@mitre/hdf-converters 3.1.0 → 3.3.0

package/dist/index.js

@@ -1,7 +1,7 @@
-import { n as detectConverter, t as registerAllFingerprints } from "./register-all-DaYHszLd.js";
+import { n as detectConverter, t as registerAllFingerprints } from "./register-all-C3lYICDC.js";
 import { flattenOverlays } from "@mitre/hdf-parsers";
-import { buildCsv, buildXml, parseCsv, parseJSON, parseXml, parseXmlWithArrays, sha256, stripHtml as stripHTML } from "@mitre/hdf-utilities";
-import { AuthorizationStatus, BoundaryDescription, CategorizationLevel, Copyright, HashAlgorithm, OverrideType, PlanType, ResultStatus, createDescription, createMinimalBaseline, createRequirement, createResult, severityToImpact } from "@mitre/hdf-schema";
+import { buildCsv, buildXml, cvssScoreToSeverity, parseCsv, parseJSON, parsePurl, parseTimestamp, parseXml, parseXmlWithArrays, sha256, stripHtml as stripHTML } from "@mitre/hdf-utilities";
+import { Applicability, AuthorizationStatus, CVSSSeverity, CategorizationLevel, ControlType, Ecosystem, EvidenceType, HashAlgorithm, IdentityType, Justification, MilestoneStatus, OverrideType, PlanType, ResultStatus, TargetType, VerificationMethodEnum, Version, createDescription, createMinimalBaseline, createRequirement, createResult, severityToImpact } from "@mitre/hdf-schema";
 import { DEFAULT_COMPONENT_MANAGEMENT_NIST_TAGS, DEFAULT_REMEDIATION_NIST_TAGS, DEFAULT_STATIC_ANALYSIS_NIST_TAGS, DEFAULT_STATIC_ANALYSIS_NIST_TAGS as DEFAULT_STATIC_ANALYSIS_NIST_TAGS$1, getAwsConfigNistControlByIdentifier, getAwsConfigNistControlByName, getCCINistMappings, getCweNistControl, getNessusNistControl, getNiktoNistControl, getOwaspNistControl, getScoutsuiteNistControl, nistToCci } from "@mitre/hdf-mappings";
 //#region shared/typescript/converterutil.ts
 /**
@@ -30,7 +30,7 @@ async function inputChecksum(input) {
 * Compute an Integrity object (for root-level document integrity) from raw input.
 *
 * Returns an Integrity with algorithm and checksum fields, suitable for
-* HdfBaseline.integrity, HdfSystem.integrity, HdfPlan.integrity, etc.
+* HDFBaseline.integrity, HDFSystem.integrity, HDFPlan.integrity, etc.
 *
 * @param input - Raw input string (JSON, XML, etc.)
 * @returns Integrity object with SHA-256 algorithm and checksum
@@ -120,7 +120,7 @@ function mapCWEToNIST(cweIDs, fallback) {
 	return controls.size > 0 ? [...controls].sort() : fallback;
 }
 /** Matches CWE identifiers like "CWE-79", "CWE 89", "cwe22". */
-const CWE_PATTERN = /CWE[- ]?(\d+)/gi;
+const CWE_PATTERN$1 = /CWE[- ]?(\d+)/gi;
 /**
 * Extract all numeric CWE IDs from text.
 * Returns deduplicated sorted array of numeric ID strings (e.g., ["79", "89"]).
@@ -129,7 +129,7 @@ const CWE_PATTERN = /CWE[- ]?(\d+)/gi;
 * @returns Sorted, deduplicated numeric CWE ID strings
 */
 function extractCWEIDs(text) {
-	const matches = [...text.matchAll(CWE_PATTERN)];
+	const matches = [...text.matchAll(CWE_PATTERN$1)];
 	if (matches.length === 0) return [];
 	const ids = [...new Set(matches.map((m) => m[1]))];
 	ids.sort();
@@ -175,10 +175,59 @@ function ensureArray(value) {
 */
 const DEFAULT_REMEDIATION_NIST_TAGS$1 = ["SI-2", "RA-5"];
 /**
+* Map a PURL `type` segment to the AffectedPackage `ecosystem` enum.
+* Unknown types fall back to `generic`, which the schema enum permits
+* as a catch-all.
+*/
+const PURL_TYPE_TO_ECOSYSTEM = {
+	npm: Ecosystem.Npm,
+	pypi: Ecosystem.Pypi,
+	rpm: Ecosystem.RPM,
+	deb: Ecosystem.Deb,
+	maven: Ecosystem.Maven,
+	gem: Ecosystem.Gem,
+	nuget: Ecosystem.Nuget,
+	golang: Ecosystem.Go,
+	go: Ecosystem.Go,
+	cargo: Ecosystem.Cargo
+};
+/**
+* Resolve an Ecosystem from a PURL type string. Returns `generic` for
+* unknown types so callers can keep the schema's name+version+ecosystem
+* triple valid without inventing a synthetic ecosystem.
+*/
+function ecosystemFromPurlType(type) {
+	if (!type) return Ecosystem.Generic;
+	return PURL_TYPE_TO_ECOSYSTEM[type.toLowerCase()] ?? Ecosystem.Generic;
+}
+/**
+* Build an Affected_Package primitive from any combination of the
+* vocabulary the schema accepts (purl / cpe / name+version+ecosystem).
+* Returns undefined when no identifier or full triple is present —
+* callers should skip the entry rather than emit a schema-invalid
+* AffectedPackage. Empty strings are treated as missing.
+*
+* The schema's anyOf requires at least one of:
+*   - name + version + ecosystem
+*   - purl alone
+*   - cpe alone
+*/
+function buildAffectedPackage$1(opts) {
+	const pkg = {};
+	if (opts.purl) pkg.purl = opts.purl;
+	if (opts.cpe) pkg.cpe = opts.cpe;
+	if (opts.name) pkg.name = opts.name;
+	if (opts.version) pkg.version = opts.version;
+	if (opts.ecosystem) pkg.ecosystem = opts.ecosystem;
+	if (opts.fixedInVersion) pkg.fixedInVersion = opts.fixedInVersion;
+	if (!Boolean(pkg.name && pkg.version && pkg.ecosystem) && !pkg.purl && !pkg.cpe) return void 0;
+	return pkg;
+}
+/**
 * Build an HDF Results document from options.
 *
 * Eliminates the repeated boilerplate of constructing generator, tool,
-* and assembling the top-level HdfResults in every converter. Mirrors
+* and assembling the top-level HDFResults in every converter. Mirrors
 * the Go shared.BuildHDFResults() function.
 *
 * @returns JSON string of the HDF Results document (pretty-printed)
@@ -202,6 +251,156 @@ function buildHdfResults(opts) {
 	if (opts.statistics) hdf.statistics = opts.statistics;
 	return JSON.stringify(hdf, null, 2);
 }
+/**
+* Captures a NIST 800-53 control identifier and its base sub-control number,
+* ignoring enhancement suffixes like "(1)" or ".1". Mirrors the Go pattern
+* in shared/go/converterutil.go.
+*/
+const NIST_TAG_PATTERN = /^([A-Z]{2})-(\d+)/;
+/**
+* Maps each recognized NIST 800-53 Rev 5 family to its HDF controlType per
+* SP 800-53 Appendix C / SP 800-53A classification. Unknown families resolve
+* to undefined.
+*/
+const NIST_FAMILY_CONTROL_TYPE = {
+	AC: ControlType.Technical,
+	AT: ControlType.Operational,
+	AU: ControlType.Operational,
+	CA: ControlType.Management,
+	CM: ControlType.Operational,
+	CP: ControlType.Operational,
+	IA: ControlType.Technical,
+	IR: ControlType.Operational,
+	MA: ControlType.Operational,
+	MP: ControlType.Operational,
+	PE: ControlType.Operational,
+	PL: ControlType.Management,
+	PM: ControlType.Management,
+	PS: ControlType.Operational,
+	PT: ControlType.Operational,
+	RA: ControlType.Management,
+	SA: ControlType.Management,
+	SC: ControlType.Technical,
+	SI: ControlType.Technical,
+	SR: ControlType.Management
+};
+/**
+* Derive the HDF `controlType` for a single NIST 800-53 control identifier
+* using a family-prefix heuristic. Returns undefined when the family is
+* unrecognized or the tag is not a NIST control identifier.
+*
+* Heuristic, per NIST SP 800-53 Rev 5 Appendix C and SP 800-53A:
+* - Management: PM, RA, CA, PL, SA, SR families
+* - Operational: AT, AU, CM, CP, IR, MA, MP, PE, PS, PT families
+* - Technical:  AC, IA, SC, SI families
+* - Policy:     any "-1" sub-control (the per-family policy/procedure
+*   document, regardless of which family it belongs to). Enhancements of
+*   -1 controls (e.g., AC-1(1)) also resolve to policy.
+*
+* The "-1" rule takes precedence over the family rule because the per-family
+* policy/procedure document is more usefully classified by its document
+* nature than by the family it documents.
+*
+* @example
+*   deriveControlType("AC-3")      // ControlType.Technical
+*   deriveControlType("AC-1")      // ControlType.Policy   (any *-1 is policy)
+*   deriveControlType("AC-3(1)")   // ControlType.Technical (enhancement of AC-3)
+*   deriveControlType("PM-2")      // ControlType.Management
+*   deriveControlType("SV-238196") // undefined            (not a NIST tag)
+*/
+function deriveControlType(nistTag) {
+	const match = NIST_TAG_PATTERN.exec(nistTag.trim().toUpperCase());
+	if (!match || match[1] === void 0 || match[2] === void 0) return void 0;
+	const family = match[1];
+	const subControl = match[2];
+	const familyClass = NIST_FAMILY_CONTROL_TYPE[family];
+	if (familyClass === void 0) return void 0;
+	if (subControl === "1") return ControlType.Policy;
+	return familyClass;
+}
+/**
+* NIST tag sets this package uses as per-converter static fallbacks when no
+* real per-finding mapping is available. When deriveControlTypeFromTags sees
+* an input that exactly matches one of these bundles, it returns undefined —
+* the input carries no real per-finding signal, and stamping every
+* requirement with the same derived controlType is misleading.
+*
+* Keep in sync with DEFAULT_STATIC_ANALYSIS_NIST_TAGS, DEFAULT_REMEDIATION_NIST_TAGS.
+*/
+const NIST_FALLBACK_BUNDLES = [
+	["RA-5", "SA-11"],
+	["RA-5", "SI-2"],
+	["CM-8"]
+];
+function tagsMatchFallback(tags) {
+	if (tags.length === 0) return false;
+	const sorted = [...new Set(tags)].sort();
+	return NIST_FALLBACK_BUNDLES.some((bundle) => bundle.length === sorted.length && bundle.every((b, i) => b === sorted[i]));
+}
+/**
+* Derive the HDF `controlType` for a slice of NIST tags. Resolves each tag
+* via {@link deriveControlType}, then picks the most-specific class by
+* precedence: technical > operational > management > policy > procedure.
+* The rationale is that a control enforced via configuration (technical)
+* is more actionable than the same control's management/policy framing.
+*
+* Returns undefined when no tag resolves to a known classification, OR when
+* the input exactly matches a converter-level static-fallback bundle (e.g.
+* the DEFAULT_STATIC_ANALYSIS_NIST_TAGS set). The fallback gate prevents
+* converters that have no per-finding NIST signal from stamping every
+* requirement with the same misleading controlType.
+*/
+function deriveControlTypeFromTags(tags) {
+	if (tagsMatchFallback(tags)) return void 0;
+	const rank = {
+		[ControlType.Technical]: 0,
+		[ControlType.Operational]: 1,
+		[ControlType.Management]: 2,
+		[ControlType.Policy]: 3,
+		[ControlType.Procedure]: 4
+	};
+	let best;
+	let bestRank = Number.POSITIVE_INFINITY;
+	for (const tag of tags) {
+		const ct = deriveControlType(tag);
+		if (ct === void 0) continue;
+		const r = rank[ct];
+		if (r < bestRank) {
+			bestRank = r;
+			best = ct;
+		}
+	}
+	return best;
+}
+/**
+* Derive the HDF `verificationMethod` for a requirement based on whether
+* check code is present. Returns `automated` when code is non-empty (a check
+* exists and runs without operator action), and undefined otherwise — the
+* converter is responsible for distinguishing manual-by-design (statement-form,
+* e.g. FedRAMP 20x KSI) from manual-pending-automation (a check that could
+* be automated but isn't yet) when it has the source-format context to do so.
+*/
+function deriveVerificationMethod(code) {
+	if (code === void 0 || code === null || code === "") return void 0;
+	return VerificationMethodEnum.Automated;
+}
+function buildNoFindingsRequirement(id, codeDesc, startTime) {
+	return {
+		id,
+		title: "No findings reported",
+		impact: 0,
+		descriptions: [{
+			label: "default",
+			data: codeDesc
+		}],
+		results: [{
+			status: ResultStatus.Passed,
+			codeDesc,
+			startTime
+		}],
+		tags: {}
+	};
+}
 //#endregion
 //#region converters/legacyhdf-to-hdf/typescript/converter.ts
 /**
@@ -247,7 +446,7 @@ function impactToSeverity$2(impact) {
 * Normalize status values from v1.0 to v2.0 format.
 * Converts snake_case to camelCase.
 */
-function normalizeStatus(status) {
+function normalizeStatus$1(status) {
 	return {
 		"passed": "passed",
 		"failed": "failed",
@@ -293,7 +492,7 @@ function computeEffectiveStatus(impact, results) {
 * Transforms snake_case field names to camelCase.
 */
 function convertResult(v1Result) {
-	const v2Result = { status: normalizeStatus(v1Result.status) };
+	const v2Result = { status: normalizeStatus$1(v1Result.status) };
 	if (v1Result.code_desc !== void 0) v2Result.codeDesc = v1Result.code_desc;
 	if (v1Result.run_time !== void 0) v2Result.runTime = v1Result.run_time;
 	if (v1Result.start_time !== void 0) v2Result.startTime = v1Result.start_time;
@@ -337,10 +536,15 @@ function convertControl(v1Control) {
 	if (v1Control.code !== void 0) v2Req.code = v1Control.code;
 	if (v1Control.source_location !== void 0) v2Req.sourceLocation = v1Control.source_location;
 	if (v1Control.waiver_data !== void 0) v2Req.waiverData = v1Control.waiver_data;
-	if (v1Control.status !== void 0) v2Req.effectiveStatus = normalizeStatus(v1Control.status);
+	if (v1Control.status !== void 0) v2Req.effectiveStatus = normalizeStatus$1(v1Control.status);
 	if (v1Control.results && Array.isArray(v1Control.results)) v2Req.results = v1Control.results.map(convertResult);
 	if (!v2Req.effectiveStatus) v2Req.effectiveStatus = computeEffectiveStatus(v1Control.impact, v2Req.results ?? []);
 	v2Req.severity = tagSeverityToSeverity(v1Control.tags?.severity) ?? impactToSeverity$2(v1Control.impact);
+	const rawNist = v1Control.tags?.nist;
+	if (Array.isArray(rawNist)) {
+		const controlType = deriveControlTypeFromTags(rawNist.filter((v) => typeof v === "string"));
+		if (controlType !== void 0) v2Req.controlType = controlType;
+	}
 	const knownFields = new Set([
 		"id",
 		"title",
@@ -544,18 +748,19 @@ async function convertSarifToHdf(input) {
 	const { items: limitedRuns, truncated: truncatedRuns } = limitArray(sarif.runs);
 	/* v8 ignore next -- truncation only triggers with >100K items */
 	if (truncatedRuns) console.warn(`WARNING: Input truncated at ${limitedRuns.length} run items (original: ${sarif.runs.length})`);
+	const timestamp = /* @__PURE__ */ new Date();
 	return buildHdfResults({
 		generatorName: "sarif-to-hdf",
 		converterVersion: "1.0.0",
 		toolName: firstDriver?.name,
 		toolVersion: firstDriver?.version,
 		toolFormat: "SARIF",
-		baselines: limitedRuns.map((run) => convertRun(run, sarif.version, resultsChecksum)),
+		baselines: limitedRuns.map((run) => convertRun(run, sarif.version, resultsChecksum, timestamp)),
 		components: [],
-		timestamp: /* @__PURE__ */ new Date()
+		timestamp
 	});
 }
-function convertRun(run, version, resultsChecksum) {
+function convertRun(run, version, resultsChecksum, timestamp) {
 	const ruleMap = buildRuleMap(run);
 	const { items: limitedResults, truncated: truncatedResults } = limitArray(run.results);
 	/* v8 ignore next -- truncation only triggers with >100K items */
@@ -579,7 +784,14 @@ function convertRun(run, version, resultsChecksum) {
 		const group = groupMap.get(ruleId);
 		return convertResultGroup(ruleId, group.rule, group.results);
 	});
-	return createMinimalBaseline(run.tool?.driver?.name || "SARIF", requirements, {
+	const baselineName = run.tool?.driver?.name || "SARIF";
+	if (requirements.length === 0) {
+		const driverName = run.tool?.driver?.name?.trim() || "";
+		const target = driverName || "SARIF analyzer";
+		const idPrefix = driverName || "sarif";
+		requirements.push(buildNoFindingsRequirement(`${idPrefix}-no-findings`, `${target} ran and reported zero findings.`, timestamp));
+	}
+	return createMinimalBaseline(baselineName, requirements, {
 		version,
 		title: "Static Analysis Results Interchange Format",
 		resultsChecksum
@@ -605,7 +817,45 @@ function convertResultGroup(ruleId, rule, sarifResults) {
 	const descriptions = buildDescriptions$1(description, rule, firstResult);
 	const options = { tags: buildTags$3(firstResult, rule, ruleLevel, cweIds, nistControls, cciControls) };
 	if (sourceLocation) options.sourceLocation = sourceLocation;
-	return createRequirement(ruleId, title, descriptions, impact, results, options);
+	const req = createRequirement(ruleId, title, descriptions, impact, results, options);
+	const controlType = deriveControlTypeFromTags(nistControls);
+	if (controlType !== void 0) req.controlType = controlType;
+	req.verificationMethod = VerificationMethodEnum.Automated;
+	const seenKeys = /* @__PURE__ */ new Set();
+	const packages = [];
+	for (const sr of sarifResults) {
+		const pkg = packageFromSarifProperties(sr.properties);
+		if (!pkg) continue;
+		const key = pkg.purl ?? pkg.cpe ?? `${pkg.name ?? ""}@${pkg.version ?? ""}`;
+		if (seenKeys.has(key)) continue;
+		seenKeys.add(key);
+		packages.push(pkg);
+	}
+	if (packages.length > 0) req.affectedPackages = packages;
+	return req;
+}
+/**
+* Extract an Affected_Package from a SARIF result.properties bag.
+* Recognizes the SCA-tool convention of carrying purl / cpe /
+* packageName+packageVersion / name+version. Returns undefined for
+* SAST results that lack any package identity.
+*/
+function packageFromSarifProperties(props) {
+	if (!props) return void 0;
+	const name = props.packageName ?? props.name;
+	const version = props.packageVersion ?? props.version;
+	let ecosystem;
+	if (props.purl) ecosystem = ecosystemFromPurlType(parsePurl(props.purl)?.type);
+	else if (props.ecosystem) ecosystem = ecosystemFromPurlType(props.ecosystem);
+	else if (name && version) ecosystem = Ecosystem.Generic;
+	return buildAffectedPackage$1({
+		name,
+		version,
+		ecosystem,
+		purl: props.purl,
+		cpe: props.cpe,
+		fixedInVersion: props.fixedInVersion
+	});
 }
 function resolveRuleLevel(rule, results) {
 	if (rule?.defaultConfiguration?.level) return rule.defaultConfiguration.level;
@@ -810,8 +1060,8 @@ function createHDFResult(location, status, backtrace, suppressionMessage) {
 //#endregion
 //#region converters/junit-to-hdf/typescript/converter.ts
 const DEFAULT_NIST = ["SA-11"];
-const CONVERTER_VERSION$1 = "1.0.0";
-const ARRAY_TAGS$1 = ["testsuite", "testcase"];
+const CONVERTER_VERSION$2 = "1.0.0";
+const ARRAY_TAGS$2 = ["testsuite", "testcase"];
 /**
 * Converts JUnit XML test results to HDF format.
 */
@@ -819,21 +1069,23 @@ async function convertJunitToHdf(input) {
 	if (!input || !input.trim()) throw new Error("Empty input");
 	validateInputSize(input, "junit");
 	const { suites, name } = parseJUnitXML(input);
+	const requirements = buildRequirements(suites);
+	if (requirements.length === 0) requirements.push(buildNoFindingsRequirement("junit-no-findings", `JUnit scanned ${noFindingsTarget(name, suites)} and reported zero findings.`, /* @__PURE__ */ new Date()));
 	return buildHdfResults({
-		generatorName: "hdf-converters",
-		converterVersion: CONVERTER_VERSION$1,
+		generatorName: "junit-to-hdf",
+		converterVersion: CONVERTER_VERSION$2,
 		toolName: "JUnit XML",
 		toolFormat: "XML",
-		baselines: [createMinimalBaseline(name, buildRequirements(suites), { resultsChecksum: await inputChecksum(input) })],
+		baselines: [createMinimalBaseline(name, requirements, { resultsChecksum: await inputChecksum(input) })],
 		components: [{
-			type: Copyright.Application,
+			type: TargetType.Application,
 			name
 		}],
 		timestamp: /* @__PURE__ */ new Date()
 	});
 }
 function parseJUnitXML(input) {
-	const parsed = parseXmlWithArrays(input, ARRAY_TAGS$1);
+	const parsed = parseXmlWithArrays(input, ARRAY_TAGS$2);
 	if (parsed.testsuites) return {
 		suites: parsed.testsuites.testsuite ?? [],
 		name: parsed.testsuites.name || "JUnit Test Results"
@@ -876,7 +1128,11 @@ function testCaseToRequirement(tc, suiteTimestamp) {
 		label: "default",
 		data: `JUnit test: ${tc.name} in ${tc.classname || "unknown"}`
 	}];
-	return createRequirement(id, tc.name, descriptions, .5, [result], { tags: { nist: DEFAULT_NIST } });
+	const req = createRequirement(id, tc.name, descriptions, .5, [result], { tags: { nist: DEFAULT_NIST } });
+	const controlType = deriveControlTypeFromTags(DEFAULT_NIST);
+	if (controlType !== void 0) req.controlType = controlType;
+	req.verificationMethod = VerificationMethodEnum.Automated;
+	return req;
 }
 function buildID(tc) {
 	if (tc.classname) return `${tc.classname}.${tc.name}`;
@@ -921,12 +1177,17 @@ function buildCodeDesc$9(tc) {
 	if (tc.classname) return `${tc.classname} :: ${tc.name}`;
 	return tc.name;
 }
+function noFindingsTarget(baselineName, suites) {
+	if (baselineName && baselineName !== "JUnit Test Results") return baselineName;
+	for (const s of suites) if (s.name) return s.name;
+	return "JUnit test suite";
+}
 //#endregion
 //#region converters/xccdf-results-to-hdf/typescript/converter.ts
-const CONVERTER_VERSION = "1.0.0";
+const CONVERTER_VERSION$1 = "1.0.0";
 const CCI_SYSTEM = "http://cyber.mil/cci";
 /** Tags that must always be parsed as arrays even if only one element exists. */
-const ARRAY_TAGS = [
+const ARRAY_TAGS$1 = [
 	"Group",
 	"Rule",
 	"Profile",
@@ -969,7 +1230,7 @@ const STATUS_MAP = {
 async function convertXccdfResultsToHdf(input) {
 	if (!input || !input.trim()) throw new Error("Empty input");
 	validateInputSize(input, "xccdf-results");
-	const parsed = parseXmlWithArrays(input, ARRAY_TAGS);
+	const parsed = parseXmlWithArrays(input, ARRAY_TAGS$1);
 	const arfParsed = parsed;
 	if (arfParsed["asset-report-collection"]) return convertArfCollection(arfParsed["asset-report-collection"], input);
 	const benchmark = parsed.Benchmark;
@@ -985,6 +1246,10 @@ async function convertBenchmarkResultsToHdf(benchmark, rawInput) {
 	/* v8 ignore next -- truncation only triggers with >100K items */
 	if (truncatedRR) console.warn(`WARNING: Input truncated at ${limitedRuleResults.length} rule-result items (original: ${ruleResults.length})`);
 	const requirements = limitedRuleResults.map((rr) => ruleResultToRequirement(rr, ruleIndex));
+	if (requirements.length === 0) {
+		const target = xccdfTargetName(testResult, benchmark);
+		requirements.push(buildNoFindingsRequirement("xccdf-results-no-findings", `XCCDF scanned ${target} and reported zero findings.`, /* @__PURE__ */ new Date()));
+	}
 	const resultsChecksum = await inputChecksum(rawInput);
 	const baseline = createMinimalBaseline(extractText(benchmark.title) || "XCCDF Benchmark", requirements, { resultsChecksum });
 	const components = buildTargets(testResult);
@@ -998,8 +1263,8 @@ async function convertBenchmarkResultsToHdf(benchmark, rawInput) {
 	const hdf = {
 		baselines: [baseline],
 		generator: {
-			name: "hdf-converters",
-			version: CONVERTER_VERSION
+			name: "xccdf-results-to-hdf",
+			version: CONVERTER_VERSION$1
 		},
 		tool: {
 			name: "XCCDF Results",
@@ -1037,6 +1302,10 @@ async function convertArfCollection(arc, rawInput) {
 		/* v8 ignore next -- truncation only triggers with >100K items */
 		if (truncatedARFRR) console.warn(`WARNING: Input truncated at ${limitedARFRuleResults.length} rule-result items (original: ${ruleResults.length})`);
 		const requirements = limitedARFRuleResults.map((rr) => ruleResultToRequirement(rr, ruleIndex));
+		if (requirements.length === 0) {
+			const target = xccdfTargetName(testResult, benchmark);
+			requirements.push(buildNoFindingsRequirement("xccdf-results-no-findings", `XCCDF scanned ${target} and reported zero findings.`, /* @__PURE__ */ new Date()));
+		}
 		let baselineName = "";
 		if (benchmark) baselineName = extractText(benchmark.title) || "";
 		if (!baselineName) baselineName = extractText(testResult.title) || testResult.id || "ARF Report";
@@ -1057,8 +1326,8 @@ async function convertArfCollection(arc, rawInput) {
 	const hdf = {
 		baselines,
 		generator: {
-			name: "hdf-converters",
-			version: CONVERTER_VERSION
+			name: "xccdf-results-to-hdf",
+			version: CONVERTER_VERSION$1
 		},
 		tool: {
 			name: "ARF",
@@ -1144,13 +1413,33 @@ function ruleResultToRequirement(rr, ruleIndex) {
 	});
 	const result = createResult(STATUS_MAP[(rr.result ?? "").toLowerCase()] ?? ResultStatus.NotReviewed, "", { codeDesc: `XCCDF rule ${id}` });
 	const tags = {};
+	let nistTags = [];
 	const cciIds = extractCCIs(rr.ident ?? ruleDef?.ident ?? []);
 	if (cciIds.length > 0) {
 		tags["cci"] = cciIds;
-		const nistTags = cciIds.flatMap((cci) => getCCINistMappings(cci) ?? []);
-		if (nistTags.length > 0) tags["nist"] = [...new Set(nistTags)];
+		nistTags = [...new Set(cciIds.flatMap((cci) => getCCINistMappings(cci) ?? []))];
+		if (nistTags.length > 0) tags["nist"] = nistTags;
 	}
-	return createRequirement(id, title, descriptions, impact, [result], { tags });
+	const req = createRequirement(id, title, descriptions, impact, [result], { tags });
+	const controlType = deriveControlTypeFromTags(nistTags);
+	if (controlType !== void 0) req.controlType = controlType;
+	return req;
+}
+/**
+* Pick the most specific identifier available for a no-findings codeDesc.
