v7.0.0

✨ Highlights

Java Package Namespace Migration

All Java packages have been renamed from gov.nist.secauto.* to dev.metaschema.* to align with the Maven groupId. This is a breaking change requiring import updates in all downstream projects. (#232)

Comprehensive Documentation

Added extensive documentation including installation guides, build instructions, architecture overview, and usage guides for binding context, reading/writing data, profile resolution, Metapath execution, and constraint validation. (#239)

OSCAL 1.2.0 Compatibility

Updated the OSCAL submodule to version 1.2.0, with model changes including the use of ProfileMatching for profile control selection. (#223)

Metaschema Java 3.0.0.M2 Dependency

Updated to metaschema-java 3.0.0.M2, bringing shell completion for Bash/Zsh, improved validation error messages with file location and format-appropriate terminology, experimental parallel validation, and approximately 30% fewer dependencies (Saxon-HE, JDOM2, jaxen, XMLBeans removed). (#224)

⚠️ Breaking Changes

Java Package Rename

All Java packages have been renamed to align with the new Maven groupId:

• gov.nist.secauto.metaschema.* → dev.metaschema.*
• gov.nist.secauto.oscal.* → dev.metaschema.oscal.*

Migration Path: Update all imports in downstream projects from the old gov.nist.secauto namespace to the new dev.metaschema namespace.

(#232) by @david-waltermire

Upstream Breaking Changes (metaschema-java 3.0.0.M2)

• XMLBeans removed from core module: Replace ModuleLoader and XmlConstraintLoader from core with BindingModuleLoader and BindingConstraintLoader from databind.
• Metapath exception hierarchy refactored: Code catching specific Metapath exceptions may need updates.

✨ New Features

• Detailed SARIF security findings - Added collapsible details sections showing individual findings in CodeQL and Trivy scan summaries, with build failure on critical/high severity findings (#237) by @david-waltermire

🐛 Bug Fixes

• Support field nodes in has-oscal-namespace function, returning FALSE for nodes without namespace support instead of throwing an exception (#233) by @david-waltermire
• Make ComponentDefinition and MappingCollection implement IOscalInstance to fix ClassCastException when validating documents with fragment references (#226) by @david-waltermire
• Update for OSCAL 1.2.0 model compatibility, using ProfileMatching for profile control selection (#223) by @david-waltermire
• Exclude oscal submodule from Trivy and CodeQL security scans to avoid duplicate alerts (#235) by @david-waltermire

📚 Documentation Improvements

• Expand website documentation with installation, building, architecture, and comprehensive usage guides (#239) by @david-waltermire

🔧 Build & CI Improvements

• Extract scheduled build into reusable workflow with Trivy security scanning and improved link checker (#234) by @david-waltermire
• Add Claude Code configuration for AI-assisted development (#236) by @david-waltermire

📦 Dependency Updates

Java Libraries

• metaschema-java: 3.0.0.M1-SNAPSHOT → 3.0.0.M2 (#224)

Maven Plugins

• org.sonatype.central:central-publishing-maven-plugin: 0.9.0 → 0.10.0 (#238)

GitHub Actions

• actions/upload-artifact: 5.0.0 → 6.0.0 (#225)
• github/codeql-action: 4.31.8 → 4.31.9 (#227)

v6.0.0

This major release brings OSCAL 1.2.0 support and upgrades to metaschema-java 3.0.0.M1, along with significant API improvements and dependency updates.

✨ Highlights

• OSCAL 1.2.0 Support: Updated to the latest OSCAL model with full compatibility
• metaschema-java 3.0.0.M1: Major framework upgrade with improved module loading and exception handling
• Improved CI/CD: Added workflow concurrency control and nightly builds
• Refined Exception Handling: More specific Metapath exceptions for better error diagnosis

⚠️ Breaking Changes

metaschema-java 3.0.0.M1 Migration

This release requires migrating to the new metaschema-java 3.0.0.M1 APIs. See the metaschema-java v3.0.0.M1 release notes for complete details.

XMLBeans Removal

Old (Removed)	New (Use Instead)
ModuleLoader	IBindingModuleLoader
XmlMetaConstraintLoader	BindingConstraintLoader
IXmlMetaschemaModule	IBindingMetaschemaModule

Lazy Initialization API

Old	New
Lazy.lazy(...)	Lazy.of(...)

