From 1e19a2a21c1e94303183d3235a8e4ce545ca91ca Mon Sep 17 00:00:00 2001 From: "~ . ~" Date: Wed, 13 Nov 2024 10:17:10 -0500 Subject: [PATCH 01/19] all valid test --- features/fedramp_extensions.feature | 242 +++++++++--------- features/steps/fedramp_extensions_steps.ts | 74 +++--- package-lock.json | 8 +- package.json | 2 +- .../constraints/content/ssp-all-VALID.xml | 15 +- .../fedramp-external-constraints.xml | 2 +- src/validations/module.mk | 2 +- 7 files changed, 178 insertions(+), 167 deletions(-) diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature index f79e6ea3c..6704a85c6 100644 --- a/features/fedramp_extensions.feature +++ b/features/fedramp_extensions.feature 
@@ -3,7 +3,120 @@ Feature: OSCAL Document Constraints @style-guide Scenario Outline: Validating OSCAL constraints with metaschema constraints Then I should verify that all constraints follow the style guide constraint - + +@style-guide +Scenario Outline: Documents that should be valid are pass + Then I should have valid results "" +Examples: +| valid_file | +| ssp-ALL-VALID.xml | +# | ../../../content/awesome-cloud/xml/AwesomeCloudSSP1.xml | +# | ../../../content/awesome-cloud/xml/AwesomeCloudSSP2.xml | + +@full-coverage +Scenario: Preparing constraint coverage analysis +Given I have loaded all Metaschema extensions documents +And I have collected all YAML test files in the test directory +When I extract all constraint IDs from the Metaschema extensions +And I analyze the YAML test files for each constraint ID + +@full-coverage +Scenario Outline: Ensuring full test coverage for "" +Then I should have both FAIL and PASS tests for constraint ID "" +Examples: +| constraint_id | +#BEGIN_DYNAMIC_CONSTRAINT_IDS + | address-type | + | attachment-type | + | authorization-type | + | categorization-has-correct-system-attribute | + | categorization-has-information-type-id | + | cia-impact-has-adjustment-justification | + | cia-impact-has-selected | + | cloud-service-model | + | component-type | + | control-implementation-status | + | data-center-alternate | + | data-center-count | + | data-center-country-code | + | data-center-primary | + | data-center-us | + | deployment-model | + | fedramp-version | + | has-authenticator-assurance-level | + | has-authorization-boundary-diagram | + | has-authorization-boundary-diagram-caption | + | has-authorization-boundary-diagram-description | + | has-authorization-boundary-diagram-link | + | has-authorization-boundary-diagram-link-rel | + | has-authorization-boundary-diagram-link-rel-allowed-value | + | has-cloud-deployment-model | + | has-cloud-deployment-model-remarks | + | has-cloud-service-model | + | has-cloud-service-model-remarks 
| + | has-configuration-management-plan | + | has-data-flow | + | has-data-flow-description | + | has-data-flow-diagram | + | has-data-flow-diagram-caption | + | has-data-flow-diagram-description | + | has-data-flow-diagram-link | + | has-data-flow-diagram-link-rel | + | has-data-flow-diagram-link-rel-allowed-value | + | has-data-flow-diagram-uuid | + | has-federation-assurance-level | + | has-identity-assurance-level | + | has-incident-response-plan | + | has-information-system-contingency-plan | + | has-network-architecture | + | has-network-architecture-diagram | + | has-network-architecture-diagram-caption | + | has-network-architecture-diagram-description | + | has-network-architecture-diagram-link | + | has-network-architecture-diagram-link-rel | + | has-network-architecture-diagram-link-rel-allowed-value | + | has-rules-of-behavior | + | has-security-impact-level | + | has-security-sensitivity-level | + | has-separation-of-duties-matrix | + | has-system-id | + | has-system-name-short | + | has-user-guide | + | import-profile-has-available-document | + | import-profile-resolves-to-fedramp-content | + | information-type-800-60-v2r1 | + | information-type-has-availability-impact | + | information-type-has-confidentiality-impact | + | information-type-has-integrity-impact | + | information-type-system | + | interconnection-direction | + | interconnection-security | + | inventory-item-allows-authenticated-scan | + | inventory-item-public | + | inventory-item-virtual | + | missing-response-components | + | party-has-name | + | privilege-level | + | prop-response-point-has-cardinality-one | + | resource-has-base64-or-rlink | + | resource-has-title | + | responsible-party-is-person | + | role-defined-authorizing-official-poc | + | role-defined-information-system-security-officer | + | role-defined-system-owner | + | scan-type | + | security-level | + | security-sensitivity-level-matches-security-impact-level | + | user-has-authorized-privilege | + | 
user-has-privilege-level | + | user-has-role-id | + | user-has-sensitivity-level | + | user-has-user-type | + | user-privilege-level | + | user-sensitivity-level | + | user-type | +#END_DYNAMIC_CONSTRAINT_IDS + @constraints Scenario Outline: Validating OSCAL documents with metaschema constraints Given I have Metaschema extensions documents @@ -53,10 +166,6 @@ Examples: | deployment-model-PASS.yaml | | fedramp-version-FAIL.yaml | | fedramp-version-PASS.yaml | - | fully-operational-date-is-valid-FAIL.yaml | - | fully-operational-date-is-valid-PASS.yaml | - | fully-operational-date-type-FAIL.yaml | - | fully-operational-date-type-PASS.yaml | | has-authenticator-assurance-level-FAIL.yaml | | has-authenticator-assurance-level-PASS.yaml | | has-authorization-boundary-diagram-FAIL.yaml | @@ -101,8 +210,6 @@ Examples: | has-data-flow-diagram-uuid-PASS.yaml | | has-federation-assurance-level-FAIL.yaml | | has-federation-assurance-level-PASS.yaml | - | has-fully-operational-date-FAIL.yaml | - | has-fully-operational-date-PASS.yaml | | has-identity-assurance-level-FAIL.yaml | | has-identity-assurance-level-PASS.yaml | | has-incident-response-plan-FAIL.yaml | @@ -123,8 +230,6 @@ Examples: | has-network-architecture-diagram-link-rel-PASS.yaml | | has-network-architecture-diagram-link-rel-allowed-value-FAIL.yaml | | has-network-architecture-diagram-link-rel-allowed-value-PASS.yaml | - | has-published-date-FAIL.yaml | - | has-published-date-PASS.yaml | | has-rules-of-behavior-FAIL.yaml | | has-rules-of-behavior-PASS.yaml | | has-security-impact-level-FAIL.yaml | @@ -163,8 +268,6 @@ Examples: | inventory-item-public-PASS.yaml | | inventory-item-virtual-FAIL.yaml | | inventory-item-virtual-PASS.yaml | - | marking-FAIL.yaml | - | marking-PASS.yaml | | missing-response-components-FAIL.yaml | | missing-response-components-PASS.yaml | | party-has-name-FAIL.yaml | 
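Review bot: The regenerated `#BEGIN_DYNAMIC_CONSTRAINT_IDS` block in this hunk no longer lists fully-operational-date-is-valid, fully-operational-date-type, has-fully-operational-date, has-published-date, marking, responsible-party-prepared-by, responsible-party-prepared-by-location-valid and role-defined-prepared-by, and the @@ -53, @@ -101, @@ -123, @@ -163 and @@ -179 hunks drop the matching FAIL/PASS rows, yet fedramp-external-constraints.xml in this same patch only changes one message text; the list looks generated against a different constraint set than the one committed. Patch 02 of the series re-adds every one of those rows, which suggests the drop was unintended and this patch could have been reduced to the new scenario alone. The new scenario title `Documents that should be valid are pass` reads awkwardly; `Scenario Outline: Documents that should be valid pass validation` says the same thing. The `Then I should have valid results ""` line shows its placeholder stripped by the page rendering, so the binding to the `valid_file` column is assumed rather than visible.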
@@ -179,16 +282,10 @@ Examples: | response-point-PASS.yaml | | responsible-party-is-person-FAIL.yaml | | responsible-party-is-person-PASS.yaml | - | responsible-party-prepared-by-FAIL.yaml | - | responsible-party-prepared-by-PASS.yaml | - | responsible-party-prepared-by-location-valid-FAIL.yaml | - | responsible-party-prepared-by-location-valid-PASS.yaml | | role-defined-authorizing-official-poc-FAIL.yaml | | role-defined-authorizing-official-poc-PASS.yaml | | role-defined-information-system-security-officer-FAIL.yaml | | role-defined-information-system-security-officer-PASS.yaml | - | role-defined-prepared-by-FAIL.yaml | - | role-defined-prepared-by-PASS.yaml | | role-defined-system-owner-FAIL.yaml | | role-defined-system-owner-PASS.yaml | | scan-type-FAIL.yaml | 
@@ -215,114 +312,3 @@ Examples: | user-type-PASS.yaml | #END_DYNAMIC_TEST_CASES -@full-coverage -Scenario: Preparing constraint coverage analysis -Given I have loaded all Metaschema extensions documents -And I have collected all YAML test files in the test directory -When I extract all constraint IDs from the Metaschema extensions -And I analyze the YAML test files for each constraint ID - -@full-coverage -Scenario Outline: Ensuring full test coverage for "" -Then I should have both FAIL and PASS tests for constraint ID "" -Examples: -| constraint_id | -#BEGIN_DYNAMIC_CONSTRAINT_IDS - | address-type | - | attachment-type | - | authorization-type | - | categorization-has-correct-system-attribute | - | categorization-has-information-type-id | - | cia-impact-has-adjustment-justification | - | cia-impact-has-selected | - | cloud-service-model | - | component-type | - | control-implementation-status | - | data-center-alternate | - | data-center-count | - | data-center-country-code | - | data-center-primary | - | data-center-us | - | deployment-model | - | fedramp-version | - | fully-operational-date-is-valid | - | fully-operational-date-type | - | has-authenticator-assurance-level | - | has-authorization-boundary-diagram | - | has-authorization-boundary-diagram-caption | - | has-authorization-boundary-diagram-description | - | has-authorization-boundary-diagram-link | - | has-authorization-boundary-diagram-link-rel | - | has-authorization-boundary-diagram-link-rel-allowed-value | - | has-cloud-deployment-model | - | has-cloud-deployment-model-remarks | - | has-cloud-service-model | - | has-cloud-service-model-remarks | - | has-configuration-management-plan | - | has-data-flow | - | has-data-flow-description | - | has-data-flow-diagram | - | has-data-flow-diagram-caption | - | has-data-flow-diagram-description | - | has-data-flow-diagram-link | - | has-data-flow-diagram-link-rel | - | has-data-flow-diagram-link-rel-allowed-value | - | has-data-flow-diagram-uuid | - | 
has-federation-assurance-level | - | has-fully-operational-date | - | has-identity-assurance-level | - | has-incident-response-plan | - | has-information-system-contingency-plan | - | has-network-architecture | - | has-network-architecture-diagram | - | has-network-architecture-diagram-caption | - | has-network-architecture-diagram-description | - | has-network-architecture-diagram-link | - | has-network-architecture-diagram-link-rel | - | has-network-architecture-diagram-link-rel-allowed-value | - | has-published-date | - | has-rules-of-behavior | - | has-security-impact-level | - | has-security-sensitivity-level | - | has-separation-of-duties-matrix | - | has-system-id | - | has-system-name-short | - | has-user-guide | - | import-profile-has-available-document | - | import-profile-resolves-to-fedramp-content | - | information-type-800-60-v2r1 | - | information-type-has-availability-impact | - | information-type-has-confidentiality-impact | - | information-type-has-integrity-impact | - | information-type-system | - | interconnection-direction | - | interconnection-security | - | inventory-item-allows-authenticated-scan | - | inventory-item-public | - | inventory-item-virtual | - | marking | - | missing-response-components | - | party-has-name | - | privilege-level | - | prop-response-point-has-cardinality-one | - | resource-has-base64-or-rlink | - | resource-has-title | - | responsible-party-is-person | - | responsible-party-prepared-by | - | responsible-party-prepared-by-location-valid | - | role-defined-authorizing-official-poc | - | role-defined-information-system-security-officer | - | role-defined-prepared-by | - | role-defined-system-owner | - | scan-type | - | security-level | - | security-sensitivity-level-matches-security-impact-level | - | user-has-authorized-privilege | - | user-has-privilege-level | - | user-has-role-id | - | user-has-sensitivity-level | - | user-has-user-type | - | user-privilege-level | - | user-sensitivity-level | - | user-type | 
-#END_DYNAMIC_CONSTRAINT_IDS \ No newline at end of file diff --git a/features/steps/fedramp_extensions_steps.ts b/features/steps/fedramp_extensions_steps.ts index b2d4f6d89..51d967655 100644 --- a/features/steps/fedramp_extensions_steps.ts +++ b/features/steps/fedramp_extensions_steps.ts @@ -16,9 +16,9 @@ import { Exception, Log, Result } from "sarif"; import { fileURLToPath } from "url"; import { parseString } from "xml2js"; import { promisify } from "util"; -import {formatSarifOutput} from 'oscal' - +import {formatSarifOutput,fedrampValidationOptions} from 'oscal' let executor: 'oscal-cli'|'oscal-server' = process.env.OSCAL_EXECUTOR as 'oscal-cli'|'oscal-server' || 'oscal-cli' +let quiet= true const parseXmlString = promisify(parseString); const DEFAULT_TIMEOUT = 60000; @@ -191,8 +191,8 @@ Then("the constraint unit test should pass", async function () { }); async function processTestCase({ "test-case": testCase }: any) { - console.log(`Processing test case:${testCase.name}`); - console.log(`Description: ${testCase.description}`); + !quiet && console.log(`Processing test case:${testCase.name}`); + !quiet && console.log(`Description: ${testCase.description}`); // Load the content file const contentFiles = Array.isArray(testCase.content) ? testCase.content : [testCase.content]; @@ -210,7 +210,7 @@ async function processTestCase({ "test-case": testCase }: any) { "content", contentFile ); - console.log(`Loaded content from: ${contentPath}`); + !quiet && console.log(`Loaded content from: ${contentPath}`); const cacheKey = (typeof testCase.pipeline === 'undefined' ? "" : "resolved-") + parse(contentPath).name; @@ -227,9 +227,10 @@ async function processTestCase({ "test-case": testCase }: any) { contentPath, processedContentPath, { + quiet, outputFormat:'xml' },executor) - console.log("Profile resolved"); + !quiet && console.log("Profile resolved"); } // Add other pipeline steps as needed } 
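Review bot: `let quiet= true` in the @@ -16 hunk is a hard-coded module-level switch that patch 07 flips back to `false`, while `executor` on the line above is already read from the environment; taking the flag the same way, e.g. `const quiet = process.env.OSCAL_QUIET === 'true'` (the variable name is a suggestion), lets CI run quiet without editing source and ends the oscillation. The `!quiet && console.log(...)` expression statement is repeated in every other hunk of this file (@@ -191, @@ -210, @@ -227, @@ -244, @@ -323, @@ -357, @@ -459, @@ -479, @@ -516, @@ -552, @@ -573, @@ -642, @@ -651, @@ -706); a small `const log = (...args: unknown[]) => { if (!quiet) console.log(...args); };` next to the flag keeps each call site as a plain `log(...)` and would also have drawn attention to the pre-existing duplicated `Extracted ... unique constraint IDs` line in the @@ -479 hunk. Note that the `console.error` calls in the style-guide step remain unconditional, so `quiet` only silences stdout.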
@@ -243,14 +244,14 @@ async function processTestCase({ "test-case": testCase }: any) { let sarifResponse; if (validationCache.has(cacheKey)) { - console.log("Using cached validation result from "+cacheKey); + !quiet && console.log("Using cached validation result from "+cacheKey); sarifResponse = validationCache.get(cacheKey)!; }else{ let flags = []; if(currentTestCaseFileName.includes("FAIL")){ flags.push("disable-schema") } - const {isValid,log} = await validateDocument(resolve(processedContentPath),{quiet:true, + const {isValid,log} = await validateDocument(resolve(processedContentPath),{quiet, extensions:metaschemaDocuments.flatMap((x) => resolve(x)), flags},executor) sarifResponse=log; @@ -322,7 +323,7 @@ async function checkConstraints( for (const expectation of constraints) { const constraint_id = expectation["constraint-id"]; const expectedResult = expectation.result; - console.log( + !quiet && console.log( `Checking status of constraint: ${constraint_id} expecting: ${ expectedResult || "mixed" }` @@ -356,15 +357,15 @@ async function checkConstraints( return kind; }, "initial"); - console.log( + !quiet && console.log( `Received: ${constraintResults.length} matching ${result} results (${passCount} pass, ${failCount} fail)` ); if(warnCount>0) - console.log( + !quiet && console.log( `Received: ${warnCount} warn)` ); if(infoCount>0) - console.log( + !quiet && console.log( `Received: ${infoCount} informational)` ); @@ -458,7 +459,7 @@ Given("I have loaded all Metaschema extensions documents", function () { metaschemaDocuments = files .filter((file) => file.endsWith(".xml")).sort() .map((file) => join(constraintDir, file)) - console.log( + !quiet && console.log( `Loaded ${metaschemaDocuments.length} Metaschema extension documents` ); }); 
@@ -478,8 +479,8 @@ When( } constraintIds = [...new Set(constraintIds)].sort(); - console.log(`Extracted ${constraintIds.length} unique constraint IDs`); - console.log(`Extracted ${constraintIds.length} unique constraint IDs`); + !quiet && console.log(`Extracted ${constraintIds.length} unique constraint IDs`); + !quiet && console.log(`Extracted ${constraintIds.length} unique constraint IDs`); } ); function extractConstraints(xmlObject: any): string[] { @@ -515,16 +516,16 @@ Then( const testCoverage = testResults[constraintId]; if (!testCoverage) { - console.log(`${constraintId}: No tests found`); + !quiet && console.log(`${constraintId}: No tests found`); expect.fail(`Constraint ${constraintId} has no tests`); } else if (!testCoverage.pass) { - console.log(`${constraintId}: Missing positive test`); + !quiet && console.log(`${constraintId}: Missing positive test`); expect.fail(`Constraint ${constraintId} is missing a positive test`); } else if (!testCoverage.fail) { - console.log(`${constraintId}: Missing negative test`); + !quiet && console.log(`${constraintId}: Missing negative test`); expect.fail(`Constraint ${constraintId} is missing a negative test`); } else { - console.log(`${constraintId}: Fully covered`); + !quiet && console.log(`${constraintId}: Fully covered`); } expect(reportedConstraints).to.include( @@ -551,7 +552,7 @@ Then( .map((row) => row["Constraint ID"]); for (const constraintId of constraintIds) { - console.log(`${constraintId}: Status to be determined`); + !quiet && console.log(`${constraintId}: Status to be determined`); expect(reportedConstraints).to.include(constraintId); } } @@ -572,7 +573,7 @@ Given( yamlTestFiles = readdirSync(testDir) .filter((file) => file.endsWith(".yaml") || file.endsWith(".yml")).sort() .map((file) => join(testDir, file)); - console.log(`Collected ${yamlTestFiles.length} YAML test files`); + !quiet && console.log(`Collected ${yamlTestFiles.length} YAML test files`); } ); 
@@ -641,8 +642,8 @@ When("I analyze the YAML test files for each constraint ID", function () { } } - console.log(`Analyzed ${yamlTestFiles.length} YAML test files`); - console.log("Test results:", testResults); + !quiet && console.log(`Analyzed ${yamlTestFiles.length} YAML test files`); + !quiet && console.log("Test results:", testResults); }); // New step definition for the "Ensuring full test coverage for """ scenario @@ -650,16 +651,16 @@ Then("I should have both FAIL and PASS tests for constraint ID {string}", functi const testCoverage = testResults[constraintId]; if (!testCoverage) { - console.log(`${constraintId}: No tests found`); + !quiet && console.log(`${constraintId}: No tests found`); expect.fail(`Constraint ${constraintId} has no tests`); } else if (!testCoverage.pass) { - console.log(`${constraintId}: Missing at least one positive test`); + !quiet && console.log(`${constraintId}: Missing at least one positive test`); expect.fail(`Constraint ${constraintId} is missing a positive test`); } else if (!testCoverage.fail) { - console.log(`${constraintId}: Missing at least one negative test`); + !quiet && console.log(`${constraintId}: Missing at least one negative test`); expect.fail(`Constraint ${constraintId} is missing a negative test`); } else { - console.log(`${constraintId}: Has minimal required coverage`); + !quiet && console.log(`${constraintId}: Has minimal required coverage`); } expect(constraintIds).to.include( 
@@ -668,6 +669,19 @@ Then("I should have both FAIL and PASS tests for constraint ID {string}", functi ); }); +Then('I should have valid results {string}', async function (fileToValidate) { + const fullPath = resolve( + __dirname, + "..", + "..", + "src", + "validations","constraints","content",fileToValidate + ); + const {isValid,log}=await validateDocument(fullPath,{quiet,...fedrampValidationOptions},executor); + expect(isValid,formatSarifOutput(log)).to.be.true; +}); + + Then('I should verify that all constraints follow the style guide constraint', async function () { const baseDir = join(__dirname, '..', '..'); const constraintDir = join(baseDir, 'src', 'validations', 'constraints'); @@ -683,7 +697,7 @@ Then('I should verify that all constraints follow the style guide constraint', a for (const file_name of constraint_files) { const filePath = join(constraintDir, file_name.trim()); try { - const {isValid,log} = await validateDocument(filePath,{flags:['disable-schema'],quiet:true,extensions:[styleGuidePath],module:"http://csrc.nist.gov/ns/oscal/metaschema/1.0"},executor) + const {isValid,log} = await validateDocument(filePath,{flags:['disable-schema'],quiet,extensions:[styleGuidePath],module:"http://csrc.nist.gov/ns/oscal/metaschema/1.0"},executor) writeFileSync( join( __dirname, @@ -692,7 +706,7 @@ Then('I should verify that all constraints follow the style guide constraint', a ),JSON.stringify(log, null,"\t")) const formattedErrors = (formatSarifOutput(log)); - console.log(`Validation result for ${file_name}:`, isValid?"valid":"invalid"); + !quiet && console.log(`Validation result for ${file_name}:`, isValid?"valid":"invalid"); if (!isValid) { console.error("\n"+formattedErrors); } 
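Review bot: In the new `I should have valid results {string}` step the options are built as `{quiet,...fedrampValidationOptions}`, so if `fedrampValidationOptions` carries its own `quiet` key it silently overrides the local flag; `{...fedrampValidationOptions, quiet}` keeps the flag authoritative, consistent with how the other `validateDocument` calls in this file pass it. The step resolves `fileToValidate` under `src/validations/constraints/content` without checking the file exists, and the feature's commented-out Examples rows use `../../../` paths, so a wrong table entry (such as the `ssp-ALL-VALID.xml` versus `ssp-all-VALID.xml` case mismatch in this same patch) only surfaces as a validator failure; an `existsSync(fullPath)` guard (added to the existing fs import) with `expect.fail` naming the path would make that explicit. `formatSarifOutput(log)` is evaluated on every call, including passing ones, because it is the assertion's message argument; that is fine unless formatting proves expensive.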
@@ -707,8 +721,6 @@ Then('I should verify that all constraints follow the style guide constraint', a // Display all errors at the end if (errors.length > 0) { console.error("Validation errors found:"); - - throw new Error("Style guide validation failed. "+errors.join("\n")); } expect(errors, "No style guide validation errors should be found").to.be.empty; diff --git a/package-lock.json b/package-lock.json index 462475c1b..56eb32a98 100644 --- a/package-lock.json +++ b/package-lock.json @@ -15,7 +15,7 @@ "inquirer": "^10.1.8", "js-yaml": "^4.1.0", "jsdom": "^25.0.0", - "oscal": "2.0.5", + "oscal": "2.0.6-rc-2", "ts-node": "^10.9.2", "xml-formatter": "^3.6.3", "xml2js": "^0.6.2" @@ -2694,9 +2694,9 @@ } }, "node_modules/oscal": { - "version": "2.0.5", - "resolved": "https://registry.npmjs.org/oscal/-/oscal-2.0.5.tgz", - "integrity": "sha512-S19CxjK9dYAE/5CYGFF/M1J9z24oIA/WX5Lkk84BzTvmeAa6qWzwIYEnmoeXRCnJnsLP5sNh/9VSFGfvY97omw==", + "version": "2.0.6-rc-2", + "resolved": "https://registry.npmjs.org/oscal/-/oscal-2.0.6-rc-2.tgz", + "integrity": "sha512-gTnzX4GgaolcjEAXcSH71ULtCjH55wWBFGZ6BKaezl7rI1fvq72w67ZYE3UJ4STkK54ov48lmpfNsZRnnBUpRg==", "license": "MIT", "dependencies": { "@terascope/fetch-github-release": "^0.8.10", diff --git a/package.json b/package.json index 5a28f0a68..00389f658 100644 --- a/package.json +++ b/package.json @@ -26,7 +26,7 @@ "inquirer": "^10.1.8", "js-yaml": "^4.1.0", "jsdom": "^25.0.0", - "oscal": "2.0.5", + "oscal": "2.0.6-rc-2", "ts-node": "^10.9.2", "xml-formatter": "^3.6.3", "xml2js": "^0.6.2" diff --git a/src/validations/constraints/content/ssp-all-VALID.xml b/src/validations/constraints/content/ssp-all-VALID.xml index 4aaa49c80..37bc5d50f 100644 --- a/src/validations/constraints/content/ssp-all-VALID.xml +++ b/src/validations/constraints/content/ssp-all-VALID.xml @@ -10,6 +10,7 @@ 1.1 1.1.2 SSP-2024-002 + @@ -33,6 +34,9 @@ System Owner + + + Document Preparer Authorizing Official Point of Contact 
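Review bot: With the `throw new Error("Style guide validation failed. "+errors.join("\n"))` removed, the `console.error("Validation errors found:")` header kept on the line above now prints with nothing under it; the per-file `console.error("\n"+formattedErrors)` earlier in the loop is the only place the errors still appear, well before this summary. Either drop the header or follow it with `console.error(errors.join("\n"));` so the "Display all errors at the end" comment that precedes it stays true. The `expect(errors, ...).to.be.empty` failure message does include the array, but chai truncates long values, so relying on it alone loses detail. The enclosing step function starts outside this hunk.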
@@ -99,7 +103,13 @@ Jane Doe jane.doe@example.com -
+
+ 123 main + new york + NY + 10001 + US +
@@ -133,6 +143,9 @@ 22222222-0000-4000-9000-000000000002 + + 22222222-0000-4000-9000-000000000002 +

This SSP is an example for demonstration purposes.

diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml index 407ea2cdb..b88385625 100644 --- a/src/validations/constraints/fedramp-external-constraints.xml +++ b/src/validations/constraints/fedramp-external-constraints.xml @@ -488,7 +488,7 @@ Party Has a Name - Every FedRAMP document MUST define a party with a name. + Every FedRAMP document must define a party with a name. diff --git a/src/validations/module.mk b/src/validations/module.mk index 2413741da..c0f2a834a 100644 --- a/src/validations/module.mk +++ b/src/validations/module.mk @@ -1,5 +1,5 @@ # Variables -OSCAL_CLI = npx oscal@2.0.5 +OSCAL_CLI = npx oscal@next SRC_DIR = ./src DIST_DIR = ./dist REV5_BASELINES = ./dist/content/rev5/baselines From f382bd5e45adfd14e8a6217cdd200cc44d2a00e5 Mon Sep 17 00:00:00 2001 From: "~ . ~" Date: Wed, 13 Nov 2024 10:22:18 -0500 Subject: [PATCH 02/19] make ssp all valid Co-Authored-By: Gabeblis --- features/fedramp_extensions.feature | 24 +++++ .../constraints/content/ssp-all-VALID.xml | 101 +++++++----------- 2 files changed, 64 insertions(+), 61 deletions(-) diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature index 6704a85c6..2be3f8b73 100644 --- a/features/fedramp_extensions.feature +++ b/features/fedramp_extensions.feature @@ -43,6 +43,8 @@ Examples: | data-center-us | | deployment-model | | fedramp-version | + | fully-operational-date-is-valid | + | fully-operational-date-type | | has-authenticator-assurance-level | | has-authorization-boundary-diagram | | has-authorization-boundary-diagram-caption | @@ -65,6 +67,7 @@ Examples: | has-data-flow-diagram-link-rel-allowed-value | | has-data-flow-diagram-uuid | | has-federation-assurance-level | + | has-fully-operational-date | | has-identity-assurance-level | | has-incident-response-plan | | has-information-system-contingency-plan | 
@@ -75,6 +78,7 @@ Examples: | has-network-architecture-diagram-link | | has-network-architecture-diagram-link-rel | | has-network-architecture-diagram-link-rel-allowed-value | + | has-published-date | | has-rules-of-behavior | | has-security-impact-level | | has-security-sensitivity-level | @@ -94,6 +98,7 @@ Examples: | inventory-item-allows-authenticated-scan | | inventory-item-public | | inventory-item-virtual | + | marking | | missing-response-components | | party-has-name | | privilege-level | @@ -101,8 +106,11 @@ Examples: | resource-has-base64-or-rlink | | resource-has-title | | responsible-party-is-person | + | responsible-party-prepared-by | + | responsible-party-prepared-by-location-valid | | role-defined-authorizing-official-poc | | role-defined-information-system-security-officer | + | role-defined-prepared-by | | role-defined-system-owner | | scan-type | | security-level | @@ -166,6 +174,10 @@ Examples: | deployment-model-PASS.yaml | | fedramp-version-FAIL.yaml | | fedramp-version-PASS.yaml | + | fully-operational-date-is-valid-FAIL.yaml | + | fully-operational-date-is-valid-PASS.yaml | + | fully-operational-date-type-FAIL.yaml | + | fully-operational-date-type-PASS.yaml | | has-authenticator-assurance-level-FAIL.yaml | | has-authenticator-assurance-level-PASS.yaml | | has-authorization-boundary-diagram-FAIL.yaml | @@ -210,6 +222,8 @@ Examples: | has-data-flow-diagram-uuid-PASS.yaml | | has-federation-assurance-level-FAIL.yaml | | has-federation-assurance-level-PASS.yaml | + | has-fully-operational-date-FAIL.yaml | + | has-fully-operational-date-PASS.yaml | | has-identity-assurance-level-FAIL.yaml | | has-identity-assurance-level-PASS.yaml | | has-incident-response-plan-FAIL.yaml | 
@@ -230,6 +244,8 @@ Examples: | has-network-architecture-diagram-link-rel-PASS.yaml | | has-network-architecture-diagram-link-rel-allowed-value-FAIL.yaml | | has-network-architecture-diagram-link-rel-allowed-value-PASS.yaml | + | has-published-date-FAIL.yaml | + | has-published-date-PASS.yaml | | has-rules-of-behavior-FAIL.yaml | | has-rules-of-behavior-PASS.yaml | | has-security-impact-level-FAIL.yaml | @@ -268,6 +284,8 @@ Examples: | inventory-item-public-PASS.yaml | | inventory-item-virtual-FAIL.yaml | | inventory-item-virtual-PASS.yaml | + | marking-FAIL.yaml | + | marking-PASS.yaml | | missing-response-components-FAIL.yaml | | missing-response-components-PASS.yaml | | party-has-name-FAIL.yaml | @@ -282,10 +300,16 @@ Examples: | response-point-PASS.yaml | | responsible-party-is-person-FAIL.yaml | | responsible-party-is-person-PASS.yaml | + | responsible-party-prepared-by-FAIL.yaml | + | responsible-party-prepared-by-PASS.yaml | + | responsible-party-prepared-by-location-valid-FAIL.yaml | + | responsible-party-prepared-by-location-valid-PASS.yaml | | role-defined-authorizing-official-poc-FAIL.yaml | | role-defined-authorizing-official-poc-PASS.yaml | | role-defined-information-system-security-officer-FAIL.yaml | | role-defined-information-system-security-officer-PASS.yaml | + | role-defined-prepared-by-FAIL.yaml | + | role-defined-prepared-by-PASS.yaml | | role-defined-system-owner-FAIL.yaml | | role-defined-system-owner-PASS.yaml | | scan-type-FAIL.yaml | diff --git a/src/validations/constraints/content/ssp-all-VALID.xml b/src/validations/constraints/content/ssp-all-VALID.xml index 37bc5d50f..995fb34c9 100644 --- a/src/validations/constraints/content/ssp-all-VALID.xml +++ b/src/validations/constraints/content/ssp-all-VALID.xml @@ -12,14 +12,8 @@ SSP-2024-002 - - - Prepared By - -

This party prepared the SSP.

-
-
+ Document Creator @@ -38,63 +32,51 @@ Document Preparer - - Authorizing Official Point of Contact - - - Information System Security Officer (or Equivalent) - - + + Authorizing Official + +

The senior official with the authority to formally assume responsibility.

+
+
+ + Authorizing Official Point of Contact + + + Information System Security Officer (or Equivalent) + + Information System Management Point of Contact (POC) -

The highest level manager who is responsible for system operation on behalf of the System Owner.

+

The highest level manager who is responsible for system operation on behalf of the System Owner.

+
+
+ + Information System Technical Point of Contact + +

The individual or individuals leading the technical operation of the system.

+
+
+ + General Point of Contact (POC) + +

A general point of contact for the system, designated by the system owner.

-
- - Information System Technical Point of Contact - -

The individual or individuals leading the technical operation of the system.

-
-
- - General Point of Contact (POC) - -

A general point of contact for the system, designated by the system owner.

-
-
+
- - CSP HQ -
- Suite 0000 - 1234 Some Street - Haven - ME - 00000 - US -
-
-
+
US
-
+
US
- - Person Name 1 - - - name@example.com - 2020000001 - 27b78960-59ef-4619-82b0-ae20b9c709ac - 6b286b5d-8f07-4fa7-8847-1dd0d88f73fb - + + Example Organization ExOrg @@ -103,25 +85,22 @@ Jane Doe jane.doe@example.com -
- 123 main - new york - NY - 10001 - US -
+
+ 123 main + new york + NY + 10001 + US +
- - 3360e343-9860-4bda-9dfc-ff427c3dfab6 - + 11111111-0000-4000-9000-000000000001 22222222-0000-4000-9000-000000000002 - 22222222-0000-4000-9000-000000000002 From e91eed175513973e6fda60b7541b0ab9627b9926 Mon Sep 17 00:00:00 2001 From: "~ . ~" Date: Wed, 13 Nov 2024 10:25:30 -0500 Subject: [PATCH 03/19] update oscal version Co-Authored-By: Gabeblis --- package-lock.json | 8 ++++---- package.json | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/package-lock.json b/package-lock.json index 56eb32a98..698520ddb 100644 --- a/package-lock.json +++ b/package-lock.json @@ -15,7 +15,7 @@ "inquirer": "^10.1.8", "js-yaml": "^4.1.0", "jsdom": "^25.0.0", - "oscal": "2.0.6-rc-2", + "oscal": "2.0.6", "ts-node": "^10.9.2", "xml-formatter": "^3.6.3", "xml2js": "^0.6.2" @@ -2694,9 +2694,9 @@ } }, "node_modules/oscal": { - "version": "2.0.6-rc-2", - "resolved": "https://registry.npmjs.org/oscal/-/oscal-2.0.6-rc-2.tgz", - "integrity": "sha512-gTnzX4GgaolcjEAXcSH71ULtCjH55wWBFGZ6BKaezl7rI1fvq72w67ZYE3UJ4STkK54ov48lmpfNsZRnnBUpRg==", + "version": "2.0.6", + "resolved": "https://registry.npmjs.org/oscal/-/oscal-2.0.6.tgz", + "integrity": "sha512-+hSDqr7Ddi3qqvAaSN8XRsrrgxrsORfvLVZIpgrTz/AzWum0R+PnCFlxQ9+KMuptxXW9kAcfAwyXmhdIjaZV8g==", "license": "MIT", "dependencies": { "@terascope/fetch-github-release": "^0.8.10", diff --git a/package.json b/package.json index 00389f658..90e64d08e 100644 --- a/package.json +++ b/package.json @@ -26,7 +26,7 @@ "inquirer": "^10.1.8", "js-yaml": "^4.1.0", "jsdom": "^25.0.0", - "oscal": "2.0.6-rc-2", + "oscal": "2.0.6", "ts-node": "^10.9.2", "xml-formatter": "^3.6.3", "xml2js": "^0.6.2" From 56464d50bc181e8bde944c316e7e5490165f9b0c Mon Sep 17 00:00:00 2001 From: "~ . ~" Date: Wed, 13 Nov 2024 10:36:10 -0500 Subject: [PATCH 04/19] Update fedramp_extensions.feature Co-Authored-By: Gabeblis --- features/fedramp_extensions.feature | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature index 2be3f8b73..466b8e703 100644 --- a/features/fedramp_extensions.feature +++ b/features/fedramp_extensions.feature @@ -9,7 +9,7 @@ Scenario Outline: Documents that should be valid are pass Then I should have valid results "" Examples: | valid_file | -| ssp-ALL-VALID.xml | +| ssp-all-VALID.xml | # | ../../../content/awesome-cloud/xml/AwesomeCloudSSP1.xml | # | ../../../content/awesome-cloud/xml/AwesomeCloudSSP2.xml | From 03e79c238a21653e684c5ac39eacb9e2768b0463 Mon Sep 17 00:00:00 2001 From: wandmagic <156969148+wandmagic@users.noreply.github.com> Date: Thu, 14 Nov 2024 00:26:22 -0500 Subject: [PATCH 05/19] Update fedramp_extensions.feature Co-authored-by: A.J. Stein --- features/fedramp_extensions.feature | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature index 466b8e703..0e73b0a74 100644 --- a/features/fedramp_extensions.feature +++ b/features/fedramp_extensions.feature @@ -4,7 +4,7 @@ Feature: OSCAL Document Constraints Scenario Outline: Validating OSCAL constraints with metaschema constraints Then I should verify that all constraints follow the style guide constraint -@style-guide +@integration Scenario Outline: Documents that should be valid are pass Then I should have valid results "" Examples: From 98fcff0fadf37d64f1bfff075e1d03c54d5a9c88 Mon Sep 17 00:00:00 2001 From: wandmagic <156969148+wandmagic@users.noreply.github.com> Date: Thu, 14 Nov 2024 00:26:45 -0500 Subject: [PATCH 06/19] Update module.mk Co-authored-by: A.J. Stein --- src/validations/module.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/validations/module.mk b/src/validations/module.mk index c0f2a834a..a6958e664 100644 --- a/src/validations/module.mk +++ b/src/validations/module.mk 
@@ -1,5 +1,5 @@ # Variables -OSCAL_CLI = npx oscal@next +OSCAL_CLI = npx oscal@2.0.6 SRC_DIR = ./src DIST_DIR = ./dist REV5_BASELINES = ./dist/content/rev5/baselines From b1fdefbde4340ffe6731879f627cd9e03d669787 Mon Sep 17 00:00:00 2001 From: "~ . ~" Date: Thu, 14 Nov 2024 09:54:05 -0500 Subject: [PATCH 07/19] add integration npm commands --- features/steps/fedramp_extensions_steps.ts | 2 +- package.json | 2 ++ src/validations/module.mk | 1 + 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/features/steps/fedramp_extensions_steps.ts b/features/steps/fedramp_extensions_steps.ts index 51d967655..21a7f1df9 100644 --- a/features/steps/fedramp_extensions_steps.ts +++ b/features/steps/fedramp_extensions_steps.ts @@ -18,7 +18,7 @@ import { parseString } from "xml2js"; import { promisify } from "util"; import {formatSarifOutput,fedrampValidationOptions} from 'oscal' let executor: 'oscal-cli'|'oscal-server' = process.env.OSCAL_EXECUTOR as 'oscal-cli'|'oscal-server' || 'oscal-cli' -let quiet= true +let quiet= false const parseXmlString = promisify(parseString); const DEFAULT_TIMEOUT = 60000; diff --git a/package.json b/package.json index 90e64d08e..91480fb81 100644 --- a/package.json +++ b/package.json 
@@ -14,7 +14,9 @@ "test:constraints": "cross-env NODE_OPTIONS=\"--loader ts-node/esm --no-warnings --experimental-specifier-resolution=node\" cucumber-js --tags @constraints", "test:coverage": "cross-env NODE_OPTIONS=\"--loader ts-node/esm --no-warnings --experimental-specifier-resolution=node\" cucumber-js --tags @full-coverage", "test:style": "cross-env-shell NODE_OPTIONS=\"--loader ts-node/esm --no-warnings --experimental-specifier-resolution=node\" cucumber-js --tags @style-guide", + "test:integration": "cross-env-shell NODE_OPTIONS=\"--loader ts-node/esm --no-warnings --experimental-specifier-resolution=node\" cucumber-js --tags @integration", "lint:server": "cross-env-shell OSCAL_EXECUTOR='oscal-server' NODE_OPTIONS=\"--loader ts-node/esm --no-warnings --experimental-specifier-resolution=node\" cucumber-js --tags @style-guide", + "test:integration:server": "cross-env-shell OSCAL_EXECUTOR='oscal-server' NODE_OPTIONS=\"--loader ts-node/esm --no-warnings --experimental-specifier-resolution=node\" cucumber-js --tags @integration", "mq": "node ./src/scripts/dev-metaschema-eval.js", "constraint": "node ./src/scripts/dev-constraint.js" }, diff --git a/src/validations/module.mk b/src/validations/module.mk index a6958e664..d89558c4b 100644 --- a/src/validations/module.mk +++ b/src/validations/module.mk @@ -23,6 +23,7 @@ lint-validations: .PHONY: build-validations build-validations: @echo "Running Cucumber Tests" + $(OSCAL_CLI) server stop $(OSCAL_CLI) server start -bg @npm run test:server $(OSCAL_CLI) server stop From 753b40087d250930c05ba3a822c1e6bfec42c65b Mon Sep 17 00:00:00 2001 From: wandmagic <156969148+wandmagic@users.noreply.github.com> Date: Thu, 14 Nov 2024 16:44:22 -0500 Subject: [PATCH 08/19] Update fedramp-external-constraints.xml Co-authored-by: Gabeblis --- src/validations/constraints/fedramp-external-constraints.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
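Review bot: The added `$(OSCAL_CLI) server stop` runs before any server has necessarily been started, and make aborts the `build-validations` recipe on the first non-zero exit, so if the CLI's `server stop` reports failure when nothing is listening (its behaviour is not visible here) the target never reaches `server start -bg`. Prefix the line so its status is ignored, `-$(OSCAL_CLI) server stop`, or append `|| true`. The recipe also leaves the background server running whenever `npm run test:server` fails, because the trailing `server stop` is never reached; that is pre-existing, but the new stop-before-start line looks like a workaround for exactly that, so a comment saying so, `# stop any server left over from a failed previous run`, would help the next reader.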
diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml index b88385625..407ea2cdb 100644 --- a/src/validations/constraints/fedramp-external-constraints.xml +++ b/src/validations/constraints/fedramp-external-constraints.xml @@ -488,7 +488,7 @@ Party Has a Name - Every FedRAMP document must define a party with a name. + Every FedRAMP document MUST define a party with a name. From ec9273bcf86aec84df9a29a708e982e95f086528 Mon Sep 17 00:00:00 2001 From: "~ . ~" Date: Thu, 14 Nov 2024 16:50:41 -0500 Subject: [PATCH 09/19] get latest ssp-all valid --- .../constraints/content/ssp-all-VALID.xml | 129 +++++++++++------- 1 file changed, 77 insertions(+), 52 deletions(-) diff --git a/src/validations/constraints/content/ssp-all-VALID.xml b/src/validations/constraints/content/ssp-all-VALID.xml index 995fb34c9..bd009f2e9 100644 --- a/src/validations/constraints/content/ssp-all-VALID.xml +++ b/src/validations/constraints/content/ssp-all-VALID.xml @@ -10,10 +10,26 @@ 1.1 1.1.2 SSP-2024-002 - - - + + + Authorizing Official + +

Senior official with authority to formally assume responsibility for operating a system at an acceptable level of risk.

+
+
+ + Prepared By + +

This party prepared the SSP.

+
+
+ + Prepared For + +

The organization for which this SSP was prepared. Typically the CSP.

+
+
Document Creator @@ -29,54 +45,69 @@ System Owner - - Document Preparer - - - Authorizing Official - -

The senior official with the authority to formally assume responsibility.

-
-
- - Authorizing Official Point of Contact - - - Information System Security Officer (or Equivalent) - - + + Authorizing Official Point of Contact + + + Information System Security Officer (or Equivalent) + + Information System Management Point of Contact (POC) -

The highest level manager who is responsible for system operation on behalf of the System Owner.

-
-
- - Information System Technical Point of Contact - -

The individual or individuals leading the technical operation of the system.

+

The highest level manager who is responsible for system operation on behalf of the System Owner.

-
- - General Point of Contact (POC) - -

A general point of contact for the system, designated by the system owner.

-
-
+
+ + Information System Technical Point of Contact + +

The individual or individuals leading the technical operation of the system.

+
+
+ + General Point of Contact (POC) + +

A general point of contact for the system, designated by the system owner.

+
+
+ + CSP HQ +
+ Suite 0000 + 1234 Some Street + Haven + ME + 00000 + US +
+
-
+
US
-
+
US
- - + + Person Name 1 + + + name@example.com + 2020000001 + 27b78960-59ef-4619-82b0-ae20b9c709ac + 6b286b5d-8f07-4fa7-8847-1dd0d88f73fb + + + Cloud Service Provider (CSP) Name + CSP Acronym/Short Name + + 27b78960-59ef-4619-82b0-ae20b9c709ac + Example Organization ExOrg @@ -85,22 +116,22 @@ Jane Doe jane.doe@example.com -
- 123 main - new york - NY - 10001 - US -
+
- + + 3360e343-9860-4bda-9dfc-ff427c3dfab6 + + + 6b286b5d-8f07-4fa7-8847-1dd0d88f73fb + 11111111-0000-4000-9000-000000000001 22222222-0000-4000-9000-000000000002 + 22222222-0000-4000-9000-000000000002 @@ -122,9 +153,6 @@ 22222222-0000-4000-9000-000000000002 - - 22222222-0000-4000-9000-000000000002 -

This SSP is an example for demonstration purposes.

@@ -473,8 +501,5 @@

May use rlink with a relative path, or embedded as base64.

- - - - + \ No newline at end of file From deb1fd47c8388a43091b635e824e588e17e60617 Mon Sep 17 00:00:00 2001 From: "~ . ~" Date: Wed, 13 Nov 2024 10:17:10 -0500 Subject: [PATCH 10/19] all valid test --- features/fedramp_extensions.feature | 260 ++++++++---------- features/steps/fedramp_extensions_steps.ts | 74 ++--- package-lock.json | 8 +- package.json | 2 +- .../constraints/content/ssp-all-VALID.xml | 15 +- .../fedramp-external-constraints.xml | 2 +- src/validations/module.mk | 2 +- 7 files changed, 178 insertions(+), 185 deletions(-) diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature index 050442acd..6704a85c6 100644 --- a/features/fedramp_extensions.feature +++ b/features/fedramp_extensions.feature 
@@ -3,7 +3,120 @@ Feature: OSCAL Document Constraints @style-guide Scenario Outline: Validating OSCAL constraints with metaschema constraints Then I should verify that all constraints follow the style guide constraint - + +@style-guide +Scenario Outline: Documents that should be valid are pass + Then I should have valid results "" +Examples: +| valid_file | +| ssp-ALL-VALID.xml | +# | ../../../content/awesome-cloud/xml/AwesomeCloudSSP1.xml | +# | ../../../content/awesome-cloud/xml/AwesomeCloudSSP2.xml | + +@full-coverage +Scenario: Preparing constraint coverage analysis +Given I have loaded all Metaschema extensions documents +And I have collected all YAML test files in the test directory +When I extract all constraint IDs from the Metaschema extensions +And I analyze the YAML test files for each constraint ID + +@full-coverage +Scenario Outline: Ensuring full test coverage for "" +Then I should have both FAIL and PASS tests for constraint ID "" +Examples: +| constraint_id | +#BEGIN_DYNAMIC_CONSTRAINT_IDS + | address-type | + | attachment-type | + | authorization-type | + | categorization-has-correct-system-attribute | + | categorization-has-information-type-id | + | cia-impact-has-adjustment-justification | + | cia-impact-has-selected | + | cloud-service-model | + | component-type | + | control-implementation-status | + | data-center-alternate | + | data-center-count | + | data-center-country-code | + | data-center-primary | + | data-center-us | + | deployment-model | + | fedramp-version | + | has-authenticator-assurance-level | + | has-authorization-boundary-diagram | + | has-authorization-boundary-diagram-caption | + | has-authorization-boundary-diagram-description | + | has-authorization-boundary-diagram-link | + | has-authorization-boundary-diagram-link-rel | + | has-authorization-boundary-diagram-link-rel-allowed-value | + | has-cloud-deployment-model | + | has-cloud-deployment-model-remarks | + | has-cloud-service-model | + | has-cloud-service-model-remarks 
| + | has-configuration-management-plan | + | has-data-flow | + | has-data-flow-description | + | has-data-flow-diagram | + | has-data-flow-diagram-caption | + | has-data-flow-diagram-description | + | has-data-flow-diagram-link | + | has-data-flow-diagram-link-rel | + | has-data-flow-diagram-link-rel-allowed-value | + | has-data-flow-diagram-uuid | + | has-federation-assurance-level | + | has-identity-assurance-level | + | has-incident-response-plan | + | has-information-system-contingency-plan | + | has-network-architecture | + | has-network-architecture-diagram | + | has-network-architecture-diagram-caption | + | has-network-architecture-diagram-description | + | has-network-architecture-diagram-link | + | has-network-architecture-diagram-link-rel | + | has-network-architecture-diagram-link-rel-allowed-value | + | has-rules-of-behavior | + | has-security-impact-level | + | has-security-sensitivity-level | + | has-separation-of-duties-matrix | + | has-system-id | + | has-system-name-short | + | has-user-guide | + | import-profile-has-available-document | + | import-profile-resolves-to-fedramp-content | + | information-type-800-60-v2r1 | + | information-type-has-availability-impact | + | information-type-has-confidentiality-impact | + | information-type-has-integrity-impact | + | information-type-system | + | interconnection-direction | + | interconnection-security | + | inventory-item-allows-authenticated-scan | + | inventory-item-public | + | inventory-item-virtual | + | missing-response-components | + | party-has-name | + | privilege-level | + | prop-response-point-has-cardinality-one | + | resource-has-base64-or-rlink | + | resource-has-title | + | responsible-party-is-person | + | role-defined-authorizing-official-poc | + | role-defined-information-system-security-officer | + | role-defined-system-owner | + | scan-type | + | security-level | + | security-sensitivity-level-matches-security-impact-level | + | user-has-authorized-privilege | + | 
user-has-privilege-level | + | user-has-role-id | + | user-has-sensitivity-level | + | user-has-user-type | + | user-privilege-level | + | user-sensitivity-level | + | user-type | +#END_DYNAMIC_CONSTRAINT_IDS + @constraints Scenario Outline: Validating OSCAL documents with metaschema constraints Given I have Metaschema extensions documents @@ -53,10 +166,6 @@ Examples: | deployment-model-PASS.yaml | | fedramp-version-FAIL.yaml | | fedramp-version-PASS.yaml | - | fully-operational-date-is-valid-FAIL.yaml | - | fully-operational-date-is-valid-PASS.yaml | - | fully-operational-date-type-FAIL.yaml | - | fully-operational-date-type-PASS.yaml | | has-authenticator-assurance-level-FAIL.yaml | | has-authenticator-assurance-level-PASS.yaml | | has-authorization-boundary-diagram-FAIL.yaml | @@ -67,8 +176,6 @@ Examples: | has-authorization-boundary-diagram-description-PASS.yaml | | has-authorization-boundary-diagram-link-FAIL.yaml | | has-authorization-boundary-diagram-link-PASS.yaml | - | has-authorization-boundary-diagram-link-href-target-FAIL.yaml | - | has-authorization-boundary-diagram-link-href-target-PASS.yaml | | has-authorization-boundary-diagram-link-rel-FAIL.yaml | | has-authorization-boundary-diagram-link-rel-PASS.yaml | | has-authorization-boundary-diagram-link-rel-allowed-value-FAIL.yaml | @@ -95,8 +202,6 @@ Examples: | has-data-flow-diagram-description-PASS.yaml | | has-data-flow-diagram-link-FAIL.yaml | | has-data-flow-diagram-link-PASS.yaml | - | has-data-flow-diagram-link-href-target-FAIL.yaml | - | has-data-flow-diagram-link-href-target-PASS.yaml | | has-data-flow-diagram-link-rel-FAIL.yaml | | has-data-flow-diagram-link-rel-PASS.yaml | | has-data-flow-diagram-link-rel-allowed-value-FAIL.yaml | 
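Review bot: The new `Documents that should be valid are pass` example references `ssp-ALL-VALID.xml`, but the fixture this series touches is `src/validations/constraints/content/ssp-all-VALID.xml` (see the diff headers), and the step resolves the path with no case folding, so the scenario fails with a missing-file error on case-sensitive filesystems such as Linux CI while passing on macOS. Use the exact name, `| ssp-all-VALID.xml |`. The scenario is also tagged `@style-guide`, which folds a full document validation into the constraint style-guide lint run; a dedicated tag such as `@integration` keeps `npm run test:style` focused. Later patches in this series make both corrections, so these commits may be worth squashing.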
@@ -105,8 +210,6 @@ Examples: | has-data-flow-diagram-uuid-PASS.yaml | | has-federation-assurance-level-FAIL.yaml | | has-federation-assurance-level-PASS.yaml | - | has-fully-operational-date-FAIL.yaml | - | has-fully-operational-date-PASS.yaml | | has-identity-assurance-level-FAIL.yaml | | has-identity-assurance-level-PASS.yaml | | has-incident-response-plan-FAIL.yaml | @@ -123,14 +226,10 @@ Examples: | has-network-architecture-diagram-description-PASS.yaml | | has-network-architecture-diagram-link-FAIL.yaml | | has-network-architecture-diagram-link-PASS.yaml | - | has-network-architecture-diagram-link-href-target-FAIL.yaml | - | has-network-architecture-diagram-link-href-target-PASS.yaml | | has-network-architecture-diagram-link-rel-FAIL.yaml | | has-network-architecture-diagram-link-rel-PASS.yaml | | has-network-architecture-diagram-link-rel-allowed-value-FAIL.yaml | | has-network-architecture-diagram-link-rel-allowed-value-PASS.yaml | - | has-published-date-FAIL.yaml | - | has-published-date-PASS.yaml | | has-rules-of-behavior-FAIL.yaml | | has-rules-of-behavior-PASS.yaml | | has-security-impact-level-FAIL.yaml | @@ -169,8 +268,6 @@ Examples: | inventory-item-public-PASS.yaml | | inventory-item-virtual-FAIL.yaml | | inventory-item-virtual-PASS.yaml | - | marking-FAIL.yaml | - | marking-PASS.yaml | | missing-response-components-FAIL.yaml | | missing-response-components-PASS.yaml | | party-has-name-FAIL.yaml | 
@@ -185,22 +282,10 @@ Examples: | response-point-PASS.yaml | | responsible-party-is-person-FAIL.yaml | | responsible-party-is-person-PASS.yaml | - | responsible-party-prepared-by-FAIL.yaml | - | responsible-party-prepared-by-PASS.yaml | - | responsible-party-prepared-by-location-valid-FAIL.yaml | - | responsible-party-prepared-by-location-valid-PASS.yaml | - | responsible-party-prepared-for-FAIL.yaml | - | responsible-party-prepared-for-PASS.yaml | - | responsible-party-prepared-for-location-valid-FAIL.yaml | - | responsible-party-prepared-for-location-valid-PASS.yaml | | role-defined-authorizing-official-poc-FAIL.yaml | | role-defined-authorizing-official-poc-PASS.yaml | | role-defined-information-system-security-officer-FAIL.yaml | | role-defined-information-system-security-officer-PASS.yaml | - | role-defined-prepared-by-FAIL.yaml | - | role-defined-prepared-by-PASS.yaml | - | role-defined-prepared-for-FAIL.yaml | - | role-defined-prepared-for-PASS.yaml | | role-defined-system-owner-FAIL.yaml | | role-defined-system-owner-PASS.yaml | | scan-type-FAIL.yaml | 
@@ -227,120 +312,3 @@ Examples: | user-type-PASS.yaml | #END_DYNAMIC_TEST_CASES -@full-coverage -Scenario: Preparing constraint coverage analysis -Given I have loaded all Metaschema extensions documents -And I have collected all YAML test files in the test directory -When I extract all constraint IDs from the Metaschema extensions -And I analyze the YAML test files for each constraint ID - -@full-coverage -Scenario Outline: Ensuring full test coverage for "" -Then I should have both FAIL and PASS tests for constraint ID "" -Examples: -| constraint_id | -#BEGIN_DYNAMIC_CONSTRAINT_IDS - | address-type | - | attachment-type | - | authorization-type | - | categorization-has-correct-system-attribute | - | categorization-has-information-type-id | - | cia-impact-has-adjustment-justification | - | cia-impact-has-selected | - | cloud-service-model | - | component-type | - | control-implementation-status | - | data-center-alternate | - | data-center-count | - | data-center-country-code | - | data-center-primary | - | data-center-us | - | deployment-model | - | fedramp-version | - | fully-operational-date-is-valid | - | fully-operational-date-type | - | has-authenticator-assurance-level | - | has-authorization-boundary-diagram | - | has-authorization-boundary-diagram-caption | - | has-authorization-boundary-diagram-description | - | has-authorization-boundary-diagram-link | - | has-authorization-boundary-diagram-link-href-target | - | has-authorization-boundary-diagram-link-rel | - | has-authorization-boundary-diagram-link-rel-allowed-value | - | has-cloud-deployment-model | - | has-cloud-deployment-model-remarks | - | has-cloud-service-model | - | has-cloud-service-model-remarks | - | has-configuration-management-plan | - | has-data-flow | - | has-data-flow-description | - | has-data-flow-diagram | - | has-data-flow-diagram-caption | - | has-data-flow-diagram-description | - | has-data-flow-diagram-link | - | has-data-flow-diagram-link-href-target | - | 
has-data-flow-diagram-link-rel | - | has-data-flow-diagram-link-rel-allowed-value | - | has-data-flow-diagram-uuid | - | has-federation-assurance-level | - | has-fully-operational-date | - | has-identity-assurance-level | - | has-incident-response-plan | - | has-information-system-contingency-plan | - | has-network-architecture | - | has-network-architecture-diagram | - | has-network-architecture-diagram-caption | - | has-network-architecture-diagram-description | - | has-network-architecture-diagram-link | - | has-network-architecture-diagram-link-href-target | - | has-network-architecture-diagram-link-rel | - | has-network-architecture-diagram-link-rel-allowed-value | - | has-published-date | - | has-rules-of-behavior | - | has-security-impact-level | - | has-security-sensitivity-level | - | has-separation-of-duties-matrix | - | has-system-id | - | has-system-name-short | - | has-user-guide | - | import-profile-has-available-document | - | import-profile-resolves-to-fedramp-content | - | information-type-800-60-v2r1 | - | information-type-has-availability-impact | - | information-type-has-confidentiality-impact | - | information-type-has-integrity-impact | - | information-type-system | - | interconnection-direction | - | interconnection-security | - | inventory-item-allows-authenticated-scan | - | inventory-item-public | - | inventory-item-virtual | - | marking | - | missing-response-components | - | party-has-name | - | privilege-level | - | prop-response-point-has-cardinality-one | - | resource-has-base64-or-rlink | - | resource-has-title | - | responsible-party-is-person | - | responsible-party-prepared-by | - | responsible-party-prepared-by-location-valid | - | responsible-party-prepared-for | - | responsible-party-prepared-for-location-valid | - | role-defined-authorizing-official-poc | - | role-defined-information-system-security-officer | - | role-defined-prepared-by | - | role-defined-prepared-for | - | role-defined-system-owner | - | scan-type | - | 
security-level | - | security-sensitivity-level-matches-security-impact-level | - | user-has-authorized-privilege | - | user-has-privilege-level | - | user-has-role-id | - | user-has-sensitivity-level | - | user-has-user-type | - | user-privilege-level | - | user-sensitivity-level | - | user-type | -#END_DYNAMIC_CONSTRAINT_IDS \ No newline at end of file diff --git a/features/steps/fedramp_extensions_steps.ts b/features/steps/fedramp_extensions_steps.ts index b2d4f6d89..51d967655 100644 --- a/features/steps/fedramp_extensions_steps.ts +++ b/features/steps/fedramp_extensions_steps.ts @@ -16,9 +16,9 @@ import { Exception, Log, Result } from "sarif"; import { fileURLToPath } from "url"; import { parseString } from "xml2js"; import { promisify } from "util"; -import {formatSarifOutput} from 'oscal' - +import {formatSarifOutput,fedrampValidationOptions} from 'oscal' let executor: 'oscal-cli'|'oscal-server' = process.env.OSCAL_EXECUTOR as 'oscal-cli'|'oscal-server' || 'oscal-cli' +let quiet= true const parseXmlString = promisify(parseString); const DEFAULT_TIMEOUT = 60000; @@ -191,8 +191,8 @@ Then("the constraint unit test should pass", async function () { }); async function processTestCase({ "test-case": testCase }: any) { - console.log(`Processing test case:${testCase.name}`); - console.log(`Description: ${testCase.description}`); + !quiet && console.log(`Processing test case:${testCase.name}`); + !quiet && console.log(`Description: ${testCase.description}`); // Load the content file const contentFiles = Array.isArray(testCase.content) ? testCase.content : [testCase.content]; @@ -210,7 +210,7 @@ async function processTestCase({ "test-case": testCase }: any) { "content", contentFile ); - console.log(`Loaded content from: ${contentPath}`); + !quiet && console.log(`Loaded content from: ${contentPath}`); const cacheKey = (typeof testCase.pipeline === 'undefined' ? "" : "resolved-") + parse(contentPath).name; 
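Review bot: `let quiet= true` is a hard-coded, mutable module-level toggle with no way to change it from the command line, and every log line in the rest of this commit is gated on it with bare `!quiet && console.log(...)` expression statements, which most TypeScript lint configurations flag as unused expressions. Drive it from the environment, next to the existing `OSCAL_EXECUTOR` lookup two lines above, e.g. `const quiet = process.env.OSCAL_QUIET !== 'false';`, and wrap the gating once with `const log = (...args: unknown[]) => { if (!quiet) console.log(...args); };` so the other hunks can call `log(...)`. A later patch in this series flips the literal back to `false`, which is the kind of churn an env-driven flag avoids.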
@@ -227,9 +227,10 @@ async function processTestCase({ "test-case": testCase }: any) { contentPath, processedContentPath, { + quiet, outputFormat:'xml' },executor) - console.log("Profile resolved"); + !quiet && console.log("Profile resolved"); } // Add other pipeline steps as needed } @@ -243,14 +244,14 @@ async function processTestCase({ "test-case": testCase }: any) { let sarifResponse; if (validationCache.has(cacheKey)) { - console.log("Using cached validation result from "+cacheKey); + !quiet && console.log("Using cached validation result from "+cacheKey); sarifResponse = validationCache.get(cacheKey)!; }else{ let flags = []; if(currentTestCaseFileName.includes("FAIL")){ flags.push("disable-schema") } - const {isValid,log} = await validateDocument(resolve(processedContentPath),{quiet:true, + const {isValid,log} = await validateDocument(resolve(processedContentPath),{quiet, extensions:metaschemaDocuments.flatMap((x) => resolve(x)), flags},executor) sarifResponse=log; @@ -322,7 +323,7 @@ async function checkConstraints( for (const expectation of constraints) { const constraint_id = expectation["constraint-id"]; const expectedResult = expectation.result; - console.log( + !quiet && console.log( `Checking status of constraint: ${constraint_id} expecting: ${ expectedResult || "mixed" }` @@ -356,15 +357,15 @@ async function checkConstraints( return kind; }, "initial"); - console.log( + !quiet && console.log( `Received: ${constraintResults.length} matching ${result} results (${passCount} pass, ${failCount} fail)` ); if(warnCount>0) - console.log( + !quiet && console.log( `Received: ${warnCount} warn)` ); if(infoCount>0) - console.log( + !quiet && console.log( `Received: ${infoCount} informational)` ); 
@@ -458,7 +459,7 @@ Given("I have loaded all Metaschema extensions documents", function () { metaschemaDocuments = files .filter((file) => file.endsWith(".xml")).sort() .map((file) => join(constraintDir, file)) - console.log( + !quiet && console.log( `Loaded ${metaschemaDocuments.length} Metaschema extension documents` ); }); @@ -478,8 +479,8 @@ When( } constraintIds = [...new Set(constraintIds)].sort(); - console.log(`Extracted ${constraintIds.length} unique constraint IDs`); - console.log(`Extracted ${constraintIds.length} unique constraint IDs`); + !quiet && console.log(`Extracted ${constraintIds.length} unique constraint IDs`); + !quiet && console.log(`Extracted ${constraintIds.length} unique constraint IDs`); } ); function extractConstraints(xmlObject: any): string[] { @@ -515,16 +516,16 @@ Then( const testCoverage = testResults[constraintId]; if (!testCoverage) { - console.log(`${constraintId}: No tests found`); + !quiet && console.log(`${constraintId}: No tests found`); expect.fail(`Constraint ${constraintId} has no tests`); } else if (!testCoverage.pass) { - console.log(`${constraintId}: Missing positive test`); + !quiet && console.log(`${constraintId}: Missing positive test`); expect.fail(`Constraint ${constraintId} is missing a positive test`); } else if (!testCoverage.fail) { - console.log(`${constraintId}: Missing negative test`); + !quiet && console.log(`${constraintId}: Missing negative test`); expect.fail(`Constraint ${constraintId} is missing a negative test`); } else { - console.log(`${constraintId}: Fully covered`); + !quiet && console.log(`${constraintId}: Fully covered`); } expect(reportedConstraints).to.include( @@ -551,7 +552,7 @@ Then( .map((row) => row["Constraint ID"]); for (const constraintId of constraintIds) { - console.log(`${constraintId}: Status to be determined`); + !quiet && console.log(`${constraintId}: Status to be determined`); expect(reportedConstraints).to.include(constraintId); } } 
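Review bot: The two `!quiet && console.log(`Extracted ${constraintIds.length} unique constraint IDs`)` lines at the end of the `When` step body are identical; the commit wraps both rather than dropping one, so the count is still printed twice whenever logging is enabled. Keep a single line. The enclosing `When(` step starts before this hunk.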
@@ -572,7 +573,7 @@ Given( yamlTestFiles = readdirSync(testDir) .filter((file) => file.endsWith(".yaml") || file.endsWith(".yml")).sort() .map((file) => join(testDir, file)); - console.log(`Collected ${yamlTestFiles.length} YAML test files`); + !quiet && console.log(`Collected ${yamlTestFiles.length} YAML test files`); } ); @@ -641,8 +642,8 @@ When("I analyze the YAML test files for each constraint ID", function () { } } - console.log(`Analyzed ${yamlTestFiles.length} YAML test files`); - console.log("Test results:", testResults); + !quiet && console.log(`Analyzed ${yamlTestFiles.length} YAML test files`); + !quiet && console.log("Test results:", testResults); }); // New step definition for the "Ensuring full test coverage for """ scenario @@ -650,16 +651,16 @@ Then("I should have both FAIL and PASS tests for constraint ID {string}", functi const testCoverage = testResults[constraintId]; if (!testCoverage) { - console.log(`${constraintId}: No tests found`); + !quiet && console.log(`${constraintId}: No tests found`); expect.fail(`Constraint ${constraintId} has no tests`); } else if (!testCoverage.pass) { - console.log(`${constraintId}: Missing at least one positive test`); + !quiet && console.log(`${constraintId}: Missing at least one positive test`); expect.fail(`Constraint ${constraintId} is missing a positive test`); } else if (!testCoverage.fail) { - console.log(`${constraintId}: Missing at least one negative test`); + !quiet && console.log(`${constraintId}: Missing at least one negative test`); expect.fail(`Constraint ${constraintId} is missing a negative test`); } else { - console.log(`${constraintId}: Has minimal required coverage`); + !quiet && console.log(`${constraintId}: Has minimal required coverage`); } expect(constraintIds).to.include( 
@@ -668,6 +669,19 @@ Then("I should have both FAIL and PASS tests for constraint ID {string}", functi ); }); +Then('I should have valid results {string}', async function (fileToValidate) { + const fullPath = resolve( + __dirname, + "..", + "..", + "src", + "validations","constraints","content",fileToValidate + ); + const {isValid,log}=await validateDocument(fullPath,{quiet,...fedrampValidationOptions},executor); + expect(isValid,formatSarifOutput(log)).to.be.true; +}); + + Then('I should verify that all constraints follow the style guide constraint', async function () { const baseDir = join(__dirname, '..', '..'); const constraintDir = join(baseDir, 'src', 'validations', 'constraints'); @@ -683,7 +697,7 @@ Then('I should verify that all constraints follow the style guide constraint', a for (const file_name of constraint_files) { const filePath = join(constraintDir, file_name.trim()); try { - const {isValid,log} = await validateDocument(filePath,{flags:['disable-schema'],quiet:true,extensions:[styleGuidePath],module:"http://csrc.nist.gov/ns/oscal/metaschema/1.0"},executor) + const {isValid,log} = await validateDocument(filePath,{flags:['disable-schema'],quiet,extensions:[styleGuidePath],module:"http://csrc.nist.gov/ns/oscal/metaschema/1.0"},executor) writeFileSync( join( __dirname, @@ -692,7 +706,7 @@ Then('I should verify that all constraints follow the style guide constraint', a ),JSON.stringify(log, null,"\t")) const formattedErrors = (formatSarifOutput(log)); - console.log(`Validation result for ${file_name}:`, isValid?"valid":"invalid"); + !quiet && console.log(`Validation result for ${file_name}:`, isValid?"valid":"invalid"); if (!isValid) { console.error("\n"+formattedErrors); } 
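Review bot: In the new `I should have valid results {string}` step, `{quiet,...fedrampValidationOptions}` spreads the shared options after the local flag, so if `fedrampValidationOptions` carries a `quiet` key (its shape is not visible here) it silently overrides the step's setting; write `{...fedrampValidationOptions, quiet}` so the local flag wins, consistent with the other `validateDocument` calls in this file that pass `quiet` explicitly. `fileToValidate` is also joined with `resolve()` without normalisation, so table entries like the commented-out `../../../content/...` examples escape the `content` directory by design; that is acceptable for test-authored input but deserves a comment such as `// fileToValidate is relative to src/validations/constraints/content; ../ paths are allowed for external fixtures`. Finally, `formatSarifOutput(log)` is evaluated eagerly as the assertion message even on the passing path; if it is costly, compute it only when `!isValid`.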
@@ -707,8 +721,6 @@ Then('I should verify that all constraints follow the style guide constraint', a // Display all errors at the end if (errors.length > 0) { console.error("Validation errors found:"); - - throw new Error("Style guide validation failed. "+errors.join("\n")); } expect(errors, "No style guide validation errors should be found").to.be.empty; diff --git a/package-lock.json b/package-lock.json index 462475c1b..56eb32a98 100644 --- a/package-lock.json +++ b/package-lock.json @@ -15,7 +15,7 @@ "inquirer": "^10.1.8", "js-yaml": "^4.1.0", "jsdom": "^25.0.0", - "oscal": "2.0.5", + "oscal": "2.0.6-rc-2", "ts-node": "^10.9.2", "xml-formatter": "^3.6.3", "xml2js": "^0.6.2" @@ -2694,9 +2694,9 @@ } }, "node_modules/oscal": { - "version": "2.0.5", - "resolved": "https://registry.npmjs.org/oscal/-/oscal-2.0.5.tgz", - "integrity": "sha512-S19CxjK9dYAE/5CYGFF/M1J9z24oIA/WX5Lkk84BzTvmeAa6qWzwIYEnmoeXRCnJnsLP5sNh/9VSFGfvY97omw==", + "version": "2.0.6-rc-2", + "resolved": "https://registry.npmjs.org/oscal/-/oscal-2.0.6-rc-2.tgz", + "integrity": "sha512-gTnzX4GgaolcjEAXcSH71ULtCjH55wWBFGZ6BKaezl7rI1fvq72w67ZYE3UJ4STkK54ov48lmpfNsZRnnBUpRg==", "license": "MIT", "dependencies": { "@terascope/fetch-github-release": "^0.8.10", diff --git a/package.json b/package.json index 5a28f0a68..00389f658 100644 --- a/package.json +++ b/package.json @@ -26,7 +26,7 @@ "inquirer": "^10.1.8", "js-yaml": "^4.1.0", "jsdom": "^25.0.0", - "oscal": "2.0.5", + "oscal": "2.0.6-rc-2", "ts-node": "^10.9.2", "xml-formatter": "^3.6.3", "xml2js": "^0.6.2" diff --git a/src/validations/constraints/content/ssp-all-VALID.xml b/src/validations/constraints/content/ssp-all-VALID.xml index d54b618ef..7e4967688 100644 --- a/src/validations/constraints/content/ssp-all-VALID.xml +++ b/src/validations/constraints/content/ssp-all-VALID.xml @@ -10,6 +10,7 @@ 1.1 1.1.2 SSP-2024-002 + @@ -39,6 +40,9 @@ System Owner + + + Document Preparer Authorizing Official Point of Contact 
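Review bot: Removing the `throw new Error("Style guide validation failed. "+errors.join("\n"))` also removes the only place the collected `errors` were carried into the failure itself: the `console.error("Validation errors found:")` header now prints with nothing under it, and the surviving `expect(errors, "No style guide validation errors should be found").to.be.empty` fails with a message that names none of the offending constraints (the per-file `console.error` earlier in the step prints them, but only to the console, not into the assertion). Keep the detail in the assertion, `expect(errors, "Style guide validation failed:\n" + errors.join("\n")).to.be.empty;`, and either drop the bare header or print `errors.join("\n")` beneath it. The enclosing `Then` step starts before this hunk.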
@@ -111,7 +115,13 @@ Jane Doe jane.doe@example.com -
+
+ 123 main + new york + NY + 10001 + US +
@@ -148,6 +158,9 @@ 22222222-0000-4000-9000-000000000002 + + 22222222-0000-4000-9000-000000000002 +

This SSP is an example for demonstration purposes.

diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml index 31db9427e..bb48a6206 100644 --- a/src/validations/constraints/fedramp-external-constraints.xml +++ b/src/validations/constraints/fedramp-external-constraints.xml @@ -525,7 +525,7 @@ Party Has a Name - Every FedRAMP document MUST define a party with a name. + Every FedRAMP document must define a party with a name. diff --git a/src/validations/module.mk b/src/validations/module.mk index 2413741da..c0f2a834a 100644 --- a/src/validations/module.mk +++ b/src/validations/module.mk @@ -1,5 +1,5 @@ # Variables -OSCAL_CLI = npx oscal@2.0.5 +OSCAL_CLI = npx oscal@next SRC_DIR = ./src DIST_DIR = ./dist REV5_BASELINES = ./dist/content/rev5/baselines From b67d4c75764dce29fbed6efaa91e24c16d3fccf7 Mon Sep 17 00:00:00 2001 From: "~ . ~" Date: Wed, 13 Nov 2024 10:22:18 -0500 Subject: [PATCH 11/19] make ssp all valid Co-Authored-By: Gabeblis --- features/fedramp_extensions.feature | 24 ++++ .../constraints/content/ssp-all-VALID.xml | 116 ++++++------------ 2 files changed, 64 insertions(+), 76 deletions(-) diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature index 6704a85c6..2be3f8b73 100644 --- a/features/fedramp_extensions.feature +++ b/features/fedramp_extensions.feature @@ -43,6 +43,8 @@ Examples: | data-center-us | | deployment-model | | fedramp-version | + | fully-operational-date-is-valid | + | fully-operational-date-type | | has-authenticator-assurance-level | | has-authorization-boundary-diagram | | has-authorization-boundary-diagram-caption | @@ -65,6 +67,7 @@ Examples: | has-data-flow-diagram-link-rel-allowed-value | | has-data-flow-diagram-uuid | | has-federation-assurance-level | + | has-fully-operational-date | | has-identity-assurance-level | | has-incident-response-plan | | has-information-system-contingency-plan | 
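Review bot: `OSCAL_CLI = npx oscal@next` replaces the exact pin `oscal@2.0.5` with a mutable npm dist-tag, so every `make build-validations` resolves and executes whatever the registry currently labels `next`, outside the `package-lock.json` integrity check and with no reproducibility between runs or between the Makefile and the `oscal` version this same commit declares in `package.json` (`2.0.6-rc-2`). Pin the Makefile to the same exact version, `OSCAL_CLI = npx oscal@2.0.6-rc-2`, or invoke the locally installed copy so the lockfile governs what runs. A later patch in this series pins it to `2.0.6`, so this is mainly a note for squashing.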
@@ -75,6 +78,7 @@ Examples: | has-network-architecture-diagram-link | | has-network-architecture-diagram-link-rel | | has-network-architecture-diagram-link-rel-allowed-value | + | has-published-date | | has-rules-of-behavior | | has-security-impact-level | | has-security-sensitivity-level | @@ -94,6 +98,7 @@ Examples: | inventory-item-allows-authenticated-scan | | inventory-item-public | | inventory-item-virtual | + | marking | | missing-response-components | | party-has-name | | privilege-level | @@ -101,8 +106,11 @@ Examples: | resource-has-base64-or-rlink | | resource-has-title | | responsible-party-is-person | + | responsible-party-prepared-by | + | responsible-party-prepared-by-location-valid | | role-defined-authorizing-official-poc | | role-defined-information-system-security-officer | + | role-defined-prepared-by | | role-defined-system-owner | | scan-type | | security-level | @@ -166,6 +174,10 @@ Examples: | deployment-model-PASS.yaml | | fedramp-version-FAIL.yaml | | fedramp-version-PASS.yaml | + | fully-operational-date-is-valid-FAIL.yaml | + | fully-operational-date-is-valid-PASS.yaml | + | fully-operational-date-type-FAIL.yaml | + | fully-operational-date-type-PASS.yaml | | has-authenticator-assurance-level-FAIL.yaml | | has-authenticator-assurance-level-PASS.yaml | | has-authorization-boundary-diagram-FAIL.yaml | @@ -210,6 +222,8 @@ Examples: | has-data-flow-diagram-uuid-PASS.yaml | | has-federation-assurance-level-FAIL.yaml | | has-federation-assurance-level-PASS.yaml | + | has-fully-operational-date-FAIL.yaml | + | has-fully-operational-date-PASS.yaml | | has-identity-assurance-level-FAIL.yaml | | has-identity-assurance-level-PASS.yaml | | has-incident-response-plan-FAIL.yaml | 
@@ -230,6 +244,8 @@ Examples: | has-network-architecture-diagram-link-rel-PASS.yaml | | has-network-architecture-diagram-link-rel-allowed-value-FAIL.yaml | | has-network-architecture-diagram-link-rel-allowed-value-PASS.yaml | + | has-published-date-FAIL.yaml | + | has-published-date-PASS.yaml | | has-rules-of-behavior-FAIL.yaml | | has-rules-of-behavior-PASS.yaml | | has-security-impact-level-FAIL.yaml | @@ -268,6 +284,8 @@ Examples: | inventory-item-public-PASS.yaml | | inventory-item-virtual-FAIL.yaml | | inventory-item-virtual-PASS.yaml | + | marking-FAIL.yaml | + | marking-PASS.yaml | | missing-response-components-FAIL.yaml | | missing-response-components-PASS.yaml | | party-has-name-FAIL.yaml | @@ -282,10 +300,16 @@ Examples: | response-point-PASS.yaml | | responsible-party-is-person-FAIL.yaml | | responsible-party-is-person-PASS.yaml | + | responsible-party-prepared-by-FAIL.yaml | + | responsible-party-prepared-by-PASS.yaml | + | responsible-party-prepared-by-location-valid-FAIL.yaml | + | responsible-party-prepared-by-location-valid-PASS.yaml | | role-defined-authorizing-official-poc-FAIL.yaml | | role-defined-authorizing-official-poc-PASS.yaml | | role-defined-information-system-security-officer-FAIL.yaml | | role-defined-information-system-security-officer-PASS.yaml | + | role-defined-prepared-by-FAIL.yaml | + | role-defined-prepared-by-PASS.yaml | | role-defined-system-owner-FAIL.yaml | | role-defined-system-owner-PASS.yaml | | scan-type-FAIL.yaml | diff --git a/src/validations/constraints/content/ssp-all-VALID.xml b/src/validations/constraints/content/ssp-all-VALID.xml index 7e4967688..995fb34c9 100644 --- a/src/validations/constraints/content/ssp-all-VALID.xml +++ b/src/validations/constraints/content/ssp-all-VALID.xml @@ -12,20 +12,8 @@ SSP-2024-002 - - - Prepared By - -

This party prepared the SSP.

-
-
- - Prepared For - -

The organization for which this SSP was prepared. Typically the CSP.

-
-
+ Document Creator @@ -44,69 +32,51 @@ Document Preparer - - Authorizing Official Point of Contact - - - Information System Security Officer (or Equivalent) - - + + Authorizing Official + +

The senior official with the authority to formally assume responsibility.

+
+
+ + Authorizing Official Point of Contact + + + Information System Security Officer (or Equivalent) + + Information System Management Point of Contact (POC) -

The highest level manager who is responsible for system operation on behalf of the System Owner.

+

The highest level manager who is responsible for system operation on behalf of the System Owner.

+
+
+ + Information System Technical Point of Contact + +

The individual or individuals leading the technical operation of the system.

-
- - Information System Technical Point of Contact - -

The individual or individuals leading the technical operation of the system.

-
-
- - General Point of Contact (POC) - -

A general point of contact for the system, designated by the system owner.

-
-
+
+ + General Point of Contact (POC) + +

A general point of contact for the system, designated by the system owner.

+
+
- - CSP HQ -
- Suite 0000 - 1234 Some Street - Haven - ME - 00000 - US -
-
-
+
US
-
+
US
- - Person Name 1 - - - name@example.com - 2020000001 - 27b78960-59ef-4619-82b0-ae20b9c709ac - 6b286b5d-8f07-4fa7-8847-1dd0d88f73fb - - - Cloud Service Provider (CSP) Name - CSP Acronym/Short Name - - 27b78960-59ef-4619-82b0-ae20b9c709ac - + + Example Organization ExOrg @@ -115,28 +85,22 @@ Jane Doe jane.doe@example.com -
- 123 main - new york - NY - 10001 - US -
+
+ 123 main + new york + NY + 10001 + US +
- - 3360e343-9860-4bda-9dfc-ff427c3dfab6 - - - 6b286b5d-8f07-4fa7-8847-1dd0d88f73fb - + 11111111-0000-4000-9000-000000000001 22222222-0000-4000-9000-000000000002 - 22222222-0000-4000-9000-000000000002 From 2df64a49568857257efa6ec4454b692d7c473cc6 Mon Sep 17 00:00:00 2001 From: "~ . ~" Date: Wed, 13 Nov 2024 10:25:30 -0500 Subject: [PATCH 12/19] update oscal version Co-Authored-By: Gabeblis --- package-lock.json | 8 ++++---- package.json | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/package-lock.json b/package-lock.json index 56eb32a98..698520ddb 100644 --- a/package-lock.json +++ b/package-lock.json @@ -15,7 +15,7 @@ "inquirer": "^10.1.8", "js-yaml": "^4.1.0", "jsdom": "^25.0.0", - "oscal": "2.0.6-rc-2", + "oscal": "2.0.6", "ts-node": "^10.9.2", "xml-formatter": "^3.6.3", "xml2js": "^0.6.2" @@ -2694,9 +2694,9 @@ } }, "node_modules/oscal": { - "version": "2.0.6-rc-2", - "resolved": "https://registry.npmjs.org/oscal/-/oscal-2.0.6-rc-2.tgz", - "integrity": "sha512-gTnzX4GgaolcjEAXcSH71ULtCjH55wWBFGZ6BKaezl7rI1fvq72w67ZYE3UJ4STkK54ov48lmpfNsZRnnBUpRg==", + "version": "2.0.6", + "resolved": "https://registry.npmjs.org/oscal/-/oscal-2.0.6.tgz", + "integrity": "sha512-+hSDqr7Ddi3qqvAaSN8XRsrrgxrsORfvLVZIpgrTz/AzWum0R+PnCFlxQ9+KMuptxXW9kAcfAwyXmhdIjaZV8g==", "license": "MIT", "dependencies": { "@terascope/fetch-github-release": "^0.8.10", diff --git a/package.json b/package.json index 00389f658..90e64d08e 100644 --- a/package.json +++ b/package.json @@ -26,7 +26,7 @@ "inquirer": "^10.1.8", "js-yaml": "^4.1.0", "jsdom": "^25.0.0", - "oscal": "2.0.6-rc-2", + "oscal": "2.0.6", "ts-node": "^10.9.2", "xml-formatter": "^3.6.3", "xml2js": "^0.6.2" From 646eb73735f3bcea033301d7d20242aaa5a360c8 Mon Sep 17 00:00:00 2001 From: "~ . ~" Date: Wed, 13 Nov 2024 10:36:10 -0500 Subject: [PATCH 13/19] Update fedramp_extensions.feature Co-Authored-By: Gabeblis --- features/fedramp_extensions.feature | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature index 2be3f8b73..466b8e703 100644 --- a/features/fedramp_extensions.feature +++ b/features/fedramp_extensions.feature @@ -9,7 +9,7 @@ Scenario Outline: Documents that should be valid are pass Then I should have valid results "" Examples: | valid_file | -| ssp-ALL-VALID.xml | +| ssp-all-VALID.xml | # | ../../../content/awesome-cloud/xml/AwesomeCloudSSP1.xml | # | ../../../content/awesome-cloud/xml/AwesomeCloudSSP2.xml | From bd4ee17a6049968e7d4e40b7e5e5b61d4952480c Mon Sep 17 00:00:00 2001 From: wandmagic <156969148+wandmagic@users.noreply.github.com> Date: Thu, 14 Nov 2024 00:26:22 -0500 Subject: [PATCH 14/19] Update fedramp_extensions.feature Co-authored-by: A.J. Stein --- features/fedramp_extensions.feature | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature index 466b8e703..0e73b0a74 100644 --- a/features/fedramp_extensions.feature +++ b/features/fedramp_extensions.feature @@ -4,7 +4,7 @@ Feature: OSCAL Document Constraints Scenario Outline: Validating OSCAL constraints with metaschema constraints Then I should verify that all constraints follow the style guide constraint -@style-guide +@integration Scenario Outline: Documents that should be valid are pass Then I should have valid results "" Examples: From 4283e071975f764147655a93931bba4ed6b73498 Mon Sep 17 00:00:00 2001 From: wandmagic <156969148+wandmagic@users.noreply.github.com> Date: Thu, 14 Nov 2024 00:26:45 -0500 Subject: [PATCH 15/19] Update module.mk Co-authored-by: A.J. Stein --- src/validations/module.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/validations/module.mk b/src/validations/module.mk index c0f2a834a..a6958e664 100644 --- a/src/validations/module.mk +++ b/src/validations/module.mk 
@@ -1,5 +1,5 @@ # Variables -OSCAL_CLI = npx oscal@next +OSCAL_CLI = npx oscal@2.0.6 SRC_DIR = ./src DIST_DIR = ./dist REV5_BASELINES = ./dist/content/rev5/baselines From 184b625f412bfd9396b5536ebf3e4e749523f87a Mon Sep 17 00:00:00 2001 From: "~ . ~" Date: Thu, 14 Nov 2024 09:54:05 -0500 Subject: [PATCH 16/19] add integration npm commands --- features/steps/fedramp_extensions_steps.ts | 2 +- package.json | 2 ++ src/validations/module.mk | 1 + 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/features/steps/fedramp_extensions_steps.ts b/features/steps/fedramp_extensions_steps.ts index 51d967655..21a7f1df9 100644 --- a/features/steps/fedramp_extensions_steps.ts +++ b/features/steps/fedramp_extensions_steps.ts @@ -18,7 +18,7 @@ import { parseString } from "xml2js"; import { promisify } from "util"; import {formatSarifOutput,fedrampValidationOptions} from 'oscal' let executor: 'oscal-cli'|'oscal-server' = process.env.OSCAL_EXECUTOR as 'oscal-cli'|'oscal-server' || 'oscal-cli' -let quiet= true +let quiet= false const parseXmlString = promisify(parseString); const DEFAULT_TIMEOUT = 60000; diff --git a/package.json b/package.json index 90e64d08e..91480fb81 100644 --- a/package.json +++ b/package.json 
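Review bot: `OSCAL_CLI = npx oscal@2.0.6` pins a version but still lets npx resolve the package itself: if `npm ci` has not populated `node_modules` (or a later bump of `"oscal": "2.0.6"` in package.json is not mirrored here), npx can fetch `oscal@2.0.6` from the registry outside the lockfile's integrity hash, and the pin has to be kept in sync by hand with package.json and package-lock.json. This series already moved the line from `oscal@2.0.5` through the floating `oscal@next` to `2.0.6`, which is exactly the drift a single source of truth avoids. Consider `OSCAL_CLI = ./node_modules/.bin/oscal` (or `npx --no oscal`) so the Makefile always runs the locked, integrity-checked copy and fails fast when dependencies are not installed.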
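Review bot: `let quiet= false` hard-codes verbose executor output for every run, while `executor` two lines above is read from `process.env.OSCAL_EXECUTOR`; a flipped committed constant is easy to forget and makes CI logs noisier than needed. Wiring it to the environment keeps the new default and lets CI opt back in: `let quiet = process.env.OSCAL_QUIET === 'true'`. These are module-level statements; the rest of the module is outside the hunk.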
@@ -14,7 +14,9 @@ "test:constraints": "cross-env NODE_OPTIONS=\"--loader ts-node/esm --no-warnings --experimental-specifier-resolution=node\" cucumber-js --tags @constraints", "test:coverage": "cross-env NODE_OPTIONS=\"--loader ts-node/esm --no-warnings --experimental-specifier-resolution=node\" cucumber-js --tags @full-coverage", "test:style": "cross-env-shell NODE_OPTIONS=\"--loader ts-node/esm --no-warnings --experimental-specifier-resolution=node\" cucumber-js --tags @style-guide", + "test:integration": "cross-env-shell NODE_OPTIONS=\"--loader ts-node/esm --no-warnings --experimental-specifier-resolution=node\" cucumber-js --tags @integration", "lint:server": "cross-env-shell OSCAL_EXECUTOR='oscal-server' NODE_OPTIONS=\"--loader ts-node/esm --no-warnings --experimental-specifier-resolution=node\" cucumber-js --tags @style-guide", + "test:integration:server": "cross-env-shell OSCAL_EXECUTOR='oscal-server' NODE_OPTIONS=\"--loader ts-node/esm --no-warnings --experimental-specifier-resolution=node\" cucumber-js --tags @integration", "mq": "node ./src/scripts/dev-metaschema-eval.js", "constraint": "node ./src/scripts/dev-constraint.js" }, diff --git a/src/validations/module.mk b/src/validations/module.mk index a6958e664..d89558c4b 100644 --- a/src/validations/module.mk +++ b/src/validations/module.mk @@ -23,6 +23,7 @@ lint-validations: .PHONY: build-validations build-validations: @echo "Running Cucumber Tests" + $(OSCAL_CLI) server stop $(OSCAL_CLI) server start -bg @npm run test:server $(OSCAL_CLI) server stop From 4f93113028fb8f6470cbf5ddd648a7e024a44f6b Mon Sep 17 00:00:00 2001 From: wandmagic <156969148+wandmagic@users.noreply.github.com> Date: Thu, 14 Nov 2024 16:44:22 -0500 Subject: [PATCH 17/19] Update fedramp-external-constraints.xml Co-authored-by: Gabeblis --- src/validations/constraints/fedramp-external-constraints.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
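Review bot: the added `$(OSCAL_CLI) server stop` runs before any server has been started, so on a clean build the recipe only survives if the CLI treats stopping an absent server as a no-op; if it exits non-zero, make aborts before `server start -bg` and the target fails. Prefix it with make's ignore-error marker, `-$(OSCAL_CLI) server stop`, so a stale server is cleaned up when present and the step is harmless otherwise. Relatedly, the trailing `$(OSCAL_CLI) server stop` only runs when `@npm run test:server` succeeds, because a failing test exits the recipe early and leaves the background server running; `@npm run test:server; status=$$?; $(OSCAL_CLI) server stop; exit $$status` stops it on both paths. `build-validations` is fully inside the hunk; `lint-validations` above it is not.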
diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml index bb48a6206..31db9427e 100644 --- a/src/validations/constraints/fedramp-external-constraints.xml +++ b/src/validations/constraints/fedramp-external-constraints.xml @@ -525,7 +525,7 @@ Party Has a Name - Every FedRAMP document must define a party with a name. + Every FedRAMP document MUST define a party with a name. From f7ad94ef406378c07ab295b8f19aa248fc1f289c Mon Sep 17 00:00:00 2001 From: "~ . ~" Date: Thu, 14 Nov 2024 16:50:41 -0500 Subject: [PATCH 18/19] get latest ssp-all valid --- .../constraints/content/ssp-all-VALID.xml | 129 +++++++++++------- 1 file changed, 77 insertions(+), 52 deletions(-) diff --git a/src/validations/constraints/content/ssp-all-VALID.xml b/src/validations/constraints/content/ssp-all-VALID.xml index 995fb34c9..bd009f2e9 100644 --- a/src/validations/constraints/content/ssp-all-VALID.xml +++ b/src/validations/constraints/content/ssp-all-VALID.xml @@ -10,10 +10,26 @@ 1.1 1.1.2 SSP-2024-002 - - - + + + Authorizing Official + +

Senior official with authority to formally assume responsibility for operating a system at an acceptable level of risk.

+
+
+ + Prepared By + +

This party prepared the SSP.

+
+
+ + Prepared For + +

The organization for which this SSP was prepared. Typically the CSP.

+
+
Document Creator @@ -29,54 +45,69 @@ System Owner - - Document Preparer - - - Authorizing Official - -
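Review bot: the `Prepared By` and `Prepared For` roles restored here are the same ones patch 11 removed from this fixture, and the constraint ID lists in this series now include `role-defined-prepared-by`, `responsible-party-prepared-by` and `role-defined-prepared-for`, which presumably are what the golden VALID document has to satisfy. Nothing in the file records why these roles exist, so the next fixture clean-up can strip them again and only the @integration scenario would notice. An XML comment next to each restored role, e.g. `<!-- required by role-defined-prepared-by / responsible-party-prepared-by; keep in sync with fedramp-external-constraints.xml -->`, documents the dependency where it is edited. Element tags are not visible in this extraction, so treat the exact placement as a suggestion; the enclosing element continues past the hunk.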

The senior official with the authority to formally assume responsibility.

-
-
- - Authorizing Official Point of Contact - - - Information System Security Officer (or Equivalent) - - + + Authorizing Official Point of Contact + + + Information System Security Officer (or Equivalent) + + Information System Management Point of Contact (POC) -

The highest level manager who is responsible for system operation on behalf of the System Owner.

-
-
- - Information System Technical Point of Contact - -

The individual or individuals leading the technical operation of the system.

+

The highest level manager who is responsible for system operation on behalf of the System Owner.

-
- - General Point of Contact (POC) - -

A general point of contact for the system, designated by the system owner.

-
-
+
+ + Information System Technical Point of Contact + +

The individual or individuals leading the technical operation of the system.

+
+
+ + General Point of Contact (POC) + +

A general point of contact for the system, designated by the system owner.

+
+
+ + CSP HQ +
+ Suite 0000 + 1234 Some Street + Haven + ME + 00000 + US +
+
-
+
US
-
+
US
- - + + Person Name 1 + + + name@example.com + 2020000001 + 27b78960-59ef-4619-82b0-ae20b9c709ac + 6b286b5d-8f07-4fa7-8847-1dd0d88f73fb + + + Cloud Service Provider (CSP) Name + CSP Acronym/Short Name + + 27b78960-59ef-4619-82b0-ae20b9c709ac + Example Organization ExOrg @@ -85,22 +116,22 @@ Jane Doe jane.doe@example.com -
- 123 main - new york - NY - 10001 - US -
+
- + + 3360e343-9860-4bda-9dfc-ff427c3dfab6 + + + 6b286b5d-8f07-4fa7-8847-1dd0d88f73fb + 11111111-0000-4000-9000-000000000001 22222222-0000-4000-9000-000000000002 + 22222222-0000-4000-9000-000000000002 @@ -122,9 +153,6 @@ 22222222-0000-4000-9000-000000000002 - - 22222222-0000-4000-9000-000000000002 -

This SSP is an example for demonstration purposes.

@@ -473,8 +501,5 @@

May use rlink with a relative path, or embedded as base64.

- - - - + \ No newline at end of file From e80d90d13eca763aba6538ecfa2cd769100708e5 Mon Sep 17 00:00:00 2001 From: "~ . ~" Date: Thu, 14 Nov 2024 16:52:45 -0500 Subject: [PATCH 19/19] Update fedramp_extensions.feature Co-Authored-By: Rene Tshiteya --- features/fedramp_extensions.feature | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature index 0e73b0a74..503e732c6 100644 --- a/features/fedramp_extensions.feature +++ b/features/fedramp_extensions.feature @@ -50,6 +50,7 @@ Examples: | has-authorization-boundary-diagram-caption | | has-authorization-boundary-diagram-description | | has-authorization-boundary-diagram-link | + | has-authorization-boundary-diagram-link-href-target | | has-authorization-boundary-diagram-link-rel | | has-authorization-boundary-diagram-link-rel-allowed-value | | has-cloud-deployment-model | @@ -63,6 +64,7 @@ Examples: | has-data-flow-diagram-caption | | has-data-flow-diagram-description | | has-data-flow-diagram-link | + | has-data-flow-diagram-link-href-target | | has-data-flow-diagram-link-rel | | has-data-flow-diagram-link-rel-allowed-value | | has-data-flow-diagram-uuid | @@ -76,6 +78,7 @@ Examples: | has-network-architecture-diagram-caption | | has-network-architecture-diagram-description | | has-network-architecture-diagram-link | + | has-network-architecture-diagram-link-href-target | | has-network-architecture-diagram-link-rel | | has-network-architecture-diagram-link-rel-allowed-value | | has-published-date | 
@@ -108,9 +111,12 @@ Examples: | responsible-party-is-person | | responsible-party-prepared-by | | responsible-party-prepared-by-location-valid | + | responsible-party-prepared-for | + | responsible-party-prepared-for-location-valid | | role-defined-authorizing-official-poc | | role-defined-information-system-security-officer | | role-defined-prepared-by | + | role-defined-prepared-for | | role-defined-system-owner | | scan-type | | security-level | @@ -188,6 +194,8 @@ Examples: | has-authorization-boundary-diagram-description-PASS.yaml | | has-authorization-boundary-diagram-link-FAIL.yaml | | has-authorization-boundary-diagram-link-PASS.yaml | + | has-authorization-boundary-diagram-link-href-target-FAIL.yaml | + | has-authorization-boundary-diagram-link-href-target-PASS.yaml | | has-authorization-boundary-diagram-link-rel-FAIL.yaml | | has-authorization-boundary-diagram-link-rel-PASS.yaml | | has-authorization-boundary-diagram-link-rel-allowed-value-FAIL.yaml | @@ -214,6 +222,8 @@ Examples: | has-data-flow-diagram-description-PASS.yaml | | has-data-flow-diagram-link-FAIL.yaml | | has-data-flow-diagram-link-PASS.yaml | + | has-data-flow-diagram-link-href-target-FAIL.yaml | + | has-data-flow-diagram-link-href-target-PASS.yaml | | has-data-flow-diagram-link-rel-FAIL.yaml | | has-data-flow-diagram-link-rel-PASS.yaml | | has-data-flow-diagram-link-rel-allowed-value-FAIL.yaml | @@ -240,6 +250,8 @@ Examples: | has-network-architecture-diagram-description-PASS.yaml | | has-network-architecture-diagram-link-FAIL.yaml | | has-network-architecture-diagram-link-PASS.yaml | + | has-network-architecture-diagram-link-href-target-FAIL.yaml | + | has-network-architecture-diagram-link-href-target-PASS.yaml | | has-network-architecture-diagram-link-rel-FAIL.yaml | | has-network-architecture-diagram-link-rel-PASS.yaml | | has-network-architecture-diagram-link-rel-allowed-value-FAIL.yaml | 
@@ -304,12 +316,18 @@ Examples: | responsible-party-prepared-by-PASS.yaml | | responsible-party-prepared-by-location-valid-FAIL.yaml | | responsible-party-prepared-by-location-valid-PASS.yaml | + | responsible-party-prepared-for-FAIL.yaml | + | responsible-party-prepared-for-PASS.yaml | + | responsible-party-prepared-for-location-valid-FAIL.yaml | + | responsible-party-prepared-for-location-valid-PASS.yaml | | role-defined-authorizing-official-poc-FAIL.yaml | | role-defined-authorizing-official-poc-PASS.yaml | | role-defined-information-system-security-officer-FAIL.yaml | | role-defined-information-system-security-officer-PASS.yaml | | role-defined-prepared-by-FAIL.yaml | | role-defined-prepared-by-PASS.yaml | + | role-defined-prepared-for-FAIL.yaml | + | role-defined-prepared-for-PASS.yaml | | role-defined-system-owner-FAIL.yaml | | role-defined-system-owner-PASS.yaml | | scan-type-FAIL.yaml |