Support for SARIF-based validation results

.gitattributes

@@ -0,0 +1,9 @@
+# To list all file extensions:
+# git ls-files | awk -F . {'print $NF'}|sort -u
+#
+# Set the default behavior, in case people don't have core.autocrlf set.
+* text=auto
+
+# files that are binary
+*.png
+*.jpg

.github/workflows/release.yml

@@ -3,6 +3,18 @@ on:
     tags:
     - "v*"
   workflow_dispatch:
+    inputs:
+      release:
+        description: 'Delpoy release?'
+        type: boolean
+        default: false
+      website:
+        description: 'Deploy website?'
+        type: boolean
+        default: false
+      pages-branch:
+        description: 'Pages branch name'
+        default: nist-pages
 name: Deploy Tagged Release
 jobs:
   deploy-to-nexus:
@@ -38,6 +50,7 @@ jobs:
     # Maven Deploy
     # -------------------------
     - name: Deploy Maven Artifacts
+      if: github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && contains('true', github.event.inputs.release))
       run: |
         mvn -B -e -Pgpg -Prelease -Preporting deploy
         # mvn -Pgpg -Prelease nexus-staging:close -DstagingDescription="closing to release"
@@ -46,6 +59,7 @@ jobs:
         MAVEN_CENTRAL_TOKEN: ${{ secrets.SONATYPE_PASSWORD }}
         MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
     - name: Create release
+      if: github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && contains('true', github.event.inputs.release))
       uses: softprops/action-gh-release@9d7c94cfd0a1f3ed45544c887983e9fa900f0564
       with:
         draft: true
@@ -57,9 +71,14 @@ jobs:
     # Maven Site
     # -------------------------
     - name: Build Website
+      if: github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && contains('true', github.event.inputs.website))
       run: |
         mvn -B -e -Prelease -Preporting install site site:stage
-    - name: Run Website Deploy Script
-      run: |
-        touch target/staging/.nojekyll
-        bash .github/workflows/deploy.sh --push-only -v -m "Deploying website [ci skip]"
+    - name: Website Deploy
+      uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847
+      if: github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && contains('true', github.event.inputs.website))
+      with:
+        personal_token: ${{ secrets.COMMIT_TOKEN }}
+        publish_dir: ./target/staging
+        external_repository: ${{ github.repository }}
+        publish_branch: ${{ (github.event_name == 'workflow_dispatch' && github.event.inputs.pages-branch) || 'nist-pages' }}

cli-processor/src/main/java/gov/nist/secauto/metaschema/cli/processor/AbstractExitStatus.java

@@ -106,10 +106,10 @@ public void generateMessage(boolean showStackTrace) {
 
       if (message != null && !message.isEmpty()) {
         logBuilder.log(message);
-      } else if (throwable != null && showStackTrace) {
+      } else if (showStackTrace && throwable != null) {
         // log the throwable
         logBuilder.log();
-      }
+      } // otherwise there is nothing to log
     }
   }
 

cli-processor/src/main/java/gov/nist/secauto/metaschema/cli/processor/CLIProcessor.java

@@ -66,6 +66,7 @@
 
 import edu.umd.cs.findbugs.annotations.NonNull;
 import edu.umd.cs.findbugs.annotations.Nullable;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 
 public class CLIProcessor {
   private static final Logger LOGGER = LogManager.getLogger(CLIProcessor.class);
@@ -109,12 +110,14 @@ public class CLIProcessor {
       SHOW_STACK_TRACE_OPTION,
       VERSION_OPTION);
 
+  public static final String COMMAND_VERSION = "http://csrc.nist.gov/ns/metaschema-java/cli/command-version";
+
   @NonNull
   private final List<ICommand> commands = new LinkedList<>();
   @NonNull
   private final String exec;
   @NonNull
-  private final List<IVersionInfo> versionInfos;
+  private final Map<String, IVersionInfo> versionInfos;
 
   public static void main(String... args) {
     System.setProperty("java.util.logging.manager", "org.apache.logging.log4j.jul.LogManager");
@@ -129,10 +132,10 @@ public static void main(String... args) {
 
   @SuppressWarnings("null")
   public CLIProcessor(@NonNull String exec) {
-    this(exec, List.of());
+    this(exec, Map.of());
   }
 
-  public CLIProcessor(@NonNull String exec, @NonNull List<IVersionInfo> versionInfos) {
+  public CLIProcessor(@NonNull String exec, @NonNull Map<String, IVersionInfo> versionInfos) {
     this.exec = exec;
     this.versionInfos = versionInfos;
     AnsiConsole.systemInstall();
@@ -154,7 +157,7 @@ public String getExec() {
    * @return the versionInfo
    */
   @NonNull
-  public List<IVersionInfo> getVersionInfos() {
+  public Map<String, IVersionInfo> getVersionInfos() {
     return versionInfos;
   }
 
