Defined additional allowed values for the control 'status' property

.github/workflows/periodic.yml

@@ -12,10 +12,10 @@ jobs:
       # Needed to post comments and issues
       issues: write
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           submodules: recursive
-      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f
         with:
           node-version-file: "build/.nvmrc"
           cache: "npm"

.github/workflows/release.yml

@@ -8,7 +8,7 @@ jobs:
     name: Package Release
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           submodules: recursive
       - uses: actions/setup-java@v5

.github/workflows/status.yml

@@ -18,14 +18,14 @@ jobs:
     name: Status Checks
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           submodules: recursive
       - uses: actions/setup-java@v5
         with:
           distribution: "temurin"
           java-version: "17"
-      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f
         with:
           node-version-file: "build/.nvmrc"
           cache: "npm"

CONTRIBUTING.md

@@ -71,6 +71,11 @@ The OSCAL project uses a typical GitHub fork and pull request [workflow](https:/
     - Please allow the NIST OSCAL maintainers to make changes to your pull request, to efficiently merge it, by selecting on your fork the setting to [always allow edits from the maintainers](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/working-with-forks/allowing-changes-to-a-pull-request-branch-created-from-a-fork).
     - Review [the OSCAL release and versioning strategy](./versioning-and-branching.md) and [choose the base branch](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-base-branch-of-a-pull-request) accordingly. Normally, you should target the `develop` branch or a `release-x.y` as the base branch unless asked to use a different branch. Please select the appropriate branch before requesting a review from a maintainer so delays in approving your pull request are avoided.
 
+## Contributing to Pull Request Reviews
+The OSCAL project thrives on collaboration. While NIST staff and automated tools like Dependabot maintain the core repositories, community participation is essential for a robust and secure standard. This guidance outlines the procedure for community members' review of Pull Requests (PRs), whether they are submitted by automated dependency updates or contributor-submitted enhancements.
+
+Detailed guidance on community participation in PR Reviews is available on OSCAL Wiki[here](https://github.com/usnistgov/OSCAL/wiki/Contributing-to-Pull-Request-Reviews)
+
 ## Repository structure
 
 This repository consists of the following directories and files pertaining to the OSCAL project:

README.md

@@ -6,7 +6,7 @@ NIST is developing the [Open Security Controls Assessment Language](https://csrc
 
 With this effort, we are stressing the agile development of a set of *minimal* formats that are both generic enough to capture the breadth of data in scope (controls specifications), while also capable of ad-hoc tuning and extension to support peculiarities of both (industry or sector) standard and new control types.
 
-The [OSCAL website](https://www.nist.gov/oscal) provides an overview of the OSCAL project, including an XML and JSON [schema reference](https://pages.nist.gov/OSCAL/reference/), [examples](https://pages.nist.gov/OSCAL/concepts/examples/), and other resources.
+The [OSCAL website](https://www.nist.gov/oscal) provides an overview of the OSCAL project, including an XML and JSON [schema reference](https://pages.nist.gov/OSCAL/reference/), [examples](https://pages.nist.gov/OSCAL/resources/examples/), and other resources.
 
 If you are interested in contributing to the development of OSCAL, refer to the [contributor guidance](https://github.com/usnistgov/OSCAL/blob/main/CONTRIBUTING.md) for more information.
 

build/package.json

@@ -6,5 +6,8 @@
         "ajv-cli": "^5.0.0",
         "ajv-formats": "^3.0.1",
         "markdown-link-check": "3.14.2"
+    },
+    "overrides": {
+        "fast-json-patch": "3.1.1"
     }
 }

build/pom.xml

@@ -39,7 +39,7 @@
         <dependency>
             <groupId>com.xmlcalabash</groupId>
             <artifactId>xmlcalabash</artifactId>
-            <version>3.0.31</version>
+            <version>3.0.42</version>
         </dependency>
     </dependencies>
 
@@ -48,7 +48,7 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-dependency-plugin</artifactId>
-                <version>3.9.0</version>
+                <version>3.10.0</version>
                 <executions>
                     <execution>
                         <id>copy-dependencies</id>

