JSON schema

[anweiss]

We should include a JSON schema as well.

Tracking WIP in #6

[anweiss]

Adding further commentary to this topic. Looking through the current mechanisms for building both the schema and translating existing standards/publications to OSCAL, IMO it seems a bit convoluted and not the most well-suited to supporting JSON schema. It would be great if we could come up with generic approaches for both generating XSD and JSON schema and also for mapping/executing OSCAL translations. Understanding that automated conversion is not straightforward and each case will have to be done ad-hoc, if we can at least document a high-level process for standards bodies and catalog maintainers to follow, that would be incredibly helpful.

From an implementation perspective, given there is really no direct equivalent to XProc and XSLT in the JSON world, it would also be helpful to develop similar tools/mechanisms that can be used to create the necessary declarations from existing standards for use with JSON schema in the same manner.

[anweiss]

Some additional resources:

• From XML Schema to JSON Schema - Comparison and Translation with Constraint Handling Rules
• Jolt - JSON to JSON transformation library
• Do not Emulate XML Namespaces in JSON - Mailing list thread

[wendellpiez]

Bridging between XML and JSON is not a trivial problem although it isn't impossible either, at least as long as we don't expect the same affordances on both sides. In fact I imagine that since "catalog semantics" are often not exposed directly in OSCAL (which offers a basis without constraining much), the naively-corresponding JSON might be especially bad.

But perhaps conversions may be only one way, for example -- even a one-way "reduction" could often be useful, if it makes OSCAL-tagged data available to JSON. So rather than trying to port over constraint sets (which are designed for very different data models) maybe our focus should be on producing JSON 'dumps' of OSCAL data using off-the-shelf tooling such as XPath 3.1 JSON serialization, etc. Even if the JSON so produced is ugly, it would be a place to start and a basis for more refined mappings.

I should think that JSON capable of supporting editing OSCAL, for example, would be very different from JSON for simply querying the data and getting values back. (Round-tripping inline markup etc.) But does there have to be one Rule Them All schema for OSCAL data represented in JSON? (Maybe we need not one JSON schema, but several, describing different forms of JSON. Not being a JSON developer. Cool problem though.)

[anweiss]

Great points @wendellpiez! ... I agree with not taking the approach of porting over constraint sets, but instead getting JSON outputs of existing OSCAL data. I'm personally not as well-versed in XPath as I am with JSON Pointer, but am going to start playing with some extractions.

Having multiple JSON schemas representing various OSCAL uses (e.g. editing vs. querying) would certainly be interesting.

[wendellpiez]

@anweiss that is cool. To pull into JSON using XPath, one could do worse than start with the newest specs at https://www.w3.org/TR/xpath-functions-31/#json (for example, as implemented in Saxon). I also think we will have more joy sooner with the profile format than with the catalog format - they are related, but distinct, and profiles will typically not have gobs of relatively unstructured text (at least as far as I've seen). When it comes to catalogs, there are probably going to have to be conventions such as where to flatten / rewrite as markdown, etc. etc. to make a representation one would want to live with.

When it comes to it, if/as catalogs are very stable (once published they are not likely to change much) it may be useful to define regular mappings not only to JSON 'filtered views' but also a fairly plain-and-simple HTML. Then those things could simply be resources accompanying the catalogs.

[anweiss]

Are we locked in to the semantics of XSLT for defining the translations? Would it be appropriate to also incorporate alternative conversion mechanisms via a more traditional programming language (e.g. JavaScript, C#, Golang, etc)? Or are we reserving such tools as the responsibility of OSCAL consumers to build and maintain?

[wendellpiez]

As a developer I'm using XSLT 'cause that's what I know :-) but I should think/hope/imagine that all the transformations should be implementation-independent wrt their definition. If the functional specs are locked into XSLT for now, that is a problem to be fixed -- everything should be documented and exposed so there are no mysteries. Given an explicit spec, any of the tools should be (re) implementable in another language/form i.e. the spec describes a process, mapping or functional relation, not an algorithm or approach.

