Releases: metaschema-framework/oscal-cli
Releases · metaschema-framework/oscal-cli
v2.6.0
Download the OSCAL CLI tool. (GPG Signature)
This major release brings OSCAL 1.2.0 support and upgrades to metaschema-java 3.0.0.M1 and liboscal-java 6.0.0, along with a new --pretty-print option for profile resolution and CI/CD improvements.
✨ Highlights
- OSCAL 1.2.0 Support: Updated to the latest OSCAL model with full compatibility
- New
--pretty-printoption: Format profile resolution output for XML, JSON, and YAML files - metaschema-java 3.0.0.M1: Major framework upgrade with improved module loading and exception handling
- liboscal-java 6.0.0: Updated to latest OSCAL library
- Improved CI/CD: Added workflow concurrency control and scheduled nightly builds
⚠️ Breaking Changes
metaschema-java 3.0.0.M1 Migration
This release requires migrating to the new metaschema-java 3.0.0.M1 APIs. See the metaschema-java v3.0.0.M1 release notes for complete details.
| Dependency | Previous Version | New Version |
|---|---|---|
| metaschema-java | 2.2.0 | 3.0.0.M1 |
| liboscal-java | 5.2.1 | 6.0.0 |
API Changes
The IBindingContext.registerModule() method signature changed in metaschema-java 3.0.0 to throw a checked MetaschemaException. Error handling has been improved to provide more descriptive error messages and proper exit codes when module registration fails.
✨ New Features
- Add
--pretty-printoption for profile resolution output (#193) - Originally contributed by Mahesh Kumar Gaddam (@ermahesh) in usnistgov/oscal-cli#295
🔧 Build & CI Improvements
- Added concurrency configuration to cancel in-progress workflow runs on new commits (#206)
- Added scheduled nightly builds at 4:00 AM UTC (#206)
- Removed deprecated
--exclude-mailflag from lychee-action (#194)
What's Changed
Features
- Add --pretty-print option for profile resolution output by @david-waltermire in #193
Core Changes
- Update to metaschema-java 3.0.0.M1-SNAPSHOT by @david-waltermire in #204
- Update dependencies to latest releases by @david-waltermire in #207
Build & CI
- Add concurrency and nightly build support to GitHub workflows by @david-waltermire in #206
- Remove deprecated --exclude-mail flag from lychee-action by @david-waltermire in #194
Full Changelog: v2.5.1...v2.6.0
📦 Dependency Updates
Java Libraries
- gov.nist.secauto.metaschema:metaschema-java: 2.2.0 → 3.0.0.M1 (#204, #207)
- gov.nist.secauto.oscal:liboscal-java: 5.2.1 → 6.0.0 (#204, #207)
- commons-io:commons-io: 2.18.0 → 2.21.0 (#195)
- org.json:json: 20250107 → 20250517 (#153)
- org.junit:junit-bom: 5.12.1 → 6.0.1 (#199)
- org.apache.logging.log4j:log4j-bom: 2.24.3 → 2.25.2 (#180)
- org.xmlresolver:xmlresolver: 6.0.14 → 6.0.19 (#203)
- org.fusesource.jansi:jansi: 2.4.1 → 2.4.2
- com.github.erosb:everit-json-schema: 1.14.5 → 1.14.6
Maven Plugins
- org.codehaus.mojo:license-maven-plugin: 2.5.0 → 2.7.0 (#179)
- org.sonatype.central:central-publishing-maven-plugin: updates (#181)
- io.github.git-commit-id:git-commit-id-maven-plugin: updates (#157)
- me.fabriciorby:maven-surefire-junit5-tree-reporter: updates (#202)
GitHub Actions
- actions/checkout: 4.2.2 → 6.0.1 (#168, #197)
- actions/setup-java: 4.7.1 → 5.1.0 (#170, #201)
- actions/upload-artifact: 4.6.2 → 5.0.0 (#196)
- actions/github-script: 7.0.1 → 8.0.0 (#175)
- github/codeql-action: 3.28.17 → 4.31.8 (#191, #200, #205)
- peter-evans/create-issue-from-file: 5.0.1 → 6.0.0 (#198)
- lycheeverse/lychee-action: 2.4.1 → 2.7.0 (#190)
Contributors
david-waltermire
Assets 2
v2.5.1
Download the OSCAL CLI tool. (GPG Signature)
This patch release incorporates the liboscal-java 5.2.0 patch and build environment updates.
What's Changed
- Update workflow runner OS from Ubuntu 20.04 to 24.04 by @aj-stein in #143
- Bumping liboscal-java version from 5.2.0 to 5.2.1 by @david-waltermire in #145
- Bump lycheeverse/lychee-action from 2.4.0 to 2.4.1 by @dependabot in #141
- Bump github/codeql-action from 3.28.13 to 3.28.17 by @dependabot in #140
- Bump actions/setup-java from 4.7.0 to 4.7.1 by @dependabot in #135
New Contributors
Full Changelog: v2.5.0...v2.5.1
Contributors
david-waltermire, dependabot, and aj-stein
Assets 2
v2.5.0
Download the OSCAL CLI tool. (GPG Signature)
This minor release incorporates feature improvements and bug fixes from metaschema-framework/metaschema-java v2.2.0 and metaschema-framework/liboscal-java v5.2.0.