src/metaschema/oscal_catalog_metaschema.xml

@@ -286,11 +286,16 @@
                               value of 'withdrawn' can indicate that the <code>control</code> has
                               been withdrawn and should no longer be used.</enum>
                   </allowed-values>
-                  <allowed-values id="oscal-control-prop-status-value"
+                  <allowed-values id="oscal-control-prop-status-value" allow-other="yes"
                         target="prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='status']/@value">
-                        <enum value="withdrawn">The control is no longer used.</enum>
-                        <enum value="Withdrawn" deprecated="1.0.0">**(deprecated)*** Use 'withdrawn'
-                              instead.</enum>
+                        <enum value="withdrawn">The control is no longer used. It may have been retired, incorporated into another control, or moved to a different control.</enum>
+                        <enum value="normal">[Default] This control exists as intended.</enum>
+                        <enum value="reserved">This is a placeholder for a future control.</enum>
+                        <enum value="deprecated">This control will be withdrawn. The withdrawn timeline or milestone may be describe the remarks.</enum>
+                        <enum value="conditional">This control is only applicable under certain conditions described in the remarks.</enum>
+                        <enum value="superseded">This control has been superseded by the artifact indicated by one or more "superseded-by" links or as described in the remarks.</enum>
+                        <enum value="modified">This control has been updated from a prior version, as described in the remarks.</enum>
+                        <enum value="experimental">This control is a pilot or proposed control; not yet required.</enum>
                   </allowed-values>
                   <allowed-values id="oscal-control-link-rel-type" target="link/@rel" allow-other="yes">
                         <enum value="reference">The link cites an external resource related to this

src/metaschema/oscal_ssp_metaschema.xml

@@ -618,12 +618,16 @@
       <index id="oscal-system-implementation-component-validation-uuid-index" name="index-system-implementation-component-uuid-validation" target="component[@type='validation']">
         <key-field target="@uuid"/>
       </index>
-      <index-has-key id="oscal-system-implementation-validated-by-index" name="index-system-implementation-component-uuid-validation" target="component/link[@rel='validated-by']">
+      <!-- "validated-by" was replaced with "validation" in allowed-values-component_component_link-rel.ent but the change was not propagated at that time.
+      Propagating the change to the index-has-key below, which was missed in the original change, to align with the new rel value of "validation" 
+      while also implementing the PR #2107 which has been abandoned by the author.
+      PR #2107 was adding `and starts-with(@href,'#')` to the index-has-key for the "validated-by" rel value which is no longer valid. The proposed change is included below.
+      NOTE: By propagating the old change that renamed "validated-by" with "validation" and implementing the link/@rel=`validation`, 
+      the "validation" value is intentionally now used by the component/@type="validation" and link/@rel="validation". This is a feature not a bug.
+      -->
+      <index-has-key id="oscal-system-implementation-validation-index" name="index-system-implementation-component-uuid-validation" target="component/link[@rel='validation' and starts-with(@href,'#')]">
         <key-field target="@href"/>
       </index-has-key>
-      <!-- index-has-key id="oscal-system-implementation-proof-of-compliance-index" name="index-system-implementation-component-uuid-validation" target="component/link[@rel='proof-of-compliance']">
-        <key-field target="@href"/>
-      </index-has-key -->
 
       <!-- References to components of @type="service" -->
       <index id="oscal-index-system-implementation-component-uuid-service" name="index-system-implementation-component-uuid-service" target="component[@type='service']">
@@ -729,7 +733,7 @@
       <index-has-key id="oscal-implemented-requirement-index-metadata-role-id"  name="index-metadata-role-id" target="responsible-role|statement/responsible-role|.//by-component//responsible-role">
         <key-field target="@role-id"/>
       </index-has-key>
-      <index-has-key id="oscal-implemented-requirement-index-metadata-party-uuid" name="index-metadata-party-uuid" target="responsible-role|statement/responsible-role|.//by-component//responsible-role">
+      <index-has-key id="oscal-implemented-requirement-index-metadata-party-uuid" name="index-metadata-party-uuid" target="responsible-role[party-uuid]|statement/responsible-role[party-uuid]|.//by-component//responsible-role[party-uuid]">
         <key-field target="party-uuid"/>
       </index-has-key>
       <has-cardinality id="oscal-implemented-requirement-by-component-cardinality" target=".//by-component" min-occurs="1">

src/specifications/profile-resolution/readme.md

@@ -23,7 +23,7 @@ need a process for this - also Github Issues?
 
 ## Providing feedback on this specification
 
-The OSCAL team welcomes feedback on the work in progress in this subdirectory, whether it be questions, points for clarification, critiques or suggestions. A rendered version of the Profile Resolution specification maintained here [appears](https://pages.nist.gov/OSCAL/resources/concepts/processing/profile-resolution/) on the OSCAL web site.
+The OSCAL team welcomes feedback on the work in progress in this subdirectory, whether it be questions, points for clarification, critiques or suggestions. A rendered version of the Profile Resolution specification maintained here [appears](https://pages.nist.gov/OSCAL/learn/concepts/processing/profile-resolution/) on the OSCAL web site.
 
 Please post Issues in Github or questions to the OSCAL mailing list, or ask about them on our [Gitter channel](https://gitter.im/usnistgov-OSCAL/Lobby). (See https://pages.nist.gov/OSCAL/contact/ for links.)