… will likely change over time to become better and more complete as an example.

Not all, but many, actions were pinned to old versions by tag and to an
explicit SHA1 hash from the repo that are old enough to cause GHA
error notices. Upgraded from these to current SHA1 hash for the most
(692973e3d937129bcbf40652eb9f2f61becf3332) for recent v4.1.7 release.

> The following actions uses node12 which is deprecated and will be forced to run on node16: actions/checkout@v2. For more info: https://github.blog/changelog/2023-06-13-github-actions-all-actions-will-run-on-node16-instead-of-node12-by-default/

> The following actions use a deprecated Node.js version and will be forced to run on node20: actions/checkout@v2. For more info: https://github.blog/changelog/2024-03-07-github-actions-all-actions-will-run-on-node20-instead-of-node16-by-default/

Source: https://github.com/GSA/fedramp-automation/actions/runs/10783353551

This directive is now obsolete, causes more noise in the GHA workflow
run logs.

https://forums.docker.com/t/docker-compose-yml-version-is-obsolete/141313

Dependabot still stinks about switching the target branch to rebase,
recreate, or do whatever. More details in the longstanding issue. I give
up! I cherry-picked the #673 commit because the related docker command
issues that fail those builds would be better fixed here, go figure.

dependabot/dependabot-core#6692

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) from 3.2.7 to 3.2.11.
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/v3.2.11/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v3.2.11/packages/vite)

---
updated-dependencies:
- dependency-name: vite
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…ts for use with OSCAL-cli.

…errors.

* Introduce cucumber testing of yaml unit tests
* introduce content generation and validation via CLI
* use junit
* eslint format

* Draft allowed values metaschema and YAML unit test.
* automate content generation and validation via CLI (#614)
* Introduce cucumber testing of yaml unit tests
* introduce content generation and validation via CLI
* better test summary reporting
* introduce constraint coverage checking + improve coverage
* throw an error if we do not find the matching rule
* store output in .sarif folder
* update constraints & test strategy, allow for mixed results as failure test
* pretty print sarif & correct file name output
* add time to sarif output file
* introduce validation-cache for performance

Co-authored-by: David Waltermire <davewaltermire@gmail.com>
Co-authored-by: Rene Tshiteya <rene-claude.tshiteya@gsa.gov>
Co-authored-by: DimitriZhurkin <dimitri.zhurkin@noblis.org>

* Improve constraint coverage tests
* Update features/steps/fedramp_extensions_steps.ts

---------
Co-authored-by: David Waltermire <davewaltermire@gmail.com>

* Add README.md to OSCAL CLI instructions

* Implemented reviewers' comments

* make test runner aware of informational constraint results

* Update features/steps/fedramp_extensions_steps.ts

Co-authored-by: A.J. Stein <aj@gsa.gov>

* improve test runner to handle warn and informational tests better

* Update fedramp_extensions_steps.ts

---------

Co-authored-by: A.J. Stein <aj@gsa.gov>

* add make update command

* add make constraint

* improve first run on fresh constraint

* Constraint-specific CONTRIBUTING to its own dir

Add the diagram of the constraint and testing
components specific to this area of code base here
and outline other sections to follow.

* Reference prerequisites in README for install

* Reorder CONTRIBUTING sections, add Metaschema one

* Add references to relevant Metaschema docs

* Add docs for new constraint tests

* Sigh, whitespace from code blocks break numbering

* Add detailed docs on modifying existing constraint

* Shorten and clean up explanatory copy

* Explain purpose of oscal-external constraints

* Clarify oscal file for generic constraints only

* Add guidance for using which FR constraints file

* [skip ci] Docs for deleting tests, links to PR docs

* Add @Rene2mt's feedback about testing one constraint by ID

Clearly this guy constraints!

Co-authored-by: Rene Tshiteya <rene-claude.tshiteya@gsa.gov>

* [skip ci] Clean up typos, grammar, and missing info per @Rene2mt's PR feedback

Co-authored-by: Rene Tshiteya <rene-claude.tshiteya@gsa.gov>

---------

Co-authored-by: Rene Tshiteya <rene-claude.tshiteya@gsa.gov>

* Added constraints and tests for resource-has-(title/rlink)

* metapath cleanup

* Add comment

Co-authored-by: A.J. Stein <aj@gsa.gov>

* Add comment

Co-authored-by: A.J. Stein <aj@gsa.gov>

* Added or base64 condition

* Cleanup

* Edit constraint name

---------

Co-authored-by: A.J. Stein <aj@gsa.gov>

)

* [skip ci] More appropriate README title for #659

* [skip ci] Context for constraints, tools for #659

Be sure to talk about the constraints and their relationship to the tool,
do not just talk about the `oscal-cli` without context. Re-order some of
the info, talk about target audience before install instructions.