@@ -195,7 +198,7 @@ private ExitStatus parseCommand(String... args) {
     return status;
   }
 
-  protected List<ICommand> getTopLevelCommands() {
+  protected final List<ICommand> getTopLevelCommands() {
     List<ICommand> retval = Collections.unmodifiableList(commands);
     assert retval != null;
     return retval;
@@ -206,7 +209,6 @@ private static void handleNoColor() {
     AnsiConsole.systemUninstall();
   }
 
-  @SuppressWarnings("resource")
   public static void handleQuiet() {
     LoggerContext ctx = (LoggerContext) LogManager.getContext(false); // NOPMD not closable here
     Configuration config = ctx.getConfiguration();
@@ -220,7 +222,7 @@ public static void handleQuiet() {
 
   protected void showVersion() {
     @SuppressWarnings("resource") PrintStream out = AnsiConsole.out(); // NOPMD - not owner
-    getVersionInfos().stream().forEach((info) -> {
+    getVersionInfos().values().stream().forEach(info -> {
       out.println(ansi()
           .bold().a(info.getName()).boldOff()
           .a(" ")
@@ -253,6 +255,7 @@ public class CallingContext {
     @NonNull
     private final List<String> extraArgs;
 
+    @SuppressFBWarnings(value = "CT_CONSTRUCTOR_THROW", justification = "Use of final fields")
     public CallingContext(@NonNull List<String> args) {
       Map<String, ICommand> topLevelCommandMap = getTopLevelCommands().stream()
           .collect(Collectors.toUnmodifiableMap(ICommand::getName, Function.identity()));
@@ -263,35 +266,31 @@ public CallingContext(@NonNull List<String> args) {
 
       boolean endArgs = false;
       for (String arg : args) {
-        if (endArgs) {
+        if (endArgs || arg.startsWith("-")) {
           extraArgs.add(arg);
+        } else if ("--".equals(arg)) {
+          endArgs = true;
         } else {
-          if (arg.startsWith("-")) {
+          ICommand command;
+          if (calledCommands.isEmpty()) {
+            command = topLevelCommandMap.get(arg);
+          } else {
+            command = calledCommands.getLast();
+            command = command.getSubCommandByName(arg);
+          }
+
+          if (command == null) {
             extraArgs.add(arg);
-          } else if ("--".equals(arg)) {
             endArgs = true;
           } else {
-            ICommand command;
-            if (calledCommands.isEmpty()) {
-              command = topLevelCommandMap.get(arg);
-            } else {
-              command = calledCommands.getLast();
-              command = command.getSubCommandByName(arg);
-            }
-
-            if (command == null) {
-              extraArgs.add(arg);
-              endArgs = true;
-            } else {
-              calledCommands.add(command);
-            }
+            calledCommands.add(command);
           }
         }
       }
 
       if (LOGGER.isDebugEnabled()) {
         String commandChain = calledCommands.stream()
-            .map(command -> command.getName())
+            .map(ICommand::getName)
             .collect(Collectors.joining(" -> "));
         LOGGER.debug("Processing command chain: {}", commandChain);
       }
@@ -311,6 +310,11 @@ public CallingContext(@NonNull List<String> args) {
       this.extraArgs = extraArgs;
     }
 
+    @NonNull
+    public CLIProcessor getCLIProcessor() {
+      return CLIProcessor.this;
+    }
+
     @Nullable
     public ICommand getTargetCommand() {
       return calledCommands.peekLast();
@@ -546,7 +550,7 @@ protected String buildHelpCliSyntax() {
 
       // output required options
       getOptionsList().stream()
-          .filter(option -> option.isRequired())
+          .filter(Option::isRequired)
           .forEach(option -> {
             builder
                 .append(' ')

cli-processor/src/main/java/gov/nist/secauto/metaschema/cli/processor/command/AbstractParentCommand.java

@@ -51,7 +51,7 @@ protected AbstractParentCommand(boolean subCommandRequired) {
     this.subCommandRequired = subCommandRequired;
   }
 
-  protected void addCommandHandler(ICommand handler) {
+  protected final void addCommandHandler(ICommand handler) {
     String commandName = handler.getName();
     this.commandToSubcommandHandlerMap.put(commandName, handler);
   }
@@ -87,7 +87,7 @@ protected ExitStatus executeCommand(
       status = ExitCode.INVALID_COMMAND
           .exitMessage("Please use one of the following sub-commands: " +
               getSubCommands().stream()
-                  .map(command -> command.getName())
+                  .map(ICommand::getName)
                   .collect(Collectors.joining(", ")));
     } else {
       status = ExitCode.OK.exit();

cli-processor/src/main/java/gov/nist/secauto/metaschema/cli/processor/command/DefaultExtraArgument.java

