- Refactored package names to better organize binding related code and to distinguish provided model bindings.

- Added support for capturing parsed location information in bound objects. This will be useful for producing context for validation results.
- Fixed bugs causing the ordering of generated classes to be chaotic. Also fixed bugs causing binding configurations to match based on minor URI differences caused by inconsistent behavior between file and path URI productions.
- Updated Metaschema module binding to incorporate latest module changes.
- Added support for exposing parse locations in validation results.
- Added support for producing Static Analysis Results Interchange Format (SARIF) results based on schema and constraint validation results.
  - Added SARIF CLI output option to validate command.
  - Added support for including rules and artifact information in SARIF results. SARIF files now work on commonly available viewers.
  - Added constraint formal-name and description to SARIF output, allowing human readers to better understand why the result was produced.
  - Added a GUID to SARIF output for each rule.
- Adjusted constraint result production to allow for pass results to be produced, which supports producing SARIF result that include both pass and fail statuses using an API-level configuration.
- Added methods to handle making URIs relative to another URI.
- Ensured proper handling of Metapath errors during validation. Resolves usnistgov/oscal-cli#292
- Fixed compile and PMD warnings.
- Added some Javadocs.

Author: david-waltermire

cli-processor/src/main/java/gov/nist/secauto/metaschema/cli/processor/AbstractExitStatus.java

@@ -106,10 +106,10 @@ public void generateMessage(boolean showStackTrace) {
 
       if (message != null && !message.isEmpty()) {
         logBuilder.log(message);
-      } else if (throwable != null && showStackTrace) {
+      } else if (showStackTrace && throwable != null) {
         // log the throwable
         logBuilder.log();
-      }
+      } // otherwise there is nothing to log
     }
   }
 

cli-processor/src/main/java/gov/nist/secauto/metaschema/cli/processor/CLIProcessor.java

@@ -110,12 +110,14 @@ public class CLIProcessor {
       SHOW_STACK_TRACE_OPTION,
       VERSION_OPTION);
 
+  public static final String COMMAND_VERSION = "http://csrc.nist.gov/ns/metaschema-java/cli/command-version";
+
   @NonNull
   private final List<ICommand> commands = new LinkedList<>();
   @NonNull
   private final String exec;
   @NonNull
-  private final List<IVersionInfo> versionInfos;
+  private final Map<String, IVersionInfo> versionInfos;
 
   public static void main(String... args) {
     System.setProperty("java.util.logging.manager", "org.apache.logging.log4j.jul.LogManager");
@@ -130,10 +132,10 @@ public static void main(String... args) {
 
   @SuppressWarnings("null")
   public CLIProcessor(@NonNull String exec) {
-    this(exec, List.of());
+    this(exec, Map.of());
   }
 
-  public CLIProcessor(@NonNull String exec, @NonNull List<IVersionInfo> versionInfos) {
+  public CLIProcessor(@NonNull String exec, @NonNull Map<String, IVersionInfo> versionInfos) {
     this.exec = exec;
     this.versionInfos = versionInfos;
     AnsiConsole.systemInstall();
@@ -155,7 +157,7 @@ public String getExec() {
    * @return the versionInfo
    */
   @NonNull
-  public List<IVersionInfo> getVersionInfos() {
+  public Map<String, IVersionInfo> getVersionInfos() {
     return versionInfos;
   }
 
@@ -207,7 +209,6 @@ private static void handleNoColor() {
     AnsiConsole.systemUninstall();
   }
 
-  @SuppressWarnings("resource")
   public static void handleQuiet() {
     LoggerContext ctx = (LoggerContext) LogManager.getContext(false); // NOPMD not closable here
     Configuration config = ctx.getConfiguration();
@@ -221,7 +222,7 @@ public static void handleQuiet() {
 
   protected void showVersion() {
     @SuppressWarnings("resource") PrintStream out = AnsiConsole.out(); // NOPMD - not owner
-    getVersionInfos().stream().forEach(info -> {
+    getVersionInfos().values().stream().forEach(info -> {
       out.println(ansi()
           .bold().a(info.getName()).boldOff()
           .a(" ")
@@ -309,6 +310,11 @@ public CallingContext(@NonNull List<String> args) {
       this.extraArgs = extraArgs;
     }
 
+    @NonNull
+    public CLIProcessor getCLIProcessor() {
+      return CLIProcessor.this;
+    }
+
     @Nullable
     public ICommand getTargetCommand() {
       return calledCommands.peekLast();

core/metaschema

@@ -130,7 +130,7 @@ private static Stream<Class<? extends IItem>> getItemInterfaces(@NonNull Class<?
 
