npm - @mitre/hdf-converters - Versions diffs - 3.1.0 → 3.2.0 - Mend

@mitre/hdf-converters 3.1.0 → 3.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/README.md +5 -1
package/dist/detect.d.ts.map +1 -1
package/dist/detect.js +1 -1
package/dist/index.d.ts +69 -1
package/dist/index.d.ts.map +1 -1
package/dist/index.js +1167 -66
package/dist/index.js.map +1 -1
package/dist/{register-all-DaYHszLd.js → register-all-ik8sNfNf.js} +68 -7
package/dist/register-all-ik8sNfNf.js.map +1 -0
package/dist/registry.d.ts.map +1 -1
package/dist/registry.js.map +1 -1
package/package.json +7 -7
package/dist/register-all-DaYHszLd.js.map +0 -1

package/dist/index.js CHANGED Viewed

@@ -1,7 +1,7 @@
-import { n as detectConverter, t as registerAllFingerprints } from "./register-all-DaYHszLd.js";
+import { n as detectConverter, t as registerAllFingerprints } from "./register-all-ik8sNfNf.js";
 import { flattenOverlays } from "@mitre/hdf-parsers";
 import { buildCsv, buildXml, parseCsv, parseJSON, parseXml, parseXmlWithArrays, sha256, stripHtml as stripHTML } from "@mitre/hdf-utilities";
-import { AuthorizationStatus, BoundaryDescription, CategorizationLevel, Copyright, HashAlgorithm, OverrideType, PlanType, ResultStatus, createDescription, createMinimalBaseline, createRequirement, createResult, severityToImpact } from "@mitre/hdf-schema";
+import { Applicability, AuthorizationStatus, BoundaryDescription, CategorizationLevel, ControlType, Copyright, HashAlgorithm, OverrideType, PlanType, ResultStatus, VerificationMethodEnum, VerificationMethodEnum as VerificationMethodEnum$1, createDescription, createMinimalBaseline, createRequirement, createResult, severityToImpact } from "@mitre/hdf-schema";
 import { DEFAULT_COMPONENT_MANAGEMENT_NIST_TAGS, DEFAULT_REMEDIATION_NIST_TAGS, DEFAULT_STATIC_ANALYSIS_NIST_TAGS, DEFAULT_STATIC_ANALYSIS_NIST_TAGS as DEFAULT_STATIC_ANALYSIS_NIST_TAGS$1, getAwsConfigNistControlByIdentifier, getAwsConfigNistControlByName, getCCINistMappings, getCweNistControl, getNessusNistControl, getNiktoNistControl, getOwaspNistControl, getScoutsuiteNistControl, nistToCci } from "@mitre/hdf-mappings";
 //#region shared/typescript/converterutil.ts
 /**
@@ -202,6 +202,139 @@ function buildHdfResults(opts) {
 	if (opts.statistics) hdf.statistics = opts.statistics;
 	return JSON.stringify(hdf, null, 2);
 }
+/**
+* Captures a NIST 800-53 control identifier and its base sub-control number,
+* ignoring enhancement suffixes like "(1)" or ".1". Mirrors the Go pattern
+* in shared/go/converterutil.go.
+*/
+const NIST_TAG_PATTERN = /^([A-Z]{2})-(\d+)/;
+/**
+* Maps each recognized NIST 800-53 Rev 5 family to its HDF controlType per
+* SP 800-53 Appendix C / SP 800-53A classification. Unknown families resolve
+* to undefined.
+*/
+const NIST_FAMILY_CONTROL_TYPE = {
+	AC: ControlType.Technical,
+	AT: ControlType.Operational,
+	AU: ControlType.Operational,
+	CA: ControlType.Management,
+	CM: ControlType.Operational,
+	CP: ControlType.Operational,
+	IA: ControlType.Technical,
+	IR: ControlType.Operational,
+	MA: ControlType.Operational,
+	MP: ControlType.Operational,
+	PE: ControlType.Operational,
+	PL: ControlType.Management,
+	PM: ControlType.Management,
+	PS: ControlType.Operational,
+	PT: ControlType.Operational,
+	RA: ControlType.Management,
+	SA: ControlType.Management,
+	SC: ControlType.Technical,
+	SI: ControlType.Technical,
+	SR: ControlType.Management
+};
+/**
+* Derive the HDF `controlType` for a single NIST 800-53 control identifier
+* using a family-prefix heuristic. Returns undefined when the family is
+* unrecognized or the tag is not a NIST control identifier.
+*
+* Heuristic, per NIST SP 800-53 Rev 5 Appendix C and SP 800-53A:
+* - Management: PM, RA, CA, PL, SA, SR families
+* - Operational: AT, AU, CM, CP, IR, MA, MP, PE, PS, PT families
+* - Technical:  AC, IA, SC, SI families
+* - Policy:     any "-1" sub-control (the per-family policy/procedure
+*   document, regardless of which family it belongs to). Enhancements of
+*   -1 controls (e.g., AC-1(1)) also resolve to policy.
+*
+* The "-1" rule takes precedence over the family rule because the per-family
+* policy/procedure document is more usefully classified by its document
+* nature than by the family it documents.
+*
+* @example
+*   deriveControlType("AC-3")      // ControlType.Technical
+*   deriveControlType("AC-1")      // ControlType.Policy   (any *-1 is policy)
+*   deriveControlType("AC-3(1)")   // ControlType.Technical (enhancement of AC-3)
+*   deriveControlType("PM-2")      // ControlType.Management
+*   deriveControlType("SV-238196") // undefined            (not a NIST tag)
+*/
+function deriveControlType(nistTag) {
+	const match = NIST_TAG_PATTERN.exec(nistTag.trim().toUpperCase());
+	if (!match || match[1] === void 0 || match[2] === void 0) return void 0;
+	const family = match[1];
+	const subControl = match[2];
+	const familyClass = NIST_FAMILY_CONTROL_TYPE[family];
+	if (familyClass === void 0) return void 0;
+	if (subControl === "1") return ControlType.Policy;
+	return familyClass;
+}
+/**
+* NIST tag sets this package uses as per-converter static fallbacks when no
+* real per-finding mapping is available. When deriveControlTypeFromTags sees
+* an input that exactly matches one of these bundles, it returns undefined —
+* the input carries no real per-finding signal, and stamping every
+* requirement with the same derived controlType is misleading.
+*
+* Keep in sync with DEFAULT_STATIC_ANALYSIS_NIST_TAGS, DEFAULT_REMEDIATION_NIST_TAGS.
+*/
+const NIST_FALLBACK_BUNDLES = [
+	["RA-5", "SA-11"],
+	["RA-5", "SI-2"],
+	["CM-8"]
+];
+function tagsMatchFallback(tags) {
+	if (tags.length === 0) return false;
+	const sorted = [...new Set(tags)].sort();
+	return NIST_FALLBACK_BUNDLES.some((bundle) => bundle.length === sorted.length && bundle.every((b, i) => b === sorted[i]));
+}
+/**
+* Derive the HDF `controlType` for a slice of NIST tags. Resolves each tag
+* via {@link deriveControlType}, then picks the most-specific class by
+* precedence: technical > operational > management > policy > procedure.
+* The rationale is that a control enforced via configuration (technical)
+* is more actionable than the same control's management/policy framing.
+*
+* Returns undefined when no tag resolves to a known classification, OR when
+* the input exactly matches a converter-level static-fallback bundle (e.g.
+* the DEFAULT_STATIC_ANALYSIS_NIST_TAGS set). The fallback gate prevents
+* converters that have no per-finding NIST signal from stamping every
+* requirement with the same misleading controlType.
+*/
+function deriveControlTypeFromTags(tags) {
+	if (tagsMatchFallback(tags)) return void 0;
+	const rank = {
+		[ControlType.Technical]: 0,
+		[ControlType.Operational]: 1,
+		[ControlType.Management]: 2,
+		[ControlType.Policy]: 3,
+		[ControlType.Procedure]: 4
+	};
+	let best;
+	let bestRank = Number.POSITIVE_INFINITY;
+	for (const tag of tags) {
+		const ct = deriveControlType(tag);
+		if (ct === void 0) continue;
+		const r = rank[ct];
+		if (r < bestRank) {
+			bestRank = r;
+			best = ct;
+		}
+	}
+	return best;
+}
+/**
+* Derive the HDF `verificationMethod` for a requirement based on whether
+* check code is present. Returns `automated` when code is non-empty (a check
+* exists and runs without operator action), and undefined otherwise — the
+* converter is responsible for distinguishing manual-by-design (statement-form,
+* e.g. FedRAMP 20x KSI) from manual-pending-automation (a check that could
+* be automated but isn't yet) when it has the source-format context to do so.
+*/
+function deriveVerificationMethod(code) {
+	if (code === void 0 || code === null || code === "") return void 0;
+	return VerificationMethodEnum$1.Automated;
+}
 //#endregion
 //#region converters/legacyhdf-to-hdf/typescript/converter.ts
 /**
@@ -341,6 +474,11 @@ function convertControl(v1Control) {
 	if (v1Control.results && Array.isArray(v1Control.results)) v2Req.results = v1Control.results.map(convertResult);
 	if (!v2Req.effectiveStatus) v2Req.effectiveStatus = computeEffectiveStatus(v1Control.impact, v2Req.results ?? []);
 	v2Req.severity = tagSeverityToSeverity(v1Control.tags?.severity) ?? impactToSeverity$2(v1Control.impact);
+	const rawNist = v1Control.tags?.nist;
+	if (Array.isArray(rawNist)) {
+		const controlType = deriveControlTypeFromTags(rawNist.filter((v) => typeof v === "string"));
+		if (controlType !== void 0) v2Req.controlType = controlType;
+	}
 	const knownFields = new Set([
 		"id",
 		"title",
@@ -605,7 +743,11 @@ function convertResultGroup(ruleId, rule, sarifResults) {
 	const descriptions = buildDescriptions$1(description, rule, firstResult);
 	const options = { tags: buildTags$3(firstResult, rule, ruleLevel, cweIds, nistControls, cciControls) };
 	if (sourceLocation) options.sourceLocation = sourceLocation;
-	return createRequirement(ruleId, title, descriptions, impact, results, options);
+	const req = createRequirement(ruleId, title, descriptions, impact, results, options);
+	const controlType = deriveControlTypeFromTags(nistControls);
+	if (controlType !== void 0) req.controlType = controlType;
+	req.verificationMethod = VerificationMethodEnum.Automated;
+	return req;
 }
 function resolveRuleLevel(rule, results) {
 	if (rule?.defaultConfiguration?.level) return rule.defaultConfiguration.level;
@@ -810,8 +952,8 @@ function createHDFResult(location, status, backtrace, suppressionMessage) {
 //#endregion
 //#region converters/junit-to-hdf/typescript/converter.ts
 const DEFAULT_NIST = ["SA-11"];
-const CONVERTER_VERSION$1 = "1.0.0";
-const ARRAY_TAGS$1 = ["testsuite", "testcase"];
+const CONVERTER_VERSION$2 = "1.0.0";
+const ARRAY_TAGS$2 = ["testsuite", "testcase"];
 /**
 * Converts JUnit XML test results to HDF format.
