SaxonJS OSCAL applications
OSCAL is the Open Security Controls Assessment Language.
For examples of XML documents designed to showcase functionalities of the OSCAL applications, download and unzip the file oscal-examples.zip
Current applications:
- Baseline matrix - paints your OSCAL profile’s coverage of 800-53 control families, following look/feel of the official NIST publication (SP800-53B).
- Import examiner - validates your OSCAL profile’s imports against known public baselines
- Baseline Reviewer - presents controls from the SP 800-53 catalog, marked for selection by an OSCAL profile (selected or loaded by the user)
- Catalog Validator - tag validation of OSCAL catalog contents, emulating schema validation
- (experimental!) XML to JSON and JSON to XML OSCAL catalog converters (demonstrations / PoC of this conversion in a browser)
Further applications (tbd):
- “Control landscape” Catalog mapper - use D3 (bubbles) also CSS to present summary/snapshot views
- Unresolved profile analytical display
- rendered view of unresolved profile
- shows selections, modifications, remarks
- errors for broken links etc.
- profile resolution (display)
- XML - JSON conversion
- wrap fn:transform() dynamically per document type?
- Preview
- spreadsheet to OSCAL profile converter
- reads (zip) and permits mappings from grid into values?
- or, reads an exported file
Security posture of SaxonJS applications:
- No client data is moved off the client system or uploaded (anywhere)
- No cookies are placed on the system; state is maintained only for the runtime
- Runtime code is all downloaded and (once cached) can be run off line
- Distributed from a plain generic web server delivering HTML, XML, Javascript and JSON (SEF)
- Code is auditable
- SEF is machine-generated JSON produced by ‘compiling’ XSLT
- Original XSLT sources are also public
- Executed transformations originate as W3C-compliant XSLT
- in principle, this makes all these capabilities also portable to other XSLT processors
- also, open source and declarative
- Architecture is documented:
- Browser parses HTML file that loads resources
- SaxonJS
- SEF (templates)
- catalog(s) from server
- Initial transformation over base catalog is rendered with UI
- The user loads a file from the system into the browser
- Page is refreshed with rendered outputs from processing this input through template set for viewer to inspect
- Nothing is saved (a user would have to take a screenshot or scrape contents)