Releases: metaschema-framework/liboscal-java
Releases · metaschema-framework/liboscal-java
v7.1.0
✨ Highlights
This release updates the core framework to metaschema-java 3.0.0.M3 and fixes CI/CD issues with scheduled builds and security scanning.
metaschema-java 3.0.0.M3
Updated the core Metaschema framework dependency to 3.0.0.M3, which brings several significant features and fixes (#253):
- Unmodeled content support (
<any/>) — Assemblies can now capture unmodeled XML elements and JSON/YAML properties during deserialization and write them back with full fidelity, with corresponding code generation support. - Date/time formatting functions — Implements
fn:format-dateTime,fn:format-date,fn:format-time, andfn:format-integerper XPath Functions 3.1 with full picture string parsing. - JSON Schema
json-value-keyfix — Resolves a bug where fields using static<json-value-key>labels produced invalid nested JSON Schema, which was blocking the OSCAL build system migration from XSLT to oscal-cli.
Scheduled Build and Guide CSS Fixes
Added required workflow permissions that were preventing nightly scheduled builds from starting, and inlined custom CSS in site configuration to fix broken styles in guides subdirectory pages. (#251)
Trivy Security Scan Fix
Excluded the maven2/ artifact repository checkout from Trivy security scanning. This transient directory is used only during deployment, and its dependencies (e.g., fast-xml-parser) were triggering false CVE findings (CVE-2026-25128) that should be scanned in the maven2 repository instead. (#252)
🐛 Bug Fixes
- Resolve scheduled build startup failure and missing CSS in guides (#251) by @david-waltermire
🔧 Build & CI Improvements
- Exclude maven2 artifact repo checkout from Trivy scan (#252) by @david-waltermire
Other Changes
- Update to metaschema-java 3.0.0-SNAPSHOT (#250) by @david-waltermire
- Update metaschema-java to 3.0.0.M3 (#253) by @david-waltermire
v7.0.0
✨ Highlights
Java Package Namespace Migration
All Java packages have been renamed from gov.nist.secauto.* to dev.metaschema.* to align with the Maven groupId. This is a breaking change requiring import updates in all downstream projects. (#232)
Comprehensive Documentation
Added extensive documentation including installation guides, build instructions, architecture overview, and usage guides for binding context, reading/writing data, profile resolution, Metapath execution, and constraint validation. (#239)
OSCAL 1.2.0 Compatibility
Updated the OSCAL submodule to version 1.2.0, with model changes including the use of ProfileMatching for profile control selection. (#223)
Metaschema Java 3.0.0.M2 Dependency
Updated to metaschema-java 3.0.0.M2, bringing shell completion for Bash/Zsh, improved validation error messages with file location and format-appropriate terminology, experimental parallel validation, and approximately 30% fewer dependencies (Saxon-HE, JDOM2, jaxen, XMLBeans removed). (#224)
⚠️ Breaking Changes
Java Package Rename
All Java packages have been renamed to align with the new Maven groupId:
gov.nist.secauto.metaschema.*→dev.metaschema.*gov.nist.secauto.oscal.*→dev.metaschema.oscal.*
Migration Path: Update all imports in downstream projects from the old gov.nist.secauto namespace to the new dev.metaschema namespace.
(#232) by @david-waltermire
Upstream Breaking Changes (metaschema-java 3.0.0.M2)
- XMLBeans removed from core module: Replace
ModuleLoaderandXmlConstraintLoaderfrom core withBindingModuleLoaderandBindingConstraintLoaderfrom databind. - Metapath exception hierarchy refactored: Code catching specific Metapath exceptions may need updates.