     Class<?>[] interfaces = clazz.getInterfaces();
     if (interfaces.length > 0) {
-      retval = Stream.concat(retval, Arrays.stream(interfaces).flatMap(intf -> getItemInterfaces(intf)));
+      retval = Stream.concat(retval, Arrays.stream(interfaces).flatMap(TypeSystem::getItemInterfaces));
     }
 
     return retval;

core/src/main/java/gov/nist/secauto/metaschema/core/metapath/item/TypeSystem.java

@@ -30,8 +30,6 @@
 import gov.nist.secauto.metaschema.core.model.IFlagDefinition;
 import gov.nist.secauto.metaschema.core.model.IFlagInstance;
 
-import java.net.URI;
-
 import edu.umd.cs.findbugs.annotations.NonNull;
 
 /**
@@ -72,11 +70,6 @@ public IFlagInstance getInstance() {
     return parent;
   }
 
-  @Override
-  public URI getBaseUri() {
-    return getDefinition().getContainingModule().getLocation();
-  }
-
   @Override
   public String toString() {
     StringBuilder builder = new StringBuilder()

core/src/main/java/gov/nist/secauto/metaschema/core/metapath/item/node/AbstractFlagInstanceNodeItem.java

@@ -27,6 +27,7 @@
 package gov.nist.secauto.metaschema.core.metapath.item.node;
 
 import gov.nist.secauto.metaschema.core.model.IAssemblyDefinition;
+import gov.nist.secauto.metaschema.core.model.IResourceLocation;
 import gov.nist.secauto.metaschema.core.util.ObjectUtils;
 
 import java.net.URI;
@@ -80,4 +81,9 @@ public ModelContainer getModel() {
   public Object getValue() {
     return getRootAssemblyNodeItem().getValue();
   }
+
+  @Override
+  public IResourceLocation getLocation() {
+    return getRootAssemblyNodeItem().getLocation();
+  }
 }

core/src/main/java/gov/nist/secauto/metaschema/core/metapath/item/node/DocumentNodeItemImpl.java

@@ -28,13 +28,15 @@
 
 import gov.nist.secauto.metaschema.core.model.IDefinition;
 import gov.nist.secauto.metaschema.core.model.INamedInstance;
+import gov.nist.secauto.metaschema.core.model.IResourceLocation;
 import gov.nist.secauto.metaschema.core.util.ObjectUtils;
 
 import java.net.URI;
 
 import javax.xml.namespace.QName;
 
 import edu.umd.cs.findbugs.annotations.NonNull;
+import edu.umd.cs.findbugs.annotations.Nullable;
 
 public interface IDefinitionNodeItem<D extends IDefinition, I extends INamedInstance> extends INodeItem {
   /**
@@ -69,4 +71,11 @@ default URI getNamespace() {
    * @return the instance of the segment, or {@code null} if it doesn't have one
    */
   I getInstance();
+
+  @Override
+  @Nullable
+  default IResourceLocation getLocation() {
+    Object value = getValue();
+    return value == null ? null : getDefinition().getLocation(value);
+  }
 }

core/src/main/java/gov/nist/secauto/metaschema/core/metapath/item/node/IDefinitionNodeItem.java

@@ -29,6 +29,7 @@
 import gov.nist.secauto.metaschema.core.metapath.format.IPathFormatter;
 import gov.nist.secauto.metaschema.core.metapath.format.IPathSegment;
 import gov.nist.secauto.metaschema.core.metapath.item.IItem;
+import gov.nist.secauto.metaschema.core.model.IResourceLocation;
 import gov.nist.secauto.metaschema.core.util.ObjectUtils;
 
 import java.net.URI;
@@ -300,4 +301,7 @@ default Stream<? extends IFlagNodeItem> flags() {
   default Stream<? extends IModelNodeItem<?, ?>> modelItems() {
     return getModelItems().stream().flatMap(Collection::stream);
   }
+
+  @Nullable
+  IResourceLocation getLocation();
 }

core/src/main/java/gov/nist/secauto/metaschema/core/metapath/item/node/INodeItem.java

