Design Method and Example for Applicable Profile Resolution Requirements as OSCAL Constraints

[aj-stein-nist]

User Story

As an OSCAL tools developer, in order to clearly understand how to define profile elements in a coherent way that effectively and correctly is executed by a specification-conformant profile resolution tool, I want OSCAL constraints that will give me informational, warning, and error information when a profile uses bad syntax or resolution patterns that are problematic.

Goals

This idea was surfaced in a model review meeting when reviewing one item in the PR around this as part of usnistgov/OSCAL#1066. It is not clear if this completely viable and desirable (pending prioritization).

The goals of this spike:

• [ ] Determine what are the key profile resolution requirements that would be high value as OSCAL constraints
• [ ] Implement these MVP requirements in OSCAL constraints in the profile model, mapping ids of constraints back to profile resolution requirement ID

Dependencies

N/A at this time.

Acceptance Criteria

• [ ] All OSCAL website and readme documentation affected by the changes in this issue have been updated. Changes to the OSCAL website can be made in the docs/content directory of your branch.
• [ ] A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.
• [ ] The CI-CD build process runs without any reported errors on the PR. This can be confirmed by reviewing that all checks have passed in the PR.

[wendellpiez]

Some ideas towards this are implicit in my profile import examiner application. It tests some of the constraints on profiles, specifically referential integrity (on the assumption of particular catalog or profile imports).