Provide JSON mechanism to represent XML-equivalent prose

[david-waltermire]

Goals:

1. Ensure that the JSON representation of OSCAL is equivalent in all functionality to the XML representation. This means that content can be round-tripped between the XML-JSON-XML representations. Whitespace preservation may not be possible,
2. Develop a prose markup capability in JSON to support the equivalent features in XML (e.g., parameter insertion, etc.). Consider using markdown to do this, with some extensions.
3. Answer how namespaces will be handled in JSON. OSCAL currently has a single namespace.

Dependencies:

1. Examples of OSCAL XML-based catalog and profile content. These examples are SP 800-53 based.
2. Pull request (Add JSON schema and examples #63) is merged into the sprint-5 branch,

Acceptance Criteria:

1. Demonstrate that content can be round-tripped. Content can be converted from XML-to-JSON-to-XML without any semantic loss of information. (Addresses JSON data sources as well? #59)
2. Demonstrate that OSCAL JSON content can be validated to be well-formed. (JSON schema #10)

[anweiss]

Prose conversion taking shape. You can see how JSON escapes the XML prose in the latest generated JSON here. This allows us to retain the original semantics for round-tripping while still providing well-formed JSON. The same escaping mechanism applies whether or not we leave prose syntax as is, decide to leverage Markdown or utilize some other format for representing prose.

If need be, we can also easily retain both the raw prose as an escaped-JSON string and also extract the prose syntax in to additional JSON properties where it makes sense (i.e. <insert> tags, etc)

[akarmel]

11/7/2017 - Sprint 5 Progress Notes

• See comment above.
• Wendell's mini-testing examples (unit tests) in Generate examples leveraging OSCAL #40 are designed to feed this User Story.

[wendellpiez]

@anweiss it'd be great to see this one rendered into JSON: /examples/mini-testing/mini-testing-catalog.xml (in the Sprint 5 branch). It's considerably smaller than the catalogs so far, but shows some inline markup etc. (And eventually, the profiles you see alongside it.)

[anweiss]

@wendellpiez -> mini-testing-catalog.json

Note that I've retained the line break characters and all prose tags. The original lexical order isn't currently maintained, but that's an easy tweak.

I'm currently putting prose under a literal JSON key named prose, but this is certainly up for discussion.

[wendellpiez]

@anweiss, nice. Neatly illustrates a few issues (some already noted) including:

• Some information loss in prose, including list contents, class attributes
• Maintaining lexical order and whether/where this matters
• Inline markup and sufficiency of current strategy vis-a-vis possible alternatives e.g. Markdown

Note that these are all critical if we aim for round-tripping. (If not perhaps we should focus on application requirements?)

Also there are now example profiles, including a couple with patches as well as parameters:

https://github.com/usnistgov/OSCAL/blob/sprint-5/examples/mini-testing/30_patched-profile.xml
https://github.com/usnistgov/OSCAL/blob/sprint-5/examples/mini-testing/31_patched-messy-profile.xml

[anweiss]

@wendellpiez thanks, yea making a few tweaks to the tool as the loss of those elements and the class attributes was not intended.

[anweiss]

@wendellpiez just updated the example -> mini-testing-catalog.json ... retains raw elements and inner XML.

[anweiss]

Also, regardless of what inline markup we use (XML, Markdown, etc) to represent prose, we'll still have the same requirement of having to escape newlines and any special characters in the JSON string value to retain the originally intended format. So while it may seem like Markdown, or similar might provide for synchronous visibility between XML- and JSON-formatted OSCAL, it may not be sufficient still.

[anweiss]

@wendellpiez added JSON examples for entirety of contents in mini-testing/ directory -> https://github.com/usnistgov/OSCAL/tree/bee9009a1e35b47c0dc66d067497041fc7f80db6/examples/mini-testing

[wendellpiez]

Excellent point, Andrew.

[wendellpiez]

(I mean, about the mapping of MD into JSON.) Oh thanks! Those folders are still thrashing, of course ...

[anweiss]

No worries. Updated mini-testing-catalog.json which keeps prose in same lexical order as XML

[anweiss]

@wendellpiez Added JSON equivalents for all of the FedRAMP, mini-testing and SP800-53 examples ... https://github.com/usnistgov/OSCAL/pull/63/files

Question for you on the following property_decl definition:

value = element value { attribute xml:space { 'preserve' }?, ( \inherit | autonum | text )* }
\inherit = element inherit { attribute from { text }?, text }
autonum = element autonum { text }

Is there a scenario where you envision more than one occurrence of <inherit>, <autonum> and/or text elements within a <value> element? All of the examples I've seen only depict self-closing <inherit> elements with a single <autonum> element. But the RNC schema seems to allow for one or more occurrences via the * denotation. This will impact how JSON is outputted for these particular elements.