+* Falls back through TestResult target/title, benchmark title/id, then a generic phrase.
+*/
+function xccdfTargetName(testResult, benchmark) {
+	const tr = testResult ?? {};
+	const target = (tr.target ?? "").trim();
+	if (target) return target;
+	const trTitle = extractText(tr.title).trim();
+	if (trTitle) return trTitle;
+	const benchTitle = extractText(benchmark?.title).trim();
+	if (benchTitle) return benchTitle;
+	const benchId = (benchmark?.id ?? "").trim();
+	if (benchId) return benchId;
+	return "the target";
 }
 /**
 * Build Component array from TestResult metadata.
@@ -1161,7 +1450,7 @@ function buildTargets(testResult) {
 	const addresses = testResult["target-address"] ?? [];
 	const target = {
 		name: targetName,
-		type: Copyright.Host,
+		type: TargetType.Host,
 		labels: {}
 	};
 	if (addresses.length > 0) target.ipAddress = addresses[0];
@@ -1210,6 +1499,713 @@ function extractCCIs(idents) {
 	return idents.filter((i) => i.system === CCI_SYSTEM).map((i) => i["#text"] ?? "").filter((v) => v.length > 0);
 }
 //#endregion
+//#region shared/typescript/checklist/status.ts
+function normalizeKey(s) {
+	return s.toLowerCase().trim().split("_").join("").split(" ").join("");
+}
+const STATUS_BY_KEY = {
+	open: "Open",
+	notafinding: "NotAFinding",
+	notreviewed: "Not_Reviewed",
+	notapplicable: "Not_Applicable"
+};
+/** Map any CKL/CKLB status spelling to the canonical CheckStatus. */
+function parseStatus(s) {
+	return STATUS_BY_KEY[normalizeKey(s ?? "")] ?? "Not_Reviewed";
+}
+/** CKL (XML) spelling. */
+function statusToCkl(s) {
+	return s || "Not_Reviewed";
+}
+/** CKLB (JSON) snake_case spelling. */
+function statusToCklb(s) {
+	switch (s) {
+		case "Open": return "open";
+		case "NotAFinding": return "not_a_finding";
+		case "Not_Applicable": return "not_applicable";
+		default: return "not_reviewed";
+	}
+}
+/** Canonical status -> HDF Result_Status. */
+function statusToHdf(s) {
+	switch (s) {
+		case "Open": return ResultStatus.Failed;
+		case "NotAFinding": return ResultStatus.Passed;
+		case "Not_Applicable": return ResultStatus.NotApplicable;
+		default: return ResultStatus.NotReviewed;
+	}
+}
+/** HDF Result_Status -> canonical status (error -> Open). */
+function statusFromHdf(s) {
+	switch (s) {
+		case ResultStatus.Passed: return "NotAFinding";
+		case ResultStatus.Failed:
+		case ResultStatus.Error: return "Open";
+		case ResultStatus.NotApplicable: return "Not_Applicable";
+		default: return "Not_Reviewed";
+	}
+}
+//#endregion
+//#region shared/typescript/checklist/ckl.ts
+const ARRAY_TAGS = [
+	"iSTIG",
+	"VULN",
+	"STIG_DATA",
+	"SI_DATA"
+];
+const BUILD_OPTIONS$1 = {
+	attributeNamePrefix: "@_",
+	textNodeName: "#text",
+	ignoreAttributes: false,
+	format: true,
+	indentBy: "	",
+	suppressEmptyNode: false
+};
+function str(v) {
+	return v === void 0 || v === null ? "" : String(v);
+}
+const VULN_ATTR_ORDER = [
+	"Vuln_Num",
+	"Severity",
+	"Group_Title",
+	"Rule_ID",
+	"Rule_Ver",
+	"Rule_Title",
+	"Vuln_Discuss",
+	"IA_Controls",
+	"Check_Content",
+	"Fix_Text",
+	"False_Positives",
+	"False_Negatives",
+	"Documentable",
+	"Mitigations",
+	"Potential_Impact",
+	"Third_Party_Tools",
+	"Mitigation_Control",
+	"Responsibility",
+	"Security_Override_Guidance",
+	"Check_Content_Ref",
+	"Weight",
+	"Class",
+	"STIG_UUID"
+];
+const CORE_VULN_ATTR = new Set([
+	"Vuln_Num",
+	"Severity",
+	"Group_Title",
+	"Rule_ID",
+	"Rule_Ver",
+	"Rule_Title",
+	"Vuln_Discuss",
+	"Check_Content",
+	"Fix_Text",
+	"Weight",
+	"Class"
+]);
+/** Parse CKL XML into the format-neutral Checklist model. */
+function parseCkl(input) {
+	const checklist = parseXmlWithArrays(input, ARRAY_TAGS, { processEntities: true }).CHECKLIST;
+	const istigs = checklist?.STIGS?.iSTIG;
+	if (!checklist || !istigs || istigs.length === 0) throw new Error("parse ckl: no <iSTIG> blocks found (not a CKL document?)");
+	const a = checklist.ASSET ?? {};
+	return {
+		format: "ckl",
+		asset: {
+			role: str(a["ROLE"]),
+			assetType: str(a["ASSET_TYPE"]),
+			marking: str(a["MARKING"]),
+			hostName: str(a["HOST_NAME"]),
+			hostIP: str(a["HOST_IP"]),
+			hostMAC: str(a["HOST_MAC"]),
+			hostFQDN: str(a["HOST_FQDN"]),
+			targetComment: str(a["TARGET_COMMENT"]),
+			techArea: str(a["TECH_AREA"]),
+			targetKey: str(a["TARGET_KEY"]),
+			webOrDatabase: str(a["WEB_OR_DATABASE"]) === "true",
+			webDBSite: str(a["WEB_DB_SITE"]),
+			webDBInstance: str(a["WEB_DB_INSTANCE"])
+		},
+		stigs: istigs.map((is) => {
+			const si = is.STIG_INFO?.SI_DATA ?? [];
+			const siVal = (name) => str(si.find((d) => d.SID_NAME === name)?.SID_DATA);
+			return {
+				stigID: siVal("stigid"),
+				title: siVal("title"),
+				version: siVal("version"),
+				releaseInfo: siVal("releaseinfo"),
+				uuid: siVal("uuid"),
+				classification: siVal("classification"),
+				vulns: (is.VULN ?? []).map(cklVulnToModel)
+			};
+		})
+	};
+}
+function cklVulnToModel(v) {
+	const data = v.STIG_DATA ?? [];
+	const attr = (name) => str(data.find((sd) => sd.VULN_ATTRIBUTE === name)?.ATTRIBUTE_DATA);
+	const ccis = [];
+	const extra = {};
+	const promoted = new Set([
+		"CCI_REF",
+		"Vuln_Num",
+		"Severity",
+		"Group_Title",
+		"Rule_ID",
+		"Rule_Ver",
+		"Rule_Title",
+		"Vuln_Discuss",
+		"Check_Content",
+		"Fix_Text",
+		"Weight",
+		"Class"
+	]);
+	for (const sd of data) {
+		const name = sd.VULN_ATTRIBUTE ?? "";
+		const val = str(sd.ATTRIBUTE_DATA);
+		if (name === "CCI_REF") {
+			if (val) ccis.push(val);
+		} else if (!promoted.has(name) && val) extra[name] = val;
+	}
+	return {
+		vulnNum: attr("Vuln_Num"),
+		ruleID: attr("Rule_ID"),
+		ruleVer: attr("Rule_Ver"),
+		groupTitle: attr("Group_Title"),
+		severity: attr("Severity"),
+		ruleTitle: attr("Rule_Title"),
+		vulnDiscuss: attr("Vuln_Discuss"),
+		checkContent: attr("Check_Content"),
+		fixText: attr("Fix_Text"),
+		weight: attr("Weight"),
+		classification: attr("Class"),
+		ccis,
+		status: parseStatus(v.STATUS),
+		findingDetails: str(v.FINDING_DETAILS),
+		comments: str(v.COMMENTS),
+		extra
+	};
+}
+/** Serialize the Checklist model to CKL XML (with declaration). */
+function serializeCkl(cl) {
+	return `<?xml version="1.0" encoding="UTF-8"?>\n${buildXml({ CHECKLIST: {
+		ASSET: {
+			ROLE: cl.asset.role || "None",
+			ASSET_TYPE: cl.asset.assetType || "Computing",
+			HOST_NAME: cl.asset.hostName ?? "",
+			HOST_IP: cl.asset.hostIP ?? "",
+			HOST_MAC: cl.asset.hostMAC ?? "",
+			HOST_FQDN: cl.asset.hostFQDN ?? "",
+			TARGET_COMMENT: cl.asset.targetComment ?? "",
+			TECH_AREA: cl.asset.techArea ?? "",
+			TARGET_KEY: cl.asset.targetKey ?? "",
+			WEB_OR_DATABASE: cl.asset.webOrDatabase ? "true" : "false",
+			WEB_DB_SITE: cl.asset.webDBSite ?? "",
+			WEB_DB_INSTANCE: cl.asset.webDBInstance ?? ""
+		},
+		STIGS: { iSTIG: cl.stigs.map((s) => ({
+			STIG_INFO: { SI_DATA: stigInfoSiData(s) },
+			VULN: s.vulns.map(modelVulnToCkl)
+		})) }
+	} }, BUILD_OPTIONS$1)}`;
+}
+function stigInfoSiData(s) {
+	return [
+		{
+			name: "version",
+			data: s.version
+		},
+		{
+			name: "classification",
+			data: s.classification
+		},
+		{
+			name: "stigid",
+			data: s.stigID
+		},
+		{
+			name: "releaseinfo",
+			data: s.releaseInfo
+		},
+		{
+			name: "title",
+			data: s.title
+		},
+		{
+			name: "uuid",
+			data: s.uuid
+		}
+	].filter((p) => p.data).map((p) => ({
+		SID_NAME: p.name,
+		SID_DATA: p.data
+	}));
+}
+function modelVulnToCkl(v) {
+	const typed = {
+		Vuln_Num: v.vulnNum,
+		Severity: v.severity ?? "",
+		Group_Title: v.groupTitle ?? "",
+		Rule_ID: v.ruleID ?? "",
+		Rule_Ver: v.ruleVer ?? "",
+		Rule_Title: v.ruleTitle ?? "",
+		Vuln_Discuss: v.vulnDiscuss ?? "",
+		Check_Content: v.checkContent ?? "",
+		Fix_Text: v.fixText ?? "",
+		Weight: v.weight || "10.0",
+		Class: v.classification || "Unclass"
+	};
+	const stigData = [];
+	for (const name of VULN_ATTR_ORDER) {
+		const val = typed[name] ?? v.extra?.[name] ?? "";
+		if (!val && !CORE_VULN_ATTR.has(name)) continue;
+		stigData.push({
+			VULN_ATTRIBUTE: name,
+			ATTRIBUTE_DATA: val
+		});
+	}
+	for (const cci of v.ccis) stigData.push({
+		VULN_ATTRIBUTE: "CCI_REF",
+		ATTRIBUTE_DATA: cci
+	});
+	return {
+		STIG_DATA: stigData,
+		STATUS: statusToCkl(v.status),
+		FINDING_DETAILS: v.findingDetails ?? "",
+		COMMENTS: v.comments ?? ""
+	};
+}
+//#endregion
+//#region shared/typescript/checklist/cklb.ts
+/** Parse CKLB JSON into the format-neutral Checklist model. */
+function parseCklb(input) {
+	const doc = parseJSON(input);
+	if (!doc || !Array.isArray(doc.stigs) || doc.stigs.length === 0) throw new Error("parse cklb: no stigs[] found (not a CKLB document?)");
+	const t = doc.target_data ?? {};
+	const asset = {
+		role: nz(t.role),
+		assetType: nz(t.target_type),
+		hostName: nz(t.host_name),
+		hostIP: nz(t.ip_address),
+		hostMAC: nz(t.mac_address),
+		hostFQDN: nz(t.fqdn),
+		targetComment: nz(t.comments),
+		webOrDatabase: t.is_web_database === true,
+		webDBSite: nz(t.web_db_site),
+		webDBInstance: nz(t.web_db_instance),
+		techArea: nz(t.technology_area),
+		classification: nz(t.classification)
+	};
+	const stigs = doc.stigs.map((s) => ({
+		stigID: nz(s.stig_id),
+		title: nz(s.stig_name) || nz(s.display_name),
+		displayName: nz(s.display_name),
+		version: nz(s.version),
+		releaseInfo: nz(s.release_info),
+		uuid: nz(s.uuid),
+		referenceIdentifier: nz(s.reference_identifier),
+		vulns: (s.rules ?? []).map(cklbRuleToModel)
+	}));
+	return {
+		format: "cklb",
+		cklbVersion: nz(doc.cklb_version),
+		asset,
+		stigs
+	};
+}
+/** Coerce a possibly-null/non-string JSON value to string | undefined.
+* Real STIG Viewer CKLB output uses null for unset fields (e.g.
+* target_data.classification: null); the model expects string | undefined. */
+function nz(v) {
+	return typeof v === "string" ? v : void 0;
+}
+function cklbRuleToModel(r) {
+	const extra = {};
+	if (r.third_party_tools) extra["Third_Party_Tools"] = r.third_party_tools;
+	if (r.srg_id) extra["SRG_ID"] = r.srg_id;
+	return {
+		vulnNum: nz(r.group_id) ?? "",
+		ruleID: nz(r.rule_id),
+		ruleVer: nz(r.rule_version),
+		groupID: nz(r.group_id),
+		groupTitle: nz(r.group_title),
+		severity: nz(r.severity),
+		ruleTitle: nz(r.rule_title),
+		vulnDiscuss: nz(r.discussion),
+		checkContent: nz(r.check_content),
+		fixText: nz(r.fix_text),
+		weight: nz(r.weight),
+		classification: nz(r.classification),
+		ccis: Array.isArray(r.ccis) ? r.ccis.filter((c) => typeof c === "string") : [],
+		legacyIDs: r.legacy_ids,
+		status: parseStatus(r.status),
+		findingDetails: nz(r.finding_details),
+		comments: nz(r.comments),
+		extra
+	};
+}
+/** Serialize the Checklist model to CKLB JSON. */
+function serializeCklb(cl) {
+	const doc = {
+		title: cklbTitle(cl),
+		cklb_version: cl.cklbVersion || "1.0",
+		active: false,
+		has_path: false,
+		target_data: {
+			target_type: cl.asset.assetType || "Computing",
+			host_name: cl.asset.hostName ?? "",
+			ip_address: cl.asset.hostIP ?? "",
+			mac_address: cl.asset.hostMAC ?? "",
+			fqdn: cl.asset.hostFQDN ?? "",
+			comments: cl.asset.targetComment ?? "",
+			role: cl.asset.role || "None",
+			is_web_database: cl.asset.webOrDatabase ?? false,
+			technology_area: cl.asset.techArea ?? "",
+			web_db_site: cl.asset.webDBSite ?? "",
+			web_db_instance: cl.asset.webDBInstance ?? "",
+			...cl.asset.classification ? { classification: cl.asset.classification } : {}
+		},
+		stigs: cl.stigs.map((s) => ({
+			stig_name: s.title ?? "",
+			display_name: s.displayName || s.title || "",
+			stig_id: s.stigID ?? "",
+			release_info: s.releaseInfo ?? "",
+			version: s.version ?? "",
+			uuid: s.uuid ?? "",
+			...s.referenceIdentifier ? { reference_identifier: s.referenceIdentifier } : {},
+			rules: s.vulns.map((v) => ({
+				group_id: v.groupID || v.vulnNum,
+				group_title: v.groupTitle ?? "",
+				rule_id: v.ruleID ?? "",
+				rule_version: v.ruleVer ?? "",
+				rule_title: v.ruleTitle ?? "",
+				severity: v.severity ?? "",
+				weight: v.weight || "10.0",
+				check_content: v.checkContent ?? "",
+				fix_text: v.fixText ?? "",
+				discussion: v.vulnDiscuss ?? "",
+				ccis: v.ccis,
+				...v.legacyIDs && v.legacyIDs.length ? { legacy_ids: v.legacyIDs } : {},
+				status: statusToCklb(v.status),
+				comments: v.comments ?? "",
+				finding_details: v.findingDetails ?? "",
+				...v.extra?.["Third_Party_Tools"] ? { third_party_tools: v.extra["Third_Party_Tools"] } : {}
+			}))
+		}))
+	};
+	return JSON.stringify(doc, null, 2);
+}
+function cklbTitle(cl) {
+	return cl.stigs[0]?.title || "STIG Checklist";
+}
+//#endregion
+//#region shared/typescript/checklist/to-hdf.ts
+const CONVERTER_VERSION = "1.0.0";
+/**
+* Map the format-neutral Checklist model to an HDF Results object.
+* controlType is derived per-Vuln from CCI->NIST; verificationMethod and
+* applicability are omitted (the checklist format cannot substantiate them).
+* Original-format metadata is stashed in extensions/tags for round-trip.
+*/
+function checklistToHdf(cl, resultsChecksum, generatorName) {
+	const hdf = {
+		baselines: cl.stigs.map((s) => stigToBaseline(s, resultsChecksum)),
+		generator: {
+			name: generatorName,
+			version: CONVERTER_VERSION
+		},
+		tool: {
+			name: "DISA STIG Viewer",
+			format: cl.format === "cklb" ? "CKLB" : "CKL"
+		},
+		timestamp: /* @__PURE__ */ new Date()
+	};
+	const component = assetToComponent(cl.asset);
+	if (component) hdf.components = [component];
+	const ext = rootExtensions(cl);
+	if (Object.keys(ext).length > 0) hdf.extensions = ext;
+	return hdf;
+}
+function stigToBaseline(s, resultsChecksum) {
+	const baseline = createMinimalBaseline("STIG Checklist Scan", s.vulns.map(vulnToRequirement), { resultsChecksum });
+	if (s.title) baseline.title = s.title;
+	if (s.version) baseline.version = s.version;
+	const ext = baselineExtensions(s);
+	if (Object.keys(ext).length > 0) baseline.extensions = ext;
+	return baseline;
+}
+function vulnToRequirement(v) {
+	const severity = (v.severity ?? "").toLowerCase();
+	const impact = severity ? severityToImpact(severity) : .5;
+	const descriptions = [{
+		label: "default",
+		data: stripHTML(v.vulnDiscuss ?? "")
+	}];
+	if (v.checkContent) descriptions.push({
+		label: "check",
+		data: stripHTML(v.checkContent)
+	});
+	if (v.fixText) descriptions.push({
+		label: "fix",
+		data: stripHTML(v.fixText)
+	});
+	const message = [v.findingDetails, v.comments].map((s) => (s ?? "").trim()).filter(Boolean).join("\n\n");
+	const result = createResult(statusToHdf(v.status), message, { codeDesc: `STIG rule ${v.ruleVer ?? ""}` });
+	const tags = {};
+	let nistTags = [];
+	if (v.ccis.length > 0) {
+		tags["cci"] = v.ccis;
+		nistTags = [...new Set(v.ccis.flatMap((c) => getCCINistMappings(c) ?? []))].sort();
+		tags["nist"] = nistTags;
+	} else tags["nist"] = [];
+	setIf(tags, "rid", v.ruleID);
+	setIf(tags, "stig_id", v.ruleVer);
+	setIf(tags, "gtitle", v.groupTitle);
+	setIf(tags, "group_id", v.groupID);
+	setIf(tags, "weight", v.weight);
+	setIf(tags, "severity", severity);
+	if (v.legacyIDs && v.legacyIDs.length) tags["legacy_ids"] = v.legacyIDs;
+	if (v.extra && Object.keys(v.extra).length > 0) tags["cklMetadata"] = { ...v.extra };
+	const req = createRequirement(v.vulnNum, v.ruleTitle ?? v.vulnNum, descriptions, impact, [result], { tags });
+	if (severity) req.severity = severity;
+	const controlType = deriveControlTypeFromTags(nistTags);
+	if (controlType !== void 0) req.controlType = controlType;
+	return req;
+}
+function assetToComponent(a) {
+	if (!a.hostName && !a.hostIP && !a.hostFQDN) return void 0;
+	const c = {
+		name: a.hostName || a.hostFQDN || a.hostIP || "",
+		type: TargetType.Host
+	};
+	if (a.hostIP) c.ipAddress = a.hostIP;
+	if (a.hostFQDN) c.fqdn = a.hostFQDN;
+	if (a.hostMAC) c.macAddress = a.hostMAC;
+	return c;
+}
+function rootExtensions(cl) {
+	const ext = { checklistFormat: cl.format || "ckl" };
+	if (cl.cklbVersion) ext["cklbVersion"] = cl.cklbVersion;
+	const ax = {};
+	setIf(ax, "role", cl.asset.role);
+	setIf(ax, "assetType", cl.asset.assetType);
+	setIf(ax, "marking", cl.asset.marking);
+	setIf(ax, "targetKey", cl.asset.targetKey);
+	setIf(ax, "techArea", cl.asset.techArea);
+	setIf(ax, "targetComment", cl.asset.targetComment);
+	setIf(ax, "webDbSite", cl.asset.webDBSite);
+	setIf(ax, "webDbInstance", cl.asset.webDBInstance);
+	setIf(ax, "classification", cl.asset.classification);
+	if (cl.asset.webOrDatabase) ax["webOrDatabase"] = true;
+	if (Object.keys(ax).length > 0) ext["assetExtras"] = ax;
+	return ext;
+}
+function baselineExtensions(s) {
+	const ext = {};
+	setIf(ext, "stigid", s.stigID);
+	setIf(ext, "uuid", s.uuid);
+	setIf(ext, "releaseInfo", s.releaseInfo);
+	setIf(ext, "displayName", s.displayName);
+	setIf(ext, "referenceIdentifier", s.referenceIdentifier);
+	setIf(ext, "classification", s.classification);
+	return ext;
+}
+function setIf(m, key, val) {
+	if (val) m[key] = val;
+}
+//#endregion
+//#region shared/typescript/checklist/from-hdf.ts
+/**
+* Map HDF Results back to the format-neutral Checklist model. When the HDF
+* carries checklist passthrough (extensions/tags from checklistToHdf), the
+* original fields are reproduced losslessly; otherwise required checklist
+* fields are synthesized best-effort so any HDF yields a valid checklist.