✨ New Features
- Detailed SARIF security findings - Added collapsible details sections showing individual findings in CodeQL and Trivy scan summaries, with build failure on critical/high severity findings (#237) by @david-waltermire
🐛 Bug Fixes
- Support field nodes in
has-oscal-namespacefunction, returningFALSEfor nodes without namespace support instead of throwing an exception (#233) by @david-waltermire - Make
ComponentDefinitionandMappingCollectionimplementIOscalInstanceto fixClassCastExceptionwhen validating documents with fragment references (#226) by @david-waltermire - Update for OSCAL 1.2.0 model compatibility, using
ProfileMatchingfor profile control selection (#223) by @david-waltermire - Exclude
oscalsubmodule from Trivy and CodeQL security scans to avoid duplicate alerts (#235) by @david-waltermire
📚 Documentation Improvements
- Expand website documentation with installation, building, architecture, and comprehensive usage guides (#239) by @david-waltermire
🔧 Build & CI Improvements
- Extract scheduled build into reusable workflow with Trivy security scanning and improved link checker (#234) by @david-waltermire
- Add Claude Code configuration for AI-assisted development (#236) by @david-waltermire
v6.0.0
This major release brings OSCAL 1.2.0 support and upgrades to metaschema-java 3.0.0.M1, along with significant API improvements and dependency updates.
✨ Highlights
- OSCAL 1.2.0 Support: Updated to the latest OSCAL model with full compatibility
- metaschema-java 3.0.0.M1: Major framework upgrade with improved module loading and exception handling
- Improved CI/CD: Added workflow concurrency control and nightly builds
- Refined Exception Handling: More specific Metapath exceptions for better error diagnosis
⚠️ Breaking Changes
metaschema-java 3.0.0.M1 Migration
This release requires migrating to the new metaschema-java 3.0.0.M1 APIs. See the metaschema-java v3.0.0.M1 release notes for complete details.
XMLBeans Removal
| Old (Removed) | New (Use Instead) |
|---|---|
ModuleLoader |
IBindingModuleLoader |
XmlMetaConstraintLoader |
BindingConstraintLoader |
IXmlMetaschemaModule |
IBindingMetaschemaModule |
Lazy Initialization API
| Old | New |
|---|---|
Lazy.lazy(...) |
Lazy.of(...) |
Exception Hierarchy Refactoring
More specific exception types replace generic MetapathException:
| Old | New |
|---|---|
MetapathException (missing context) |
ContextAbsentDynamicMetapathException |
MetapathException (document errors) |
DocumentFunctionException |
OSCAL 1.2.0 Model Changes
ProfileMatching Class Rename
The Matching class has been renamed to ProfileMatching to disambiguate from other matching assemblies in OSCAL 1.2.0:
| Old | New |
|---|---|
gov.nist.secauto.oscal.lib.model.Matching |
gov.nist.secauto.oscal.lib.model.ProfileMatching |
✨ New Features
- Added
@FunctionalInterfaceannotation toIReferencePolicyenabling lambda expressions (#223) - Enhanced null-safety handling in profile resolution (#223)
🔧 Build & CI Improvements
- Added concurrency configuration to cancel in-progress workflow runs on new commits (#222)
- Added scheduled nightly builds at 3:00 AM UTC (#222)
- Removed deprecated
--exclude-mailflag from lychee-action (#212)
🐛 Bug Fixes
- Fixed
URItoStringconversion forremove.getByNs()inProfileResolver(#223) - Updated OSCAL submodule to fix schxslt submodule URL migration (#211)
What's Changed
Core Changes
- Update metaschema-java to v3.0.0.M1 by @david-waltermire in #224
- fix: update for OSCAL 1.2.0 model compatibility by @david-waltermire in #223
- fix: update for metaschema-java 3.0.0 compatibility by @david-waltermire in #210
- fix: update test for metaschema-java PR #529 compatibility by @david-waltermire in #220