* [skip ci] Remove dupe copy of 'who for?' for #659

* [skip ci] Subject is FR not only FR devs in #659

* [skip ci] No more header numbers, add headers #659

* [skip ci] Better intro and simple diagram for #659

* [skip ci] Docker install prerequisites for #659

* [skip ci] More install and command docs for #659

* [skip ci] Clearer wording on OCI tool for #659

* [skip ci]  Feedback for #659, re manual clone step

* [skip ci] Remove dangling this for #659

Thanks to @david-waltermire for catching that.

* [skip ci]  Align arguments docs, examples for #659

Based on some more detailed feedback from @Rene2mt that matched other
comments from Dave in the PR.

* Good catch, @gabelis, fix numbering for #659

* introduce data center constraints

* complete data center constraints

* Update src/validations/constraints/content/ssp-all-INVALID.xml

Co-authored-by: A.J. Stein <aj@gsa.gov>

* Update src/validations/constraints/content/ssp-all-VALID.xml

Co-authored-by: A.J. Stein <aj@gsa.gov>

* Update src/validations/constraints/content/ssp-location-INVALID.xml

Co-authored-by: A.J. Stein <aj@gsa.gov>

* remove allowed-type data center country code

* Late review feedback: align country code example with constraint

* Fix the correction that broke negative testing, sorry Paul

---------

Co-authored-by: A.J. Stein <aj@gsa.gov>

…write perms dropping (#665)

* Add initial OCI spec for container for #655

* Now add FR constraint files for #655

* Woops, fix typo in clone path for fd_data_dl scratch container

* Constraints in /opt/fedramp sudir, make it WORKDIR

* Switch to Alpine Maven scratch image not Debian

* Switch to Node for final image, install oscaljs

* Add checkout data to final image

* Fix missed parameterization of git image

* Add non-default OCI image build target for make

* Verify GPG signaure of oscal-cli build

* Add clean target for OCI image builds

* Allow for TLS bypass and proxy in Makefile

Disable cert-checking for the local version that is built on laptops for
GSA staff who make use of a VPN/proxy solution that intercept all TLS
communication for security monitoring. This includes not just Docker,
but also the containers as they build an image. Since production images
will be made in GitHub Actions without the Makefile, these directives
will be ignored.

* Do not do slow git clone, use local COPY instead

For speed, ease of access, and leave commit metadata from the container
ID linked to the commit hash itself, just copy from the outside context
of the image build.

* Add publish target to Makefile with useful tags

Also try docker push to GHCR to start before moving on the "in pipeline"
build with GitHub Actions.

* Fix repeat docker commands for correct tag-n-push

* Correct the org.opencontainers.image.source label

* Actions: perms for writing packages (ghcr.io)

* Actions: follow GH tutorial, more perms added

* Actions: build, sign, push, attest and OCI image

This workflow change is the first attempt at building, pushing, and
signing the validation-tools image to push to the ghcr.io registry.

* Actions: ref_name for image tags problematic

For both PRs and non-PR branches, that seems to cause problems for tags
that we ought to avoid for now.

* Actions: use action correctly, no manual labels

* Actions: remove metadata from Dockerfile, use GHA

* Actions: woops, forgot explicit checkout path

Our GHA CI/CD checks out to `./git-content`, `.` by default so the action
directive looking for context did not find the Dockerfile.

* Actions: check if least privilege perms block push

See more details in this reply and the larger context from others who
cannot push a built container to ghcr.io.

https://github.com/orgs/community/discussions/57724#discussioncomment-7779731

* Actions: scratch that, `write-all` blocked by org

The github.com/GSA organization still blocks the write to an org-level
package in very permissive move. Tips from the discussions posts did not
help here.

https://github.com/orgs/community/discussions/57724#discussioncomment-7779731

* Actions: add metadata action SHA options

We need to force SHA1 long (not seven-digit short version to avoid
collisions), remove both `sha-` prefix and remove suffix explicitly.

