v3.0.0

✨ Highlights

• Namespace Migration to dev.metaschema (#219) - All Java packages have been migrated from gov.nist.secauto.* to dev.metaschema.* to align with upstream namespace changes. This is a breaking change for anyone extending or embedding the CLI.

• Shell Completion Support (#227) - The CLI now supports generating shell completion scripts for bash and zsh, enabling tab completion for commands and options.

• OCI Container Image (#208) - Official multi-architecture container images are now available, making it easy to run the CLI in containerized environments without local installation.

• Comprehensive Documentation (#228) - Major documentation expansion including installation guides, building from source, CLI reference, and integration guides.

• Upstream Improvements - This release incorporates significant improvements from metaschema-java v3.0.0.M2 and liboscal-java v7.0.0, including enhanced constraint validation, performance improvements, and bug fixes.

⚠️ Breaking Changes

Package Namespace Migration

All Java packages have been migrated to align with upstream changes:

• gov.nist.secauto.metaschema.* → dev.metaschema.*
• gov.nist.secauto.oscal.* → dev.metaschema.oscal.*

Migration: Update all import statements if you are extending or embedding the CLI.

(#219) by @david-waltermire

✨ New Features

• Shell completion - Generate bash/zsh completion scripts with oscal-cli shell-completion (#227) by @david-waltermire
• SARIF findings - Detailed SARIF findings in security scan summaries (#223) by @david-waltermire
• OCI container image - Build and run the CLI in Docker containers (#208) by @aj-stein
• Parallel validation (experimental) - New --threads N option enables concurrent constraint validation on multi-core systems for improved performance on large documents (metaschema-java#560)

🐛 Bug Fixes

From metaschema-java v3.0.0.M2

• Fix isRequired() returning false for choice block properties (metaschema-java#608)
• Make CommandService.getCommands() thread-safe (metaschema-java#632)
• Resolve document cache race condition and add cache configuration (metaschema-java#590)
• Escape ampersands in generated Javadoc formal names (metaschema-java#621)
• Fix YAML/JSON module loading with missing typeAdapter and discriminatorValue (metaschema-java#557)

From liboscal-java v7.0.0

• Support field nodes in has-oscal-namespace function, returning FALSE instead of throwing an exception (liboscal-java#233)
• Make ComponentDefinition and MappingCollection implement IOscalInstance to fix ClassCastException with fragment references (liboscal-java#226)
• Update for OSCAL 1.2.0 model compatibility using ProfileMatching for control selection (liboscal-java#223)

📚 Documentation Improvements

• Expand website documentation with guides and architecture (#228) by @david-waltermire
• Add --no-color usage documentation for legacy consoles (#216) by @david-waltermire

🔧 Build & CI Improvements

• Add reusable build workflow and scheduled nightly build (#221) by @david-waltermire
• Add Claude Code configuration (#224) by @david-waltermire
• Remove Saxon and xmlresolver dependencies (#215) by @david-waltermire
• Update CallingContext import for metaschema-java compatibility (#213) by @david-waltermire
• Update dependencies to latest releases (#207) by @david-waltermire

📦 Dependency Updates

Java Libraries

• org.junit:junit-bom: 6.0.1 → 6.0.2 (#220)

Maven Plugins

• org.sonatype.central:central-publishing-maven-plugin: 0.9.0 → 0.10.0 (#222)
• org.codehaus.mojo:license-maven-plugin: 2.7.0 → 2.7.1 (#218)

GitHub Actions

• github/codeql-action: 4.31.7 → 4.31.9 (#205, #211)
• actions/upload-artifact: 5.0.0 → 6.0.0 (#209)

Core Dependencies

• metaschema-java: 3.0.0.M1 → 3.0.0.M2
• liboscal-java: 6.0.0 → 7.0.0

v2.6.0

Download the OSCAL CLI tool. (GPG Signature)

This major release brings OSCAL 1.2.0 support and upgrades to metaschema-java 3.0.0.M1 and liboscal-java 6.0.0, along with a new --pretty-print option for profile resolution and CI/CD improvements.

✨ Highlights

• OSCAL 1.2.0 Support: Updated to the latest OSCAL model with full compatibility
• New --pretty-print option: Format profile resolution output for XML, JSON, and YAML files
• metaschema-java 3.0.0.M1: Major framework upgrade with improved module loading and exception handling
• liboscal-java 6.0.0: Updated to latest OSCAL library
• Improved CI/CD: Added workflow concurrency control and scheduled nightly builds

⚠️ Breaking Changes

metaschema-java 3.0.0.M1 Migration

This release requires migrating to the new metaschema-java 3.0.0.M1 APIs. See the metaschema-java v3.0.0.M1 release notes for complete details.