The reality is however that as of now there is much thinking and many assumptions that are locked into the code at the moment awaiting documentation. Accordingly any help asking questions or documenting answers is appreciated. The code is XSLT so far but the specs do not have to be. (My $0.02 this question is actually way above my pay grade.)

FWIW most of the internals of OSCAL mirror HTML very closely and class is used ubiquitously, partly with an eye to CSS selectors --

[anweiss]

Solid points! I've personally been playing with a couple of parsers (using both Node.js and Go) and methodologies in order to try and identify where the the specific transformation gaps lie.

[wendellpiez]

@anweiss that is awesome. Warning: models are still not completely stable yet (though that doesn't have to be an impediment if you know about it).

[anweiss]

Some updates. So since the source of truth for the schemas as they exist today seems to be the Relax NG Compact files, I've found that it makes more sense to use those .rnc schemas as the source of truth for the JSON schema translations as well. Conducting manual conversions from the Relax NG Compact schemas to JSON schema is far more effective than taking the various OSCAL implementations in XML and trying to reverse-engineer JSON schemas. The JSON schema is much more well-formed and closely aligned with the original constraints defined by Relax NG Compact.

I think this also encourages one to keep the RNC schemas simplistic and concise so as not to warrant the development and/or use of additional tooling simply to spit out JSON schema; in the near-term at least. This also keeps the diffs down to a minimum over time and makes it easier to maintain the JSON schemas by hand.

[anweiss]

Another thing that could be interesting is to define the OSCAL schema in a higher level, abstracted DSL, from which both RNC, JSON schema, etc could be written. Kind of like putting OSCAL in the form of a "behavior driven development"-like style (e.g. Cucumber, Jasmine, etc) where the DSL (written in plain English) defines OSCAL's requirements and RNC, JSON schema, etc represent the implementations.

[wendellpiez]

I am looking at https://dvcs.w3.org/hg/microxml/raw-file/tip/spec/microxml.html. It would be interesting to throw OSCAL data at a MicroXML parser and see if it complains.)

Also we might try a couple of easy tools such as Saxon's implementation of XPath xml-to-json(). I am in no position to evaluate the results but it's a low-cost exercise. Even contemplating the delta between such machine output, and an "optimal mockup" or two, could be interesting.

Also we might keep in mind that different applications or flavors (control and catalog types) of OSCAL may suggest different JSON serializations.

What is not clear to me is what application requirements are served by the JSON schema (either analogous or in contrast to what they do in/for XML). A schema that is optimal for one use may not be for another. (And the same thing is true of the data formats they respectively describe/constrain.)

Meanwhile (or eventually), the DSL you are describing could be defined as a use case of OSCAL with constraint languages embedded.

[anweiss]

Nice! Will take a peek at MicroXML. I have actually started playing with Saxon-JS, but came across a bug with it's implementation of fn:parse-xml -> https://saxonica.plan.io/boards/5/topics/6978?r=6985#message-6985. Haven't touched any of the other SDKs yet but was planning on it.

Per an earlier comment, I've also already got a couple of simple XML-to-JSON serialization/deserialization code samples put together. In this case, the marshaling/unmarshaling has been customized to fit the JSON schema. At the end of the day, the conversion is still one-way. Will publish the samples and generated artifacts to the PR.

Where I'm coming from as far as JSON schema applicability and as a complement to the XML schema is in terms of software and tooling that consumes JSON. For example, JavaScript is a top 10 language (per TIOBE), and since JSON is just a subset of JavaScript, it's easy to consume and well-suited for that development community. The move towards REST has also seen JSON as a more common communication medium; although both XML and JSON can of course be used in that regard. JSON is also a bit more lightweight and ideal-suited for IoT/embedded devices which could possibly consume OSCAL in some capacity in the future.

To your point, each is used in a manner that is optimal for its intended targets. Some sort of high-level DSL that describes constraints could definitely be appealing. Although I'd have to defer to folks more well-versed in that space as it is not one of my areas of expertise lol

[wendellpiez]

I would not be surprised if SaxonJS does not yet support the parse-xml() function as it would ordinarily not be required in its architecture. (In XSLT you would only need this function if your data were not already parsed by the calling application, which it generally is. Interestingly, until XPath 3.0 there was no standard way to parse XML from inside XSLT.)