+*/
+function hdfToChecklist(input) {
+	const hdf = parseJSON(input);
+	if (!hdf || !Array.isArray(hdf.baselines) || hdf.baselines.length === 0) throw new Error("hdf to checklist: HDF has no baselines");
+	const ext = hdf.extensions ?? {};
+	const format = strVal(ext, "checklistFormat") || "ckl";
+	const cklbVersion = strVal(ext, "cklbVersion");
+	const asset = buildAsset(hdf, ext);
+	const stigs = hdf.baselines.map(baselineToStig);
+	return {
+		format,
+		cklbVersion: cklbVersion || void 0,
+		asset,
+		stigs
+	};
+}
+function buildAsset(hdf, ext) {
+	const asset = {};
+	const comp = hdf.components?.[0];
+	if (comp) {
+		asset.hostName = comp.name;
+		asset.hostIP = comp.ipAddress;
+		asset.hostFQDN = comp.fqdn;
+		asset.hostMAC = comp.macAddress;
+	}
+	const ax = ext["assetExtras"];
+	if (ax && typeof ax === "object") {
+		const a = ax;
+		asset.role = strVal(a, "role");
+		asset.assetType = strVal(a, "assetType");
+		asset.marking = strVal(a, "marking");
+		asset.targetKey = strVal(a, "targetKey");
+		asset.techArea = strVal(a, "techArea");
+		asset.targetComment = strVal(a, "targetComment");
+		asset.webDBSite = strVal(a, "webDbSite");
+		asset.webDBInstance = strVal(a, "webDbInstance");
+		asset.classification = strVal(a, "classification");
+		asset.webOrDatabase = a["webOrDatabase"] === true;
+	}
+	return asset;
+}
+function baselineToStig(bl) {
+	const ext = bl.extensions ?? {};
+	return {
+		stigID: strVal(ext, "stigid") || bl.title || "",
+		title: bl.title,
+		version: bl.version,
+		uuid: strVal(ext, "uuid"),
+		releaseInfo: strVal(ext, "releaseInfo"),
+		displayName: strVal(ext, "displayName"),
+		referenceIdentifier: strVal(ext, "referenceIdentifier"),
+		classification: strVal(ext, "classification"),
+		vulns: bl.requirements.map(requirementToVuln)
+	};
+}
+function requirementToVuln(req) {
+	const tags = req.tags ?? {};
+	const descs = req.descriptions ?? [];
+	return {
+		vulnNum: req.id,
+		ruleID: strVal(tags, "rid"),
+		ruleVer: strVal(tags, "stig_id"),
+		groupID: strVal(tags, "group_id") || req.id,
+		groupTitle: strVal(tags, "gtitle"),
+		ruleTitle: req.title,
+		weight: strVal(tags, "weight"),
+		severity: resolveSeverity(req, tags),
+		vulnDiscuss: descData(descs, "default"),
+		checkContent: descData(descs, "check"),
+		fixText: descData(descs, "fix"),
+		ccis: resolveCcis(tags),
+		legacyIDs: strSlice(tags, "legacy_ids"),
+		status: statusFromHdf(req.results?.[0]?.status),
+		findingDetails: req.results?.[0]?.message,
+		extra: extractCklMetadata(tags)
+	};
+}
+function resolveSeverity(req, tags) {
+	const tagSev = strVal(tags, "severity");
+	if (tagSev) return tagSev;
+	if (req.severity) return String(req.severity).toLowerCase();
+	const i = req.impact ?? 0;
+	if (i >= .7) return "high";
+	if (i >= .4) return "medium";
+	if (i > 0) return "low";
+	return "";
+}
+function resolveCcis(tags) {
+	const direct = strSlice(tags, "cci");
+	if (direct.length > 0) return direct;
+	const nist = strSlice(tags, "nist");
+	if (nist.length > 0) {
+		const ccis = nistToCci(nist);
+		if (ccis.length > 0) return ccis;
+	}
+	return [];
+}
+function extractCklMetadata(tags) {
+	const meta = tags["cklMetadata"];
+	if (!meta || typeof meta !== "object") return void 0;
+	const out = {};
+	for (const [k, v] of Object.entries(meta)) if (typeof v === "string") out[k] = v;
+	return Object.keys(out).length > 0 ? out : void 0;
+}
+function descData(descs, label) {
+	return descs.find((d) => d.label === label)?.data ?? "";
+}
+function strVal(m, key) {
+	const v = m[key];
+	return typeof v === "string" ? v : "";
+}
+function strSlice(m, key) {
+	const v = m[key];
+	if (Array.isArray(v)) return v.filter((e) => typeof e === "string");
+	return [];
+}
+//#endregion
+//#region converters/ckl-to-hdf/typescript/converter.ts
+/**
+* Convert a DISA STIG Viewer .ckl document to HDF Results JSON.
+*
+* Parsing and the HDF mapping live in the shared checklist module. v3.2
+* classification: controlType is derived per-VULN from CCI->NIST;
+* verificationMethod and applicability are omitted (the checklist format
+* cannot substantiate them — see the Go package doc and build-converter
+* skill Step 4d).
+*/
+async function convertCklToHdf(input) {
+	validateInputSize(input, "ckl-to-hdf");
+	const resultsChecksum = await inputChecksum(input);
+	const checklist = parseCkl(input);
+	return JSON.stringify(checklistToHdf(checklist, resultsChecksum, "ckl-to-hdf"), null, 2);
+}
+//#endregion
+//#region converters/cklb-to-hdf/typescript/converter.ts
+/**
+* Convert a DISA STIG Viewer 3.x .cklb document to HDF Results JSON.
+*
+* Parsing and the HDF mapping live in the shared checklist module. v3.2
+* classification: controlType is derived per-rule from CCI->NIST;
+* verificationMethod and applicability are omitted (the checklist format
+* cannot substantiate them — see the Go package doc and build-converter
+* skill Step 4d).
+*/
+async function convertCklbToHdf(input) {
+	validateInputSize(input, "cklb-to-hdf");
+	const resultsChecksum = await inputChecksum(input);
+	const checklist = parseCklb(input);
+	return JSON.stringify(checklistToHdf(checklist, resultsChecksum, "cklb-to-hdf"), null, 2);
+}
+//#endregion
+//#region converters/hdf-to-ckl/typescript/converter.ts
+/**
+* Convert HDF Results JSON into a DISA STIG Viewer checklist (.ckl XML).
+*
+* This is a thin wrapper over the shared checklist module, mirroring the
+* hdf-to-csv reverse converter. It produces a STIG Viewer 2.x .ckl from ANY
+* HDF: when the HDF carries checklist passthrough (extensions/tags written by
+* a prior ckl/cklb-to-hdf conversion) the original fields are reproduced
+* losslessly; otherwise the required checklist fields are synthesized
+* best-effort (id->Vuln_Num, nist->CCI reverse, status reverse) with safe
+* defaults. Mirrors heimdall2 PR #4841.
+*
+* @param input HDF Results JSON string
+* @returns CKL XML string (with the `<?xml ...?>` header)
+*/
+function convertHdfToCkl(input) {
+	return serializeCkl(hdfToChecklist(input));
+}
+//#endregion
+//#region converters/hdf-to-cklb/typescript/converter.ts
+/**
+* Convert HDF Results JSON into a DISA STIG Viewer 3.x checklist (.cklb, JSON).
+*
+* The HDF->checklist mapping and CKLB serialization live in the shared
+* checklist module; this converter is a thin wrapper. Any HDF input produces a
+* valid CKLB: when the HDF carries checklist passthrough (it originated from a
+* CKL/CKLB via the reverse converters), the original fields are reproduced
+* losslessly; otherwise the required checklist fields are synthesized
+* best-effort from the HDF requirements, tags, and results.
+*
+* @param input HDF Results JSON string
+* @returns CKLB JSON string
+*/
+function convertHdfToCklb(input) {
+	return serializeCklb(hdfToChecklist(input));
+}
+//#endregion
 //#region converters/snyk-to-hdf/typescript/converter.ts
 /**
 * Formats the "from" array as a human-readable dependency path.
@@ -1221,7 +2217,28 @@ function formatDependencyPath(from) {
 /**
 * Builds a single EvaluatedRequirement from a group of vulnerabilities sharing an ID.
 */
-function buildRequirement$15(vulnID, vulns) {
+/**
+* Map Snyk's `packageManager` value to an Affected_Package ecosystem.
+* Snyk reports values that don't always match PURL types one-to-one
+* (pip → pypi, rubygems → gem, yarn → npm). Unknown managers fall back
+* to `generic`.
+*/
+function ecosystemFromSnykPackageManager(pm) {
+	if (!pm) return Ecosystem.Generic;
+	const lower = pm.toLowerCase();
+	if (lower === "pip" || lower === "pip3") return Ecosystem.Pypi;
+	if (lower === "rubygems" || lower === "bundler") return Ecosystem.Gem;
+	if (lower === "yarn" || lower === "npm") return Ecosystem.Npm;
+	return ecosystemFromPurlType(lower);
+}
+/** Synthesize a `pkg:<type>/<name>@<version>` PURL when the ecosystem
+*  maps cleanly. Returns undefined for `generic` so we don't emit a
+*  fake `pkg:generic/...` PURL that downstream tools can't dereference. */
+function synthesizePurl(ecosystem, name, version) {
+	if (ecosystem === Ecosystem.Generic) return void 0;
+	return `pkg:${ecosystem}/${name}@${version}`;
+}
+function buildRequirement$16(vulnID, vulns, packageManager) {
 	const rep = vulns[0];
 	const cweIDs = rep.identifiers.CWE ?? [];
 	const nist = mapCWEToNIST(cweIDs, DEFAULT_STATIC_ANALYSIS_NIST_TAGS);
@@ -1237,7 +2254,24 @@ function buildRequirement$15(vulnID, vulns) {
 		data: rep.description
 	}];
 	const results = vulns.map((vuln) => createResult(ResultStatus.Failed, void 0, { codeDesc: formatDependencyPath(vuln.from) }));
-	return createRequirement(vulnID, rep.title, descriptions, severityToImpact(rep.severity), results, { tags });
+	const req = createRequirement(vulnID, rep.title, descriptions, severityToImpact(rep.severity), results, { tags });
+	const controlType = deriveControlTypeFromTags(nist);
+	if (controlType !== void 0) req.controlType = controlType;
+	req.verificationMethod = VerificationMethodEnum.Automated;
+	const name = rep.packageName ?? rep.moduleName;
+	const version = rep.version;
+	if (name && version) {
+		const ecosystem = ecosystemFromSnykPackageManager(packageManager);
+		const pkg = buildAffectedPackage$1({
+			name,
+			version,
+			ecosystem,
+			purl: synthesizePurl(ecosystem, name, version),
+			fixedInVersion: rep.fixedIn?.[0]
+		});
+		if (pkg) req.affectedPackages = [pkg];
+	}
+	return req;
 }
 /**
 * Converts a single Snyk project report to an HDF baseline.
@@ -1253,7 +2287,11 @@ function convertSingleProject(report, resultsChecksum) {
 		else groups.set(vuln.id, [vuln]);
 	}
 	const requirements = [];
-	for (const [vulnID, vulns] of groups) requirements.push(buildRequirement$15(vulnID, vulns));
+	for (const [vulnID, vulns] of groups) requirements.push(buildRequirement$16(vulnID, vulns, report.packageManager));
+	if (requirements.length === 0) {
+		const target = report.projectName ?? report.path ?? "project";
+		requirements.push(buildNoFindingsRequirement("snyk-no-findings", `Snyk scanned ${target} and reported zero vulnerable components.`, /* @__PURE__ */ new Date()));
+	}
 	return createMinimalBaseline("Snyk Scan", requirements, {
 		resultsChecksum,
 		title: `Snyk Project: ${report.projectName ?? ""} Snyk Path: ${report.path ?? ""}`,
@@ -1298,7 +2336,7 @@ async function convertSnykToHdf(input) {
 		baselines,
 		components: [{
 			name: targetName,
-			type: Copyright.Application
+			type: TargetType.Application
 		}],
 		timestamp: /* @__PURE__ */ new Date()
 	});
@@ -1313,7 +2351,7 @@ const IMPACT_MAPPING$8 = new Map([
 	["negligible", 0],
 	["unknown", .5]
 ]);
-function getImpact$8(severity) {
+function getImpact$9(severity) {
 	if (!severity) return .5;
 	return IMPACT_MAPPING$8.get(severity.toLowerCase()) ?? .5;
 }
@@ -1366,11 +2404,97 @@ function buildCodeDesc$8(match) {
 	}
 	return parts.join(" | ");
 }
+function cvssVersionToSchema(v) {
+	switch (v) {
+		case "2.0": return Version.The20;
+		case "3.0": return Version.The30;
+		case "4.0": return Version.The40;
+		default: return Version.The31;
+	}
+}
+function cvssBandSeverity(score) {
+	switch (cvssScoreToSeverity(score)) {
+		case "critical": return CVSSSeverity.Critical;
+		case "high": return CVSSSeverity.High;
+		case "medium": return CVSSSeverity.Medium;
+		case "low": return CVSSSeverity.Low;
+		default: return CVSSSeverity.None;
+	}
+}
+function buildCvssEntries$1(vuln) {
+	if (!vuln.cvss || vuln.cvss.length === 0) return;
+	const entries = [];
+	for (const c of vuln.cvss) {
+		const entry = { version: cvssVersionToSchema(c.version) };
+		if (c.vector) entry.baseVector = c.vector;
+		const score = c.metrics?.baseScore;
+		if (typeof score === "number" && Number.isFinite(score)) {
+			entry.baseScore = score;
+			entry.baseSeverity = cvssBandSeverity(score);
+		}
+		if (vuln.id) entry.source = vuln.id;
+		if (entry.baseVector === void 0 && entry.baseScore === void 0) continue;
+		entries.push(entry);
+	}
+	return entries.length > 0 ? entries : void 0;
+}
+function mapGrypeTypeToEcosystem(grypeType) {
+	switch ((grypeType ?? "").toLowerCase()) {
+		case "rpm": return Ecosystem.RPM;
+		case "deb": return Ecosystem.Deb;
+		case "npm": return Ecosystem.Npm;
+		case "python": return Ecosystem.Pypi;
+		case "gem": return Ecosystem.Gem;
+		case "go-module": return Ecosystem.Go;
+		case "java-archive":
+		case "jenkins-plugin": return Ecosystem.Maven;
+		case "dotnet": return Ecosystem.Nuget;
+		case "rust-crate": return Ecosystem.Cargo;
+		default: return Ecosystem.Generic;
+	}
+}
+function buildAffectedPackages(match) {
+	const artifact = match.artifact;
+	const pkg = {
+		name: artifact.name,
+		version: artifact.version,
+		ecosystem: mapGrypeTypeToEcosystem(artifact.type)
+	};
+	if (artifact.cpes && artifact.cpes.length > 0 && artifact.cpes[0]) pkg.cpe = artifact.cpes[0];
+	if (artifact.purl) pkg.purl = artifact.purl;
+	const fix = match.vulnerability.fix;
+	if (fix && fix.state === "fixed" && fix.versions && fix.versions.length > 0 && fix.versions[0]) pkg.fixedInVersion = fix.versions[0];
+	return [pkg];
+}
+const CWE_ID_PATTERN = /^CWE-[1-9]\d*$/;
+function extractCwe(raw) {
+	if (!raw || raw.length === 0) return void 0;
+	const out = raw.filter((c) => CWE_ID_PATTERN.test(c));
+	return out.length === 0 ? void 0 : out;
+}
+function buildEpss$1(entries) {
+	if (!entries || entries.length === 0) return void 0;
+	const e = entries[0];
+	if (!e.date) return void 0;
+	return {
+		score: e.epss ?? 0,
+		percentile: e.percentile ?? 0,
+		date: e.date
+	};
+}
+function buildKev(k) {
+	if (!k) return void 0;
+	const out = { inKev: Boolean(k.inKev) };
+	if (k.dateAdded) out.dateAdded = k.dateAdded;
+	if (k.dueDate) out.dueDate = k.dueDate;
+	if (k.notes) out.notes = k.notes;
+	return out;
+}
 function convertMatchToRequirement(match, isIgnored) {
 	const vuln = match.vulnerability;
 	const cveId = vuln.id;
 	const severity = vuln.severity;
-	const impact = getImpact$8(severity);
+	const impact = getImpact$9(severity);
 	const description = getDescription(vuln, match.relatedVulnerabilities);
 	const fixInfo = getFixInfo(vuln.fix);
 	const cvssInfo = getCVSSInfo(vuln, match.relatedVulnerabilities);
@@ -1392,7 +2516,7 @@ function convertMatchToRequirement(match, isIgnored) {
 		startTime: /* @__PURE__ */ new Date("0001-01-01T00:00:00Z")
 	};
 	const tags = buildNistCciTags(DEFAULT_STATIC_ANALYSIS_NIST_TAGS, nistToCci(DEFAULT_STATIC_ANALYSIS_NIST_TAGS));
-	return {
+	const requirement = {
 		id: isIgnored ? `Grype-Ignored-Match/${cveId}` : `Grype/${cveId}`,
 		impact,
 		results: [result],
@@ -1411,8 +2535,21 @@ function convertMatchToRequirement(match, isIgnored) {
 				data: cvssInfo
 			}
 		],
-		refs: refs.length > 0 ? refs.map((url) => ({ url })) : void 0
+		refs: refs.length > 0 ? refs.map((url) => ({ url })) : void 0,
+		verificationMethod: VerificationMethodEnum.Automated
 	};
+	const controlType = deriveControlTypeFromTags(DEFAULT_STATIC_ANALYSIS_NIST_TAGS);
+	if (controlType !== void 0) requirement.controlType = controlType;
+	const cvss = buildCvssEntries$1(vuln);
+	if (cvss) requirement.cvss = cvss;
+	requirement.affectedPackages = buildAffectedPackages(match);
+	const cwe = extractCwe(vuln.cwe);
+	if (cwe) requirement.cwe = cwe;
+	const epss = buildEpss$1(vuln.epss);
+	if (epss) requirement.epss = epss;
+	const kev = buildKev(vuln.kev);
+	if (kev) requirement.kev = kev;
+	return requirement;
 }
 async function convertGrypeToHdf(input) {
 	validateInputSize(input, "grype");
@@ -1432,6 +2569,7 @@ async function convertGrypeToHdf(input) {
 		for (const match of limitedIgnored) requirements.push(convertMatchToRequirement(match, true));
 	}
 	const targetName = grypeData.source?.target?.userInput || "Grype Scan";
+	if (requirements.length === 0) requirements.push(buildNoFindingsRequirement("grype-no-findings", `Grype scanned ${targetName} and reported zero vulnerable components.`, /* @__PURE__ */ new Date()));
 	const baseline = createMinimalBaseline(targetName, requirements, { resultsChecksum });
 	return buildHdfResults({
 		generatorName: grypeData.descriptor?.name || "grype",
@@ -1440,7 +2578,7 @@ async function convertGrypeToHdf(input) {
 		toolVersion: grypeData.descriptor?.version,
 		baselines: [baseline],
 		components: [{
-			type: Copyright.Artifact,
+			type: TargetType.Artifact,
 			name: targetName
 		}],
 		timestamp: grypeData.descriptor?.timestamp ? new Date(grypeData.descriptor.timestamp) : /* @__PURE__ */ new Date()
@@ -1448,6 +2586,8 @@ async function convertGrypeToHdf(input) {
 }
 //#endregion
 //#region converters/nessus-to-hdf/typescript/converter.ts
+const CVE_SOURCE_RE = /^CVE-\d{4}-\d{4,}$/;
+const CWE_PATTERN = /CWE[- ]?(\d+)/gi;
 const converterVersion = "1.0.0";
 const IMPACT_MAPPING$7 = {
 	"4": .9,
@@ -1475,7 +2615,9 @@ async function convertNessusToHdf(nessusXml) {
 		"preference",
 		"tag",
 		"ReportItem",
-		"ReportHost"
+		"ReportHost",
+		"cwe",
+		"cve"
 	]);
 	const policyName = parsed.NessusClientData_v2.Policy.policyName;
 	const version = extractVersion(parsed);
@@ -1497,7 +2639,7 @@ async function convertNessusToHdf(nessusXml) {
 		components,
 		statistics: { duration },
 		generator: {
-			name: "hdf-converters",
+			name: "nessus-to-hdf",
 			version: converterVersion
 		},
 		tool: { name: "Nessus" },
@@ -1544,6 +2686,12 @@ function convertReportHostToBaseline(host, policyName, version, resultsChecksum)
 		if (truncatedItems) console.warn(`WARNING: Input truncated at ${limitedItems.length} ReportItem items (original: ${items.length})`);
 		requirements = limitedItems.map((item) => convertReportItemToRequirement(item, host));
 	} else requirements = [];
+	if (requirements.length === 0) {
+		const target = host.name || getHostPropertyValue(host, "host-ip") || "host";
+		const startTimeStr = getHostPropertyValue(host, "HOST_START");
+		const startTime = startTimeStr ? new Date(startTimeStr) : /* @__PURE__ */ new Date();
+		requirements = [buildNoFindingsRequirement("nessus-no-findings", `Nessus scanned ${target} and reported zero findings.`, startTime)];
+	}
 	return createMinimalBaseline(`Nessus ${policyName}`, requirements, {
 		title: `Nessus ${policyName}`,
 		version,
@@ -1554,17 +2702,164 @@ function convertReportHostToBaseline(host, policyName, version, resultsChecksum)
 }
 function convertReportItemToRequirement(item, host) {
 	const isCompliance = !!item["compliance-reference"];
+	const id = isCompliance ? parseComplianceRef(item["compliance-reference"], "Vuln-ID")[0] || item["pluginID"] : item["pluginID"];
+	const title = isCompliance ? item["compliance-check-name"] || item["pluginName"] : item["pluginName"];
+	const descriptions = buildDescriptions(item, isCompliance);
+	const impact = calculateImpact(item, isCompliance);
+	const tags = buildTags$2(item, isCompliance);
+	const refs = buildRefs(item);
+	const results = [buildResult$1(item, host, isCompliance)];
+	const code = JSON.stringify(item, null, 2);
+	const nistTags = tags["nist"];
+	const controlType = deriveControlTypeFromTags(nistTags ?? []);
+	const verificationMethod = deriveVerificationMethod(code);
+	const req = {
+		id,
+		title,
+		descriptions,
+		impact,
+		tags,
+		refs,
+		results,
+		code
+	};
+	if (controlType !== void 0) req.controlType = controlType;
+	if (verificationMethod !== void 0) req.verificationMethod = verificationMethod;
+	if (!isCompliance) {
+		const cvssEntries = buildCvssEntries(item);
+		if (cvssEntries.length > 0) req.cvss = cvssEntries;
+		const cweIDs = buildCweIDs(item);
+		if (cweIDs.length > 0) req.cwe = cweIDs;
+		const epss = buildEpss(item, host);
+		if (epss !== void 0) req.epss = epss;
+	}
+	return req;
+}
+/**
+* Build a structured Cvss entry for a CVE finding. Returns an array because
+* the schema models cvss as a multi-entry array (Nessus emits one entry per
+* item; multi-vendor convergence may yield more).
+*/
+function buildCvssEntries(item) {
+	const source = (item.cvss_score_source || "").trim();
+	if (!source || !CVE_SOURCE_RE.test(source)) return [];
+	const hasV3 = !!(item.cvss3_vector || item.cvss3_base_score);
+	const hasV2 = !!(item.cvss_vector || item.cvss_base_score);
+	if (!hasV3 && !hasV2) return [];
+	let version;
+	let baseVector;
+	let baseScore;
+	let threatVector;
+	let threatScore;
+	if (hasV3) {
+		version = detectV3Version(item.cvss3_vector ?? "");
+		baseVector = item.cvss3_vector || void 0;
+		baseScore = parseFloatOrUndef(item.cvss3_base_score);
+		threatVector = stripVersionPrefix(item.cvss3_temporal_vector);
+		threatScore = item.cvss3_temporal_score ? parseFloatSafe(item.cvss3_temporal_score) : void 0;
+	} else {
+		version = Version.The20;
+		baseVector = stripV2Prefix(item.cvss_vector ?? "") || void 0;
+		baseScore = parseFloatOrUndef(item.cvss_base_score);
+		threatVector = stripV2Prefix(item.cvss_temporal_vector ?? "") || void 0;
+		threatScore = item.cvss_temporal_score ? parseFloatSafe(item.cvss_temporal_score) : void 0;
+	}
+	const entry = {
+		version,
+		source
+	};
+	if (baseVector) entry.baseVector = baseVector;
+	if (baseScore !== void 0) {
+		entry.baseScore = baseScore;
+		const baseSeverity = mapCvssSeverity(baseScore);
+		if (baseSeverity !== void 0) entry.baseSeverity = baseSeverity;
+	}
+	if (threatVector !== void 0 && threatVector !== "") entry.threatVector = threatVector;
+	if (threatScore !== void 0) {
+		entry.threatScore = threatScore;
+		entry.computedScore = threatScore;
+		const computedSeverity = mapCvssSeverity(threatScore);
+		if (computedSeverity !== void 0) entry.computedSeverity = computedSeverity;
+	}
+	return [entry];
+}
+function detectV3Version(vector) {
+	if (vector.startsWith("CVSS:3.1/")) return Version.The31;
+	if (vector.startsWith("CVSS:3.0/")) return Version.The30;
+	return Version.The30;
+}
+function stripVersionPrefix(vector) {
+	if (!vector) return void 0;
+	for (const prefix of [
+		"CVSS:3.0/",
+		"CVSS:3.1/",
+		"CVSS:4.0/"
+	]) if (vector.startsWith(prefix)) return vector.slice(prefix.length);
+	return vector;
+}
+function stripV2Prefix(vector) {
+	return vector.startsWith("CVSS2#") ? vector.slice(6) : vector;
+}
+function parseFloatSafe(s) {
+	if (!s) return 0;
+	const f = Number.parseFloat(s);
+	return Number.isFinite(f) ? f : 0;
+}
+function parseFloatOrUndef(s) {
+	if (s === void 0 || s === "") return void 0;
+	const f = Number.parseFloat(s);
+	return Number.isFinite(f) ? f : void 0;
+}
+function mapCvssSeverity(score) {
+	switch (cvssScoreToSeverity(score)) {
+		case "critical": return CVSSSeverity.Critical;
+		case "high": return CVSSSeverity.High;
+		case "medium": return CVSSSeverity.Medium;
+		case "low": return CVSSSeverity.Low;
+		case "none": return CVSSSeverity.None;
+		default: return;
+	}
+}
+/**
+* Extract CWE IDs from a ReportItem's <cwe> elements. Nessus emits bare
+* numeric IDs (e.g. <cwe>200</cwe>); occasionally pipe-separated or prefixed
+* forms appear. Output is "CWE-N" form per schema convention.
+*/
+function buildCweIDs(item) {
+	if (!item.cwe) return [];
+	const raws = Array.isArray(item.cwe) ? item.cwe : [item.cwe];
+	const seen = /* @__PURE__ */ new Set();
+	for (const raw of raws) {
+		const text = String(raw);
+		for (const m of text.matchAll(CWE_PATTERN)) if (m[1]) seen.add(m[1]);
+		for (const tok of text.split(/[^0-9]+/)) if (tok !== "") seen.add(tok);
+	}
+	if (seen.size === 0) return [];
+	return [...seen].sort().map((id) => `CWE-${id}`);
+}
+/**
+* Build a structured Epss entry when the ReportItem includes EPSS data.
+* The date is derived from the host's HOST_START in YYYY-MM-DD form.