 */
@@ -821,7 +963,7 @@ async function convertJunitToHdf(input) {
 	const { suites, name } = parseJUnitXML(input);
 	return buildHdfResults({
 		generatorName: "hdf-converters",
-		converterVersion: CONVERTER_VERSION$1,
+		converterVersion: CONVERTER_VERSION$2,
 		toolName: "JUnit XML",
 		toolFormat: "XML",
 		baselines: [createMinimalBaseline(name, buildRequirements(suites), { resultsChecksum: await inputChecksum(input) })],
@@ -833,7 +975,7 @@ async function convertJunitToHdf(input) {
 	});
 }
 function parseJUnitXML(input) {
-	const parsed = parseXmlWithArrays(input, ARRAY_TAGS$1);
+	const parsed = parseXmlWithArrays(input, ARRAY_TAGS$2);
 	if (parsed.testsuites) return {
 		suites: parsed.testsuites.testsuite ?? [],
 		name: parsed.testsuites.name || "JUnit Test Results"
@@ -876,7 +1018,11 @@ function testCaseToRequirement(tc, suiteTimestamp) {
 		label: "default",
 		data: `JUnit test: ${tc.name} in ${tc.classname || "unknown"}`
 	}];
-	return createRequirement(id, tc.name, descriptions, .5, [result], { tags: { nist: DEFAULT_NIST } });
+	const req = createRequirement(id, tc.name, descriptions, .5, [result], { tags: { nist: DEFAULT_NIST } });
+	const controlType = deriveControlTypeFromTags(DEFAULT_NIST);
+	if (controlType !== void 0) req.controlType = controlType;
+	req.verificationMethod = VerificationMethodEnum.Automated;
+	return req;
 }
 function buildID(tc) {
 	if (tc.classname) return `${tc.classname}.${tc.name}`;
@@ -923,10 +1069,10 @@ function buildCodeDesc$9(tc) {
 }
 //#endregion
 //#region converters/xccdf-results-to-hdf/typescript/converter.ts
-const CONVERTER_VERSION = "1.0.0";
+const CONVERTER_VERSION$1 = "1.0.0";
 const CCI_SYSTEM = "http://cyber.mil/cci";
 /** Tags that must always be parsed as arrays even if only one element exists. */
-const ARRAY_TAGS = [
+const ARRAY_TAGS$1 = [
 	"Group",
 	"Rule",
 	"Profile",
@@ -969,7 +1115,7 @@ const STATUS_MAP = {
 async function convertXccdfResultsToHdf(input) {
 	if (!input || !input.trim()) throw new Error("Empty input");
 	validateInputSize(input, "xccdf-results");
-	const parsed = parseXmlWithArrays(input, ARRAY_TAGS);
+	const parsed = parseXmlWithArrays(input, ARRAY_TAGS$1);
 	const arfParsed = parsed;
 	if (arfParsed["asset-report-collection"]) return convertArfCollection(arfParsed["asset-report-collection"], input);
 	const benchmark = parsed.Benchmark;
@@ -999,7 +1145,7 @@ async function convertBenchmarkResultsToHdf(benchmark, rawInput) {
 		baselines: [baseline],
 		generator: {
 			name: "hdf-converters",
-			version: CONVERTER_VERSION
+			version: CONVERTER_VERSION$1
 		},
 		tool: {
 			name: "XCCDF Results",
@@ -1058,7 +1204,7 @@ async function convertArfCollection(arc, rawInput) {
 		baselines,
 		generator: {
 			name: "hdf-converters",
-			version: CONVERTER_VERSION
+			version: CONVERTER_VERSION$1
 		},
 		tool: {
 			name: "ARF",
@@ -1144,13 +1290,17 @@ function ruleResultToRequirement(rr, ruleIndex) {
 	});
 	const result = createResult(STATUS_MAP[(rr.result ?? "").toLowerCase()] ?? ResultStatus.NotReviewed, "", { codeDesc: `XCCDF rule ${id}` });
 	const tags = {};
+	let nistTags = [];
 	const cciIds = extractCCIs(rr.ident ?? ruleDef?.ident ?? []);
 	if (cciIds.length > 0) {
 		tags["cci"] = cciIds;
-		const nistTags = cciIds.flatMap((cci) => getCCINistMappings(cci) ?? []);
-		if (nistTags.length > 0) tags["nist"] = [...new Set(nistTags)];
+		nistTags = [...new Set(cciIds.flatMap((cci) => getCCINistMappings(cci) ?? []))];
+		if (nistTags.length > 0) tags["nist"] = nistTags;
 	}
-	return createRequirement(id, title, descriptions, impact, [result], { tags });
+	const req = createRequirement(id, title, descriptions, impact, [result], { tags });
+	const controlType = deriveControlTypeFromTags(nistTags);
+	if (controlType !== void 0) req.controlType = controlType;
+	return req;
 }
 /**
 * Build Component array from TestResult metadata.
@@ -1210,6 +1360,713 @@ function extractCCIs(idents) {
 	return idents.filter((i) => i.system === CCI_SYSTEM).map((i) => i["#text"] ?? "").filter((v) => v.length > 0);
 }
 //#endregion
+//#region shared/typescript/checklist/status.ts
+function normalizeKey(s) {
+	return s.toLowerCase().trim().split("_").join("").split(" ").join("");
+}
+const STATUS_BY_KEY = {
+	open: "Open",
+	notafinding: "NotAFinding",
+	notreviewed: "Not_Reviewed",
+	notapplicable: "Not_Applicable"
+};
+/** Map any CKL/CKLB status spelling to the canonical CheckStatus. */
+function parseStatus(s) {
+	return STATUS_BY_KEY[normalizeKey(s ?? "")] ?? "Not_Reviewed";
+}
+/** CKL (XML) spelling. */
+function statusToCkl(s) {
+	return s || "Not_Reviewed";
+}
+/** CKLB (JSON) snake_case spelling. */
+function statusToCklb(s) {
+	switch (s) {
+		case "Open": return "open";
+		case "NotAFinding": return "not_a_finding";
+		case "Not_Applicable": return "not_applicable";
+		default: return "not_reviewed";
+	}
+}
+/** Canonical status -> HDF Result_Status. */
+function statusToHdf(s) {
+	switch (s) {
+		case "Open": return ResultStatus.Failed;
+		case "NotAFinding": return ResultStatus.Passed;
+		case "Not_Applicable": return ResultStatus.NotApplicable;
+		default: return ResultStatus.NotReviewed;
+	}
+}
+/** HDF Result_Status -> canonical status (error -> Open). */
+function statusFromHdf(s) {
+	switch (s) {
+		case ResultStatus.Passed: return "NotAFinding";
+		case ResultStatus.Failed:
+		case ResultStatus.Error: return "Open";
+		case ResultStatus.NotApplicable: return "Not_Applicable";
+		default: return "Not_Reviewed";
+	}
+}
+//#endregion
+//#region shared/typescript/checklist/ckl.ts
+const ARRAY_TAGS = [
+	"iSTIG",
+	"VULN",
+	"STIG_DATA",
+	"SI_DATA"
+];
+const BUILD_OPTIONS$1 = {
+	attributeNamePrefix: "@_",
+	textNodeName: "#text",
+	ignoreAttributes: false,
+	format: true,
+	indentBy: "	",
+	suppressEmptyNode: false
+};
+function str(v) {
+	return v === void 0 || v === null ? "" : String(v);
+}
+const VULN_ATTR_ORDER = [
+	"Vuln_Num",
+	"Severity",
+	"Group_Title",
+	"Rule_ID",
+	"Rule_Ver",
+	"Rule_Title",
+	"Vuln_Discuss",
+	"IA_Controls",
+	"Check_Content",
+	"Fix_Text",
+	"False_Positives",
+	"False_Negatives",
+	"Documentable",
+	"Mitigations",
+	"Potential_Impact",
+	"Third_Party_Tools",
+	"Mitigation_Control",
+	"Responsibility",
+	"Security_Override_Guidance",
+	"Check_Content_Ref",
+	"Weight",
+	"Class",
+	"STIG_UUID"
+];
+const CORE_VULN_ATTR = new Set([
+	"Vuln_Num",
+	"Severity",
+	"Group_Title",
+	"Rule_ID",
+	"Rule_Ver",
+	"Rule_Title",
+	"Vuln_Discuss",
+	"Check_Content",
+	"Fix_Text",
+	"Weight",
+	"Class"
+]);
+/** Parse CKL XML into the format-neutral Checklist model. */
+function parseCkl(input) {
+	const checklist = parseXmlWithArrays(input, ARRAY_TAGS, { processEntities: true }).CHECKLIST;
+	const istigs = checklist?.STIGS?.iSTIG;
+	if (!checklist || !istigs || istigs.length === 0) throw new Error("parse ckl: no <iSTIG> blocks found (not a CKL document?)");
+	const a = checklist.ASSET ?? {};
+	return {
+		format: "ckl",
+		asset: {
+			role: str(a["ROLE"]),
+			assetType: str(a["ASSET_TYPE"]),
+			marking: str(a["MARKING"]),
+			hostName: str(a["HOST_NAME"]),
+			hostIP: str(a["HOST_IP"]),
+			hostMAC: str(a["HOST_MAC"]),
+			hostFQDN: str(a["HOST_FQDN"]),
+			targetComment: str(a["TARGET_COMMENT"]),
+			techArea: str(a["TECH_AREA"]),
+			targetKey: str(a["TARGET_KEY"]),
+			webOrDatabase: str(a["WEB_OR_DATABASE"]) === "true",
+			webDBSite: str(a["WEB_DB_SITE"]),
+			webDBInstance: str(a["WEB_DB_INSTANCE"])
+		},
+		stigs: istigs.map((is) => {
+			const si = is.STIG_INFO?.SI_DATA ?? [];
+			const siVal = (name) => str(si.find((d) => d.SID_NAME === name)?.SID_DATA);
+			return {
+				stigID: siVal("stigid"),
+				title: siVal("title"),
+				version: siVal("version"),
+				releaseInfo: siVal("releaseinfo"),
+				uuid: siVal("uuid"),
+				classification: siVal("classification"),
+				vulns: (is.VULN ?? []).map(cklVulnToModel)
