usnistgov · rosskarchner · Dec 9, 2021 · Jan 31, 2022 · Feb 4, 2022 · Feb 10, 2022
@@ -91,6 +91,6 @@ Multiple examples of baselines expressed using the OSCAL profile model can be fo
 |:---|:---|
 | NIST SP 800-53 rev 5 | \[[XML]({{< param "contentRepoPath" >}}/nist.gov/SP800-53/rev5/xml/)\] \[[JSON]({{< param "contentRepoPath" >}}/nist.gov/SP800-53/rev5/json/)\] \[[YAML]({{< param "contentRepoPath" >}}/nist.gov/SP800-53/rev5/yaml/)\]
 | NIST SP 800-53 rev 4 | \[[XML]({{< param "contentRepoPath" >}}/nist.gov/SP800-53/rev4/xml/)\] \[[JSON]({{< param "contentRepoPath" >}}/nist.gov/SP800-53/rev4/json/)\] \[[YAML]({{< param "contentRepoPath" >}}/nist.gov/SP800-53/rev4/yaml/)\]
-| FedRAMP Baselines | \[[XML](https://github.com/gsa/fedramp-automation/blob/master/baselines/rev4/xml/)\] \[[JSON](https://github.com/gsa/fedramp-automation/blob/master/baselines/rev4/json/)\] \[[YAML](https://github.com/gsa/fedramp-automation/blob/master/baselines/rev4/yaml/)\]
+| FedRAMP Baselines | \[[XML](https://github.com/GSA/fedramp-automation/tree/master/dist/content/baselines/rev4/xml)\] \[[JSON](https://github.com/GSA/fedramp-automation/tree/master/dist/content/baselines/rev4/json)\] \[[YAML](https://github.com/GSA/fedramp-automation/tree/master/dist/content/baselines/rev4/yaml/)\]
 
 You will also find the "resolved" version of each profile. These files end with the suffix `-resolved-profile_catalog` to indicate that the profile [resolution process](/concepts/processing/profile-resolution/) has been performed to generate a catalog containing only the selected and tailored controls defined by the profile.
@@ -39,3 +39,4 @@ See the [NIST Software Disclaimer](https://www.nist.gov/disclaimer) for more inf
 | [Xacta 360](https://www.telos.com/offerings/xacta-360-continuous-compliance-assessment/) | Telos | Xacta 360 is a cyber risk management and compliance analytics platform that enables users to create and submit FedRAMP system security plans (SSPs) in OSCAL format. Future OSCAL capabilities are forthcoming as the standard evolves. | [license](https://cdn.telos.com/wp-content/uploads/2021/06/22150746/Xacta-360-EULA-US.pdf) |
 | [Atlasity: Continuous Compliance Automation](https://atlasity.io/partnership/) | C2 Labs | Atlasity CE (release 2.0) runs in any environment and supports the development of OSCAL v1.0 content for Catalogs, Profiles, System Security Plans and Components. Additional detail can be found in this blog post: [Atlasity Delivers Free Tools to Create OSCAL Content](https://www.c2labs.com/post/atlasity-delivers-free-tools-to-create-oscal-content). | community edition |
 | [control_freak](https://controlfreak.risk-redux.io/) | Risk Redux | This tool seeks to provide folks with a searchable and easy-to-navigate reference for NIST SP 800-53 Revision 5. It is [an open-source application from the Risk Redux project](https://github.com/risk-redux/control_freak), built using parsed content directly from the OSCAL repositories. | open-source |
+| [OSCAL4NEO4J](https://github.com/Agh42/oscal4neo4j) | The OSCAL4NEO4J Project | This project features a set of Neo4J cypher scripts which will import OSCAL catalogs and profiles directly from the official Github-repositories into a Neo4J database. Once imported, the information can be queried to gain insight into the structure of those catalogs and baselines. The project aims to add tool support for the implementation and assessment layers by allowing generation of component definitions, system security plans, assessment-plans, assessment-results and POA&Ms. | open source |
diff --git a/src/metaschema/oscal_assessment-common_metaschema.xml b/src/metaschema/oscal_assessment-common_metaschema.xml
@@ -21,7 +21,7 @@
       <description>Used by the assessment plan and POA&amp;M to import information about the system.</description>
       <define-flag name="href" required="yes" as-type="uri-reference">
          <formal-name>System Security Plan Reference</formal-name>
-         <description>>A resolvable URL reference to the system security plan for the system being assessed.</description>
+         <description>A resolvable URL reference to the system security plan for the system being assessed.</description>
          <remarks>
             <p>The value of the <code>href</code> can be an internet resource, or a local reference using a fragment e.g. #fragment that points to a <code>back-matter</code> <code>resource</code> in the same document.</p>
             <p>If a local reference using a fragment is used, this will be indicated by a fragment "#" followed by an identifier which references an identified <code>resource</code> in the document's <code>back-matter</code> or another object that is <a href="/concepts/layer/assessment/assessment-plan/#key-concepts">within the scope of the containing OSCAL document</a>.</p>

