Add the with-parent-controls for #1662.

[aj-stein-nist]

Committer Notes

Add with-parent-controls to the OSCAL Profile metaschema to match current specification requirements for #1662.

All Submissions:

• Have you selected the correct base branch per Contributing guidance?
• Have you set "Allow edits and access to secrets by maintainers
  "?
• Have you checked to ensure there aren't other open Pull Requests for the same update/change?
• Have you squashed any non-relevant commits and commit messages? [instructions]
• Do all automated CI/CD checks pass?

By submitting a pull request, you are agreeing to provide this contribution under the CC0 1.0 Universal public domain dedication.

Changes to Core Features:

• Have you added an explanation of what your changes do and why you'd like us to include them?
• Have you written new tests for your core changes, as applicable?
• Have you included examples of how to use your new feature(s)?
• Have you updated all OSCAL website and readme documentation affected by the changes you made? Changes to the OSCAL website can be made in the docs/content directory of your branch.

[GaryGapinski]

While this isn't the only location, I'll point out that 'true' cast as xs:boolean returns true but 'yes' cast as xs:boolean returns a failure — 'yes' castable as xs:boolean returns false. 'no' castable as xs:boolean returns false.

"yes" and "no" found here and elsewhere were unfortunate choices when XML+XPath should have been considered.

However, the "yes" and "no" values are in accord with the OSCAL Profile Resolution Specification Draft and symmetric with with-child-controls.

[aj-stein-nist]

While this isn't the only location, I'll point out that 'true' cast as xs:boolean returns true but 'yes' cast as xs:boolean returns a failure — 'yes' castable as xs:boolean returns false. 'no' castable as xs:boolean returns false.

"yes" and "no" found here and elsewhere were unfortunate choices when XML+XPath should have been considered.

OK, that's a good point that is very much worth calling out. I know "truthiness" and "falsiness" vary a lot in other data formats and programming languages too.

I would like to think about that outside this issue and PR, that requires a more significant analysis and conclusion.

[GaryGapinski]

I would like to think about that outside this issue and PR, that requires a more significant analysis and conclusion.

Elsewhere is correct. The concept is essentially "Is it boolean or enumerated", as well as "The attribute values seem to (in English) relate to the element name rather than the attribute".

[aj-stein-nist]

Nikita and I have some spec work to do, but we made the necessary prelim changes to the model in the profile metaschemas based on what Wendell proposed.

@wendellpiez we do have some questions about how the spec and the inline metaschema docs document singular or plural and how it reflects the tree. Perhaps we discuss tomorrow?

[aj-stein-nist]

@wendellpiez I think I am comfortable with you reviewing this now. I tried to simplify and go with a "less is more approach" to specification edits. Also, @GaryGapinski, let me know if you have any questions, comments, or concerns when you review.

[GaryGapinski]

While preparing to review this PR and looking at oscal_profile_metaschema.xml I noticed no XML Schema association for the document. Was a bit surprised as that seemed to be a deficit of rigor. Then looked in https://github.com/usnistgov/OSCAL/tree/main/build and found a reference to metaschema @ 973790d, followed that and found (circuitously) toolchains/xslt-M4/validate/metaschema.xsd and used that to validate oscal_profile_metaschema.xml and got a few failed validations.

Realized I should have looked relative to my local clone at the 1662… branch, looked in buiid and found no metaschema reference. Looked in https://github.com/usnistgov/OSCAL/tree/1662-oscal_complete_schemaxsd-v104-lacks-with-parent-controls-attribute-of-include-controls-element/build and found metaschema @ d3d5394 which is accompanied by the somewhat unsettling warning "This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository." An attempt to force a local clone of https://github.com/usnistgov/metaschema to that commit came to no avail.

Switching to the develop branch of https://github.com/usnistgov/metaschema reveals a schema directory with metaschema.xsd.

When that metaschema.xsd is used to validate oscal_profile_metaschema.xml the validation succeeds. The presumptive success is tarnished a bit by the local clone's 1662… branch lack of a reliable pointer to metaschema and also lacks a local build/metaschema/schema.

All that was to satisfy a desire to look at the metaschema to find out why the old <assembly ref="select-control-by-id" min-occurs="1" max-occurs="unbounded"> min-occurs replaced by the new <define-assembly name="include-controls"> had a min-occurs="1".

A look at xml/schema/oscal_profile_schema.xsd in the local clone's 1662… branch as well as the same branch in the repository shows no change, so I must not be aware of the method by which the metaschema change can be verified.

[aj-stein-nist]

@GaryGapinski, nice call outs. I thought our pipeline checks that stuff, but oh well, I guess not! 🤦 I will work on the XSD failures, that was careless of me. OK I had to reread this before some coffee. You can reply here or message in Gitter, is the problem the submodule pointer and showing the derived XML Schema and JSON Schemas to verify.

There is a gap between develop and main that would need pulling up for a release. This PR is pointed at for develop for now, but it seems you figured out that detail based on summary. Is there still some confusion or something I missed besides the <assembly ref="select-control-by-id" max-occurs="unbounded"> versus <assembly ref="select-control-by-id" min-occurs="1" max-occurs="unbounded"> feedback? That's good I need to look into that this morning.

[GaryGapinski]

Is there still some confusion or something I missed besides the <assembly ref="select-control-by-id" max-occurs="unbounded"> versus <assembly ref="select-control-by-id" min-occurs="1" max-occurs="unbounded"> feedback?

No: nothing need be done. I just wanted to check the absence of min-occurs found in the previous version by using the metaschema XML Schema. The diff is difficult to review because the metaschema changed the related constructs.

[wendellpiez]

Happy to help work this further or contribute to due diligence thanks!

[wendellpiez]

BTW, if lack of an explicit schema binding is really considered a problem, please consider using the PI-based mechanism described at https://www.w3.org/TR/xml-model/ instead of a more cumbersome and confusing method?

[aj-stein-nist]

OK, @wendellpiez, I integrated changes given your feedback and clarification in today's pairing session, removing only redundancies in regards to the bullets below with-parent-controls that call out the same info, and shortened some portions of your edits. Let me know when you have a chance if this good enough.

[wendellpiez]

Caught a couple of small things please look