Some UUIDs are not required where they should be #1044
Comments
This issue was discussed on the 10/21/2020 Lunch with the Devs. We explored the possibility of doing one of the following:
The discussion was split between both solutions. There were concerns raised about the impact of option 1 to early adopters, which led to a slight leaning towards option 2. This issue will be kept open for a few days to allow community members to weigh in. If no new information is brought forward, then the intent is to pursue option 2.
- Added missing allowed values used in the OSCAL NIST catalogs and profiles for SP 800-53.
- Added deprecation information for older allowed values for which their use should be discontinued.
- Deprecated depends-on in parameter, since this construct only allows a single dependency.
- In part deprecated and replaced the following names: objective->assessment-objective, assessment->assessment-method
- Deprecated profile merge/combine/@merge since this behavior is not defined in the profile resolution specification.
- Added warnings for non-required UUID flags per usnistgov#1044.

Resolves usnistgov#1044.
Describe the bug
This issue was brought up on the OSCAL community Gitter.
After reviewing the associated Metaschema files, the following objects do not require a UUID be provided. This list includes only objects where a UUID is declared and excludes entries that reference a UUID declared elsewhere. The catalog and profile models were also excluded from this list, since changing these will break a good deal of existing content.
All of these objects probably should have had a required UUID in the 1.0 release.
Question: Which of these should be required? Is it worth making a compatibility-breaking bug fix to update these?
Who is the bug affecting?
Tools and users producing OSCAL assessment plan, assessment results, and plan of action and milestone models.
What is affected by this bug?
Uses of the OSCAL assessment plan, assessment results, and plan of action and milestone models where there is a need to reference the associated concept by UUID.
Expected behavior (i.e. solution)
These fields could be updated to require a UUID. There would need to be community consensus that this is a bug, since this would result in backwards compatibility breaking changes. More discussion is needed before moving forward with including this in the OSCAL 1.0.1 or later patch release.