From f01bf6fa00064e30eae4a6281b09f0dc5fe1e2ef Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Mon, 2 Mar 2026 16:20:11 -0500 Subject: [PATCH 01/18] defined additional allowed values for the control 'status' property --- src/metaschema/oscal_catalog_metaschema.xml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/src/metaschema/oscal_catalog_metaschema.xml b/src/metaschema/oscal_catalog_metaschema.xml index 78dc556eb0..dee6f62a24 100644 --- a/src/metaschema/oscal_catalog_metaschema.xml +++ b/src/metaschema/oscal_catalog_metaschema.xml @@ -286,11 +286,19 @@ value of 'withdrawn' can indicate that the control has been withdrawn and should no longer be used. - The control is no longer used. **(deprecated)*** Use 'withdrawn' instead. + [Default] This control is currently in force. + This control was incorporated into another control as identified by one or more "incorporated" links. + This control was moved as identified by a "moved" link. + This is a placeholder for a future control. + This control will be withdrawn. The withdrawn timeline or milestone may be describe the remarks. + This control is only applicable under certain conditions described in the remarks. + This control has been superseded by the artifact indicated by one or more "superseded-by" links or as described in the remarks. + This control is a pilot or proposed control; not yet required. The link cites an external resource related to this From 2d4dc06e4ef5d1fc07664c6617aba84226884e6a Mon Sep 17 00:00:00 2001 From: Nancy <9d.24.nancy.sangani@gmail.com> Date: Wed, 11 Mar 2026 21:43:14 +0530 Subject: [PATCH 02/18] fix: resolve Prototype Pollution in fast-json-patch (GHSA-8gh8-hqwg-xf34) --- build/package-lock.json | 40 +++++++++------------------------------- build/package.json | 3 +++ 2 files changed, 12 insertions(+), 31 deletions(-) diff --git a/build/package-lock.json b/build/package-lock.json index 37c39d2ab9..8be7b8c24c 100644 --- a/build/package-lock.json 
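Review bot: The description added for the value that announces a pending withdrawal reads `The withdrawn timeline or milestone may be describe the remarks.`, which is ungrammatical; it should read `The withdrawal timeline or milestone may be described in the remarks.` The same sentence is carried over unchanged as a context line in the oscal_catalog_metaschema.xml hunk of PATCH 16/18, so the later revision does not correct it. The element markup of this hunk is not visible on this page, so the value names could not be checked. Presumably catalog consumers decide whether a control is in force by comparing against a single status value, so the remarks for this constraint should state which of the new values mean a control no longer applies.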
+++ b/build/package-lock.json @@ -470,22 +470,11 @@ "dev": true }, "node_modules/fast-json-patch": { - "version": "2.2.1", - "resolved": "https://registry.npmjs.org/fast-json-patch/-/fast-json-patch-2.2.1.tgz", - "integrity": "sha512-4j5uBaTnsYAV5ebkidvxiLUYOwjQ+JSFljeqfTxCrH9bDmlCQaOJFS84oDJ2rAXZq2yskmk3ORfoP9DCwqFNig==", + "version": "3.1.1", + "resolved": "https://registry.npmjs.org/fast-json-patch/-/fast-json-patch-3.1.1.tgz", + "integrity": "sha512-vf6IHUX2SBcA+5/+4883dsIjpBTqmfBjmYiWK1savxQmFk4JfBMLa7ynTYOs1Rolp/T1betJxHiGD3g1Mn8lUQ==", "dev": true, - "dependencies": { - "fast-deep-equal": "^2.0.1" - }, - "engines": { - "node": ">= 0.4.0" - } - }, - "node_modules/fast-json-patch/node_modules/fast-deep-equal": { - "version": "2.0.1", - "resolved": "https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-2.0.1.tgz", - "integrity": "sha512-bCK/2Z4zLidyB4ReuIsvALH6w31YfAQDmXMqMx6FyfHqvBxtjC0eRumeSu4Bs3XtXwpyIywtSTrVT99BxY1f9w==", - "dev": true + "license": "MIT" }, "node_modules/fs.realpath": { "version": "1.0.0", @@ -1221,7 +1210,7 @@ "dev": true, "requires": { "ajv": "^8.0.0", - "fast-json-patch": "^2.0.0", + "fast-json-patch": ">=3.1.1", "glob": "^7.1.0", "js-yaml": "^3.14.0", "json-schema-migrate": "^2.0.0", 
@@ -1476,21 +1465,10 @@ "dev": true }, "fast-json-patch": { - "version": "2.2.1", - "resolved": "https://registry.npmjs.org/fast-json-patch/-/fast-json-patch-2.2.1.tgz", - "integrity": "sha512-4j5uBaTnsYAV5ebkidvxiLUYOwjQ+JSFljeqfTxCrH9bDmlCQaOJFS84oDJ2rAXZq2yskmk3ORfoP9DCwqFNig==", - "dev": true, - "requires": { - "fast-deep-equal": "^2.0.1" - }, - "dependencies": { - "fast-deep-equal": { - "version": "2.0.1", - "resolved": "https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-2.0.1.tgz", - "integrity": "sha512-bCK/2Z4zLidyB4ReuIsvALH6w31YfAQDmXMqMx6FyfHqvBxtjC0eRumeSu4Bs3XtXwpyIywtSTrVT99BxY1f9w==", - "dev": true - } - } + "version": "3.1.1", + "resolved": "https://registry.npmjs.org/fast-json-patch/-/fast-json-patch-3.1.1.tgz", + "integrity": "sha512-vf6IHUX2SBcA+5/+4883dsIjpBTqmfBjmYiWK1savxQmFk4JfBMLa7ynTYOs1Rolp/T1betJxHiGD3g1Mn8lUQ==", + "dev": true }, "fs.realpath": { "version": "1.0.0", diff --git a/build/package.json b/build/package.json index 948d4af6f7..d4a43a3497 100644 --- a/build/package.json +++ b/build/package.json @@ -6,5 +6,8 @@ "ajv-cli": "^5.0.0", "ajv-formats": "^3.0.1", "markdown-link-check": "3.14.2" + }, + "overrides": { + "fast-json-patch": ">=3.1.1" } } \ No newline at end of file From a2b3859948023cfec8f4c7d443b6c1e47a8c4c82 Mon Sep 17 00:00:00 2001 From: Nancy <9d.24.nancy.sangani@gmail.com> Date: Fri, 13 Mar 2026 00:31:10 +0530 Subject: [PATCH 03/18] fix: resolve fast-json-patch Prototype Pollution vulnerability (GHSA-8gh8-hqwg-xf34) --- build/package-lock.json | 2 +- build/package.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/build/package-lock.json b/build/package-lock.json index 8be7b8c24c..028eca02d0 100644 --- a/build/package-lock.json +++ b/build/package-lock.json @@ -1210,7 +1210,7 @@ "dev": true, "requires": { "ajv": "^8.0.0", - "fast-json-patch": ">=3.1.1", + "fast-json-patch": "3.1.1", "glob": "^7.1.0", "js-yaml": "^3.14.0", "json-schema-migrate": "^2.0.0", 
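Review bot: The `overrides` entry added to build/package.json moves fast-json-patch across a major version. The lockfile hunk at -1221 shows the dependent package (presumably ajv-cli) declaring `"fast-json-patch": "^2.0.0"`, while the override resolves it to 3.1.1, so the build step that uses that package should be run to confirm it still works with the 3.x API. The open range `>=3.1.1` would also admit any later major version when the lock is next regenerated; PATCH 03/18 narrows it to `3.1.1`, and the same two hunks are repeated in PATCH 06/18 and 07/18. The rewritten `requires` range inside package-lock.json may have been edited by hand, so the lock is better regenerated with `npm install` and verified with `npm ci`. The entry is marked `"dev": true`, so exposure is presumably confined to the build environment, which the commit message could state.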
diff --git a/build/package.json b/build/package.json index d4a43a3497..d4dce81c57 100644 --- a/build/package.json +++ b/build/package.json @@ -8,6 +8,6 @@ "markdown-link-check": "3.14.2" }, "overrides": { - "fast-json-patch": ">=3.1.1" + "fast-json-patch": "3.1.1" } } \ No newline at end of file From 62118bbaea05b0bc6ca2dbb440a57cfe79f59fc9 Mon Sep 17 00:00:00 2001 From: Nancy <9d.24.nancy.sangani@gmail.com> Date: Fri, 13 Mar 2026 20:08:29 +0530 Subject: [PATCH 04/18] Fix responsible-role party-uuid constraint to only check when present, fixes #2122 --- src/metaschema/oscal_ssp_metaschema.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/metaschema/oscal_ssp_metaschema.xml b/src/metaschema/oscal_ssp_metaschema.xml index 90068ca090..6d8f3b446a 100644 --- a/src/metaschema/oscal_ssp_metaschema.xml +++ b/src/metaschema/oscal_ssp_metaschema.xml @@ -729,7 +729,7 @@ - + From 346344efe34efcff2dad0138509934949503c747 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 15 Mar 2026 04:10:32 +0000 Subject: [PATCH 05/18] Bump actions/checkout from 6.0.1 to 6.0.2 Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.1 to 6.0.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/8e8c483db84b4bee98b60c0593521ed34d9990e8...de0fac2e4500dabe0009e67214ff5f5447ce83dd) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/periodic.yml | 2 +- .github/workflows/release.yml | 2 +- .github/workflows/status.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/periodic.yml b/.github/workflows/periodic.yml index e7c0cf4053..8d2ff8cfac 100644 
--- a/.github/workflows/periodic.yml +++ b/.github/workflows/periodic.yml @@ -12,7 +12,7 @@ jobs: # Needed to post comments and issues issues: write steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: submodules: recursive - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7a13b3a845..2bfff9da07 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -8,7 +8,7 @@ jobs: name: Package Release runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: submodules: recursive - uses: actions/setup-java@v5 diff --git a/.github/workflows/status.yml b/.github/workflows/status.yml index 0a0dbf402a..94f10346ad 100644 --- a/.github/workflows/status.yml +++ b/.github/workflows/status.yml @@ -18,7 +18,7 @@ jobs: name: Status Checks runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: submodules: recursive - uses: actions/setup-java@v5 From 4d71697d7627f67720963e4ea0fc20d719f5fdb5 Mon Sep 17 00:00:00 2001 From: Nancy <9d.24.nancy.sangani@gmail.com> Date: Wed, 11 Mar 2026 21:43:14 +0530 Subject: [PATCH 06/18] fix: resolve Prototype Pollution in fast-json-patch (GHSA-8gh8-hqwg-xf34) --- build/package-lock.json | 40 +++++++++------------------------------- build/package.json | 3 +++ 2 files changed, 12 insertions(+), 31 deletions(-) diff --git a/build/package-lock.json b/build/package-lock.json index 8361212c06..292fede316 100644 --- a/build/package-lock.json +++ b/build/package-lock.json 
@@ -470,22 +470,11 @@ "dev": true }, "node_modules/fast-json-patch": { - "version": "2.2.1", - "resolved": "https://registry.npmjs.org/fast-json-patch/-/fast-json-patch-2.2.1.tgz", - "integrity": "sha512-4j5uBaTnsYAV5ebkidvxiLUYOwjQ+JSFljeqfTxCrH9bDmlCQaOJFS84oDJ2rAXZq2yskmk3ORfoP9DCwqFNig==", + "version": "3.1.1", + "resolved": "https://registry.npmjs.org/fast-json-patch/-/fast-json-patch-3.1.1.tgz", + "integrity": "sha512-vf6IHUX2SBcA+5/+4883dsIjpBTqmfBjmYiWK1savxQmFk4JfBMLa7ynTYOs1Rolp/T1betJxHiGD3g1Mn8lUQ==", "dev": true, - "dependencies": { - "fast-deep-equal": "^2.0.1" - }, - "engines": { - "node": ">= 0.4.0" - } - }, - "node_modules/fast-json-patch/node_modules/fast-deep-equal": { - "version": "2.0.1", - "resolved": "https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-2.0.1.tgz", - "integrity": "sha512-bCK/2Z4zLidyB4ReuIsvALH6w31YfAQDmXMqMx6FyfHqvBxtjC0eRumeSu4Bs3XtXwpyIywtSTrVT99BxY1f9w==", - "dev": true + "license": "MIT" }, "node_modules/fs.realpath": { "version": "1.0.0", @@ -1221,7 +1210,7 @@ "dev": true, "requires": { "ajv": "^8.0.0", - "fast-json-patch": "^2.0.0", + "fast-json-patch": ">=3.1.1", "glob": "^7.1.0", "js-yaml": "^3.14.0", "json-schema-migrate": "^2.0.0", 
@@ -1476,21 +1465,10 @@ "dev": true }, "fast-json-patch": { - "version": "2.2.1", - "resolved": "https://registry.npmjs.org/fast-json-patch/-/fast-json-patch-2.2.1.tgz", - "integrity": "sha512-4j5uBaTnsYAV5ebkidvxiLUYOwjQ+JSFljeqfTxCrH9bDmlCQaOJFS84oDJ2rAXZq2yskmk3ORfoP9DCwqFNig==", - "dev": true, - "requires": { - "fast-deep-equal": "^2.0.1" - }, - "dependencies": { - "fast-deep-equal": { - "version": "2.0.1", - "resolved": "https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-2.0.1.tgz", - "integrity": "sha512-bCK/2Z4zLidyB4ReuIsvALH6w31YfAQDmXMqMx6FyfHqvBxtjC0eRumeSu4Bs3XtXwpyIywtSTrVT99BxY1f9w==", - "dev": true - } - } + "version": "3.1.1", + "resolved": "https://registry.npmjs.org/fast-json-patch/-/fast-json-patch-3.1.1.tgz", + "integrity": "sha512-vf6IHUX2SBcA+5/+4883dsIjpBTqmfBjmYiWK1savxQmFk4JfBMLa7ynTYOs1Rolp/T1betJxHiGD3g1Mn8lUQ==", + "dev": true }, "fs.realpath": { "version": "1.0.0", diff --git a/build/package.json b/build/package.json index 948d4af6f7..d4a43a3497 100644 --- a/build/package.json +++ b/build/package.json @@ -6,5 +6,8 @@ "ajv-cli": "^5.0.0", "ajv-formats": "^3.0.1", "markdown-link-check": "3.14.2" + }, + "overrides": { + "fast-json-patch": ">=3.1.1" } } \ No newline at end of file From e0eb529a39c472c2b6dd5d83c2a7a8c5f4f3e30c Mon Sep 17 00:00:00 2001 From: Nancy <9d.24.nancy.sangani@gmail.com> Date: Fri, 13 Mar 2026 00:31:10 +0530 Subject: [PATCH 07/18] fix: resolve fast-json-patch Prototype Pollution vulnerability (GHSA-8gh8-hqwg-xf34) --- build/package-lock.json | 2 +- build/package.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/build/package-lock.json b/build/package-lock.json index 292fede316..a9cd36ac85 100644 --- a/build/package-lock.json +++ b/build/package-lock.json @@ -1210,7 +1210,7 @@ "dev": true, "requires": { "ajv": "^8.0.0", - "fast-json-patch": ">=3.1.1", + "fast-json-patch": "3.1.1", "glob": "^7.1.0", "js-yaml": "^3.14.0", "json-schema-migrate": "^2.0.0", 
diff --git a/build/package.json b/build/package.json index d4a43a3497..d4dce81c57 100644 --- a/build/package.json +++ b/build/package.json @@ -8,6 +8,6 @@ "markdown-link-check": "3.14.2" }, "overrides": { - "fast-json-patch": ">=3.1.1" + "fast-json-patch": "3.1.1" } } \ No newline at end of file From 76ef0cbc27ee1a88c4f311429c36b6a2e077c658 Mon Sep 17 00:00:00 2001 From: Nancy <9d.24.nancy.sangani@gmail.com> Date: Fri, 13 Mar 2026 20:08:29 +0530 Subject: [PATCH 08/18] Fix responsible-role party-uuid constraint to only check when present, fixes #2122 --- src/metaschema/oscal_ssp_metaschema.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/metaschema/oscal_ssp_metaschema.xml b/src/metaschema/oscal_ssp_metaschema.xml index 90068ca090..6d8f3b446a 100644 --- a/src/metaschema/oscal_ssp_metaschema.xml +++ b/src/metaschema/oscal_ssp_metaschema.xml @@ -729,7 +729,7 @@ - + From ff6a2696687806910c2be829480afca013f48793 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 15 Mar 2026 04:10:32 +0000 Subject: [PATCH 09/18] Bump actions/checkout from 6.0.1 to 6.0.2 Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.1 to 6.0.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/8e8c483db84b4bee98b60c0593521ed34d9990e8...de0fac2e4500dabe0009e67214ff5f5447ce83dd) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/periodic.yml | 2 +- .github/workflows/release.yml | 2 +- .github/workflows/status.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/periodic.yml b/.github/workflows/periodic.yml index e7c0cf4053..8d2ff8cfac 100644 
--- a/.github/workflows/periodic.yml +++ b/.github/workflows/periodic.yml @@ -12,7 +12,7 @@ jobs: # Needed to post comments and issues issues: write steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: submodules: recursive - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7a13b3a845..2bfff9da07 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -8,7 +8,7 @@ jobs: name: Package Release runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: submodules: recursive - uses: actions/setup-java@v5 diff --git a/.github/workflows/status.yml b/.github/workflows/status.yml index 0a0dbf402a..94f10346ad 100644 --- a/.github/workflows/status.yml +++ b/.github/workflows/status.yml @@ -18,7 +18,7 @@ jobs: name: Status Checks runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: submodules: recursive - uses: actions/setup-java@v5 From 26bf22d6475f87c1bf8c89c026ed494bfe018e32 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 15 Mar 2026 04:30:47 +0000 Subject: [PATCH 10/18] Bump actions/setup-node from 6.2.0 to 6.3.0 Bumps [actions/setup-node](https://github.com/actions/setup-node) from 6.2.0 to 6.3.0. - [Release notes](https://github.com/actions/setup-node/releases) - [Commits](https://github.com/actions/setup-node/compare/6044e13b5dc448c55e2357c09f80417699197238...53b83947a5a98c8d113130e565377fae1a50d02f) --- updated-dependencies: - dependency-name: actions/setup-node dependency-version: 6.3.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/periodic.yml | 2 +- .github/workflows/status.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/periodic.yml b/.github/workflows/periodic.yml index 8d2ff8cfac..e46c42c9dd 100644 --- a/.github/workflows/periodic.yml +++ b/.github/workflows/periodic.yml @@ -15,7 +15,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: submodules: recursive - - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 + - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f with: node-version-file: "build/.nvmrc" cache: "npm" diff --git a/.github/workflows/status.yml b/.github/workflows/status.yml index 94f10346ad..303a4cc05a 100644 --- a/.github/workflows/status.yml +++ b/.github/workflows/status.yml @@ -25,7 +25,7 @@ jobs: with: distribution: "temurin" java-version: "17" - - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 + - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f with: node-version-file: "build/.nvmrc" cache: "npm" From 59b59d248a0040c2400196d45fb994a7fdb92290 Mon Sep 17 00:00:00 2001 
From: Michaela Iorga Date: Sun, 15 Mar 2026 23:07:00 -0400 Subject: [PATCH 11/18] Corrected broken link to the profile-resolution spec. --- src/specifications/profile-resolution/readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/specifications/profile-resolution/readme.md b/src/specifications/profile-resolution/readme.md index 6e877e6c65..f05370f498 100644 --- a/src/specifications/profile-resolution/readme.md +++ b/src/specifications/profile-resolution/readme.md @@ -23,7 +23,7 @@ need a process for this - also Github Issues? ## Providing feedback on this specification -The OSCAL team welcomes feedback on the work in progress in this subdirectory, whether it be questions, points for clarification, critiques or suggestions. A rendered version of the Profile Resolution specification maintained here [appears](https://pages.nist.gov/OSCAL/resources/concepts/processing/profile-resolution/) on the OSCAL web site. +The OSCAL team welcomes feedback on the work in progress in this subdirectory, whether it be questions, points for clarification, critiques or suggestions. A rendered version of the Profile Resolution specification maintained here [appears](https://pages.nist.gov/OSCAL/learn/concepts/processing/profile-resolution/) on the OSCAL web site. Please post Issues in Github or questions to the OSCAL mailing list, or ask about them on our [Gitter channel](https://gitter.im/usnistgov-OSCAL/Lobby). (See https://pages.nist.gov/OSCAL/contact/ for links.) From bf6e3a01496a8804e13a7f295905e81b1f8df4ef Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Mar 2026 03:48:42 +0000 Subject: [PATCH 12/18] Bump com.xmlcalabash:xmlcalabash from 3.0.31 to 3.0.42 in /build Bumps com.xmlcalabash:xmlcalabash from 3.0.31 to 3.0.42. --- updated-dependencies: - dependency-name: com.xmlcalabash:xmlcalabash dependency-version: 3.0.42 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- build/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/pom.xml b/build/pom.xml index c1daf5507d..7180aa78bb 100644 --- a/build/pom.xml +++ b/build/pom.xml @@ -39,7 +39,7 @@ com.xmlcalabash xmlcalabash - 3.0.31 + 3.0.42 From 6bf9c8072fa8ddff0640e1f6bc8b6863b21c9358 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Mar 2026 15:30:50 +0000 Subject: [PATCH 13/18] Bump org.apache.maven.plugins:maven-dependency-plugin in /build Bumps [org.apache.maven.plugins:maven-dependency-plugin](https://github.com/apache/maven-dependency-plugin) from 3.9.0 to 3.10.0. - [Release notes](https://github.com/apache/maven-dependency-plugin/releases) - [Commits](https://github.com/apache/maven-dependency-plugin/compare/maven-dependency-plugin-3.9.0...maven-dependency-plugin-3.10.0) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-dependency-plugin dependency-version: 3.10.0 dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- build/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/pom.xml b/build/pom.xml index 7180aa78bb..25fc9ebfec 100644 --- a/build/pom.xml +++ b/build/pom.xml @@ -48,7 +48,7 @@ org.apache.maven.plugins maven-dependency-plugin - 3.9.0 + 3.10.0 copy-dependencies From b10d13d4f0518d81e3011dd4685b9276019e18d8 Mon Sep 17 00:00:00 2001 
From: Michaela Iorga Date: Tue, 17 Mar 2026 14:16:08 -0400 Subject: [PATCH 14/18] Fixes broken URL --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 43297eb42b..ca5a872c2a 100644 --- a/README.md +++ b/README.md @@ -6,7 +6,7 @@ NIST is developing the [Open Security Controls Assessment Language](https://csrc With this effort, we are stressing the agile development of a set of *minimal* formats that are both generic enough to capture the breadth of data in scope (controls specifications), while also capable of ad-hoc tuning and extension to support peculiarities of both (industry or sector) standard and new control types. -The [OSCAL website](https://www.nist.gov/oscal) provides an overview of the OSCAL project, including an XML and JSON [schema reference](https://pages.nist.gov/OSCAL/reference/), [examples](https://pages.nist.gov/OSCAL/concepts/examples/), and other resources. +The [OSCAL website](https://www.nist.gov/oscal) provides an overview of the OSCAL project, including an XML and JSON [schema reference](https://pages.nist.gov/OSCAL/reference/), [examples](https://pages.nist.gov/OSCAL/resources/examples/), and other resources. If you are interested in contributing to the development of OSCAL, refer to the [contributor guidance](https://github.com/usnistgov/OSCAL/blob/main/CONTRIBUTING.md) for more information. From 026b8b5304c73af8f4d7f0fad023855b2a772a12 Mon Sep 17 00:00:00 2001 From: Michaela Iorga Date: Tue, 17 Mar 2026 14:33:30 -0400 Subject: [PATCH 15/18] Propagating older constraint value change from validated-by to validation in system-implementation andimplementing abandoned PR 2107 which proposed fixing the validation constraints to properly deference and key on uri-reference values. --- src/metaschema/oscal_ssp_metaschema.xml | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) 
diff --git a/src/metaschema/oscal_ssp_metaschema.xml b/src/metaschema/oscal_ssp_metaschema.xml index 6d8f3b446a..a130dc5ee5 100644 --- a/src/metaschema/oscal_ssp_metaschema.xml +++ b/src/metaschema/oscal_ssp_metaschema.xml @@ -618,12 +618,16 @@ - + + - From 39087b11c741a62c88bba6a5826e8e1ebf6c06d9 Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Tue, 17 Mar 2026 15:04:52 -0400 Subject: [PATCH 16/18] revised the allowed values list per comments in PR usnistgov/OSCAL#2022 --- src/metaschema/oscal_catalog_metaschema.xml | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/src/metaschema/oscal_catalog_metaschema.xml b/src/metaschema/oscal_catalog_metaschema.xml index 3d9312233b..3067474223 100644 --- a/src/metaschema/oscal_catalog_metaschema.xml +++ b/src/metaschema/oscal_catalog_metaschema.xml @@ -288,16 +288,13 @@ - The control is no longer used. - **(deprecated)*** Use 'withdrawn' - instead. - [Default] This control is currently in force. - This control was incorporated into another control as identified by one or more "incorporated" links. - This control was moved as identified by a "moved" link. + The control is no longer used. It may have been retired, incorporated into another control, or moved to a different control. + [Default] This control exists as intended. This is a placeholder for a future control. This control will be withdrawn. The withdrawn timeline or milestone may be describe the remarks. This control is only applicable under certain conditions described in the remarks. This control has been superseded by the artifact indicated by one or more "superseded-by" links or as described in the remarks. + This control has been updated from a prior version, as described in the remarks. This control is a pilot or proposed control; not yet required. From 2325f365124508b379d91530d35a122fd5e360d6 Mon Sep 17 00:00:00 2001 
From: Michaela Iorga Date: Tue, 24 Mar 2026 21:37:51 -0400 Subject: [PATCH 17/18] Updated CONTRIBUTING.md --- CONTRIBUTING.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 3cba2b4ebf..9585d85bad 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -71,6 +71,11 @@ The OSCAL project uses a typical GitHub fork and pull request [workflow](https:/ - Please allow the NIST OSCAL maintainers to make changes to your pull request, to efficiently merge it, by selecting on your fork the setting to [always allow edits from the maintainers](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/working-with-forks/allowing-changes-to-a-pull-request-branch-created-from-a-fork). - Review [the OSCAL release and versioning strategy](./versioning-and-branching.md) and [choose the base branch](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-base-branch-of-a-pull-request) accordingly. Normally, you should target the `develop` branch or a `release-x.y` as the base branch unless asked to use a different branch. Please select the appropriate branch before requesting a review from a maintainer so delays in approving your pull request are avoided. +## Contributing to Pull Request Reviews +The OSCAL project thrives on collaboration. While NIST staff and automated tools like Dependabot maintain the core repositories, community participation is essential for a robust and secure standard. This guidance outlines the procedure for community members' review of Pull Requests (PRs), whether they are submitted by automated dependency updates or contributor-submitted enhancements. + +Detailed guidance on community participation in PR Reviews is available on OSCAL Wiki[here](https://github.com/usnistgov/OSCAL/wiki/Contributing-to-Pull-Request-Reviews) + ## Repository structure This repository consists of the following directories and files pertaining to the OSCAL project: From c73ccfec5463d8040ffdca6aff145599f3a4dbb8 Mon Sep 17 00:00:00 2001 From: Michaela Iorga Date: Tue, 5 May 2026 13:57:45 -0400 Subject: [PATCH 18/18] Fixed conflict in pom.xml --- build/pom.xml | 4 ---- 1 file changed, 4 deletions(-) 
diff --git a/build/pom.xml b/build/pom.xml index 4cbe9bf0a3..3c68a7f8ca 100644 --- a/build/pom.xml +++ b/build/pom.xml @@ -39,11 +39,7 @@ com.xmlcalabash xmlcalabash -<<<<<<< control-status - 3.0.42 -======= 3.0.45 ->>>>>>> develop