@@ -26,15 +26,19 @@
 
 package gov.nist.secauto.metaschema.cli.processor.command;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
+
 public class DefaultExtraArgument implements ExtraArgument {
   private final String name;
   private final boolean required;
   private final int number;
 
+  @SuppressFBWarnings(value = "CT_CONSTRUCTOR_THROW", justification = "Use of final fields")
   public DefaultExtraArgument(String name, boolean required) {
     this(name, required, 1);
   }
 
+  @SuppressFBWarnings(value = "CT_CONSTRUCTOR_THROW", justification = "Use of final fields")
   public DefaultExtraArgument(String name, boolean required, int number) {
     if (number < 1) {
       throw new IllegalArgumentException("number must be a positive value");

cli-processor/src/main/resources/log4j2.xml

@@ -2,11 +2,11 @@
 <!DOCTYPE Configuration>
 <Configuration verbose="true">
 	<Appenders>
-		<Console name="console-trace" target="SYSTEM_ERR" immediateFlush="true">
+		<Console name="console-trace" target="SYSTEM_OUT" immediateFlush="true">
 			<PatternLayout pattern="%d{yyyy-MM-dd HH:mm:ss} %-5p %c{1}:%L - %m%n" charset="UTF-8" />
 			<ThresholdFilter level="INFO" onMatch="DENY" onMismatch="ACCEPT" />
 		</Console>
-		<Console name="console-info" target="SYSTEM_ERR" immediateFlush="true">
+		<Console name="console-info" target="SYSTEM_OUT" immediateFlush="true">
 			<PatternLayout pattern="%m%n" charset="UTF-8" />
 			<Filters>
 				<ThresholdFilter level="ERROR" onMatch="DENY" onMismatch="ACCEPT" />

core/pom.xml

@@ -169,9 +169,10 @@
                     <artifactId>jacoco-maven-plugin</artifactId>
                     <configuration>
                         <excludes>
-                            <exclude>
-                                gov/nist/secauto/metaschema/core/model/xml/xmlbeans/**/*</exclude>
+							<!-- filter generated code -->
+                            <exclude>gov/nist/secauto/metaschema/core/model/xml/xmlbeans/**/*</exclude>
                             <exclude>org/apache/xmlbeans/**/*</exclude>
+                            <exclude>gov/nist/secauto/metaschema/core/metapath/antlr/*</exclude>
                         </excludes>
                     </configuration>
                 </plugin>

core/src/main/antlr4/Metapath10.g4

@@ -4,16 +4,13 @@ parser grammar Metapath10;
 