* Actions, sigh, really remove `sha256` prefix again

It seems that didn't stick the last time, so I will try this config
again and follow the official custom hash label strategy from the action
example from the official README.

* Support MVP platforms, arm64 and amd64

If not we will only support modern Apple computers with modern M1 chips,
not Intel environments for PC and older Macs. We need broad support for
these top platforms.

* Explicit platform option for buildx too for #656

It seems this may be needed because I still get similar but different
warnings on multi-platform docker builds when using on macOS on an Apple
laptop with a M1 processor and amd64 processor for personal computers
with Windows and Linux operating systems respectively.

> WARNING: The requested image's platform (linux/amd64) does not match the detected host platform (linux/arm64/v3) and no specific platform was requested

* Pin metadata action and update configs for #656

- Had a slightly wrong version of docker/metadata-action that could not
use annotations properly, hence no annotations on image.
- Use annotations instead of custom override labels with that action.
- Update docker/build-push-registry action to retrieve those labels as
well.
- Change subject name for attestation to end with `-attestation` suffix
to make the GHCR registry entries less confusing.

* Woops, attestation subject === image name for #656

I re-read the dogs. Attestations will be uploaded to Sigstore but I will
not busy up the registry with them every moment as it will make it even
more confusing for novice users and advanced developers what data they
are looking for by content-addressable git commit hash ID.

* Explanatory comments on Dockerfile lint for #656

For future analysis or assessment, I am leaving information in the
Dockerfile as comments to address warning output in docker build and
push flagging a potential finding re secrets based on variable names.

```sh
 4 warnings found (use docker --debug to expand):
 - SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ARG "OSCAL_CLI_GPG_KEY") (line 20)
 - SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ARG "TEMURIN_APK_KEY_URL") (line 45)
 - FromAsCasing: 'as' and 'FROM' keywords' casing do not match (line 17)
 - FromAsCasing: 'as' and 'FROM' keywords' casing do not match (line 43)
```

 They are IDs to secrets, not actually secrets, now I have documented it.

* Attestations need explicit reg push off for #656

Just removing it may not have done the trick.

* Added back-matter 'has' constraints

* Set levels to 'ERROR'

* Actions: tighten when docker build runs and how

- We do not want to fails build when staff and community make fork PRs.
- We want to make sure the latest feature branch is tagged and deployed
for now, stop push PR container builds before merge.

* Actions: more explicit branch targeting

I am not sure that syntax is air-tight with var == 'value1' || 'value2',
so make it more explicit and have var on left side and right side of the
boolean OR check.

* Actions: even more explicit use startsWith syntax

* Actions: one last attempt to force annotations

I had incorrectly put it on workflow_dispatch which will not help as
needed.

* Add system-owner role

* Adjust wording to be more friendly to users with less OSCAL knowledge.

---------

Co-authored-by: A.J. Stein <aj@gsa.gov>

* introduce missing-response-components constraint

* Add review feedback from AJ before merge

---------

Co-authored-by: A.J. Stein <aj@gsa.gov>

* Update SSP metadata role constraints

* Adjust message text to be more approachable, per PR feedback

---------

Co-authored-by: A.J. Stein <aj@gsa.gov>

* Added system-characteristics 'categorization-has constraints and tests

* Adjust path style and message wording per my PR feedback

---------

Co-authored-by: A.J. Stein <aj@gsa.gov>

* Add system-characteristics 'has-assurance-level' constraints & tests

* Make uniform wording for informational findings per PR review

---------

Co-authored-by: A.J. Stein <aj@gsa.gov>

* introduce metaquery script

* Update CONTRIBUTING.md

* Tweak header for mq explanation in CONTRIBUTING.md

---------

Co-authored-by: A.J. Stein <aj@gsa.gov>

* Added   constraints & tests

* Corrected message

…702)

* Added system-characteristics 'has-authorization-boundary' constraints & tests

* Style corrections

* Rephrase

* Fix IAL-FAL acronym typo and wrap up review.

---------

Co-authored-by: A.J. Stein <aj@gsa.gov>

* Fixed targets, created separate invalid files where necessary, redirected yaml fail test files where necessary, removed 2 constraints that are handled by the schema

* Fixed targets, created separate invalid files where necessary, redirected yaml fail test files where necessary, removed 1 constraint that is handled by the schema

* cleanup

* Introduce test data optimization ADR

* Correction: only scaffold invalid test data file

* Provide more detail in ADR

* Date correction

* Add solution & consequences

* Add reference to #710.

