Merge branch 'master' into dependabot/npm_and_yarn/src/examples/javascript/npm_and_yarn-2415dc3285

Author: Ron Sherfey

.github/CODEOWNERS

@@ -2,4 +2,4 @@
 # the repo. Unless a later match takes precedence,
 # global-owner1 and global-owner2 will be requested for
 # review when someone opens a pull request.
-*       @GSA/fedramp-automation-admins
+*       @GSA/fedramp-oscal-contributors

.github/ISSUE_TEMPLATE/3-action-item.yaml

@@ -22,19 +22,15 @@ body:
   - type: checkboxes
     attributes:
       label: This relates to ...
-      description: Select all things this feedback relates to.
+      description: Select all things this feedback relates to. (For changes to the FedRAMP OSCAL guidance document, please submit an issue [in the automate.fedramp.gov repository](https://github.com/GSA/automate.fedramp.gov/issues).)
       options:
-      - label: the **FedRAMP OSCAL Registry**
       - label: the **FedRAMP OSCAL baselines**
-      - label: the **Guide to OSCAL-based FedRAMP Content**
-      - label: the **Guide to OSCAL-based FedRAMP System Security Plans (SSP)**
-      - label: the **Guide to OSCAL-based FedRAMP Security Assessment Plans (SAP)**
-      - label: the **Guide to OSCAL-based FedRAMP Security Assessment Results (SAR)**
-      - label: the **Guide to OSCAL-based FedRAMP Plan of Action and Milestones (POA&M)**
-      - label: the **FedRAMP SSP OSCAL Template** (JSON or XML Format)
-      - label: the **FedRAMP SAP OSCAL Template** (JSON or XML Format)
-      - label: the **FedRAMP SAR OSCAL Template** (JSON or XML Format)
-      - label: the **FedRAMP POA&M OSCAL Template** (JSON or XML Format)
+      - label: the **FedRAMP SSP OSCAL Example** 
+      - label: the **FedRAMP SAP OSCAL Example** 
+      - label: the **FedRAMP SAR OSCAL Example**
+      - label: the **FedRAMP POA&M OSCAL Example**
+      - label: the **FedRAMP OSCAL Validations**
+      - label: the **Not sure** 
   - type: textarea
     id: user-story
     attributes:

.github/ISSUE_TEMPLATE/4-constraint-work.yaml

@@ -0,0 +1,114 @@
+name: Add, Change, or Remove a Constraint
+description: Define work to be performed specifically related to the adding, changing, or removing constraints.
+labels: ["enhancement"]
+body:
+  - type: textarea
+    id: user-story
+    attributes:
+      label: Constraint Task
+      description: Identify the constraint 
+      placeholder: |
+        Consistent with the parent/tracked-by issue, this constraint work focuses on ...
+    validations:
+      required: true
+
+  - type: textarea
+    id: intended-outcome
+    attributes:
+      label: Intended Outcome
+      description: Describe the reason for the constraint 
+      placeholder: |
+        Ensure the {*content*} is ...
+    validations:
+      required: true
+
+  - type: markdown
+    attributes:
+      value: OSCAL Content Details
+      
+  - type: dropdown
+    attributes:
+      label: Syntax Type
+      options:
+      - This is required core OSCAL syntax.
+      - This is optional core OSCAL syntax.
+      - This is a FedRAMP constraint in the FedRAMP-specific namespace.
+      - This is a mix of required, optional, and/or extended syntax.
+      - Not sure, can maintainers help me choose?
+    validations:
+      required: true
+
+  - type: dropdown
+    attributes:
+      label: Allowed Values
+      options:
+      - There are no relevant allowed values.
+      - There are only NIST-defined allowed values.
+      - FedRAMP allowed values must be defined or verified.
+      - NIST-allowed values must be extended with FedRAMP allowed values.
+      - Not sure, can maintainers help me choose?
+    validations:
+      required: true
+
+  - type: textarea
+    id: metapath
+    attributes:
+      label: Metapath(s) to Content
+      description: Provide the metapath/xpath to the OSCAL conent. This will be automatically formatted into code, so no need for backticks.
+      render: xslt
+    validations:
+      required: true
+
+
+  - type: textarea
+    id: purpose
+    attributes:
+      label: Purpose of the OSCAL Content
+      description: Describe how the OSCAL content is used by FedRAMP Reviewers.
+      placeholder: |
+        Provide information that explains why the constraint is important 
+    validations:
+      required: false
+
+  - type: textarea
+    id: dependencies
+    attributes:
+      label: Dependencies
+      description: Describe any previous issues or related work that must be completed to start or complete this issue.
+      placeholder: |
+        Link to any previous issues or related work.
+    validations:
+      required: false
+
+  - type: textarea
+    id: acceptance-criteria
+    attributes:
+      label: Acceptance Criteria
+      description: Describe the artifacts and additional work that must be completed to resolve this issue.
+      placeholder: |
+        The items below are general acceptance criteria for all User Stories. Please describe anything else that must be completed for this issue to be considered resolved.
+      value: |
+        - [ ] All [OSCAL adoption content](http://automate.fedramp.gov/) affected by the change in this issue have been updated in accordance with the Documentation Standards.
+          - [ ] Explanation is present and accurate
+          - [ ] sample content is present and accurate
+          - [ ] [Metapath](https://pages.nist.gov/metaschema/specification/syntax/metapath/) is present,  accurate, and does not throw a syntax exception using `oscal-cli metaschema metapath eval -e "expression"`. 
+        - [ ] All constraints associated with the review task have been created
+        - [ ] The appropriate example OSCAL file is updated with content that demonstrates the FedRAMP-compliant OSCAL presentation.
+        - [ ] The constraint conforms to the FedRAMP Constraint Style Guide. 
+          - [ ] All automated and manual review items that identify non-conformance are addressed; **or** technical leads (David Waltermire; AJ Stein) have approved the PR and “override” the style guide requirement.
+        - [ ] Known good test content is created for unit testing.
+        - [ ] Known bad test content is created for unit testing.
+        - [ ] Unit testing is configured to run both known good and known bad test content examples.
+        - [ ] Passing and failing unit tests, and corresponding test vectors in the form of known valid and invalid OSCAL test files, are created or updated for each constraint.
+        - [ ] A Pull Request (PR) is submitted that fully addresses the goals section of the User Story in the issue. 
+        - [ ] This issue is referenced in the PR.
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: Other information
+      description: Provide any other relevant information.
+      placeholder: |
+        detailed explanation, suggestions how to fix, reference to related issues, links providing context, etc.
+

.github/dependabot.yml

@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  - package-ecosystem: "" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "daily"

.github/workflows/docker-image.yml

@@ -0,0 +1,18 @@
+name: Docker Image CI
+
+on:
+  push:
+    branches: [ "master" ]
+  pull_request:
+    branches: [ "master" ]
+
+jobs:
+
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+    - name: Build the Docker image
+      run: docker build . --file Dockerfile --tag my-image-name:$(date +%s)