[wendellpiez]

Andrew, thanks for the very perspicacious question. :-)

The short answer is that I'm actually not altogether happy with this model currently: it's been on my come-back-to list. However, the problem is also worse than you suggest, as RNC text is an indicator not of an element named 'text', but of text content (#PCDATA in old DTD-speak), i.e. simply <value>TEXT</value> -- and more often than not, in the data, value is even whitespace sensitive, which is why that (xml:space attribute) switch is there to provide a signal warning against ws munging. Since bits of text might occur anywhere within the value (before, after, between any autonum or inherit that happens to be present) -- order becomes important, as well as cardinality/repeatability (of the text if not of the elements).

As for your question as put -- yes, we do envision such scenarios, or at least we haven't ruled them out -- while at the same time we haven't been focused on testing these functionalities. (They have been developed to the point where they are demonstrably useful on actual data "in the lab". However, exactly how they will be useful "in the field", and to whom, are very much still open questions.)

Is there a way we can sequester this until a user story addresses functionality/testing (as well as by implication, modeling) of OSCAL declarations? Their role within the entire JSON processing ecosystem is a lot less clear to me than in XML. (There they serve as control points for Schematron validation of the data with which they are associated. What is the JSON/Javascript analogue?) At the same time, they are not yet fully worked out even on the XML side....

[anweiss]

Thanks for the explanation @wendellpiez! This helps a ton. Yea, let's push this to a future user story until we flush out the JSON elements.

[wendellpiez]

So I spoke too soon, I wasn't quite able to put this down.

The latest commit changes the model for declarations somewhat, improving and simplifying things. (See https://github.com/usnistgov/OSCAL/blob/sprint-5/schema/xml/RNC/oscal-core.rnc lines 54-59 and 81ff.)

In the new model, the requirement for preservation of order/repeatability of element contents no longer applies to thevalue element (anywhere), which will never be more than a string (in schema-valid OSCAL). Instead, it affects only the (new) calc element (available only as an alternative to value inside declarations and not elsewhere).

This does not solve the problem with representing calc in JSON but at least it no longer applies to value. (And it addresses other issues that were bothering me.)

Note we may be coming back to this when the "OSCAL declarations" mechanism becomes more salient.

[anweiss]

Sounds good. Will generate it nonetheless and we can revisit when appropriate. Thanks!

[anweiss]

@wendellpiez squashed PR and updated with equivalent JSON for all XML ... also included a couple of roundtripped examples ... https://github.com/usnistgov/OSCAL/pull/63/files

[wendellpiez]

Awesome @anweiss, looks really nice.

In addition to other issues noted elsewhere, here's one small adjustment to improve the output of the XML serializer -- when attribute values are null (for example, when there is no value for class or control-id), then avoid emitting the attribute. I.e. do not write class="" or control-id="".

This would clean up things in general and avoid a validation error on profiles

<call control-id="ac.7" subcontrol-id=""/>

Where the rule given by the schema is that (on class elements) one only of control-id and subcontrol-id is permitted (and required) -- so this is invalid as given.

I imagine this should not be difficult to accomplish. In general, I should think writing an attribute with an empty string would be a special case, not the ordinary case, and a tool should not do this by default. (Or, the switch to make it happen should be easy, and switched on in these cases.)

[anweiss]

Yep, agreed. I've actually been doing this already but missed a couple of fields. Will make sure to clean this up in the tool.

[wendellpiez]

NB for future reference: a good example for showing issues/weaknesses in component ordering and arbitrarily ordered (and mixed) content is /mini-testing/mini-testing-catalog-roundtrip.xml.

[wendellpiez]

(Oh we need that round trip I think! 😄 👍 )

[anweiss]

mini-testing-catalog-roundtripped.xml ... some spacing and line break nuances, but otherwise not bad

[akarmel]

11/21/2017 - Sprint 5 Progress Notes

• Keeping up with Wendell on XML/JSON synchronization
• Couple of tweaks/nuances remaining to be addressed with final code reminiscent of the original XML
  • Comments can be included if desired in JSON which should mirror XML

[akarmel]

11/28/2017 - Sprint 5 Acceptance Notes

• We have a solid set of JSON equivalents with some open issues to be addressed in future sprints.
• JSON could use some design work around what the final form of the output should look like.