@mitre/hdf-schema 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (65)
  1. package/LICENSE.md +55 -0
  2. package/README.md +143 -0
  3. package/dist/go/go.mod +4 -0
  4. package/dist/go/hdf.go +2224 -0
  5. package/dist/helpers.d.ts +77 -0
  6. package/dist/helpers.js +242 -0
  7. package/dist/index.d.ts +62 -0
  8. package/dist/index.js +37 -0
  9. package/dist/python/hdf_amendments.py +695 -0
  10. package/dist/python/hdf_baseline.py +782 -0
  11. package/dist/python/hdf_comparison.py +1771 -0
  12. package/dist/python/hdf_evidence_package.py +593 -0
  13. package/dist/python/hdf_plan.py +363 -0
  14. package/dist/python/hdf_results.py +2163 -0
  15. package/dist/python/hdf_system.py +904 -0
  16. package/dist/schemas/hdf-amendments.schema.json +1562 -0
  17. package/dist/schemas/hdf-baseline.schema.json +1787 -0
  18. package/dist/schemas/hdf-comparison.schema.json +3730 -0
  19. package/dist/schemas/hdf-evidence-package.schema.json +1738 -0
  20. package/dist/schemas/hdf-plan.schema.json +1821 -0
  21. package/dist/schemas/hdf-results.schema.json +2810 -0
  22. package/dist/schemas/hdf-system.schema.json +2512 -0
  23. package/dist/ts/hdf-amendments.d.ts +446 -0
  24. package/dist/ts/hdf-amendments.js +77 -0
  25. package/dist/ts/hdf-amendments.ts +457 -0
  26. package/dist/ts/hdf-baseline.d.ts +472 -0
  27. package/dist/ts/hdf-baseline.js +58 -0
  28. package/dist/ts/hdf-baseline.ts +483 -0
  29. package/dist/ts/hdf-comparison.d.ts +1185 -0
  30. package/dist/ts/hdf-comparison.js +216 -0
  31. package/dist/ts/hdf-comparison.ts +1210 -0
  32. package/dist/ts/hdf-evidence-package.d.ts +348 -0
  33. package/dist/ts/hdf-evidence-package.js +39 -0
  34. package/dist/ts/hdf-evidence-package.ts +356 -0
  35. package/dist/ts/hdf-plan.d.ts +204 -0
  36. package/dist/ts/hdf-plan.js +23 -0
  37. package/dist/ts/hdf-plan.ts +205 -0
  38. package/dist/ts/hdf-results.d.ts +1457 -0
  39. package/dist/ts/hdf-results.js +174 -0
  40. package/dist/ts/hdf-results.ts +1481 -0
  41. package/dist/ts/hdf-system.d.ts +609 -0
  42. package/dist/ts/hdf-system.js +102 -0
  43. package/dist/ts/hdf-system.ts +617 -0
  44. package/package.json +98 -0
  45. package/src/schemas/hdf-amendments.schema.json +97 -0
  46. package/src/schemas/hdf-baseline.schema.json +190 -0
  47. package/src/schemas/hdf-comparison.schema.json +107 -0
  48. package/src/schemas/hdf-evidence-package.schema.json +227 -0
  49. package/src/schemas/hdf-plan.schema.json +92 -0
  50. package/src/schemas/hdf-results.schema.json +304 -0
  51. package/src/schemas/hdf-system.schema.json +136 -0
  52. package/src/schemas/primitives/amendments.schema.json +155 -0
  53. package/src/schemas/primitives/common.schema.json +814 -0
  54. package/src/schemas/primitives/comparison.schema.json +809 -0
  55. package/src/schemas/primitives/component.schema.json +518 -0
  56. package/src/schemas/primitives/data-flow.schema.json +158 -0
  57. package/src/schemas/primitives/extensions.schema.json +342 -0
  58. package/src/schemas/primitives/parameter.schema.json +128 -0
  59. package/src/schemas/primitives/plan.schema.json +128 -0
  60. package/src/schemas/primitives/platform.schema.json +32 -0
  61. package/src/schemas/primitives/result.schema.json +133 -0
  62. package/src/schemas/primitives/runner.schema.json +83 -0
  63. package/src/schemas/primitives/statistics.schema.json +71 -0
  64. package/src/schemas/primitives/system.schema.json +132 -0
  65. package/src/schemas/primitives/target.schema.json +523 -0
package/dist/go/hdf.go ADDED
@@ -0,0 +1,2224 @@
1
+ // Code generated from JSON Schema using quicktype. DO NOT EDIT.
2
+ // To parse and unparse this JSON data, add this code to your project and do:
3
+ //
4
+ // hDFResults, err := UnmarshalHDFResults(bytes)
5
+ // bytes, err = hDFResults.Marshal()
6
+ //
7
+ // hDFBaseline, err := UnmarshalHDFBaseline(bytes)
8
+ // bytes, err = hDFBaseline.Marshal()
9
+ //
10
+ // hDFComparison, err := UnmarshalHDFComparison(bytes)
11
+ // bytes, err = hDFComparison.Marshal()
12
+ //
13
+ // hDFSystem, err := UnmarshalHDFSystem(bytes)
14
+ // bytes, err = hDFSystem.Marshal()
15
+ //
16
+ // hDFPlan, err := UnmarshalHDFPlan(bytes)
17
+ // bytes, err = hDFPlan.Marshal()
18
+ //
19
+ // hDFAmendments, err := UnmarshalHDFAmendments(bytes)
20
+ // bytes, err = hDFAmendments.Marshal()
21
+ //
22
+ // hDFEvidencePackage, err := UnmarshalHDFEvidencePackage(bytes)
23
+ // bytes, err = hDFEvidencePackage.Marshal()
24
+
25
+ package hdf
26
+
27
+ import "bytes"
28
+ import "errors"
29
+ import "time"
30
+
31
+ import "encoding/json"
32
+
33
+ func UnmarshalHDFResults(data []byte) (HDFResults, error) {
34
+ var r HDFResults
35
+ err := json.Unmarshal(data, &r)
36
+ return r, err
37
+ }
38
+
39
+ func (r *HDFResults) Marshal() ([]byte, error) {
40
+ return json.Marshal(r)
41
+ }
42
+
43
+ func UnmarshalHDFBaseline(data []byte) (HDFBaseline, error) {
44
+ var r HDFBaseline
45
+ err := json.Unmarshal(data, &r)
46
+ return r, err
47
+ }
48
+
49
+ func (r *HDFBaseline) Marshal() ([]byte, error) {
50
+ return json.Marshal(r)
51
+ }
52
+
53
+ func UnmarshalHDFComparison(data []byte) (HDFComparison, error) {
54
+ var r HDFComparison
55
+ err := json.Unmarshal(data, &r)
56
+ return r, err
57
+ }
58
+
59
+ func (r *HDFComparison) Marshal() ([]byte, error) {
60
+ return json.Marshal(r)
61
+ }
62
+
63
+ func UnmarshalHDFSystem(data []byte) (HDFSystem, error) {
64
+ var r HDFSystem
65
+ err := json.Unmarshal(data, &r)
66
+ return r, err
67
+ }
68
+
69
+ func (r *HDFSystem) Marshal() ([]byte, error) {
70
+ return json.Marshal(r)
71
+ }
72
+
73
+ func UnmarshalHDFPlan(data []byte) (HDFPlan, error) {
74
+ var r HDFPlan
75
+ err := json.Unmarshal(data, &r)
76
+ return r, err
77
+ }
78
+
79
+ func (r *HDFPlan) Marshal() ([]byte, error) {
80
+ return json.Marshal(r)
81
+ }
82
+
83
+ func UnmarshalHDFAmendments(data []byte) (HDFAmendments, error) {
84
+ var r HDFAmendments
85
+ err := json.Unmarshal(data, &r)
86
+ return r, err
87
+ }
88
+
89
+ func (r *HDFAmendments) Marshal() ([]byte, error) {
90
+ return json.Marshal(r)
91
+ }
92
+
93
+ func UnmarshalHDFEvidencePackage(data []byte) (HDFEvidencePackage, error) {
94
+ var r HDFEvidencePackage
95
+ err := json.Unmarshal(data, &r)
96
+ return r, err
97
+ }
98
+
99
+ func (r *HDFEvidencePackage) Marshal() ([]byte, error) {
100
+ return json.Marshal(r)
101
+ }
102
+
103
+ // The top level value containing all assessment results.
104
+ type HDFResults struct {
105
+ // Information on the baselines that were evaluated, including findings.
106
+ Baselines []EvaluatedBaseline `json:"baselines"`
107
+ // The components that were assessed. Each component describes a system element (host,
108
+ // container, cloud resource, application, etc.) with optional identity, SBOM, and external
109
+ // references.
110
+ Components []Component `json:"components,omitempty"`
111
+ // Reserved for tool-specific data not defined in the HDF standard. Use this to preserve
112
+ // original tool output, auxiliary data, or custom metadata.
