500 Subject: [PATCH 03/12] defined additional allowed values for the control 'status' property --- src/metaschema/oscal_catalog_metaschema.xml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/src/metaschema/oscal_catalog_metaschema.xml b/src/metaschema/oscal_catalog_metaschema.xml index 82803e3aca..94ecacb856 100644 --- a/src/metaschema/oscal_catalog_metaschema.xml +++ b/src/metaschema/oscal_catalog_metaschema.xml 
@@ -286,11 +286,19 @@ value of 'withdrawn' can indicate that the control has been withdrawn and should no longer be used. - The control is no longer used. **(deprecated)*** Use 'withdrawn' instead. + [Default] This control is currently in force. + This control was incorporated into another control as identified by one or more "incorporated" links. + This control was moved as identified by a "moved" link. + This is a placeholder for a future control. + This control will be withdrawn. The withdrawn timeline or milestone may be describe the remarks. + This control is only applicable under certain conditions described in the remarks. + This control has been superseded by the artifact indicated by one or more "superseded-by" links or as described in the remarks. + This control is a pilot or proposed control; not yet required. The link cites an external resource related to this From e4e218a89ca4e5feb8b7a80c8f28dc20a4f11a17 Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Tue, 17 Mar 2026 15:04:52 -0400 Subject: [PATCH 04/12] revised the allowed values list per comments in PR usnistgov/OSCAL#2022 --- src/metaschema/oscal_catalog_metaschema.xml | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/src/metaschema/oscal_catalog_metaschema.xml b/src/metaschema/oscal_catalog_metaschema.xml index 94ecacb856..98f4ac76a6 100644 --- a/src/metaschema/oscal_catalog_metaschema.xml +++ b/src/metaschema/oscal_catalog_metaschema.xml 
@@ -288,16 +288,13 @@ - The control is no longer used. - **(deprecated)*** Use 'withdrawn' - instead. - [Default] This control is currently in force. - This control was incorporated into another control as identified by one or more "incorporated" links. - This control was moved as identified by a "moved" link. + The control is no longer used. It may have been retired, incorporated into another control, or moved to a different control. + [Default] This control exists as intended. This is a placeholder for a future control. This control will be withdrawn. The withdrawn timeline or milestone may be describe the remarks. This control is only applicable under certain conditions described in the remarks. This control has been superseded by the artifact indicated by one or more "superseded-by" links or as described in the remarks. + This control has been updated from a prior version, as described in the remarks. This control is a pilot or proposed control; not yet required. From 3bed5327e9d2d110d2afe691537796e9d5f4dc02 Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Sun, 12 Apr 2026 17:22:31 -0400 Subject: [PATCH 05/12] removed status. Adjusted constraint on to be absent for additional status values beyond --- src/metaschema/oscal_catalog_metaschema.xml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/metaschema/oscal_catalog_metaschema.xml b/src/metaschema/oscal_catalog_metaschema.xml index 98f4ac76a6..6f3a51f9c5 100644 --- a/src/metaschema/oscal_catalog_metaschema.xml +++ b/src/metaschema/oscal_catalog_metaschema.xml @@ -278,7 +278,7 @@ + test="prop[@name='status']/@value=('withdrawn','Withdrawn', 'reserved', 'deprecated', 'superseded') or part[@name='statement']"/> &allowed-values-control-group-property-name; 
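Review bot: The exemption test added in PATCH 05/12, `prop[@name='status']/@value=('withdrawn','Withdrawn', 'reserved', 'deprecated', 'superseded') or part[@name='statement']`, matches a `status` prop in any namespace. The allowed-values target for the same property (visible in PATCH 06/12) is scoped with `has-oscal-namespace('http://csrc.nist.gov/ns/oscal')`. As written, a third-party extension prop that happens to be named `status` and carries one of the listed values would let a control pass validation without a `statement` part. I would scope the test the same way, `prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='status']/@value=(...) or part[@name='statement']`, and carry that into PATCH 07/12, which edits the same expression. The enclosing constraint element starts outside the hunk, so whether the earlier form was already unscoped cannot be confirmed from here.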
@@ -289,7 +289,6 @@ The control is no longer used. It may have been retired, incorporated into another control, or moved to a different control. - [Default] This control exists as intended. This is a placeholder for a future control. This control will be withdrawn. The withdrawn timeline or milestone may be describe the remarks. This control is only applicable under certain conditions described in the remarks. From 0fcbd37e578cc7f18c3ae5ca736dce1c2cef1cfe Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Mon, 13 Apr 2026 13:22:08 -0400 Subject: [PATCH 06/12] adjustments based on automated copilot review --- src/metaschema/oscal_catalog_metaschema.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/metaschema/oscal_catalog_metaschema.xml b/src/metaschema/oscal_catalog_metaschema.xml index 6f3a51f9c5..cdb2f0fdf4 100644 --- a/src/metaschema/oscal_catalog_metaschema.xml +++ b/src/metaschema/oscal_catalog_metaschema.xml @@ -277,7 +277,7 @@ - @@ -290,7 +290,7 @@ target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='status']/@value"> The control is no longer used. It may have been retired, incorporated into another control, or moved to a different control. This is a placeholder for a future control. - This control will be withdrawn. The withdrawn timeline or milestone may be describe the remarks. + This control will be withdrawn. The withdrawn timeline or milestone may be described in the remarks. This control is only applicable under certain conditions described in the remarks. This control has been superseded by the artifact indicated by one or more "superseded-by" links or as described in the remarks. This control has been updated from a prior version, as described in the remarks. From 1e0435f50e3f4b9380aac7ab99413e6f0cd6e4c7 Mon Sep 17 00:00:00 2001 
From: Brian Ruf Date: Thu, 14 May 2026 21:07:53 -0400 Subject: [PATCH 07/12] removed depricated from constraint exception as required by NIST --- src/metaschema/oscal_catalog_metaschema.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/metaschema/oscal_catalog_metaschema.xml b/src/metaschema/oscal_catalog_metaschema.xml index cdb2f0fdf4..0c5deb5383 100644 --- a/src/metaschema/oscal_catalog_metaschema.xml +++ b/src/metaschema/oscal_catalog_metaschema.xml @@ -278,7 +278,7 @@ + test="prop[@name='status']/@value=('withdrawn','Withdrawn', 'reserved', 'superseded') or part[@name='statement']"/> &allowed-values-control-group-property-name; From 731a685c4969f57f69edb6815466121ba5c1e0da Mon Sep 17 00:00:00 2001 From: Michaela Iorga Date: Tue, 19 May 2026 16:54:09 -0400 Subject: [PATCH 08/12] Adding new component types per issue #2214. --- src/metaschema/oscal_implementation-common_metaschema.xml | 2 +- .../shared-constraints/allowed-values-component-type.ent | 5 ++++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/src/metaschema/oscal_implementation-common_metaschema.xml b/src/metaschema/oscal_implementation-common_metaschema.xml index ea96c74f59..429ac6a9d1 100644 --- a/src/metaschema/oscal_implementation-common_metaschema.xml +++ b/src/metaschema/oscal_implementation-common_metaschema.xml @@ -242,7 +242,7 @@ The system as a whole. An external system, which may be a leveraged system or the other side of an interconnection. &allowed-values-component-type; - A physical or virtual network. + A physical or virtual capability that provides connectivity, segmentation, routing, traffic distribution, name resolution, or network boundary control. diff --git a/src/metaschema/shared-constraints/allowed-values-component-type.ent b/src/metaschema/shared-constraints/allowed-values-component-type.ent index 7f4f680f47..9503e69505 100644 --- a/src/metaschema/shared-constraints/allowed-values-component-type.ent 
+++ b/src/metaschema/shared-constraints/allowed-values-component-type.ent @@ -4,9 +4,12 @@ A service that may provide APIs. An enforceable policy. A tangible asset used to provide physical protections or countermeasures. - + A list of steps or actions to take to achieve some end result. An applicable plan. Any guideline or recommendation. Any organizational or industry standard. An external assessment performed on some other component, that has been validated by a third-party. +An isolated geographic area where a cloud service provider (CSP) operates a cluster of data centers. +A fault-isolated cloud computing data center group within a region, connected by low-latency links. +A logical administrative, governance, billing, or resource-scoping boundary used to organize cloud resources. From afe816cddcaae06cbf3bb1b20729eebcccc6faaf Mon Sep 17 00:00:00 2001 From: Michaela Iorga Date: Wed, 20 May 2026 10:45:30 -0400 Subject: [PATCH 09/12] Moved allowed-value for component type to make it available in component definition as well not just ssp. --- src/metaschema/oscal_implementation-common_metaschema.xml | 1 - .../shared-constraints/allowed-values-component-type.ent | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/src/metaschema/oscal_implementation-common_metaschema.xml b/src/metaschema/oscal_implementation-common_metaschema.xml index 429ac6a9d1..8a93405ebd 100644 --- a/src/metaschema/oscal_implementation-common_metaschema.xml +++ b/src/metaschema/oscal_implementation-common_metaschema.xml @@ -242,7 +242,6 @@ The system as a whole. An external system, which may be a leveraged system or the other side of an interconnection. &allowed-values-component-type; - A physical or virtual capability that provides connectivity, segmentation, routing, traffic distribution, name resolution, or network boundary control. 
diff --git a/src/metaschema/shared-constraints/allowed-values-component-type.ent b/src/metaschema/shared-constraints/allowed-values-component-type.ent index 9503e69505..66c6310c8f 100644 --- a/src/metaschema/shared-constraints/allowed-values-component-type.ent +++ b/src/metaschema/shared-constraints/allowed-values-component-type.ent @@ -13,3 +13,4 @@ An isolated geographic area where a cloud service provider (CSP) operates a cluster of data centers. A fault-isolated cloud computing data center group within a region, connected by low-latency links. A logical administrative, governance, billing, or resource-scoping boundary used to organize cloud resources. +A physical or virtual capability that provides connectivity, segmentation, routing, traffic distribution, name resolution, or network boundary control. \ No newline at end of file From 2df346d356ba269b0a7c3cf1667d26864cc2669e Mon Sep 17 00:00:00 2001 
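Review bot: The `\ No newline at end of file` marker shows that allowed-values-component-type.ent now ends without a trailing newline after the moved connectivity entry (presumably the `network` value; the element markup is not legible here). This entity is expanded inline wherever `&allowed-values-component-type;` is referenced, so please end the file with a newline. That keeps the next appended value a one-line diff and stops the expansion from running into the element that follows the reference. It is also worth confirming that no other metaschema referencing the entity still declares this value itself, since it would then be defined twice. Only the removal from oscal_implementation-common_metaschema.xml is visible in this patch.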
From: Arpit Jain Date: Tue, 2 Jun 2026 11:19:00 +0900 Subject: [PATCH 10/12] fix: correct context selector in @opr:id merge test The "Tests for match=@opr:id template" scenario used with inline content . XSpec evaluates the select against the document node that wraps the inline content, and a document node has no attributes, so the context was an empty sequence and the scenario aborted with XTMM9000 ("Context is an empty sequence"), the failure reported in #2166. Select the attribute through its element instead. Because merge.xspec declares the default namespace http://csrc.nist.gov/ns/oscal/1.0, the inline is in that namespace, so the selector uses the o: prefix already bound in the file (as in existing scenarios like //o:selection): o:foo/@opr:id. The attribute node then dispatches to the no-op template match="@opr:id" in oscal-profile-resolve-merge.xsl, producing nothing, which matches the scenario's . This is a test-case defect, not a profile-resolver defect: the @opr:id scrub template is correct and is relied on across the merge suite (the several "@opr:id omitted" expectations). Only the test's context selector changes. Refs #2166 Signed-off-by: Arpit Jain --- src/utils/resolver-pipeline/testing/3_merged/merge.xspec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/utils/resolver-pipeline/testing/3_merged/merge.xspec b/src/utils/resolver-pipeline/testing/3_merged/merge.xspec index a20f188339..0cf42c4894 100644 --- a/src/utils/resolver-pipeline/testing/3_merged/merge.xspec +++ b/src/utils/resolver-pipeline/testing/3_merged/merge.xspec @@ -845,7 +845,7 @@ - + From 52cb8bc220b585c46ee7b576514ffdb4646bceaf Mon Sep 17 00:00:00 2001 
From: Arpit Jain Date: Tue, 2 Jun 2026 10:40:33 +0900 Subject: [PATCH 11/12] fix: account for resource-fragment in link uniqueness constraint oscal-unique-metadata-link keyed uniqueness on @href, @rel, and @media-type only. Two links referencing the same back-matter resource by UUID but citing different fragments via @resource-fragment collided and produced a false uniqueness violation, while the equivalent direct-link form (distinct @href) validated cleanly. Add @resource-fragment to the key so links differing only by fragment are treated as distinct. Relax the constraint from ERROR to WARNING since these links are citations rather than addressable keys; WARNING is already used for comparable advisory constraints in the metaschema. Refs #2228 Signed-off-by: Arpit Jain --- src/metaschema/oscal_metadata_metaschema.xml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/metaschema/oscal_metadata_metaschema.xml b/src/metaschema/oscal_metadata_metaschema.xml index f72013a310..b6e4966afd 100644 --- a/src/metaschema/oscal_metadata_metaschema.xml +++ b/src/metaschema/oscal_metadata_metaschema.xml @@ -365,10 +365,11 @@ - + + From a3f57829d31069763b2804043868c5113e0055d7 Mon Sep 17 00:00:00 2001 From: Arpit Jain Date: Wed, 3 Jun 2026 10:13:15 +0900 Subject: [PATCH 12/12] Correct by-item-name description to not list title as removable The by-item-name flag description gave 'title' as an example item-name to remove, but the oscal-profile-alter-by-item-name-values constraint intentionally does not allow 'title' (a control title is required, cardinality 1, and removing it would permit substituting a control's identity while keeping its id). Per the discussion in #2155, the description text is the inconsistency, not the constraint. Replace the title example with valid removable item-names (prop, link). Signed-off-by: Arpit Jain --- src/metaschema/oscal_profile_metaschema.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
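Review bot: Lowering oscal-unique-metadata-link from ERROR to WARNING is a separate policy change from the key fix and should be split out or justified on its own. Per the description, adding `@resource-fragment` to the key already removes the false positive from #2228. With the level relaxed as well, exact duplicates (same `@href`, `@rel`, `@media-type` and `@resource-fragment`) will no longer fail validation pipelines that gate only on errors. If the relaxation stays, a remark on the constraint explaining why duplicate links are advisory would help downstream tool authors. The element markup in this hunk is not legible here, so this is based on the commit description rather than the changed lines.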
diff --git a/src/metaschema/oscal_profile_metaschema.xml b/src/metaschema/oscal_profile_metaschema.xml index efed615372..1404ee2ac5 100644 --- a/src/metaschema/oscal_profile_metaschema.xml +++ b/src/metaschema/oscal_profile_metaschema.xml @@ -313,8 +313,8 @@ Item Name Reference Identify items to remove by the name of the item's information object name, e.g. - title or - prop. + prop or + link. A descendant parameter and all of its descendants.