+			};
+		})
+	};
+}
+function cklVulnToModel(v) {
+	const data = v.STIG_DATA ?? [];
+	const attr = (name) => str(data.find((sd) => sd.VULN_ATTRIBUTE === name)?.ATTRIBUTE_DATA);
+	const ccis = [];
+	const extra = {};
+	const promoted = new Set([
+		"CCI_REF",
+		"Vuln_Num",
+		"Severity",
+		"Group_Title",
+		"Rule_ID",
+		"Rule_Ver",
+		"Rule_Title",
+		"Vuln_Discuss",
+		"Check_Content",
+		"Fix_Text",
+		"Weight",
+		"Class"
+	]);
+	for (const sd of data) {
+		const name = sd.VULN_ATTRIBUTE ?? "";
+		const val = str(sd.ATTRIBUTE_DATA);
+		if (name === "CCI_REF") {
+			if (val) ccis.push(val);
+		} else if (!promoted.has(name) && val) extra[name] = val;
+	}
+	return {
+		vulnNum: attr("Vuln_Num"),
+		ruleID: attr("Rule_ID"),
+		ruleVer: attr("Rule_Ver"),
+		groupTitle: attr("Group_Title"),
+		severity: attr("Severity"),
+		ruleTitle: attr("Rule_Title"),
+		vulnDiscuss: attr("Vuln_Discuss"),
+		checkContent: attr("Check_Content"),
+		fixText: attr("Fix_Text"),
+		weight: attr("Weight"),
+		classification: attr("Class"),
+		ccis,
+		status: parseStatus(v.STATUS),
+		findingDetails: str(v.FINDING_DETAILS),
+		comments: str(v.COMMENTS),
+		extra
+	};
+}
+/** Serialize the Checklist model to CKL XML (with declaration). */
+function serializeCkl(cl) {
+	return `<?xml version="1.0" encoding="UTF-8"?>\n${buildXml({ CHECKLIST: {
+		ASSET: {
+			ROLE: cl.asset.role || "None",
+			ASSET_TYPE: cl.asset.assetType || "Computing",
+			HOST_NAME: cl.asset.hostName ?? "",
+			HOST_IP: cl.asset.hostIP ?? "",
+			HOST_MAC: cl.asset.hostMAC ?? "",
+			HOST_FQDN: cl.asset.hostFQDN ?? "",
+			TARGET_COMMENT: cl.asset.targetComment ?? "",
+			TECH_AREA: cl.asset.techArea ?? "",
+			TARGET_KEY: cl.asset.targetKey ?? "",
+			WEB_OR_DATABASE: cl.asset.webOrDatabase ? "true" : "false",
+			WEB_DB_SITE: cl.asset.webDBSite ?? "",
+			WEB_DB_INSTANCE: cl.asset.webDBInstance ?? ""
+		},
+		STIGS: { iSTIG: cl.stigs.map((s) => ({
+			STIG_INFO: { SI_DATA: stigInfoSiData(s) },
+			VULN: s.vulns.map(modelVulnToCkl)
+		})) }
+	} }, BUILD_OPTIONS$1)}`;
+}
+function stigInfoSiData(s) {
+	return [
+		{
+			name: "version",
+			data: s.version
+		},
+		{
+			name: "classification",
+			data: s.classification
+		},
+		{
+			name: "stigid",
+			data: s.stigID
+		},
+		{
+			name: "releaseinfo",
+			data: s.releaseInfo
+		},
+		{
+			name: "title",
+			data: s.title
+		},
+		{
+			name: "uuid",
+			data: s.uuid
+		}
+	].filter((p) => p.data).map((p) => ({
+		SID_NAME: p.name,
+		SID_DATA: p.data
+	}));
+}
+function modelVulnToCkl(v) {
+	const typed = {
+		Vuln_Num: v.vulnNum,
+		Severity: v.severity ?? "",
+		Group_Title: v.groupTitle ?? "",
+		Rule_ID: v.ruleID ?? "",
+		Rule_Ver: v.ruleVer ?? "",
+		Rule_Title: v.ruleTitle ?? "",
+		Vuln_Discuss: v.vulnDiscuss ?? "",
+		Check_Content: v.checkContent ?? "",
+		Fix_Text: v.fixText ?? "",
+		Weight: v.weight || "10.0",
+		Class: v.classification || "Unclass"
+	};
+	const stigData = [];
+	for (const name of VULN_ATTR_ORDER) {
+		const val = typed[name] ?? v.extra?.[name] ?? "";
+		if (!val && !CORE_VULN_ATTR.has(name)) continue;
+		stigData.push({
+			VULN_ATTRIBUTE: name,
+			ATTRIBUTE_DATA: val
+		});
+	}
+	for (const cci of v.ccis) stigData.push({
+		VULN_ATTRIBUTE: "CCI_REF",
+		ATTRIBUTE_DATA: cci
+	});
+	return {
+		STIG_DATA: stigData,
+		STATUS: statusToCkl(v.status),
+		FINDING_DETAILS: v.findingDetails ?? "",
+		COMMENTS: v.comments ?? ""
+	};
+}
+//#endregion
+//#region shared/typescript/checklist/cklb.ts
+/** Parse CKLB JSON into the format-neutral Checklist model. */
+function parseCklb(input) {
+	const doc = parseJSON(input);
+	if (!doc || !Array.isArray(doc.stigs) || doc.stigs.length === 0) throw new Error("parse cklb: no stigs[] found (not a CKLB document?)");
+	const t = doc.target_data ?? {};
+	const asset = {
+		role: nz(t.role),
+		assetType: nz(t.target_type),
+		hostName: nz(t.host_name),
+		hostIP: nz(t.ip_address),
+		hostMAC: nz(t.mac_address),
+		hostFQDN: nz(t.fqdn),
+		targetComment: nz(t.comments),
+		webOrDatabase: t.is_web_database === true,
+		webDBSite: nz(t.web_db_site),
+		webDBInstance: nz(t.web_db_instance),
+		techArea: nz(t.technology_area),
+		classification: nz(t.classification)
+	};
+	const stigs = doc.stigs.map((s) => ({
+		stigID: nz(s.stig_id),
+		title: nz(s.stig_name) || nz(s.display_name),
+		displayName: nz(s.display_name),
+		version: nz(s.version),
+		releaseInfo: nz(s.release_info),
+		uuid: nz(s.uuid),
+		referenceIdentifier: nz(s.reference_identifier),
+		vulns: (s.rules ?? []).map(cklbRuleToModel)
+	}));
+	return {
+		format: "cklb",
+		cklbVersion: nz(doc.cklb_version),
+		asset,
+		stigs
+	};
+}
+/** Coerce a possibly-null/non-string JSON value to string | undefined.
+* Real STIG Viewer CKLB output uses null for unset fields (e.g.
+* target_data.classification: null); the model expects string | undefined. */
+function nz(v) {
+	return typeof v === "string" ? v : void 0;
+}
+function cklbRuleToModel(r) {
+	const extra = {};
+	if (r.third_party_tools) extra["Third_Party_Tools"] = r.third_party_tools;
+	if (r.srg_id) extra["SRG_ID"] = r.srg_id;
+	return {
+		vulnNum: nz(r.group_id) ?? "",
+		ruleID: nz(r.rule_id),
+		ruleVer: nz(r.rule_version),
+		groupID: nz(r.group_id),
+		groupTitle: nz(r.group_title),
+		severity: nz(r.severity),
+		ruleTitle: nz(r.rule_title),
+		vulnDiscuss: nz(r.discussion),
+		checkContent: nz(r.check_content),
+		fixText: nz(r.fix_text),
+		weight: nz(r.weight),
+		classification: nz(r.classification),
+		ccis: Array.isArray(r.ccis) ? r.ccis.filter((c) => typeof c === "string") : [],
+		legacyIDs: r.legacy_ids,
+		status: parseStatus(r.status),
+		findingDetails: nz(r.finding_details),
+		comments: nz(r.comments),
+		extra
+	};
+}
+/** Serialize the Checklist model to CKLB JSON. */
+function serializeCklb(cl) {
+	const doc = {
+		title: cklbTitle(cl),
+		cklb_version: cl.cklbVersion || "1.0",
+		active: false,
+		has_path: false,
+		target_data: {
+			target_type: cl.asset.assetType || "Computing",
+			host_name: cl.asset.hostName ?? "",
+			ip_address: cl.asset.hostIP ?? "",
+			mac_address: cl.asset.hostMAC ?? "",
+			fqdn: cl.asset.hostFQDN ?? "",
+			comments: cl.asset.targetComment ?? "",
+			role: cl.asset.role || "None",
+			is_web_database: cl.asset.webOrDatabase ?? false,
+			technology_area: cl.asset.techArea ?? "",
+			web_db_site: cl.asset.webDBSite ?? "",
+			web_db_instance: cl.asset.webDBInstance ?? "",
+			...cl.asset.classification ? { classification: cl.asset.classification } : {}
+		},
+		stigs: cl.stigs.map((s) => ({
+			stig_name: s.title ?? "",
+			display_name: s.displayName || s.title || "",
+			stig_id: s.stigID ?? "",
+			release_info: s.releaseInfo ?? "",
+			version: s.version ?? "",
+			uuid: s.uuid ?? "",
+			...s.referenceIdentifier ? { reference_identifier: s.referenceIdentifier } : {},
+			rules: s.vulns.map((v) => ({
+				group_id: v.groupID || v.vulnNum,
+				group_title: v.groupTitle ?? "",
+				rule_id: v.ruleID ?? "",
+				rule_version: v.ruleVer ?? "",
+				rule_title: v.ruleTitle ?? "",
+				severity: v.severity ?? "",
+				weight: v.weight || "10.0",
+				check_content: v.checkContent ?? "",
+				fix_text: v.fixText ?? "",
+				discussion: v.vulnDiscuss ?? "",
+				ccis: v.ccis,
+				...v.legacyIDs && v.legacyIDs.length ? { legacy_ids: v.legacyIDs } : {},
+				status: statusToCklb(v.status),
+				comments: v.comments ?? "",
+				finding_details: v.findingDetails ?? "",
+				...v.extra?.["Third_Party_Tools"] ? { third_party_tools: v.extra["Third_Party_Tools"] } : {}
+			}))
+		}))
+	};
+	return JSON.stringify(doc, null, 2);
+}
+function cklbTitle(cl) {
+	return cl.stigs[0]?.title || "STIG Checklist";
+}
+//#endregion
+//#region shared/typescript/checklist/to-hdf.ts
+const CONVERTER_VERSION = "1.0.0";
+/**
+* Map the format-neutral Checklist model to an HDF Results object.