@@ -27,6 +27,7 @@
 package gov.nist.secauto.metaschema.core.metapath.item.node;
 
 import gov.nist.secauto.metaschema.core.model.IModule;
+import gov.nist.secauto.metaschema.core.model.IResourceLocation;
 import gov.nist.secauto.metaschema.core.util.ObjectUtils;
 
 import java.net.URI;
@@ -65,4 +66,9 @@ public ModelContainer getModel() {
     return model.get();
   }
 
+  @Override
+  public IResourceLocation getLocation() {
+    // no location
+    return null;
+  }
 }

core/src/main/java/gov/nist/secauto/metaschema/core/metapath/item/node/ModuleNodeItemImpl.java

@@ -92,7 +92,8 @@ public T load(@NonNull URI resource) throws MetaschemaException, IOException {
   @Override
   @NonNull
   public T load(@NonNull Path path) throws MetaschemaException, IOException {
-    return loadInternal(ObjectUtils.notNull(path.toAbsolutePath().normalize().toUri()), new LinkedList<>());
+    // use toURL to normalize the URI
+    return load(ObjectUtils.notNull(path.toAbsolutePath().normalize().toUri().toURL()));
   }
 
   /**
@@ -153,7 +154,7 @@ protected T loadInternal(@NonNull URI resource, @NonNull Deque<URI> visitedResou
 
     T retval = cache.get(resource);
     if (retval == null) {
-      LOGGER.info("Loading module '{}'", resource);
+      LOGGER.info("Loading '{}'", resource);
 
       try {
         visitedResources.push(resource);

core/src/main/java/gov/nist/secauto/metaschema/core/model/AbstractLoader.java

@@ -0,0 +1,34 @@
+/*
+ * Portions of this software was developed by employees of the National Institute
+ * of Standards and Technology (NIST), an agency of the Federal Government and is
+ * being made available as a public service. Pursuant to title 17 United States
+ * Code Section 105, works of NIST employees are not subject to copyright
+ * protection in the United States. This software may be subject to foreign
+ * copyright. Permission in the United States and in foreign countries, to the
+ * extent that NIST may hold copyright, to use, copy, modify, create derivative
+ * works, and distribute this software and its documentation without fee is hereby
+ * granted on a non-exclusive basis, provided that this notice and disclaimer
+ * of warranty appears in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED 'AS IS' WITHOUT ANY WARRANTY OF ANY KIND, EITHER
+ * EXPRESSED, IMPLIED, OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTY
+ * THAT THE SOFTWARE WILL CONFORM TO SPECIFICATIONS, ANY IMPLIED WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND FREEDOM FROM
+ * INFRINGEMENT, AND ANY WARRANTY THAT THE DOCUMENTATION WILL CONFORM TO THE
+ * SOFTWARE, OR ANY WARRANTY THAT THE SOFTWARE WILL BE ERROR FREE.  IN NO EVENT
+ * SHALL NIST BE LIABLE FOR ANY DAMAGES, INCLUDING, BUT NOT LIMITED TO, DIRECT,
+ * INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES, ARISING OUT OF, RESULTING FROM,
+ * OR IN ANY WAY CONNECTED WITH THIS SOFTWARE, WHETHER OR NOT BASED UPON WARRANTY,
+ * CONTRACT, TORT, OR OTHERWISE, WHETHER OR NOT INJURY WAS SUSTAINED BY PERSONS OR
+ * PROPERTY OR OTHERWISE, AND WHETHER OR NOT LOSS WAS SUSTAINED FROM, OR AROSE OUT
+ * OF THE RESULTS OF, OR USE OF, THE SOFTWARE OR SERVICES PROVIDED HEREUNDER.
+ */
+
+package gov.nist.secauto.metaschema.core.model;
+
+import edu.umd.cs.findbugs.annotations.Nullable;
+
+public interface IBoundObject {
+  @Nullable
+  IMetaschemaData getMetaschemaData();
+}

