
Some UUIDs are not required where they should be #1044

Closed
david-waltermire opened this issue Oct 20, 2021 · 1 comment
david-waltermire commented Oct 20, 2021

Describe the bug

This issue was brought up on the OSCAL community Gitter.

After reviewing the associated Metaschema files, the following objects do not require a UUID be provided. This list includes only objects where a UUID is declared and excludes entries that reference a UUID declared elsewhere. The catalog and profile models were also excluded from this list, since changing these will break a good deal of existing content.

All of these objects probably should have had a required UUID in the 1.0 release.

Question: Which of these should be required? Is it worth making a compatibility-breaking bug fix to update these?

Who is the bug affecting?

Tools and users producing OSCAL assessment plan, assessment results, and plan of action and milestone models.

What is affected by this bug?

Uses of the OSCAL assessment plan, assessment results, and plan of action and milestone models where there is a need to reference the associated concept by UUID.

Expected behavior (i.e. solution)

These fields could be updated to require a UUID. There would need to be community consensus that this is a bug, since this would result in backwards compatibility breaking changes. More discussion is needed before moving forward with including this in the OSCAL 1.0.1 or later patch release.

david-waltermire (Contributor, Author) commented

This issue was discussed on the 10/21/2020 Lunch with the Devs. We explored the possibility of doing one of the following:

  1. Update a subset of these to make the UUID required as part of a patch release (i.e., 1.0.1). This would be a backwards compatibility breaking change that would be made to correct this defect. It was suggested that the following might be considered for updating in this way:
  2. Defer these changes to an OSCAL 2.0 release, where a backwards compatibility breaking change is expected. In the interim, a constraint would be added with a warning that a UUID should be provided for all of these. Adding a constraint to 1.x would not break backwards compatibility and could be deployed in either a patch or minor release.

The discussion was split between both solutions. There were concerns raised about the impact of option 1 on early adopters, which led to a slight leaning towards option 2.

This issue will be kept open for a few days to allow community members to weigh in. If no new information is brought forward, then the intent is to pursue option 2.
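A consumer-side check for the gap discussed in this issue, added here as an example and not code from the OSCAL project: it walks an OSCAL JSON document, validates every declared `uuid`, reports objects under configured property names that lack one (at WARNING level, as option 2 proposes, or at ERROR level for an option-1 style hard requirement), and flags `*-uuid` references that point at no declared UUID, which is the failure a tool hits when it needs to reference a concept by UUID and none was provided. The sample document is constructed, the `REQUIRE_UUID_IN` set is a placeholder policy rather than the project's list (the issue does not enumerate the affected objects), and the version-4/5 UUID pattern is an assumption about the OSCAL `uuid` datatype.

```python
"""Report missing, malformed and dangling UUIDs in an OSCAL JSON document.

Example code, not part of the OSCAL project. Run it directly to print the
findings for the constructed sample document below.
"""
import re

# Assumption: the OSCAL uuid datatype accepts RFC 4122 version 4 or 5 UUIDs.
UUID_RE = re.compile(
    r"^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-"
    r"[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
)

# Placeholder policy (not the project's decision): property names whose child
# objects are expected to declare a uuid. Which OSCAL objects belong here is
# exactly the question the issue raises.
REQUIRE_UUID_IN = {"results", "observations", "findings"}

# Constructed sample (not real OSCAL content); only the parts this check looks
# at are modelled. The second observation has no uuid, the finding's uuid is
# malformed, and its second related-observation points at an undeclared uuid.
SAMPLE_DOC = {
    "assessment-results": {
        "uuid": "4d2a5b2e-7f11-4c58-9a61-1d9b2a6c3e01",
        "results": [
            {
                "uuid": "9b1f2c3d-4e5a-4b6c-8d7e-0f1a2b3c4d5e",
                "title": "Sample result",
                "observations": [
                    {"uuid": "0f0e0d0c-0b0a-4c9d-8e7f-6a5b4c3d2e1f",
                     "description": "Observation with a uuid"},
                    {"description": "Observation missing its uuid"},
                ],
                "findings": [
                    {"uuid": "not-a-uuid",
                     "title": "Finding with a malformed uuid",
                     "related-observations": [
                         {"observation-uuid": "0f0e0d0c-0b0a-4c9d-8e7f-6a5b4c3d2e1f"},
                         {"observation-uuid": "ffffffff-ffff-4fff-8fff-ffffffffffff"},
                     ]},
                ],
            }
        ],
    }
}


def check_uuids(doc, require_uuid_in=REQUIRE_UUID_IN, missing_level="WARNING"):
    """Return a list of (level, json_pointer, message) findings for ``doc``.

    ``missing_level`` is "WARNING" for the option-2 style constraint and
    "ERROR" if a missing uuid is to be treated as a hard schema violation.
    """
    findings = []
    declared = set()   # every well-formed uuid declared anywhere in the document
    references = []    # (pointer, value) for every string-valued "*-uuid" key

    def walk(node, path, parent_key=None):
        if isinstance(node, dict):
            if "uuid" in node:
                value = node["uuid"]
                if isinstance(value, str) and UUID_RE.match(value):
                    declared.add(value)
                else:
                    findings.append(("ERROR", f"{path}/uuid", f"malformed uuid {value!r}"))
            elif parent_key in require_uuid_in:
                findings.append((missing_level, path, "object should declare a uuid"))
            for key, child in node.items():
                if key.endswith("-uuid") and isinstance(child, str):
                    references.append((f"{path}/{key}", child))
                walk(child, f"{path}/{key}", key)
        elif isinstance(node, list):
            # List items inherit the property name they sit under.
            for index, item in enumerate(node):
                walk(item, f"{path}/{index}", parent_key)

    walk(doc, "")
    # References can only be resolved once every declaration has been seen.
    for pointer, value in references:
        if value not in declared:
            findings.append(("ERROR", pointer, f"reference to undeclared uuid {value}"))
    return findings


if __name__ == "__main__":
    for level, pointer, message in check_uuids(SAMPLE_DOC):
        print(f"{level:7} {pointer}: {message}")
```

Switching `missing_level` to `"ERROR"` turns the same walk into the stricter behaviour of option 1 without touching the walker, which is the practical difference between the two options from a tool author's point of view: the data and the check are identical, only whether a missing UUID fails the document changes.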

@david-waltermire david-waltermire self-assigned this Oct 22, 2021
@david-waltermire david-waltermire added this to the OSCAL 1.0.1 milestone Jan 13, 2022
iMichaela pushed a commit to iMichaela/OSCAL that referenced this issue Apr 7, 2022
- Added missing allowed values used in the OSCAL NIST catalogs and profiles for SP 800-53.
- Added deprecation information for older allowed values for which their use should be discontinued.
- Deprecated depends-on in parameter, since this construct only allows a single dependency.
- In part deprecated and replaced the following names: objective->assessment-objective, assessment->assessment-method
- Deprecated profile merge/combine/@merge since this behavior is not defined in the profile resolution specification.
- Added warnings for non-required UUID flags per usnistgov#1044. Resolves usnistgov#1044.
Rene2mt pushed a commit to Rene2mt/OSCAL that referenced this issue May 17, 2022