+*/
+function buildEpss(item, host) {
+	const hasScore = item.epss_score !== void 0 && item.epss_score !== "";
+	const hasPct = item.epss_percentile !== void 0 && item.epss_percentile !== "";
+	if (!hasScore && !hasPct) return void 0;
+	const date = epssDate(host);
+	if (date === void 0) return void 0;
 	return {
-		id: isCompliance ? parseComplianceRef(item["compliance-reference"], "Vuln-ID")[0] || item["pluginID"] : item["pluginID"],
-		title: isCompliance ? item["compliance-check-name"] || item["pluginName"] : item["pluginName"],
-		descriptions: buildDescriptions(item, isCompliance),
-		impact: calculateImpact(item, isCompliance),
-		tags: buildTags$2(item, isCompliance),
-		refs: buildRefs(item),
-		results: [buildResult$1(item, host, isCompliance)],
-		code: JSON.stringify(item, null, 2)
+		date,
+		score: hasScore ? parseFloatSafe(item.epss_score) : 0,
+		percentile: hasPct ? parseFloatSafe(item.epss_percentile) : 0
 	};
 }
+function epssDate(host) {
+	const hs = getHostPropertyValue(host, "HOST_START");
+	if (hs) {
+		const d = new Date(hs);
+		if (!Number.isNaN(d.getTime())) return d.toISOString().slice(0, 10);
+	}
+}
 function buildDescriptions(item, isCompliance) {
 	const descriptions = [];
 	if (isCompliance && item["compliance-info"]) descriptions.push({
@@ -1625,7 +2920,7 @@ function buildTags$2(item, isCompliance) {
 }
 function buildRefs(item) {
 	const refs = [];
-	if (item.see_also) refs.push({ url: item.see_also });
+	if (item.see_also) for (const url of item.see_also.split(/\s+/).filter(Boolean)) refs.push({ url });
 	return refs.length > 0 ? refs : void 0;
 }
 function buildResult$1(item, host, isCompliance) {
@@ -1667,7 +2962,7 @@ function convertReportHostToTarget(host) {
 	});
 	const target = {
 		name: hostName,
-		type: Copyright.Host
+		type: TargetType.Host
 	};
 	if (isFQDN(hostName)) target.fqdn = hostName;
 	const hostIp = hostProps["host-ip"];
@@ -1735,18 +3030,40 @@ async function convertSonarqubeToHdf(input) {
 		const baseline = convertProjectToBaseline(projectKey, issues, componentMap, ruleMap, resultsChecksum);
 		baselines.push(baseline);
 	}
+	let components = Array.from(issuesByProject.keys()).map((projectKey) => ({
+		type: TargetType.Application,
+		name: projectKey
+	}));
+	if (baselines.length === 0) {
+		const targetName = deriveEmptyScanTarget(sonarData.components);
+		baselines.push({
+			name: targetName,
+			title: `SonarQube Analysis for ${targetName}`,
+			requirements: [buildNoFindingsRequirement("sonarqube-no-findings", `SonarQube scanned ${targetName} and reported zero findings.`, /* @__PURE__ */ new Date())],
+			resultsChecksum
+		});
+		components = [{
+			type: TargetType.Application,
+			name: targetName
+		}];
+	}
 	return buildHdfResults({
 		generatorName: "sonarqube-to-hdf",
 		converterVersion: "1.0.0",
 		toolName: "SonarQube",
 		baselines,
-		components: Array.from(issuesByProject.keys()).map((projectKey) => ({
-			type: Copyright.Application,
-			name: projectKey
-		})),
+		components,
 		timestamp: /* @__PURE__ */ new Date()
 	});
 }
+function deriveEmptyScanTarget(components) {
+	if (components) {
+		const project = components.find((c) => c.qualifier === "TRK");
+		if (project) return project.key;
+		if (components.length > 0) return components[0].key;
+	}
+	return "the SonarQube project";
+}
 function convertProjectToBaseline(projectKey, issues, componentMap, ruleMap, resultsChecksum) {
 	const issuesByRule = /* @__PURE__ */ new Map();
 	for (const issue of issues) {
@@ -1786,7 +3103,11 @@ function convertRuleToRequirement(ruleKey, issues, componentMap, ruleMap) {
 		...allTags
 	} };
 	if (sourceLocation) options.sourceLocation = sourceLocation;
-	return createRequirement(ruleKey, title, [createDescription("default", description)], impact, results, options);
+	const req = createRequirement(ruleKey, title, [createDescription("default", description)], impact, results, options);
+	const controlType = deriveControlTypeFromTags(nistControls);
+	if (controlType !== void 0) req.controlType = controlType;
+	req.verificationMethod = VerificationMethodEnum.Automated;
+	return req;
 }
 function extractDescription(rule) {
 	if (!rule) return "";
@@ -1905,7 +3226,21 @@ function buildResult(r) {
 		...startTime ? { startTime } : {}
 	});
 }
-function buildRequirement$14(rule) {
+/**
+* Synthesizes a single HDF result for a Config rule whose live evaluation
+* returned zero in-scope resources. The HDF schema requires `results` to have
+* minItems >= 1; this honestly signals to auditors that the rule's check ran
+* but had no scope in this account/region rather than vacuously claiming
+* "passed". See issue #80 bug 2.
+*/
+function buildNotApplicableResult(rule) {
+	const codeDesc = `AWS Config rule ${rule.ConfigRuleName} evaluated zero in-scope resources in this account/region.`;
+	return createResult(ResultStatus.NotApplicable, codeDesc, {
+		codeDesc,
+		startTime: /* @__PURE__ */ new Date()
+	});
+}
+function buildRequirement$15(rule) {
 	const nist = buildNistTags$3(rule.Source.SourceIdentifier, rule.ConfigRuleName);
 	const tags = nist.length > 0 ? { nist } : {};
 	const descriptions = [{
@@ -1916,14 +3251,18 @@ function buildRequirement$14(rule) {
 		data: buildCheckText(rule)
 	}];
 	const title = `${getAccountId(rule.ConfigRuleArn)} - ${rule.ConfigRuleName}`;
-	const results = rule.EvaluationResults.map(buildResult);
-	return createRequirement(rule.ConfigRuleId, title, descriptions, .5, results, {
+	const results = rule.EvaluationResults.length > 0 ? rule.EvaluationResults.map(buildResult) : [buildNotApplicableResult(rule)];
+	const req = createRequirement(rule.ConfigRuleId, title, descriptions, .5, results, {
 		tags,
 		sourceLocation: {
 			ref: rule.ConfigRuleArn,
 			line: 1
 		}
 	});
+	const controlType = deriveControlTypeFromTags(nist);
+	if (controlType !== void 0) req.controlType = controlType;
+	req.verificationMethod = VerificationMethodEnum.Automated;
+	return req;
 }
 /**
 * Converts an AWS Config static export (ConfigRulesFile JSON) to HDF format.
@@ -1942,7 +3281,7 @@ async function convertAwsConfigToHdf(input) {
 	/* v8 ignore next -- truncation only triggers with >100K items */
 	if (truncatedRules) console.warn(`WARNING: Input truncated at ${limitedRules.length} ConfigRule items (original: ${data.ConfigRules.length})`);
 	const baseline = {
-		...createMinimalBaseline("AWS Config", limitedRules.map(buildRequirement$14), { resultsChecksum }),
+		...createMinimalBaseline("AWS Config", limitedRules.map(buildRequirement$15), { resultsChecksum }),
 		title: "AWS Config Compliance Results",
 		version: "1.0.0",
 		maintainer: "Amazon Web Services"
@@ -1956,7 +3295,7 @@ async function convertAwsConfigToHdf(input) {
 		toolName: "AWS Config",
 		baselines: [baseline],
 		components: [{
-			type: Copyright.CloudAccount,
+			type: TargetType.CloudAccount,
 			name: `AWS Account ${accountId}`,
 			labels: {
 				account: accountId,
@@ -1968,6 +3307,120 @@ async function convertAwsConfigToHdf(input) {
 	});
 }
 //#endregion
+//#region converters/checkov-to-hdf/typescript/converter.ts
+/**
+* Maps checkov result string to HDF ResultStatus.
+*/
+function mapStatus$2(result) {
+	switch (result.toUpperCase()) {
+		case "PASSED": return ResultStatus.Passed;
+		case "FAILED": return ResultStatus.Failed;
+		case "SKIPPED": return ResultStatus.NotReviewed;
+		default: return ResultStatus.NotReviewed;
+	}
+}
+/**
+* Maps severity to impact, defaulting to 0.5 for null/unknown.
+*/
+function getImpact$8(severity) {
+	if (!severity) return .5;
+	return severityToImpact(severity);
+}
+/**
+* Converts a single CheckovCheck to an HDF RequirementResult.
+*/
+function checkToResult(check) {
+	const status = mapStatus$2(check.check_result.result);
+	const codeDesc = `Resource: ${check.resource}\nFile: ${check.file_path} (lines ${JSON.stringify(check.file_line_range)})`;
+	let message;
+	if (status === ResultStatus.NotReviewed && check.check_result.suppress_comment) message = check.check_result.suppress_comment;
+	return createResult(status, message ?? "", { codeDesc });
+}
+/**
+* Converts a group of checks sharing a check_id into one EvaluatedRequirement.
+*/
+function buildRequirement$14(checkId, checks) {
+	const rep = checks[0];
+	const impact = getImpact$8(rep.severity);
+	const tags = { nist: [...DEFAULT_STATIC_ANALYSIS_NIST_TAGS] };
+	const descriptions = [{
+		label: "default",
+		data: rep.check_name
+	}];
+	if (rep.guideline) descriptions.push({
+		label: "check",
+		data: rep.guideline
+	});
+	const results = checks.map(checkToResult);
+	const req = createRequirement(checkId, rep.check_name, descriptions, impact, results, { tags });
+	req.verificationMethod = VerificationMethodEnum.Automated;
+	const controlType = deriveControlTypeFromTags([...DEFAULT_STATIC_ANALYSIS_NIST_TAGS]);
+	if (controlType !== void 0) req.controlType = controlType;
+	return req;
+}
+/**
+* Parses checkov input which can be a single object or array.
+*/
+function parseInput(input) {
+	const parsed = parseJSON(input);
+	if (Array.isArray(parsed)) return parsed;
+	if (!parsed || typeof parsed !== "object") throw new Error("Invalid checkov structure: not a valid JSON object");
+	if (!parsed.results || typeof parsed.results !== "object") throw new Error("Invalid checkov structure: missing or invalid results field");
+	return [parsed];
+}
+/**
+* Converts checkov output to HDF format.
+* Accepts native checkov JSON (single object or array) and SARIF format.
+* SARIF input is detected automatically and delegated to the shared SARIF converter.
+*
+* @param input - checkov JSON or SARIF string
+* @returns HDF JSON string
+*/
+async function convertCheckovToHdf(input) {
+	validateInputSize(input, "checkov");
+	registerAllFingerprints();
+	const detected = detectConverter(input);
+	if (detected && detected.fingerprint.id === "sarif-to-hdf") return convertSarifToHdf(input);
+	const resultsChecksum = await inputChecksum(input);
+	const reports = parseInput(input);
+	const allChecks = [];
+	const checkTypes = [];
+	let version;
+	for (const report of reports) {
+		checkTypes.push(report.check_type);
+		if (!version && report.summary.checkov_version) version = report.summary.checkov_version;
+		allChecks.push(...report.results.passed_checks);
+		allChecks.push(...report.results.failed_checks);
+		allChecks.push(...report.results.skipped_checks);
+	}
+	const { items: limitedChecks, truncated } = limitArray(allChecks);
+	/* v8 ignore next -- truncation only triggers with >100K items */
+	if (truncated) console.warn(`WARNING: Input truncated at ${limitedChecks.length} check items (original: ${allChecks.length})`);
+	const groups = /* @__PURE__ */ new Map();
+	for (const check of limitedChecks) {
+		const existing = groups.get(check.check_id);
+		if (existing) existing.push(check);
+		else groups.set(check.check_id, [check]);
+	}
+	const requirements = [];
+	for (const [checkId, checks] of groups) requirements.push(buildRequirement$14(checkId, checks));
+	const format = checkTypes.join(", ");
+	if (requirements.length === 0) {
+		const target = format || "input";
+		requirements.push(buildNoFindingsRequirement("checkov-no-findings", `Checkov scanned ${target} and reported zero findings.`, /* @__PURE__ */ new Date()));
+	}
+	const baseline = createMinimalBaseline("Checkov Scan", requirements, { resultsChecksum });
+	return buildHdfResults({
+		generatorName: "checkov-to-hdf",
+		converterVersion: "1.0.0",
+		toolName: "Checkov",
+		toolVersion: version,
+		toolFormat: format,
+		baselines: [baseline],
+		timestamp: /* @__PURE__ */ new Date()
+	});
+}
+//#endregion
 //#region converters/gosec-to-hdf/typescript/converter.ts
 /**
 * Severity to HDF impact mapping for gosec.
@@ -2010,8 +3463,9 @@ function issueToResult(issue) {
 function buildRequirement$13(ruleId, issues) {
 	const rep = issues[0];
 	const impact = IMPACT_MAPPING$6[rep.severity.toUpperCase()] ?? .5;
+	const nist = mapCWEToNIST([rep.cwe.id], DEFAULT_REMEDIATION_NIST_TAGS$1);
 	const tags = {
-		nist: mapCWEToNIST([rep.cwe.id], DEFAULT_REMEDIATION_NIST_TAGS$1),
+		nist,
 		cwe: {
 			id: rep.cwe.id,
 			url: rep.cwe.url
@@ -2025,7 +3479,11 @@ function buildRequirement$13(ruleId, issues) {
 		label: "check",
 		data: `CWE-${rep.cwe.id}: ${rep.cwe.url}`
 	}];
-	return createRequirement(ruleId, rep.details, descriptions, impact, results, { tags });
+	const req = createRequirement(ruleId, rep.details, descriptions, impact, results, { tags });
+	req.verificationMethod = VerificationMethodEnum.Automated;
+	const controlType = deriveControlTypeFromTags(nist);
+	if (controlType !== void 0) req.controlType = controlType;
+	return req;
 }
 /**
 * Converts gosec output to HDF format.
@@ -2055,6 +3513,7 @@ async function convertGosecToHdf(input) {
 	}
 	const requirements = [];
 	for (const [ruleId, issues] of groups) requirements.push(buildRequirement$13(ruleId, issues));
+	if (requirements.length === 0) requirements.push(buildNoFindingsRequirement("gosec-no-findings", "gosec scanned Go codebase and reported zero findings.", /* @__PURE__ */ new Date()));
 	const baseline = createMinimalBaseline("gosec Scan", requirements, { resultsChecksum });
 	return buildHdfResults({
 		generatorName: "gosec-to-hdf",
@@ -2089,7 +3548,7 @@ function convertVulnToRequirement(vuln) {
 	const extras = {};
 	if (vuln.OSVDB && vuln.OSVDB !== "0") extras.osvdb = vuln.OSVDB;
 	const tags = buildNistCciTags(nistTags, cciTags, Object.keys(extras).length > 0 ? extras : void 0);
-	return {
+	const req = {
 		id: vuln.id,
 		title: vuln.msg,
 		impact: .5,
@@ -2100,6 +3559,10 @@ function convertVulnToRequirement(vuln) {
 			data: vuln.msg
 		}]
 	};
+	const controlType = deriveControlTypeFromTags(nistTags);
+	if (controlType !== void 0) req.controlType = controlType;
+	req.verificationMethod = VerificationMethodEnum.Automated;
+	return req;
 }
 async function convertNiktoToHdf(input) {
 	validateInputSize(input, "nikto");
@@ -2131,6 +3594,7 @@ async function convertNiktoToHdf(input) {
 	if (niktoData.host) targetParts.push(`Host: ${niktoData.host}`);
 	if (niktoData.port) targetParts.push(`Port: ${niktoData.port}`);
 	const targetName = targetParts.length > 0 ? targetParts.join(" ") : "Nikto Scan";
+	if (requirements.length === 0) requirements.push(buildNoFindingsRequirement("nikto-no-findings", `Nikto scanned ${targetName} and reported zero findings.`, /* @__PURE__ */ new Date()));
 	return buildHdfResults({
 		generatorName: "nikto-to-hdf",
 		converterVersion: "unknown",
@@ -2142,7 +3606,7 @@ async function convertNiktoToHdf(input) {
 			summary: niktoData.banner || ""
 		})],
 		components: [{
-			type: Copyright.Application,
+			type: TargetType.Application,
 			name: targetName
 		}]
 	});
@@ -2204,45 +3668,8 @@ async function convertZapToHdf(input) {
 	if (detected && detected.fingerprint.id === "sarif-to-hdf") return convertSarifToHdf(input);
 	const resultsChecksum = await inputChecksum(input);
 	const zapData = parseJSON(input);
-	if (!zapData.site || !Array.isArray(zapData.site)) {
-		const hdf = {
-			baselines: [createMinimalBaseline("OWASP ZAP Scan", [], {
-				resultsChecksum,
-				title: "OWASP ZAP Scan",
-				summary: ""
-			})],
-			generator: {
-				name: "zap-to-hdf",
-				version: "unknown"
-			},
-			tool: {
-				name: "OWASP ZAP",
-				format: "JSON"
-			}
-		};
-		return JSON.stringify(hdf, null, 2);
-	}
-	const site = selectSite(zapData.site);
-	if (!site) {
-		const hdf = {
-			baselines: [createMinimalBaseline("OWASP ZAP Scan", [], {
-				resultsChecksum,
-				title: "OWASP ZAP Scan",
-				summary: `ZAP Version ${zapData["@version"] ?? "unknown"}`
-			})],
-			generator: {
-				name: "zap-to-hdf",
-				version: "unknown"
-			},
-			tool: {
-				name: "OWASP ZAP",
-				format: "JSON"
-			}
-		};
-		if (zapData["@generated"]) hdf.timestamp = new Date(zapData["@generated"]);
-		return JSON.stringify(hdf, null, 2);
-	}
-	const alerts = site.alerts ?? [];
+	const site = selectSite(Array.isArray(zapData.site) ? zapData.site : []);
+	const alerts = site?.alerts ?? [];
 	const pluginIdCount = /* @__PURE__ */ new Map();
 	const { items: limitedAlerts, truncated } = limitArray(alerts);
 	/* v8 ignore next -- truncation only triggers with >100K items */
@@ -2291,14 +3718,24 @@ async function convertZapToHdf(input) {
 			impact,
 			results,
 			tags,
-			descriptions
+			descriptions,
+			verificationMethod: VerificationMethodEnum.Automated
 		};
+		const controlType = deriveControlTypeFromTags(nistTags);
+		if (controlType !== void 0) req.controlType = controlType;
 		requirements.push(req);
 	}
-	const targetName = site["@host"] ?? "Unknown Host";
+	const targetName = site?.["@host"] ?? "Unknown Host";
+	const siteName = site?.["@name"] ?? "";
+	const baselineName = site && (site["@name"] || site["@host"]) ? `OWASP ZAP Scan of ${site["@name"] ?? targetName}` : "OWASP ZAP Scan";
+	if (requirements.length === 0) {
+		let target = siteName || targetName;
+		if (!target || target === "Unknown Host") target = "the target site";
+		requirements.push(buildNoFindingsRequirement("zap-no-findings", `OWASP ZAP scanned ${target} and reported zero findings.`, /* @__PURE__ */ new Date()));
+	}
 	const baseline = createMinimalBaseline("OWASP ZAP Scan", requirements, {
 		resultsChecksum,
-		title: `OWASP ZAP Scan of ${site["@name"] ?? targetName}`,
+		title: baselineName,
 		summary: `ZAP Version ${zapData["@version"] ?? "unknown"}`
 	});
 	const tool = {
@@ -2307,14 +3744,14 @@ async function convertZapToHdf(input) {
 	};
 	if (zapData["@version"]) tool.version = zapData["@version"];
 	const components = [];
-	if (site["@name"]) components.push({
+	if (site?.["@name"]) components.push({
 		name: targetName,
-		type: Copyright.Application,
+		type: TargetType.Application,
 		url: site["@name"]
 	});
 	else if (targetName !== "Unknown Host") components.push({
 		name: targetName,
-		type: Copyright.Application
+		type: TargetType.Application
 	});
 	const hdf = {
 		baselines: [baseline],
@@ -2435,7 +3872,10 @@ async function convertCyclonedxToHdf(input) {
 		const affects = vuln.affects ?? [];
 		const results = affects.length > 0 ? affects.map((affect) => createResult(ResultStatus.Failed, void 0, { codeDesc: formatCodeDesc$4(componentLookup, affect.ref) })) : [createResult(ResultStatus.Failed, void 0, { codeDesc: `Vulnerability ${vuln.id}` })];
 		const title = vuln.source?.name ? `${vuln.id} (${vuln.source.name})` : vuln.id;
-		requirements.push(createRequirement(vuln.id, title, descriptions, impact, results, { tags }));
+		const req = createRequirement(vuln.id, title, descriptions, impact, results, { tags });
+		const controlType = deriveControlTypeFromTags(nist);
+		if (controlType !== void 0) req.controlType = controlType;
+		requirements.push(req);
 	}
 	const baseline = createMinimalBaseline("CycloneDX Scan", requirements, { resultsChecksum });
 	const targetName = bom.metadata?.component?.name ?? "";
@@ -2447,7 +3887,7 @@ async function convertCyclonedxToHdf(input) {
 		baselines: [baseline],
 		components: [{
 			name: targetName,
-			type: Copyright.Application
+			type: TargetType.Application
 		}],
 		timestamp: /* @__PURE__ */ new Date()
 	});
@@ -2501,6 +3941,9 @@ function createRow(baseline, requirement, target) {
 		"Status": String(status),
 		"NIST Controls": nistControls,
 		"CCI Controls": cciControls,
+		"Control Type": requirement.controlType ?? "",
+		"Verification Method": requirement.verificationMethod ?? "",
+		"Applicability": requirement.applicability ?? "",
 		"Result Message": message
 	};
 }
@@ -2624,7 +4067,12 @@ async function convertSplunkToHdf(input) {
 				})) : [];
 				const options = { tags: control.tags ?? {} };
 				if (control.source_location) options.sourceLocation = control.source_location;
-				return createRequirement(control.id, control.title, descriptions, control.impact, results, options);
+				const req = createRequirement(control.id, control.title, descriptions, control.impact, results, options);
+				const nistTagsRaw = control.tags?.["nist"];
+				const controlType = deriveControlTypeFromTags(Array.isArray(nistTagsRaw) ? nistTagsRaw.filter((t) => typeof t === "string") : []);
+				if (controlType !== void 0) req.controlType = controlType;
+				req.verificationMethod = VerificationMethodEnum.Automated;
+				return req;
 			});
 			const groups = convertGroups(profile.groups);
 			const baselineOptions = { resultsChecksum };
@@ -2639,7 +4087,7 @@ async function convertSplunkToHdf(input) {
 		baselines: allBaselines,
 		components: [{
 			name: targetName,
-			type: Copyright.Host,
+			type: TargetType.Host,
 			osName: targetRelease || void 0,
 			labels: {}
 		}],
@@ -2739,9 +4187,9 @@ function gitlabSeverityToImpact(severity) {
 }
 function scanTypeToTargetType(scanType) {
 	switch (scanType) {
-		case "dast": return Copyright.Application;
-		case "container_scanning": return Copyright.ContainerImage;
-		default: return Copyright.Repository;
+		case "dast": return TargetType.Application;
+		case "container_scanning": return TargetType.ContainerImage;
+		default: return TargetType.Repository;
 	}
 }
 function scanTypeLabel(scanType) {
@@ -2867,13 +4315,21 @@ async function convertGitlabToHdf(input) {
 			impact,
 			results: [result],
 			tags,
-			descriptions
+			descriptions,
+			verificationMethod: VerificationMethodEnum.Automated
 		};
+		const controlType = deriveControlTypeFromTags(nistTags);
+		if (controlType !== void 0) req.controlType = controlType;
 		requirements.push(req);
 	}
+	const label = scanTypeLabel(scanType);
+	if (requirements.length === 0) {
+		const ts = startTime ? new Date(startTime) : /* @__PURE__ */ new Date();
+		requirements.push(buildNoFindingsRequirement("gitlab-no-findings", `GitLab ${label} scan via ${scannerName} reported zero findings.`, ts));
+	}
 	const baseline = createMinimalBaseline("GitLab Security Scan", requirements, {
 		resultsChecksum,
-		title: `GitLab ${scanTypeLabel(scanType)} Security Scan`,
+		title: `GitLab ${label} Security Scan`,
 		summary: `Scanner: ${scannerName}${scannerVersion ? ` v${scannerVersion}` : ""}`
 	});
 	const tool = {
@@ -3004,13 +4460,17 @@ function buildRequirement$12(reqID, findings) {
 	}));
 	const sourceFile = getSourceFile(rep);
 	const sourceLine = getSourceLine(rep);
-	return createRequirement(reqID, title, descriptions, .5, results, {
+	const req = createRequirement(reqID, title, descriptions, .5, results, {
 		tags,
 		sourceLocation: sourceFile ? {
 			ref: sourceFile,
 			line: sourceLine
 		} : void 0
 	});
+	const controlType = deriveControlTypeFromTags(TRUFFLEHOG_NIST);
+	if (controlType !== void 0) req.controlType = controlType;
+	req.verificationMethod = VerificationMethodEnum.Automated;
+	return req;
 }
 /**
 * Converts TruffleHog output to HDF format.