 options { tokenVocab=Metapath10Lexer; superClass=Metapath10ParserBase; }
 
-// Metapath extensions
-metapath : expr EOF ;
-
 // [1]
-// xpath : expr EOF ;
+metapath : expr EOF ;
 // paramlist : param ( COMMA param)* ;
 // param : DOLLAR eqname typedeclaration? ;
 // functionbody : enclosedexpr ;
 // [5]
-// enclosedexpr : OC expr? CC ;
+enclosedexpr : OC expr? CC ;
 expr : exprsingle ( COMMA exprsingle)* ;
 exprsingle : forexpr | letexpr | quantifiedexpr  | ifexpr | orexpr ;
 forexpr : simpleforclause KW_RETURN exprsingle ;
@@ -57,14 +54,11 @@ relativepathexpr : stepexpr (( SLASH | SS) stepexpr)* ;
 stepexpr : postfixexpr | axisstep ;
 axisstep : (reversestep | forwardstep) predicatelist ;
 // [40]
-// forwardstep : forwardaxis nodetest | abbrevforwardstep ;
-forwardstep : forwardaxis nametest | abbrevforwardstep ;
+forwardstep : forwardaxis nodetest | abbrevforwardstep ;
 // forwardaxis : KW_CHILD COLONCOLON | KW_DESCENDANT COLONCOLON | KW_ATTRIBUTE COLONCOLON | KW_SELF COLONCOLON | KW_DESCENDANT_OR_SELF COLONCOLON | KW_FOLLOWING_SIBLING COLONCOLON | KW_FOLLOWING COLONCOLON | KW_NAMESPACE COLONCOLON ;
 forwardaxis : KW_CHILD COLONCOLON | KW_DESCENDANT COLONCOLON | KW_SELF COLONCOLON | KW_DESCENDANT_OR_SELF COLONCOLON ;
-// abbrevforwardstep : AT? nodetest ;
-abbrevforwardstep : AT? nametest ;
-// reversestep : reverseaxis nodetest | abbrevreversestep ;
-reversestep : reverseaxis nametest | abbrevreversestep ;
+abbrevforwardstep : AT? nodetest ;
+reversestep : reverseaxis nodetest | abbrevreversestep ;
 // reverseaxis : KW_PARENT COLONCOLON | KW_ANCESTOR COLONCOLON | KW_PRECEDING_SIBLING COLONCOLON | KW_PRECEDING COLONCOLON | KW_ANCESTOR_OR_SELF COLONCOLON ;
 reverseaxis : KW_PARENT COLONCOLON | KW_ANCESTOR COLONCOLON | KW_ANCESTOR_OR_SELF COLONCOLON ;
 // [45]
@@ -73,19 +67,18 @@ abbrevreversestep : DD ;
 nodetest : nametest ;
 nametest : eqname | wildcard ;
 wildcard : STAR | NCName CS | SC NCName | BracedURILiteral STAR ;
-// postfixexpr : primaryexpr (predicate | argumentlist | lookup)* ;
-postfixexpr : primaryexpr (predicate)* ;
+postfixexpr : primaryexpr (predicate | argumentlist | lookup)* ;
 // [50]
 argumentlist : OP (argument ( COMMA argument)*)? CP ;
 predicatelist : predicate* ;
 predicate : OB expr CB ;
-// lookup : QM keyspecifier ;
-// keyspecifier : NCName | IntegerLiteral | parenthesizedexpr | STAR ;
+lookup : QM keyspecifier ;
+keyspecifier : NCName | IntegerLiteral | parenthesizedexpr | STAR ;
 // [55]
 //arrowfunctionspecifier : eqname | varref | parenthesizedexpr ;
 arrowfunctionspecifier : eqname;
 // primaryexpr : literal | varref | parenthesizedexpr | contextitemexpr | functioncall | functionitemexpr | mapconstructor | arrayconstructor | unarylookup ;
-primaryexpr : literal | varref | parenthesizedexpr | contextitemexpr | functioncall ;
+primaryexpr : literal | varref | parenthesizedexpr | contextitemexpr | functioncall | mapconstructor | arrayconstructor | unarylookup;
 literal : numericliteral | StringLiteral ;
 numericliteral : IntegerLiteral | DecimalLiteral | DoubleLiteral ;
 varref : DOLLAR varname ;
@@ -101,16 +94,16 @@ argument : exprsingle ;
 // functionitemexpr : namedfunctionref | inlinefunctionexpr ;
 // namedfunctionref : eqname POUND IntegerLiteral /* xgc: reserved-function-names */;
 // inlinefunctionexpr : KW_FUNCTION OP paramlist? CP ( KW_AS sequencetype)? functionbody ;
-// mapconstructor : KW_MAP OC (mapconstructorentry ( COMMA mapconstructorentry)*)? CC ;
+mapconstructor : KW_MAP OC (mapconstructorentry ( COMMA mapconstructorentry)*)? CC ;
 // [70]
-// mapconstructorentry : mapkeyexpr COLON mapvalueexpr ;
-// mapkeyexpr : exprsingle ;
-// mapvalueexpr : exprsingle ;
-// arrayconstructor : squarearrayconstructor | curlyarrayconstructor ;
-// squarearrayconstructor : OB (exprsingle ( COMMA exprsingle)*)? CB ;
+mapconstructorentry : mapkeyexpr COLON mapvalueexpr ;
+mapkeyexpr : exprsingle ;
+mapvalueexpr : exprsingle ;
+arrayconstructor : squarearrayconstructor | curlyarrayconstructor ;
+squarearrayconstructor : OB (exprsingle ( COMMA exprsingle)*)? CB ;
 // [75]
-// curlyarrayconstructor : KW_ARRAY enclosedexpr ;
-// unarylookup : QM keyspecifier ;
+curlyarrayconstructor : KW_ARRAY enclosedexpr ;
+unarylookup : QM keyspecifier ;
 // singletype : simpletypename QM? ;
 // typedeclaration : KW_AS sequencetype ;
 // sequencetype : KW_EMPTY_SEQUENCE OP CP | itemtype occurrenceindicator? ;
@@ -156,7 +149,7 @@ argument : exprsingle ;
 
 
 // Error in the spec. EQName also includes acceptable keywords.
-eqname : QName | URIQualifiedName
+eqname : NCName | QName | URIQualifiedName
  | KW_ANCESTOR
  | KW_ANCESTOR_OR_SELF
  | KW_AND