113
+ Extensions map[string]interface{} `json:"extensions,omitempty"`
114
+ // Information about the tool that generated this file.
115
+ Generator *Generator `json:"generator,omitempty"`
116
+ // Unique identifier for this assessment run.
117
+ ID *string `json:"id,omitempty"`
118
+ // Cryptographic integrity information for verifying this file.
119
+ Integrity *Integrity `json:"integrity,omitempty"`
120
+ // Reference to an hdf-plan document describing the assessment plan that produced these
121
+ // results. May be a relative path, absolute URI, or fragment identifier.
122
+ PlanRef *string `json:"planRef,omitempty"`
123
+ // Optional reference to automated remediation resources (Ansible playbooks, Terraform
124
+ // scripts, etc.) for fixing failing requirements found in this assessment.
125
+ Remediation *Remediation `json:"remediation,omitempty"`
126
+ // Information about the test execution environment where the security tool was run.
127
+ // Distinct from targets (what is being tested).
128
+ Runner *Runner `json:"runner,omitempty"`
129
+ // Statistics for the assessment run, including duration and result counts.
130
+ Statistics *Statistics `json:"statistics,omitempty"`
131
+ // Reference to an hdf-system document describing the system under assessment. May be a
132
+ // relative path, absolute URI, or fragment identifier.
133
+ SystemRef *string `json:"systemRef,omitempty"`
134
+ // When this assessment was executed.
135
+ Timestamp *time.Time `json:"timestamp,omitempty"`
136
+ // The security tool that produced the assessment data in this file.
137
+ Tool *Tool `json:"tool,omitempty"`
138
+ }
139
+
140
+ // Information on a baseline that was evaluated, including any findings.
141
+ //
142
+ // Shared metadata fields for baselines. Used in both standalone baseline documents and
143
+ // evaluated baseline results.
144
+ type EvaluatedBaseline struct {
145
+ // The set of dependencies this baseline depends on.
146
+ Depends []Dependency `json:"depends,omitempty"`
147
+ // The description - should be more detailed than the summary.
148
+ Description *string `json:"description,omitempty"`
149
+ // Reserved for tool-specific baseline metadata not defined in the HDF standard.
150
+ Extensions map[string]interface{} `json:"extensions,omitempty"`
151
+ // A set of descriptions for the requirement groups.
152
+ Groups []RequirementGroup `json:"groups,omitempty"`
153
+ // Typed inputs used to parameterize this baseline at execution time. See the Input
154
+ // primitive for the full schema.
155
+ Inputs []Input `json:"inputs,omitempty"`
156
+ // Cryptographic integrity information for verifying this baseline has not been tampered
157
+ // with.
158
+ Integrity *Integrity `json:"integrity,omitempty"`
159
+ // SHA-256 checksum of the original baseline definition file (before execution). This is an
160
+ // immutable reference to the baseline as defined, used to detect tampering with baseline
161
+ // requirements or metadata.
162
+ OriginalChecksum *Checksum `json:"originalChecksum,omitempty"`
163
+ // The name of the parent baseline if this is a dependency of another.
164
+ ParentBaseline *string `json:"parentBaseline,omitempty"`
165
+ // The set of requirements including any findings. A baseline must have at least one
166
+ // requirement.
167
+ Requirements []EvaluatedRequirement `json:"requirements"`
168
+ // SHA-256 checksum of the raw results before any amendments (statusOverrides or POAMs).
169
+ // Used to detect tampering with test results. Compare with currentChecksum to verify
170
+ // amendment integrity.
171
+ ResultsChecksum *Checksum `json:"resultsChecksum,omitempty"`
172
+ // An explanation of the baseline status. Example: why it was skipped, failed to load, or
173
+ // any other status details.
174
+ StatusMessage *string `json:"statusMessage,omitempty"`
175
+ // The name - must be unique.
176
+ Name string `json:"name"`
177
+ // The copyright holder(s).
178
+ Copyright *string `json:"copyright,omitempty"`
179
+ // The email address or other contact information of the copyright holder(s).
180
+ CopyrightEmail *string `json:"copyrightEmail,omitempty"`
181
+ // Optional key-value labels for flexible grouping. Well-known keys: system, component,
182
+ // environment, region, team. Values must be strings.
183
+ Labels map[string]string `json:"labels,omitempty"`
184
+ // The copyright license. Example: 'Apache-2.0'.
185
+ License *string `json:"license,omitempty"`
186
+ // The maintainer(s).
187
+ Maintainer *string `json:"maintainer,omitempty"`
188
+ // The status. Example: 'loaded'.
189
+ Status *string `json:"status,omitempty"`
190
+ // The summary. Example: the Security Technical Implementation Guide (STIG) header.
191
+ Summary *string `json:"summary,omitempty"`
192
+ // The set of supported platform targets.
193
+ Supports []SupportedPlatform `json:"supports,omitempty"`
194
+ // The title - should be human readable.
195
+ Title *string `json:"title,omitempty"`
196
+ // The version of the baseline.
197
+ Version *string `json:"version,omitempty"`
198
+ }
199
+
200
+ // A dependency for a baseline. Can include relative paths or URLs for where to find the
201
+ // dependency.
202
+ type Dependency struct {
203
+ // The branch name for a git repo.
204
+ Branch *string `json:"branch,omitempty"`
205
+ // The 'user/profilename' attribute for an Automate server.
206
+ Compliance *string `json:"compliance,omitempty"`
207
+ // The location of the git repo. Example:
208
+ // 'https://github.com/my-org/ubuntu-22.04-stig-baseline.git'.
209
+ Git *string `json:"git,omitempty"`
210
+ // The name or assigned alias.
211
+ Name *string `json:"name,omitempty"`
212
+ // The relative path if the dependency is locally available.
213
+ Path *string `json:"path,omitempty"`
214
+ // The status. Should be: 'loaded', 'failed', or 'skipped'.
215
+ Status *string `json:"status,omitempty"`
216
+ // The reason for the status if it is 'failed' or 'skipped'.
217
+ StatusMessage *string `json:"statusMessage,omitempty"`
218
+ // The 'user/profilename' attribute for a Supermarket server.
219
+ Supermarket *string `json:"supermarket,omitempty"`
220
+ // The address of the dependency.
221
+ URL *string `json:"url,omitempty"`
222
+ }
223
+
224
+ // Describes a group of requirements, such as those defined in a single file.
225
+ type RequirementGroup struct {
226
+ // The unique identifier for the group. Example: the relative path to the file specifying
227
+ // the requirements.
228
+ ID string `json:"id"`
229
+ // The set of requirements as specified by their ids in this group. Example: 'SV-238196'.
230
+ Requirements []string `json:"requirements"`
231
+ // The title of the group - should be human readable.
232
+ Title *string `json:"title,omitempty"`
233
+ }
234
+
235
+ // A typed input parameter that bridges governance requirements and scanner automation.
236
+ // Inputs carry expected configuration values with type information, comparison operators,
237
+ // and validation constraints, enabling traceability from policy through to scan results.
238
+ type Input struct {
239
+ // Validation constraints for the input value.
240
+ Constraints *InputConstraints `json:"constraints,omitempty"`
241
+ // Human-readable description of what this input controls.
242
+ Description *string `json:"description,omitempty"`
243
+ // The input name. Must be unique within a baseline or results document. Example:
244
+ // 'max_concurrent_sessions'.
245
+ Name string `json:"name"`
246
+ // The comparison operator used when evaluating this input against observed values.
247
+ Operator *ComparisonOperator `json:"operator,omitempty"`
248
+ // Whether this input must be provided. Defaults to false if omitted.
249
+ Required *bool `json:"required,omitempty"`
250
+ // Whether this input contains sensitive data (passwords, keys). Sensitive values should be
251
+ // redacted in output. Defaults to false if omitted.
252
+ Sensitive *bool `json:"sensitive,omitempty"`
253
+ // The data type of this input.
254
+ Type *InputType `json:"type,omitempty"`
255
+ // The input value. Type should match the declared type field. Accepts any JSON value.
256
+ Value interface{} `json:"value,omitempty"`
257
+ }
258
+
259
+ // Validation constraints for the input value.
260
+ //
261
+ // Validation constraints for an input value.
262
+ type InputConstraints struct {
263
+ // Enumeration of permitted values.
264
+ AllowedValues []interface{} `json:"allowedValues,omitempty"`
265
+ // Maximum allowed value (for Numeric inputs).
266
+ Max *float64 `json:"max,omitempty"`
267
+ // Minimum allowed value (for Numeric inputs).
268
+ Min *float64 `json:"min,omitempty"`
269
+ // Regular expression pattern the value must match (for String inputs).
270
+ Pattern *string `json:"pattern,omitempty"`
271
+ }
272
+
273
+ // Cryptographic integrity information for verifying this baseline has not been tampered
274
+ // with.