Build & CI
- Add concurrency and nightly build support to GitHub workflows by @david-waltermire in #222
- Remove deprecated --exclude-mail flag from lychee-action by @david-waltermire in #212
- chore: update OSCAL submodule to latest develop by @david-waltermire in #211
Full Changelog: v5.2.1...v6.0.0
📦 Dependency Updates
Java Libraries
- gov.nist.secauto.metaschema:metaschema-java: 2.x → 3.0.0.M1 (#224)
- net.sf.saxon:Saxon-HE: 12.5 → 12.9 (#195)
- org.apache.commons:commons-lang3: 3.17.0 → 3.19.0 (#200)
- org.apache.logging.log4j:log4j-bom: 2.24.3 → 2.25.2 (#197)
- org.xmlresolver:xmlresolver: 6.0.14 → 6.0.19 (#176)
- dependency.xmlunit.version: 2.10.0 → 2.11.0 (#219)
- org.assertj:assertj-core: 3.27.3 → 3.27.6 (#198)
- nl.talsmasoftware:lazy4j: 2.0.0 → 2.0.1 (#384)
Maven Plugins
- org.sonatype.central:central-publishing-maven-plugin: updates (#214)
- io.github.git-commit-id:git-commit-id-maven-plugin: updates
- me.fabriciorby:maven-surefire-junit5-tree-reporter: updates (#217)
GitHub Actions
- actions/checkout: 4.2.2 → 6.0.1 (#183, #213)
- actions/setup-java: 4.7.1 → 5.1.0 (#187, #215)
- actions/upload-artifact: 4.6.2 → 5.0.0 (#216)
- actions/github-script: 7.0.1 → 8.0.0 (#191)
- github/codeql-action: 3.28.13 → 4.31.8 (#208, #221)
- lycheeverse/lychee-action: 2.4.0 → 2.7.0 (#209)
- peter-evans/create-issue-from-file: 5.0.1 → 6.0.0 (#218)
Contributors
david-waltermire
Assets 2
v5.2.1
v5.2.0
This minor release incorporates feature improvements and bug fixes from metaschema-java v2.2.0.
The OSCAL version used by this tool is v1.1.3.
New and Noteworthy
- Added support for relative resource resolution for links generated by the profile resolver. Supports metaschema-framework/oscal-cli#84 and resolution of usnistgov/oscal-cli#78 (#94)
- Improved profile exception handling involving throw IOException instances during profile resolution. The underlying cause will now be reported. (#93)
- JUnit tests run during the build are now run using multiple threads. This dramatically speeds up build duration. (#129)
- Added external constraints to check that controls directly referenced in a profile exist in the referenced catalog. Reports non-existence as a validation error. This addresses usnistgov/oscal-cli#126. (#133)
- Adjusted profile resolution reference warnings to be logged at debug instead of warning. This will reduce a ton of noise in the CLI output. This addresses usnistgov/oscal-cli#270. (#142)
- Changed
handleIndexMiss()logging from ERROR to WARN. This silences the reporting of dangling anchor references in the CLI as requested in #144 . (#145)
Important Bug Fixes
- Ensure that controls defined at the catalog level are not duplicated during profile resolution. This fixes a bug (metaschema-framework/oscal-cli#60) caused during the import handling phase of profile resolution, which was "promoting" controls defined at the catalog level, causing a second copy of the control to be added. This was fixed by making controls at the catalog level always eligible for selection. (#92)
- Fixed a bug (#112) in the collection of allowed-values constraints. let statements are processed properly now, avoiding an exeption. This code supports the metaschema-framework/oscal-cli
list-allowed-valuescommand (#131) - Adjusted the resolve-profile Metapath function 1-arg variant focus independent. This will dramatically improve execution cache performance, since resutls can now be cached. This builds on metaschema-frameworm/metaschema-java#399. (#141)
- Fixed a binding error causing improper generation of some bound classes. (#143)
What's Changed
- Updates based on latest metaschema-java refactoring by @david-waltermire in #91