Exception Hierarchy Refactoring

More specific exception types replace generic MetapathException:

Old	New
MetapathException (missing context)	ContextAbsentDynamicMetapathException
MetapathException (document errors)	DocumentFunctionException

OSCAL 1.2.0 Model Changes

ProfileMatching Class Rename

The Matching class has been renamed to ProfileMatching to disambiguate from other matching assemblies in OSCAL 1.2.0:

Old	New
gov.nist.secauto.oscal.lib.model.Matching	gov.nist.secauto.oscal.lib.model.ProfileMatching

✨ New Features

• Added @FunctionalInterface annotation to IReferencePolicy enabling lambda expressions (#223)
• Enhanced null-safety handling in profile resolution (#223)

🔧 Build & CI Improvements

• Added concurrency configuration to cancel in-progress workflow runs on new commits (#222)
• Added scheduled nightly builds at 3:00 AM UTC (#222)
• Removed deprecated --exclude-mail flag from lychee-action (#212)

🐛 Bug Fixes

• Fixed URI to String conversion for remove.getByNs() in ProfileResolver (#223)
• Updated OSCAL submodule to fix schxslt submodule URL migration (#211)

What's Changed

Core Changes

• Update metaschema-java to v3.0.0.M1 by @david-waltermire in #224
• fix: update for OSCAL 1.2.0 model compatibility by @david-waltermire in #223
• fix: update for metaschema-java 3.0.0 compatibility by @david-waltermire in #210
• fix: update test for metaschema-java PR #529 compatibility by @david-waltermire in #220

Build & CI

• Add concurrency and nightly build support to GitHub workflows by @david-waltermire in #222
• Remove deprecated --exclude-mail flag from lychee-action by @david-waltermire in #212
• chore: update OSCAL submodule to latest develop by @david-waltermire in #211

Full Changelog: v5.2.1...v6.0.0

📦 Dependency Updates

Java Libraries

• gov.nist.secauto.metaschema:metaschema-java: 2.x → 3.0.0.M1 (#224)
• net.sf.saxon:Saxon-HE: 12.5 → 12.9 (#195)
• org.apache.commons:commons-lang3: 3.17.0 → 3.19.0 (#200)
• org.apache.logging.log4j:log4j-bom: 2.24.3 → 2.25.2 (#197)
• org.xmlresolver:xmlresolver: 6.0.14 → 6.0.19 (#176)
• dependency.xmlunit.version: 2.10.0 → 2.11.0 (#219)
• org.assertj:assertj-core: 3.27.3 → 3.27.6 (#198)
• nl.talsmasoftware:lazy4j: 2.0.0 → 2.0.1 (#384)

Maven Plugins

• org.sonatype.central:central-publishing-maven-plugin: updates (#214)
• io.github.git-commit-id:git-commit-id-maven-plugin: updates
• me.fabriciorby:maven-surefire-junit5-tree-reporter: updates (#217)

GitHub Actions

• actions/checkout: 4.2.2 → 6.0.1 (#183, #213)
• actions/setup-java: 4.7.1 → 5.1.0 (#187, #215)
• actions/upload-artifact: 4.6.2 → 5.0.0 (#216)
• actions/github-script: 7.0.1 → 8.0.0 (#191)
• github/codeql-action: 3.28.13 → 4.31.8 (#208, #221)
• lycheeverse/lychee-action: 2.4.0 → 2.7.0 (#209)
• peter-evans/create-issue-from-file: 5.0.1 → 6.0.0 (#218)

v5.2.1

This patch release incorporates the following bug fixes.

• Correct inline constraint oscal-unique-link-in-context-location for #155 (#156)
• Updated OS version used in GitHub actions to Ubuntu 24.04 (#157)

The OSCAL version used by this tool is v1.1.3.

Full Changelog: v5.2.0...v5.2.1

v5.2.0

This minor release incorporates feature improvements and bug fixes from metaschema-java v2.2.0.

The OSCAL version used by this tool is v1.1.3.

New and Noteworthy

• Added support for relative resource resolution for links generated by the profile resolver. Supports metaschema-framework/oscal-cli#84 and resolution of usnistgov/oscal-cli#78 (#94)
• Improved profile exception handling involving throw IOException instances during profile resolution. The underlying cause will now be reported. (#93)
• JUnit tests run during the build are now run using multiple threads. This dramatically speeds up build duration. (#129)
• Added external constraints to check that controls directly referenced in a profile exist in the referenced catalog. Reports non-existence as a validation error. This addresses usnistgov/oscal-cli#126. (#133)
• Adjusted profile resolution reference warnings to be logged at debug instead of warning. This will reduce a ton of noise in the CLI output. This addresses usnistgov/oscal-cli#270. (#142)
• Changed handleIndexMiss() logging from ERROR to WARN. This silences the reporting of dangling anchor references in the CLI as requested in #144 . (#145)

