
Generate and Publish OSCAL Metaschema without XML Entities #1665

Closed
6 of 7 tasks
aj-stein-nist opened this issue Feb 22, 2023 · 2 comments · Fixed by #1901
Labels
  • Developer Experience (Issues around enhancing and optimizing work for development of NIST OSCAL artifacts)
  • enhancement
  • Scope: CI/CD (Enhancements to the project's Continuous Integration and Continuous Delivery pipeline.)
  • Scope: Metaschema (Issues targeted at the metaschema pipeline)

Comments


aj-stein-nist commented Feb 22, 2023

User Story

As a NIST or community OSCAL developer, in order to more efficiently develop tooling that can statically or dynamically generate the Metaschema source files in ./src/metaschema (at that location at the time of this request) and potentially publish copies without the XML entities to reduce the burden of working with the current XML source version of the Metaschema definitions.

Goals

  • Minimize or eliminate the burden of developing Metaschema-technology for OSCAL libraries (specifically for oscal-cli-nodejs (usnistgov/oscal-cli-nodejs#21), metaschema-node, and community libraries hindered by this choice, such as this PR discussed here and
  • Improve compile and run-time security for different NIST and community libraries that must use software that support XML entity resolution

Dependencies

No response

Acceptance Criteria

  • A spike is performed to determine:
    • review and select the simplest and fastest solution to implement, XSLT or otherwise (prototype code if necessary, PR merged into repo not mandatory)
    • write a spec document on how and when in the CI/CD pipeline process this is to be inserted (prototype code if necessary, PR merged into repo not mandatory)
    • consult the team and determine if the most appropriate or efficient approach is to 1) commit these versions into a directory in the repo adjacent to ./src/metaschema or 2) prefer another mechanism. Make this decision based on which decision is easier and faster than the other.
  • Draft ADR and get team to review and approve
  • Create follow-on issue to make this work "go to prod" and end up in main branch after ADR and spike is complete, before marking this issue as closed or resolved
  • The CI-CD build process runs without any reported errors on the PR. This can be confirmed by reviewing that all checks have passed in the PR.
@aj-stein-nist added the enhancement, Scope: Metaschema, Scope: CI/CD and Developer Experience labels Feb 22, 2023
@nikitawootten-nist nikitawootten-nist self-assigned this Aug 24, 2023
nikitawootten-nist (Contributor) commented:

@aj-stein-nist regarding the first AC item:

  • A minimal approach for resolving XML entities exists in this repository: https://github.com/nikitawootten-nist/oscal-resolved. This approach uses a simple identity transform to resolve the entities.
    • Depending on the approach taken for releasing these artifacts, additional processing may have to take place (such as adjusting the `<import/>` `@href`s to include a suffix, `oscal-metadata-metaschema-RESOLVED.xml` as an example)
  • Approach wise, I can see two:
    1. Publish the resolved metaschemas in a second repository with CI tooling to listen for new tags (on a new published release, push a new commit)
    2. Add the resolved metaschemas as release artifacts on the core OSCAL repository
      • These artifacts would likely need a suffix added to differentiate them from the source metaschemas (as discussed above)

Approach 2 is the simplest. With that in mind would an ADR and follow up issue be necessary?
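
The identity-transform step described in this comment, together with the issue's second goal (not having to rely on software that resolves XML entities), as an added example that is not code from the OSCAL project or from the oscal-resolved repository: a Python identity transform on the standard library's SAX parser, used here in place of XSLT. It expands SYSTEM entities only from files under the source directory, never echoes the DOCTYPE, and rewrites `<import/>` `@href`s to point at the suffixed copies. The sample Metaschema, its `.ent` file, the element names and the `-RESOLVED` suffix are constructed assumptions.

```python
"""Identity transform that publishes a Metaschema-style file without its XML entities.

Added example, not code from the OSCAL project or the oscal-resolved repository;
it uses the standard library's SAX parser instead of XSLT. Element names, file
names and the -RESOLVED suffix are assumptions made for the demonstration.
"""
import io
import os
import tempfile
from xml.sax import handler, make_parser
from xml.sax.saxutils import XMLGenerator
from xml.sax.xmlreader import InputSource


class LocalOnlyResolver(handler.EntityResolver):
    """Serve SYSTEM entities only from files under base_dir; refuse URLs and escapes."""

    def __init__(self, base_dir):
        self.base_dir = os.path.realpath(base_dir)

    def resolveEntity(self, publicId, systemId):
        if "://" in systemId or os.path.isabs(systemId):
            raise ValueError(f"refusing non-local entity: {systemId}")
        path = os.path.realpath(os.path.join(self.base_dir, systemId))
        if os.path.commonpath([path, self.base_dir]) != self.base_dir:
            raise ValueError(f"refusing entity outside source tree: {systemId}")
        source = InputSource(systemId)
        with open(path, "rb") as fh:
            source.setByteStream(io.BytesIO(fh.read()))
        return source


class ResolvedWriter(XMLGenerator):
    """Echo SAX content events unchanged, except that <import href=".."/> is pointed
    at the suffixed copy. The DOCTYPE is never echoed because SAX content events
    carry no DTD, so the output needs no entity resolution at all."""

    def __init__(self, out, suffix):
        super().__init__(out, encoding="utf-8", short_empty_elements=True)
        self.suffix = suffix

    def startElement(self, name, attrs):
        if name == "import" and "href" in attrs:
            attrs = dict(attrs.items())
            stem, ext = os.path.splitext(attrs["href"])
            attrs["href"] = f"{stem}{self.suffix}{ext}"
        super().startElement(name, attrs)


def resolve_metaschema(source_path, suffix="-RESOLVED"):
    """Return the text of source_path with entities expanded and the DOCTYPE dropped."""
    out = io.StringIO()
    parser = make_parser()
    # External general entities are off by default; enable them only behind the gate.
    parser.setFeature(handler.feature_external_ges, True)
    parser.setEntityResolver(LocalOnlyResolver(os.path.dirname(source_path)))
    parser.setContentHandler(ResolvedWriter(out, suffix))
    parser.parse(source_path)
    return out.getvalue()


# Constructed sample: a Metaschema-shaped source plus the .ent file it pulls in.
SAMPLE_SOURCE = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE METASCHEMA [
  <!ENTITY allowed-values-roles SYSTEM "shared-constraints/allowed-values-roles.ent">
]>
<METASCHEMA>
  <import href="oscal_metadata_metaschema.xml"/>
  <constraint>&allowed-values-roles;</constraint>
</METASCHEMA>
"""
SAMPLE_ENTITY = '<allowed-values target="role-id"><enum value="creator">Creator</enum></allowed-values>'
# Constructed counterexample: an entity whose SYSTEM id leaves the source tree.
ESCAPING_SOURCE = """<!DOCTYPE METASCHEMA [
  <!ENTITY leak SYSTEM "../outside-the-tree.ent">
]>
<METASCHEMA>&leak;</METASCHEMA>
"""


def demo():
    """Run both samples; return (resolved text, whether the escaping entity was refused)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "src", "metaschema")
        os.makedirs(os.path.join(src, "shared-constraints"))
        files = {
            "oscal_sample_metaschema.xml": SAMPLE_SOURCE,
            os.path.join("shared-constraints", "allowed-values-roles.ent"): SAMPLE_ENTITY,
            "escaping_metaschema.xml": ESCAPING_SOURCE,
        }
        for name, text in files.items():
            with open(os.path.join(src, name), "w", encoding="utf-8") as fh:
                fh.write(text)
        resolved = resolve_metaschema(os.path.join(src, "oscal_sample_metaschema.xml"))
        try:
            resolve_metaschema(os.path.join(src, "escaping_metaschema.xml"))
            refused = False
        except ValueError:
            refused = True
    return resolved, refused


if __name__ == "__main__":
    text, was_refused = demo()
    print(text)
    print("escaping entity refused:", was_refused)
```

Run it directly to print the resolved sample. In a pipeline the resolved copy is the artifact that gets published, and because nothing in it references an entity, consumers can parse it with external entity resolution left disabled; the resolver's path check is what keeps the one place that does resolve entities (the publishing step) confined to the repository's own `.ent` files.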

nikitawootten-nist added a commit to nikitawootten-nist/OSCAL that referenced this issue Aug 24, 2023
@nikitawootten-nist nikitawootten-nist linked a pull request Aug 24, 2023 that will close this issue
aj-stein-nist added a commit that referenced this issue Aug 25, 2023
* Produce Metaschemas without XXEs (#1665)

* ADR for XXE resolution

* Accepted ADR 5

* Apply suggestions from code review

Co-authored-by: A.J. Stein <alexander.stein@nist.gov>

* Revert release artifact archive readme extension change

---------

Co-authored-by: A.J. Stein <alexander.stein@nist.gov>
nikitawootten-nist (Contributor) commented:

Fixed via #1901

@nikitawootten-nist nikitawootten-nist added this to the Next milestone Aug 25, 2023
@aj-stein-nist aj-stein-nist modified the milestones: Next, Ready Now Aug 25, 2023
aj-stein-nist added a commit that referenced this issue Sep 12, 2023
Arminta-Jenkins-NIST pushed a commit that referenced this issue Sep 12, 2023
@aj-stein-nist aj-stein-nist modified the milestones: Ready Now, v1.1.1 Sep 20, 2023
Projects
Status: Done

2 participants