.github/workflows/ibm.yml

@@ -0,0 +1,75 @@
+# This workflow will build a docker container, publish it to IBM Container Registry, and deploy it to IKS when there is a push to the "master" branch.
+#
+# To configure this workflow:
+#
+# 1. Ensure that your repository contains a Dockerfile
+# 2. Setup secrets in your repository by going to settings: Create ICR_NAMESPACE and IBM_CLOUD_API_KEY
+# 3. Change the values for the IBM_CLOUD_REGION, REGISTRY_HOSTNAME, IMAGE_NAME, IKS_CLUSTER, DEPLOYMENT_NAME, and PORT
+
+name: Build and Deploy to IKS
+
+on:
+  push:
+    branches: [ "master" ]
+
+# Environment variables available to all jobs and steps in this workflow
+env:
+  GITHUB_SHA: ${{ github.sha }}
+  IBM_CLOUD_API_KEY: ${{ secrets.IBM_CLOUD_API_KEY }}
+  IBM_CLOUD_REGION: us-south
+  ICR_NAMESPACE: ${{ secrets.ICR_NAMESPACE }}
+  REGISTRY_HOSTNAME: us.icr.io
+  IMAGE_NAME: iks-test
+  IKS_CLUSTER: example-iks-cluster-name-or-id
+  DEPLOYMENT_NAME: iks-test
+  PORT: 5001
+
+jobs:
+  setup-build-publish-deploy:
+    name: Setup, Build, Publish, and Deploy
+    runs-on: ubuntu-latest
+    environment: production
+    steps:
+
+    - name: Checkout
+      uses: actions/checkout@v4
+
+    # Download and Install IBM Cloud CLI
+    - name: Install IBM Cloud CLI
+      run: |
+        curl -fsSL https://clis.cloud.ibm.com/install/linux | sh
+        ibmcloud --version
+        ibmcloud config --check-version=false
+        ibmcloud plugin install -f kubernetes-service
+        ibmcloud plugin install -f container-registry
+
+    # Authenticate with IBM Cloud CLI
+    - name: Authenticate with IBM Cloud CLI
+      run: |
+        ibmcloud login --apikey "${IBM_CLOUD_API_KEY}" -r "${IBM_CLOUD_REGION}" -g default
+        ibmcloud cr region-set "${IBM_CLOUD_REGION}"
+        ibmcloud cr login
+
+    # Build the Docker image
+    - name: Build with Docker
+      run: |
+        docker build -t "$REGISTRY_HOSTNAME"/"$ICR_NAMESPACE"/"$IMAGE_NAME":"$GITHUB_SHA" \
+          --build-arg GITHUB_SHA="$GITHUB_SHA" \
+          --build-arg GITHUB_REF="$GITHUB_REF" .
+
+    # Push the image to IBM Container Registry
+    - name: Push the image to ICR
+      run: |
+        docker push $REGISTRY_HOSTNAME/$ICR_NAMESPACE/$IMAGE_NAME:$GITHUB_SHA
+
+    # Deploy the Docker image to the IKS cluster
+    - name: Deploy to IKS
+      run: |
+        ibmcloud ks cluster config --cluster $IKS_CLUSTER
+        kubectl config current-context
+        kubectl create deployment $DEPLOYMENT_NAME --image=$REGISTRY_HOSTNAME/$ICR_NAMESPACE/$IMAGE_NAME:$GITHUB_SHA --dry-run -o yaml > deployment.yaml
+        kubectl apply -f deployment.yaml
+        kubectl rollout status deployment/$DEPLOYMENT_NAME
+        kubectl create service loadbalancer $DEPLOYMENT_NAME --tcp=80:$PORT --dry-run -o yaml > service.yaml
+        kubectl apply -f service.yaml
+        kubectl get services -o wide

.github/workflows/npm-grunt.yml

@@ -0,0 +1,28 @@
+name: NodeJS with Grunt
+
+on:
+  push:
+    branches: [ "master" ]
+  pull_request:
+    branches: [ "master" ]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        node-version: [14.x, 16.x, 18.x]
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Use Node.js ${{ matrix.node-version }}
+      uses: actions/setup-node@v3
+      with:
+        node-version: ${{ matrix.node-version }}
+
+    - name: Build
+      run: |
+        npm install
+        grunt

.gitignore

@@ -13,7 +13,7 @@ src/validations/lib/**.jar
 src/validations/report
 src/validations/src/ssp.xsl
 src/validations/target
-utils
+utils/*.xsl
 /node_modules
 
 # XSpec reports (from OxygenXML XSpec use)

azure-pipelines.yml

@@ -0,0 +1,29 @@
+# Docker
+# Build a Docker image
+# https://docs.microsoft.com/azure/devops/pipelines/languages/docker
+
+trigger:
+- master
+
+resources:
+- repo: self
+
+variables:
+  tag: '$(Build.BuildId)'
+
+stages:
+- stage: Build
+  displayName: Build image
+  jobs:
+  - job: Build
+    displayName: Build
+    pool:
+      vmImage: ubuntu-latest
+    steps:
+    - task: Docker@2
+      displayName: Build an image
+      inputs:
+        command: build
+        dockerfile: '$(Build.SourcesDirectory)/src/examples/java/Dockerfile'
+        tags: |
+          $(tag)