@@ -3023,19 +4483,22 @@ async function convertTrufflehogToHdf(input) {
 	if (!input || input.trim().length === 0) throw new Error("trufflehog: empty input");
 	validateInputSize(input, "trufflehog");
 	const findings = parseFindings(input);
-	if (findings.length === 0) throw new Error("trufflehog: no findings in input");
 	const resultsChecksum = await inputChecksum(input);
 	const limitedFindings = limitArrayWithWarning(findings, "finding");
 	const groups = groupFindings(limitedFindings);
 	const requirements = [];
 	for (const [reqID, group] of groups) requirements.push(buildRequirement$12(reqID, group));
+	if (requirements.length === 0) {
+		const target = findGitRepoURL(limitedFindings) ?? limitedFindings[0]?.SourceName ?? "the target source";
+		requirements.push(buildNoFindingsRequirement("trufflehog-no-findings", `TruffleHog scanned ${target} and reported zero findings.`, /* @__PURE__ */ new Date()));
+	}
 	const hdf = {
 		baselines: [createMinimalBaseline("TruffleHog Scan", requirements, {
 			resultsChecksum,
 			title: `TruffleHog Scan (${limitedFindings[0]?.SourceName ?? "trufflehog"})`
 		})],
 		generator: {
-			name: "hdf-converters",
+			name: "trufflehog-to-hdf",
 			version: "1.0.0"
 		},
 		tool: {
@@ -3047,7 +4510,7 @@ async function convertTrufflehogToHdf(input) {
 	const repoURL = findGitRepoURL(limitedFindings);
 	if (repoURL) hdf.components = [{
 		name: repoURL,
-		type: Copyright.Repository
+		type: TargetType.Repository
 	}];
 	return JSON.stringify(hdf, null, 2);
 }
@@ -3109,6 +4572,7 @@ async function convertBurpsuiteToHdf(input) {
 	const requirements = [];
 	for (const [issueType, groupIssues] of groups) requirements.push(buildRequirement$11(issueType, groupIssues));
 	const targetName = limitedIssues.length > 0 ? (limitedIssues[0].host?.["#text"] ?? "Unknown").trim() : "Unknown";
+	if (requirements.length === 0) requirements.push(buildNoFindingsRequirement("burpsuite-no-findings", `Burp Suite scanned ${targetName} and reported zero findings.`, /* @__PURE__ */ new Date()));
 	const baseline = createMinimalBaseline("BurpSuite Scan", requirements, {
 		resultsChecksum,
 		title: `BurpSuite Scan: ${targetName}`
@@ -3122,7 +4586,7 @@ async function convertBurpsuiteToHdf(input) {
 		baselines: [baseline],
 		components: [{
 			name: targetName,
-			type: Copyright.Application
+			type: TargetType.Application
 		}],
 		generator: {
 			name: "burpsuite-to-hdf",
@@ -3165,14 +4629,18 @@ function buildRequirement$11(issueType, issues) {
 		};
 	});
 	const impact = getImpact$7(rep.severity ?? "information");
-	return {
+	const req = {
 		id: issueType,
 		title: rep.name ?? void 0,
 		impact,
 		tags,
 		descriptions,
-		results
+		results,
+		verificationMethod: VerificationMethodEnum.Automated
 	};
+	const controlType = deriveControlTypeFromTags(nist);
+	if (controlType !== void 0) req.controlType = controlType;
+	return req;
 }
 //#endregion
 //#region converters/dbprotect-to-hdf/typescript/converter.ts
@@ -3261,7 +4729,11 @@ function buildRequirement$10(checkID, findings, hasStatus) {
 			startTime: parseDate(f["Date"] ?? "")
 		});
 	});
-	return createRequirement(checkID, rep["Check"] ?? "", descriptions, getImpact$6(rep["Risk DV"] ?? ""), results, { tags });
+	const req = createRequirement(checkID, rep["Check"] ?? "", descriptions, getImpact$6(rep["Risk DV"] ?? ""), results, { tags });
+	req.verificationMethod = VerificationMethodEnum.Automated;
+	const controlType = deriveControlTypeFromTags([...nist]);
+	if (controlType !== void 0) req.controlType = controlType;
+	return req;
 }
 /**
 * Converts DBProtect Cognos XML output to HDF format.
@@ -3311,7 +4783,7 @@ async function convertDbprotectToHdf(input) {
 		})],
 		components: [{
 			name: targetName,
-			type: Copyright.Host
+			type: TargetType.Host
 		}],
 		timestamp: /* @__PURE__ */ new Date()
 	});
@@ -3351,6 +4823,148 @@ function buildSummary(result) {
 	return `Package Vulnerability Summary: ${result.vulnerabilityDistribution ? String(result.vulnerabilityDistribution.total) : "N/A"} Application Compliance Issue Total: ${result.complianceDistribution ? String(result.complianceDistribution.total) : "N/A"}`;
 }
 /**
+* Detects CVSS schema version enum from the vector prefix. Defaults to 3.1
+* since modern Twistlock exclusively emits 3.x output.
+*/
+function cvssVersionFromVector(vector) {
+	if (!vector) return Version.The31;
+	if (vector.startsWith("CVSS:2.0/")) return Version.The20;
+	if (vector.startsWith("CVSS:3.0/")) return Version.The30;
+	if (vector.startsWith("CVSS:4.0/")) return Version.The40;
+	return Version.The31;
+}
+/**
+* Maps cvssScoreToSeverity('low'|'medium'|...) into the CVSSSeverity enum.
+*/
+function cvssSeverityFromScore(score) {
+	switch (cvssScoreToSeverity(score)) {
+		case "none": return CVSSSeverity.None;
+		case "low": return CVSSSeverity.Low;
+		case "medium": return CVSSSeverity.Medium;
+		case "high": return CVSSSeverity.High;
+		case "critical": return CVSSSeverity.Critical;
+		default: return;
+	}
+}
+/**
+* Builds a Cvss entry from a Twistlock vulnerability. Returns undefined only
+* when neither a score nor a vector is available. When the vendor emits a
+* score but no vector (common in Twistlock/Prisma Cloud output), the Cvss
+* entry is still emitted — the schema makes baseVector optional precisely
+* so vendor-final-score data isn't dropped.
+*/
+function buildCvss(vuln) {
+	const hasScore = typeof vuln.cvss === "number" && Number.isFinite(vuln.cvss);
+	const hasVector = !!vuln.vector;
+	if (!hasScore && !hasVector) return void 0;
+	const cv = { version: cvssVersionFromVector(vuln.vector) };
+	if (hasScore) {
+		cv.baseScore = vuln.cvss;
+		const sev = cvssSeverityFromScore(vuln.cvss);
+		if (sev !== void 0) cv.baseSeverity = sev;
+	}
+	if (hasVector) cv.baseVector = vuln.vector;
+	const source = vuln.cve ?? vuln.id;
+	if (source) cv.source = source;
+	return cv;
+}
+const CWE_REGEX = /cwe[-_]?(\d+)/gi;
+/**
+* Extracts canonical CWE-N identifiers from a free-form string.
+*/
+function parseCwes(raw) {
+	if (!raw) return [];
+	const out = [];
+	const seen = /* @__PURE__ */ new Set();
+	for (const m of raw.matchAll(CWE_REGEX)) {
+		const id = `CWE-${m[1]}`;
+		if (seen.has(id)) continue;
+		seen.add(id);
+		out.push(id);
+	}
+	return out;
+}
+function rhelDistro(distro) {
+	const low = distro.toLowerCase();
+	return [
+		"red hat",
+		"rhel",
+		"centos",
+		"fedora",
+		"amazon linux",
+		"oracle linux",
+		"rocky",
+		"alma"
+	].some((m) => low.includes(m));
+}
+function debDistro(distro) {
+	const low = distro.toLowerCase();
+	return ["debian", "ubuntu"].some((m) => low.includes(m));
+}
+/**
+* Maps a Twistlock package type plus the result's distro string to a schema
+* Ecosystem value. Defaults to 'generic' for unknown types.
+*/
+function resolveEcosystem(packageType, distro) {
+	const t = (packageType ?? "").toLowerCase();
+	const d = distro ?? "";
+	switch (t) {
+		case "os":
+			if (rhelDistro(d)) return Ecosystem.RPM;
+			if (debDistro(d)) return Ecosystem.Deb;
+			return Ecosystem.Generic;
+		case "rpm": return Ecosystem.RPM;
+		case "deb": return Ecosystem.Deb;
+		case "jar":
+		case "maven": return Ecosystem.Maven;
+		case "python":
+		case "pypi": return Ecosystem.Pypi;
+		case "nodejs":
+		case "npm": return Ecosystem.Npm;
+		case "gem": return Ecosystem.Gem;
+		case "nuget": return Ecosystem.Nuget;
+		case "go": return Ecosystem.Go;
+		case "cargo": return Ecosystem.Cargo;
+		default: return Ecosystem.Generic;
+	}
+}
+const FIX_VERSION_REGEX = /\d+(?:\.\d+)+[A-Za-z0-9._+\-]*/;
+/**
+* Extracts the first version-looking token from fixedBy or a "fixed in X"
+* status string. Returns empty string when no fix info is present.
+*/
+function extractFixedInVersion(vuln) {
+	if (vuln.fixedBy) return vuln.fixedBy;
+	if (!(vuln.status ?? "").toLowerCase().includes("fixed")) return "";
+	const m = (vuln.status ?? "").match(FIX_VERSION_REGEX);
+	return m ? m[0] : "";
+}
+/**
+* Builds an AffectedPackage entry from per-vulnerability fields. Returns
+* undefined when packageName or packageVersion are missing (both required).
+*/
+function buildAffectedPackage(vuln, packageTypes, distro) {
+	if (!vuln.packageName || !vuln.packageVersion) return void 0;
+	const pkgType = vuln.packageType ?? packageTypes.get(vuln.packageName);
+	const pkg = {
+		name: vuln.packageName,
+		version: vuln.packageVersion,
+		ecosystem: resolveEcosystem(pkgType, distro)
+	};
+	const fixed = extractFixedInVersion(vuln);
+	if (fixed) pkg.fixedInVersion = fixed;
+	return pkg;
+}
+/**
+* Indexes packageName → packageType from the result-level packages array.
+*/
+function buildPackageTypeIndex(pkgs) {
+	const idx = /* @__PURE__ */ new Map();
+	if (!pkgs) return idx;
+	for (const p of pkgs) if (p.name && p.type) idx.set(p.name, p.type);
+	return idx;
+}
+/**
 * Builds the code_desc string for a vulnerability result.
 */
 function formatCodeDesc$2(vuln) {
@@ -3360,10 +4974,17 @@ function formatCodeDesc$2(vuln) {
 }
 /**
 * Converts a single vulnerability into an EvaluatedRequirement.
+*
+* @param vuln - The Twistlock vulnerability object
+* @param packageTypes - name→type lookup built from the enclosing result's packages array
+* @param distro - the enclosing result's distro string, used to disambiguate "os" packages
 */
-function buildRequirement$9(vuln) {
+function buildRequirement$9(vuln, packageTypes, distro) {
 	const nist = DEFAULT_REMEDIATION_NIST_TAGS;
-	const tags = buildNistCciTags(nist, nistToCci(nist), { cveid: [vuln.id] });
+	const cciTags = nistToCci(nist);
+	const extras = { cveid: [vuln.id] };
+	if (typeof vuln.cvss === "number" && vuln.cvss > 0) extras["cvss_base_score"] = vuln.cvss;
+	const tags = buildNistCciTags(nist, cciTags, extras);
 	const descriptions = [{
 		label: "default",
 		data: vuln.description
@@ -3373,7 +4994,17 @@ function buildRequirement$9(vuln) {
 		codeDesc: formatCodeDesc$2(vuln),
 		startTime
 	})];
-	return createRequirement(vuln.id, vuln.id, descriptions, twistlockSeverityToImpact(vuln.severity), results, { tags });
+	const req = createRequirement(vuln.id, vuln.id, descriptions, twistlockSeverityToImpact(vuln.severity), results, { tags });
+	const controlType = deriveControlTypeFromTags(nist);
+	if (controlType !== void 0) req.controlType = controlType;
+	req.verificationMethod = VerificationMethodEnum.Automated;
+	const cv = buildCvss(vuln);
+	if (cv) req.cvss = [cv];
+	const cwes = parseCwes(vuln.cwe);
+	if (cwes.length > 0) req.cwe = cwes;
+	const pkg = buildAffectedPackage(vuln, packageTypes, distro);
+	if (pkg) req.affectedPackages = [pkg];
+	return req;
 }
 /**
 * Converts a single TwistlockResult to an EvaluatedBaseline.
@@ -3383,7 +5014,13 @@ function convertSingleResult(result, resultsChecksum) {
 	const { items: limitedVulns, truncated } = limitArray(vulns);
 	/* v8 ignore next -- truncation only triggers with >100K items */
 	if (truncated) console.warn(`WARNING: Input truncated at ${limitedVulns.length} vulnerability items (original: ${vulns.length})`);
-	return createMinimalBaseline("Twistlock Scan", limitedVulns.map((vuln) => buildRequirement$9(vuln)), {
+	const packageTypes = buildPackageTypeIndex(result.packages);
+	const requirements = limitedVulns.map((vuln) => buildRequirement$9(vuln, packageTypes, result.distro));
+	if (requirements.length === 0) {
+		const target = result.name ?? result.repository ?? result.id ?? "scan target";
+		requirements.push(buildNoFindingsRequirement("twistlock-no-findings", `Twistlock scanned ${target} and reported zero vulnerable components.`, /* @__PURE__ */ new Date()));
+	}
+	return createMinimalBaseline("Twistlock Scan", requirements, {
 		resultsChecksum,
 		title: buildTitle$1(result),
 		summary: buildSummary(result)
@@ -3418,7 +5055,7 @@ async function convertTwistlockToHdf(input) {
 		baselines,
 		components: [{
 			name: targetName,
-			type: Copyright.ContainerImage,
+			type: TargetType.ContainerImage,
 			labels: { image: results[0]?.id ?? targetName }
 		}],
 		timestamp: /* @__PURE__ */ new Date()
@@ -3486,7 +5123,32 @@ function buildRequirement$8(finding, timestamp) {
 		codeDesc,
 		startTime: timestamp ? new Date(timestamp) : void 0
 	})];
-	return createRequirement(finding.matrix, getTitle$1(finding), descriptions, getImpact$5(finding.vulnerability.severity), results, { tags });
+	const req = createRequirement(finding.matrix, getTitle$1(finding), descriptions, getImpact$5(finding.vulnerability.severity), results, { tags });
+	req.verificationMethod = VerificationMethodEnum.Automated;
+	const controlType = deriveControlTypeFromTags(nist);
+	if (controlType !== void 0) req.controlType = controlType;
+	const pkg = buildAffectedPackageFromComponent(finding.component);
+	if (pkg) req.affectedPackages = [pkg];
+	return req;
+}
+/**
+* Builds an Affected_Package from a Dependency-Track component. Prefers
+* the rich identifiers Dependency-Track already exposes (purl, cpe) and
+* augments with name/version/ecosystem when available. Returns undefined
+* when the component carries no schema-acceptable identifier.
+*/
+function buildAffectedPackageFromComponent(c) {
+	let ecosystem;
+	if (c.purl) ecosystem = ecosystemFromPurlType(parsePurl(c.purl)?.type);
+	else if (c.name && c.version) ecosystem = ecosystemFromPurlType(void 0);
+	return buildAffectedPackage$1({
+		name: c.name,
+		version: c.version,
+		ecosystem,
+		purl: c.purl,
+		cpe: c.cpe,
+		fixedInVersion: c.latestVersion
+	});
 }
 /**
 * Converts Dependency-Track FPF JSON output to HDF format.
@@ -3501,7 +5163,12 @@ async function convertDeptrackToHdf(input) {
 	const parsed = parseJSON(input);
 	if (!parsed || typeof parsed !== "object") throw new Error("deptrack: invalid JSON");
 	if (!parsed.findings && !parsed.project && !parsed.meta) throw new Error("deptrack: input does not appear to be a Dependency-Track report");
-	const baseline = createMinimalBaseline("Dependency-Track Scan", (parsed.findings ?? []).map((finding) => buildRequirement$8(finding, parsed.meta?.timestamp)), {
+	const requirements = (parsed.findings ?? []).map((finding) => buildRequirement$8(finding, parsed.meta?.timestamp));
+	if (requirements.length === 0) {
+		const projectName = parsed.project?.name ?? parsed.project?.uuid ?? "";
+		requirements.push(buildNoFindingsRequirement("deptrack-no-findings", `Dependency-Track analyzed ${projectName} and reported zero vulnerable components.`, /* @__PURE__ */ new Date()));
+	}
+	const baseline = createMinimalBaseline("Dependency-Track Scan", requirements, {
 		resultsChecksum,
 		title: `Dependency-Track: ${parsed.project?.name ?? ""} ${parsed.project?.version ?? ""}`,
 		summary: parsed.project?.description
@@ -3515,7 +5182,7 @@ async function convertDeptrackToHdf(input) {
 		baselines: [baseline],
 		components: [{
 			name: targetName,
-			type: Copyright.Application
+			type: TargetType.Application
 		}],
 		timestamp: /* @__PURE__ */ new Date()
 	});
@@ -3589,7 +5256,52 @@ function buildRequirement$7(entryID, entries) {
 		data: formatDescription(rep)
 	}];
 	const results = entries.map((entry) => createResult(ResultStatus.Failed, void 0, { codeDesc: formatCodeDesc$1(entry) }));
-	return createRequirement(entryID, rep.summary, descriptions, severityToImpact(rep.severity), results, { tags });
+	const req = createRequirement(entryID, rep.summary, descriptions, severityToImpact(rep.severity), results, { tags });
+	const controlType = deriveControlTypeFromTags(nist);
+	if (controlType !== void 0) req.controlType = controlType;
+	req.verificationMethod = VerificationMethodEnum.Automated;
+	const pkg = buildAffectedPackageFromEntry(rep);
+	if (pkg) req.affectedPackages = [pkg];
+	return req;
+}
+function ecosystemFromXraySource(scheme) {
+	if (scheme === "gav") return Ecosystem.Maven;
+	return ecosystemFromPurlType(scheme);
+}
+function parseSourceCompID(s) {
+	if (!s) return void 0;
+	const m = /^([a-zA-Z0-9]+):\/\/(.+)$/.exec(s);
+	if (!m) return void 0;
+	const scheme = m[1].toLowerCase();
+	const rest = m[2];
+	const colonIdx = rest.lastIndexOf(":");
+	if (colonIdx > 0) return {
+		scheme,
+		name: rest.slice(0, colonIdx),
+		version: rest.slice(colonIdx + 1)
+	};
+	return {
+		scheme,
+		name: rest
+	};
+}
+function buildAffectedPackageFromEntry(entry) {
+	const parsed = parseSourceCompID(entry.source_comp_id ?? entry.source_id);
+	let name = entry.component ?? "";
+	let version;
+	let ecosystem;
+	if (parsed) {
+		if (parsed.name) name = parsed.name;
+		version = parsed.version;
+		ecosystem = ecosystemFromXraySource(parsed.scheme);
+	}
+	const fixed = entry.component_versions?.fixed_versions?.[0];
+	return buildAffectedPackage$1({
+		name,
+		version,
+		ecosystem: ecosystem ?? (name ? Ecosystem.Generic : void 0),
+		fixedInVersion: fixed
+	});
 }
 /**
 * Converts JFrog Xray JSON output to HDF format.
@@ -3620,6 +5332,7 @@ async function convertJfrogXrayToHdf(input) {
 	}
 	const requirements = [];
 	for (const [entryID, entries] of groups) requirements.push(buildRequirement$7(entryID, entries));
+	if (requirements.length === 0) requirements.push(buildNoFindingsRequirement("jfrog-xray-no-findings", "JFrog Xray scanned the target artifact and reported zero vulnerable components.", /* @__PURE__ */ new Date()));
 	return buildHdfResults({
 		generatorName: "jfrog-xray-to-hdf",
 		converterVersion: "1.0.0",
@@ -3628,7 +5341,7 @@ async function convertJfrogXrayToHdf(input) {
 		baselines: [createMinimalBaseline("JFrog Xray Scan", requirements, { resultsChecksum })],
 		components: [{
 			name: "JFrog Xray Scan",
-			type: Copyright.Application
+			type: TargetType.Application
 		}],
 		timestamp: /* @__PURE__ */ new Date()
 	});
@@ -3687,7 +5400,20 @@ function buildRequirement$6(vuln) {
 		data: vuln.description
 	}];
 	const results = [createResult(ResultStatus.Failed, vulnMessage(vuln), { codeDesc: "" })];
-	return createRequirement(vulnID(vuln), vulnTitle(vuln), descriptions, getImpact$4(vuln), results, { tags });
+	const req = createRequirement(vulnID(vuln), vulnTitle(vuln), descriptions, getImpact$4(vuln), results, { tags });
+	const controlType = deriveControlTypeFromTags(nist);
+	if (controlType !== void 0) req.controlType = controlType;
+	req.verificationMethod = VerificationMethodEnum.Automated;
+	const cpe23 = (vuln.cpes ?? []).find((c) => /^cpe:2\.3:[aho]:/.test(c));
+	const pkg = buildAffectedPackage$1({
+		name: vuln.package_name,
+		version: vuln.package_version,
+		ecosystem: vuln.package_name && vuln.package_version ? Ecosystem.Generic : void 0,
+		cpe: cpe23,
+		fixedInVersion: vuln.fixed_version
+	});
+	if (pkg) req.affectedPackages = [pkg];
+	return req;
 }
 /**
 * Constructs the baseline title from the image metadata.
@@ -3732,6 +5458,9 @@ async function convertNeuvectorToHdf(input) {
 		seen.add(id);
 		requirements.push(buildRequirement$6(vuln));
 	}
+	const now = /* @__PURE__ */ new Date();
+	const target = targetNameFromReport(scan.report);
+	if (requirements.length === 0) requirements.push(buildNoFindingsRequirement("neuvector-no-findings", `NeuVector scanned ${target} and reported zero vulnerable components.`, now));
 	return buildHdfResults({
 		generatorName: "neuvector-to-hdf",
 		converterVersion: "1.0.0",
@@ -3743,13 +5472,13 @@ async function convertNeuvectorToHdf(input) {
 		})],
 		components: [{
 			name: targetNameFromReport(scan.report),
-			type: Copyright.ContainerImage,
+			type: TargetType.ContainerImage,
 			labels: {
 				image: `${scan.report.registry}/${scan.report.repository}:${scan.report.tag}`,
 				registry: scan.report.registry
 			}
 		}],
-		timestamp: /* @__PURE__ */ new Date()
+		timestamp: now
 	});
 }
 //#endregion
@@ -3826,14 +5555,18 @@ function buildRequirement$5(desc, vulns, snippetMap, startTimeStr) {
 		codeDesc: buildCodeDesc$2(vuln, snippetMap),
 		startTime: new Date(startTimeStr)
 	}));
-	return {
+	const req = {
 		id: desc.classID ?? "unknown",
 		title,
 		impact,
 		tags,
 		descriptions,
-		results
+		results,
+		verificationMethod: VerificationMethodEnum.Automated
 	};
+	const controlType = deriveControlTypeFromTags(nistTags);
+	if (controlType !== void 0) req.controlType = controlType;
+	return req;
 }
 /**
 * Converts Fortify FVDL XML to HDF format.
@@ -3860,21 +5593,22 @@ async function convertFortifyToHdf(input) {
 	if (truncatedDescs) console.warn(`WARNING: Input truncated at ${limitedDescs.length} Description items (original: ${descriptions.length})`);
 	const createdDate = fvdl.CreatedTS?.date ?? "";
 	const startTimeStr = `${createdDate}T${fvdl.CreatedTS?.time ?? ""}`;
-	const baseline = createMinimalBaseline("Fortify Scan", limitedDescs.map((desc) => {
+	const requirements = limitedDescs.map((desc) => {
 		return buildRequirement$5(desc, vulnGroups.get(desc.classID ?? "") ?? [], snippetMap, startTimeStr);
-	}), {
-		resultsChecksum,
-		title: "Fortify Static Analyzer Scan",
-		summary: `Fortify Static Analyzer Scan of UUID: ${fvdl.UUID ?? ""}`,
-		version: fvdl.EngineData?.EngineVersion ?? "",
-		status: "loaded"
 	});
 	const targetName = fvdl.Build?.SourceBasePath ?? fvdl.Build?.BuildID ?? "Unknown";
+	if (requirements.length === 0) requirements.push(buildNoFindingsRequirement("fortify-no-findings", `Fortify scanned ${targetName} and reported zero findings.`, /* @__PURE__ */ new Date()));
 	const hdfResult = {
-		baselines: [baseline],
+		baselines: [createMinimalBaseline("Fortify Scan", requirements, {
+			resultsChecksum,
+			title: "Fortify Static Analyzer Scan",
+			summary: `Fortify Static Analyzer Scan of UUID: ${fvdl.UUID ?? ""}`,
+			version: fvdl.EngineData?.EngineVersion ?? "",
+			status: "loaded"
+		})],
 		components: [{
 			name: targetName,
-			type: Copyright.Repository
+			type: TargetType.Repository
 		}],
 		generator: {
 			name: "fortify-to-hdf",
@@ -3985,7 +5719,52 @@ function buildRequirement$4(rec) {
 		data: rec.Description
 	}];
 	const results = [createResult(ResultStatus.Failed, message, { codeDesc })];
-	return createRequirement(id, title, descriptions, getImpact$3(rec.Severity), results, { tags });
+	const req = createRequirement(id, title, descriptions, getImpact$3(rec.Severity), results, { tags });
+	const controlType = deriveControlTypeFromTags(nist);
+	if (controlType !== void 0) req.controlType = controlType;
+	req.verificationMethod = VerificationMethodEnum.Automated;
+	if (rec["CVE ID"]) {
+		const pkg = buildAffectedPackageFromRecord(rec);
+		if (pkg) req.affectedPackages = [pkg];
+	}
+	return req;
+}
+/**
+* Distro slugs in Prisma look like `redhat-RHEL7`, `debian-buster`,
+* `alpine-3.14`, `ubuntu-20.04`. Only the leading vendor segment is
+* mapped — unknown vendors fall back to `generic` rather than guessing.
+*/
+function ecosystemFromDistro(distro) {
+	if (!distro) return Ecosystem.Generic;
+	switch (distro.split("-")[0]?.toLowerCase()) {
+		case "redhat":
+		case "rhel":
+		case "centos":
+		case "rocky":
+		case "alma":
+		case "fedora":
+		case "amazon":
+		case "amazonlinux":
+		case "suse":
+		case "sles":
+		case "opensuse": return Ecosystem.RPM;
+		case "debian":
+		case "ubuntu": return Ecosystem.Deb;
+		default: return Ecosystem.Generic;
+	}
+}
+const FIX_VERSION_PATTERN = /fixed in\s+([^\s,;]+)/i;
+function buildAffectedPackageFromRecord(rec) {
+	const name = rec["Source Package"] || rec.Packages;
+	const version = rec["Package Version"];
+	if (!name || !version) return void 0;
+	const fixMatch = rec["Fix Status"] ? FIX_VERSION_PATTERN.exec(rec["Fix Status"]) : null;
+	return buildAffectedPackage$1({
+		name,
+		version,
+		ecosystem: ecosystemFromDistro(rec.Distro),
+		fixedInVersion: fixMatch ? fixMatch[1] : void 0
+	});
 }
 /**
 * Groups records by hostname, preserving insertion order.