+* controlType is derived per-Vuln from CCI->NIST; verificationMethod and
+* applicability are omitted (the checklist format cannot substantiate them).
+* Original-format metadata is stashed in extensions/tags for round-trip.
+*/
+function checklistToHdf(cl, resultsChecksum) {
+	const hdf = {
+		baselines: cl.stigs.map((s) => stigToBaseline(s, resultsChecksum)),
+		generator: {
+			name: "hdf-converters",
+			version: CONVERTER_VERSION
+		},
+		tool: {
+			name: "DISA STIG Viewer",
+			format: cl.format === "cklb" ? "CKLB" : "CKL"
+		},
+		timestamp: /* @__PURE__ */ new Date()
+	};
+	const component = assetToComponent(cl.asset);
+	if (component) hdf.components = [component];
+	const ext = rootExtensions(cl);
+	if (Object.keys(ext).length > 0) hdf.extensions = ext;
+	return hdf;
+}
+function stigToBaseline(s, resultsChecksum) {
+	const baseline = createMinimalBaseline("STIG Checklist Scan", s.vulns.map(vulnToRequirement), { resultsChecksum });
+	if (s.title) baseline.title = s.title;
+	if (s.version) baseline.version = s.version;
+	const ext = baselineExtensions(s);
+	if (Object.keys(ext).length > 0) baseline.extensions = ext;
+	return baseline;
+}
+function vulnToRequirement(v) {
+	const severity = (v.severity ?? "").toLowerCase();
+	const impact = severity ? severityToImpact(severity) : .5;
+	const descriptions = [{
+		label: "default",
+		data: stripHTML(v.vulnDiscuss ?? "")
+	}];
+	if (v.checkContent) descriptions.push({
+		label: "check",
+		data: stripHTML(v.checkContent)
+	});
+	if (v.fixText) descriptions.push({
+		label: "fix",
+		data: stripHTML(v.fixText)
+	});
+	const message = [v.findingDetails, v.comments].map((s) => (s ?? "").trim()).filter(Boolean).join("\n\n");
+	const result = createResult(statusToHdf(v.status), message, { codeDesc: `STIG rule ${v.ruleVer ?? ""}` });
+	const tags = {};
+	let nistTags = [];
+	if (v.ccis.length > 0) {
+		tags["cci"] = v.ccis;
+		nistTags = [...new Set(v.ccis.flatMap((c) => getCCINistMappings(c) ?? []))].sort();
+		tags["nist"] = nistTags;
+	} else tags["nist"] = [];
+	setIf(tags, "rid", v.ruleID);
+	setIf(tags, "stig_id", v.ruleVer);
+	setIf(tags, "gtitle", v.groupTitle);
+	setIf(tags, "group_id", v.groupID);
+	setIf(tags, "weight", v.weight);
+	setIf(tags, "severity", severity);
+	if (v.legacyIDs && v.legacyIDs.length) tags["legacy_ids"] = v.legacyIDs;
+	if (v.extra && Object.keys(v.extra).length > 0) tags["cklMetadata"] = { ...v.extra };
+	const req = createRequirement(v.vulnNum, v.ruleTitle ?? v.vulnNum, descriptions, impact, [result], { tags });
+	if (severity) req.severity = severity;
+	const controlType = deriveControlTypeFromTags(nistTags);
+	if (controlType !== void 0) req.controlType = controlType;
+	return req;
+}
+function assetToComponent(a) {
+	if (!a.hostName && !a.hostIP && !a.hostFQDN) return void 0;
+	const c = {
+		name: a.hostName || a.hostFQDN || a.hostIP || "",
+		type: Copyright.Host
+	};
+	if (a.hostIP) c.ipAddress = a.hostIP;
+	if (a.hostFQDN) c.fqdn = a.hostFQDN;
+	if (a.hostMAC) c.macAddress = a.hostMAC;
+	return c;
+}
+function rootExtensions(cl) {
+	const ext = { checklistFormat: cl.format || "ckl" };
+	if (cl.cklbVersion) ext["cklbVersion"] = cl.cklbVersion;
+	const ax = {};
+	setIf(ax, "role", cl.asset.role);
+	setIf(ax, "assetType", cl.asset.assetType);
+	setIf(ax, "marking", cl.asset.marking);
+	setIf(ax, "targetKey", cl.asset.targetKey);
+	setIf(ax, "techArea", cl.asset.techArea);
+	setIf(ax, "targetComment", cl.asset.targetComment);
+	setIf(ax, "webDbSite", cl.asset.webDBSite);
+	setIf(ax, "webDbInstance", cl.asset.webDBInstance);
+	setIf(ax, "classification", cl.asset.classification);
+	if (cl.asset.webOrDatabase) ax["webOrDatabase"] = true;
+	if (Object.keys(ax).length > 0) ext["assetExtras"] = ax;
+	return ext;
+}
+function baselineExtensions(s) {
+	const ext = {};
+	setIf(ext, "stigid", s.stigID);
+	setIf(ext, "uuid", s.uuid);
+	setIf(ext, "releaseInfo", s.releaseInfo);
+	setIf(ext, "displayName", s.displayName);
+	setIf(ext, "referenceIdentifier", s.referenceIdentifier);
+	setIf(ext, "classification", s.classification);
+	return ext;
+}
+function setIf(m, key, val) {
+	if (val) m[key] = val;
+}
+//#endregion
+//#region shared/typescript/checklist/from-hdf.ts
+/**
+* Map HDF Results back to the format-neutral Checklist model. When the HDF
+* carries checklist passthrough (extensions/tags from checklistToHdf), the
+* original fields are reproduced losslessly; otherwise required checklist
+* fields are synthesized best-effort so any HDF yields a valid checklist.
+*/
+function hdfToChecklist(input) {
+	const hdf = parseJSON(input);
+	if (!hdf || !Array.isArray(hdf.baselines) || hdf.baselines.length === 0) throw new Error("hdf to checklist: HDF has no baselines");
+	const ext = hdf.extensions ?? {};
+	const format = strVal(ext, "checklistFormat") || "ckl";
+	const cklbVersion = strVal(ext, "cklbVersion");
+	const asset = buildAsset(hdf, ext);
+	const stigs = hdf.baselines.map(baselineToStig);
+	return {
+		format,
+		cklbVersion: cklbVersion || void 0,
+		asset,
+		stigs
+	};
+}
+function buildAsset(hdf, ext) {
+	const asset = {};
+	const comp = hdf.components?.[0];
+	if (comp) {
+		asset.hostName = comp.name;
+		asset.hostIP = comp.ipAddress;
+		asset.hostFQDN = comp.fqdn;
+		asset.hostMAC = comp.macAddress;
+	}
+	const ax = ext["assetExtras"];
+	if (ax && typeof ax === "object") {
+		const a = ax;
+		asset.role = strVal(a, "role");
+		asset.assetType = strVal(a, "assetType");
+		asset.marking = strVal(a, "marking");
+		asset.targetKey = strVal(a, "targetKey");
+		asset.techArea = strVal(a, "techArea");
+		asset.targetComment = strVal(a, "targetComment");
+		asset.webDBSite = strVal(a, "webDbSite");
+		asset.webDBInstance = strVal(a, "webDbInstance");
+		asset.classification = strVal(a, "classification");
+		asset.webOrDatabase = a["webOrDatabase"] === true;
+	}
+	return asset;
+}
+function baselineToStig(bl) {
+	const ext = bl.extensions ?? {};
+	return {
+		stigID: strVal(ext, "stigid") || bl.title || "",
+		title: bl.title,
+		version: bl.version,
+		uuid: strVal(ext, "uuid"),
+		releaseInfo: strVal(ext, "releaseInfo"),
+		displayName: strVal(ext, "displayName"),
+		referenceIdentifier: strVal(ext, "referenceIdentifier"),
+		classification: strVal(ext, "classification"),
+		vulns: bl.requirements.map(requirementToVuln)
+	};
+}
+function requirementToVuln(req) {
+	const tags = req.tags ?? {};
+	const descs = req.descriptions ?? [];
+	return {
+		vulnNum: req.id,
+		ruleID: strVal(tags, "rid"),
+		ruleVer: strVal(tags, "stig_id"),
+		groupID: strVal(tags, "group_id") || req.id,
+		groupTitle: strVal(tags, "gtitle"),
+		ruleTitle: req.title,
+		weight: strVal(tags, "weight"),
+		severity: resolveSeverity(req, tags),
+		vulnDiscuss: descData(descs, "default"),
+		checkContent: descData(descs, "check"),
+		fixText: descData(descs, "fix"),
+		ccis: resolveCcis(tags),
+		legacyIDs: strSlice(tags, "legacy_ids"),
+		status: statusFromHdf(req.results?.[0]?.status),
+		findingDetails: req.results?.[0]?.message,
+		extra: extractCklMetadata(tags)
+	};
+}
+function resolveSeverity(req, tags) {
+	const tagSev = strVal(tags, "severity");
+	if (tagSev) return tagSev;
+	if (req.severity) return String(req.severity).toLowerCase();
+	const i = req.impact ?? 0;
+	if (i >= .7) return "high";
+	if (i >= .4) return "medium";
+	if (i > 0) return "low";
+	return "";
+}
+function resolveCcis(tags) {
+	const direct = strSlice(tags, "cci");
+	if (direct.length > 0) return direct;
+	const nist = strSlice(tags, "nist");
+	if (nist.length > 0) {
+		const ccis = nistToCci(nist);
+		if (ccis.length > 0) return ccis;
+	}
+	return [];
+}
+function extractCklMetadata(tags) {
+	const meta = tags["cklMetadata"];
+	if (!meta || typeof meta !== "object") return void 0;
+	const out = {};
+	for (const [k, v] of Object.entries(meta)) if (typeof v === "string") out[k] = v;
+	return Object.keys(out).length > 0 ? out : void 0;
+}
+function descData(descs, label) {
+	return descs.find((d) => d.label === label)?.data ?? "";
+}
+function strVal(m, key) {
+	const v = m[key];
+	return typeof v === "string" ? v : "";
+}
+function strSlice(m, key) {
+	const v = m[key];
+	if (Array.isArray(v)) return v.filter((e) => typeof e === "string");
+	return [];
+}
+//#endregion
+//#region converters/ckl-to-hdf/typescript/converter.ts
+/**
+* Convert a DISA STIG Viewer .ckl document to HDF Results JSON.