---------

Co-authored-by: A.J. Stein <aj@gsa.gov>

* add option to specify test content be made from template or use all invalid

* improve scaffolding for negative test cases

* introduce re-run script

* update contributing docs for rerun info

* improve scaffolding

* adjust constraint script to match feedback

* Update dev-constraint.js

* Created separate invalid test data file and edited the yaml fail case file to reference the new invalid test data file for each constraint in

* Created separate invalid test data file and edited the yaml fail case file to reference the new invalid test data file for each constraint in

* Removed deprecated invalid test data files

* Rename invalid test data files

* Delete ssp-all-INVALID.xml (obviously)

* [skip ci] Fix Makefile menu items for #697

* [skip ci] Add container debug approach for #697

* [skip ci] Fix docker cmd formatting for #697

* [skip ci] Fix docs, add entrypoint info for #697

* [skip ci] Path important for docker mounts in #697

* Add allowed-values (virtual, public, allows-authenticated-scan)

* Add YAML and ssp-virtual-INVALID..xml

* Add YAML and INVALID for public and authorized-scan allowed values.

* Rebase the branch and add "inventory-item" to constraints

* Fix feature inventory of tests per feedback

---------

Co-authored-by: A.J. Stein <aj@gsa.gov>

* hotfix post scaffold run

* Update dev-constraint.js

* remove conflicting legacy files

* [skip ci] No dupe ADR 6, properly number ADR 8

* [skip ci] Rename file from ADR 6 -> ADR 8

* [skip ci] 0-pad ADR 7 filename to match others

* Updated ADR #8 status

---------

Co-authored-by: Gabeblis <gabriel.rodriguez@gsa.gov>

* Add security level constraints

* Reduce out-of-context data not needed by security-level

---------

Co-authored-by: A.J. Stein <aj@gsa.gov>

* hotfix constraint script for windows

* Update test-scripts.yml

* remove debug log

* Update test-scripts.yml

* update dev constraint

* Update dev-constraint.js

* sort files listed from directories

…d results output (#735)

* [skip ci] Start up ADR 9 from template for #720

* [skip ci] Add context for decision in #720

* [skip ci] Add possible solutions for #720

* [skip ci] Hyperlink oscal-cli for bg in #720 PR

* [skip ci] Fix Metachema->Metaschema typos for #720

* [skip ci] Add consequences of decisions for #720

* [skip ci] Spacing and style guide for S4 in #720

* [skip ci] Recommend Solution 4 for #720

* [skip ci] Reorg and improve decision rec for #720

* [skip ci] Missed or required for decision in #720

* [skip ci] Clarify backporting and new dev for #720

* [skip ci] Clarify Metaschema data-types and structure per out-of-band PR review

* [skip ci] Correct namespace per PR feedbacm.

Co-authored-by: David Waltermire <davewaltermire@gmail.com>

* [skip ci] Correct grammar, editing-edit per review

Co-authored-by: Gabeblis <gabriel.rodriguez@gsa.gov>

* [skip ci] Clarify team vetted ahead of community

Per valid PR feedback, we should clarify that AJ and the team drafted
and reviewed the PR ahead of soliciting community review and feedback.

* [skip ci] Add newlines for `help-markdown` per final feedback

Co-authored-by: David Waltermire <davewaltermire@gmail.com>

---------

Co-authored-by: David Waltermire <davewaltermire@gmail.com>
Co-authored-by: Kylie Hunter <kylie.hunter@gsa.gov>
Co-authored-by: Gabeblis <gabriel.rodriguez@gsa.gov>

While working on #729, I realized we have filtered out some image builds targeting dev now that the feature branch is gone. This change will allow more pre-release evaluation of constraints as they are developed.

I should have PRed this or delegated it after we merged in the long-standing feature/external-constraints branch, but this miss was an oversight on my part.

* Add  constraint and tests

* Add help-url prop

I worked on the metaschema-framework/oscal-cli release but I was unable to finish a native OCI container build there. So, we need to update here manually again. This PR quickly addresses that.

* Add information-type-800-60-v2r1

* In target, add system URL ([@System='https://doi.org/10.6028/NIST.SP.800-60v2r1'])

* In ssp-information-type-id-INVALID.xml, add another invalid information-type-id

We need to reviews from at least three members of the team, we should
reconfigure the repo to use CODEOWNERS with not only admins, but the
group that includes all the team.

