From a1a31a6597dfecc18509b169702742afb2b7cd63 Mon Sep 17 00:00:00 2001 From: David Waltermire Date: Wed, 7 Dec 2022 14:16:10 -0500 Subject: [PATCH] Fixed improper use of allowed-values/allow-other. Ensured that all props in the OSCAL namespace are properly closed and all link rels are open for extension. (#1579) --- .../oscal_assessment-common_metaschema.xml | 32 ++++++------ .../oscal_assessment-plan_metaschema.xml | 2 +- src/metaschema/oscal_catalog_metaschema.xml | 2 +- src/metaschema/oscal_component_metaschema.xml | 18 +++---- .../oscal_control-common_metaschema.xml | 2 +- ...oscal_implementation-common_metaschema.xml | 50 +++++++++---------- src/metaschema/oscal_metadata_metaschema.xml | 14 +++--- src/metaschema/oscal_profile_metaschema.xml | 2 +- src/metaschema/oscal_ssp_metaschema.xml | 29 +++++------ 9 files changed, 75 insertions(+), 76 deletions(-) diff --git a/src/metaschema/oscal_assessment-common_metaschema.xml b/src/metaschema/oscal_assessment-common_metaschema.xml index a96a51fb79..47dbbe28b2 100644 --- a/src/metaschema/oscal_assessment-common_metaschema.xml +++ b/src/metaschema/oscal_assessment-common_metaschema.xml @@ -183,11 +183,11 @@ - + The assessment method to use. This typically appears on parts with the name "assessment". - - + + The process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence. The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities). The process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior. 
@@ -1272,10 +1272,10 @@ - + The type of remediation tracking entry. Can be multi-valued. - + Contacted vendor to determine the status of a pending fix to a known vulnerability. Information related to the current state of response to this risk. A significant step in the response plan has been achieved. @@ -1305,13 +1305,13 @@ - + The risk has been confirmed to be a false positive. The risk has been accepted. No further action will be taken. The risk has been adjusted. A numeric value indicating the sequence in which risks should be addressed. (Lower numbers are higher priority) - + @@ -1401,21 +1401,21 @@ - + Indicates if the facet is 'initial' as first identified, or 'adjusted' indicating that the value has be changed after some adjustments have been made (e.g., to identify residual risk). - + As first identified. Indicates that residual risk remains after some adjustments have been made. - + General likelihood rating. General impact rating. General risk rating. General severity rating. - + Likelihood as defined by FedRAMP. The class can be used to specify 'initial' and 'adjusted' risk states. Impact as defined by FedRAMP. The class can be used to specify 'initial' and 'adjusted' risk states. Risk as calculated according to FedRAMP. The class can be used to specify 'initial' and 'adjusted' risk states. @@ -1683,10 +1683,10 @@ - + - + The risk will be eliminated. The risk will be reduced. The risk will be transferred to another organization or entity. 
@@ -1766,11 +1766,11 @@ - + The assessment method to use. This typically appears on parts with the name "objective". - - + + The process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence. The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities). The process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior. diff --git a/src/metaschema/oscal_assessment-plan_metaschema.xml b/src/metaschema/oscal_assessment-plan_metaschema.xml index 5e2306939a..2c58c68cc4 100644 --- a/src/metaschema/oscal_assessment-plan_metaschema.xml +++ b/src/metaschema/oscal_assessment-plan_metaschema.xml @@ -91,7 +91,7 @@ - + Defines the circumstances, conditions, degree, and manner in which the use of cyber-attack techniques or actions may be applied to the assessment. Any information the assessor should make known to the system owner or authorizing official. Has child 'item' parts for each individual disclosure. Defines any assessment activities which the system owner or authorizing official wishes to ensure are performed as part of the assessment. diff --git a/src/metaschema/oscal_catalog_metaschema.xml b/src/metaschema/oscal_catalog_metaschema.xml index ef63cef286..fc2a4d25a2 100644 --- a/src/metaschema/oscal_catalog_metaschema.xml +++ b/src/metaschema/oscal_catalog_metaschema.xml @@ -54,7 +54,7 @@ The tool used to produce a resolved profile. The document-level uuid of the source profile from which the catalog was produced by profile resolution. - + The profile from which the catalog was produced by profile resolution. The document-level uuid of the profile from which the catalog was produced by profile resolution. 
diff --git a/src/metaschema/oscal_component_metaschema.xml b/src/metaschema/oscal_component_metaschema.xml index c579e43750..b5812a32dc 100644 --- a/src/metaschema/oscal_component_metaschema.xml +++ b/src/metaschema/oscal_component_metaschema.xml @@ -148,7 +148,7 @@ - + @@ -177,7 +177,7 @@ &allowed-values-responsible-roles-component-production; - + &allowed-values-property-name-asset-type-values; @@ -185,22 +185,22 @@ - + The component allows an authenticated scan. The component does not allow an authenticated scan. - + The component is virtualized. The component is not virtualized. - + The component is publicly accessible. The component is not publicly accessible. - + The component is implemented within the system boundary. The component is implemented outside the system boundary. @@ -210,8 +210,8 @@ - - + + @@ -221,7 +221,7 @@ - + &allowed-values-component_component_software; diff --git a/src/metaschema/oscal_control-common_metaschema.xml b/src/metaschema/oscal_control-common_metaschema.xml index 68fcc07a66..f755b4e130 100644 --- a/src/metaschema/oscal_control-common_metaschema.xml +++ b/src/metaschema/oscal_control-common_metaschema.xml @@ -244,7 +244,7 @@ Parameter Cardinality Describes the number of selections that must occur. Without this setting, only one value should be assumed to be permitted. - + Only one value is permitted. One or more values are permitted. diff --git a/src/metaschema/oscal_implementation-common_metaschema.xml b/src/metaschema/oscal_implementation-common_metaschema.xml index c17bdeccdf..f4d5eab2e5 100644 --- a/src/metaschema/oscal_implementation-common_metaschema.xml +++ b/src/metaschema/oscal_implementation-common_metaschema.xml @@ -87,7 +87,7 @@ - + Relative placement of component ('internal' or 'external') to the system. UUID of the related leveraged-authorization assembly in this SSP. 
@@ -120,26 +120,26 @@ &allowed-values-responsible-roles-component-production; - + &allowed-values-property-name-asset-type-values; - + The component allows an authenticated scan. The component does not allow an authenticated scan. - + The component is publicly accessible. The component is not publicly accessible. - + The component is virtualized. The component is not virtualized. - + The component is implemented within the system boundary. The component is implemented outside the system boundary. @@ -148,14 +148,14 @@ - - + + - + The name of the company or organization @@ -172,7 +172,7 @@ - + &allowed-values-component_component_software; @@ -188,7 +188,7 @@ - + Title of the Interconnection Security Agreement (ISA). Date of the Interconnection Security Agreement (ISA). The name of the remote interconnected system. @@ -196,7 +196,7 @@ An Internet Protocol Version 6 interconnection address An Internet Protocol Version 6 interconnection address - + The identified IP address is for this system. The identified IP address is for the remote system to which this system is connected. @@ -210,10 +210,10 @@ Interconnection Security Agreement (ISA) authorizing official for this system. Interconnection Security Agreement (ISA) authorizing official for the remote interconnected system. - - - - + + + + Data from the remote system flows into this system. Data from this system flows to the remote system. 
@@ -377,16 +377,16 @@ - + The type of user, such as internal, external, or general-public. The user's privilege level within the system, such as privileged, non-privileged, no-logical-access. - + A user account for a person or entity that is part of the organization who owns or operates the system. A user account for a person or entity that is not part of the organization who owns or operates the system. A user of the system considered to be outside - + This role has elevated access to the system, such as a group or system administrator. This role has typical user-level access to the system without elevated access. This role has no access to the system, such as a manager who approves access as part of a process. @@ -506,13 +506,13 @@ - + &allowed-values-component_component_property-name; &allowed-values-component_inventory-item_property-name; - + @@ -532,7 +532,7 @@ - + The Internet Protocol v4 Address of the asset. The Internet Protocol v6 Address of the asset. The full-qualified domain name (FQDN) of the asset. @@ -564,16 +564,16 @@ &allowed-values-component_inventory-item_property-name; - + &allowed-values-property-name-asset-type-values; - + The name of the company or organization - + The asset is included in periodic vulnerability scanning. The asset is not included in periodic vulnerability scanning. diff --git a/src/metaschema/oscal_metadata_metaschema.xml b/src/metaschema/oscal_metadata_metaschema.xml index e87a0a841c..3c665a32e6 100644 --- a/src/metaschema/oscal_metadata_metaschema.xml +++ b/src/metaschema/oscal_metadata_metaschema.xml @@ -600,7 +600,7 @@ - + Identifies the type of resource represented. The most specific appropriate type value SHOULD be used. For resources representing a published document, this represents the version number of that document. For resources representing a published document, this represents the publication date of that document. 
@@ -696,13 +696,6 @@ Property Name A textual label, within a namespace, that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object. - - - - - A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value. - - Property Universally Unique Identifier @@ -740,6 +733,11 @@ + + + A label or descriptor that is tied to a sensitivity or classification marking system. An optional class can be used to define the specific marking system used for the associated value. + +

Properties permit the deployment and management of arbitrary controlled values, within OSCAL objects. A property can be included for any purpose useful to an application or implementation. Typically, properties will be used to sort, filter, select, order, and arrange OSCAL content objects, to relate OSCAL objects to one another, or to associate an OSCAL object to class hierarchies, taxonomies, or external authorities. Thus, the lexical composition of properties may be constrained by external processes to ensure consistency.

Property allows for associated remarks that describe why the specific property value was applied to the containing object, or the significance of the value in the context of the containing object.

diff --git a/src/metaschema/oscal_profile_metaschema.xml b/src/metaschema/oscal_profile_metaschema.xml index 5d3ea80e06..f60103e09b 100644 --- a/src/metaschema/oscal_profile_metaschema.xml +++ b/src/metaschema/oscal_profile_metaschema.xml @@ -377,7 +377,7 @@ - + &allowed-values-control-group-property-name; diff --git a/src/metaschema/oscal_ssp_metaschema.xml b/src/metaschema/oscal_ssp_metaschema.xml index a7bb0a1294..d311b2af0a 100644 --- a/src/metaschema/oscal_ssp_metaschema.xml +++ b/src/metaschema/oscal_ssp_metaschema.xml @@ -129,7 +129,7 @@ - + A value of 1, 2, or 3 as defined by SP 800-63-3. A value of 1, 2, or 3 as defined by SP 800-63-3. @@ -145,11 +145,11 @@ As defined by SP 800-63-3. - + The associated value is one of: public-cloud, private-cloud, community-cloud, government-only-cloud, hybrid-cloud, or other. The associated value is one of: saas, paas, iaas, or other. - + The public cloud deployment model as defined by The NIST Definition of Cloud Computing. The private cloud deployment model as defined by The NIST Definition of Cloud Computing. @@ -163,7 +163,7 @@

The hybrid cloud deployment model, as defined by The NIST Definition of Cloud Computing, can be supported by selecting two or more of the existing deployment models.

- + Software as a service (SaaS) cloud service model as defined by The NIST Definition of Cloud Computing. Platform as a service (PaaS) cloud service model as defined by The NIST Definition of Cloud Computing. @@ -269,14 +269,14 @@ - + Is this a privacy sensitive system? yes or no - + The system is privacy sensitive. The system is not privacy sensitive. - + A link to the privacy impact assessment. @@ -439,7 +439,7 @@ - + A reference to the diagram image. @@ -564,7 +564,7 @@ - + A reference to the system security plan for the leveraged authorization. @@ -639,7 +639,8 @@ - + + The component allows an authenticated scan. The component does not allow an authenticated scan. @@ -718,17 +719,17 @@ - + Identifies the source of the implemented control. Any control-origination prop defined in a child context will override the parent value. - + The control is implemented by the organization owning the system, but is not specific to the system itself. The control is implemented specifically to this system. The control is provided by the system, but must be configured by the customer. The control must be implemented by the customer. This control is inherited from an underlying system. - + Indicates all or some portion of this control is inherited from an underlying authorized system. @@ -1048,7 +1049,7 @@ - + A reference to the UUID of a control or statement by-component object that is used as evidence of implementation.
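Review bot: Migration impact is missing from the commit message and from the metadata hunks: closing the OSCAL-namespace prop names (per the subject line) means any existing document that uses an unlisted prop name in that namespace will now fail constraint validation where it previously passed with allow-other. Please state this as a breaking validation change in the commit message or release notes, and consider listing the affected assemblies (component, inventory-item, system-characteristics, user, and the assessment-common facets touched here) so downstream authors can check their content.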
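Review bot: In oscal_metadata_metaschema.xml, the "marking" block is removed at @@ -696,13 +696,6 @@ and re-added verbatim at @@ -740,6 +733,11 @@ (the text "A label or descriptor that is tied to a sensitivity or classification marking system..." appears in both). Please confirm that the new location still targets the OSCAL-namespace prop name, so that "marking" remains an allowed value once the list is closed; if the move also changes which element the constraint is attached to, say so in the commit message, since the reason for relocating it is not visible from the diff.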
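Review bot: The interview/examine/test descriptions in oscal_assessment-common_metaschema.xml at @@ -183,11 +183,11 @@ (parts named "assessment") and @@ -1766,11 +1766,11 @@ (parts named "objective") are word-for-word duplicates that are now being edited in lockstep. The same file set already factors shared value lists into entities (e.g. `&allowed-values-responsible-roles-component-production;`, `&allowed-values-property-name-asset-type-values;`); consider doing the same for the assessment-method values so the two copies cannot drift apart in a later change.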
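Review bot: Typo inside the edited block at @@ -1401,21 +1401,21 @@ in oscal_assessment-common_metaschema.xml: "indicating that the value has be changed after some adjustments" should read "has been changed". Since this hunk already rewrites the surrounding allowed-values, it is a good place to fix the description text as well.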
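Review bot: Documentation defect in the context of @@ -196,7 +196,7 @@ in oscal_implementation-common_metaschema.xml: two adjacent interconnection address descriptions both read "An Internet Protocol Version 6 interconnection address". One of them presumably describes the IPv4 address, following the "The Internet Protocol v4 Address of the asset." / "The Internet Protocol v6 Address of the asset." pair later in the same file; please correct the first description and add the missing terminal period to both.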
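Review bot: Two further description strings in oscal_implementation-common_metaschema.xml are touched by this change and could be fixed while here: at @@ -377,16 +377,16 @@ the user-type description "A user of the system considered to be outside" ends mid-sentence (compare the two complete descriptions preceding it, which end with "who owns or operates the system."), and at @@ -532,7 +532,7 @@ "The full-qualified domain name (FQDN) of the asset." should read "fully-qualified".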
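Review bot: In oscal_ssp_metaschema.xml at @@ -639,7 +639,8 @@ the hunk grows by one line (one line removed, two added) while every other hunk in this patch is a one-for-one attribute replacement. The added line is not described anywhere; please mention in the commit message what the extra constraint or property is, or add an inline comment, so reviewers of the SSP model can tell this apart from the purely mechanical allow-other changes.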