The OSCAL version used by this tool is v1.1.3.
New and Noteworthy
- Added support for resolved relative links produced during profile resolution using the
--relative-to=URIargument to the resolve command, supported by metaschema-framework/liboscal-java#94, resolving #84 and usnistgov/oscal-cli#78. (#88) - JUnit tests run during the build are now run using multiple threads. This dramatically speeds up build duration. (#119)
- Use of extra constraints that support cross checking controls directly referenced in a profile exist in the referenced catalog. Reports non-existence as a validation error. This addresses usnistgov/oscal-cli#126, supported by metaschema-framework/liboscal-java#133.
- Adjusted profile resolution reference warnings to be logged at debug instead of warning. This will reduce a ton of noise in the CLI output. This addresses usnistgov/oscal-cli#270, supported by metaschema-framework/liboscal-java#133.
Important Bug Fixes
- Ensured that controls defined at the catalog level are not duplicated during profile resolution. This fixes a bug (#60) caused during the import handling phase of profile resolution, which was "promoting" controls defined at the catalog level, causing a second copy of the control to be added. This was fixed by making controls at the catalog level always eligible for selection. Supported by metaschema-framework/liboscal-java#92.
- Added missing functionality for the
DEBUGconstraint level adderessing bug #92, based on metaschema-framework/metaschema-java#307.
What's Changed
- Bump github/codeql-action from 3.27.5 to 3.27.7 by @dependabot in #89
- oscal-cli resolve --relative-to=URI by @david-waltermire in #88
- Bump lycheeverse/lychee-action from 2.1.0 to 2.2.0 by @dependabot in #97
- Bump actions/setup-java from 4.5.0 to 4.6.0 by @dependabot in #96
- Bump actions/upload-artifact from 4.4.3 to 4.5.0 by @dependabot in #95
- Bump org.apache.xmlbeans:xmlbeans from 5.2.2 to 5.3.0 by @dependabot in #94
- Bump org.junit:junit-bom from 5.11.3 to 5.11.4 by @dependabot in #93
- Bump org.apache.logging.log4j:log4j-bom from 2.24.2 to 2.24.3 by @dependabot in #91
- Bump org.json:json from 20240303 to 20241224 by @dependabot in #99
- Bump github/codeql-action from 3.27.7 to 3.28.0 by @dependabot in #98
- Bump org.codehaus.mojo:license-maven-plugin from 2.4.0 to 2.5.0 by @dependabot in #86
- Feature/build tuneup by @david-waltermire in #119
- Bump actions/upload-artifact from 4.5.0 to 4.6.2 by @dependabot in #126
- Bump actions/setup-java from 4.6.0 to 4.7.0 by @dependabot in #110
- Bump lycheeverse/lychee-action from 2.2.0 to 2.3.0 by @dependabot in #113
- Bump github/codeql-action from 3.28.0 to 3.28.13 by @dependabot in #127
- Bump org.sonatype.central:central-publishing-maven-plugin from 0.6.0 to 0.7.0 by @dependabot in #102
- Bump org.xmlresolver:xmlresolver from 6.0.12 to 6.0.14 by @dependabot in #123
- Bump org.junit:junit-bom from 5.12.0 to 5.12.1 by @dependabot in #124
- Update README.md by @david-waltermire in #130
- Bump lycheeverse/lychee-action from 2.3.0 to 2.4.0 by @dependabot in #131
- Tune-up CLI unit tests by @david-waltermire in #132
Full Changelog: v2.4.0...v2.5.0
Contributors
david-waltermire and dependabot
Assets 2
v2.4.0
Download the OSCAL CLI tool. (GPG Signature)
This minor release incorporates feature improvements and bug fixes from metaschema-java.
The OSCAL version used by this tool has been updated to v1.1.3.
What's Changed
- Code cleanup by @david-waltermire in #82
- Bump org.sonatype.central:central-publishing-maven-plugin from 0.5.0 to 0.6.0 by @dependabot in #74
- Bump commons-io:commons-io from 2.17.0 to 2.18.0 by @dependabot in #78
- Bump github/codeql-action from 3.27.1 to 3.27.5 by @dependabot in #79
- Bump org.apache.logging.log4j:log4j-bom from 2.24.1 to 2.24.2 by @dependabot in #81
Full Changelog: v2.3.1...v2.4.0
Contributors
david-waltermire and dependabot
Assets 2
v2.3.1
Download the OSCAL CLI tool. (GPG Signature)
This patch release incorporates bug fixes from metaschema-java.
What's Changed
- Add unit tests for a bug causing error messages to be silently dropped by @david-waltermire in #69
Full Changelog: v2.3.0...v2.3.1
Contributors
david-waltermire
Assets 2
v2.3.0
Download the OSCAL CLI tool. (GPG Signature)
This minor release integrates changes from metaschema-framework/metaschema-java v2.0.0. A major release was chosen here since this release only adds functionality to and fixes bugs in the CLI.