Important Bug Fixes

• Ensure that controls defined at the catalog level are not duplicated during profile resolution. This fixes a bug (metaschema-framework/oscal-cli#60) caused during the import handling phase of profile resolution, which was "promoting" controls defined at the catalog level, causing a second copy of the control to be added. This was fixed by making controls at the catalog level always eligible for selection. (#92)
• Fixed a bug (#112) in the collection of allowed-values constraints. let statements are processed properly now, avoiding an exeption. This code supports the metaschema-framework/oscal-cli list-allowed-values command (#131)
• Adjusted the resolve-profile Metapath function 1-arg variant focus independent. This will dramatically improve execution cache performance, since resutls can now be cached. This builds on metaschema-frameworm/metaschema-java#399. (#141)
• Fixed a binding error causing improper generation of some bound classes. (#143)

What's Changed

• Updates based on latest metaschema-java refactoring by @david-waltermire in #91
• Improve profile resolution exceptions by @david-waltermire in #93
• Support generation of relative links during profile resolution by @david-waltermire in #94
• Bump github/codeql-action from 3.27.5 to 3.27.7 by @dependabot in #95
• Bump org.cyclonedx:cyclonedx-maven-plugin from 2.9.0 to 2.9.1 by @dependabot in #89
• Address duplicate controls at catalog level in profile resolution by @david-waltermire in #92
• Bump actions/upload-artifact from 4.4.3 to 4.5.0 by @dependabot in #100
• Bump actions/setup-java from 4.5.0 to 4.6.0 by @dependabot in #99
• Bump org.apache.xmlbeans:xmlbeans from 5.2.2 to 5.3.0 by @dependabot in #98
• Bump org.apache.logging.log4j:log4j-bom from 2.24.2 to 2.24.3 by @dependabot in #97
• Bump lycheeverse/lychee-action from 2.1.0 to 2.2.0 by @dependabot in #102
• Bump github/codeql-action from 3.27.7 to 3.28.0 by @dependabot in #103
• Bump org.assertj:assertj-core from 3.26.3 to 3.27.1 by @dependabot in #104
• Cleanup null warnings by @david-waltermire in #105
• Bump actions/setup-java from 4.6.0 to 4.7.0 by @dependabot in #120
• Bump lycheeverse/lychee-action from 2.2.0 to 2.3.0 by @dependabot in #123
• Bump actions/upload-artifact from 4.5.0 to 4.6.1 by @dependabot in #126
• Bump github/codeql-action from 3.28.0 to 3.28.10 by @dependabot in #127
• Multithread build and update dependencies by @david-waltermire in #129
• Bump org.assertj:assertj-core from 3.27.1 to 3.27.3 by @dependabot in #113
• Bump org.sonatype.central:central-publishing-maven-plugin from 0.6.0 to 0.7.0 by @dependabot in #108
• Properly support let statements in the AllowedValueCollectingNodeItemVisitor. by @david-waltermire in #131
• Bump org.xmlresolver:xmlresolver from 6.0.12 to 6.0.14 by @dependabot in #135
• Bump actions/upload-artifact from 4.6.1 to 4.6.2 by @dependabot in #137
• Bump github/codeql-action from 3.28.10 to 3.28.13 by @dependabot in #138
• Bump dev.metaschema:oss-parent from 7 to 8 by @dependabot in #139
• Bump lycheeverse/lychee-action from 2.3.0 to 2.4.0 by @dependabot in #140
• Provide a validation error when a profile import references a non-existent control by @david-waltermire in #133
• Make resolve-profile 1-arg variant focus independent. by @david-waltermire in #141
• Adjust reference warnings to debug level by @david-waltermire in #142
• Fixed a binding error causing improper generation of some bound class… by @david-waltermire in #143
• Change handleIndexMiss logging from ERROR to WARN for #144 by @aj-stein-gsa in #145

Full Changelog: v5.1.0...v5.2.0

v5.1.0

This minor release incorporates feature improvements and bug fixes from metaschema-java.

The OSCAL version used by this tool has been updated to v1.1.3.

What's Changed

• Integrate metaschema-java improvements by @david-waltermire in #87
• Bump org.apache.logging.log4j:log4j-bom from 2.24.1 to 2.24.2 by @dependabot in #86
• Bump github/codeql-action from 3.27.0 to 3.27.5 by @dependabot in #84
• Bump com.googlecode.maven-download-plugin:download-maven-plugin from 1.11.2 to 1.13.0 by @dependabot in #85
• Bump org.sonatype.central:central-publishing-maven-plugin from 0.5.0 to 0.6.0 by @dependabot in #76

Full Changelog: v5.0.1...v5.1.0

v5.0.1

This patch release incorporates bug fixes from metaschema-java.

