@mitre/hdf-schema 2.0.0

package/dist/ts/hdf-amendments.d.ts

@@ -0,0 +1,446 @@
+/**
+ * Waivers, attestations, exceptions, and POA&Ms that modify requirement compliance status.
+ * Amendments are standalone documents that can be applied to results via merge operations.
+ */
+export interface HdfAmendments {
+    /**
+     * Unique identifier for this amendments document. Useful for cross-referencing when
+     * multiple amendment documents target the same results.
+     */
+    amendmentId?: string;
+    /**
+     * Default identity of who created this amendments document. Individual overrides may
+     * specify their own appliedBy.
+     */
+    appliedBy?: Identity;
+    /**
+     * Identity of the authorizing official who approved these amendments.
+     */
+    approvedBy?: Identity;
+    /**
+     * Description of the amendments' purpose and scope.
+     */
+    description?: string;
+    /**
+     * Information about the tool that generated this document.
+     */
+    generator?: Generator;
+    /**
+     * Cryptographic integrity information for verifying this amendments document has not been
+     * tampered with.
+     */
+    integrity?: Integrity;
+    /**
+     * Optional key-value labels for grouping and querying amendments.
+     */
+    labels?: {
+        [key: string]: string;
+    };
+    /**
+     * Human-readable name for this amendments document. Example: 'Portal Q1 2026 Waivers'.
+     */
+    name: string;
+    /**
+     * The set of amendments (waivers, attestations, exceptions, POA&Ms).
+     */
+    overrides: StandaloneOverride[];
+    /**
+     * Document-level digital signature covering all amendments.
+     */
+    signature?: Signature;
+    /**
+     * URI to the hdf-system document these amendments apply to.
+     */
+    systemRef?: string;
+    /**
+     * Version of this amendments document.
+     */
+    version?: string;
+    [property: string]: any;
+}
+/**
+ * Default identity of who created this amendments document. Individual overrides may
+ * specify their own appliedBy.
+ *
+ * Represents an identity that performed an action, such as capturing evidence or applying
+ * an override.
+ *
+ * Identity of the authorizing official who approved these amendments.
+ *
+ * Identity of who applied this amendment.
+ *
+ * Identity of who or what captured this evidence.
+ *
+ * Identity of who completed this milestone.
+ *
+ * The identity that created this signature.
+ */
+export interface Identity {
+    /**
+     * Optional description of the identity or identity system, particularly useful when type is
+     * 'other'.
+     */
+    description?: string;
+    /**
+     * The identifier value. Example: 'user@example.com', 'jdoe', 'automated-scanner-01'.
+     */
+    identifier: string;
+    /**
+     * The type of identifier. Use 'email' for email addresses, 'username' for user accounts,
+     * 'system' for automated systems, 'simple' for basic string identifiers without additional
+     * classification, or 'other' for custom identity systems.
+     */
+    type: AppliedByType;
+    [property: string]: any;
+}
+/**
+ * The type of identifier. Use 'email' for email addresses, 'username' for user accounts,
+ * 'system' for automated systems, 'simple' for basic string identifiers without additional
+ * classification, or 'other' for custom identity systems.
+ */
+export declare enum AppliedByType {
+    Email = "email",
+    Other = "other",
+    Simple = "simple",
+    System = "system",
+    Username = "username"
+}
+/**
+ * Information about the tool that generated this document.
+ *
+ * Information about the tool that generated this HDF file.
+ */
+export interface Generator {
+    /**
+     * The name of the software that produced this HDF file. Example: 'gosec-to-hdf'.
+     */
+    name: string;
+    /**
+     * The version of the tool. Example: '5.22.3'.
+     */
+    version: string;
+    [property: string]: any;
+}
+/**
+ * Cryptographic integrity information for verifying this amendments document has not been
+ * tampered with.
+ *
+ * Cryptographic integrity information for verifying the HDF file has not been tampered
+ * with. If algorithm is provided, checksum must also be provided, and vice versa.
+ */
+export interface Integrity {
+    /**
+     * The hash algorithm used for the checksum.
+     */
+    algorithm?: HashAlgorithm;
+    /**
+     * The checksum value.
