Schematron

Roger L. Costello 18 July 2007 1

Purpose

• Two Types of Schema Languages – http://www.xfront.com/schematron/Two-types of-XML-Schema-Language.html

Schema Language grammar-based (structure, form, syntax) rule-based (data relationships) DTD XML Schema Relax NG Schematron 2

Purpose

• Schematron Usage and Features – http://www.xfront.com/schematron/Schematro n-Usage-and-Features.html

Schematron Co-constraints Cardinality Algorithmic 3

How it Works

• Overview – http://www.xfront.com/schematron/overview.ht

ml 4

Use Cases

• Validating Co-constraints – http://www.xfront.com/schematron/co constraints.html

• Validating Cardinality – http://www.xfront.com/schematron/cardinality.

html • Algorithmic Constraint Checking – http://www.xfront.com/schematron/algorithms.

html 5

Who's Using It

• • • • Open Vulnerability and Assessment Language (OVAL™): the standard for determining vulnerability and configuration issues on computer systems – "OVAL is an international, information security, community standard to promote open and publicly available security content, and to standardize the transfer of this information across the entire spectrum of security tools and services. OVAL includes a language used to encode system details, and an assortment of content repositories held throughout the community. The language standardizes the three main steps of the assessment process: representing configuration information of systems for testing; analyzing the system for the presence of the specified machine state (vulnerability, configuration, patch state, etc.); and reporting the results of this assessment. The repositories are collections of publicly available and open content that utilize the language." "There are many things that cannot be validated with W3C Schema. Maybe the most pertinent example is trying to validate that a particular element exists based on the value of an attribute. To validate these types of conditions, ISO Schematron rules have been included with the OVAL Schema." Homepage: http://oval.mitre.org/ Schematron Schemas: – http://oval.mitre.org/language/download/schema/version5.1/ovaldefinition/schem atron/oval-definitions-schematron.zip

6

Who's Using It (cont.)

• Schematron validation is being integrated into Cross Domain XML Guards – Radiant Mercury (RM) • http://ftp.fas.org/irp/program/disseminate/radiant_mercury.pdf

– Information Support Server Environment (ISSE) • http://www.globalsecurity.org/intell/systems/isse-guard.htm

– DataSync Guard (DSG) • BAE Systems • Schematron validation can be used by the XML Guards to perform – co-constraint checking (

e.g.

classification label checking) – cardinality checking (

e.g.

dirty word checking) – algorithmic constraint checking (

e.g.

checksum validation) 7

Lessons Learned

• • Validation time can be enhanced 4x by setting the optimize parameter in the ISO Schematron stylesheet. http://eccnet.eccnet.com/pipermail/schema tron-love-in/2007-January/000363.html

8

Recommendations

• Use ISO Schematron to express these data constraints: – Co-constraints – Cardinality checking – Algorithmic checking 9