From 465a1d0cf2578eaa575aff32b847bb5ac5b8f828 Mon Sep 17 00:00:00 2001 From: David Waltermire Date: Thu, 29 Jun 2023 11:13:48 -0400 Subject: [PATCH] Remove with-parent-controls developmental feature (#1819) * Revert changes from usnistgov/OSCAL#1717 that address a documented feature in the profile resolution spec that didn't exist in the model. Instead of updating the model, this PR removes the "with-parent-controls" feature from the profile resolution spec. This developmental feature should be removed for the following reasons. - This feature is not implemented in any of the current XSLT or Java implementations. - This feature is not being requested from a significant segment of the user community. The related issue usnistgov/OSCAL#1662 has support from 1 community member outside the NIST team. - This feature is extremely difficult to implement along with with-child-controls, which works on the opposite axis. - IMHO, profile resolution doesn't need to be made more complicated than it already is. * PR review, delete dangling with-parent-controls flag. --------- Co-authored-by: A.J. Stein --- src/metaschema/oscal_profile_metaschema.xml | 31 +++---------------- .../profile-resolution-specml.xml | 19 +----------- 2 files changed, 6 insertions(+), 44 deletions(-) diff --git a/src/metaschema/oscal_profile_metaschema.xml b/src/metaschema/oscal_profile_metaschema.xml index 54455ddbc..0d9b1a4f2 100644 --- a/src/metaschema/oscal_profile_metaschema.xml +++ b/src/metaschema/oscal_profile_metaschema.xml @@ -81,24 +81,13 @@

Identifies that all controls are to be included from the imported catalog or profile.

- - Select Control - Select a control or controls from an imported control set. - - - - - - - - - - + + include-controls +

If with-child-controls is yes on the call to a control, any controls appearing within it (child controls) will be selected, with no additional call directives required. This flag provides a way to include controls with all their dependent controls (enhancements) without having to call them individually.

-

If with-parent-controls is "yes" on the call to a control, it will not be selected and removed from (shown without) a parent control, but instead will be copied with its parent in the source. This flag provides a way to include controls with all their ancestor controls (enhancements) without having to call them individually.

 - + exclude-controls @@ -416,7 +405,7 @@ - Select Controls + Insert Controls Specifies which controls to use in the containing context. Order @@ -476,16 +465,6 @@ - - Include Parent Controls with Control - When a control is included, whether its parent (ancestor) controls are also included. - - - Include parent controls with an included control. - When importing a control, only include parent controls that are also explicitly called. - - - Pattern A glob expression matching the IDs of one or more controls to be selected. diff --git a/src/specifications/profile-resolution/profile-resolution-specml.xml b/src/specifications/profile-resolution/profile-resolution-specml.xml index baa59f466..4ec60df70 100644 --- a/src/specifications/profile-resolution/profile-resolution-specml.xml +++ b/src/specifications/profile-resolution/profile-resolution-specml.xml @@ -562,7 +562,7 @@ include-controls:
Dealing with Nested Controls and Groups

In OSCAL, controls may contain child controls. For instance, in SP 800-53 many controls are supplemented with control enhancements; in OSCAL these are represented as child controls within parent controls. So parent AC-2 (in a given catalog) has children AC-2(1) through AC-2(13), for example.

-

By default, inclusion of a control also causes any of that control's ancestors (or parents) to also be included. By default, inclusion of a control DOES NOT cause the inclusion of any descendants (or children) of that control to be included. This applies to both controls and groups.

+

By default, inclusion of a control also causes any of that control's ancestors to also be included. By default, inclusion of a control DOES NOT cause the inclusion of any descendants of that control to be included. This applies to both controls and groups.

This default behavior can be modified by the following two optional children of the include-controls object.

@@ -580,23 +580,6 @@ include-controls: directive as being equivalent to one having with-child-controls:no.

-
- with-parent-controls -

Although similar to the above - with-child-controls, the optional - with-parent-controls applies to parents of the included control, and has the opposite default behavior. In order to maintain the structure of the source catalog, profile resolution includes all parents of an included control by default. If a profile author wants to change this structure, they should use an exclude directive that lists all of the undesired parents. As a shortcut for this, - with-parent-controls provides the following functionality: -

-

A with-parent-controls: - yes directive on an include-controls indicates that all parent - controls of the included control MUST also be included.

-

A with-parent-controls: - no directive on an include-controls indicates that ONLY the - matching control is included, any parent MUST NOT be included.

-

If no with-parent-controls is provided, the processor MUST - consider the directive as being equivalent to one having - with-parent-controls:yes.

-
exclude-controls