+*
+* Parsing and the HDF mapping live in the shared checklist module. v3.2
+* classification: controlType is derived per-VULN from CCI->NIST;
+* verificationMethod and applicability are omitted (the checklist format
+* cannot substantiate them — see the Go package doc and build-converter
+* skill Step 4d).
+*/
+async function convertCklToHdf(input) {
+	validateInputSize(input, "ckl-to-hdf");
+	const resultsChecksum = await inputChecksum(input);
+	const checklist = parseCkl(input);
+	return JSON.stringify(checklistToHdf(checklist, resultsChecksum), null, 2);
+}
+//#endregion
+//#region converters/cklb-to-hdf/typescript/converter.ts
+/**
+* Convert a DISA STIG Viewer 3.x .cklb document to HDF Results JSON.
+*
+* Parsing and the HDF mapping live in the shared checklist module. v3.2
+* classification: controlType is derived per-rule from CCI->NIST;
+* verificationMethod and applicability are omitted (the checklist format
+* cannot substantiate them — see the Go package doc and build-converter
+* skill Step 4d).
+*/
+async function convertCklbToHdf(input) {
+	validateInputSize(input, "cklb-to-hdf");
+	const resultsChecksum = await inputChecksum(input);
+	const checklist = parseCklb(input);
+	return JSON.stringify(checklistToHdf(checklist, resultsChecksum), null, 2);
+}
+//#endregion
+//#region converters/hdf-to-ckl/typescript/converter.ts
+/**
+* Convert HDF Results JSON into a DISA STIG Viewer checklist (.ckl XML).
+*
+* This is a thin wrapper over the shared checklist module, mirroring the
+* hdf-to-csv reverse converter. It produces a STIG Viewer 2.x .ckl from ANY
+* HDF: when the HDF carries checklist passthrough (extensions/tags written by
+* a prior ckl/cklb-to-hdf conversion) the original fields are reproduced
+* losslessly; otherwise the required checklist fields are synthesized
+* best-effort (id->Vuln_Num, nist->CCI reverse, status reverse) with safe
+* defaults. Mirrors heimdall2 PR #4841.
+*
+* @param input HDF Results JSON string
+* @returns CKL XML string (with the `<?xml ...?>` header)
+*/
+function convertHdfToCkl(input) {
+	return serializeCkl(hdfToChecklist(input));
+}
+//#endregion
+//#region converters/hdf-to-cklb/typescript/converter.ts
+/**
+* Convert HDF Results JSON into a DISA STIG Viewer 3.x checklist (.cklb, JSON).
+*
+* The HDF->checklist mapping and CKLB serialization live in the shared
+* checklist module; this converter is a thin wrapper. Any HDF input produces a
+* valid CKLB: when the HDF carries checklist passthrough (it originated from a
+* CKL/CKLB via the reverse converters), the original fields are reproduced
+* losslessly; otherwise the required checklist fields are synthesized
+* best-effort from the HDF requirements, tags, and results.
+*
+* @param input HDF Results JSON string
+* @returns CKLB JSON string
+*/
+function convertHdfToCklb(input) {
+	return serializeCklb(hdfToChecklist(input));
+}
+//#endregion
 //#region converters/snyk-to-hdf/typescript/converter.ts
 /**
 * Formats the "from" array as a human-readable dependency path.
@@ -1221,7 +2078,7 @@ function formatDependencyPath(from) {
 /**
 * Builds a single EvaluatedRequirement from a group of vulnerabilities sharing an ID.
 */
-function buildRequirement$15(vulnID, vulns) {
+function buildRequirement$16(vulnID, vulns) {
 	const rep = vulns[0];
 	const cweIDs = rep.identifiers.CWE ?? [];
 	const nist = mapCWEToNIST(cweIDs, DEFAULT_STATIC_ANALYSIS_NIST_TAGS);
@@ -1237,7 +2094,11 @@ function buildRequirement$15(vulnID, vulns) {
 		data: rep.description
 	}];
 	const results = vulns.map((vuln) => createResult(ResultStatus.Failed, void 0, { codeDesc: formatDependencyPath(vuln.from) }));
-	return createRequirement(vulnID, rep.title, descriptions, severityToImpact(rep.severity), results, { tags });
+	const req = createRequirement(vulnID, rep.title, descriptions, severityToImpact(rep.severity), results, { tags });
+	const controlType = deriveControlTypeFromTags(nist);
+	if (controlType !== void 0) req.controlType = controlType;
+	req.verificationMethod = VerificationMethodEnum.Automated;
+	return req;
 }
 /**
 * Converts a single Snyk project report to an HDF baseline.
@@ -1253,7 +2114,7 @@ function convertSingleProject(report, resultsChecksum) {
 		else groups.set(vuln.id, [vuln]);
 	}
 	const requirements = [];
-	for (const [vulnID, vulns] of groups) requirements.push(buildRequirement$15(vulnID, vulns));
+	for (const [vulnID, vulns] of groups) requirements.push(buildRequirement$16(vulnID, vulns));
 	return createMinimalBaseline("Snyk Scan", requirements, {
 		resultsChecksum,
 		title: `Snyk Project: ${report.projectName ?? ""} Snyk Path: ${report.path ?? ""}`,
@@ -1313,7 +2174,7 @@ const IMPACT_MAPPING$8 = new Map([
 	["negligible", 0],
 	["unknown", .5]
 ]);
-function getImpact$8(severity) {
+function getImpact$9(severity) {
 	if (!severity) return .5;
 	return IMPACT_MAPPING$8.get(severity.toLowerCase()) ?? .5;
 }
@@ -1370,7 +2231,7 @@ function convertMatchToRequirement(match, isIgnored) {
 	const vuln = match.vulnerability;
 	const cveId = vuln.id;
 	const severity = vuln.severity;
-	const impact = getImpact$8(severity);
+	const impact = getImpact$9(severity);
 	const description = getDescription(vuln, match.relatedVulnerabilities);
 	const fixInfo = getFixInfo(vuln.fix);
 	const cvssInfo = getCVSSInfo(vuln, match.relatedVulnerabilities);
@@ -1392,7 +2253,7 @@ function convertMatchToRequirement(match, isIgnored) {
 		startTime: /* @__PURE__ */ new Date("0001-01-01T00:00:00Z")
 	};
 	const tags = buildNistCciTags(DEFAULT_STATIC_ANALYSIS_NIST_TAGS, nistToCci(DEFAULT_STATIC_ANALYSIS_NIST_TAGS));
-	return {
+	const requirement = {
 		id: isIgnored ? `Grype-Ignored-Match/${cveId}` : `Grype/${cveId}`,
 		impact,
 		results: [result],
@@ -1411,8 +2272,12 @@ function convertMatchToRequirement(match, isIgnored) {
 				data: cvssInfo
 			}
 		],
-		refs: refs.length > 0 ? refs.map((url) => ({ url })) : void 0
+		refs: refs.length > 0 ? refs.map((url) => ({ url })) : void 0,
+		verificationMethod: VerificationMethodEnum.Automated
 	};
+	const controlType = deriveControlTypeFromTags(DEFAULT_STATIC_ANALYSIS_NIST_TAGS);
+	if (controlType !== void 0) requirement.controlType = controlType;
+	return requirement;
 }
 async function convertGrypeToHdf(input) {
 	validateInputSize(input, "grype");
@@ -1554,16 +2419,30 @@ function convertReportHostToBaseline(host, policyName, version, resultsChecksum)
 }
 function convertReportItemToRequirement(item, host) {
 	const isCompliance = !!item["compliance-reference"];
-	return {
-		id: isCompliance ? parseComplianceRef(item["compliance-reference"], "Vuln-ID")[0] || item["pluginID"] : item["pluginID"],
-		title: isCompliance ? item["compliance-check-name"] || item["pluginName"] : item["pluginName"],
-		descriptions: buildDescriptions(item, isCompliance),
-		impact: calculateImpact(item, isCompliance),
-		tags: buildTags$2(item, isCompliance),
-		refs: buildRefs(item),
-		results: [buildResult$1(item, host, isCompliance)],
-		code: JSON.stringify(item, null, 2)
+	const id = isCompliance ? parseComplianceRef(item["compliance-reference"], "Vuln-ID")[0] || item["pluginID"] : item["pluginID"];
+	const title = isCompliance ? item["compliance-check-name"] || item["pluginName"] : item["pluginName"];
+	const descriptions = buildDescriptions(item, isCompliance);
+	const impact = calculateImpact(item, isCompliance);
+	const tags = buildTags$2(item, isCompliance);
+	const refs = buildRefs(item);
+	const results = [buildResult$1(item, host, isCompliance)];
+	const code = JSON.stringify(item, null, 2);
+	const nistTags = tags["nist"];
+	const controlType = deriveControlTypeFromTags(nistTags ?? []);
+	const verificationMethod = deriveVerificationMethod(code);
+	const req = {
+		id,
+		title,
+		descriptions,
+		impact,
+		tags,
+		refs,
+		results,
+		code
 	};
+	if (controlType !== void 0) req.controlType = controlType;
+	if (verificationMethod !== void 0) req.verificationMethod = verificationMethod;
+	return req;
 }
 function buildDescriptions(item, isCompliance) {
 	const descriptions = [];
@@ -1786,7 +2665,11 @@ function convertRuleToRequirement(ruleKey, issues, componentMap, ruleMap) {
 		...allTags
 	} };
 	if (sourceLocation) options.sourceLocation = sourceLocation;
-	return createRequirement(ruleKey, title, [createDescription("default", description)], impact, results, options);
+	const req = createRequirement(ruleKey, title, [createDescription("default", description)], impact, results, options);
+	const controlType = deriveControlTypeFromTags(nistControls);
+	if (controlType !== void 0) req.controlType = controlType;
+	req.verificationMethod = VerificationMethodEnum.Automated;
+	return req;
 }
 function extractDescription(rule) {
 	if (!rule) return "";
@@ -1905,7 +2788,7 @@ function buildResult(r) {
 		...startTime ? { startTime } : {}
 	});
 }
-function buildRequirement$14(rule) {
+function buildRequirement$15(rule) {
 	const nist = buildNistTags$3(rule.Source.SourceIdentifier, rule.ConfigRuleName);
 	const tags = nist.length > 0 ? { nist } : {};
 	const descriptions = [{
@@ -1917,13 +2800,17 @@ function buildRequirement$14(rule) {
 	}];
 	const title = `${getAccountId(rule.ConfigRuleArn)} - ${rule.ConfigRuleName}`;
 	const results = rule.EvaluationResults.map(buildResult);
-	return createRequirement(rule.ConfigRuleId, title, descriptions, .5, results, {
+	const req = createRequirement(rule.ConfigRuleId, title, descriptions, .5, results, {
 		tags,
 		sourceLocation: {
 			ref: rule.ConfigRuleArn,
 			line: 1
 		}
 	});
+	const controlType = deriveControlTypeFromTags(nist);
+	if (controlType !== void 0) req.controlType = controlType;
+	req.verificationMethod = VerificationMethodEnum.Automated;
+	return req;
 }
 /**
 * Converts an AWS Config static export (ConfigRulesFile JSON) to HDF format.