diff --git a/src/metaschema/oscal_control-common_metaschema.xml b/src/metaschema/oscal_control-common_metaschema.xml
@@ -73,7 +73,16 @@
                         <allowed-values target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name">
             &allowed-values-control-group-property-name;
                         </allowed-values>
-                </constraint>
+<!--                        <allowed-values target=".[@name='assessment']/prop/@name" allow-other="yes">
+                                <enum value="method">The assessment method to use. This typically appears on parts with the name "assessment".</enum>
+                        </allowed-values>
+                        <has-cardinality target=".[@name='assessment']/prop[@name='method']" min-occurs="1"/>
+                        <allowed-values target=".[@name='assessment']/prop[@name='method']/@value">
+                                <enum value="INTERVIEW">The process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence.</enum>
+                                <enum value="EXAMINE">The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities).</enum>
+                                <enum value="TEST">The process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior.</enum>
+                        </allowed-values>
+-->                </constraint>
                 <remarks>
                         <p>A <code>part</code> provides for logical partitioning of prose, and can be thought of as a grouping structure (e.g., section). A <code>part</code> can have child parts allowing for arbitrary nesting of prose content (e.g., statement hierarchy). A <code>part</code> can contain <code>prop</code> objects that allow for enriching prose text with structured name/value information.</p>
                         <p>A <code>part</code> can be assigned an optional <code>id</code>, which allows for internal and external references to the textual concept contained within a <code>part</code>. A <code>id</code> provides a means for an OSCAL profile, or a higher layer OSCAL model to reference a specific part within a <code>catalog</code>. For example, an <code>id</code> can be used to reference or to make modifications to a control statement in a profile.</p>

diff --git a/src/metaschema/oscal_profile_metaschema.xml b/src/metaschema/oscal_profile_metaschema.xml
@@ -122,7 +122,7 @@
                               <formal-name>As-Is Structuring Directive</formal-name>
                               <description>An As-is element indicates that the controls should be structured in resolution as they are structured in their source catalogs. It does not contain any elements or attributes.</description>
                         </define-field>
-                        <define-assembly name="custom">
+                        <define-assembly name="custom" min-occurs="1">
                               <formal-name>Custom grouping</formal-name>
                               <description>A Custom element frames a structure for embedding represented controls in resolution.</description>
                               <model>

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<xsl:stylesheet version="2.0"
+<xsl:stylesheet version="3.0"
     xmlns="http://csrc.nist.gov/ns/oscal/1.0"
     xmlns:o="http://csrc.nist.gov/ns/oscal/1.0"
     xmlns:opr="http://csrc.nist.gov/ns/oscal/profile-resolution"
@@ -10,7 +10,7 @@
     xpath-default-namespace="http://csrc.nist.gov/ns/oscal/1.0">
 
     <!-- Purpose: perform operations supporting the selection stage of OSCAL profile resolution. -->
-    <!-- XSLT version: 2.0 -->
+    <!-- XSLT version: 3.0 -->
 
     <xsl:strip-space elements="catalog group control param guideline select part
         metadata back-matter annotation party person org rlink address resource role responsible-party citation
@@ -83,7 +83,6 @@
         </metadata>
     </xsl:template>-->
 