core/src/main/java/gov/nist/secauto/metaschema/core/model/IBoundObject.java

@@ -33,6 +33,7 @@
 import javax.xml.namespace.QName;
 
 import edu.umd.cs.findbugs.annotations.NonNull;
+import edu.umd.cs.findbugs.annotations.Nullable;
 
 public interface IDefinition extends INamedModelElement, IAttributable, IFeatureValueConstrained {
 
@@ -107,4 +108,8 @@ default String toCoordinates() {
         hashCode());
   }
 
+  @Nullable
+  default IResourceLocation getLocation(@NonNull Object itemValue) {
+    return itemValue instanceof IBoundObject ? ((IBoundObject) itemValue).getMetaschemaData() : null;
+  }
 }

core/src/main/java/gov/nist/secauto/metaschema/core/model/IDefinition.java

@@ -0,0 +1,31 @@
+/*
+ * Portions of this software was developed by employees of the National Institute
+ * of Standards and Technology (NIST), an agency of the Federal Government and is
+ * being made available as a public service. Pursuant to title 17 United States
+ * Code Section 105, works of NIST employees are not subject to copyright
+ * protection in the United States. This software may be subject to foreign
+ * copyright. Permission in the United States and in foreign countries, to the
+ * extent that NIST may hold copyright, to use, copy, modify, create derivative
+ * works, and distribute this software and its documentation without fee is hereby
+ * granted on a non-exclusive basis, provided that this notice and disclaimer
+ * of warranty appears in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED 'AS IS' WITHOUT ANY WARRANTY OF ANY KIND, EITHER
+ * EXPRESSED, IMPLIED, OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTY
+ * THAT THE SOFTWARE WILL CONFORM TO SPECIFICATIONS, ANY IMPLIED WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND FREEDOM FROM
+ * INFRINGEMENT, AND ANY WARRANTY THAT THE DOCUMENTATION WILL CONFORM TO THE
+ * SOFTWARE, OR ANY WARRANTY THAT THE SOFTWARE WILL BE ERROR FREE.  IN NO EVENT
+ * SHALL NIST BE LIABLE FOR ANY DAMAGES, INCLUDING, BUT NOT LIMITED TO, DIRECT,
+ * INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES, ARISING OUT OF, RESULTING FROM,
+ * OR IN ANY WAY CONNECTED WITH THIS SOFTWARE, WHETHER OR NOT BASED UPON WARRANTY,
+ * CONTRACT, TORT, OR OTHERWISE, WHETHER OR NOT INJURY WAS SUSTAINED BY PERSONS OR
+ * PROPERTY OR OTHERWISE, AND WHETHER OR NOT LOSS WAS SUSTAINED FROM, OR AROSE OUT
+ * OF THE RESULTS OF, OR USE OF, THE SOFTWARE OR SERVICES PROVIDED HEREUNDER.
+ */
+
+package gov.nist.secauto.metaschema.core.model;
+
+public interface IMetaschemaData extends IResourceLocation {
+  // no additional methods
+}