@@ -1942,7 +2829,7 @@ async function convertAwsConfigToHdf(input) {
 	/* v8 ignore next -- truncation only triggers with >100K items */
 	if (truncatedRules) console.warn(`WARNING: Input truncated at ${limitedRules.length} ConfigRule items (original: ${data.ConfigRules.length})`);
 	const baseline = {
-		...createMinimalBaseline("AWS Config", limitedRules.map(buildRequirement$14), { resultsChecksum }),
+		...createMinimalBaseline("AWS Config", limitedRules.map(buildRequirement$15), { resultsChecksum }),
 		title: "AWS Config Compliance Results",
 		version: "1.0.0",
 		maintainer: "Amazon Web Services"
@@ -1968,6 +2855,116 @@ async function convertAwsConfigToHdf(input) {
 	});
 }
 //#endregion
+//#region converters/checkov-to-hdf/typescript/converter.ts
+/**
+* Maps checkov result string to HDF ResultStatus.
+*/
+function mapStatus$2(result) {
+	switch (result.toUpperCase()) {
+		case "PASSED": return ResultStatus.Passed;
+		case "FAILED": return ResultStatus.Failed;
+		case "SKIPPED": return ResultStatus.NotReviewed;
+		default: return ResultStatus.NotReviewed;
+	}
+}
+/**
+* Maps severity to impact, defaulting to 0.5 for null/unknown.
+*/
+function getImpact$8(severity) {
+	if (!severity) return .5;
+	return severityToImpact(severity);
+}
+/**
+* Converts a single CheckovCheck to an HDF RequirementResult.
+*/
+function checkToResult(check) {
+	const status = mapStatus$2(check.check_result.result);
+	const codeDesc = `Resource: ${check.resource}\nFile: ${check.file_path} (lines ${JSON.stringify(check.file_line_range)})`;
+	let message;
+	if (status === ResultStatus.NotReviewed && check.check_result.suppress_comment) message = check.check_result.suppress_comment;
+	return createResult(status, message ?? "", { codeDesc });
+}
+/**
+* Converts a group of checks sharing a check_id into one EvaluatedRequirement.
+*/
+function buildRequirement$14(checkId, checks) {
+	const rep = checks[0];
+	const impact = getImpact$8(rep.severity);
+	const tags = { nist: [...DEFAULT_STATIC_ANALYSIS_NIST_TAGS] };
+	const descriptions = [{
+		label: "default",
+		data: rep.check_name
+	}];
+	if (rep.guideline) descriptions.push({
+		label: "check",
+		data: rep.guideline
+	});
+	const results = checks.map(checkToResult);
+	const req = createRequirement(checkId, rep.check_name, descriptions, impact, results, { tags });
+	req.verificationMethod = VerificationMethodEnum.Automated;
+	const controlType = deriveControlTypeFromTags([...DEFAULT_STATIC_ANALYSIS_NIST_TAGS]);
+	if (controlType !== void 0) req.controlType = controlType;
+	return req;
+}
+/**
+* Parses checkov input which can be a single object or array.
+*/
+function parseInput(input) {
+	const parsed = parseJSON(input);
+	if (Array.isArray(parsed)) return parsed;
+	if (!parsed || typeof parsed !== "object") throw new Error("Invalid checkov structure: not a valid JSON object");
+	if (!parsed.results || typeof parsed.results !== "object") throw new Error("Invalid checkov structure: missing or invalid results field");
+	return [parsed];
+}
+/**
+* Converts checkov output to HDF format.
+* Accepts native checkov JSON (single object or array) and SARIF format.
+* SARIF input is detected automatically and delegated to the shared SARIF converter.
+*
+* @param input - checkov JSON or SARIF string
+* @returns HDF JSON string
+*/
+async function convertCheckovToHdf(input) {
+	validateInputSize(input, "checkov");
+	registerAllFingerprints();
+	const detected = detectConverter(input);
+	if (detected && detected.fingerprint.id === "sarif-to-hdf") return convertSarifToHdf(input);
+	const resultsChecksum = await inputChecksum(input);
+	const reports = parseInput(input);
+	const allChecks = [];
+	const checkTypes = [];
+	let version;
+	for (const report of reports) {
+		checkTypes.push(report.check_type);
+		if (!version && report.summary.checkov_version) version = report.summary.checkov_version;
+		allChecks.push(...report.results.passed_checks);
+		allChecks.push(...report.results.failed_checks);
+		allChecks.push(...report.results.skipped_checks);
+	}
+	const { items: limitedChecks, truncated } = limitArray(allChecks);
+	/* v8 ignore next -- truncation only triggers with >100K items */
+	if (truncated) console.warn(`WARNING: Input truncated at ${limitedChecks.length} check items (original: ${allChecks.length})`);
+	const groups = /* @__PURE__ */ new Map();
+	for (const check of limitedChecks) {
+		const existing = groups.get(check.check_id);
+		if (existing) existing.push(check);
+		else groups.set(check.check_id, [check]);
+	}
+	const requirements = [];
+	for (const [checkId, checks] of groups) requirements.push(buildRequirement$14(checkId, checks));
+	const baseline = createMinimalBaseline("Checkov Scan", requirements, { resultsChecksum });
+	const format = checkTypes.join(", ");
+	return buildHdfResults({
+		generatorName: "checkov-to-hdf",
+		converterVersion: "1.0.0",
+		toolName: "Checkov",
+		toolVersion: version,
+		toolFormat: format,
+		baselines: [baseline],
+		timestamp: /* @__PURE__ */ new Date()
+	});
+}
+//#endregion
 //#region converters/gosec-to-hdf/typescript/converter.ts
 /**
 * Severity to HDF impact mapping for gosec.
@@ -2010,8 +3007,9 @@ function issueToResult(issue) {
 function buildRequirement$13(ruleId, issues) {
 	const rep = issues[0];
 	const impact = IMPACT_MAPPING$6[rep.severity.toUpperCase()] ?? .5;
+	const nist = mapCWEToNIST([rep.cwe.id], DEFAULT_REMEDIATION_NIST_TAGS$1);
 	const tags = {
-		nist: mapCWEToNIST([rep.cwe.id], DEFAULT_REMEDIATION_NIST_TAGS$1),
+		nist,
 		cwe: {
 			id: rep.cwe.id,
 			url: rep.cwe.url
@@ -2025,7 +3023,11 @@ function buildRequirement$13(ruleId, issues) {
 		label: "check",
 		data: `CWE-${rep.cwe.id}: ${rep.cwe.url}`
 	}];
-	return createRequirement(ruleId, rep.details, descriptions, impact, results, { tags });
+	const req = createRequirement(ruleId, rep.details, descriptions, impact, results, { tags });
+	req.verificationMethod = VerificationMethodEnum.Automated;
+	const controlType = deriveControlTypeFromTags(nist);
+	if (controlType !== void 0) req.controlType = controlType;
+	return req;
 }
 /**
 * Converts gosec output to HDF format.