Dependency	Previous Version	New Version
metaschema-java	2.2.0	3.0.0.M1
liboscal-java	5.2.1	6.0.0

API Changes

The IBindingContext.registerModule() method signature changed in metaschema-java 3.0.0 to throw a checked MetaschemaException. Error handling has been improved to provide more descriptive error messages and proper exit codes when module registration fails.

✨ New Features

• Add --pretty-print option for profile resolution output (#193) - Originally contributed by Mahesh Kumar Gaddam (@ermahesh) in usnistgov/oscal-cli#295

🔧 Build & CI Improvements

• Added concurrency configuration to cancel in-progress workflow runs on new commits (#206)
• Added scheduled nightly builds at 4:00 AM UTC (#206)
• Removed deprecated --exclude-mail flag from lychee-action (#194)

What's Changed

Features

• Add --pretty-print option for profile resolution output by @david-waltermire in #193

Core Changes

• Update to metaschema-java 3.0.0.M1-SNAPSHOT by @david-waltermire in #204
• Update dependencies to latest releases by @david-waltermire in #207

Build & CI

• Add concurrency and nightly build support to GitHub workflows by @david-waltermire in #206
• Remove deprecated --exclude-mail flag from lychee-action by @david-waltermire in #194

Full Changelog: v2.5.1...v2.6.0

📦 Dependency Updates

Java Libraries

• gov.nist.secauto.metaschema:metaschema-java: 2.2.0 → 3.0.0.M1 (#204, #207)
• gov.nist.secauto.oscal:liboscal-java: 5.2.1 → 6.0.0 (#204, #207)
• commons-io:commons-io: 2.18.0 → 2.21.0 (#195)
• org.json:json: 20250107 → 20250517 (#153)
• org.junit:junit-bom: 5.12.1 → 6.0.1 (#199)
• org.apache.logging.log4j:log4j-bom: 2.24.3 → 2.25.2 (#180)
• org.xmlresolver:xmlresolver: 6.0.14 → 6.0.19 (#203)
• org.fusesource.jansi:jansi: 2.4.1 → 2.4.2
• com.github.erosb:everit-json-schema: 1.14.5 → 1.14.6

Maven Plugins

• org.codehaus.mojo:license-maven-plugin: 2.5.0 → 2.7.0 (#179)
• org.sonatype.central:central-publishing-maven-plugin: updates (#181)
• io.github.git-commit-id:git-commit-id-maven-plugin: updates (#157)
• me.fabriciorby:maven-surefire-junit5-tree-reporter: updates (#202)

GitHub Actions

• actions/checkout: 4.2.2 → 6.0.1 (#168, #197)
• actions/setup-java: 4.7.1 → 5.1.0 (#170, #201)
• actions/upload-artifact: 4.6.2 → 5.0.0 (#196)
• actions/github-script: 7.0.1 → 8.0.0 (#175)
• github/codeql-action: 3.28.17 → 4.31.8 (#191, #200, #205)
• peter-evans/create-issue-from-file: 5.0.1 → 6.0.0 (#198)
• lycheeverse/lychee-action: 2.4.1 → 2.7.0 (#190)

v2.5.1

Download the OSCAL CLI tool. (GPG Signature)

This patch release incorporates the liboscal-java 5.2.0 patch and build environment updates.

What's Changed

• Update workflow runner OS from Ubuntu 20.04 to 24.04 by @aj-stein in #143
• Bumping liboscal-java version from 5.2.0 to 5.2.1 by @david-waltermire in #145
• Bump lycheeverse/lychee-action from 2.4.0 to 2.4.1 by @dependabot in #141
• Bump github/codeql-action from 3.28.13 to 3.28.17 by @dependabot in #140
• Bump actions/setup-java from 4.7.0 to 4.7.1 by @dependabot in #135

New Contributors

• @aj-stein made their first contribution in #143

Full Changelog: v2.5.0...v2.5.1

v2.5.0

Download the OSCAL CLI tool. (GPG Signature)

This minor release incorporates feature improvements and bug fixes from metaschema-framework/metaschema-java v2.2.0 and metaschema-framework/liboscal-java v5.2.0.

The OSCAL version used by this tool is v1.1.3.