- Improve profile resolution exceptions by @david-waltermire in #93
- Support generation of relative links during profile resolution by @david-waltermire in #94
- Bump github/codeql-action from 3.27.5 to 3.27.7 by @dependabot in #95
- Bump org.cyclonedx:cyclonedx-maven-plugin from 2.9.0 to 2.9.1 by @dependabot in #89
- Address duplicate controls at catalog level in profile resolution by @david-waltermire in #92
- Bump actions/upload-artifact from 4.4.3 to 4.5.0 by @dependabot in #100
- Bump actions/setup-java from 4.5.0 to 4.6.0 by @dependabot in #99
- Bump org.apache.xmlbeans:xmlbeans from 5.2.2 to 5.3.0 by @dependabot in #98
- Bump org.apache.logging.log4j:log4j-bom from 2.24.2 to 2.24.3 by @dependabot in #97
- Bump lycheeverse/lychee-action from 2.1.0 to 2.2.0 by @dependabot in #102
- Bump github/codeql-action from 3.27.7 to 3.28.0 by @dependabot in #103
- Bump org.assertj:assertj-core from 3.26.3 to 3.27.1 by @dependabot in #104
- Cleanup null warnings by @david-waltermire in #105
- Bump actions/setup-java from 4.6.0 to 4.7.0 by @dependabot in #120
- Bump lycheeverse/lychee-action from 2.2.0 to 2.3.0 by @dependabot in #123
- Bump actions/upload-artifact from 4.5.0 to 4.6.1 by @dependabot in #126
- Bump github/codeql-action from 3.28.0 to 3.28.10 by @dependabot in #127
- Multithread build and update dependencies by @david-waltermire in #129
- Bump org.assertj:assertj-core from 3.27.1 to 3.27.3 by @dependabot in #113
- Bump org.sonatype.central:central-publishing-maven-plugin from 0.6.0 to 0.7.0 by @dependabot in #108
- Properly support let statements in the AllowedValueCollectingNodeItemVisitor. by @david-waltermire in #131
- Bump org.xmlresolver:xmlresolver from 6.0.12 to 6.0.14 by @dependabot in #135
- Bump actions/upload-artifact from 4.6.1 to 4.6.2 by @dependabot in #137
- Bump github/codeql-action from 3.28.10 to 3.28.13 by @dependabot in #138
- Bump dev.metaschema:oss-parent from 7 to 8 by @dependabot in #139
- Bump lycheeverse/lychee-action from 2.3.0 to 2.4.0 by @dependabot in #140
- Provide a validation error when a profile import references a non-existent control by @david-waltermire in #133
- Make resolve-profile 1-arg variant focus independent. by @david-waltermire in #141
- Adjust reference warnings to debug level by @david-waltermire in #142
- Fixed a binding error causing improper generation of some bound class… by @david-waltermire in #143
- Change handleIndexMiss logging from ERROR to WARN for #144 by @aj-stein-gsa in #145
Full Changelog: v5.1.0...v5.2.0
Contributors
david-waltermire, dependabot, and aj-stein-gsa
Assets 2
v5.1.0
This minor release incorporates feature improvements and bug fixes from metaschema-java.
The OSCAL version used by this tool has been updated to v1.1.3.
What's Changed
- Integrate metaschema-java improvements by @david-waltermire in #87
- Bump org.apache.logging.log4j:log4j-bom from 2.24.1 to 2.24.2 by @dependabot in #86
- Bump github/codeql-action from 3.27.0 to 3.27.5 by @dependabot in #84
- Bump com.googlecode.maven-download-plugin:download-maven-plugin from 1.11.2 to 1.13.0 by @dependabot in #85
- Bump org.sonatype.central:central-publishing-maven-plugin from 0.5.0 to 0.6.0 by @dependabot in #76
Full Changelog: v5.0.1...v5.1.0
Contributors
david-waltermire and dependabot
Assets 2
v5.0.1
This patch release incorporates bug fixes from metaschema-java.
Full Changelog: v5.0.0...v5.0.1
v5.0.0
This major release integrates changes from metaschema-framework/metaschema-java v2.0.0. A major release was chosen here due to backwards compatibility breaking changes in the metaschema-java release that affect the APIs of this library.