+     */
+    checksum?: string;
+    /**
+     * Optional cryptographic signature.
+     */
+    signature?: string;
+    /**
+     * Identifier of who signed this file.
+     */
+    signedBy?: string;
+    [property: string]: any;
+}
+/**
+ * The hash algorithm used for the checksum.
+ *
+ * Supported cryptographic hash algorithms for checksums and integrity verification.
+ */
+export declare enum HashAlgorithm {
+    Sha256 = "sha256",
+    Sha384 = "sha384",
+    Sha512 = "sha512"
+}
+/**
+ * A standalone amendment that modifies a requirement's compliance status. Extends the
+ * inline Status_Override concept with requirementId and baselineRef for use outside of
+ * results documents.
+ */
+export interface StandaloneOverride {
+    /**
+     * When this amendment was applied. ISO 8601 format.
+     */
+    appliedAt: Date;
+    /**
+     * Identity of who applied this amendment.
+     */
+    appliedBy: Identity;
+    /**
+     * Name of the baseline containing the requirement. Required when the system has multiple
+     * baselines with potentially overlapping requirement IDs.
+     */
+    baselineRef?: string;
+    /**
+     * componentId of the component this amendment is scoped to. When set, the amendment only
+     * applies to the specified component. When omitted, the amendment applies system-wide.
+     */
+    componentRef?: string;
+    /**
+     * Supporting evidence (screenshots, logs, URLs, documents).
+     */
+    evidence?: Evidence[];
+    /**
+     * When this amendment expires and must be reviewed. No permanent amendments. ISO 8601
+     * format.
+     */
+    expiresAt: Date;
+    /**
+     * componentId of the local component that provides this control. Set when the provider is
+     * in the same system. Omit for external or cross-system providers; the reason field
+     * explains the source. Primarily used with type 'inherited'.
+     */
+    inheritedFrom?: string;
+    /**
+     * Remediation milestones (primarily for POA&M type amendments).
+     */
+    milestones?: Milestone[];
+    /**
+     * Checksum of the prior amendment in the chain. Creates a tamper-evident linked list. Null
+     * for the first amendment.
+     */
+    previousChecksum?: Checksum;
+    /**
+     * Justification for this amendment.
+     */
+    reason: string;
+    /**
+     * The ID of the requirement being amended. Must match a requirement ID in the referenced
+     * baseline.
+     */
+    requirementId: string;
+    /**
+     * Digital signature for non-repudiation.
+     */
+    signature?: Signature;
+    /**
+     * The new status this amendment sets. For POA&Ms, this is the current status (POA&Ms track
+     * work, they don't change status).
+     */
+    status: ResultStatus;
+    /**
+     * The type of amendment.
+     */
+    type: OverrideType;
+    [property: string]: any;
+}
+/**
+ * Supporting evidence for a finding or override, such as screenshots, code samples, log
+ * excerpts, or URLs.
+ */
+export interface Evidence {
+    /**
+     * Timestamp when this evidence was captured. ISO 8601 format.
+     */
+    capturedAt?: Date;
+    /**
+     * Identity of who or what captured this evidence.
+     */
+    capturedBy?: Identity;
+    /**
+     * The evidence content. For screenshots/files: base64-encoded data or URL. For code/logs:
+     * the raw text. For URLs: the URL string.
+     */
+    data: string;
+    /**
+     * Human-readable description of what this evidence shows.
+     */
+    description?: string;
+    /**
+     * Encoding used for the data. Example: 'base64', 'utf-8'.
+     */
+    encoding?: string;
+    /**
+     * MIME type of the evidence. Example: 'image/png', 'text/plain', 'application/json'.
+     */
+    mimeType?: string;
+    /**
+     * Size of the evidence data in bytes.
+     */
+    size?: number;
+    /**
+     * The type of evidence being provided.
+     */
+    type: EvidenceType;
+    [property: string]: any;
+}
+/**
+ * The type of evidence being provided.
+ */
+export declare enum EvidenceType {
+    Code = "code",
+    File = "file",
+    Log = "log",
+    Other = "other",
+    Screenshot = "screenshot",
+    URL = "url"
+}
+/**
+ * A milestone or task within a POA&M remediation plan.