New and Noteworthy

• Added support for resolved relative links produced during profile resolution using the --relative-to=URI argument to the resolve command, supported by metaschema-framework/liboscal-java#94, resolving #84 and usnistgov/oscal-cli#78. (#88)
• JUnit tests run during the build are now run using multiple threads. This dramatically speeds up build duration. (#119)
• Use of extra constraints that support cross checking controls directly referenced in a profile exist in the referenced catalog. Reports non-existence as a validation error. This addresses usnistgov/oscal-cli#126, supported by metaschema-framework/liboscal-java#133.
• Adjusted profile resolution reference warnings to be logged at debug instead of warning. This will reduce a ton of noise in the CLI output. This addresses usnistgov/oscal-cli#270, supported by metaschema-framework/liboscal-java#133.

Important Bug Fixes

• Ensured that controls defined at the catalog level are not duplicated during profile resolution. This fixes a bug (#60) caused during the import handling phase of profile resolution, which was "promoting" controls defined at the catalog level, causing a second copy of the control to be added. This was fixed by making controls at the catalog level always eligible for selection. Supported by metaschema-framework/liboscal-java#92.
• Added missing functionality for the DEBUG constraint level adderessing bug #92, based on metaschema-framework/metaschema-java#307.

What's Changed

• Bump github/codeql-action from 3.27.5 to 3.27.7 by @dependabot in #89
• oscal-cli resolve --relative-to=URI by @david-waltermire in #88
• Bump lycheeverse/lychee-action from 2.1.0 to 2.2.0 by @dependabot in #97
• Bump actions/setup-java from 4.5.0 to 4.6.0 by @dependabot in #96
• Bump actions/upload-artifact from 4.4.3 to 4.5.0 by @dependabot in #95
• Bump org.apache.xmlbeans:xmlbeans from 5.2.2 to 5.3.0 by @dependabot in #94
• Bump org.junit:junit-bom from 5.11.3 to 5.11.4 by @dependabot in #93
• Bump org.apache.logging.log4j:log4j-bom from 2.24.2 to 2.24.3 by @dependabot in #91
• Bump org.json:json from 20240303 to 20241224 by @dependabot in #99
• Bump github/codeql-action from 3.27.7 to 3.28.0 by @dependabot in #98
• Bump org.codehaus.mojo:license-maven-plugin from 2.4.0 to 2.5.0 by @dependabot in #86
• Feature/build tuneup by @david-waltermire in #119
• Bump actions/upload-artifact from 4.5.0 to 4.6.2 by @dependabot in #126
• Bump actions/setup-java from 4.6.0 to 4.7.0 by @dependabot in #110
• Bump lycheeverse/lychee-action from 2.2.0 to 2.3.0 by @dependabot in #113
• Bump github/codeql-action from 3.28.0 to 3.28.13 by @dependabot in #127
• Bump org.sonatype.central:central-publishing-maven-plugin from 0.6.0 to 0.7.0 by @dependabot in #102
• Bump org.xmlresolver:xmlresolver from 6.0.12 to 6.0.14 by @dependabot in #123
• Bump org.junit:junit-bom from 5.12.0 to 5.12.1 by @dependabot in #124
• Update README.md by @david-waltermire in #130
• Bump lycheeverse/lychee-action from 2.3.0 to 2.4.0 by @dependabot in #131
• Tune-up CLI unit tests by @david-waltermire in #132

Full Changelog: v2.4.0...v2.5.0

v2.4.0

Download the OSCAL CLI tool. (GPG Signature)

This minor release incorporates feature improvements and bug fixes from metaschema-java.

The OSCAL version used by this tool has been updated to v1.1.3.

What's Changed

• Code cleanup by @david-waltermire in #82
• Bump org.sonatype.central:central-publishing-maven-plugin from 0.5.0 to 0.6.0 by @dependabot in #74
• Bump commons-io:commons-io from 2.17.0 to 2.18.0 by @dependabot in #78
• Bump github/codeql-action from 3.27.1 to 3.27.5 by @dependabot in #79
• Bump org.apache.logging.log4j:log4j-bom from 2.24.1 to 2.24.2 by @dependabot in #81

Full Changelog: v2.3.1...v2.4.0

v2.3.1

Download the OSCAL CLI tool. (GPG Signature)

This patch release incorporates bug fixes from metaschema-java.

What's Changed

• Add unit tests for a bug causing error messages to be silently dropped by @david-waltermire in #69

Full Changelog: v2.3.0...v2.3.1

v2.3.0

Download the OSCAL CLI tool. (GPG Signature)

This minor release integrates changes from metaschema-framework/metaschema-java v2.0.0. A major release was chosen here since this release only adds functionality to and fixes bugs in the CLI.