@@ -2089,7 +3091,7 @@ function convertVulnToRequirement(vuln) {
 	const extras = {};
 	if (vuln.OSVDB && vuln.OSVDB !== "0") extras.osvdb = vuln.OSVDB;
 	const tags = buildNistCciTags(nistTags, cciTags, Object.keys(extras).length > 0 ? extras : void 0);
-	return {
+	const req = {
 		id: vuln.id,
 		title: vuln.msg,
 		impact: .5,
@@ -2100,6 +3102,10 @@ function convertVulnToRequirement(vuln) {
 			data: vuln.msg
 		}]
 	};
+	const controlType = deriveControlTypeFromTags(nistTags);
+	if (controlType !== void 0) req.controlType = controlType;
+	req.verificationMethod = VerificationMethodEnum.Automated;
+	return req;
 }
 async function convertNiktoToHdf(input) {
 	validateInputSize(input, "nikto");
@@ -2291,8 +3297,11 @@ async function convertZapToHdf(input) {
 			impact,
 			results,
 			tags,
-			descriptions
+			descriptions,
+			verificationMethod: VerificationMethodEnum.Automated
 		};
+		const controlType = deriveControlTypeFromTags(nistTags);
+		if (controlType !== void 0) req.controlType = controlType;
 		requirements.push(req);
 	}
 	const targetName = site["@host"] ?? "Unknown Host";
@@ -2435,7 +3444,10 @@ async function convertCyclonedxToHdf(input) {
 		const affects = vuln.affects ?? [];
 		const results = affects.length > 0 ? affects.map((affect) => createResult(ResultStatus.Failed, void 0, { codeDesc: formatCodeDesc$4(componentLookup, affect.ref) })) : [createResult(ResultStatus.Failed, void 0, { codeDesc: `Vulnerability ${vuln.id}` })];
 		const title = vuln.source?.name ? `${vuln.id} (${vuln.source.name})` : vuln.id;
-		requirements.push(createRequirement(vuln.id, title, descriptions, impact, results, { tags }));
+		const req = createRequirement(vuln.id, title, descriptions, impact, results, { tags });
+		const controlType = deriveControlTypeFromTags(nist);
+		if (controlType !== void 0) req.controlType = controlType;
+		requirements.push(req);
 	}
 	const baseline = createMinimalBaseline("CycloneDX Scan", requirements, { resultsChecksum });
 	const targetName = bom.metadata?.component?.name ?? "";
@@ -2501,6 +3513,9 @@ function createRow(baseline, requirement, target) {
 		"Status": String(status),
 		"NIST Controls": nistControls,
 		"CCI Controls": cciControls,
+		"Control Type": requirement.controlType ?? "",
+		"Verification Method": requirement.verificationMethod ?? "",
+		"Applicability": requirement.applicability ?? "",
 		"Result Message": message
 	};
 }
@@ -2624,7 +3639,12 @@ async function convertSplunkToHdf(input) {
 				})) : [];
 				const options = { tags: control.tags ?? {} };
 				if (control.source_location) options.sourceLocation = control.source_location;
-				return createRequirement(control.id, control.title, descriptions, control.impact, results, options);
+				const req = createRequirement(control.id, control.title, descriptions, control.impact, results, options);
+				const nistTagsRaw = control.tags?.["nist"];
+				const controlType = deriveControlTypeFromTags(Array.isArray(nistTagsRaw) ? nistTagsRaw.filter((t) => typeof t === "string") : []);
+				if (controlType !== void 0) req.controlType = controlType;
+				req.verificationMethod = VerificationMethodEnum.Automated;
+				return req;
 			});
 			const groups = convertGroups(profile.groups);
 			const baselineOptions = { resultsChecksum };
@@ -2867,8 +3887,11 @@ async function convertGitlabToHdf(input) {
 			impact,
 			results: [result],
 			tags,
-			descriptions
+			descriptions,
+			verificationMethod: VerificationMethodEnum.Automated
 		};
+		const controlType = deriveControlTypeFromTags(nistTags);
+		if (controlType !== void 0) req.controlType = controlType;
 		requirements.push(req);
 	}
 	const baseline = createMinimalBaseline("GitLab Security Scan", requirements, {
@@ -3004,13 +4027,17 @@ function buildRequirement$12(reqID, findings) {
 	}));
 	const sourceFile = getSourceFile(rep);
 	const sourceLine = getSourceLine(rep);
-	return createRequirement(reqID, title, descriptions, .5, results, {
+	const req = createRequirement(reqID, title, descriptions, .5, results, {
 		tags,
 		sourceLocation: sourceFile ? {
 			ref: sourceFile,
 			line: sourceLine
 		} : void 0
 	});
+	const controlType = deriveControlTypeFromTags(TRUFFLEHOG_NIST);
+	if (controlType !== void 0) req.controlType = controlType;
+	req.verificationMethod = VerificationMethodEnum.Automated;
+	return req;
 }
 /**
 * Converts TruffleHog output to HDF format.
@@ -3165,14 +4192,18 @@ function buildRequirement$11(issueType, issues) {
 		};
 	});
 	const impact = getImpact$7(rep.severity ?? "information");
-	return {
+	const req = {
 		id: issueType,
 		title: rep.name ?? void 0,
 		impact,
 		tags,
 		descriptions,
-		results
+		results,
+		verificationMethod: VerificationMethodEnum.Automated
 	};
+	const controlType = deriveControlTypeFromTags(nist);
+	if (controlType !== void 0) req.controlType = controlType;
+	return req;
 }
 //#endregion
 //#region converters/dbprotect-to-hdf/typescript/converter.ts
@@ -3261,7 +4292,11 @@ function buildRequirement$10(checkID, findings, hasStatus) {
 			startTime: parseDate(f["Date"] ?? "")
 		});
 	});
-	return createRequirement(checkID, rep["Check"] ?? "", descriptions, getImpact$6(rep["Risk DV"] ?? ""), results, { tags });
+	const req = createRequirement(checkID, rep["Check"] ?? "", descriptions, getImpact$6(rep["Risk DV"] ?? ""), results, { tags });
+	req.verificationMethod = VerificationMethodEnum.Automated;
+	const controlType = deriveControlTypeFromTags([...nist]);
+	if (controlType !== void 0) req.controlType = controlType;
+	return req;
 }
 /**
 * Converts DBProtect Cognos XML output to HDF format.
@@ -3373,7 +4408,11 @@ function buildRequirement$9(vuln) {
 		codeDesc: formatCodeDesc$2(vuln),
 		startTime
 	})];
-	return createRequirement(vuln.id, vuln.id, descriptions, twistlockSeverityToImpact(vuln.severity), results, { tags });
+	const req = createRequirement(vuln.id, vuln.id, descriptions, twistlockSeverityToImpact(vuln.severity), results, { tags });
+	const controlType = deriveControlTypeFromTags(nist);
+	if (controlType !== void 0) req.controlType = controlType;
+	req.verificationMethod = VerificationMethodEnum.Automated;
+	return req;
 }
 /**
 * Converts a single TwistlockResult to an EvaluatedBaseline.
@@ -3486,7 +4525,11 @@ function buildRequirement$8(finding, timestamp) {
 		codeDesc,
 		startTime: timestamp ? new Date(timestamp) : void 0
 	})];
-	return createRequirement(finding.matrix, getTitle$1(finding), descriptions, getImpact$5(finding.vulnerability.severity), results, { tags });
+	const req = createRequirement(finding.matrix, getTitle$1(finding), descriptions, getImpact$5(finding.vulnerability.severity), results, { tags });
+	req.verificationMethod = VerificationMethodEnum.Automated;
+	const controlType = deriveControlTypeFromTags(nist);
+	if (controlType !== void 0) req.controlType = controlType;
+	return req;
 }
 /**
 * Converts Dependency-Track FPF JSON output to HDF format.
@@ -3589,7 +4632,11 @@ function buildRequirement$7(entryID, entries) {
 		data: formatDescription(rep)
 	}];
 	const results = entries.map((entry) => createResult(ResultStatus.Failed, void 0, { codeDesc: formatCodeDesc$1(entry) }));
-	return createRequirement(entryID, rep.summary, descriptions, severityToImpact(rep.severity), results, { tags });
+	const req = createRequirement(entryID, rep.summary, descriptions, severityToImpact(rep.severity), results, { tags });
+	const controlType = deriveControlTypeFromTags(nist);
+	if (controlType !== void 0) req.controlType = controlType;
+	req.verificationMethod = VerificationMethodEnum.Automated;
+	return req;
 }
 /**
 * Converts JFrog Xray JSON output to HDF format.
@@ -3687,7 +4734,11 @@ function buildRequirement$6(vuln) {
 		data: vuln.description
 	}];
 	const results = [createResult(ResultStatus.Failed, vulnMessage(vuln), { codeDesc: "" })];
-	return createRequirement(vulnID(vuln), vulnTitle(vuln), descriptions, getImpact$4(vuln), results, { tags });
+	const req = createRequirement(vulnID(vuln), vulnTitle(vuln), descriptions, getImpact$4(vuln), results, { tags });
+	const controlType = deriveControlTypeFromTags(nist);
+	if (controlType !== void 0) req.controlType = controlType;
+	req.verificationMethod = VerificationMethodEnum.Automated;
+	return req;
 }
 /**
 * Constructs the baseline title from the image metadata.
@@ -3826,14 +4877,18 @@ function buildRequirement$5(desc, vulns, snippetMap, startTimeStr) {
 		codeDesc: buildCodeDesc$2(vuln, snippetMap),
 		startTime: new Date(startTimeStr)
 	}));
-	return {
+	const req = {
 		id: desc.classID ?? "unknown",
 		title,
 		impact,
 		tags,
 		descriptions,
-		results
+		results,
+		verificationMethod: VerificationMethodEnum.Automated
 	};
+	const controlType = deriveControlTypeFromTags(nistTags);
+	if (controlType !== void 0) req.controlType = controlType;
+	return req;
 }
 /**
 * Converts Fortify FVDL XML to HDF format.
@@ -3985,7 +5040,11 @@ function buildRequirement$4(rec) {
 		data: rec.Description
 	}];
 	const results = [createResult(ResultStatus.Failed, message, { codeDesc })];
-	return createRequirement(id, title, descriptions, getImpact$3(rec.Severity), results, { tags });
+	const req = createRequirement(id, title, descriptions, getImpact$3(rec.Severity), results, { tags });
+	const controlType = deriveControlTypeFromTags(nist);
+	if (controlType !== void 0) req.controlType = controlType;
+	req.verificationMethod = VerificationMethodEnum.Automated;
+	return req;
 }
 /**
 * Groups records by hostname, preserving insertion order.
@@ -4145,7 +5204,7 @@ function buildRequirement$3(vuln, initiated) {
 		startTime
 	}];
 	const impact = getImpact$2(vuln.severity ?? "");
-	return {
+	const req = {
 		id: vuln.LookupId ?? "",
 		title: vuln.name ?? void 0,
 		impact,
@@ -4153,6 +5212,10 @@ function buildRequirement$3(vuln, initiated) {
 		descriptions,
 		results
 	};
+	const controlType = deriveControlTypeFromTags(nist);
+	if (controlType !== void 0) req.controlType = controlType;
+	req.verificationMethod = VerificationMethodEnum.Automated;
+	return req;
 }
 /**
 * Converts Netsparker/Invicti XML scan results to HDF format.
@@ -4284,7 +5347,11 @@ function buildRequirement$2(ruleID, finding, startTime) {
 		codeDesc: finding.description,
 		startTime: startTime ? new Date(startTime) : void 0
 	});
-	return createRequirement(ruleID, finding.description, descriptions, getImpact$1(finding.level), [resultObj], { tags });
+	const req = createRequirement(ruleID, finding.description, descriptions, getImpact$1(finding.level), [resultObj], { tags });
+	const controlType = deriveControlTypeFromTags(nist);
+	if (controlType !== void 0) req.controlType = controlType;
+	req.verificationMethod = VerificationMethodEnum.Automated;
+	return req;
 }
 /**
 * Converts ScoutSuite output to HDF format.