What's Changed
- Bump com.googlecode.maven-download-plugin:download-maven-plugin from 1.10.0 to 1.11.2 by @dependabot in #71
- Bump org.apache.maven.plugins:maven-jxr-plugin from 3.5.0 to 3.6.0 by @dependabot in #70
- Bump org.xmlresolver:xmlresolver from 6.0.10 to 6.0.11 by @dependabot in #68
- Bump actions/setup-java from 4.4.0 to 4.5.0 by @dependabot in #67
- Bump actions/checkout from 4.2.1 to 4.2.2 by @dependabot in #66
- Bump github/codeql-action from 3.26.12 to 3.27.0 by @dependabot in #65
- Bump lycheeverse/lychee-action from 1.10.0 to 2.0.2 by @dependabot in #62
- Bump actions/upload-artifact from 4.4.1 to 4.4.3 by @dependabot in #61
- Bump org.cyclonedx:cyclonedx-maven-plugin from 2.8.2 to 2.9.0 by @dependabot in #55
- Update to metaschema-java 2.0.0 by @david-waltermire in #72
Full Changelog: v4.2.0...v5.0.0
Contributors
david-waltermire and dependabot
Assets 2
v4.2.0
Changelog
This minor release adds the following new features:
- Documented how to identify which Metapath functions are supported by this library. (#41)
- Features, bug fixes, and dependency updates from metaschema-java v1.2.0.
What's Changed
- Update .lycheeignore to exclude broken link by @david-waltermire in #49
- Bump org.xmlresolver:xmlresolver from 6.0.9 to 6.0.10 by @dependabot in #43
- Bump actions/setup-java from 4.3.0 to 4.4.0 by @dependabot in #44
- Bump peter-evans/create-issue-from-file from 5.0.0 to 5.0.1 by @dependabot in #45
- Bump actions/checkout from 4.1.7 to 4.2.0 by @dependabot in #47
- Bump org.cyclonedx:cyclonedx-maven-plugin from 2.8.1 to 2.8.2 by @dependabot in #48
- Bump github/codeql-action from 3.26.7 to 3.26.10 by @dependabot in #51
- Bump dependency.log4j2.version from 2.23.1 to 2.24.1 by @dependabot in #50
- Document where to find OSCAL-specific custom metaschema functions not in metaschema java by @aj-stein-gsa in #41
- Bump github/codeql-action from 3.26.10 to 3.26.11 by @dependabot in #53
- Bump com.googlecode.maven-download-plugin:download-maven-plugin from 1.9.0 to 1.10.0 by @dependabot in #54
- Bump to v4.2.0 by @david-waltermire in #52
- Bump actions/upload-artifact from 4.4.0 to 4.4.1 by @dependabot in #58
- Bump actions/checkout from 4.2.0 to 4.2.1 by @dependabot in #57
- Bump github/codeql-action from 3.26.11 to 3.26.12 by @dependabot in #56
New Contributors
- @aj-stein-gsa made their first contribution in #41
Full Changelog: v4.1.0...v4.2.0
Contributors
david-waltermire, dependabot, and aj-stein-gsa
Assets 2
v4.1.0
Changelog
This minor release incorporates improvements from the underlying metaschema-java library.
What's Changed
- Bump org.xmlresolver:xmlresolver from 6.0.8 to 6.0.9 by @dependabot in #27
- Bump github/codeql-action from 3.26.2 to 3.26.3 by @dependabot in #26
- Bump actions/upload-artifact from 4.3.6 to 4.4.0 by @dependabot in #33
- Bump org.apache.commons:commons-lang3 from 3.16.0 to 3.17.0 by @dependabot in #32
- Bump github/codeql-action from 3.26.3 to 3.26.6 by @dependabot in #31
- Bump org.apache.maven.plugins:maven-jxr-plugin from 3.4.0 to 3.5.0 by @dependabot in #29
- Bump actions/setup-java from 4.2.2 to 4.3.0 by @dependabot in #35
- Bump github/codeql-action from 3.26.6 to 3.26.7 by @dependabot in #36
- Bump metaschema-java version from 1.0.2 to 1.1.0 by @david-waltermire in #37
- Prepare for 4.1.0 release by @david-waltermire in #38
Full Changelog: v4.0.2...v4.1.0
Contributors
david-waltermire and dependabot