-    <xsl:key name="cross-reference" match="resource" use="'#' || @id"/>
     <xsl:key name="cross-reference" match="resource" use="'#' || @uuid"/>
 
     <xsl:template priority="2" mode="o:select" match="import[starts-with(@href,'#')]">
@@ -94,7 +93,16 @@
 
     <xsl:template match="resource" mode="o:import">
         <xsl:variable name="linked-xml" select="child::rlink[ends-with(@href,'.xml') or matches(@media-type,'xml')][1]"/>
-        <xsl:apply-templates mode="o:select" select="o:resource-or-warning($linked-xml/@href)"/>
+        <xsl:choose>
+            <xsl:when test="exists($linked-xml)">
+        <xsl:apply-templates mode="o:select" select="o:resource-or-error($linked-xml/@href)"/>
+            </xsl:when>
+            <xsl:otherwise>
+                <xsl:message terminate="yes"
+                    expand-text="yes">Document not acquired for resource with uuid {@uuid
+                    }: No rlink with media-type='xml' or href ending with '.xml'</xsl:message>
+            </xsl:otherwise>
+        </xsl:choose>
     </xsl:template>
 
     <xsl:template priority="1" mode="o:select" match="import">
@@ -104,7 +112,7 @@
         <xsl:apply-templates select="$linked-resource" mode="o:import">
             <xsl:with-param name="import-instruction" select="." tunnel="yes"/>
         </xsl:apply-templates>
-        <xsl:apply-templates mode="#current" select="o:resource-or-warning(@href)">
+        <xsl:apply-templates mode="#current" select="o:resource-or-error(@href)">
             <xsl:with-param name="import-instruction" select="." tunnel="yes"/>
         </xsl:apply-templates>
     </xsl:template>
@@ -118,10 +126,11 @@
         </xsl:copy>
     </xsl:template>
 
-    <xsl:template name="add-process-id">
+    <xsl:template name="add-process-id" as="attribute(opr:id)">
+        <xsl:param name="context" select="." as="element()"/>
         <xsl:attribute name="opr:id" namespace="http://csrc.nist.gov/ns/oscal/profile-resolution">
             <xsl:value-of
-                select="concat(opr:catalog-identifier(/o:catalog), '#', (@id, generate-id())[1])"/>
+                select="concat(opr:catalog-identifier($context/root()/o:catalog), '#', $context/(@id, generate-id())[1])"/>
         </xsl:attribute>
     </xsl:template>
 