@@ -4018,20 +5797,25 @@ function buildBaseline(hostname, records, resultsChecksum) {
 async function convertPrismaToHdf(input) {
 	if (!input || input.trim().length === 0) throw new Error("prisma: empty input");
 	validateInputSize(input, "prisma");
+	const headers = (input.split(/\r?\n/, 1)[0] ?? "").split(",").map((h) => h.trim());
+	for (const col of REQUIRED_COLUMNS) if (!headers.includes(col)) throw new Error(`prisma: missing required CSV column "${col}"`);
 	const records = parseCsv(input);
-	if (records.length === 0) throw new Error("prisma: no data rows in CSV");
-	const firstRecord = records[0];
-	for (const col of REQUIRED_COLUMNS) if (!(col in firstRecord)) throw new Error(`prisma: missing required CSV column "${col}"`);
 	const resultsChecksum = await inputChecksum(input);
-	const hostGroups = groupByHostname(records);
 	const baselines = [];
 	const components = [];
-	for (const [hostname, hostRecords] of hostGroups) {
-		baselines.push(buildBaseline(hostname, hostRecords, resultsChecksum));
-		components.push({
-			name: hostname,
-			type: Copyright.Host
-		});
+	if (records.length === 0) baselines.push(createMinimalBaseline("Prisma Cloud Scan", [buildNoFindingsRequirement("prisma-no-findings", "Prisma Cloud scanned the workload and reported zero vulnerable components.", /* @__PURE__ */ new Date())], {
+		resultsChecksum,
+		title: "Prisma Cloud Scan"
+	}));
+	else {
+		const hostGroups = groupByHostname(records);
+		for (const [hostname, hostRecords] of hostGroups) {
+			baselines.push(buildBaseline(hostname, hostRecords, resultsChecksum));
+			components.push({
+				name: hostname,
+				type: TargetType.Host
+			});
+		}
 	}
 	return buildHdfResults({
 		generatorName: "prisma-to-hdf",
@@ -4145,7 +5929,7 @@ function buildRequirement$3(vuln, initiated) {
 		startTime
 	}];
 	const impact = getImpact$2(vuln.severity ?? "");
-	return {
+	const req = {
 		id: vuln.LookupId ?? "",
 		title: vuln.name ?? void 0,
 		impact,
@@ -4153,6 +5937,10 @@ function buildRequirement$3(vuln, initiated) {
 		descriptions,
 		results
 	};
+	const controlType = deriveControlTypeFromTags(nist);
+	if (controlType !== void 0) req.controlType = controlType;
+	req.verificationMethod = VerificationMethodEnum.Automated;
+	return req;
 }
 /**
 * Converts Netsparker/Invicti XML scan results to HDF format.
@@ -4176,20 +5964,25 @@ async function convertNetsparkerToHdf(input) {
 	const { items: limitedVulns, truncated } = limitArray(vulns);
 	/* v8 ignore next -- truncation only triggers with >100K items */
 	if (truncated) console.warn(`WARNING: Input truncated at ${limitedVulns.length} vulnerability items (original: ${vulns.length})`);
-	const baseline = createMinimalBaseline("Netsparker Scan", limitedVulns.map((vuln) => buildRequirement$3(vuln, initiated)), {
-		resultsChecksum,
-		title: `${toolName} Enterprise Scan ID: ${target["scan-id"] ?? ""} URL: ${target.url ?? ""}`
-	});
 	const targetName = target.url ?? "Unknown";
+	const requirements = limitedVulns.map((vuln) => buildRequirement$3(vuln, initiated));
+	if (requirements.length === 0) {
+		const initiatedDate = initiated ? new Date(initiated) : /* @__PURE__ */ new Date();
+		const startTime = isNaN(initiatedDate.getTime()) ? /* @__PURE__ */ new Date() : initiatedDate;
+		requirements.push(buildNoFindingsRequirement("netsparker-no-findings", `${toolName} scanned ${targetName} and reported zero findings.`, startTime));
+	}
 	return buildHdfResults({
 		generatorName: "netsparker-to-hdf",
 		converterVersion: "1.0.0",
 		toolName,
 		toolFormat: "XML",
-		baselines: [baseline],
+		baselines: [createMinimalBaseline("Netsparker Scan", requirements, {
+			resultsChecksum,
+			title: `${toolName} Enterprise Scan ID: ${target["scan-id"] ?? ""} URL: ${target.url ?? ""}`
+		})],
 		components: [{
 			name: targetName,
-			type: Copyright.Application
+			type: TargetType.Application
 		}]
 	});
 }
@@ -4284,7 +6077,11 @@ function buildRequirement$2(ruleID, finding, startTime) {
 		codeDesc: finding.description,
 		startTime: startTime ? new Date(startTime) : void 0
 	});
-	return createRequirement(ruleID, finding.description, descriptions, getImpact$1(finding.level), [resultObj], { tags });
+	const req = createRequirement(ruleID, finding.description, descriptions, getImpact$1(finding.level), [resultObj], { tags });
+	const controlType = deriveControlTypeFromTags(nist);
+	if (controlType !== void 0) req.controlType = controlType;
+	req.verificationMethod = VerificationMethodEnum.Automated;
+	return req;
 }
 /**
 * Converts ScoutSuite output to HDF format.
@@ -4300,12 +6097,14 @@ async function convertScoutsuiteToHdf(input) {
 	const resultsChecksum = await inputChecksum(jsonStr);
 	const report = parseJSON(jsonStr);
 	if (!report || typeof report !== "object") throw new Error("scoutsuite: invalid JSON");
-	const baseline = createMinimalBaseline("ScoutSuite Scan", limitArrayWithWarning(collapseFindings(report), "finding").map(([ruleID, finding]) => buildRequirement$2(ruleID, finding, report.last_run.time)), {
+	const requirements = limitArrayWithWarning(collapseFindings(report), "finding").map(([ruleID, finding]) => buildRequirement$2(ruleID, finding, report.last_run.time));
+	const targetName = `${report.last_run.ruleset_name} ruleset:${report.provider_name}:${report.account_id}`;
+	if (requirements.length === 0) requirements.push(buildNoFindingsRequirement("scoutsuite-no-findings", `ScoutSuite scanned ${targetName} and reported zero findings.`, /* @__PURE__ */ new Date()));
+	const baseline = createMinimalBaseline("ScoutSuite Scan", requirements, {
 		resultsChecksum,
 		title: `Scout Suite Report using ${report.last_run.ruleset_name} ruleset on ${report.provider_name} with account ${report.account_id}`,
 		summary: report.last_run.ruleset_about
 	});
-	const targetName = `${report.last_run.ruleset_name} ruleset:${report.provider_name}:${report.account_id}`;
 	return buildHdfResults({
 		generatorName: "scoutsuite-to-hdf",
 		converterVersion: "1.0.0",
@@ -4315,7 +6114,7 @@ async function convertScoutsuiteToHdf(input) {
 		baselines: [baseline],
 		components: [{
 			name: targetName,
-			type: Copyright.CloudAccount,
+			type: TargetType.CloudAccount,
 			labels: {
 				account: report.account_id,
 				provider: report.provider_code ?? report.provider_name
@@ -4432,7 +6231,11 @@ function buildRequirementFromResult(result, filename) {
 		codeDesc: `No sections reported by ${scannerName}`,
 		startTime
 	})];
-	return createRequirement(result.sha256, filename, descriptions, scoreToImpact(score), results, { tags });
+	const req = createRequirement(result.sha256, filename, descriptions, scoreToImpact(score), results, { tags });
+	req.verificationMethod = VerificationMethodEnum.Automated;
+	const controlType = deriveControlTypeFromTags([...nist]);
+	if (controlType !== void 0) req.controlType = controlType;
+	return req;
 }
 /**
 * Builds an HDF baseline for a single scanner's results.
@@ -4468,6 +6271,10 @@ async function convertConveyorToHdf(input) {
 		const desc = data.api_response.params["description"];
 		if (typeof desc === "string" && desc.length > 0) targetName = desc;
 	}
+	if (baselines.length === 0) baselines.push(createMinimalBaseline("Conveyor Scan", [buildNoFindingsRequirement("conveyor-no-findings", `Conveyor scanned ${targetName} and reported zero findings.`, /* @__PURE__ */ new Date())], {
+		resultsChecksum,
+		title: "Conveyor Scan (no findings)"
+	}));
 	return buildHdfResults({
 		generatorName: "conveyor-to-hdf",
 		converterVersion: "1.0.0",
@@ -4476,7 +6283,7 @@ async function convertConveyorToHdf(input) {
 		baselines,
 		components: [{
 			name: targetName,
-			type: Copyright.Application
+			type: TargetType.Application
 		}],
 		timestamp: /* @__PURE__ */ new Date()
 	});
@@ -4660,7 +6467,11 @@ function buildCWERequirement(cat, impact, firstBuildDate) {
 			startTime
 		}));
 	});
-	return createRequirement(attr(cat, "categoryid"), attr(cat, "categoryname"), descriptions, impact, results, { tags });
+	const req = createRequirement(attr(cat, "categoryid"), attr(cat, "categoryname"), descriptions, impact, results, { tags });
+	const controlType = deriveControlTypeFromTags(nist);
+	if (controlType !== void 0) req.controlType = controlType;
+	req.verificationMethod = VerificationMethodEnum.Automated;
+	return req;
 }
 /** Build CVE-based requirements from SCA components. */
 function buildCVERequirements(sca, firstBuildDate) {
@@ -4712,10 +6523,14 @@ function buildCVERequirement(vuln, components, firstBuildDate) {
 	}));
 	const cveSummary = attr(vuln, "cve_summary");
 	const cveId = attr(vuln, "cve_id");
-	return createRequirement(cveId, cveId, [{
+	const req = createRequirement(cveId, cveId, [{
 		label: "default",
 		data: cveSummary || ""
 	}], impact, results, { tags });
+	const controlType = deriveControlTypeFromTags(nist);
+	if (controlType !== void 0) req.controlType = controlType;
+	req.verificationMethod = VerificationMethodEnum.Automated;
+	return req;
 }
 /**
 * Convert Veracode DetailedReport XML to HDF JSON string.
@@ -4735,6 +6550,8 @@ async function convertVeracodeToHdf(input) {
 	const cweRequirements = buildCWERequirements(ensureArray(report.severity), firstBuildDate);
 	const cveRequirements = buildCVERequirements(report.software_composition_analysis, firstBuildDate);
 	const allRequirements = [...cweRequirements, ...cveRequirements];
+	const targetName = attr(report, "app_name") || "Veracode Application";
+	if (allRequirements.length === 0) allRequirements.push(buildNoFindingsRequirement("veracode-no-findings", `Veracode scanned ${targetName} and reported zero findings.`, /* @__PURE__ */ new Date()));
 	let title;
 	const staticAnalysis = report["static-analysis"];
 	if (staticAnalysis) {
@@ -4750,7 +6567,6 @@ async function convertVeracodeToHdf(input) {
 		version: attr(report, "policy_version"),
 		summary: attr(report, "policy_name")
 	});
-	const targetName = attr(report, "app_name") || "Veracode Application";
 	const timestamp = parseVeracodeTimestamp(firstBuildDate);
 	return buildHdfResults({
 		generatorName: "veracode-to-hdf",
@@ -4760,7 +6576,7 @@ async function convertVeracodeToHdf(input) {
 		baselines: [baseline],
 		components: [{
 			name: targetName,
-			type: Copyright.Application
+			type: TargetType.Application
 		}],
 		timestamp
 	});
@@ -4811,7 +6627,8 @@ function buildRequirement$1(cs, profiles, createdDateTime) {
 	const title = getTitle(profiles, cs);
 	const impact = getImpact(profiles, cs);
 	const status = getStatus(profiles, cs);
-	const tags = buildNistCciTags([...DEFAULT_STATIC_ANALYSIS_NIST_TAGS], []);
+	const nist = [...DEFAULT_STATIC_ANALYSIS_NIST_TAGS];
+	const tags = buildNistCciTags(nist, []);
 	const descriptions = [{
 		label: "default",
 		data: stripHTML(cs.description)
@@ -4831,10 +6648,14 @@ function buildRequirement$1(cs, profiles, createdDateTime) {
 	}
 	const codeDesc = cs.implementationStatus || "No implementation status provided";
 	const startTime = createdDateTime ? new Date(createdDateTime) : void 0;
-	return createRequirement(id, title, descriptions, impact, [createResult(status, void 0, {
+	const req = createRequirement(id, title, descriptions, impact, [createResult(status, void 0, {
 		codeDesc,
 		...startTime ? { startTime } : {}
 	})], { tags });
+	const controlType = deriveControlTypeFromTags(nist);
+	if (controlType !== void 0) req.controlType = controlType;
+	req.verificationMethod = VerificationMethodEnum.Automated;
+	return req;
 }
 /**
 * Converts Microsoft Secure Score combined JSON to HDF format.
@@ -4873,7 +6694,7 @@ async function convertMsftSecureScoreToHdf(input) {
 		}),
 		components: [{
 			name: `Azure Tenant: ${tenantId}`,
-			type: Copyright.CloudAccount,
+			type: TargetType.CloudAccount,
 			labels: {
 				account: tenantId,
 				provider: "azure"
@@ -4896,6 +6717,7 @@ async function convertMsftDefenderDevopsToHdf(input) {
 	const { components, runEnrichments } = extractEnrichments(raw);
 	const hdfJson = await convertSarifToHdf(input);
 	const result = JSON.parse(hdfJson);
+	synthesizeNoFindingsPlaceholders(result);
 	applyEnrichments(result, components, runEnrichments);
 	if (result.generator) result.generator.name = "msft-defender-devops-to-hdf";
 	if (result.tool) result.tool.name = "Microsoft Defender for DevOps";
@@ -4910,7 +6732,7 @@ function extractEnrichments(raw) {
 			seenRepos.add(vcp.repositoryUri);
 			const target = {
 				name: repoNameFromURI(vcp.repositoryUri),
-				type: Copyright.Repository,
+				type: TargetType.Repository,
 				url: vcp.repositoryUri,
 				labels: {}
 			};
@@ -4960,6 +6782,14 @@ function applyEnrichments(result, components, runEnrichments) {
 		}
 	}
 }
+function synthesizeNoFindingsPlaceholders(result) {
+	const startTime = result.timestamp ?? /* @__PURE__ */ new Date();
+	for (const baseline of result.baselines ?? []) {
+		if (baseline.requirements && baseline.requirements.length > 0) continue;
+		const tool = baseline.name;
+		baseline.requirements = [buildNoFindingsRequirement(`${tool}-no-findings`, `Microsoft Defender for DevOps scanner "${tool}" ran and reported zero findings.`, startTime)];
+	}
+}
 function repoNameFromURI(uri) {
 	const parts = uri.split("/");
 	return parts[parts.length - 1] || uri;
@@ -5021,7 +6851,9 @@ function buildRequirement(assessmentID, assessments) {
 		data: meta.remediationDescription
 	});
 	const results = assessments.map(buildResultFromAssessment);
-	return createRequirement(assessmentID, rep.properties.displayName, descriptions, impact, results, { tags });
+	const req = createRequirement(assessmentID, rep.properties.displayName, descriptions, impact, results, { tags });
+	req.verificationMethod = VerificationMethodEnum.Automated;
+	return req;
 }
 /**
 * Converts a single assessment into an HDF RequirementResult.
@@ -5054,21 +6886,23 @@ async function convertMsftDefenderCloudToHdf(input) {
 	}
 	const requirements = [];
 	for (const [assessmentID, assessments] of groups) requirements.push(buildRequirement(assessmentID, assessments));
+	const subscriptionID = limitedAssessments.length > 0 ? extractSubscriptionID(limitedAssessments[0].id) : "";
+	if (requirements.length === 0) {
+		const targetName = subscriptionID || "Unknown";
+		requirements.push(buildNoFindingsRequirement("msft-defender-cloud-no-findings", `Microsoft Defender for Cloud scanned ${targetName} and reported zero findings.`, /* @__PURE__ */ new Date()));
+	}
 	const baseline = createMinimalBaseline("Microsoft Defender for Cloud Assessments", requirements, { resultsChecksum });
 	const components = [];
-	if (limitedAssessments.length > 0) {
-		const subscriptionID = extractSubscriptionID(limitedAssessments[0].id);
-		if (subscriptionID) components.push({
-			name: `Azure Subscription ${subscriptionID}`,
-			type: Copyright.CloudAccount,
-			accountId: subscriptionID,
-			provider: "azure",
-			labels: {
-				account: subscriptionID,
-				provider: "azure"
-			}
-		});
-	}
+	if (subscriptionID) components.push({
+		name: `Azure Subscription ${subscriptionID}`,
+		type: TargetType.CloudAccount,
+		accountId: subscriptionID,
+		provider: "azure",
+		labels: {
+			account: subscriptionID,
+			provider: "azure"
+		}
+	});
 	return buildHdfResults({
 		generatorName: "msft-defender-cloud-to-hdf",
 		converterVersion: "1.0.0",
@@ -5143,7 +6977,7 @@ function extractDeviceTarget(alert) {
 		for (const ev of alert.evidence) if ((ev["@odata.type"] ?? "").includes("deviceEvidence") && ev.deviceDnsName) {
 			const target = {
 				name: ev.deviceDnsName,
-				type: Copyright.Host,
+				type: TargetType.Host,
 				labels: { provider: "azure" }
 			};
 			if (ev.deviceDnsName) target.fqdn = ev.deviceDnsName;
@@ -5153,7 +6987,7 @@ function extractDeviceTarget(alert) {
 	}
 	return {
 		name: alert.tenantId ?? "unknown",
-		type: Copyright.CloudAccount,
+		type: TargetType.CloudAccount,
 		accountId: alert.tenantId,
 		labels: {
 			account: alert.tenantId ?? "",
@@ -5189,7 +7023,12 @@ function alertToRequirement(alert) {
 		data: alert.recommendedActions
 	});
 	const tags = buildTags$1(alert);
-	return createRequirement(alert.id, alert.title, descriptions, impact, results, { tags });
+	const req = createRequirement(alert.id, alert.title, descriptions, impact, results, { tags });
+	const nistTags = tags.nist;
+	const controlType = deriveControlTypeFromTags(nistTags);
+	if (controlType !== void 0) req.controlType = controlType;
+	req.verificationMethod = VerificationMethodEnum.Automated;
+	return req;
 }
 /**
 * Converts Microsoft Defender for Endpoint alerts (Microsoft Graph Security API v2 format) to HDF.
@@ -5217,6 +7056,7 @@ async function convertMsftDefenderEndpointToHdf(input) {
 			components.push(target);
 		}
 	}
+	if (requirements.length === 0) requirements.push(buildNoFindingsRequirement("msft-defender-endpoint-no-findings", "Microsoft Defender for Endpoint scanned the tenant and reported zero findings.", /* @__PURE__ */ new Date()));
 	return buildHdfResults({
 		generatorName: "msft-defender-endpoint-to-hdf",
 		converterVersion: "1.0.0",
@@ -5357,8 +7197,7 @@ function buildTestResultObj(hdfData, baseline) {
 				[`${ATTR}idref`]: ruleIdRef,
 				result: wrap(hdfStatusToXccdf(result.status))
 			};
-			const startTime = typeof result.startTime === "string" ? result.startTime : result.startTime.toISOString();
-			rr[`${ATTR}time`] = startTime;
+			rr[`${ATTR}time`] = typeof result.startTime === "string" ? result.startTime : result.startTime.toISOString();
 			if (result.message) rr.message = wrap(result.message);
 			if (result.codeDesc) rr.check = {
 				[`${ATTR}system`]: "http://oval.mitre.org/XMLSchema/oval-definitions-5",
@@ -5788,7 +7627,7 @@ async function convertHdfToOscalPoam(input) {
 	return JSON.stringify(doc, null, 2);
 }
 /**
-* Converts parsed HdfAmendments to an OSCAL PlanOfActionAndMilestones.
+* Converts parsed HDFAmendments to an OSCAL PlanOfActionAndMilestones.
 */
 function amendmentsToPOAM(amendments) {
 	const now = (/* @__PURE__ */ new Date()).toISOString();
@@ -5964,6 +7803,9 @@ async function convertIonchannelToHdf(input) {
 			startTime: /* @__PURE__ */ new Date("0001-01-01T00:00:00Z")
 		})], { tags });
 		req.code = code;
+		const controlType = deriveControlTypeFromTags(DEFAULT_COMPONENT_MANAGEMENT_NIST_TAGS);
+		if (controlType !== void 0) req.controlType = controlType;
+		req.verificationMethod = VerificationMethodEnum.Automated;
 		return req;
 	});
 	const resultsChecksum = await inputChecksum(input);
@@ -5985,6 +7827,1150 @@ async function convertIonchannelToHdf(input) {
 	});
 }
 //#endregion
+//#region shared/typescript/vex/mapping.ts
+/** Canonical VEX status across OpenVEX / CSAF / CycloneDX. */
+const VexStatus = {
+	NotAffected: "not_affected",
+	Affected: "affected",
+	Fixed: "fixed",
+	UnderInvestigation: "under_investigation"
+};
+/**
+* Map an ecosystem-specific status string to the canonical VexStatus.
+* Returns undefined for values without a clean mapping — caller should warn
+* and skip, not guess.
+*/
+function normalizeStatus(raw) {
+	switch (raw.trim().toLowerCase()) {
+		case "not_affected":
+		case "known_not_affected":
+		case "false_positive": return VexStatus.NotAffected;
+		case "affected":
+		case "known_affected":
+		case "exploitable": return VexStatus.Affected;
+		case "fixed":
+		case "first_fixed":
+		case "resolved":
+		case "resolved_with_pedigree": return VexStatus.Fixed;
+		case "under_investigation":
+		case "in_triage": return VexStatus.UnderInvestigation;
+		default: return;
+	}
+}
+/**
+* Map an ecosystem-specific justification string to the canonical HDF
+* Justification enum. Returns undefined for unknown values; callers SHOULD
+* log unknown values rather than silently dropping (the schema spec wants
+* pass-through, but practically we expect the enum to be extended when a
+* new vocabulary is integrated rather than carrying raw labels
+* indefinitely).
+*
+* The HDF Justification enum (v3.2.x) covers:
+*   - the original OpenVEX / CSAF VEX five values
+*   - CycloneDX-specific reachability values (requires_*, protected_*)
+*     that describe why a vulnerable code path is unreachable in the
+*     deployed configuration.
+*/
+function normalizeJustification(raw) {
+	switch (raw.trim().toLowerCase()) {
+		case "component_not_present":
+		case "code_not_present": return Justification.ComponentNotPresent;
+		case "vulnerable_code_not_present": return Justification.VulnerableCodeNotPresent;
+		case "vulnerable_code_not_in_execute_path":
+		case "code_not_reachable": return Justification.VulnerableCodeNotInExecutePath;
+		case "vulnerable_code_cannot_be_controlled_by_adversary": return Justification.VulnerableCodeCannotBeControlledByAdversary;
+		case "inline_mitigations_already_exist":
+		case "protected_by_mitigating_control": return Justification.InlineMitigationsAlreadyExist;
+		case "requires_configuration": return Justification.RequiresConfiguration;
+		case "requires_dependency": return Justification.RequiresDependency;
+		case "requires_environment": return Justification.RequiresEnvironment;
+		case "protected_by_compiler": return Justification.ProtectedByCompiler;
+		case "protected_at_runtime": return Justification.ProtectedAtRuntime;
+		case "protected_at_perimeter": return Justification.ProtectedAtPerimeter;
+		default: return;
+	}
+}
+/**
+* Render an HDF Justification value as the CycloneDX-native vocabulary.
+* CycloneDX uses short-form names (code_not_present, code_not_reachable,
+* protected_by_mitigating_control) for the three justifications shared
+* with OpenVEX/CSAF, and shares the six CycloneDX-specific reachability
+* values verbatim.
+*
+* Returns undefined when the HDF value has no equivalent in CycloneDX's
+* enum (vulnerable_code_not_present and
+* vulnerable_code_cannot_be_controlled_by_adversary). Callers should
+* omit the justification field in that case.
+*/
+function justificationForCycloneDX(j) {
+	switch (j) {
+		case Justification.ComponentNotPresent: return "code_not_present";
+		case Justification.VulnerableCodeNotInExecutePath: return "code_not_reachable";
+		case Justification.InlineMitigationsAlreadyExist: return "protected_by_mitigating_control";
+		case Justification.RequiresConfiguration:
+		case Justification.RequiresDependency:
+		case Justification.RequiresEnvironment:
+		case Justification.ProtectedByCompiler:
+		case Justification.ProtectedAtRuntime:
+		case Justification.ProtectedAtPerimeter: return String(j);
+		default: return;
+	}
+}
+/**
+* Return the amendment shape an importer should produce for a canonical VEX
+* status. Returns undefined for "affected" and "under_investigation" — those
+* are informational; the consumer creates an amendment later if they act.
+*/
+function importTargetFor(status) {
+	switch (status) {
+		case VexStatus.NotAffected: return {
+			overrideType: OverrideType.FalsePositive,
+			status: ResultStatus.Passed,
+			setJustification: true,
+			poamActionTemplate: ""
+		};
+		case VexStatus.Fixed: return {
+			overrideType: OverrideType.Poam,
+			status: ResultStatus.Failed,
+			setJustification: false,
+			poamActionTemplate: "vendor reports fix; apply and re-scan to verify"
+		};
+		case VexStatus.Affected:
+		case VexStatus.UnderInvestigation: return;
+		/* c8 ignore next 2 — every VexStatus has a case above */
+		default: return;
+	}
+}
+/**
+* Return the canonical VEX status an exporter should emit for an HDF
+* override. Returns undefined when no VEX statement should be emitted —
+* the consumer has not acted, and VEX requires a deliberate statement.