275
+ //
276
+ // Cryptographic integrity information for verifying the HDF file has not been tampered
277
+ // with. If algorithm is provided, checksum must also be provided, and vice versa.
278
+ //
279
+ // Cryptographic integrity information for verifying this file.
280
+ //
281
+ // Cryptographic integrity information for verifying this comparison document.
282
+ //
283
+ // Cryptographic integrity information for verifying this system document has not been
284
+ // tampered with.
285
+ //
286
+ // Cryptographic integrity information for verifying this plan document has not been
287
+ // tampered with.
288
+ //
289
+ // Cryptographic integrity information for verifying this amendments document has not been
290
+ // tampered with.
291
+ //
292
+ // Cryptographic integrity information for verifying this evidence package has not been
293
+ // tampered with.
294
+ type Integrity struct {
295
+ // The hash algorithm used for the checksum.
296
+ Algorithm *HashAlgorithm `json:"algorithm,omitempty"`
297
+ // The checksum value.
298
+ Checksum *string `json:"checksum,omitempty"`
299
+ // Optional cryptographic signature.
300
+ Signature *string `json:"signature,omitempty"`
301
+ // Identifier of who signed this file.
302
+ SignedBy *string `json:"signedBy,omitempty"`
303
+ }
304
+
305
+ // SHA-256 checksum of the original baseline definition file (before execution). This is an
306
+ // immutable reference to the baseline as defined, used to detect tampering with baseline
307
+ // requirements or metadata.
308
+ //
309
+ // Cryptographic checksum for baseline integrity verification.
310
+ //
311
+ // SHA-256 checksum of the previous amendment in chronological order. Creates a
312
+ // tamper-evident chain of amendments (similar to blockchain). Null for the first amendment
313
+ // on a requirement.
314
+ //
315
+ // SHA-256 checksum of the raw results before any amendments (statusOverrides or POAMs).
316
+ // Used to detect tampering with test results. Compare with currentChecksum to verify
317
+ // amendment integrity.
318
+ //
319
+ // Optional cryptographic checksum for verifying the integrity of remediation resources
320
+ // fetched from the URI. Recommended for security when referencing external automation
321
+ // scripts.
322
+ //
323
+ // Cryptographic checksum of the source document for integrity verification.
324
+ //
325
+ // Checksum of the prior amendment in the chain. Creates a tamper-evident linked list. Null
326
+ // for the first amendment.
327
+ //
328
+ // Cryptographic checksum for verifying the referenced document's integrity.
329
+ type Checksum struct {
330
+ // The hash algorithm used for the checksum.
331
+ Algorithm HashAlgorithm `json:"algorithm"`
332
+ // The checksum value.
333
+ Value string `json:"value"`
334
+ }
335
+
336
+ // A requirement that has been evaluated, including any findings.
337
+ //
338
+ // Core requirement fields shared between baseline requirements and evaluated requirements.
339
+ // Contains the fundamental requirement definition without assessment results.
340
+ type EvaluatedRequirement struct {
341
+ // Array of labeled descriptions. At least one description with label 'default' must be
342
+ // present. Convention: place default description first. Common labels: 'default', 'check',
343
+ // 'fix', 'rationale'.
344
+ Descriptions []Description `json:"descriptions"`
345
+ // The current effective status of this requirement after applying the most recent
346
+ // non-expired override, or computed from results if no overrides exist.
347
+ EffectiveStatus *ResultStatus `json:"effectiveStatus,omitempty"`
348
+ // Supporting evidence for this requirement's findings, such as screenshots, code samples,
349
+ // or log excerpts.
350
+ Evidence []Evidence `json:"evidence,omitempty"`
351
+ // Plan of Action and Milestones for tracking remediation, mitigation, or risk acceptance.
352
+ // POAMs do NOT change effectiveStatus - they track the work being done to address a
353
+ // failure. Separate from statusOverrides which DO change status.
354
+ Poams []PoamElement `json:"poams,omitempty"`
355
+ // The set of all tests within the requirement and their results.
356
+ Results []RequirementResult `json:"results"`
357
+ // Explicit severity rating. Typically derived from impact score but provided explicitly for
358
+ // clarity.
359
+ Severity *Severity `json:"severity,omitempty"`
360
+ // The explicit location of the requirement within the source code.
361
+ SourceLocation *SourceLocation `json:"sourceLocation,omitempty"`
362
+ // Chronological history of all status overrides applied to this requirement. Status
363
+ // overrides are intentional changes to the compliance status (waivers, attestations). Most
364
+ // recent override should be first in array. Preserves full audit trail.
365
+ StatusOverrides []StatusOverride `json:"statusOverrides,omitempty"`
366
+ // The requirement identifier. Example: 'SV-238196'.
367
+ ID string `json:"id"`
368
+ // The impactfulness or severity (0.0 to 1.0).
369
+ Impact float64 `json:"impact"`
370
+ // A set of tags - usually metadata like CCI, STIG ID, severity.
371
+ Tags map[string]interface{} `json:"tags"`
372
+ // The raw source code of the requirement. Set to null for manual-only requirements or
373
+ // requirements not yet implemented. Note that if this is an overlay, it does not include
374
+ // the underlying source code.
375
+ Code *string `json:"code,omitempty"`
376
+ // The set of references to external documents.
377
+ Refs []Reference `json:"refs,omitempty"`
378
+ // The title - is nullable.
379
+ Title *string `json:"title,omitempty"`
380
+ }
381
+
382
+ type Description struct {
383
+ // The description text content.
384
+ Data string `json:"data"`
385
+ // Description category. The 'default' label is required for the primary description. Common
386
+ // labels: 'default', 'check', 'fix', 'rationale'. Tools may use custom labels.
387
+ Label string `json:"label"`
388
+ }
389
+
390
+ // Supporting evidence for a finding or override, such as screenshots, code samples, log
391
+ // excerpts, or URLs.
392
+ type Evidence struct {
393
+ // Timestamp when this evidence was captured. ISO 8601 format.
394
+ CapturedAt *time.Time `json:"capturedAt,omitempty"`
395
+ // Identity of who or what captured this evidence.
396
+ CapturedBy *Identity `json:"capturedBy,omitempty"`
397
+ // The evidence content. For screenshots/files: base64-encoded data or URL. For code/logs:
398
+ // the raw text. For URLs: the URL string.
399
+ Data string `json:"data"`
400
+ // Human-readable description of what this evidence shows.
401
+ Description *string `json:"description,omitempty"`
402
+ // Encoding used for the data. Example: 'base64', 'utf-8'.
403
+ Encoding *string `json:"encoding,omitempty"`
404
+ // MIME type of the evidence. Example: 'image/png', 'text/plain', 'application/json'.
405
+ MIMEType *string `json:"mimeType,omitempty"`
406
+ // Size of the evidence data in bytes.
407
+ Size *float64 `json:"size,omitempty"`
408
+ // The type of evidence being provided.
409
+ Type EvidenceType `json:"type"`
410
+ }
411
+
412
+ // Identity of who or what captured this evidence.
413
+ //
414
+ // Represents an identity that performed an action, such as capturing evidence or applying
415
+ // an override.
416
+ //
417
+ // Identity of who created this POA&M. For simple cases, use type 'simple' with just an
418
+ // identifier.
419
+ //
420
+ // Identity of who completed this milestone.
421
+ //
422
+ // The identity that created this signature.
423
+ //
424
+ // Identity of who applied this status override. For simple cases, use type 'simple' with
425
+ // just an identifier.
426
+ //
427
+ // Identity of the person or system that approved this override.
428
+ //
429
+ // Team or individual responsible for this component. Enables per-component ownership when
430
+ // different teams manage different parts of a system.
431
+ //
432
+ // The identity of the person or system responsible for executing the test. This could be a
433
+ // human auditor manually completing a checklist, an automated CI/CD system, or a security
434
+ // tool. Optional field to support both automated and manual HDF generation.
435
+ //
436
+ // Team or individual responsible for this system's authorization and compliance. Maps to
437
+ // OSCAL responsible-party with role 'system-owner'.
438
+ //
439
+ // Default identity of who created this amendments document. Individual overrides may
440
+ // specify their own appliedBy.
441
+ //
442
+ // Identity of the authorizing official who approved these amendments.
443
+ //
444
+ // Identity of who applied this amendment.
445
+ //
446
+ // Identity of who prepared this evidence package.
447
+ type Identity struct {
448
+ // Optional description of the identity or identity system, particularly useful when type is
449
+ // 'other'.
450
+ Description *string `json:"description,omitempty"`
451
+ // The identifier value. Example: 'user@example.com', 'jdoe', 'automated-scanner-01'.
452
+ Identifier string `json:"identifier"`
453
+ // The type of identifier. Use 'email' for email addresses, 'username' for user accounts,
454
+ // 'system' for automated systems, 'simple' for basic string identifiers without additional
455
+ // classification, or 'other' for custom identity systems.