* fix informational constraint handling and make ssp-all valid correct

* revert external constraint changes

* Update fedramp-external-constraints.xml

* Update fedramp_extensions_steps.ts

* update info handling

* Update fedramp-external-constraints.xml

Co-authored-by: Gabeblis <gabriel.rodriguez@gsa.gov>

* Update fedramp-external-constraints.xml

Co-authored-by: Gabeblis <gabriel.rodriguez@gsa.gov>

* Update fedramp-external-constraints.xml

Co-authored-by: Gabeblis <gabriel.rodriguez@gsa.gov>

* Update fedramp-external-constraints.xml

Co-authored-by: Gabeblis <gabriel.rodriguez@gsa.gov>

* Update src/validations/constraints/fedramp-external-constraints.xml

Co-authored-by: Gabeblis <gabriel.rodriguez@gsa.gov>

* Update src/validations/constraints/fedramp-external-constraints.xml

Co-authored-by: Gabeblis <gabriel.rodriguez@gsa.gov>

* Update dev-constraint.js

---------

Co-authored-by: Gabeblis <gabriel.rodriguez@gsa.gov>

* Add allowed-values metadata fedramp-version

* Add fedramp-external-constraints.xml, ssp-fedramp-version-INVALID.xml, fedramp-version-FAIL.yaml, fedramp-version-PASS.yaml

* Implement reviewers' comments

* Add remarks

* Update help-url

* Add security-sensitivity-level-matches-security-impact-level

* Modify the message wording

* In the message, change MUST to SHOULD

* fixed data center property arguments in ssp-all-VALID

* changed data-center constraints to point to name = type, value = data-center

* made unit tests much more specific to their file name, AKA only one error occurs in each file

* Update src/validations/constraints/content/ssp-data-center-US-INVALID.xml

Co-authored-by: A.J. Stein <alexander.stein@gsa.gov>

* Update src/validations/constraints/content/ssp-data-center-alternate-INVALID.xml

Co-authored-by: A.J. Stein <alexander.stein@gsa.gov>

* Update src/validations/constraints/content/ssp-data-center-country-code-INVALID.xml

Co-authored-by: A.J. Stein <alexander.stein@gsa.gov>

* Update src/validations/constraints/content/ssp-data-center-primary-INVALID.xml

Co-authored-by: A.J. Stein <alexander.stein@gsa.gov>

* Update src/validations/constraints/content/ssp-data-center-primary-INVALID.xml

Co-authored-by: A.J. Stein <alexander.stein@gsa.gov>

* Update src/validations/constraints/content/ssp-data-center-US-INVALID.xml

Co-authored-by: A.J. Stein <alexander.stein@gsa.gov>

* Update src/validations/constraints/fedramp-external-constraints.xml

Co-authored-by: A.J. Stein <alexander.stein@gsa.gov>

* Update src/validations/constraints/fedramp-external-constraints.xml

Co-authored-by: A.J. Stein <alexander.stein@gsa.gov>

* Update src/validations/constraints/fedramp-external-constraints.xml

Co-authored-by: A.J. Stein <alexander.stein@gsa.gov>

* Update src/validations/constraints/content/ssp-data-center-count-INVALID.xml

Co-authored-by: A.J. Stein <alexander.stein@gsa.gov>

---------

Co-authored-by: A.J. Stein <alexander.stein@gsa.gov>

* Add responsible-party-is-person constraint

* Add help-url

* Update constraint to only validate required roles

* Make updates resolving review feedback comments

* [skip ci] Metaschema module for unit test struct

We are proposing changes to the structure of the JSON/YAML unit test
file used for all constraints test suite management. This version
documents the model of that YAML file before the proposed change in the
comments of the #817 PR, linked below.

#817 (comment)

* [skip ci] Document unit test metaschema elements

* [skip ci] Do not explicitly use default types

* [skip ci] Add missing `@id` and `@level` to model

* [skip ci] Add pipeline to pipeline, thx @wandmagic

* [skip ci] Backport #219 docs into model remarks

* [skip ci] Fix max-occurs re bad model cardinality

This addresses changes that should be handled as determined by upstream
guidance from metaschema-framework maintainers.

metaschema-framework/metaschema-java#221
metaschema-framework/metaschema#44

* [skip ci] Is a pipeline with a ref even a pipeline at all?

