4 minutes
GoComply with OSCAL & FedRAMP :: Introduction to metaschema
This is the fourth post of the GoComply series that introduces open source pipeline to produce and process OSCAL and FedRAMP documents. If You want to achieve continuous compliance at the lowest possible cost, GoComply project is here to help. With GoComply, You will rely on open source tooling and your data will be stored in standardized formats and thus you will have a enough head room and knee room to achieve your organizational goals.
Metaschema
This blog post is about meta markup modeling language developed by NIST called Metaschema. This topic is fairly esoteric so my dear readers are advised to close this window and take a short stroll instead.
The Metaschema language is designed and primarily used to develop OSCAL language. Metaschema language is not dissimilar to XSD, it describes elements, its attributes and cardinalities. When compared to XSD, Metaschema is bit more focused on the process of modeling the new language and it allows to model not only XML, but also JSON and YAML or all at once. Metaschema can then generate XSDs, JSON schemas, Markdown documentation, XSL converters and more.
Original NIST Metaschema project is still under active development and it is tightly couple with development of OSCAL (the language)
GoComply/Metaschema
GoComply/metaschema is community driven add-on on top of the NIST’s metaschema. This add-on parses any metaschema content (describing a given language) and produces valid Go models and parsers (for a given language). GoComply/metaschema implements the parser of the original NIST Metaschema language as well as templates to produce valid Go code.
GoComply/Metaschema is sister project to GoComply/xsd2go. Both projects generate go code, the former parses metaschema, while the latter parses XSDs to generate go code.
Example Usage
Let’s now get our hands dirty and let’s take a look on how all the following project integrate
and generate good part of the gocomply/oscalkit project.
We will start by opening gocomply container that contains all the tools we need.
$ podman run -it quay.io/gocomply/gocomply
GoComply Tools:
- gocomply_fedramp - Open source tool for processing OSCAL based FedRAMP SSPs
- gocomply_metaschema - Golang implementation of NIST's metaschema modeling language
- gocomply_oscalkit - OSCAL toolkit for basic operations with OSCAL assets
- gocomply_xsd2go - Automatically generate golang xml parser based on XSD
- golie - ROLIE Implementation
- masonry - OpenControl implementation to construct certification documentation
Next, we will need to fetch the latest greatest version of the OSCAL
# git clone --depth 1 https://github.com/usnistgov/OSCAL
Cloning into 'OSCAL'...
remote: Enumerating objects: 581, done.
remote: Counting objects: 100% (581/581), done.
remote: Compressing objects: 100% (423/423), done.
remote: Total 581 (delta 206), reused 326 (delta 130), pack-reused 0
Receiving objects: 100% (581/581), 13.16 MiB | 4.34 MiB/s, done.
Resolving deltas: 100% (206/206), done.
Then, we ask gocomply/metaschema to read the metaschema that fully describes the OSCAL language and generate Go code for parsing it
# gocomply_metaschema generate ./OSCAL/src/metaschema github.com/gocomply/oscalkit types/oscal
Processing oscal_assessment-common_metaschema.xml
Processing oscal_assessment-plan_metaschema.xml
Processing oscal_assessment-results_metaschema.xml
Processing oscal_catalog_metaschema.xml
Processing oscal_component_metaschema.xml
Processing oscal_control-common_metaschema.xml
Processing oscal_implementation-common_metaschema.xml
Processing oscal_metadata_metaschema.xml
Processing oscal_poam_metaschema.xml
Processing oscal_profile_metaschema.xml
Processing oscal_ssp_metaschema.xml
Lastly, we can investigate how the generated go code looks like
# find types/oscal -type f
types/oscal/profile/generated_models.go
types/oscal/profile/generated_multiplexers.go
types/oscal/assessment_plan/generated_models.go
types/oscal/validation_common_root/generated_models.go
types/oscal/validation_common_root/generated_multiplexers.go
types/oscal/nominal_catalog/generated_models.go
types/oscal/catalog/generated_models.go
types/oscal/assessment_common/generated_models.go
types/oscal/assessment_common/generated_multiplexers.go
types/oscal/system_security_plan/generated_models.go
types/oscal/system_security_plan/generated_multiplexers.go
types/oscal/validation_root/generated_models.go
types/oscal/validation_root/generated_multiplexers.go
types/oscal/plan_of_action_and_milestones/generated_models.go
types/oscal/component_definition/generated_models.go
types/oscal/component_definition/generated_multiplexers.go
types/oscal/assessment_results/generated_models.go
types/oscal/assessment_results/generated_multiplexers.go
The process we just went through is repeated periodically at oscalkit upstream and hence any change in the upstream usnistgov/oscal project is soon reflected in the gocomply/oscalkit code base.
Conclusion
Metaschema is efficient way of modeling new markup languages such us OSCAL. GoComply/Metaschema is efficient way to keep track of changes in OSCAL, so our OSCAL implementation is kept up to date.
Exhibit A: Cross references between projects
usnistgov/metaschema
| Input | Output | ||
|---|---|---|---|
| Format: | Metaschema | -> | XSD, JSON Schema, Markdown, XSL converters |
| Example: | OSCAL Source Metaschema | -> | OSCAL Language Schemas & Documentation |
gocomply/metaschema
| Input | Output | ||
|---|---|---|---|
| Format: | Metaschema | -> | Go Models, JSON & XML parsers & marshalers |
| Example: | OSCAL Source Metaschema | -> | GoComply/oscalkit SDK |
gocomply/xsd2go
| Input | Output | ||
|---|---|---|---|
| Format: | XSD | -> | Go Models, XML parsers & marshalers |
| Example: | SCAP XSD schemas | -> | GoComply/scap SDK |