456
+ Type OwnerType `json:"type"`
457
+ }
458
+
459
+ // Plan of Action and Milestones for tracking remediation, mitigation, or risk acceptance.
460
+ // POAMs do NOT change the effectiveStatus - the requirement remains in its current state
461
+ // while the POA&M tracks remediation efforts.
462
+ type PoamElement struct {
463
+ // Timestamp when this POA&M was created. ISO 8601 format.
464
+ AppliedAt time.Time `json:"appliedAt"`
465
+ // Identity of who created this POA&M. For simple cases, use type 'simple' with just an
466
+ // identifier.
467
+ AppliedBy Identity `json:"appliedBy"`
468
+ // Supporting evidence for this POA&M, such as documentation of compensating controls or
469
+ // mitigation implementation.
470
+ Evidence []Evidence `json:"evidence,omitempty"`
471
+ // Optional expiration date for this POA&M requiring review/renewal. ISO 8601 format.
472
+ ExpiresAt *time.Time `json:"expiresAt,omitempty"`
473
+ // Detailed explanation of the plan, including what actions will be taken.
474
+ Explanation string `json:"explanation"`
475
+ // Optional array of milestones tracking progress toward completion.
476
+ Milestones []Milestone `json:"milestones,omitempty"`
477
+ // SHA-256 checksum of the previous amendment in chronological order. Creates a
478
+ // tamper-evident chain of amendments (similar to blockchain). Null for the first amendment
479
+ // on a requirement.
480
+ PreviousChecksum *Checksum `json:"previousChecksum,omitempty"`
481
+ // Optional digital signature for enhanced trust and non-repudiation.
482
+ Signature *Signature `json:"signature,omitempty"`
483
+ // The type of POA&M. 'remediation' fixes root cause. 'mitigation' reduces risk via
484
+ // compensating controls. 'riskAcceptance' documents decision to accept risk.
485
+ Type PoamType `json:"type"`
486
+ }
487
+
488
+ // A milestone or task within a POA&M remediation plan.
489
+ type Milestone struct {
490
+ // Actual completion timestamp. ISO 8601 format.
491
+ CompletedAt *time.Time `json:"completedAt,omitempty"`
492
+ // Identity of who completed this milestone.
493
+ CompletedBy *Identity `json:"completedBy,omitempty"`
494
+ // Description of this milestone or task.
495
+ Description string `json:"description"`
496
+ // Estimated completion date. ISO 8601 format.
497
+ EstimatedCompletion time.Time `json:"estimatedCompletion"`
498
+ // Current status of this milestone.
499
+ Status Status `json:"status"`
500
+ }
501
+
502
+ // Optional digital signature for enhanced trust and non-repudiation.
503
+ //
504
+ // A digital signature following W3C Data Integrity Proofs pattern. Supports hardware
505
+ // security tokens (PKCS#11/PKCS#12), Yubikeys, GPG keys, passkeys, and other cryptographic
506
+ // signing methods via JWK, PEM, or Base58 key formats.
507
+ //
508
+ // Optional digital signature for enhanced trust and non-repudiation. Supports hardware
509
+ // security tokens (PKCS#11/PKCS#12), Yubikeys, GPG keys, passkeys, and other signing
510
+ // methods.
511
+ //
512
+ // Digital signature for non-repudiation.
513
+ //
514
+ // Document-level digital signature covering all amendments.
515
+ //
516
+ // Digital signature covering the entire evidence package.
517
+ type Signature struct {
518
+ // Challenge value from the verifier, used in challenge-response authentication.
519
+ Challenge *string `json:"challenge,omitempty"`
520
+ // When the signature was created. ISO 8601 format.
521
+ Created time.Time `json:"created"`
522
+ // The identity that created this signature.
523
+ Creator Identity `json:"creator"`
524
+ // Domain restriction for the signature, prevents cross-domain replay attacks.
525
+ Domain *string `json:"domain,omitempty"`
526
+ // Random value to prevent replay attacks.
527
+ Nonce *string `json:"nonce,omitempty"`
528
+ // The purpose of this signature. Example: 'attestation', 'authentication',
529
+ // 'assertionMethod'.
530
+ ProofPurpose string `json:"proofPurpose"`
531
+ // The base64-encoded or base58-encoded signature value.
532
+ SignatureValue string `json:"signatureValue"`
533
+ // The signature suite type. Example: 'JsonWebSignature2020', 'RsaSignature2018',
534
+ // 'Ed25519Signature2020'.
535
+ Type string `json:"type"`
536
+ // The verification method containing the public key for signature verification.
537
+ VerificationMethod VerificationMethod `json:"verificationMethod"`
538
+ }
539
+
540
+ // The verification method containing the public key for signature verification.
541
+ //
542
+ // Verification method containing the public key needed to verify a digital signature.
543
+ // Supports multiple key formats including JWK (for RSA, EC), PEM, and Base58.
544
+ type VerificationMethod struct {
545
+ // The entity that controls this verification method. Can be a DID, URI, or other identifier.
546
+ Controller string `json:"controller"`
547
+ // Public key in Base58 format, commonly used with Ed25519 keys.
548
+ PublicKeyBase58 *string `json:"publicKeyBase58,omitempty"`
549
+ // Public key in JSON Web Key format.
550
+ PublicKeyJwk map[string]interface{} `json:"publicKeyJwk,omitempty"`
551
+ // Public key in PEM format. Example: '-----BEGIN PUBLIC KEY-----...-----END PUBLIC
552
+ // KEY-----'.
553
+ PublicKeyPem *string `json:"publicKeyPem,omitempty"`
554
+ // The type of verification method. Example: 'JsonWebKey2020', 'RsaVerificationKey2018',
555
+ // 'Ed25519VerificationKey2020'.
556
+ Type string `json:"type"`
557
+ }
558
+
559
+ // A reference to an external document.
560
+ //
561
+ // A reference using the 'ref' field.
562
+ //
563
+ // A URL pointing at the reference.
564
+ //
565
+ // A URI pointing at the reference.
566
+ type Reference struct {
567
+ Ref *Ref `json:"ref,omitempty"`
568
+ URL *string `json:"url,omitempty"`
569
+ URI *string `json:"uri,omitempty"`
570
+ }
571
+
572
+ // A test within a requirement and its results and findings such as how long it took to run.
573
+ type RequirementResult struct {
574
+ // The stacktrace/backtrace of the exception if one occurred.
575
+ Backtrace []string `json:"backtrace,omitempty"`
576
+ // A description of this test. Example: 'limits.conf * is expected to include ["hard",
577
+ // "maxlogins", "10"]'.
578
+ CodeDesc string `json:"codeDesc"`
579
+ // The type of exception if an exception was thrown.
580
+ Exception *string `json:"exception,omitempty"`
581
+ // An explanation of the test result. Typically provided for failed tests, errors, or to
582
+ // explain why a test was not applicable or not reviewed.
583
+ Message *string `json:"message,omitempty"`
584
+ // The resource used in the test. Example: 'file', 'command', 'service'.
585
+ Resource *string `json:"resource,omitempty"`
586
+ // The unique identifier of the resource. Example: '/etc/passwd'.
587
+ ResourceID *string `json:"resourceId,omitempty"`
588
+ // The execution time in seconds for the test.
589
+ RunTime *float64 `json:"runTime,omitempty"`
590
+ // The time at which the test started.
591
+ StartTime time.Time `json:"startTime"`
592
+ // The status of this test within the requirement. Example: 'failed'.
593
+ Status ResultStatus `json:"status"`
594
+ }
595
+
596
+ // The explicit location of the requirement within the source code.
597
+ //
598
+ // The explicit location of a requirement within source code.
599
+ type SourceLocation struct {
600
+ // The line on which this requirement is located.
601
+ Line *float64 `json:"line,omitempty"`
602
+ // Path to the file that this requirement originates from.
603
+ Ref *string `json:"ref,omitempty"`
604
+ }
605
+
606
+ // An intentional change to a requirement's compliance status (waiver or attestation).
607
+ // Status overrides change the effectiveStatus of the requirement. All status overrides must
608
+ // have an expiration date to enforce periodic review.
609
+ type StatusOverride struct {
610
+ // Timestamp when this status override was applied. ISO 8601 format.
611
+ AppliedAt time.Time `json:"appliedAt"`
612
+ // Identity of who applied this status override. For simple cases, use type 'simple' with
613
+ // just an identifier.
614
+ AppliedBy Identity `json:"appliedBy"`
615
+ // Supporting evidence for this status override, such as screenshots demonstrating manual
616
+ // verification for attestations.
617
+ Evidence []Evidence `json:"evidence,omitempty"`
618
+ // Timestamp when this status override expires and must be reviewed/renewed. REQUIRED - no
619
+ // permanent status overrides allowed. ISO 8601 format.