This release fixes #67 based on metaschema-java changes. See metaschema-framework/metaschema-java#232.
What's Changed
- Bump org.xmlresolver:xmlresolver from 6.0.10 to 6.0.11 by @dependabot in #66
- Bump actions/setup-java from 4.4.0 to 4.5.0 by @dependabot in #65
- Bump actions/checkout from 4.2.1 to 4.2.2 by @dependabot in #64
- Bump github/codeql-action from 3.26.12 to 3.27.0 by @dependabot in #62
- Bump org.junit:junit-bom from 5.11.1 to 5.11.3 by @dependabot in #61
- Bump lycheeverse/lychee-action from 1.10.0 to 2.0.2 by @dependabot in #59
- Bump actions/upload-artifact from 4.4.2 to 4.4.3 by @dependabot in #56
- Update to metaschema-java 2.0.0 by @david-waltermire in #68
Full Changelog: v2.2.0...v2.3.0
Contributors
david-waltermire and dependabot
Assets 2
v2.2.0
Download the OSCAL CLI tool. (GPG Signature)
Changelog
- Features, bug fixes, and dependency updates from metaschema-java v1.2.0.
- Documentation changes and dependency updates from liboscal-java v4.2.0.
What's Changed
- Update .lycheeignore by @david-waltermire in #47
- Bump commons-io:commons-io from 2.16.1 to 2.17.0 by @dependabot in #36
- Bump actions/setup-java from 4.3.0 to 4.4.0 by @dependabot in #42
- Bump peter-evans/create-issue-from-file from 5.0.0 to 5.0.1 by @dependabot in #43
- Bump actions/checkout from 4.1.7 to 4.2.0 by @dependabot in #44
- Bump github/codeql-action from 3.26.7 to 3.26.10 by @dependabot in #46
- Bump org.xmlresolver:xmlresolver from 6.0.9 to 6.0.10 by @dependabot in #39
- Bump github/codeql-action from 3.26.10 to 3.26.11 by @dependabot in #49
- Bump actions/checkout from 4.2.0 to 4.2.1 by @dependabot in #52
- Bump actions/upload-artifact from 4.4.0 to 4.4.1 by @dependabot in #51
- Bump github/codeql-action from 3.26.11 to 3.26.12 by @dependabot in #50
- Bump actions/upload-artifact from 4.4.1 to 4.4.2 by @dependabot in #53
- Bump to v2.2.0 by @david-waltermire in #48
Full Changelog: v2.1.0...v2.2.0
Contributors
david-waltermire and dependabot
Assets 2
v2.1.0
Download the OSCAL CLI tool. (GPG Signature)
What's new
This minor release adds the oscal-cli list-allowed-values command, which lists all allowed values constraints associated with a given node in the OSCAL model graph.
usage: oscal-cli list-allowed-values [<options>] [<destination-file>]
-c <URL> additional constraint definitions
-h,--help display this help message
--no-color do not colorize output
--overwrite overwrite the destination if it exists
-q,--quiet minimize output to include only errors
--show-stack-trace display the stack trace associated with an error
--version display the application version
This release also adds new commands under the oscal-cli metaschema command path, which are provided by metaschema-java.
These include:
oscal-cli metaschema metapath evaloscal-cli metaschema generate-diagram
Additionally, all content validation commands now allow you to disable schema or constraint validation using arguments.
--disable-constraint-validation do not perform constraint validation
--disable-schema-validation do not perform schema validation
What's Changed
- Bump org.xmlresolver:xmlresolver from 6.0.8 to 6.0.9 by @dependabot in #14
- Bump github/codeql-action from 3.26.0 to 3.26.3 by @dependabot in #12
- Update .lycheeignore by @david-waltermire in #23
- Bump github/codeql-action from 3.26.3 to 3.26.7 by @dependabot in #28
- Bump actions/setup-java from 4.2.2 to 4.3.0 by @dependabot in #25
- Bump actions/upload-artifact from 4.3.6 to 4.4.0 by @dependabot in #20
- Adjust README instructions with community feedback by @aj-stein-gsa in #21
- Bump dependencies and code cleanup by @david-waltermire in #29
- Add list-allowed-values command by @david-waltermire in #30
- Allowed Values Command Cleanup by @david-waltermire in #31
New Contributors
- @aj-stein-gsa made their first contribution in #21
Full Changelog: v2.0.2...v2.1.0
Contributors
david-waltermire, dependabot, and aj-stein-gsa
Assets 2
v2.0.2
Download the OSCAL CLI tool. (GPG Signature)
What's Changed
- Bump liboscal java to 4.0.2 by @david-waltermire in #15
Full Changelog: v2.0.1...v2.0.2
Contributors
david-waltermire
Assets 2
v2.0.1
Download the OSCAL CLI tool. (GPG Signature)
What's Changed
- Bumping liboscal-java from 4.0.0 to 4.0.1. by @david-waltermire in #9
- Recreate CNAME file to ensure it is not removed. by @david-waltermire in #10
New Contributors
- @david-waltermire made their first contribution in #9
Full Changelog: v2.0.0...v2.0.1
Contributors
david-waltermire