SAR: Identified Vulnerabilities - 4.7.1, 4.7.2

[markXLIX]

Extended Description As an ASAP Developer, in order to reduce time FedRAMP reviewers require to ensure all risk-metric fields are properly identified, I want to check the Discovery Scans and Identified Vulnerabilities of an OSCAL SAR.

Preconditions Ensure that Issue 662 is complete and correct. It is possible only minor tweaks are required to complete these sections.

Acceptance Criteria

• [ ] All Schematron assertion messages are declarative statements which affirm the positive test outcome.
• [ ] All Schematron assertion diagnostic messages are declarative statements which explain the negative test outcome.
• [ ] The Schematron code has no assertion failures when validated using src/validations/styleguides/sch.sch using the basic phase.
• [ ] XSpec unit tests for positive and negative Schematron assertion outcomes accompany all Schematron assertions (where feasible).
• [ ] ADD CRITERIA AFTER REVIEW OF PRECONDITION

Definition of Done

• [ ] Acceptance criteria met
• [ ] Unit test coverage of our code > 95%
• [ ] Automated code quality checks passed
• [ ] Security reviewed and reported
• [ ] Reviewed against plain language guidelines
• [ ] Code must be self-documenting
• [ ] No local tech debt
• [ ] Load/performance tests passed – needs to be created/automated
• [ ] Documentation updated
• [ ] Architectural Decision Record completed as necessary for significant design choices
• [ ] PR reviewed & approved
• [ ] Source code merged