core/src/main/java/gov/nist/secauto/metaschema/core/model/IMetaschemaData.java

@@ -0,0 +1,47 @@
+/*
+ * Portions of this software was developed by employees of the National Institute
+ * of Standards and Technology (NIST), an agency of the Federal Government and is
+ * being made available as a public service. Pursuant to title 17 United States
+ * Code Section 105, works of NIST employees are not subject to copyright
+ * protection in the United States. This software may be subject to foreign
+ * copyright. Permission in the United States and in foreign countries, to the
+ * extent that NIST may hold copyright, to use, copy, modify, create derivative
+ * works, and distribute this software and its documentation without fee is hereby
+ * granted on a non-exclusive basis, provided that this notice and disclaimer
+ * of warranty appears in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED 'AS IS' WITHOUT ANY WARRANTY OF ANY KIND, EITHER
+ * EXPRESSED, IMPLIED, OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTY
+ * THAT THE SOFTWARE WILL CONFORM TO SPECIFICATIONS, ANY IMPLIED WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND FREEDOM FROM
+ * INFRINGEMENT, AND ANY WARRANTY THAT THE DOCUMENTATION WILL CONFORM TO THE
+ * SOFTWARE, OR ANY WARRANTY THAT THE SOFTWARE WILL BE ERROR FREE.  IN NO EVENT
+ * SHALL NIST BE LIABLE FOR ANY DAMAGES, INCLUDING, BUT NOT LIMITED TO, DIRECT,
+ * INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES, ARISING OUT OF, RESULTING FROM,
+ * OR IN ANY WAY CONNECTED WITH THIS SOFTWARE, WHETHER OR NOT BASED UPON WARRANTY,
+ * CONTRACT, TORT, OR OTHERWISE, WHETHER OR NOT INJURY WAS SUSTAINED BY PERSONS OR
+ * PROPERTY OR OTHERWISE, AND WHETHER OR NOT LOSS WAS SUSTAINED FROM, OR AROSE OUT
+ * OF THE RESULTS OF, OR USE OF, THE SOFTWARE OR SERVICES PROVIDED HEREUNDER.
+ */
+
+package gov.nist.secauto.metaschema.core.model;
+
+public interface IResourceLocation {
+  /**
+   * Get the line for a location within a resource.
+   *
+   * @return the line number or {@code -1} if unknown
+   */
+  int getLine();
+
+  /**
+   * Get the line column for a location within a resource.
+   *
+   * @return the column number or {@code -1} if unknown
+   */
+  int getColumn();
+
+  long getCharOffset();
+
+  long getByteOffset();
+}

core/src/main/java/gov/nist/secauto/metaschema/core/model/IResourceLocation.java

@@ -261,14 +261,14 @@ protected String newMatchDatatypeViolationMessage(
    */
   @SuppressWarnings("null")
   @NonNull
-  protected CharSequence newExpectViolationMessage(
+  protected String newExpectViolationMessage(
       @NonNull IExpectConstraint constraint,
       @SuppressWarnings("unused") @NonNull INodeItem node,
       @NonNull INodeItem target,
       @NonNull DynamicContext dynamicContext) {
-    CharSequence message;
+    String message;
     if (constraint.getMessage() != null) {
-      message = constraint.generateMessage(target, dynamicContext);
+      message = constraint.generateMessage(target, dynamicContext).toString();
     } else {
       message = String.format("Expect constraint '%s' did not match the data at path '%s'",
           constraint.getTest(),
@@ -289,7 +289,7 @@ protected CharSequence newExpectViolationMessage(
    */
   @SuppressWarnings("null")
   @NonNull
-  protected CharSequence newAllowedValuesViolationMessage(
+  protected String newAllowedValuesViolationMessage(
       @NonNull List<IAllowedValuesConstraint> constraints,
       @NonNull INodeItem target) {
 
@@ -318,7 +318,7 @@ protected CharSequence newAllowedValuesViolationMessage(
    */
   @SuppressWarnings("null")
   @NonNull
-  protected CharSequence newIndexDuplicateViolationMessage(
+  protected String newIndexDuplicateViolationMessage(
       @NonNull IIndexConstraint constraint,
       @NonNull INodeItem node) {
     return String.format("Duplicate index named '%s' found at path '%s'",
@@ -342,7 +342,7 @@ protected CharSequence newIndexDuplicateViolationMessage(
    */
   @SuppressWarnings("null")
   @NonNull
-  protected CharSequence newIndexMissMessage(
+  protected String newIndexMissMessage(
       @NonNull IIndexHasKeyConstraint constraint,
       @NonNull INodeItem node,
       @NonNull INodeItem target,
@@ -372,7 +372,7 @@ protected CharSequence newIndexMissMessage(
    */
   @SuppressWarnings("null")
   @NonNull
-  protected CharSequence newGenericValidationViolationMessage(
+  protected String newGenericValidationViolationMessage(
       @NonNull IConstraint constraint,
       @NonNull INodeItem node,
       @NonNull INodeItem target,