dist/content/rev4/README.md

@@ -0,0 +1,5 @@
+# REV4 CONTENTS DEPRECATED
+
+FedRAMP has updated its documentation and templates to align with NIST Special Publication 800-53 Revision 5 (see https://www.fedramp.gov/rev5-transition/). All authorization and continuous monitoring activities going forward will be based on requirements in Revision 5, so FedRAMP Revision 4 baselines, resources, and templates are deprecated, as described in [ADR #007](/documents/adr/007-signal-unsupportent-content-in-github.md).
+
+**NOTE - CONTENT IN THIS FOLDER OR SUBFOLDER IS DEPRECATED. SUBSEQUENT RELEASES WILL NOT INCLUDE THIS CONTENT.**

dist/content/rev4/baselines/json/FedRAMP_rev4_HIGH-baseline-resolved-profile_catalog-min.json

@@ -1,11 +1,11 @@
 {
   "catalog": {
-    "uuid": "bb77868b-4a08-4677-8f3a-67d9b3c46d38",
+    "uuid": "47c4e518-da88-4a9f-815e-cdc40c4c327f",
     "metadata": {
       "title": "FedRAMP Rev 4 High Baseline",
-      "published": "2021-02-05T00:00:00.000-04:00",
-      "last-modified": "2024-03-07T07:53:34.410816-05:00",
-      "version": "fedramp1.1.1-oscal1.0.4",
+      "published": "2024-09-24T02:24:00Z",
+      "last-modified": "2024-09-23T22:00:18.266792-04:00",
+      "version": "fedramp2.1.0-oscal1.0.4",
       "oscal-version": "1.0.4",
       "links": [
         {

dist/content/rev4/baselines/json/FedRAMP_rev4_HIGH-baseline-resolved-profile_catalog.json

@@ -1,11 +1,11 @@
 {
   "catalog": {
-    "uuid": "bb77868b-4a08-4677-8f3a-67d9b3c46d38",
+    "uuid": "47c4e518-da88-4a9f-815e-cdc40c4c327f",
     "metadata": {
       "title": "FedRAMP Rev 4 High Baseline",
-      "published": "2021-02-05T00:00:00.000-04:00",
-      "last-modified": "2024-03-07T07:53:34.410816-05:00",
-      "version": "fedramp1.1.1-oscal1.0.4",
+      "published": "2024-09-24T02:24:00Z",
+      "last-modified": "2024-09-23T22:00:18.266792-04:00",
+      "version": "fedramp2.1.0-oscal1.0.4",
       "oscal-version": "1.0.4",
       "links": [
         {

dist/content/rev4/baselines/json/FedRAMP_rev4_HIGH-baseline_profile-min.json

@@ -3,9 +3,9 @@
     "uuid": "a96528f4-ced6-4711-b394-509b7042dfa5",
     "metadata": {
       "title": "FedRAMP Rev 4 High Baseline",
-      "published": "2021-02-05T00:00:00.000-04:00",
-      "last-modified": "2023-06-23T00:00:00.000-04:00",
-      "version": "fedramp1.1.1-oscal1.0.4",
+      "published": "2024-09-24T02:24:00Z",
+      "last-modified": "2024-09-24T02:24:00Z",
+      "version": "fedramp2.1.0-oscal1.0.4",
       "oscal-version": "1.0.4",
       "roles": [
         {

dist/content/rev4/baselines/json/FedRAMP_rev4_HIGH-baseline_profile.json

@@ -3,9 +3,9 @@
     "uuid": "a96528f4-ced6-4711-b394-509b7042dfa5",
     "metadata": {
       "title": "FedRAMP Rev 4 High Baseline",
-      "published": "2021-02-05T00:00:00.000-04:00",
-      "last-modified": "2023-06-23T00:00:00.000-04:00",
-      "version": "fedramp1.1.1-oscal1.0.4",
+      "published": "2024-09-24T02:24:00Z",
+      "last-modified": "2024-09-24T02:24:00Z",
+      "version": "fedramp2.1.0-oscal1.0.4",
       "oscal-version": "1.0.4",
       "roles": [
         {