620
+ ExpiresAt time.Time `json:"expiresAt"`
621
+ // SHA-256 checksum of the previous amendment in chronological order. Creates a
622
+ // tamper-evident chain of amendments (similar to blockchain). Null for the first amendment
623
+ // on a requirement.
624
+ PreviousChecksum *Checksum `json:"previousChecksum,omitempty"`
625
+ // Explanation for why this status override was applied.
626
+ Reason string `json:"reason"`
627
+ // Optional digital signature for enhanced trust and non-repudiation. Supports hardware
628
+ // security tokens (PKCS#11/PKCS#12), Yubikeys, GPG keys, passkeys, and other signing
629
+ // methods.
630
+ Signature *Signature `json:"signature,omitempty"`
631
+ // The new status this override sets for the requirement. This intentionally changes the
632
+ // compliance status.
633
+ Status ResultStatus `json:"status"`
634
+ // The type of status override applied to this requirement.
635
+ Type OverrideType `json:"type"`
636
+ }
637
+
638
+ // A supported platform target. Example: the platform name being 'ubuntu'.
639
+ type SupportedPlatform struct {
640
+ // The location of the platform. Can be: 'os', 'aws', 'azure', or 'gcp'.
641
+ Platform *string `json:"platform,omitempty"`
642
+ // The platform family. Example: 'redhat'.
643
+ PlatformFamily *string `json:"platformFamily,omitempty"`
644
+ // The platform name - can include wildcards. Example: 'debian'.
645
+ PlatformName *string `json:"platformName,omitempty"`
646
+ // The release of the platform. Example: '20.04' for 'ubuntu'.
647
+ Release *string `json:"release,omitempty"`
648
+ }
649
+
650
+ // A system component. Uses discriminated union pattern with 'type' field as discriminator.
651
+ // Superset of Target with identity, external IDs, and SBOM support.
652
+ //
653
+ // A physical or virtual server, workstation, or network device.
654
+ //
655
+ // Base properties shared by all component types. Extends the Target concept with stable
656
+ // identity, external references, and SBOM embedding.
657
+ //
658
+ // A static container image (not running).
659
+ //
660
+ // A running container instance.
661
+ //
662
+ // A container orchestration platform (Kubernetes, OpenShift, ECS, etc.).
663
+ //
664
+ // A cloud provider account (AWS account, Azure subscription, GCP project).
665
+ //
666
+ // A specific cloud resource (EC2 instance, S3 bucket, Azure VM, etc.).
667
+ //
668
+ // A code repository (for SAST tools).
669
+ //
670
+ // A running application or API (for DAST tools).
671
+ //
672
+ // A software artifact or dependency (for SCA tools).
673
+ //
674
+ // A network segment or network device.
675
+ //
676
+ // A database instance.
677
+ type Component struct {
678
+ // Names of baselines that apply to this component.
679
+ BaselineRefs []string `json:"baselineRefs,omitempty"`
680
+ // Stable UUID (RFC 4122) for this component. Required in hdf-system documents, optional in
681
+ // hdf-results. Enables cross-document correlation, diffing, and data flow references.
682
+ ComponentID *string `json:"componentId,omitempty"`
683
+ // Description of this component's role or purpose.
684
+ Description *string `json:"description,omitempty"`
685
+ // Map of external identifier scheme to value. Well-known schemes: aws (instance ID), azure
686
+ // (resource ID), cmdb (asset ID), emass (system ID), cve (CVE ID). Custom schemes are
687
+ // allowed.
688
+ ExternalIDS map[string]string `json:"externalIds,omitempty"`
689
+ // System-specific overrides for baseline input values.
690
+ InputOverrides []InputOverride `json:"inputOverrides,omitempty"`
691
+ // Optional key-value labels for flexible grouping. Well-known keys: system, component,
692
+ // environment, region, team. Values must be strings.
693
+ Labels map[string]string `json:"labels,omitempty"`
694
+ // Human-readable name for this component.
695
+ Name string `json:"name"`
696
+ // Team or individual responsible for this component. Enables per-component ownership when
697
+ // different teams manage different parts of a system.
698
+ Owner *Identity `json:"owner,omitempty"`
699
+ // Embedded CycloneDX or SPDX SBOM document representing this component's software
700
+ // inventory. The sbomFormat field determines which format constraints apply.
701
+ Sbom interface{} `json:"sbom,omitempty"`
702
+ // Format of the SBOM (embedded or referenced). Required when sbom or sbomRef is present.
703
+ SbomFormat *SbomFormat `json:"sbomFormat,omitempty"`
704
+ // URI reference to an external CycloneDX or SPDX SBOM document for this component. May be a
705
+ // relative path, absolute URI, or fragment identifier.
706
+ SbomRef *string `json:"sbomRef,omitempty"`
707
+ // Label selector to match targets belonging to this component during migration. Targets
708
+ // with matching labels are automatically included.
709
+ TargetSelector map[string]string `json:"targetSelector,omitempty"`
710
+ // Component type discriminator. Same values as Target types.
711
+ Type Copyright `json:"type"`
712
+ // Fully qualified domain name.
713
+ FQDN *string `json:"fqdn,omitempty"`
714
+ // IP address of the host.
715
+ IPAddress *string `json:"ipAddress,omitempty"`
716
+ // MAC address in colon-separated hexadecimal format.
717
+ MACAddress *string `json:"macAddress,omitempty"`
718
+ // Operating system name.
719
+ OSName *string `json:"osName,omitempty"`
720
+ // Operating system version.
721
+ OSVersion *string `json:"osVersion,omitempty"`
722
+ // Image digest for immutable reference.
723
+ Digest *string `json:"digest,omitempty"`
724
+ // Container image ID.
725
+ ImageID *string `json:"imageId,omitempty"`
726
+ // Container registry. Example: 'docker.io'.
727
+ Registry *string `json:"registry,omitempty"`
728
+ // Repository name. Example: 'library/nginx'.
729
+ Repository *string `json:"repository,omitempty"`
730
+ // Image tag. Example: '1.25'.
731
+ Tag *string `json:"tag,omitempty"`
732
+ // Running container ID.
733
+ ContainerID *string `json:"containerId,omitempty"`
734
+ // Image the container was started from.
735
+ Image *string `json:"image,omitempty"`
736
+ // Container runtime. Example: 'docker', 'containerd', 'cri-o'.
737
+ Runtime *string `json:"runtime,omitempty"`
738
+ // Cluster name.
739
+ ClusterName *string `json:"clusterName,omitempty"`
740
+ // Namespace within the cluster, if applicable.
741
+ Namespace *string `json:"namespace,omitempty"`
742
+ // Platform type. Example: 'kubernetes', 'openshift', 'ecs', 'docker-swarm'.
743
+ PlatformType *string `json:"platformType,omitempty"`
744
+ // Platform version.
745
+ //
746
+ // Application version.
747
+ //
748
+ // Package version.
749
+ //
750
+ // Database version.
751
+ Version *string `json:"version,omitempty"`
752
+ // Cloud account identifier.
753
+ AccountID *string `json:"accountId,omitempty"`
754
+ // Cloud provider.
755
+ Provider *CloudProvider `json:"provider,omitempty"`
756
+ // Cloud region, if applicable.
757
+ //
758
+ // Cloud region where the resource resides.
759
+ Region *string `json:"region,omitempty"`
760
+ // Amazon Resource Name (AWS only).
761
+ Arn *string `json:"arn,omitempty"`
762
+ // Provider-specific resource identifier.
763
+ ResourceID *string `json:"resourceId,omitempty"`
764
+ // Type of cloud resource. Example: 'ec2:instance', 's3:bucket'.
765
+ ResourceType *string `json:"resourceType,omitempty"`
766
+ // Branch that was scanned.
767
+ Branch *string `json:"branch,omitempty"`
768
+ // Commit SHA that was scanned.
769
+ Commit *string `json:"commit,omitempty"`
770
+ // Repository URL.
771
+ //
772
+ // Application URL (for DAST tools).
773
+ URL *string `json:"url,omitempty"`
774
+ // Environment. Example: 'production', 'staging', 'development'.
775
+ Environment *string `json:"environment,omitempty"`
776
+ // Package checksum for verification.
777
+ Checksum *string `json:"checksum,omitempty"`
778
+ // Package manager. Example: 'npm', 'maven', 'pip', 'nuget'.
779
+ PackageManager *string `json:"packageManager,omitempty"`
780
+ // Package name.
781
+ PackageName *string `json:"packageName,omitempty"`
782
+ // Network CIDR block.
783
+ CIDR *string `json:"cidr,omitempty"`
784
+ // Network gateway address.
785
+ Gateway *string `json:"gateway,omitempty"`
786
+ // Database engine. Example: 'postgresql', 'mysql', 'oracle', 'mssql'.
787
+ Engine *string `json:"engine,omitempty"`
788
+ // Database host.
789
+ Host *string `json:"host,omitempty"`
790
+ // Database port.