@@ -4432,7 +5499,11 @@ function buildRequirementFromResult(result, filename) {
 		codeDesc: `No sections reported by ${scannerName}`,
 		startTime
 	})];
-	return createRequirement(result.sha256, filename, descriptions, scoreToImpact(score), results, { tags });
+	const req = createRequirement(result.sha256, filename, descriptions, scoreToImpact(score), results, { tags });
+	req.verificationMethod = VerificationMethodEnum.Automated;
+	const controlType = deriveControlTypeFromTags([...nist]);
+	if (controlType !== void 0) req.controlType = controlType;
+	return req;
 }
 /**
 * Builds an HDF baseline for a single scanner's results.
@@ -4660,7 +5731,11 @@ function buildCWERequirement(cat, impact, firstBuildDate) {
 			startTime
 		}));
 	});
-	return createRequirement(attr(cat, "categoryid"), attr(cat, "categoryname"), descriptions, impact, results, { tags });
+	const req = createRequirement(attr(cat, "categoryid"), attr(cat, "categoryname"), descriptions, impact, results, { tags });
+	const controlType = deriveControlTypeFromTags(nist);
+	if (controlType !== void 0) req.controlType = controlType;
+	req.verificationMethod = VerificationMethodEnum.Automated;
+	return req;
 }
 /** Build CVE-based requirements from SCA components. */
 function buildCVERequirements(sca, firstBuildDate) {
@@ -4712,10 +5787,14 @@ function buildCVERequirement(vuln, components, firstBuildDate) {
 	}));
 	const cveSummary = attr(vuln, "cve_summary");
 	const cveId = attr(vuln, "cve_id");
-	return createRequirement(cveId, cveId, [{
+	const req = createRequirement(cveId, cveId, [{
 		label: "default",
 		data: cveSummary || ""
 	}], impact, results, { tags });
+	const controlType = deriveControlTypeFromTags(nist);
+	if (controlType !== void 0) req.controlType = controlType;
+	req.verificationMethod = VerificationMethodEnum.Automated;
+	return req;
 }
 /**
 * Convert Veracode DetailedReport XML to HDF JSON string.
@@ -4811,7 +5890,8 @@ function buildRequirement$1(cs, profiles, createdDateTime) {
 	const title = getTitle(profiles, cs);
 	const impact = getImpact(profiles, cs);
 	const status = getStatus(profiles, cs);
-	const tags = buildNistCciTags([...DEFAULT_STATIC_ANALYSIS_NIST_TAGS], []);
+	const nist = [...DEFAULT_STATIC_ANALYSIS_NIST_TAGS];
+	const tags = buildNistCciTags(nist, []);
 	const descriptions = [{
 		label: "default",
 		data: stripHTML(cs.description)
@@ -4831,10 +5911,14 @@ function buildRequirement$1(cs, profiles, createdDateTime) {
 	}
 	const codeDesc = cs.implementationStatus || "No implementation status provided";
 	const startTime = createdDateTime ? new Date(createdDateTime) : void 0;
-	return createRequirement(id, title, descriptions, impact, [createResult(status, void 0, {
+	const req = createRequirement(id, title, descriptions, impact, [createResult(status, void 0, {
 		codeDesc,
 		...startTime ? { startTime } : {}
 	})], { tags });
+	const controlType = deriveControlTypeFromTags(nist);
+	if (controlType !== void 0) req.controlType = controlType;
+	req.verificationMethod = VerificationMethodEnum.Automated;
+	return req;
 }
 /**
 * Converts Microsoft Secure Score combined JSON to HDF format.
@@ -5021,7 +6105,9 @@ function buildRequirement(assessmentID, assessments) {
 		data: meta.remediationDescription
 	});
 	const results = assessments.map(buildResultFromAssessment);
-	return createRequirement(assessmentID, rep.properties.displayName, descriptions, impact, results, { tags });
+	const req = createRequirement(assessmentID, rep.properties.displayName, descriptions, impact, results, { tags });
+	req.verificationMethod = VerificationMethodEnum.Automated;
+	return req;
 }
 /**
 * Converts a single assessment into an HDF RequirementResult.
@@ -5189,7 +6275,12 @@ function alertToRequirement(alert) {
 		data: alert.recommendedActions
 	});
 	const tags = buildTags$1(alert);
-	return createRequirement(alert.id, alert.title, descriptions, impact, results, { tags });
+	const req = createRequirement(alert.id, alert.title, descriptions, impact, results, { tags });
+	const nistTags = tags.nist;
+	const controlType = deriveControlTypeFromTags(nistTags);
+	if (controlType !== void 0) req.controlType = controlType;
+	req.verificationMethod = VerificationMethodEnum.Automated;
+	return req;
 }
 /**
 * Converts Microsoft Defender for Endpoint alerts (Microsoft Graph Security API v2 format) to HDF.
@@ -5964,6 +7055,9 @@ async function convertIonchannelToHdf(input) {
 			startTime: /* @__PURE__ */ new Date("0001-01-01T00:00:00Z")
 		})], { tags });
 		req.code = code;
+		const controlType = deriveControlTypeFromTags(DEFAULT_COMPONENT_MANAGEMENT_NIST_TAGS);
+		if (controlType !== void 0) req.controlType = controlType;
+		req.verificationMethod = VerificationMethodEnum.Automated;
 		return req;
 	});
 	const resultsChecksum = await inputChecksum(input);
@@ -6083,13 +7177,17 @@ function controlToBaselineRequirement(ctrl) {
 	const nistTag = controlIdToNistTag(ctrl.id);
 	const descriptions = buildCatalogDescriptions(ctrl);
 	const tags = buildCatalogTags(ctrl);
-	return {
+	const req = {
 		id: nistTag,
 		title: ctrl.title,
 		impact: .5,
 		descriptions,
 		tags
 	};
+	const controlType = deriveControlTypeFromTags([nistTag]);
+	if (controlType !== void 0) req.controlType = controlType;
+	if (extractPropValue(ctrl.props, "CORE") === "true") req.applicability = Applicability.Required;
+	return req;
 }
 /** Creates HDF Description entries from control parts. */
 function buildCatalogDescriptions(ctrl) {
@@ -6870,7 +7968,10 @@ function findingsToEvaluatedRequirement(controlId, findings, obsMap, riskMap, re
 	const descriptions = sarBuildDescriptions(findings, obsMap);
 	const results = [];
 	for (const f of findings) results.push(findingToRequirementResult(f, obsMap, riskMap, result));
-	return createRequirement(nistTag, title, descriptions, impact, results, { tags: { nist: [nistTag] } });
+	const req = createRequirement(nistTag, title, descriptions, impact, results, { tags: { nist: [nistTag] } });
+	const controlType = deriveControlTypeFromTags([nistTag]);
+	if (controlType !== void 0) req.controlType = controlType;
+	return req;
 }
 function findingToRequirementResult(f, obsMap, riskMap, result) {
 	const status = mapFindingStatus(f);
@@ -6983,6 +8084,6 @@ function sarBaselineName(result, sar) {
 	return toKebabCase(result.title || sar.metadata.title, "oscal-assessment-results");
 }
 //#endregion
-export { convertAwsConfigToHdf, convertBurpsuiteToHdf, convertConveyorToHdf, convertCyclonedxToHdf, convertDbprotectToHdf, convertDeptrackToHdf, convertFortifyToHdf, convertGitlabToHdf, convertGosecToHdf, convertGrypeToHdf, convertHdfToCsv, convertHdfToOscalPoam, convertHdfToOscalSar, convertHdfToXccdf, convertHdfToXml, convertIonchannelToHdf, convertJfrogXrayToHdf, convertJunitToHdf, convertMsftDefenderCloudToHdf, convertMsftDefenderDevopsToHdf, convertMsftDefenderEndpointToHdf, convertMsftSecureScoreToHdf, convertNessusToHdf, convertNetsparkerToHdf, convertNeuvectorToHdf, convertNiktoToHdf, convertOscalCatalogToHdf, convertOscalComponentToHdf, convertOscalPoamToHdf, convertOscalProfileToHdf, convertOscalSapToHdf, convertOscalSarToHdf, convertOscalSspToHdf, convertPrismaToHdf, convertSarifToHdf, convertScoutsuiteToHdf, convertSnykToHdf, convertSonarqubeToHdf, convertSplunkToHdf, convertTrufflehogToHdf, convertTwistlockToHdf, convertV1ToV2, convertVeracodeToHdf, convertXccdfResultsToHdf, convertZapToHdf, detectOscalDocumentType, isHDFV1 };
+export { convertAwsConfigToHdf, convertBurpsuiteToHdf, convertCheckovToHdf, convertCklToHdf, convertCklbToHdf, convertConveyorToHdf, convertCyclonedxToHdf, convertDbprotectToHdf, convertDeptrackToHdf, convertFortifyToHdf, convertGitlabToHdf, convertGosecToHdf, convertGrypeToHdf, convertHdfToCkl, convertHdfToCklb, convertHdfToCsv, convertHdfToOscalPoam, convertHdfToOscalSar, convertHdfToXccdf, convertHdfToXml, convertIonchannelToHdf, convertJfrogXrayToHdf, convertJunitToHdf, convertMsftDefenderCloudToHdf, convertMsftDefenderDevopsToHdf, convertMsftDefenderEndpointToHdf, convertMsftSecureScoreToHdf, convertNessusToHdf, convertNetsparkerToHdf, convertNeuvectorToHdf, convertNiktoToHdf, convertOscalCatalogToHdf, convertOscalComponentToHdf, convertOscalPoamToHdf, convertOscalProfileToHdf, convertOscalSapToHdf, convertOscalSarToHdf, convertOscalSspToHdf, convertPrismaToHdf, convertSarifToHdf, convertScoutsuiteToHdf, convertSnykToHdf, convertSonarqubeToHdf, convertSplunkToHdf, convertTrufflehogToHdf, convertTwistlockToHdf, convertV1ToV2, convertVeracodeToHdf, convertXccdfResultsToHdf, convertZapToHdf, detectOscalDocumentType, isHDFV1 };
 //# sourceMappingURL=index.js.map