+ */
+export interface Milestone {
+    /**
+     * Actual completion timestamp. ISO 8601 format.
+     */
+    completedAt?: Date;
+    /**
+     * Identity of who completed this milestone.
+     */
+    completedBy?: Identity;
+    /**
+     * Description of this milestone or task.
+     */
+    description: string;
+    /**
+     * Estimated completion date. ISO 8601 format.
+     */
+    estimatedCompletion: Date;
+    /**
+     * Current status of this milestone.
+     */
+    status: Status;
+    [property: string]: any;
+}
+/**
+ * Current status of this milestone.
+ */
+export declare enum Status {
+    Completed = "completed",
+    InProgress = "inProgress",
+    Pending = "pending"
+}
+/**
+ * Checksum of the prior amendment in the chain. Creates a tamper-evident linked list. Null
+ * for the first amendment.
+ *
+ * Cryptographic checksum for baseline integrity verification.
+ */
+export interface Checksum {
+    /**
+     * The hash algorithm used for the checksum.
+     */
+    algorithm: HashAlgorithm;
+    /**
+     * The checksum value.
+     */
+    value: string;
+    [property: string]: any;
+}
+/**
+ * Digital signature for non-repudiation.
+ *
+ * A digital signature following W3C Data Integrity Proofs pattern. Supports hardware
+ * security tokens (PKCS#11/PKCS#12), Yubikeys, GPG keys, passkeys, and other cryptographic
+ * signing methods via JWK, PEM, or Base58 key formats.
+ *
+ * Document-level digital signature covering all amendments.
+ */
+export interface Signature {
+    /**
+     * Challenge value from the verifier, used in challenge-response authentication.
+     */
+    challenge?: string;
+    /**
+     * When the signature was created. ISO 8601 format.
+     */
+    created: Date;
+    /**
+     * The identity that created this signature.
+     */
+    creator: Identity;
+    /**
+     * Domain restriction for the signature, prevents cross-domain replay attacks.
+     */
+    domain?: string;
+    /**
+     * Random value to prevent replay attacks.
+     */
+    nonce?: string;
+    /**
+     * The purpose of this signature. Example: 'attestation', 'authentication',
+     * 'assertionMethod'.
+     */
+    proofPurpose: string;
+    /**
+     * The base64-encoded or base58-encoded signature value.
+     */
+    signatureValue: string;
+    /**
+     * The signature suite type. Example: 'JsonWebSignature2020', 'RsaSignature2018',
+     * 'Ed25519Signature2020'.
+     */
+    type: string;
+    /**
+     * The verification method containing the public key for signature verification.
+     */
+    verificationMethod: VerificationMethod;
+    [property: string]: any;
+}
+/**
+ * The verification method containing the public key for signature verification.
+ *
+ * Verification method containing the public key needed to verify a digital signature.
+ * Supports multiple key formats including JWK (for RSA, EC), PEM, and Base58.
+ */
+export interface VerificationMethod {
+    /**
+     * The entity that controls this verification method. Can be a DID, URI, or other identifier.
+     */
+    controller: string;
+    /**
+     * Public key in Base58 format, commonly used with Ed25519 keys.
+     */
+    publicKeyBase58?: string;
+    /**
+     * Public key in JSON Web Key format.
+     */
+    publicKeyJwk?: {
+        [key: string]: any;
+    };
+    /**
+     * Public key in PEM format. Example: '-----BEGIN PUBLIC KEY-----...-----END PUBLIC
+     * KEY-----'.
+     */
+    publicKeyPem?: string;
+    /**
+     * The type of verification method. Example: 'JsonWebKey2020', 'RsaVerificationKey2018',
+     * 'Ed25519VerificationKey2020'.
+     */
+    type: string;
+    [property: string]: any;
+}
+/**
+ * The new status this amendment sets. For POA&Ms, this is the current status (POA&Ms track
+ * work, they don't change status).
+ *
+ * The status of an individual test result. 'notApplicable' indicates the requirement does
+ * not apply to the target. 'notReviewed' indicates the requirement was not assessed (e.g.,
+ * requires manual verification).