791
+ Port *int64 `json:"port,omitempty"`
792
+ }
793
+
794
+ // An override of a baseline input value for a specific component. Enables system-specific
795
+ // tailoring of baseline parameters.
796
+ type InputOverride struct {
797
+ // Identity of the person or system that approved this override.
798
+ ApprovedBy *Identity `json:"approvedBy,omitempty"`
799
+ // Name of the baseline this override applies to. If omitted, applies to all baselines that
800
+ // define this input.
801
+ BaselineRef *string `json:"baselineRef,omitempty"`
802
+ // Name of the input being overridden. Must match an Input.name in the referenced baseline.
803
+ InputName string `json:"inputName"`
804
+ // Rationale for why this override is needed.
805
+ Justification *string `json:"justification,omitempty"`
806
+ // The overridden value. Should match the type of the original input.
807
+ Value interface{} `json:"value,omitempty"`
808
+ }
809
+
810
+ // Information about the tool that generated this file.
811
+ //
812
+ // Information about the tool that generated this HDF file.
813
+ //
814
+ // The tool that generated this file.
815
+ //
816
+ // Information about the tool that generated this comparison.
817
+ //
818
+ // Information about the tool that generated this system document.
819
+ //
820
+ // Information about the tool that generated this plan.
821
+ //
822
+ // Information about the tool that generated this document.
823
+ type Generator struct {
824
+ // The name of the software that produced this HDF file. Example: 'gosec-to-hdf'.
825
+ Name string `json:"name"`
826
+ // The version of the tool. Example: '5.22.3'.
827
+ Version string `json:"version"`
828
+ }
829
+
830
+ // Optional reference to automated remediation resources (Ansible playbooks, Terraform
831
+ // scripts, etc.) for fixing failing requirements found in this assessment.
832
+ //
833
+ // Reference to automated remediation resources for implementing security controls. Points
834
+ // to external automation content like Ansible playbooks, Terraform scripts, or
835
+ // vendor-provided remediation tools.
836
+ //
837
+ // Optional reference to automated remediation resources (Ansible playbooks, Terraform
838
+ // scripts, etc.) for implementing the security controls defined in this baseline.
839
+ type Remediation struct {
840
+ // Optional cryptographic checksum for verifying the integrity of remediation resources
841
+ // fetched from the URI. Recommended for security when referencing external automation
842
+ // scripts.
843
+ Checksum *Checksum `json:"checksum,omitempty"`
844
+ // URI pointing to automated remediation resources (Ansible playbooks, Terraform scripts,
845
+ // etc.). Examples: GitHub repository, DISA STIG Supplemental Automation Content,
846
+ // vendor-provided scripts.
847
+ URI string `json:"uri"`
848
+ }
849
+
850
+ // Information about the test execution environment where the security tool was run.
851
+ // Distinct from targets (what is being tested).
852
+ //
853
+ // Information about the test execution environment. This is distinct from the target being
854
+ // scanned - the runner is where the security tool executes, while targets are what is being
855
+ // assessed.
856
+ type Runner struct {
857
+ // The CPU architecture of the runner system. Example: 'x86_64', 'arm64', 'aarch64'.
858
+ Architecture *string `json:"architecture,omitempty"`
859
+ // The container instance identifier. Example: 'a1b2c3d4e5f6', 'security-scan-job-xyz123'.
860
+ // Can be a Docker container ID, Kubernetes pod name, or other container runtime identifier.
861
+ ContainerID *string `json:"containerId,omitempty"`
862
+ // The container image used for the test execution. Example: 'inspec/inspec:latest',
863
+ // 'ghcr.io/my-org/scanner:v2.1.0'. Useful for CI/CD pipelines where tests run in containers.
864
+ ContainerImage *string `json:"containerImage,omitempty"`
865
+ // The hostname of the runner system. Example: 'ci-runner-01', 'jenkins-agent-03',
866
+ // 'k8s-node-worker-03'.
867
+ Hostname *string `json:"hostname,omitempty"`
868
+ // The name of the runner environment. Examples: 'ubuntu', 'macos', 'windows', 'docker',
869
+ // 'kubernetes-pod', 'manual'.
870
+ Name string `json:"name"`
871
+ // The identity of the person or system responsible for executing the test. This could be a
872
+ // human auditor manually completing a checklist, an automated CI/CD system, or a security
873
+ // tool. Optional field to support both automated and manual HDF generation.
874
+ Operator *Identity `json:"operator,omitempty"`
875
+ // The version/release of the operating system or runtime. Example: '20.04', '13.2', '11'.
876
+ Release *string `json:"release,omitempty"`
877
+ }
878
+
879
+ // Statistics for the assessment run, including duration and result counts.
880
+ //
881
+ // Statistics for the assessment run(s) such as duration and result counts.
882
+ type Statistics struct {
883
+ // How long (in seconds) this assessment run took.
884
+ Duration *float64 `json:"duration,omitempty"`
885
+ // Breakdowns of requirement statistics by result status.
886
+ Requirements *StatisticHash `json:"requirements,omitempty"`
887
+ }
888
+
889
+ // Breakdowns of requirement statistics by result status.
890
+ //
891
+ // Statistics for requirement results, grouped by status.
892
+ type StatisticHash struct {
893
+ // Statistics for requirements that encountered an error during assessment.
894
+ Error *StatisticBlock `json:"error,omitempty"`
895
+ // Statistics for requirements that failed.
896
+ Failed *StatisticBlock `json:"failed,omitempty"`
897
+ // Statistics for requirements that are not applicable to the target.
898
+ NotApplicable *StatisticBlock `json:"notApplicable,omitempty"`
899
+ // Statistics for requirements that were not reviewed (manual check required).
900
+ NotReviewed *StatisticBlock `json:"notReviewed,omitempty"`
901
+ // Statistics for requirements that passed.
902
+ Passed *StatisticBlock `json:"passed,omitempty"`
903
+ }
904
+
905
+ // Statistics for requirements that encountered an error during assessment.
906
+ //
907
+ // Statistics for a given item, such as the total count.
908
+ //
909
+ // Statistics for requirements that failed.
910
+ //
911
+ // Statistics for requirements that are not applicable to the target.
912
+ //
913
+ // Statistics for requirements that were not reviewed (manual check required).
914
+ //
915
+ // Statistics for requirements that passed.
916
+ type StatisticBlock struct {
917
+ // The total count. Example: the total number of requirements in a given category for a run.
918
+ Total int64 `json:"total"`
919
+ }
920
+
921
+ // The security tool that produced the assessment data in this file.
922
+ //
923
+ // The security tool that produced the assessment data represented in this HDF file. Aligns
924
+ // with SARIF, OSCAL, and CycloneDX terminology.
925
+ //
926
+ // The security tool that produced the assessment data in this source.
927
+ type Tool struct {
928
+ // The file format, if it is a recognized named format shared by multiple tools. Examples:
929
+ // 'SARIF', 'XCCDF'. Omit for tool-specific formats where the tool name already implies the
930
+ // format (Nessus XML, gosec JSON).
931
+ Format *string `json:"format,omitempty"`
932
+ // The name of the security tool that produced the data. Examples: 'gosec', 'Semgrep',
933
+ // 'OpenSCAP', 'AWS Config', 'Nessus'. Omit if the tool cannot be identified.
934
+ Name *string `json:"name,omitempty"`
935
+ // Version of the source tool, if available in the tool's output. Example: '5.22.3'.
936
+ Version *string `json:"version,omitempty"`
937
+ }
938
+
939
+ // Information on the set of requirements that can be assessed, including baseline metadata
940
+ // and requirement definitions.
941
+ //
942
+ // Shared metadata fields for baselines. Used in both standalone baseline documents and
943
+ // evaluated baseline results.
944
+ type HDFBaseline struct {
945
+ // The set of dependencies this baseline depends on.
946
+ Depends []Dependency `json:"depends,omitempty"`
947
+ // The tool that generated this file.
948
+ Generator *Generator `json:"generator,omitempty"`
949
+ // A set of descriptions for the requirement groups.
950
+ Groups []RequirementGroup `json:"groups,omitempty"`
951
+ // The input(s) or attribute(s) to be used in the run.
952
+ Inputs []Input `json:"inputs,omitempty"`
953
+ // Cryptographic integrity information for verifying this baseline has not been tampered
954
+ // with.
955
+ Integrity *Integrity `json:"integrity,omitempty"`
956
+ // Optional reference to automated remediation resources (Ansible playbooks, Terraform
957
+ // scripts, etc.) for implementing the security controls defined in this baseline.
958
+ Remediation *Remediation `json:"remediation,omitempty"`
959
+ // The set of requirements - contains no findings as the assessment has not yet occurred.
960
+ Requirements []BaselineRequirement `json:"requirements"`
961
+ // The name - must be unique.
962
+ Name string `json:"name"`
963
+ // The copyright holder(s).
