fix: correct XPath descendant axis (//) in catalog assessment-method constraints (#1951)#2212
Conversation
Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.1 to 6.0.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@8e8c483...de0fac2) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 6.2.0 to 6.3.0. - [Release notes](https://github.com/actions/setup-node/releases) - [Commits](actions/setup-node@6044e13...53b8394) --- updated-dependencies: - dependency-name: actions/setup-node dependency-version: 6.3.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps com.xmlcalabash:xmlcalabash from 3.0.31 to 3.0.42. --- updated-dependencies: - dependency-name: com.xmlcalabash:xmlcalabash dependency-version: 3.0.42 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [org.apache.maven.plugins:maven-dependency-plugin](https://github.com/apache/maven-dependency-plugin) from 3.9.0 to 3.10.0. - [Release notes](https://github.com/apache/maven-dependency-plugin/releases) - [Commits](apache/maven-dependency-plugin@maven-dependency-plugin-3.9.0...maven-dependency-plugin-3.10.0) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-dependency-plugin dependency-version: 3.10.0 dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
…tion in system-implementation and implementing abandoned PR 2107 which proposed fixing the validation constraints to properly dereference and key on uri-reference values.
Pull request overview
Fixes catalog metaschema constraint targeting so assessment-method-related constraints apply to nested part/prop descendants (not just direct children), aligning behavior with intended validation for assessment-method structures.
Changes:
- Update four XPath target expressions in src/metaschema/oscal_catalog_metaschema.xml to use the descendant axis (//) under assessment-method parts.
- Add an npm overrides entry in build/package.json to force fast-json-patch to >=3.1.1.
- Update build/package-lock.json to resolve fast-json-patch to 3.1.1.
Reviewed changes
Copilot reviewed 1 out of 1 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| src/metaschema/oscal_catalog_metaschema.xml | Corrects XPath targeting so constraints validate nested part/prop under assessment-method. |
| build/package.json | Introduces npm override to force a newer fast-json-patch. |
| build/package-lock.json | Locks fast-json-patch to 3.1.1 and adjusts dependency metadata accordingly. |
/cc @iMichaela
@nancysangani - Please note, your branch needs to be rebased. Do you want me to push it or will you do it?
force-pushed from bbbf511 to 274108a
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.
<enum value="method">The assessment method to use. This typically appears on
parts with the name "assessment-method".</enum>
</allowed-values>
<expect level="WARNING" id="oscal-method-part-has-method-prop" target="part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('assessment','assessment-method')]" test="prop[has-oscal-namespace(('http://csrc.nist.gov/ns/oscal','http://csrc.nist.gov/ns/rmf')) and @name='method']"/>
The allowed-values targets were updated to use the descendant axis (//prop[...]) under assessment-method, but the expect constraint oscal-method-part-has-method-prop still checks only a direct child prop[...]. If the method prop can occur under nested parts (the scenario this PR is addressing), this expect will raise false warnings. Consider updating the test XPath to also use a descendant search (e.g., .//prop[...]) so it aligns with the updated constraint targets.
<expect level="WARNING" id="oscal-method-part-has-method-prop" target="part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('assessment','assessment-method')]" test="prop[has-oscal-namespace(('http://csrc.nist.gov/ns/oscal','http://csrc.nist.gov/ns/rmf')) and @name='method']"/>
<expect level="WARNING" id="oscal-method-part-has-method-prop" target="part[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name=('assessment','assessment-method')]" test=".//prop[has-oscal-namespace(('http://csrc.nist.gov/ns/oscal','http://csrc.nist.gov/ns/rmf')) and @name='method']"/>
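Review bot: the suggested test ".//prop[...]" is looser than the target it is meant to match, not just aligned with it: because the expect target also selects parts named "assessment" (via @name=('assessment','assessment-method')), a descendant search from an "assessment" part will be satisfied by a method prop sitting on any assessment-method part below it, so an "assessment" part that is itself missing the prop, or an assessment-method part whose prop lives on an unrelated nested sub-part, stops producing the WARNING. Before accepting the suggestion, confirm whether the method prop is actually allowed on nested parts (the question raised later in this thread); if it is only expected on the assessment-method part itself, keep the child-axis test there and fix the target selection instead. Separately, the test accepts the prop under 'http://csrc.nist.gov/ns/oscal' while a later comment notes prop@name="method" is deprecated for the oscal namespace; the namespace list in the test and the allowed-values targets should be reconciled in the same change.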
force-pushed from 274108a to 5f76eb3
@iMichaela Rebased onto latest develop and pushed.
iMichaela left a comment
This PR aims to revert the recent update of fast-json-patch to v3.1.1 to eliminate a critical vulnerability. Is there an explanation for the suggested change?
@nancysangani - The I will also review the issue, to clarify it.
Hi @iMichaela, apologies for the confusion! This PR is only intended to fix the XPath descendant axis bug reported in #1951. The
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.
Thank you for the clarification! I understand the concern — using I will wait for your review of the issue before making further changes. Please let me know the correct intended behavior and I will update the PR accordingly. |
Thank you, Nancy. I will review #1951 asap and get back to you. The screenshot I inserted reveals some other issues with the declarations we currently have (prop@name="method" is deprecated for the oscal namespace but called under the next statement).
@nancysangani - Thank you again for your contribution. This PR was not approved yet because we are still researching if the proposed update to use the descendant axis nested for


Fixes #1951 — Correct XPath descendant axis (//) in catalog assessment-method constraints

Three constraint target expressions in oscal_catalog_metaschema.xml used / (child axis) instead of // (descendant axis), causing constraints to silently skip nested part and prop elements under assessment-method parts. An additional fourth instance was identified and fixed as well.

File changed: src/metaschema/oscal_catalog_metaschema.xml

| Before | After | Instances |
|---|---|---|
| assessment-method')]/part[ | assessment-method')]//part[ | 1 |
| assessment-method')]/prop[ | assessment-method')]//prop[ | 3 |
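The child-axis versus descendant-axis difference described in this PR, run over a constructed mini-catalog. This is an added example, not code from the OSCAL project or this PR: it uses Python's standard-library ElementTree, whose XPath subset has no has-oscal-namespace() function and no multi-value @name comparison, so the real predicates are simplified to a single default namespace and a single name value, and the control and part ids are invented for the demonstration. It shows which method props a target written with / versus // reaches, and how the oscal-method-part-has-method-prop expect behaves with a child test versus a .// test.

```python
"""Child axis ('/') versus descendant axis ('//') in the catalog constraint
targets discussed in this PR, demonstrated on a constructed mini-catalog
with Python's standard-library ElementTree (added example, not OSCAL code)."""
import xml.etree.ElementTree as ET

NS = {"oscal": "http://csrc.nist.gov/ns/oscal/1.0"}

# Constructed sample (not taken from the PR or any NIST catalog):
#   ac-1: the method prop is a direct child of the assessment-method part
#   ac-2: the method prop sits on a part nested under the assessment-method part
#   ac-3: the assessment-method part itself is nested one level deeper
SAMPLE_CATALOG = """\
<catalog xmlns="http://csrc.nist.gov/ns/oscal/1.0">
  <control id="ac-1">
    <part name="assessment" id="ac-1_asm">
      <part name="assessment-method" id="ac-1_asm-examine">
        <prop name="method" value="EXAMINE"/>
      </part>
    </part>
  </control>
  <control id="ac-2">
    <part name="assessment" id="ac-2_asm">
      <part name="assessment-method" id="ac-2_asm-test">
        <part name="assessment-objects" id="ac-2_asm-test_obj">
          <prop name="method" value="TEST"/>
        </part>
      </part>
    </part>
  </control>
  <control id="ac-3">
    <part name="assessment" id="ac-3_asm">
      <part name="assessment-group" id="ac-3_asm_grp">
        <part name="assessment-method" id="ac-3_asm-interview">
          <prop name="method" value="INTERVIEW"/>
        </part>
      </part>
    </part>
  </control>
</catalog>
"""


def load(xml_text=SAMPLE_CATALOG):
    """Parse the sample catalog and return its root element."""
    return ET.fromstring(xml_text)


def method_values(root, axis):
    """Values of the method props reached by a constraint target written as
    part[assessment] AXIS part[assessment-method] AXIS prop[method].
    The project's real targets also test has-oscal-namespace() and a
    two-value @name; ElementTree's XPath subset has neither, so one
    namespace and one name are used (a simplification, not the exact predicate)."""
    if axis not in ("/", "//"):
        raise ValueError("axis must be '/' (child) or '//' (descendant)")
    path = (".//oscal:part[@name='assessment']" + axis
            + "oscal:part[@name='assessment-method']" + axis
            + "oscal:prop[@name='method']")
    return [prop.get("value") for prop in root.iterfind(path, NS)]


def method_part_warnings(root, descendant=False):
    """Emulates the oscal-method-part-has-method-prop expect: returns the ids
    of assessment-method parts whose test XPath finds no method prop, i.e.
    the parts that would receive a WARNING."""
    test = (".//" if descendant else "./") + "oscal:prop[@name='method']"
    return [part.get("id")
            for part in root.iterfind(".//oscal:part[@name='assessment-method']", NS)
            if part.find(test, NS) is None]


if __name__ == "__main__":
    root = load()
    for axis in ("/", "//"):
        print(f"target with {axis:>2} reaches method props: {method_values(root, axis)}")
    print("expect with child test warns on:", method_part_warnings(root))
    print("expect with .// test   warns on:", method_part_warnings(root, descendant=True))
```

With the child axis the target reaches only ac-1's prop: ac-2 is skipped because its prop is one level down, and ac-3 because its assessment-method part is one level down, which is the silent validation gap the PR closes. The expect emulation shows the other side of the review thread: the child test warns on ac-2 only, and the .// test warns on nothing, so switching the test to a descendant search is only right if a method prop on a nested sub-part is genuinely acceptable.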