Full Changelog: v5.0.0...v5.0.1

v5.0.0

This major release integrates changes from metaschema-framework/metaschema-java v2.0.0. A major release was chosen here due to backwards compatibility breaking changes in the metaschema-java release that affect the APIs of this library.

What's Changed

• Bump com.googlecode.maven-download-plugin:download-maven-plugin from 1.10.0 to 1.11.2 by @dependabot in #71
• Bump org.apache.maven.plugins:maven-jxr-plugin from 3.5.0 to 3.6.0 by @dependabot in #70
• Bump org.xmlresolver:xmlresolver from 6.0.10 to 6.0.11 by @dependabot in #68
• Bump actions/setup-java from 4.4.0 to 4.5.0 by @dependabot in #67
• Bump actions/checkout from 4.2.1 to 4.2.2 by @dependabot in #66
• Bump github/codeql-action from 3.26.12 to 3.27.0 by @dependabot in #65
• Bump lycheeverse/lychee-action from 1.10.0 to 2.0.2 by @dependabot in #62
• Bump actions/upload-artifact from 4.4.1 to 4.4.3 by @dependabot in #61
• Bump org.cyclonedx:cyclonedx-maven-plugin from 2.8.2 to 2.9.0 by @dependabot in #55
• Update to metaschema-java 2.0.0 by @david-waltermire in #72

Full Changelog: v4.2.0...v5.0.0

v4.2.0

Changelog

This minor release adds the following new features:

• Documented how to identify which Metapath functions are supported by this library. (#41)
• Features, bug fixes, and dependency updates from metaschema-java v1.2.0.

What's Changed

• Update .lycheeignore to exclude broken link by @david-waltermire in #49
• Bump org.xmlresolver:xmlresolver from 6.0.9 to 6.0.10 by @dependabot in #43
• Bump actions/setup-java from 4.3.0 to 4.4.0 by @dependabot in #44
• Bump peter-evans/create-issue-from-file from 5.0.0 to 5.0.1 by @dependabot in #45
• Bump actions/checkout from 4.1.7 to 4.2.0 by @dependabot in #47
• Bump org.cyclonedx:cyclonedx-maven-plugin from 2.8.1 to 2.8.2 by @dependabot in #48
• Bump github/codeql-action from 3.26.7 to 3.26.10 by @dependabot in #51
• Bump dependency.log4j2.version from 2.23.1 to 2.24.1 by @dependabot in #50
• Document where to find OSCAL-specific custom metaschema functions not in metaschema java by @aj-stein-gsa in #41
• Bump github/codeql-action from 3.26.10 to 3.26.11 by @dependabot in #53
• Bump com.googlecode.maven-download-plugin:download-maven-plugin from 1.9.0 to 1.10.0 by @dependabot in #54
• Bump to v4.2.0 by @david-waltermire in #52
• Bump actions/upload-artifact from 4.4.0 to 4.4.1 by @dependabot in #58
• Bump actions/checkout from 4.2.0 to 4.2.1 by @dependabot in #57
• Bump github/codeql-action from 3.26.11 to 3.26.12 by @dependabot in #56

New Contributors

• @aj-stein-gsa made their first contribution in #41

Full Changelog: v4.1.0...v4.2.0

v4.1.0

Changelog

This minor release incorporates improvements from the underlying metaschema-java library.

What's Changed

• Bump org.xmlresolver:xmlresolver from 6.0.8 to 6.0.9 by @dependabot in #27
• Bump github/codeql-action from 3.26.2 to 3.26.3 by @dependabot in #26
• Bump actions/upload-artifact from 4.3.6 to 4.4.0 by @dependabot in #33
• Bump org.apache.commons:commons-lang3 from 3.16.0 to 3.17.0 by @dependabot in #32
• Bump github/codeql-action from 3.26.3 to 3.26.6 by @dependabot in #31
• Bump org.apache.maven.plugins:maven-jxr-plugin from 3.4.0 to 3.5.0 by @dependabot in #29
• Bump actions/setup-java from 4.2.2 to 4.3.0 by @dependabot in #35
• Bump github/codeql-action from 3.26.6 to 3.26.7 by @dependabot in #36
• Bump metaschema-java version from 1.0.2 to 1.1.0 by @david-waltermire in #37
• Prepare for 4.1.0 release by @david-waltermire in #38

Full Changelog: v4.0.2...v4.1.0

v4.0.2

What's Changed

• Cleanup and Metaschema Java patch by @david-waltermire in #25

Full Changelog: v4.0.1...v4.0.2