964
+ Copyright *string `json:"copyright,omitempty"`
965
+ // The email address or other contact information of the copyright holder(s).
966
+ CopyrightEmail *string `json:"copyrightEmail,omitempty"`
967
+ // Optional key-value labels for flexible grouping. Well-known keys: system, component,
968
+ // environment, region, team. Values must be strings.
969
+ Labels map[string]string `json:"labels,omitempty"`
970
+ // The copyright license. Example: 'Apache-2.0'.
971
+ License *string `json:"license,omitempty"`
972
+ // The maintainer(s).
973
+ Maintainer *string `json:"maintainer,omitempty"`
974
+ // The status. Example: 'loaded'.
975
+ Status *string `json:"status,omitempty"`
976
+ // The summary. Example: the Security Technical Implementation Guide (STIG) header.
977
+ Summary *string `json:"summary,omitempty"`
978
+ // The set of supported platform targets.
979
+ Supports []SupportedPlatform `json:"supports,omitempty"`
980
+ // The title - should be human readable.
981
+ Title *string `json:"title,omitempty"`
982
+ // The version of the baseline.
983
+ Version *string `json:"version,omitempty"`
984
+ }
985
+
986
+ // A requirement definition without assessment results.
987
+ //
988
+ // Core requirement fields shared between baseline requirements and evaluated requirements.
989
+ // Contains the fundamental requirement definition without assessment results.
990
+ type BaselineRequirement struct {
991
+ // Array of labeled descriptions. At least one description with label 'default' must be
992
+ // present. Convention: place default description first. Common labels: 'default', 'check',
993
+ // 'fix', 'rationale'.
994
+ Descriptions []Description `json:"descriptions"`
995
+ // Explicit severity rating. Typically derived from impact score but provided explicitly for
996
+ // clarity.
997
+ Severity *Severity `json:"severity,omitempty"`
998
+ // The requirement identifier. Example: 'SV-238196'.
999
+ ID string `json:"id"`
1000
+ // The impactfulness or severity (0.0 to 1.0).
1001
+ Impact float64 `json:"impact"`
1002
+ // A set of tags - usually metadata like CCI, STIG ID, severity.
1003
+ Tags map[string]interface{} `json:"tags"`
1004
+ // The raw source code of the requirement. Set to null for manual-only requirements or
1005
+ // requirements not yet implemented. Note that if this is an overlay, it does not include
1006
+ // the underlying source code.
1007
+ Code *string `json:"code,omitempty"`
1008
+ // The set of references to external documents.
1009
+ Refs []Reference `json:"refs,omitempty"`
1010
+ // The explicit location of the requirement within the source code.
1011
+ SourceLocation *SourceLocation `json:"sourceLocation,omitempty"`
1012
+ // The title - is nullable.
1013
+ Title *string `json:"title,omitempty"`
1014
+ }
1015
+
1016
+ // Structured comparison between two or more HDF security assessment documents. Supports
1017
+ // temporal, baseline, fleet, and multi-source comparison modes.
1018
+ type HDFComparison struct {
1019
+ // Map of annotation IDs to annotation objects, providing context or action items for
1020
+ // requirement diffs.
1021
+ Annotations map[string]Annotation `json:"annotations,omitempty"`
1022
+ // Comparison of baselines between sources.
1023
+ BaselineDiffs []BaselineDiff `json:"baselineDiffs,omitempty"`
1024
+ // The mode of comparison being performed.
1025
+ ComparisonMode ComparisonMode `json:"comparisonMode"`
1026
+ // Comparison of components between two system documents. Used in systemDrift mode.
1027
+ ComponentDiffs []ComponentDiff `json:"componentDiffs,omitempty"`
1028
+ // External/metadata changes separate from status changes (Terraform pattern).
1029
+ Drift []RequirementDiff `json:"drift,omitempty"`
1030
+ // Reserved for tool-specific data not defined in the HDF standard.
1031
+ Extensions map[string]interface{} `json:"extensions,omitempty"`
1032
+ // Schema version for this comparison format.
1033
+ FormatVersion FormatVersion `json:"formatVersion"`
1034
+ // Information about the tool that generated this comparison.
1035
+ Generator *Generator `json:"generator,omitempty"`
1036
+ // Cryptographic integrity information for verifying this comparison document.
1037
+ Integrity *Integrity `json:"integrity,omitempty"`
1038
+ // Configuration for how requirements were matched across sources.
1039
+ Matching *MatchingConfig `json:"matching,omitempty"`
1040
+ // Comparison of packages between two SBOMs. Used in systemDrift mode for SBOM comparison.
1041
+ PackageDiffs []PackageDiff `json:"packageDiffs,omitempty"`
1042
+ // Detailed comparison of individual requirements between sources.
1043
+ RequirementDiffs []RequirementDiff `json:"requirementDiffs"`
1044
+ // The source documents being compared. At least two sources are required.
1045
+ Sources []Source `json:"sources"`
1046
+ // Summary statistics for the overall comparison.
1047
+ Summary ComparisonSummary `json:"summary"`
1048
+ // URI identifying the system being compared in systemDrift mode.
1049
+ SystemRef *string `json:"systemRef,omitempty"`
1050
+ // When this comparison was performed.
1051
+ Timestamp *time.Time `json:"timestamp,omitempty"`
1052
+ }
1053
+
1054
+ // An annotation attached to a comparison, providing context or action items.
1055
+ type Annotation struct {
1056
+ // The category of this annotation.
1057
+ Category *AnnotationCategory `json:"category,omitempty"`
1058
+ // Detailed description of the annotation.
1059
+ Description *string `json:"description,omitempty"`
1060
+ // Human-readable label for this annotation.
1061
+ Label string `json:"label"`
1062
+ // Whether this annotation requires human confirmation before acting on it.
1063
+ NeedsConfirmation *bool `json:"needsConfirmation,omitempty"`
1064
+ }
1065
+
1066
+ // Comparison of a baseline between sources.
1067
+ type BaselineDiff struct {
1068
+ // The source of any ID mapping used to correlate requirements across baseline versions.
1069
+ MappingSource *string `json:"mappingSource,omitempty"`
1070
+ // Name of the baseline being compared.
1071
+ Name string `json:"name"`
1072
+ // Version of the baseline in the new source.
1073
+ NewVersion *string `json:"newVersion,omitempty"`
1074
+ // Version of the baseline in the old source.
1075
+ OldVersion *string `json:"oldVersion,omitempty"`
1076
+ // The state of this baseline in the comparison.
1077
+ State BaselineDiffState `json:"state"`
1078
+ }
1079
+
1080
+ // Comparison of a single component between two system document versions.
1081
+ type ComponentDiff struct {
1082
+ // Component snapshot from the new system document.
1083
+ After interface{} `json:"after,omitempty"`
1084
+ // Component snapshot from the old system document.
1085
+ Before interface{} `json:"before,omitempty"`
1086
+ // Detailed field-level changes between the before and after component snapshots.
1087
+ FieldChanges []FieldChange `json:"fieldChanges,omitempty"`
1088
+ // Component name used for matching across system versions.
1089
+ Name string `json:"name"`
1090
+ // The state of this component in the comparison.
1091
+ State BaselineDiffState `json:"state"`
1092
+ }
1093
+
1094
+ // A single field-level change between two versions of a requirement.
1095
+ type FieldChange struct {
1096
+ // The new value of the field (for 'add' and 'replace' operations).
1097
+ NewValue interface{} `json:"newValue,omitempty"`
1098
+ // The previous value of the field (for 'remove' and 'replace' operations).
1099
+ OldValue interface{} `json:"oldValue,omitempty"`
1100
+ // The type of change operation.
1101
+ Op Op `json:"op"`
1102
+ // JSON Pointer path to the changed field.
1103
+ Path string `json:"path"`
1104
+ }
1105
+
1106
+ // A comparison of a single requirement between sources, including state, changes, and full
1107
+ // before/after snapshots.
1108
+ type RequirementDiff struct {
1109
+ // The requirement as it appeared in the new source. Null when state is 'absent'.
1110
+ After interface{} `json:"after,omitempty"`
1111
+ // Sensitive data from the new source that should not be included in the main after snapshot.
1112
+ AfterSensitive map[string]interface{} `json:"afterSensitive,omitempty"`
1113
+ // IDs of annotations attached to this requirement diff.
1114
+ AnnotationIDS []string `json:"annotationIds,omitempty"`
1115
+ // The requirement as it appeared in the old/reference source. Null when state is 'new'.
1116
+ Before interface{} `json:"before,omitempty"`
1117
+ // Sensitive data from the old source that should not be included in the main before
1118
+ // snapshot.
1119
+ BeforeSensitive map[string]interface{} `json:"beforeSensitive,omitempty"`
1120
+ // The reasons for the state change.
1121
+ ChangeReasons []ChangeReason `json:"changeReasons"`
1122
+ // Conflicts between multiple scanner results for this requirement.
