@david-waltermire david-waltermire commented Dec 13, 2025

Summary

  • Update OSCAL submodule to version 1.2.0
  • Use ProfileMatching instead of Matching for profile control selection (disambiguates from other matching assemblies)
  • Add metaschema bindings to map matching assembly to distinct class names
  • Convert URI to String for remove.getByNs() in ProfileResolver

Test Plan

  • All existing tests pass

Summary by CodeRabbit

  • Refactor

    • Replaced generic type with more specific type for control profile matching logic.
    • Enhanced null-safety handling in profile resolution.
    • Added functional interface annotations to enable lambda expressions.
  • Chores

    • Updated parent project version from 9-SNAPSHOT to 9.
    • Updated submodule commit reference.


- Update OSCAL submodule to version 1.2.0
- Use ProfileMatching instead of Matching for profile control selection
- Add metaschema bindings to disambiguate matching assembly class names
- Convert URI to String for remove.getByNs() in ProfileResolver

coderabbitai bot commented Dec 13, 2025

Walkthrough

The PR updates type references from Matching to ProfileMatching across profile selection logic, adds @FunctionalInterface annotations to filter interfaces, adjusts nullability annotations on filter methods, improves null-safe handling in ProfileResolver, and updates metaschema binding configurations to define the new ProfileMatching type.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Type refactoring from Matching to ProfileMatching: AbstractProfileSelectControlById.java, IProfileSelectControlById.java, DefaultControlSelectionFilter.java, DefaultControlSelectionFilterTest.java | Updated imports and type references from Matching to ProfileMatching in profile control selection logic. Updated method signatures and mock field declarations accordingly. |
| Metaschema binding configuration: src/main/metaschema-bindings/oscal-metaschema-bindings.xml | Added two new define-assembly-binding entries for "matching": one mapping to MappedControlMatching for mapping-common metaschema, and one mapping to ProfileMatching for profile metaschema. |
| Functional interface annotations: IReferencePolicy.java, IControlSelectionFilter.java | Added @FunctionalInterface annotation to policy and selection filter interfaces to enable lambda expression support. |
| Nullability annotation adjustments: IControlFilter.java, IControlSelectionFilter.java, IIdentifierMapper.java | Removed or relocated @NonNull annotations on return types in anonymous filter implementations and method declarations; relocated @NonNull from return-type position to method-level annotations. |
| Null-safety improvement: ProfileResolver.java | Added null-safe handling for remove target namespace by computing removeNS from remove.getByNs() before passing to RemoveVisitor.remove(). |
| Build configuration update: pom.xml | Updated parent POM version from 9-SNAPSHOT to 9. |
| Submodule update: oscal | Updated submodule commit hash from 909b75583dc77f847097730e5259fc0e3ea05383 to 8064bf7f09648505c57c5ca54a1ac409c98f92a0. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Areas requiring attention:

  • Verify that all type references from Matching to ProfileMatching have been consistently updated across the codebase, particularly in the selection filter chain
  • Confirm that the null-safety improvement in ProfileResolver.java correctly handles all edge cases where remove.getByNs() may return null
  • Review the metaschema binding configuration to ensure the new ProfileMatching binding is correctly mapped within both metaschemas
  • Validate that removal of @NonNull annotations on filter return types does not introduce unintended nullability risks in client code

Suggested reviewers

  • aj-stein

Poem

🐰 A rabbit hops through matching types so fine,
ProfileMatching now shines in place of Matching's line,
With @FunctionalInterface to lambda we aspire,
Null-safe and eager, the refactoring climbs higher!

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 5.88% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'fix: update for OSCAL 1.2.0 model compatibility' clearly summarizes the main objective of the changeset: updating the library for compatibility with OSCAL 1.2.0, which is reflected across all the changes including submodule updates, type replacements (Matching to ProfileMatching), metaschema bindings, and ProfileResolver modifications. |
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f27f543 and 5e5e36b.

📒 Files selected for processing (8)
  • oscal (1 hunks)
  • src/main/java/gov/nist/secauto/oscal/lib/model/control/profile/AbstractProfileSelectControlById.java (2 hunks)
  • src/main/java/gov/nist/secauto/oscal/lib/model/control/profile/IProfileSelectControlById.java (2 hunks)
  • src/main/java/gov/nist/secauto/oscal/lib/profile/resolver/ProfileResolver.java (1 hunks)
  • src/main/java/gov/nist/secauto/oscal/lib/profile/resolver/alter/RemoveVisitor.java (1 hunks)
  • src/main/java/gov/nist/secauto/oscal/lib/profile/resolver/selection/DefaultControlSelectionFilter.java (3 hunks)
  • src/main/metaschema-bindings/oscal-metaschema-bindings.xml (2 hunks)
  • src/test/java/gov/nist/secauto/oscal/lib/profile/resolver/selection/DefaultControlSelectionFilterTest.java (2 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Website
  • GitHub Check: Code
🔇 Additional comments (6)
oscal (1)

1-1: CI correctly fetches submodules, but verify the OSCAL commit hash.
The GitHub Actions workflows in .github/workflows/build.yml and release.yml both use submodules: recursive in their checkout steps, so CI will correctly initialize submodules. However, please confirm that commit 8064bf7f09648505c57c5ca54a1ac409c98f92a0 corresponds to OSCAL 1.2.0—web searches on the OSCAL release pages did not return a match for this commit hash, so it may be an unlabeled or development commit rather than a release tag.

src/test/java/gov/nist/secauto/oscal/lib/profile/resolver/selection/DefaultControlSelectionFilterTest.java (1)

11-13: Test migration to ProfileMatching is consistent and low-risk.

Also applies to: 38-44

src/main/java/gov/nist/secauto/oscal/lib/model/control/profile/AbstractProfileSelectControlById.java (1)

8-10: Builder now emits ProfileMatching as intended for OSCAL 1.2.0 compatibility.

Also applies to: 61-67

src/main/java/gov/nist/secauto/oscal/lib/profile/resolver/selection/DefaultControlSelectionFilter.java (1)

8-10: Selection logic updated cleanly to ProfileMatching with no functional drift.

Also applies to: 92-95, 150-158

src/main/metaschema-bindings/oscal-metaschema-bindings.xml (1)

34-45: These class name bindings are correct. MappedControlMatching and ProfileMatching are assembly names defined in external metaschema files (oscal_mapping-common_metaschema.xml and profile metaschema) that will be generated as Java classes during the metaschema code generation phase. The unqualified class names with <use-package-name>gov.nist.secauto.oscal.lib.model</use-package-name> follow the standard metaschema binding pattern and will correctly generate the classes in the specified package. No changes needed.

src/main/java/gov/nist/secauto/oscal/lib/model/control/profile/IProfileSelectControlById.java (1)

8-19: No action needed. All usages of IProfileSelectControlById.getMatching() in the codebase already expect the List<ProfileMatching> return type, including test mocks and the DefaultControlSelectionFilter consumer. There are no unupdated implementers or callers.

Addresses PR review feedback to remove the unused import that was
accidentally added during OSCAL 1.2.0 compatibility changes.
- Fix ModifierOrder violations by placing @nonnull annotations on
  separate lines before modifiers in IControlFilter, IControlSelectionFilter,
  and IIdentifierMapper
- Add @FunctionalInterface annotations to IReferencePolicy and
  IControlSelectionFilter to address ImplicitFunctionalInterface warnings
- Update parent POM version from 9-SNAPSHOT to 9
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (2)
src/main/java/gov/nist/secauto/oscal/lib/profile/resolver/selection/IControlSelectionFilter.java (1)

20-46: Harden matchIds/apply null-contracts (or document them).
Today matchIds(null) will NPE at Arrays.stream(identifiers), and apply(null) will NPE at control.getId(). If nulls are invalid inputs, consider making that explicit by annotating parameters as @NonNull (including apply(@NonNull IControl control)), or defensively handling nulls in the factory.

 public interface IControlSelectionFilter extends Function<IControl, Pair<Boolean, Boolean>> {
@@
-  static IControlSelectionFilter matchIds(@NonNull String... identifiers) {
+  static IControlSelectionFilter matchIds(@NonNull String... identifiers) {
     return new IControlSelectionFilter() {
       private final Set<String> keys = Arrays.stream(identifiers).collect(Collectors.toUnmodifiableSet());
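Review bot: The removed and added matchIds signature lines in this hunk are identical, so the suggestion changes nothing here even though the comment says matchIds(null) fails at Arrays.stream(identifiers). Whether @NonNull on a String... parameter covers the array or its elements depends on whether the annotation is a declaration or a type-use annotation, so the signature leaves it unclear which null case is being ruled out; Collectors.toUnmodifiableSet() also throws NullPointerException on a null element. If null identifiers are invalid, an explicit Objects.requireNonNull on the array and on each element in the factory would make the failure point and message deliberate.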
@@
-      public Pair<Boolean, Boolean> apply(IControl control) {
+      public Pair<Boolean, Boolean> apply(@NonNull IControl control) {
         return ObjectUtils.notNull(Pair.of(keys.contains(control.getId()), false));
       }
     };
   }
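Review bot: The @NonNull added to the apply(...) parameter is a static-analysis contract only; control.getId() in the body still dereferences the argument with no runtime check, and keys.contains(...) on a set built by Collectors.toUnmodifiableSet() throws NullPointerException if getId() returns null. If code outside the analysed code base can reach this filter, add Objects.requireNonNull(control, "control") and decide explicitly how a null id is handled.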
@@
-  Pair<Boolean, Boolean> apply(IControl control);
+  Pair<Boolean, Boolean> apply(@NonNull IControl control);
 }
src/main/java/gov/nist/secauto/oscal/lib/profile/resolver/selection/IControlFilter.java (1)

22-62: Good: explicit @NonNull return contracts on the anonymous implementations.
Small consistency nit: consider also adding @NonNull to IControlFilter.Filter.match(...)’s return to match the interface contract and avoid tool noise.

@@
-    public Pair<Boolean, Boolean> match(@NonNull IControl control, boolean defaultMatch) {
+    @Override
+    @NonNull
+    public Pair<Boolean, Boolean> match(@NonNull IControl control, boolean defaultMatch) {
       @NonNull
       Pair<Boolean, Boolean> result = getInclusionFilter().apply(control);
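Review bot: The added lines introduce @Override along with @NonNull on match(...), but the accompanying comment only mentions @NonNull; confirm that match is declared on the interface, otherwise @Override will not compile. The local annotated @NonNull is assigned from getInclusionFilter().apply(control), and the apply declaration in the IControlSelectionFilter suggestion above carries no non-null return annotation, so the method-level @NonNull here rests on a contract the interface does not state.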
@@
       return result;
     }
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5e5e36b and b04c633.

📒 Files selected for processing (5)
  • pom.xml (1 hunks)
  • src/main/java/gov/nist/secauto/oscal/lib/profile/resolver/policy/IReferencePolicy.java (1 hunks)
  • src/main/java/gov/nist/secauto/oscal/lib/profile/resolver/selection/IControlFilter.java (2 hunks)
  • src/main/java/gov/nist/secauto/oscal/lib/profile/resolver/selection/IControlSelectionFilter.java (2 hunks)
  • src/main/java/gov/nist/secauto/oscal/lib/profile/resolver/support/IIdentifierMapper.java (1 hunks)
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-12-13T15:28:58.145Z
Learnt from: david-waltermire
Repo: metaschema-framework/liboscal-java PR: 222
File: .github/workflows/build.yml:30-32
Timestamp: 2025-12-13T15:28:58.145Z
Learning: In the liboscal-java repository, nightly builds are managed independently using GitHub Actions schedule triggers (cron), not via repository_dispatch from metaschema-java. Each repo in the metaschema-framework manages its own nightly builds.

Applied to files:

  • pom.xml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Code
  • GitHub Check: Website
🔇 Additional comments (2)
src/main/java/gov/nist/secauto/oscal/lib/profile/resolver/support/IIdentifierMapper.java (1)

34-38: Annotation move is fine; keep return-contract style consistent across overrides.
This aligns the anonymous override with the “method-level @NonNull” style used elsewhere in this PR; just make sure the team sticks to one approach (method vs return-type type-use) for SpotBugs consistency.

src/main/java/gov/nist/secauto/oscal/lib/profile/resolver/policy/IReferencePolicy.java (1)

13-14: @FunctionalInterface is appropriate here.
Guards the contract (single abstract method) and matches the PR’s functional-style direction.
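
The null-contract concern raised for IControlSelectionFilter in the review above, as an added example (not code from the PR or from liboscal-java): a simplified filter in which runtime checks back up what a @NonNull annotation only declares. Control, SelectionFilter, attempt, the Boolean return type and the sample ids are hypothetical stand-ins, and treating a null id as "not selected" is an assumption.

```java
import java.util.Arrays;
import java.util.Objects;
import java.util.Set;
import java.util.function.Function;
import java.util.stream.Collectors;

public class NullContractDemo {
  // Hypothetical stand-in for the library's IControl; only getId() is modelled.
  interface Control { String getId(); }

  // Hypothetical simplified filter: returns Boolean instead of the Pair used in the PR.
  @FunctionalInterface
  interface SelectionFilter extends Function<Control, Boolean> {
    static SelectionFilter matchIds(String... identifiers) {
      // Fail fast with a named message instead of an anonymous NPE inside the stream.
      Objects.requireNonNull(identifiers, "identifiers");
      Set<String> keys = Arrays.stream(identifiers)
          .map(id -> Objects.requireNonNull(id, "identifier element"))
          .collect(Collectors.toUnmodifiableSet());
      return control -> {
        Objects.requireNonNull(control, "control");
        String id = control.getId();
        // The JDK's unmodifiable sets throw on contains(null), so a control
        // without an id is reported as not selected (assumed policy).
        return id != null && keys.contains(id);
      };
    }
  }

  // Runs an action and reports whether a null check rejected it.
  static String attempt(Runnable action) {
    try {
      action.run();
      return "accepted";
    } catch (NullPointerException e) {
      return "rejected: " + e.getMessage();
    }
  }

  public static void main(String[] args) {
    SelectionFilter filter = SelectionFilter.matchIds("ac-1", "ac-2"); // constructed ids
    System.out.println(filter.apply(() -> "ac-1"));   // id in the set
    System.out.println(filter.apply(() -> "si-4"));   // id not in the set
    System.out.println(filter.apply(() -> null));     // control without an id
    System.out.println(attempt(() -> SelectionFilter.matchIds("ac-1", null)));
    System.out.println(attempt(() -> SelectionFilter.matchIds((String[]) null)));
    System.out.println(attempt(() -> filter.apply(null)));
  }
}
```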

@david-waltermire david-waltermire merged commit dec578f into metaschema-framework:develop Dec 14, 2025
3 checks passed
@david-waltermire david-waltermire deleted the fix/oscal-model-compatibility branch December 14, 2025 16:09
david-waltermire added a commit that referenced this pull request Dec 14, 2025
* fix: update for OSCAL 1.2.0 model compatibility

- Update OSCAL submodule to version 1.2.0
- Use ProfileMatching instead of Matching for profile control selection
- Add metaschema bindings to disambiguate matching assembly class names
- Convert URI to String for remove.getByNs() in ProfileResolver

* fix: remove unused java.net.URI import

Addresses PR review feedback to remove the unused import that was
accidentally added during OSCAL 1.2.0 compatibility changes.

* fix: resolve PMD priority 1 and 2 violations

- Fix ModifierOrder violations by placing @nonnull annotations on
  separate lines before modifiers in IControlFilter, IControlSelectionFilter,
  and IIdentifierMapper
- Add @FunctionalInterface annotations to IReferencePolicy and
  IControlSelectionFilter to address ImplicitFunctionalInterface warnings
- Update parent POM version from 9-SNAPSHOT to 9