@@ -131,7 +140,7 @@
     </xsl:function>
 
     <!-- A control is included if it is selected by the provided import instruction -->
-    <xsl:template match="control" mode="o:select">
+    <xsl:template match="control" mode="o:select" as="element(o:control)?">
         <xsl:param name="import-instruction" tunnel="yes" required="yes"/>
         <xsl:if test="o:selects($import-instruction,.)">
             <xsl:copy copy-namespaces="no">
@@ -174,22 +183,30 @@
             <xsl:sequence select="exists($importing/include-all)"/>
             <xsl:sequence select="some $c in ($importing/include-controls/with-id)
                                   satisfies ($c = $candidate/@id)"/>
+            <xsl:sequence select="some $c in ($importing/include-controls[o:calls-parents(.)]/with-id)
+                satisfies ($c = $candidate/descendant::control/@id)"/>
             <xsl:sequence select="some $c in ($importing/include-controls[o:calls-children(.)]/with-id)
                 satisfies ($c = $candidate/ancestor::control/@id)"/>
-            <xsl:sequence select="some $m in ($importing/include-controls/matching)
+            <xsl:sequence select="some $m in ($importing/include-controls/matching[@pattern != ''])
                                   satisfies (matches($candidate/@id,$m/@pattern/o:glob-as-regex(string(.)) ))"/>
-            <xsl:sequence select="some $m in ($importing/include/matching[o:calls-children(.)])
-                satisfies (matches($candidate/ancestor::control/@id,$m/@pattern/o:glob-as-regex(string(.))))"/>
+            <xsl:sequence select="some $m in ($importing/include-controls[o:calls-parents(.)]/matching[@pattern != '']), $a in $candidate/descendant::control 
+                satisfies (matches($a/@id,$m/@pattern/o:glob-as-regex(string(.))))"/>
+            <xsl:sequence select="some $m in ($importing/include-controls[o:calls-children(.)]/matching[@pattern != '']), $a in $candidate/ancestor::control 
+                satisfies (matches($a/@id,$m/@pattern/o:glob-as-regex(string(.))))"/>
         </xsl:variable>
         <xsl:variable name="exclude-reasons" as="xs:boolean+">
             <xsl:sequence select="exists($candidate/parent::control) and $importing/include-all/@with-child-controls='no'"/>
             <xsl:sequence select="some $c in ($importing/exclude-controls/with-id) satisfies ($c = $candidate/@id)"/>
+            <xsl:sequence select="some $c in ($importing/exclude-controls[o:calls-parents(.)]/with-id)
+                satisfies ($c = $candidate/descendant::control/@id)"/>
             <xsl:sequence select="some $c in ($importing/exclude-controls[o:calls-children(.)]/with-id)
                 satisfies ($c = $candidate/ancestor::control/@id)"/>
-            <xsl:sequence select="some $m in ($importing/exclude-controls/matching)
+            <xsl:sequence select="some $m in ($importing/exclude-controls/matching[@pattern != ''])
                 satisfies (matches($candidate/@id,$m/@pattern/o:glob-as-regex(string(.))))"/>
-            <xsl:sequence select="some $m in ($importing/exclude-controls[o:calls-children(.)]/matcjomg)
-                satisfies (matches($candidate/ancestor::control/@id,$m/@pattern/o:glob-as-regex(string(.))))"/>
+            <xsl:sequence select="some $m in ($importing/exclude-controls[o:calls-parents(.)]/matching[@pattern != '']), $a in $candidate/descendant::control
+                satisfies (matches($a/@id,$m/@pattern/o:glob-as-regex(string(.))))"/>
+            <xsl:sequence select="some $m in ($importing/exclude-controls[o:calls-children(.)]/matching[@pattern != '']), $a in $candidate/ancestor::control
+                satisfies (matches($a/@id,$m/@pattern/o:glob-as-regex(string(.))))"/>
         </xsl:variable>
         <!-- predicate [.] filters reasons as booleans -->
         <xsl:sequence select="exists($include-reasons[.]) and empty($exclude-reasons[.])"/>
@@ -200,26 +217,19 @@
         <xsl:sequence select="$caller/@with-child-controls='yes'"/>
     </xsl:function>
 
-    <!-- Returns a document when found, a <opr:warning> element when not. -->
-    <xsl:function name="o:resource-or-warning" as="document-node()">
+    <xsl:function name="o:calls-parents" as="xs:boolean">
+        <xsl:param name="caller" as="element()"/>
+        <xsl:sequence select="not($caller/@with-parent-controls='no')"/>
+    </xsl:function>
+
+    <!-- Returns a document when found, a fatal error when not. -->
+    <xsl:function name="o:resource-or-error" as="document-node()">
         <xsl:param name="href" as="attribute(href)"/>
         <xsl:variable name="resolved-href" select="resolve-uri($href,$href/base-uri())"/>
-        <xsl:choose>
-            <xsl:when test="doc-available($resolved-href)">
-                <xsl:sequence select="document($resolved-href)"/>
-            </xsl:when>
-            <xsl:otherwise>
-                <xsl:document>
-                    <opr:WARNING>
-                        <xsl:text>Document not acquired: '</xsl:text>
-                        <xsl:value-of select="$href"/>
-                        <xsl:text>' resolved as '</xsl:text>
-                        <xsl:value-of select="$resolved-href"/>
-                        <xsl:text>' (as OSCAL XML)</xsl:text>
-                    </opr:WARNING>
-                </xsl:document>
-            </xsl:otherwise>
-        </xsl:choose>
+        <xsl:assert test="doc-available($resolved-href)"
+            expand-text="yes">Document not acquired: {$href} resolved as {
+            $resolved-href} (as OSCAL XML)</xsl:assert>
+        <xsl:sequence select="document($resolved-href)"/>
     </xsl:function>
 