+*
+* `allMilestonesCompleted` and `closureChained` are consulted only for
+* POA&M overrides. Closure is signalled by BOTH flags being true; either
+* alone is insufficient.
+*/
+function exportStatusFor(override, allMilestonesCompleted, closureChained) {
+	if (!override) return;
+	if (override.justification) return VexStatus.NotAffected;
+	switch (override.type) {
+		case OverrideType.FalsePositive:
+		case OverrideType.Attestation:
+		case OverrideType.Inherited: return VexStatus.NotAffected;
+		case OverrideType.Waiver:
+		case OverrideType.RiskAdjustment:
+		case OverrideType.OperationalRequirement: return VexStatus.Affected;
+		case OverrideType.Poam: return allMilestonesCompleted && closureChained ? VexStatus.Fixed : VexStatus.Affected;
+		/* c8 ignore next 2 — every OverrideType has a case above */
+		default: return;
+	}
+}
+const ECOSYSTEM_FROM_PURL_TYPE = {
+	npm: Ecosystem.Npm,
+	pypi: Ecosystem.Pypi,
+	rpm: Ecosystem.RPM,
+	deb: Ecosystem.Deb,
+	maven: Ecosystem.Maven,
+	gem: Ecosystem.Gem,
+	nuget: Ecosystem.Nuget,
+	golang: Ecosystem.Go,
+	go: Ecosystem.Go,
+	cargo: Ecosystem.Cargo
+};
+/**
+* Build an AffectedPackage from a single product identifier string emitted
+* by a VEX format. Recognizes PURLs and CPE 2.3 strings; returns undefined
+* for opaque identifiers (importer should drop the entry — schema additions
+* forbid fabricating name+version).
+*/
+function affectedPackageFromIdentifier(identifier) {
+	if (!identifier) return void 0;
+	if (identifier.startsWith("pkg:")) {
+		const parsed = parsePurl(identifier);
+		if (parsed) {
+			const pkg = { purl: identifier };
+			/* c8 ignore next 2 — parsePurl populates name/version when the
+			identifier was a well-formed purl; the absent branches require a
+			malformed-but-prefixed input that loses these fields without
+			triggering the outer null return. Defensive. */
+			if (parsed.name) pkg.name = parsed.name;
+			if (parsed.version) pkg.version = parsed.version;
+			pkg.ecosystem = ECOSYSTEM_FROM_PURL_TYPE[parsed.type] ?? Ecosystem.Generic;
+			return pkg;
+		}
+		return { purl: identifier };
+	}
+	if (identifier.startsWith("cpe:2.3:")) return { cpe: identifier };
+}
+/**
+* Build a unique list of AffectedPackage entries from a sequence of product
+* identifier strings. Empty / unresolvable identifiers are dropped; duplicate
+* purls/cpes/names are collapsed.
+*/
+function affectedPackagesFromIdentifiers(identifiers) {
+	const out = [];
+	const seen = /* @__PURE__ */ new Set();
+	for (const id of identifiers) {
+		const pkg = affectedPackageFromIdentifier(id);
+		if (!pkg) continue;
+		/* c8 ignore next — affectedPackageFromIdentifier always emits either
+		purl or cpe, so the name fallback branch isn't reachable through
+		this caller. Kept for safety if a hand-built AffectedPackage flows
+		through a future caller. */
+		const key = pkg.purl ?? pkg.cpe ?? `${pkg.name ?? ""}@${pkg.version ?? ""}`;
+		if (seen.has(key)) continue;
+		seen.add(key);
+		out.push(pkg);
+	}
+	return out;
+}
+/**
+* Render an AffectedPackage as a single identifier string suitable for
+* round-tripping into a VEX format. Prefers purl > cpe > name@version.
+* Returns undefined when nothing identifying is set.
+*/
+function affectedPackageToIdentifier(pkg) {
+	if (pkg.purl) return pkg.purl;
+	if (pkg.cpe) return pkg.cpe;
+	if (pkg.name && pkg.version) return `${pkg.name}@${pkg.version}`;
+	if (pkg.name) return pkg.name;
+}
+/**
+* Build an HDF Evidence entry pointing at the upstream VEX document. Used by
+* importers to preserve provenance even though we lose the structured
+* statement_id. Returns undefined when sourceURI is empty — don't fabricate.
+*/
+function supplierEvidence(sourceURI, description) {
+	if (!sourceURI.trim()) return;
+	return {
+		type: EvidenceType.URL,
+		data: sourceURI,
+		description: description?.trim() ? description : "Upstream VEX statement"
+	};
+}
+//#endregion
+//#region converters/openvex-to-hdf/typescript/converter.ts
+/**
+* OpenVEX to HDF Amendments converter.
+*
+* VEX statements are consumer-attached context for CVE findings. The act of
+* attaching IS the amendment, so this converter emits HDF Amendments rather
+* than HDF Results.
+*
+* VEX 'fixed' is an abstract supplier claim; the assessed system has not
+* been verified to carry the fix. Imports therefore become open POA&M
+* overrides (status pinned to failed pending re-scan), not status flips.
+*
+* Spec: https://github.com/openvex/spec
+*/
+/** One year in milliseconds. VEX statements are re-evaluated as new info
+*  arrives; one year is a defensive default consistent with the
+*  no-permanent-amendment rule on Standalone_Override. */
+const DEFAULT_EXPIRY_HORIZON_MS$2 = 365 * 24 * 60 * 60 * 1e3;
+async function convertOpenVexToHdf(input, converterVersion) {
+	validateInputSize(input, "openvex-to-hdf");
+	const doc = parseJSON(input);
+	const docTime = (doc.timestamp ? parseTimestamp(doc.timestamp) : null) ?? /* @__PURE__ */ new Date();
+	const overrides = [];
+	for (const stmt of doc.statements ?? []) {
+		const override = statementToOverride(stmt, doc, docTime);
+		if (override) overrides.push(override);
+	}
+	if (overrides.length === 0) throw new Error("openvex-to-hdf: VEX document contains no actionable statements (all 'affected' or 'under_investigation'); no amendment to write");
+	return {
+		name: doc.author ? `OpenVEX statements from ${doc.author}` : "OpenVEX statements",
+		description: `Imported VEX statements from ${truncateId(doc["@id"] ?? "")}`,
+		overrides,
+		appliedBy: identityFor$1(doc.author, doc.role),
+		generator: {
+			name: "openvex-to-hdf",
+			version: converterVersion
+		},
+		integrity: await inputIntegrity(input)
+	};
+}
+function statementToOverride(stmt, doc, docTime) {
+	const canonical = normalizeStatus(stmt.status ?? "");
+	if (!canonical) return void 0;
+	const target = importTargetFor(canonical);
+	if (!target) return void 0;
+	const requirementId = stmt.vulnerability?.name ?? stmt.vulnerability?.["@id"] ?? "";
+	if (!requirementId) return void 0;
+	const stmtTime = (stmt.timestamp ? parseTimestamp(stmt.timestamp) : null) ?? docTime;
+	const author = stmt.author ?? doc.author ?? "";
+	const expiresAt = new Date(stmtTime.getTime() + DEFAULT_EXPIRY_HORIZON_MS$2);
+	const override = {
+		type: target.overrideType,
+		requirementId,
+		appliedAt: stmtTime,
+		expiresAt,
+		appliedBy: identityFor$1(author, doc.role),
+		reason: buildReason$2(stmt, target.poamActionTemplate)
+	};
+	const affectedPackages = affectedPackagesFromIdentifiers((stmt.products ?? []).map((p) => p["@id"]).filter((id) => Boolean(id)));
+	if (affectedPackages.length > 0) override.affectedPackages = affectedPackages;
+	if (target.status !== void 0) override.status = target.status;
+	if (target.setJustification && stmt.justification) {
+		const j = normalizeJustification(stmt.justification);
+		if (j) override.justification = j;
+	}
+	const ev = supplierEvidence(doc["@id"] ?? "", "OpenVEX document");
+	if (ev) override.evidence = [ev];
+	if (target.overrideType === OverrideType.Poam) override.milestones = [{
+		description: target.poamActionTemplate,
+		status: MilestoneStatus.Pending,
+		estimatedCompletion: expiresAt
+	}];
+	return override;
+}
+function buildReason$2(stmt, poamTemplate) {
+	const parts = [];
+	if (stmt.impact_statement) parts.push(stmt.impact_statement);
+	if (stmt.action_statement) parts.push(stmt.action_statement);
+	if (parts.length === 0) return poamTemplate || `Imported from OpenVEX status "${stmt.status ?? ""}"`;
+	return parts.join("\n");
+}
+function identityFor$1(author, role) {
+	if (!author) return {
+		type: IdentityType.System,
+		identifier: "openvex-import"
+	};
+	const id = {
+		type: author.includes("@") ? IdentityType.Email : IdentityType.Simple,
+		identifier: author
+	};
+	if (role) id.description = role;
+	return id;
+}
+function truncateId(id) {
+	const MAX = 80;
+	return id.length <= MAX ? id : `${id.slice(0, MAX)}...`;
+}
+//#endregion
+//#region converters/csaf-vex-to-hdf/typescript/converter.ts
+/**
+* CSAF VEX to HDF Amendments converter.
+*
+* CSAF (OASIS Common Security Advisory Framework) VEX profile is the
+* vendor-advisory format. Per the amendment-output pattern (Step 4f),
+* 'fixed' becomes an open POA&M, not a status flip — supplier claim is
+* not assessed-system evidence.
+*
+* Spec: https://docs.oasis-open.org/csaf/csaf/v2.0/csaf-v2.0.html
+*/
+const DEFAULT_EXPIRY_HORIZON_MS$1 = 365 * 24 * 60 * 60 * 1e3;
+async function convertCsafVexToHdf(input, converterVersion) {
+	validateInputSize(input, "csaf-vex-to-hdf");
+	const doc = parseJSON(input);
+	if (doc.document?.category !== "csaf_vex") throw new Error(`csaf-vex-to-hdf: document.category is ${JSON.stringify(doc.document?.category)}; only 'csaf_vex' is supported`);
+	const dm = doc.document;
+	const tracking = dm.tracking ?? {};
+	const publisher = dm.publisher ?? {};
+	const docTime = (tracking.current_release_date ? parseTimestamp(tracking.current_release_date) : null) ?? /* @__PURE__ */ new Date();
+	const productLookup = buildProductLookup$1(doc.product_tree);
+	const overrides = [];
+	for (const v of doc.vulnerabilities ?? []) overrides.push(...vulnerabilityToOverrides(v, publisher, tracking, docTime, productLookup));
+	if (overrides.length === 0) throw new Error("csaf-vex-to-hdf: CSAF VEX document contains no actionable statements (only affected/under_investigation/recommended); no amendment to write");
+	const publisherName = publisher.name ?? "";
+	return {
+		name: publisherName ? `CSAF VEX statements from ${publisherName}` : "CSAF VEX statements",
+		description: `Imported VEX advisory ${tracking.id ?? ""}`,
+		overrides,
+		appliedBy: identityFor(publisher),
+		generator: {
+			name: "csaf-vex-to-hdf",
+			version: converterVersion
+		},
+		integrity: await inputIntegrity(input),
+		version: tracking.version
+	};
+}
+function vulnerabilityToOverrides(vuln, publisher, tracking, docTime, productLookup) {
+	if (!vuln.cve) return [];
+	const ps = vuln.product_status;
+	if (!ps) return [];
+	const out = [];
+	if (ps.known_not_affected?.length) {
+		const o = buildOverride(vuln, publisher, tracking, docTime, VexStatus.NotAffected, ps.known_not_affected, productLookup);
+		if (o) out.push(o);
+	}
+	const fixedProducts = [...ps.fixed ?? [], ...ps.first_fixed ?? []];
+	if (fixedProducts.length > 0) {
+		const o = buildOverride(vuln, publisher, tracking, docTime, VexStatus.Fixed, fixedProducts, productLookup);
+		if (o) out.push(o);
+	}
+	return out;
+}
+function buildOverride(vuln, publisher, tracking, docTime, canonical, products, productLookup) {
+	const target = importTargetFor(canonical);
+	if (!target) return void 0;
+	const expiresAt = new Date(docTime.getTime() + DEFAULT_EXPIRY_HORIZON_MS$1);
+	const override = {
+		type: target.overrideType,
+		requirementId: vuln.cve,
+		appliedAt: docTime,
+		expiresAt,
+		appliedBy: identityFor(publisher),
+		reason: buildReason$1(vuln, products)
+	};
+	const affectedPackages = resolveAffectedPackages(products, productLookup);
+	if (affectedPackages.length > 0) override.affectedPackages = affectedPackages;
+	if (target.status !== void 0) override.status = target.status;
+	if (target.setJustification) {
+		const j = pickJustification(vuln, products);
+		if (j) override.justification = j;
+	}
+	const evidence = [];
+	const advisoryEv = supplierEvidence(advisoryURI(publisher, tracking), "CSAF VEX advisory");
+	if (advisoryEv) evidence.push(advisoryEv);
+	for (const r of vuln.references ?? []) {
+		if (!r.url) continue;
+		const ev = supplierEvidence(r.url, r.summary ?? r.category ?? "");
+		if (ev) evidence.push(ev);
+	}
+	if (evidence.length > 0) override.evidence = evidence;
+	if (target.overrideType === OverrideType.Poam) override.milestones = [{
+		description: firstActionRemediation(vuln, products) || target.poamActionTemplate,
+		status: MilestoneStatus.Pending,
+		estimatedCompletion: expiresAt
+	}];
+	return override;
+}
+function pickJustification(vuln, products) {
+	const scope = new Set(products);
+	for (const f of vuln.flags ?? []) {
+		if (!overlap(f.product_ids ?? [], scope)) continue;
+		if (!f.label) continue;
+		const j = normalizeJustification(f.label);
+		if (j) return j;
+	}
+}
+function firstActionRemediation(vuln, products) {
+	const scope = new Set(products);
+	for (const r of vuln.remediations ?? []) {
+		const ids = r.product_ids;
+		if (ids && ids.length > 0 && !overlap(ids, scope)) continue;
+		if ((r.category === "vendor_fix" || r.category === "mitigation" || r.category === "workaround") && r.details) return r.details;
+	}
+	return "";
+}
+function buildReason$1(vuln, products) {
+	const parts = [];
+	const scope = new Set(products);
+	for (const n of vuln.notes ?? []) if (n.category === "description" && n.text) parts.push(n.text);
+	for (const t of vuln.threats ?? []) {
+		if (!t.details) continue;
+		const ids = t.product_ids;
+		if (ids && ids.length > 0 && !overlap(ids, scope)) continue;
+		parts.push(t.details);
+	}
+	if (parts.length === 0) return `Imported from CSAF VEX (${vuln.cve ?? "unknown CVE"})`;
+	return parts.join("\n");
+}
+/**
+* Walk a CSAF product_tree and build a lookup from product_id to a
+* structured AffectedPackage. Prefers product_identification_helper.purl,
+* then .cpe, then the full_product_name's `name` (used for matching only
+* — name+version is hard to derive from CSAF reliably, so we drop entries
+* with no purl and no cpe).
+*/
+function buildProductLookup$1(tree) {
+	const lookup = /* @__PURE__ */ new Map();
+	if (!tree) return lookup;
+	if (tree.full_product_names) for (const fp of tree.full_product_names) registerProduct(fp, lookup);
+	if (tree.branches) walkBranches(tree.branches, lookup);
+	return lookup;
+}
+function walkBranches(branches, lookup, ctx = {}) {
+	for (const b of branches) {
+		const next = { ...ctx };
+		/* c8 ignore next 2 — falsy branches require a malformed CSAF branch
+		node (category set but name empty) which we don't fixture. */
+		if (b.category === "product_name" && b.name) next.productName = b.name;
+		if (b.category === "product_version" && b.name) next.version = b.name;
+		if (b.product) registerProduct(b.product, lookup, next);
+		if (b.branches) walkBranches(b.branches, lookup, next);
+	}
+}
+function registerProduct(fp, lookup, ctx = {}) {
+	/* c8 ignore next — defensive against a malformed CSAF full_product_name
+	missing its required product_id field; not fixtured. */
+	if (!fp.product_id) return;
+	const helper = fp.product_identification_helper;
+	if (helper?.purl) {
+		const pkg = affectedPackageFromIdentifier(helper.purl);
+		/* c8 ignore next 4 — affectedPackageFromIdentifier always returns a
+		non-null value for an input that starts with 'pkg:' (preserves
+		malformed input as purl-only). The null branch is unreachable from
+		this callsite. */
+		if (pkg) {
+			lookup.set(fp.product_id, pkg);
+			return;
+		}
+	}
+	if (helper?.cpe) {
+		const pkg = affectedPackageFromIdentifier(helper.cpe);
+		/* c8 ignore next 4 — same as above; identifiers starting with
+		'cpe:2.3:' always produce a cpe-only AffectedPackage. */
+		if (pkg) {
+			lookup.set(fp.product_id, pkg);
+			return;
+		}
+	}
+	if (ctx.productName && ctx.version) lookup.set(fp.product_id, {
+		name: ctx.productName,
+		version: ctx.version,
+		ecosystem: Ecosystem.Generic
+	});
+}
+function resolveAffectedPackages(productIds, lookup) {
+	const out = [];
+	const seenKeys = /* @__PURE__ */ new Set();
+	for (const id of productIds) {
+		const pkg = lookup.get(id);
+		if (!pkg) continue;
+		const key = pkg.purl ?? pkg.cpe ?? `${pkg.name ?? ""}@${pkg.version ?? ""}`;
+		if (seenKeys.has(key)) continue;
+		seenKeys.add(key);
+		out.push(pkg);
+	}
+	return out;
+}
+function identityFor(p) {
+	if (!p.name) return {
+		type: IdentityType.System,
+		identifier: "csaf-vex-import"
+	};
+	const id = {
+		type: IdentityType.Simple,
+		identifier: p.name
+	};
+	if (p.category) id.description = p.category;
+	return id;
+}
+function advisoryURI(publisher, tracking) {
+	/* c8 ignore next */
+	const id = tracking.id ?? "";
+	const ns = publisher.namespace;
+	if (ns && id) return `${ns.replace(/\/+$/, "")}/${id}`;
+	return id;
+}
+function overlap(ids, scope) {
+	return ids.some((id) => scope.has(id));
+}
+//#endregion
+//#region converters/cyclonedx-vex-to-hdf/typescript/converter.ts
+/**
+* CycloneDX VEX to HDF Amendments converter.
+*
+* CycloneDX VEX is not a separate format — it's a CycloneDX BOM whose
+* vulnerabilities[] carry an `analysis` object. CycloneDX-specific
+* justifications without an HDF equivalent (requires_configuration,
+* protected_by_compiler, etc.) are preserved verbatim in the reason
+* field via the shared helper's unknown-value passthrough.
+*
+* Spec: https://cyclonedx.org/use-cases/#vulnerability-exploitability
+*/
+const DEFAULT_EXPIRY_HORIZON_MS = 365 * 24 * 60 * 60 * 1e3;
+async function convertCyclonedxVexToHdf(input, converterVersion) {
+	validateInputSize(input, "cyclonedx-vex-to-hdf");
+	const bom = parseJSON(input);
+	if (bom.bomFormat !== "CycloneDX") throw new Error(`cyclonedx-vex-to-hdf: bomFormat is ${JSON.stringify(bom.bomFormat)}; only 'CycloneDX' is supported`);
+	const docTime = (bom.metadata?.timestamp ? parseTimestamp(bom.metadata.timestamp) : null) ?? /* @__PURE__ */ new Date();
+	const productLookup = buildProductLookup(bom);
+	const publisher = publisherIdentityOrDefault(bom);
+	const overrides = [];
+	for (const v of bom.vulnerabilities ?? []) {
+		const o = vulnerabilityToOverride(v, productLookup, docTime, publisher);
+		if (o) overrides.push(o);
+	}
+	if (overrides.length === 0) throw new Error("cyclonedx-vex-to-hdf: BOM contains no actionable VEX statements (only exploitable/in_triage or no analysis); no amendment to write");
+	const publisherName = publisher.identifier;
+	return {
+		name: publisherName && publisherName !== "cyclonedx-vex-import" ? `CycloneDX VEX statements from ${publisherName}` : "CycloneDX VEX statements",
+		description: bom.serialNumber ? `Imported CycloneDX VEX ${bom.serialNumber}` : "Imported CycloneDX VEX",
+		overrides,
+		appliedBy: publisher,
+		generator: {
+			name: "cyclonedx-vex-to-hdf",
+			version: converterVersion
+		},
+		integrity: await inputIntegrity(input)
+	};
+}
+function vulnerabilityToOverride(v, productLookup, docTime, publisher) {
+	if (!v.id || !v.analysis?.state) return void 0;
+	const canonical = normalizeStatus(v.analysis.state);
+	if (!canonical) return void 0;
+	const target = importTargetFor(canonical);
+	if (!target) return void 0;
+	const affectedPackages = affectedPackagesForVuln(v, productLookup);
+	const expiresAt = new Date(docTime.getTime() + DEFAULT_EXPIRY_HORIZON_MS);
+	const override = {
+		type: target.overrideType,
+		requirementId: v.id,
+		appliedAt: docTime,
+		expiresAt,
+		appliedBy: publisher,
+		reason: buildReason(v)
+	};
+	if (affectedPackages.length > 0) override.affectedPackages = affectedPackages;
+	if (target.status !== void 0) override.status = target.status;
+	if (target.setJustification && v.analysis.justification) {
+		const j = normalizeJustification(v.analysis.justification);
+		if (j) override.justification = j;
+	}
+	const evidence = [];
+	if (v.source?.url) {
+		const ev = supplierEvidence(v.source.url, v.source.name ?? "");
+		if (ev) evidence.push(ev);
+	}
+	for (const r of v.references ?? []) {
+		if (!r.source?.url) continue;
+		const ev = supplierEvidence(r.source.url, r.source.name ?? "");
+		if (ev) evidence.push(ev);
+	}
+	if (evidence.length > 0) override.evidence = evidence;
+	if (target.overrideType === OverrideType.Poam) override.milestones = [{
+		description: firstActionFromResponse(v.analysis.response ?? []) || target.poamActionTemplate,
+		status: MilestoneStatus.Pending,
+		estimatedCompletion: expiresAt
+	}];
+	return override;
+}
+function buildReason(v) {
+	const parts = [];
+	if (v.description) parts.push(v.description);
+	if (v.analysis?.detail) parts.push(v.analysis.detail);
+	return parts.join("\n");
+}
+/**
+* Resolve CycloneDX affects[].ref entries to structured AffectedPackage
+* entries. Looks up the bom-ref in the component table to recover purl,
+* name/version. Opaque bom-refs with no component-table match are dropped
+* (the schema forbids fabricating name+version, and bom-refs aren't
+* portable identifiers outside their source BOM).
+*/
+function affectedPackagesForVuln(v, lookup) {
+	const out = [];
+	const seenKeys = /* @__PURE__ */ new Set();
+	for (const a of v.affects ?? []) {
+		if (!a.ref) continue;
+		const comp = lookup.get(a.ref);
+		const pkg = comp ? affectedPackageFromComponent(comp) : affectedPackageFromIdentifier(a.ref);
+		if (!pkg) continue;
+		const key = pkg.purl ?? pkg.cpe ?? `${pkg.name ?? ""}@${pkg.version ?? ""}`;
+		if (seenKeys.has(key)) continue;
+		seenKeys.add(key);
+		out.push(pkg);
+	}
+	return out;
+}
+/**
+* Build an AffectedPackage from a CycloneDX Component. Prefers structured
+* purl decomposition via the shared helper (so name/version/ecosystem are
+* also populated when the purl is parseable); falls back to the component's
+* name+version when no purl is set. Returns undefined when the component
+* carries neither a purl nor a name+version pair (schema requires at least
+* name+version+ecosystem, purl, or cpe).
+*/
+function affectedPackageFromComponent(c) {
+	if (c.purl) return affectedPackageFromIdentifier(c.purl);
+	if (c.name && c.version) return {
+		name: c.name,
+		version: c.version,
+		ecosystem: Ecosystem.Generic
+	};
+}
+function buildProductLookup(bom) {
+	const lookup = /* @__PURE__ */ new Map();
+	const root = bom.metadata?.component;
+	if (root?.["bom-ref"]) lookup.set(root["bom-ref"], root);
+	for (const c of bom.components ?? []) if (c["bom-ref"]) lookup.set(c["bom-ref"], c);
+	return lookup;
+}
+function firstActionFromResponse(resp) {
+	for (const r of resp) switch (r.trim().toLowerCase()) {
+		case "update": return "Apply vendor update and re-scan to verify.";
+		case "rollback": return "Roll back to the unaffected version and re-scan to verify.";
+		case "workaround_available": return "Apply the documented workaround.";
+	}
+	return "";
+}
+function publisherIdentityOrDefault(bom) {
+	for (const a of bom.metadata?.authors ?? []) {
+		if (a.email) return {
+			type: IdentityType.Email,
+			identifier: a.email
+		};
+		if (a.name) return {
+			type: IdentityType.Simple,
+			identifier: a.name
+		};
+	}
+	for (const t of bom.metadata?.tools ?? []) {
+		const ident = [t.vendor, t.name].filter(Boolean).join(" ").trim();
+		if (ident) return {
+			type: IdentityType.System,
+			identifier: ident
+		};
+	}
+	return {
+		type: IdentityType.System,
+		identifier: "cyclonedx-vex-import"
+	};
+}
+//#endregion
+//#region converters/hdf-to-csaf-vex/typescript/converter.ts
+/**
+* HDF Amendments to CSAF VEX (csaf_vex profile) converter.
+*
+* Reverse direction of csaf-vex-to-hdf. Intentionally partial-fidelity:
+* fields the shared VEX mapping considers consumer-action-bearing survive
+* round-trip; the rest collapse into the available CSAF fields.