As for JSON, what interests me is not the case for JSON (which is clear enough) as an interface to OSCAL data (both catalog and profile), but for how/why we want a JSON schema as such. For example, it seems to me that a schema that is useful as a gateway application to validate data across organizational boundary lines, is not necessarily the same as a schema that is used to configure tooling, etc. One might put the question another way: in use, when or why is a schema referenced and by whom, to what purpose and effect -- and is the binding to the data consequently a loose one (no formal schema validation or only at checkpoints) or tight (no application at all without the schema). In XML, it can be either/both - though for OSCAL it does appear that loose bindings should suffice. I don't wish to make too much of these questions however.

BTW it may be a myth that JSON is more lightweight in general ... it seems it can be more lightweight for some applications and the question is more whether/which applications of OSCAL (with its requirements for representing "documentary data") fall into that category. (See http://www.balisage.net/Proceedings/vol10/html/Lee01/BalisageVol10-Lee01.html for an actual study not just reporting what's "obvious".) I am not arguing that a lightweight OSCAL that happened to be in JSON does not have a use case; it definitely does. Just that modeling the optimal JSON for those purposes as well as aligning it with XML OSCAL, may entail questions that go beyond the schema alone - I bet you agree. 😈

[anweiss]

Couldn't agree more! What might help is to simply highlight a list of use cases for the OSCAL JSON schema and include those in the initial documentation. Especially in the early phases, we can at least get something out the door and let the community decide how best to implement/incorporate JSON schema and contribute to the relevant feedback loops

[wendellpiez]

Totally makes sense.

Yeah, was going to add, other use cases for schemas (esp under "loose binding" scenarios) include serving as specification of interfaces for us developers. In the extreme case the only reason to actually run validation is to test the schema against data known to be correct. The main reason to have it is not to run validation processes, but to (be able to) refer to it. Once tools are properly designed and configured, validation becomes only a formality.

To the extent that's the case, we might be able to get away with a period of playing-around-with-JSON before developing any actual validation model (architecturally) and/or runtime constraint model (in an implementation). In other words, experiment more with mappings into JSON than the modeling question head-on, then think about JSON schemas more bottom up. (I bet in doing this the actual mapping issues would emerge quickly.)

On the other hand, if a JSON schema is needed for more than documentation (i.e. explaining what the heck is going on) this approach might not work.

+1 to listing use cases

I bet there are also user stories for "exposing OSCAL data in JSON" not just for a JSON schema.

[anweiss]

@wendellpiez I've started pushing some sample JSON generated from OSCAL-formatted XML. I built a little utility that does the conversions that we could include in the upstream once we start to come to a consensus on the JSON schemas.

• fedramp-simple-profile.json
  • one-way conversion from fedramp-simple-profile.xml based on oscal-profile.json JSON schema

[wendellpiez]

Awesome! But I am getting a 404, is there a problem on my side? (Hrm do I have to be added to the repo to see that?)

But anyway that sounds perfect. The utility can be a place to "anchor" the XML-JSON mapping as requirements become clearer.

Of course, if turnabout is fair play you will also write up what the utility does so we can (also) reimplement it in XSLT. :-)

[anweiss]

Whoops ... fixed the link. Give it a go now.

And indeed, will get it documented!

[anweiss]

Added a couple of additional JSON samples to the PR:

• SP800-53-declarations.json
• SP800-53-OSCAL-refined.json
• fedramp-annotated-wrt-SP800-53catalog.json
• fedramp-refined-profile.json

[anweiss]

@wendellpiez see #60

[anweiss]

@wendellpiez something I think we should revisit is that of a "lightweight", JSON-only variant of the catalog schema. As it is, the equivalent OSCAL-formatted JSON for the SP800-53-rev-4-catalog.xml is nearly 138k lines (which includes properly-formatted line breaks) and is 6.1MB in size. IMO, that is way too big for many use cases. I think it would be great if we could come up with a list of elements that we could strip from the full schema and in turn, create an alternative "lightweight" rendition that significantly reduces the size of OSCAL-formatted JSON. This allows us to retain the core model, but gives folks the ability to more easily build OSCAL-formatted JSON artifacts. Furthermore, communities like OpenControl can create and maintain YAML equivalents based on the "lightweight" JSON model.