     <xsl:include href="oscal-profile-resolve-functions.xsl"/>
@@ -237,7 +247,7 @@
         <xsl:variable name="runtime" as="map(xs:string, item())">
             <xsl:map>
                 <xsl:map-entry key="'xslt-version'"        select="3.0"/>
-                <xsl:map-entry key="'stylesheet-location'" select="'../oscal-profile-RESOLVE.xsl'"/>
+                <xsl:map-entry key="'stylesheet-location'" select="'oscal-profile-RESOLVE.xsl'"/>
                 <xsl:map-entry key="'source-node'"         select="root($profile)"/>
                 <xsl:map-entry key="'stylesheet-params'"   select="$runtime-params"/>
             </xsl:map>

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<catalog xmlns="http://csrc.nist.gov/ns/oscal/1.0"/>
@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<catalog xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="xmlcat"/>
@@ -1,12 +1,10 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE x:description [
-<!ENTITY filedir "file:/C:/Users/wap1/Documents/usnistgov/OSCAL/src/specifications/profile-resolution/profile-resolution-examples/catalogs" >
-]>
 <x:description xmlns="http://csrc.nist.gov/ns/oscal/1.0"
     xmlns:o="http://csrc.nist.gov/ns/oscal/1.0"
     xmlns:opr="http://csrc.nist.gov/ns/oscal/profile-resolution"
     xmlns:x="http://www.jenitennison.com/xslt/xspec"
     stylesheet="../../oscal-profile-resolve-select.xsl">
+    <x:scenario label="Tests for o:glob-as-regex function">
     <x:scenario label="Simple string">
         <x:call function="o:glob-as-regex">
             <x:param>ac</x:param>
@@ -30,5 +28,12 @@
             <x:param>ac-1(*)</x:param>
         </x:call>
         <x:expect label="Anchored and escaped with substitution" select="'^ac-1\(.*\)$'"/>
+        </x:scenario>
+        <x:scenario label="Empty string (degenerate case)">
+            <x:call function="o:glob-as-regex">
+                <x:param select="''"/>
+            </x:call>
+            <x:expect label="Anchored empty string" select="'^$'"/>
+        </x:scenario>
     </x:scenario>
 </x:description>
@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<?xml-model href="../../../../../specifications/profile-resolution/example-checkup.sch" type="application/xml" schematypens="http://purl.oclc.org/dsdl/schematron"?>
+<!-- Modified by conversion XSLT 2021-04-05T11:22:08.131-04:00 - RC2 OSCAL becomes RC3 OSCAL -->
+<profile xmlns="http://csrc.nist.gov/ns/oscal/1.0"
+         uuid="427f8c54-c3af-4ca3-a92c-f6abaa015ba5">
+   <metadata>
+      <title>Test Profile with Nonstandard File Name Extension in resource/rlink</title>
+      <last-modified>2020-05-30T14:39:37.3-04:00</last-modified>
+      <version>1.0</version>
+      <oscal-version>1.0.0-rc2</oscal-version>
+   </metadata>
+   <import href="#0050231f-4fd0-43d6-8fa0-431367cd83e1">
+      <include-all/>
+   </import>
+   <back-matter>
+      <resource uuid="0050231f-4fd0-43d6-8fa0-431367cd83e1">
+         <rlink href="https://some-non-xml-url"/>
+         <rlink href="catalog-nonstandard-file-name-ext.xmlcat" media-type="xml"/>
+      </resource>
+      <resource uuid="0050231f-4fd0-43d6-8fa0-431367cd83e1">
+         <!-- Duplicate uuid is intentional, for testing template with
+            mode="o:select" match="import[starts-with(@href,'#')]" -->
+         <rlink href="catalog-nonstandard-file-name-ext.xmlcat" media-type="xml"/>
+      </resource>
+   </back-matter>
+</profile>