This release fixes #67 based on metaschema-java changes. See metaschema-framework/metaschema-java#232.

What's Changed

• Bump org.xmlresolver:xmlresolver from 6.0.10 to 6.0.11 by @dependabot in #66
• Bump actions/setup-java from 4.4.0 to 4.5.0 by @dependabot in #65
• Bump actions/checkout from 4.2.1 to 4.2.2 by @dependabot in #64
• Bump github/codeql-action from 3.26.12 to 3.27.0 by @dependabot in #62
• Bump org.junit:junit-bom from 5.11.1 to 5.11.3 by @dependabot in #61
• Bump lycheeverse/lychee-action from 1.10.0 to 2.0.2 by @dependabot in #59
• Bump actions/upload-artifact from 4.4.2 to 4.4.3 by @dependabot in #56
• Update to metaschema-java 2.0.0 by @david-waltermire in #68

Full Changelog: v2.2.0...v2.3.0

v2.2.0

Download the OSCAL CLI tool. (GPG Signature)

Changelog

• Features, bug fixes, and dependency updates from metaschema-java v1.2.0.
• Documentation changes and dependency updates from liboscal-java v4.2.0.

What's Changed

• Update .lycheeignore by @david-waltermire in #47
• Bump commons-io:commons-io from 2.16.1 to 2.17.0 by @dependabot in #36
• Bump actions/setup-java from 4.3.0 to 4.4.0 by @dependabot in #42
• Bump peter-evans/create-issue-from-file from 5.0.0 to 5.0.1 by @dependabot in #43
• Bump actions/checkout from 4.1.7 to 4.2.0 by @dependabot in #44
• Bump github/codeql-action from 3.26.7 to 3.26.10 by @dependabot in #46
• Bump org.xmlresolver:xmlresolver from 6.0.9 to 6.0.10 by @dependabot in #39
• Bump github/codeql-action from 3.26.10 to 3.26.11 by @dependabot in #49
• Bump actions/checkout from 4.2.0 to 4.2.1 by @dependabot in #52
• Bump actions/upload-artifact from 4.4.0 to 4.4.1 by @dependabot in #51
• Bump github/codeql-action from 3.26.11 to 3.26.12 by @dependabot in #50
• Bump actions/upload-artifact from 4.4.1 to 4.4.2 by @dependabot in #53
• Bump to v2.2.0 by @david-waltermire in #48

Full Changelog: v2.1.0...v2.2.0

v2.1.0

Download the OSCAL CLI tool. (GPG Signature)

What's new

This minor release adds the oscal-cli list-allowed-values command, which lists all allowed values constraints associated with a given node in the OSCAL model graph.

usage: oscal-cli list-allowed-values [<options>] [<destination-file>]
 -c <URL>                additional constraint definitions
 -h,--help               display this help message
    --no-color           do not colorize output
    --overwrite          overwrite the destination if it exists
 -q,--quiet              minimize output to include only errors
    --show-stack-trace   display the stack trace associated with an error
    --version            display the application version

This release also adds new commands under the oscal-cli metaschema command path, which are provided by metaschema-java.

These include:

• oscal-cli metaschema metapath eval
• oscal-cli metaschema generate-diagram

Additionally, all content validation commands now allow you to disable schema or constraint validation using arguments.

--disable-constraint-validation   do not perform constraint validation
--disable-schema-validation       do not perform schema validation

What's Changed

• Bump org.xmlresolver:xmlresolver from 6.0.8 to 6.0.9 by @dependabot in #14
• Bump github/codeql-action from 3.26.0 to 3.26.3 by @dependabot in #12
• Update .lycheeignore by @david-waltermire in #23
• Bump github/codeql-action from 3.26.3 to 3.26.7 by @dependabot in #28
• Bump actions/setup-java from 4.2.2 to 4.3.0 by @dependabot in #25
• Bump actions/upload-artifact from 4.3.6 to 4.4.0 by @dependabot in #20
• Adjust README instructions with community feedback by @aj-stein-gsa in #21
• Bump dependencies and code cleanup by @david-waltermire in #29
• Add list-allowed-values command by @david-waltermire in #30
• Allowed Values Command Cleanup by @david-waltermire in #31

New Contributors

• @aj-stein-gsa made their first contribution in #21

Full Changelog: v2.0.2...v2.1.0

v2.0.2

Download the OSCAL CLI tool. (GPG Signature)

What's Changed

• Bump liboscal java to 4.0.2 by @david-waltermire in #15

Full Changelog: v2.0.1...v2.0.2