+*/
+const CVE_ID_PATTERN$2 = /^CVE-\d{4}-\d{4,}$/;
+const PRODUCTS_LINE$2 = /^Products:\s*(.+)$/m;
+const DEFAULT_PRODUCT_ID$2 = "HDFPID-0001";
+function convertHdfToCsafVex(input, converterVersion) {
+	validateInputSize(input, "hdf-to-csaf-vex");
+	const amendments = parseJSON(input);
+	const groups = groupByCVE(amendments.overrides ?? []);
+	const productSet = /* @__PURE__ */ new Map();
+	const vulnerabilities = [];
+	for (const group of groups) {
+		const v = buildVulnerability(group);
+		if (!v) continue;
+		vulnerabilities.push(v);
+		for (const p of productIDsForGroup(group)) productSet.set(p, true);
+	}
+	if (vulnerabilities.length === 0) throw new Error("hdf-to-csaf-vex: no overrides with CVE-shaped requirementIds; nothing to emit");
+	const products = [...productSet.keys()].sort();
+	const doc = buildDocument(amendments, converterVersion);
+	doc.vulnerabilities = vulnerabilities;
+	doc.product_tree.full_product_names = products.length > 0 ? products.map((p) => ({
+		name: p,
+		product_id: p
+	})) : [{
+		name: DEFAULT_PRODUCT_ID$2,
+		product_id: DEFAULT_PRODUCT_ID$2
+	}];
+	return JSON.stringify(doc, null, 2);
+}
+function groupByCVE(overrides) {
+	const groups = /* @__PURE__ */ new Map();
+	for (const o of overrides) {
+		if (!CVE_ID_PATTERN$2.test(o.requirementId)) continue;
+		let g = groups.get(o.requirementId);
+		if (!g) {
+			g = {
+				cve: o.requirementId,
+				overrides: []
+			};
+			groups.set(o.requirementId, g);
+		}
+		g.overrides.push(o);
+	}
+	return [...groups.values()].sort((a, b) => a.cve.localeCompare(b.cve));
+}
+function productIDsForGroup(group) {
+	const seen = /* @__PURE__ */ new Set();
+	for (const o of group.overrides) for (const p of productIDsFor$1(o)) seen.add(p);
+	return [...seen].sort();
+}
+function productIDsFor$1(o) {
+	if (o.affectedPackages && o.affectedPackages.length > 0) {
+		const ids = o.affectedPackages.map((p) => affectedPackageToIdentifier(p)).filter((id) => Boolean(id));
+		if (ids.length > 0) return ids;
+	}
+	if (o.componentRef) return [o.componentRef];
+	const m = PRODUCTS_LINE$2.exec(o.reason ?? "");
+	if (m && m[1]) {
+		const parts = m[1].split(",").map((s) => s.trim()).filter(Boolean);
+		if (parts.length > 0) return parts;
+	}
+	return [DEFAULT_PRODUCT_ID$2];
+}
+function stripProductsLine$1(reason) {
+	return reason.replace(PRODUCTS_LINE$2, "").replace(/\n+$/, "");
+}
+function allMilestonesCompleted$2(o) {
+	if (!o.milestones || o.milestones.length === 0) return false;
+	return o.milestones.every((m) => m.status === MilestoneStatus.Completed);
+}
+function buildVulnerability(group) {
+	const v = { cve: group.cve };
+	const status = {};
+	let emitted = false;
+	for (const o of group.overrides) {
+		const pids = productIDsFor$1(o);
+		let canonical = exportStatusFor(o, allMilestonesCompleted$2(o), false);
+		if (!canonical) continue;
+		if (o.type === OverrideType.Poam && canonical === VexStatus.Affected && allMilestonesCompleted$2(o)) canonical = VexStatus.Fixed;
+		if (canonical === VexStatus.NotAffected) {
+			status.known_not_affected = (status.known_not_affected ?? []).concat(pids);
+			if (o.justification) {
+				v.flags = v.flags ?? [];
+				v.flags.push({
+					label: String(o.justification),
+					product_ids: pids,
+					date: new Date(o.appliedAt).toISOString().replace(/\.\d+Z$/, "Z")
+				});
+			}
+			emitted = true;
+		} else if (canonical === VexStatus.Fixed) {
+			status.fixed = (status.fixed ?? []).concat(pids);
+			for (const m of o.milestones ?? []) {
+				if (!m.description) continue;
+				v.remediations = v.remediations ?? [];
+				v.remediations.push({
+					category: "vendor_fix",
+					details: m.description,
+					product_ids: pids
+				});
+			}
+			emitted = true;
+		} else if (canonical === VexStatus.Affected) {
+			status.known_affected = (status.known_affected ?? []).concat(pids);
+			if (o.reason) {
+				v.threats = v.threats ?? [];
+				v.threats.push({
+					category: "impact",
+					details: stripProductsLine$1(o.reason),
+					product_ids: pids
+				});
+			}
+			if (o.type === OverrideType.Poam) for (const m of o.milestones ?? []) {
+				if (!m.description) continue;
+				v.remediations = v.remediations ?? [];
+				v.remediations.push({
+					category: "workaround",
+					details: m.description,
+					product_ids: pids
+				});
+			}
+			emitted = true;
+		}
+		for (const e of o.evidence ?? []) {
+			if (e.type !== "url" || !e.data) continue;
+			v.references = v.references ?? [];
+			v.references.push({
+				category: "external",
+				summary: e.description ?? "",
+				url: e.data
+			});
+		}
+	}
+	/* c8 ignore next */
+	if (!emitted) return void 0;
+	if (status.fixed) status.fixed = [...new Set(status.fixed)];
+	if (status.known_affected) status.known_affected = [...new Set(status.known_affected)];
+	if (status.known_not_affected) status.known_not_affected = [...new Set(status.known_not_affected)];
+	v.product_status = status;
+	if (v.references) {
+		const seen = /* @__PURE__ */ new Set();
+		v.references = v.references.filter((r) => {
+			if (seen.has(r.url)) return false;
+			seen.add(r.url);
+			return true;
+		});
+	}
+	return v;
+}
+function buildDocument(amendments, converterVersion) {
+	const now = (/* @__PURE__ */ new Date()).toISOString().replace(/\.\d+Z$/, "Z");
+	const publisherName = amendments.appliedBy?.identifier || "HDF Amendments Export";
+	const trackingId = amendments.amendmentId || "HDF-VEX-EXPORT";
+	const docVersion = amendments.version || "1";
+	const title = amendments.name || "HDF Amendments exported as CSAF VEX";
+	const notes = [];
+	if (amendments.description) notes.push({
+		category: "summary",
+		text: amendments.description,
+		title: "Description"
+	});
+	return {
+		document: {
+			category: "csaf_vex",
+			csaf_version: "2.0",
+			title,
+			notes,
+			publisher: {
+				category: "other",
+				name: publisherName
+			},
+			tracking: {
+				id: trackingId,
+				status: "final",
+				version: docVersion,
+				current_release_date: now,
+				initial_release_date: now,
+				revision_history: [{
+					date: now,
+					number: docVersion,
+					summary: "Generated by hdf-to-csaf-vex from HDF Amendments."
+				}],
+				generator: {
+					engine: {
+						name: "hdf-to-csaf-vex",
+						version: converterVersion
+					},
+					date: now
+				}
+			}
+		},
+		product_tree: { full_product_names: [] },
+		vulnerabilities: []
+	};
+}
+//#endregion
+//#region converters/hdf-to-openvex/typescript/converter.ts
+/**
+* HDF Amendments to OpenVEX converter.
+*
+* Reverse direction of openvex-to-hdf. Step 4f amendment-output pattern,
+* partial-fidelity by design — consumer-action-bearing fields (CVE id,
+* status, justification) survive round-trip; the rest collapse.
+*/
+const CVE_ID_PATTERN$1 = /^CVE-\d{4}-\d{4,}$/;
+const PRODUCTS_LINE$1 = /^Products:\s*(.+)$/m;
+const OPENVEX_CONTEXT = "https://openvex.dev/ns/v0.2.0";
+const OPENVEX_NAMESPACE = "https://openvex.dev/docs/public/";
+const DEFAULT_PRODUCT_ID$1 = "HDFPID-0001";
+async function convertHdfToOpenVex(input, converterVersion) {
+	validateInputSize(input, "hdf-to-openvex");
+	const amendments = parseJSON(input);
+	const statements = [];
+	let earliest;
+	for (const o of amendments.overrides ?? []) {
+		const s = overrideToStatement(o);
+		if (!s) continue;
+		statements.push(s);
+		const t = new Date(o.appliedAt);
+		if (!earliest || t < earliest) earliest = t;
+	}
+	if (statements.length === 0) throw new Error("hdf-to-openvex: no overrides with CVE-shaped requirementIds; nothing to emit");
+	statements.sort((a, b) => a.vulnerability.name.localeCompare(b.vulnerability.name));
+	const author = amendments.appliedBy?.identifier || "HDF Amendments Export";
+	const role = amendments.appliedBy?.description;
+	const doc = {
+		"@context": OPENVEX_CONTEXT,
+		"@id": await buildDocumentID(input, amendments),
+		author,
+		role,
+		timestamp: (earliest ?? /* @__PURE__ */ new Date()).toISOString().replace(/\.\d+Z$/, "Z"),
+		version: 1,
+		statements
+	};
+	return JSON.stringify(doc, null, 2);
+}
+function overrideToStatement(o) {
+	if (!CVE_ID_PATTERN$1.test(o.requirementId)) return void 0;
+	let canonical = exportStatusFor(o, allMilestonesCompleted$1(o), false);
+	if (!canonical) return void 0;
+	if (o.type === OverrideType.Poam && canonical === VexStatus.Affected && allMilestonesCompleted$1(o)) canonical = VexStatus.Fixed;
+	const stmt = {
+		vulnerability: {
+			name: o.requirementId,
+			"@id": `https://nvd.nist.gov/vuln/detail/${o.requirementId}`
+		},
+		status: String(canonical),
+		timestamp: new Date(o.appliedAt).toISOString().replace(/\.\d+Z$/, "Z"),
+		products: productsFor(o)
+	};
+	if (canonical === VexStatus.NotAffected) {
+		if (o.justification) stmt.justification = String(o.justification);
+		const impact = stripProductsLine(o.reason ?? "");
+		if (impact) stmt.impact_statement = impact;
+	} else if (canonical === VexStatus.Fixed) stmt.action_statement = firstMilestoneAction(o) || "Fix applied; consumer re-scan confirmed clean.";
+	else if (canonical === VexStatus.Affected) stmt.action_statement = firstMilestoneAction(o) || stripProductsLine(o.reason ?? "");
+	return stmt;
+}
+function productsFor(o) {
+	if (o.affectedPackages && o.affectedPackages.length > 0) {
+		const ids = o.affectedPackages.map((p) => affectedPackageToIdentifier(p)).filter((id) => Boolean(id));
+		if (ids.length > 0) return ids.map((id) => ({ "@id": id }));
+	}
+	let ids = [];
+	if (o.componentRef) ids = [o.componentRef];
+	else {
+		const m = PRODUCTS_LINE$1.exec(o.reason ?? "");
+		if (m && m[1]) ids = m[1].split(",").map((s) => s.trim()).filter(Boolean);
+	}
+	if (ids.length === 0) ids = [DEFAULT_PRODUCT_ID$1];
+	return ids.map((id) => ({ "@id": id }));
+}
+function firstMilestoneAction(o) {
+	for (const m of o.milestones ?? []) if (m.description) return m.description;
+	return "";
+}
+function allMilestonesCompleted$1(o) {
+	if (!o.milestones || o.milestones.length === 0) return false;
+	return o.milestones.every((m) => m.status === MilestoneStatus.Completed);
+}
+function stripProductsLine(reason) {
+	return reason.replace(PRODUCTS_LINE$1, "").replace(/\n+$/, "");
+}
+async function buildDocumentID(input, a) {
+	if (a.amendmentId) return `${OPENVEX_NAMESPACE}vex-${a.amendmentId}`;
+	return `${OPENVEX_NAMESPACE}vex-${await sha256(input)}`;
+}
+//#endregion
+//#region converters/hdf-to-cyclonedx-vex/typescript/converter.ts
+/**
+* HDF Amendments to CycloneDX VEX converter (export side).
+*
+* Reverse direction of cyclonedx-vex-to-hdf. Step 4f amendment-output
+* pattern, partial-fidelity by design — consumer-action-bearing fields
+* (CVE id, status, justification) survive round-trip; the rest collapse
+* into the available CycloneDX VEX fields.
+*/
+const CVE_ID_PATTERN = /^CVE-\d{4}-\d{4,}$/;
+const PRODUCTS_LINE = /^Products:\s*(.+)$/m;
+const RAW_JUST_LINE = /^VEX justification:\s*(.+)$/m;
+const RESPONSE_LINE = /^Response:.*$/gm;
+const DEFAULT_PRODUCT_ID = "HDFPID-0001";
+function convertHdfToCyclonedxVex(input, converterVersion) {
+	validateInputSize(input, "hdf-to-cyclonedx-vex");
+	const amendments = parseJSON(input);
+	const componentRegistry = /* @__PURE__ */ new Map();
+	const vulnerabilities = [];
+	let earliest;
+	for (const o of amendments.overrides ?? []) {
+		if (!CVE_ID_PATTERN.test(o.requirementId)) continue;
+		const v = overrideToVulnerability(o, componentRegistry);
+		if (!v) continue;
+		vulnerabilities.push(v);
+		const t = new Date(o.appliedAt);
+		if (!earliest || t < earliest) earliest = t;
+	}
+	if (vulnerabilities.length === 0) throw new Error("hdf-to-cyclonedx-vex: no overrides with CVE-shaped requirementIds; nothing to emit");
+	vulnerabilities.sort((a, b) => a.id.localeCompare(b.id));
+	const components = [...componentRegistry.values()].sort((a, b) => a["bom-ref"].localeCompare(b["bom-ref"]));
+	const bom = {
+		bomFormat: "CycloneDX",
+		specVersion: "1.4",
+		serialNumber: buildSerialNumberSync(input, amendments),
+		version: 1,
+		metadata: buildMetadata(amendments, earliest ?? /* @__PURE__ */ new Date(), converterVersion),
+		components,
+		vulnerabilities
+	};
+	return JSON.stringify(bom, null, 2);
+}
+function overrideToVulnerability(o, componentRegistry) {
+	let canonical = exportStatusFor(o, allMilestonesCompleted(o), false);
+	if (!canonical) return void 0;
+	if (o.type === OverrideType.Poam && canonical === VexStatus.Affected && allMilestonesCompleted(o)) canonical = VexStatus.Fixed;
+	const pids = productIDsFor(o);
+	const pkgById = /* @__PURE__ */ new Map();
+	for (const p of o.affectedPackages ?? []) {
+		const id = affectedPackageToIdentifier(p);
+		if (id) pkgById.set(id, p);
+	}
+	for (const pid of pids) componentRegistry.set(pid, componentFor(pid, pkgById.get(pid)));
+	const analysis = { state: canonicalToCycloneDXState(canonical) };
+	if (o.justification) {
+		const cdxJust = justificationForCycloneDX(o.justification);
+		if (cdxJust) analysis.justification = cdxJust;
+	}
+	const detail = stripReasonAnnotations(o.reason ?? "");
+	if (detail) analysis.detail = detail;
+	if (canonical === VexStatus.Fixed) analysis.response = ["update"];
+	else if (canonical === VexStatus.Affected && o.type === OverrideType.Poam) analysis.response = ["workaround_available"];
+	const v = {
+		id: o.requirementId,
+		source: {
+			name: "NVD",
+			url: `https://nvd.nist.gov/vuln/detail/${o.requirementId}`
+		},
+		analysis,
+		affects: pids.map((p) => ({ ref: p }))
+	};
+	for (const e of o.evidence ?? []) {
+		if (e.type !== "url" || !e.data) continue;
+		v.references = v.references ?? [];
+		v.references.push({
+			id: o.requirementId,
+			source: {
+				name: e.description ?? "",
+				url: e.data
+			}
+		});
+	}
+	return v;
+}
+function canonicalToCycloneDXState(canonical) {
+	switch (canonical) {
+		case VexStatus.NotAffected: return "not_affected";
+		case VexStatus.Fixed: return "resolved";
+		case VexStatus.Affected: return "exploitable";
+		/* c8 ignore next 2 — defensive: every VexStatus has a case above */
+		default: return canonical;
+	}
+}
+function componentFor(pid, pkg) {
+	const c = {
+		type: "application",
+		name: pkg?.name ?? pid,
+		"bom-ref": pid
+	};
+	if (pkg?.version) c.version = pkg.version;
+	if (pkg?.purl ?? (pid.startsWith("pkg:") ? pid : void 0)) c.purl = pkg?.purl ?? pid;
+	if (pkg?.cpe ?? (pid.startsWith("cpe:2.3:") ? pid : void 0)) c.cpe = pkg?.cpe ?? pid;
+	return c;
+}
+function productIDsFor(o) {
+	if (o.affectedPackages && o.affectedPackages.length > 0) {
+		const ids = o.affectedPackages.map((p) => affectedPackageToIdentifier(p)).filter((id) => Boolean(id));
+		if (ids.length > 0) return ids;
+	}
+	if (o.componentRef) return [o.componentRef];
+	const m = PRODUCTS_LINE.exec(o.reason ?? "");
+	if (m && m[1]) {
+		const parts = m[1].split(",").map((s) => s.trim()).filter(Boolean);
+		if (parts.length > 0) return parts;
+	}
+	return [DEFAULT_PRODUCT_ID];
+}
+function stripReasonAnnotations(reason) {
+	return reason.replace(PRODUCTS_LINE, "").replace(RAW_JUST_LINE, "").replace(RESPONSE_LINE, "").trim();
+}
+function allMilestonesCompleted(o) {
+	if (!o.milestones || o.milestones.length === 0) return false;
+	return o.milestones.every((m) => m.status === MilestoneStatus.Completed);
+}
+function buildMetadata(a, docTime, converterVersion) {
+	const metadata = {
+		timestamp: docTime.toISOString().replace(/\.\d+Z$/, "Z"),
+		tools: [{
+			vendor: "mitre",
+			name: "hdf-to-cyclonedx-vex",
+			version: converterVersion
+		}]
+	};
+	if (a.appliedBy?.identifier) {
+		const author = {};
+		if (a.appliedBy.type === IdentityType.Email) author.email = a.appliedBy.identifier;
+		else author.name = a.appliedBy.identifier;
+		metadata.authors = [author];
+	}
+	return metadata;
+}
+function buildSerialNumberSync(input, a) {
+	if (a.amendmentId) return `urn:uuid:${a.amendmentId}`;
+	return `urn:uuid:${fnv1a(input)}`;
+}
+function fnv1a(s) {
+	let h = 2166136261;
+	for (let i = 0; i < s.length; i++) {
+		h ^= s.charCodeAt(i);
+		h = Math.imul(h, 16777619) >>> 0;
+	}
+	const d = h.toString(16).padStart(8, "0");
+	return (d + d + d + d).slice(0, 32);
+}
+//#endregion
 //#region converters/oscal-to-hdf/typescript/detect.ts
 /**
 * OSCAL document type detection.
@@ -6073,7 +9059,7 @@ async function catalogToBaseline(catalog, rawInput) {
 		requirements,
 		groups,
 		generator: {
-			name: "hdf-converters",
+			name: "oscal-catalog-to-hdf",
 			version: "1.0.0"
 		}
 	};
@@ -6083,13 +9069,17 @@ function controlToBaselineRequirement(ctrl) {
 	const nistTag = controlIdToNistTag(ctrl.id);
 	const descriptions = buildCatalogDescriptions(ctrl);
 	const tags = buildCatalogTags(ctrl);
-	return {
+	const req = {
 		id: nistTag,
 		title: ctrl.title,
 		impact: .5,
 		descriptions,
 		tags
 	};
+	const controlType = deriveControlTypeFromTags([nistTag]);
+	if (controlType !== void 0) req.controlType = controlType;
+	if (extractPropValue(ctrl.props, "CORE") === "true") req.applicability = Applicability.Required;
+	return req;
 }
 /** Creates HDF Description entries from control parts. */
 function buildCatalogDescriptions(ctrl) {
@@ -6312,7 +9302,7 @@ async function convertOscalComponentToHdf(input) {
 		integrity,
 		requirements,
 		generator: {
-			name: "hdf-converters",
+			name: "oscal-component-to-hdf",
 			version: "1.0.0"
 		}
 	};
@@ -6373,7 +9363,7 @@ async function convertOscalSspToHdf(input) {
 		integrity,
 		components: [],
 		generator: {
-			name: "hdf-converters",
+			name: "oscal-ssp-to-hdf",
 			version: "1.0.0"
 		}
 	};
@@ -6500,13 +9490,13 @@ function sspComponentToHDFComponent(sc, componentControls) {
 function mapOSCALComponentType(oscalType) {
 	switch (oscalType.toLowerCase()) {
 		case "software":
-		case "this-system": return BoundaryDescription.Application;
-		case "service": return BoundaryDescription.Application;
-		case "hardware": return BoundaryDescription.Host;
-		case "network": return BoundaryDescription.Network;
-		case "database": return BoundaryDescription.Database;
-		case "storage": return BoundaryDescription.Artifact;
-		default: return BoundaryDescription.Application;
+		case "this-system": return TargetType.Application;
+		case "service": return TargetType.Application;
+		case "hardware": return TargetType.Host;
+		case "network": return TargetType.Network;
+		case "database": return TargetType.Database;
+		case "storage": return TargetType.Artifact;
+		default: return TargetType.Application;
 	}
 }
 //#endregion
@@ -6543,7 +9533,7 @@ async function convertOscalSapToHdf(input) {
 		type: planType,
 		description,
 		generator: {
-			name: "hdf-converters",
+			name: "oscal-sap-to-hdf",
 			version: "1.0.0"
 		}
 	};
@@ -6673,7 +9663,7 @@ async function convertOscalPoamToHdf(input) {
 		version: meta.version,
 		appliedBy,
 		generator: {
-			name: "hdf-converters",
+			name: "oscal-poam-to-hdf",
 			version: "1.0.0"
 		}
 	};
@@ -6870,7 +9860,10 @@ function findingsToEvaluatedRequirement(controlId, findings, obsMap, riskMap, re
 	const descriptions = sarBuildDescriptions(findings, obsMap);
 	const results = [];
 	for (const f of findings) results.push(findingToRequirementResult(f, obsMap, riskMap, result));
-	return createRequirement(nistTag, title, descriptions, impact, results, { tags: { nist: [nistTag] } });
+	const req = createRequirement(nistTag, title, descriptions, impact, results, { tags: { nist: [nistTag] } });
+	const controlType = deriveControlTypeFromTags([nistTag]);
+	if (controlType !== void 0) req.controlType = controlType;
+	return req;
 }
 function findingToRequirementResult(f, obsMap, riskMap, result) {
 	const status = mapFindingStatus(f);
@@ -6983,6 +9976,6 @@ function sarBaselineName(result, sar) {
 	return toKebabCase(result.title || sar.metadata.title, "oscal-assessment-results");
 }
 //#endregion
-export { convertAwsConfigToHdf, convertBurpsuiteToHdf, convertConveyorToHdf, convertCyclonedxToHdf, convertDbprotectToHdf, convertDeptrackToHdf, convertFortifyToHdf, convertGitlabToHdf, convertGosecToHdf, convertGrypeToHdf, convertHdfToCsv, convertHdfToOscalPoam, convertHdfToOscalSar, convertHdfToXccdf, convertHdfToXml, convertIonchannelToHdf, convertJfrogXrayToHdf, convertJunitToHdf, convertMsftDefenderCloudToHdf, convertMsftDefenderDevopsToHdf, convertMsftDefenderEndpointToHdf, convertMsftSecureScoreToHdf, convertNessusToHdf, convertNetsparkerToHdf, convertNeuvectorToHdf, convertNiktoToHdf, convertOscalCatalogToHdf, convertOscalComponentToHdf, convertOscalPoamToHdf, convertOscalProfileToHdf, convertOscalSapToHdf, convertOscalSarToHdf, convertOscalSspToHdf, convertPrismaToHdf, convertSarifToHdf, convertScoutsuiteToHdf, convertSnykToHdf, convertSonarqubeToHdf, convertSplunkToHdf, convertTrufflehogToHdf, convertTwistlockToHdf, convertV1ToV2, convertVeracodeToHdf, convertXccdfResultsToHdf, convertZapToHdf, detectOscalDocumentType, isHDFV1 };
+export { convertAwsConfigToHdf, convertBurpsuiteToHdf, convertCheckovToHdf, convertCklToHdf, convertCklbToHdf, convertConveyorToHdf, convertCsafVexToHdf, convertCyclonedxToHdf, convertCyclonedxVexToHdf, convertDbprotectToHdf, convertDeptrackToHdf, convertFortifyToHdf, convertGitlabToHdf, convertGosecToHdf, convertGrypeToHdf, convertHdfToCkl, convertHdfToCklb, convertHdfToCsafVex, convertHdfToCsv, convertHdfToCyclonedxVex, convertHdfToOpenVex, convertHdfToOscalPoam, convertHdfToOscalSar, convertHdfToXccdf, convertHdfToXml, convertIonchannelToHdf, convertJfrogXrayToHdf, convertJunitToHdf, convertMsftDefenderCloudToHdf, convertMsftDefenderDevopsToHdf, convertMsftDefenderEndpointToHdf, convertMsftSecureScoreToHdf, convertNessusToHdf, convertNetsparkerToHdf, convertNeuvectorToHdf, convertNiktoToHdf, convertOpenVexToHdf, convertOscalCatalogToHdf, convertOscalComponentToHdf, convertOscalPoamToHdf, convertOscalProfileToHdf, convertOscalSapToHdf, convertOscalSarToHdf, convertOscalSspToHdf, convertPrismaToHdf, convertSarifToHdf, convertScoutsuiteToHdf, convertSnykToHdf, convertSonarqubeToHdf, convertSplunkToHdf, convertTrufflehogToHdf, convertTwistlockToHdf, convertV1ToV2, convertVeracodeToHdf, convertXccdfResultsToHdf, convertZapToHdf, detectOscalDocumentType, isHDFV1 };
 
 //# sourceMappingURL=index.js.map