[wendellpiez]

@anweiss Totally agree. We might also want some help from a subject expert to come up with the list of elements at least for a plausible use case or two. (Unless this is a no-brainer of course: you tell me!)

But the solution might not be in the schema. I am taking you to mean "define ways of exposing catalog data in well-described slices or subsets", not just reducing granularity of data description (i.e. still exposing the entire data set but reducing "tag overhead" at the cost of machine readability) -- which is one thing that might be meant by "remove elements from the schema". In other words, we are talking about permitting catalogs or their representations to be optimized for low data footprint not just by selecting controls, but by 'semantic' filtering of the contents of controls and subcontrols, to pull only what we know we want. (This is what, in other domains, we might call a "profiling" mechanism. Heh.) FWIW, this is a capability that both the publishers/producers of catalogs, and their consumers, will be wanting.

[anweiss]

You are correct. Not looking to remove elements from the original scheme. Just looking to select only a core set of elements that would be sufficient for a “lightweight” variant

[david-waltermire]

We need to sort out what parity means between the XML and JSON versions of OSCAL. In my mind, we need a way to represent everything that can be represented in XML in JSON. Granted, not everything will be represented in XML and JSON schema, but the content models should be equivalent. On a related note, we also need to figure out a content integrity (signing) approach for both XML and JSON. We can use signing capabilities in XMLDSIG and JOSE for this purpose.

[wendellpiez]

Agree 100% . To me, parity implies * we can port our data losslessly both ways * XML schemas and validation strategies are adequate to processing requirements on the XML side * Same on the JSON side * The two constraint sets* are consistent and kept in sync. This does not mean they are informationally equivalent - they may not constrain the same things all the time. But they do not contradict one another. * I say "constraint set" because not all relevant constraints are enforced or enforceable with any single schema technology. Parity to me does not imply that the two stacks each be expected to do everything done on the other. I think the user communities also have different needs and requirements for the data and there needs to be synergy. It's in view of this last point that I'd like to see what "bottom up" schema-design tooling exists on the JSON side such as JSON schema inferencers etc. Having a target model on the JSON side (even just provisionally and made by hand) would give us a way to start mapping the constraints across -- along with tasks to be performed by a PoC schema-generation from an OSCAL Constraint Specification meta-schema.

…

On Fri, Mar 30, 2018 at 1:47 PM, David Waltermire ***@***.***> wrote: We need to sort out what parity means between the XML and JSON versions of OSCAL. In my mind, we need a way to represent everything that can be represented in XML in JSON. Granted, not everything will be represented in XML and JSON schema, but the content models should be equivalent. On a related note, we also need to figure out a content integrity (signing) approach for both XML and JSON. We can use signing capabilities in XMLDSIG and JOSE for this purpose. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#10 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABg8BFv6dSrCPNVn251OeIn9nCRgFJ-wks5tjm-7gaJpZM4Ow1yu> .

-- Wendell Piez | http://www.wendellpiez.com XML | XSLT | electronic publishing Eat Your Vegetables _____oo_________o_o___ooooo____ooooooo_^

[anweiss]

To your last statement about schema design tooling, this is actually relatively sparse. In fact, there isn't much JSON schema design guidance out there altogether. Other than syntactical guidance (e.g. Google's JSON style guide), JSON schema modeling and design guidance is hard to come by and dependent on repetition and day-to-day usage in different scenarios. NSA's Information Assurance Directorate published some recommendations on JSON and JSON schema usage last year -> https://www.iad.gov/iad/library/supporting-documents/security-guidance-use-json-andjson-schemas.cfm#aboutMenu ... which contains some valuable tidbits but is more aligned with developing very explicit constraints on your JSON.

[anweiss]

@david-waltermire-nist we can probably close this issue