+ */
+export declare enum ResultStatus {
+    Error = "error",
+    Failed = "failed",
+    NotApplicable = "notApplicable",
+    NotReviewed = "notReviewed",
+    Passed = "passed"
+}
+/**
+ * The type of amendment.
+ *
+ * The type of amendment. 'waiver': risk accepted (AO). 'attestation': manually verified
+ * (assessor). 'exception': not applicable (system owner + AO). 'poam': remediation tracked
+ * (no status change). 'inherited': control provided by another component or system
+ * (overrides to notApplicable/passed).
+ */
+export declare enum OverrideType {
+    Attestation = "attestation",
+    Exception = "exception",
+    Inherited = "inherited",
+    Poam = "poam",
+    Waiver = "waiver"
+}

package/dist/ts/hdf-amendments.js

@@ -0,0 +1,77 @@
+/**
+ * The type of identifier. Use 'email' for email addresses, 'username' for user accounts,
+ * 'system' for automated systems, 'simple' for basic string identifiers without additional
+ * classification, or 'other' for custom identity systems.
+ */
+export var AppliedByType;
+(function (AppliedByType) {
+    AppliedByType["Email"] = "email";
+    AppliedByType["Other"] = "other";
+    AppliedByType["Simple"] = "simple";
+    AppliedByType["System"] = "system";
+    AppliedByType["Username"] = "username";
+})(AppliedByType || (AppliedByType = {}));
+/**
+ * The hash algorithm used for the checksum.
+ *
+ * Supported cryptographic hash algorithms for checksums and integrity verification.
+ */
+export var HashAlgorithm;
+(function (HashAlgorithm) {
+    HashAlgorithm["Sha256"] = "sha256";
+    HashAlgorithm["Sha384"] = "sha384";
+    HashAlgorithm["Sha512"] = "sha512";
+})(HashAlgorithm || (HashAlgorithm = {}));
+/**
+ * The type of evidence being provided.
+ */
+export var EvidenceType;
+(function (EvidenceType) {
+    EvidenceType["Code"] = "code";
+    EvidenceType["File"] = "file";
+    EvidenceType["Log"] = "log";
+    EvidenceType["Other"] = "other";
+    EvidenceType["Screenshot"] = "screenshot";
+    EvidenceType["URL"] = "url";
+})(EvidenceType || (EvidenceType = {}));
+/**
+ * Current status of this milestone.
+ */
+export var Status;
+(function (Status) {
+    Status["Completed"] = "completed";
+    Status["InProgress"] = "inProgress";
+    Status["Pending"] = "pending";
+})(Status || (Status = {}));
+/**
+ * The new status this amendment sets. For POA&Ms, this is the current status (POA&Ms track
+ * work, they don't change status).
+ *
+ * The status of an individual test result. 'notApplicable' indicates the requirement does
+ * not apply to the target. 'notReviewed' indicates the requirement was not assessed (e.g.,
+ * requires manual verification).
+ */
+export var ResultStatus;
+(function (ResultStatus) {
+    ResultStatus["Error"] = "error";
+    ResultStatus["Failed"] = "failed";
+    ResultStatus["NotApplicable"] = "notApplicable";
+    ResultStatus["NotReviewed"] = "notReviewed";
+    ResultStatus["Passed"] = "passed";
+})(ResultStatus || (ResultStatus = {}));
+/**
+ * The type of amendment.
+ *
+ * The type of amendment. 'waiver': risk accepted (AO). 'attestation': manually verified
+ * (assessor). 'exception': not applicable (system owner + AO). 'poam': remediation tracked
+ * (no status change). 'inherited': control provided by another component or system
+ * (overrides to notApplicable/passed).
+ */
+export var OverrideType;
+(function (OverrideType) {
+    OverrideType["Attestation"] = "attestation";
+    OverrideType["Exception"] = "exception";
+    OverrideType["Inherited"] = "inherited";
+    OverrideType["Poam"] = "poam";
+    OverrideType["Waiver"] = "waiver";
+})(OverrideType || (OverrideType = {}));