Thanks to @Rene2mt for PR feedback about the missing ref to the assembly definition of pipeline in the model.

Co-authored-by: Rene Tshiteya <rene-claude.tshiteya@gsa.gov>

---------

Co-authored-by: Rene Tshiteya <rene-claude.tshiteya@gsa.gov>

* Add import-profile constraints and tests

* Add different valid tests

* Add descriptions to test files to distinguish test cases

* Add functionality to run mutliple content files. Deleted extra yaml files, and preserved 1 pass/fail yaml file per constraint structure

* Constraint test & test file cleanup

* fixed error in the OSCAL deprecation strategy section that implied that an oscal version 1.0.0 would not support 1.0.1 +

* updated Rev 4 to Rev 5 under Dependencies

* fixed broken link

* Removed Rules Documentation Section

* Removed Implementation Details

* Enclosed manual install instructions in a drop down

* Enclosed manual install instructions in a drop down

* Enclosed container upgrade instructions in a drop down

* Updated NIST OSCAL version in dependencies

* Dual overhaul of the overview and addition of information about validation tooling

* Changed the order of the sections on main readme

* removed out of date information about release of rev 5 guidance

* Some general cleanup

* Cleaning up some things, and adding a table?

* cleaning up pt 2

* cleaning up pt 3

* Picking up from yesterday. Cleaning up wording, adding some drop downs

* added .bash_profile to path information

* changed to OSCAL syntax generaly instead of just SSPs

* Update README.md

Co-authored-by: Rene Tshiteya <rene-claude.tshiteya@gsa.gov>

* Update README.md

Co-authored-by: Rene Tshiteya <rene-claude.tshiteya@gsa.gov>

* Update README.md

Co-authored-by: Rene Tshiteya <rene-claude.tshiteya@gsa.gov>

* cleaning up introduction, implementing AJ's feedback, and adding a portion about visiting the automation website for our documentation

* no need to have a table with different resources if our only resource is the tooling. Correct me if I'm wrong

* this information will all be deprecated soon so no need to explicitly discuss it.

* deleted per AJ's advice

* made this link relative

* deleted per AJ's advice

* fixing typos and awkward wording in the versioning and deprecation section

Co-authored-by: A.J. Stein <alexander.stein@gsa.gov>

* Fixing spacing

Co-authored-by: A.J. Stein <alexander.stein@gsa.gov>

* changed build requirements to latest version of Java, removed Python

---------

Co-authored-by: Rene Tshiteya <rene-claude.tshiteya@gsa.gov>
Co-authored-by: A.J. Stein <alexander.stein@gsa.gov>

…targets

…traints (#689)

* Added system-characteristics 'cia-impact' and 'has-system-name-short' constraints and tests

* rephrase for clarity

* Create separate invalid tests

* Add more detailed test descriptions

* Adjust ssp-all-VALID.xml to have valid security levels

* Cleanup metapath

* Add help-url props

* Capitalize things

* add n

* introduce user constraints

* introduce help props

* adjust help uri coverage

* Update src/validations/constraints/fedramp-external-constraints.xml

Co-authored-by: A.J. Stein <aj@gsa.gov>

* Update src/validations/constraints/fedramp-external-constraints.xml

Co-authored-by: A.J. Stein <aj@gsa.gov>

* Update src/validations/constraints/fedramp-external-constraints.xml

Co-authored-by: A.J. Stein <aj@gsa.gov>

* Update src/validations/constraints/fedramp-external-constraints.xml

Co-authored-by: A.J. Stein <aj@gsa.gov>

* Update src/validations/constraints/fedramp-external-constraints.xml

Co-authored-by: A.J. Stein <aj@gsa.gov>

* see GSA/automate.fedramp.gov#98

* merge same invalid samples

* Update user-type-FAIL.yaml

* Update user-type-FAIL.yaml

* update tests

* Update src/validations/constraints/fedramp-external-allowed-values.xml

Co-authored-by: A.J. Stein <aj@gsa.gov>

* Update src/validations/constraints/content/ssp-all-VALID.xml

Co-authored-by: A.J. Stein <aj@gsa.gov>

* update tests

---------

Co-authored-by: A.J. Stein <aj@gsa.gov>

* [skip ci] Delete deprecated code for #738

* [skip ci] Remove oscal submodule and deps for #738

* [skip ci] Remove Makefile for #738