1123
+ Conflicts []ScannerConflict `json:"conflicts,omitempty"`
1124
+ // Detailed field-level changes between the before and after versions.
1125
+ FieldChanges []FieldChange `json:"fieldChanges"`
1126
+ // The canonical requirement identifier used for this diff.
1127
+ ID string `json:"id"`
1128
+ // Confidence score for the match (0-1).
1129
+ MatchConfidence *float64 `json:"matchConfidence,omitempty"`
1130
+ // Whether the match was manually confirmed by a human.
1131
+ MatchManual *bool `json:"matchManual,omitempty"`
1132
+ // The strategy that was used to match this requirement across sources.
1133
+ MatchStrategy *MatchStrategy `json:"matchStrategy,omitempty"`
1134
+ // The effective status of the requirement in the new source.
1135
+ NewEffectiveStatus *string `json:"newEffectiveStatus,omitempty"`
1136
+ // The requirement ID in the new source, if different from the canonical id.
1137
+ NewID *string `json:"newId,omitempty"`
1138
+ // The impact score of the requirement in the new source (0-1).
1139
+ NewImpact *float64 `json:"newImpact,omitempty"`
1140
+ // The effective status of the requirement in the old source.
1141
+ OldEffectiveStatus *string `json:"oldEffectiveStatus,omitempty"`
1142
+ // The requirement ID in the old source, if different from the canonical id.
1143
+ OldID *string `json:"oldId,omitempty"`
1144
+ // The impact score of the requirement in the old source (0-1).
1145
+ OldImpact *float64 `json:"oldImpact,omitempty"`
1146
+ // Index into the sources array for multi-source comparisons.
1147
+ SourceIndex *int64 `json:"sourceIndex,omitempty"`
1148
+ // The state of this requirement in the comparison.
1149
+ State RequirementState `json:"state"`
1150
+ // The requirement title for human readability.
1151
+ Title *string `json:"title,omitempty"`
1152
+ }
1153
+
1154
+ // A conflict between scanner results for the same requirement.
1155
+ type ScannerConflict struct {
1156
+ // The field where the conflict occurs.
1157
+ Field string `json:"field"`
1158
+ // How the conflict was resolved.
1159
+ Resolution *ConflictResolution `json:"resolution,omitempty"`
1160
+ // Index of the source whose value was chosen as the resolution.
1161
+ ResolvedIndex *int64 `json:"resolvedIndex,omitempty"`
1162
+ // The conflicting values from each source.
1163
+ Values []Value `json:"values"`
1164
+ }
1165
+
1166
+ type Value struct {
1167
+ // Zero-based index into the sources array.
1168
+ SourceIndex int64 `json:"sourceIndex"`
1169
+ // Human-readable label for the source.
1170
+ SourceLabel string `json:"sourceLabel"`
1171
+ // The value reported by this source for the conflicting field.
1172
+ Value interface{} `json:"value,omitempty"`
1173
+ }
1174
+
1175
+ // Configuration for how requirements were matched across sources.
1176
+ //
1177
+ // Configuration for how requirements are matched across sources.
1178
+ type MatchingConfig struct {
1179
+ // Ordered list of fallback strategies tried when the primary strategy fails to find a match.
1180
+ FallbackStrategies []MatchStrategy `json:"fallbackStrategies,omitempty"`
1181
+ // Fields used to compute a fingerprint for fuzzy matching.
1182
+ FingerprintFields []string `json:"fingerprintFields,omitempty"`
1183
+ // URI pointing to an external mapping table used for ID translation.
1184
+ MappingTableURI *string `json:"mappingTableUri,omitempty"`
1185
+ // Minimum confidence score (0-1) required to accept a match.
1186
+ MinimumConfidence *float64 `json:"minimumConfidence,omitempty"`
1187
+ // The primary strategy used to match requirements across sources.
1188
+ PrimaryStrategy MatchStrategy `json:"primaryStrategy"`
1189
+ }
1190
+
1191
+ // Comparison of a single package between two SBOM versions, matched by purl.
1192
+ type PackageDiff struct {
1193
+ // License identifiers for this package.
1194
+ Licenses []string `json:"licenses,omitempty"`
1195
+ // Human-readable package name.
1196
+ Name *string `json:"name,omitempty"`
1197
+ // Package version in the new SBOM.
1198
+ NewVersion *string `json:"newVersion,omitempty"`
1199
+ // Package version in the old SBOM.
1200
+ OldVersion *string `json:"oldVersion,omitempty"`
1201
+ // Package URL (purl) used as the identity key for matching across SBOMs.
1202
+ Purl string `json:"purl"`
1203
+ // The state of this package: added (new in new SBOM), removed (absent from new SBOM),
1204
+ // updated (version changed), unchanged.
1205
+ State PackageDiffState `json:"state"`
1206
+ }
1207
+
1208
+ // A source document participating in the comparison.
1209
+ type Source struct {
1210
+ // When the source assessment was performed. ISO 8601 format.
1211
+ AssessmentTimestamp *time.Time `json:"assessmentTimestamp,omitempty"`
1212
+ // Reference to the baseline used in this source assessment.
1213
+ BaselineRef *BaselineRef `json:"baselineRef,omitempty"`
1214
+ // Cryptographic checksum of the source document for integrity verification.
1215
+ Checksum *Checksum `json:"checksum,omitempty"`
1216
+ // The components assessed in this source.
1217
+ Components []Component `json:"components,omitempty"`
1218
+ // Human-readable label for this source. Example: 'Before remediation scan'.
1219
+ Label string `json:"label"`
1220
+ // The original format of the source document before conversion to HDF.
1221
+ OriginalFormat *OriginalFormat `json:"originalFormat,omitempty"`
1222
+ // The role of this source in the comparison.
1223
+ Role SourceRole `json:"role"`
1224
+ // The security tool that produced the assessment data in this source.
1225
+ Tool *Tool `json:"tool,omitempty"`
1226
+ // URI pointing to the source document.
1227
+ URI *string `json:"uri,omitempty"`
1228
+ }
1229
+
1230
+ // Reference to the baseline used in this source assessment.
1231
+ type BaselineRef struct {
1232
+ // Name of the baseline used in this source.
1233
+ Name string `json:"name"`
1234
+ // Version of the baseline used in this source.
1235
+ Version *string `json:"version,omitempty"`
1236
+ }
1237
+
1238
+ // Summary statistics for the overall comparison.
1239
+ type ComparisonSummary struct {
1240
+ // Number of requirements present only in the old source.
1241
+ Absent *int64 `json:"absent,omitempty"`
1242
+ // Average confidence score across all requirement matches (0-1).
1243
+ AverageMatchConfidence *float64 `json:"averageMatchConfidence,omitempty"`
1244
+ // State counts broken down by severity level.
1245
+ BySeverity *SeverityBreakdown `json:"bySeverity,omitempty"`
1246
+ // Change in compliance percentage (new - old).
1247
+ ComplianceDelta *float64 `json:"complianceDelta,omitempty"`
1248
+ // Number of requirements that changed from failing to passing.
1249
+ Fixed *int64 `json:"fixed,omitempty"`
1250
+ // Number of requirements successfully matched between sources.
1251
+ MatchedCount int64 `json:"matchedCount"`
1252
+ // Number of requirements that were reorganized without content change.
1253
+ Moved *int64 `json:"moved,omitempty"`
1254
+ // Number of requirements present only in the new source.
1255
+ New *int64 `json:"new,omitempty"`
1256
+ // Compliance percentage of the new source (0-100).
1257
+ NewCompliancePercent *float64 `json:"newCompliancePercent,omitempty"`
1258
+ // Compliance percentage of the old source (0-100).
1259
+ OldCompliancePercent *float64 `json:"oldCompliancePercent,omitempty"`
1260
+ // Summary statistics for each individual source in a multi-source comparison.
1261
+ PerSource []PerSourceSummary `json:"perSource,omitempty"`
1262
+ // Number of requirements that changed from passing to failing.
1263
+ Regressed *int64 `json:"regressed,omitempty"`
1264
+ // Total number of unique requirements across all sources.
1265
+ Total int64 `json:"total"`
1266
+ // Number of requirements with the same effective status.
1267
+ Unchanged *int64 `json:"unchanged,omitempty"`
1268
+ // Number of requirements in the new source with no match in the old source.
1269
+ UnmatchedNewCount int64 `json:"unmatchedNewCount"`
1270
+ // Number of requirements in the old source with no match in the new source.
1271
+ UnmatchedOldCount int64 `json:"unmatchedOldCount"`
1272
+ // Number of requirements with a generic status change.
1273
+ Updated *int64 `json:"updated,omitempty"`
1274
+ }
1275
+
1276
+ // State counts broken down by severity level.
1277
+ //
1278
+ // Breakdown of state counts by severity level.
1279
+ type SeverityBreakdown struct {
1280
+ // State counts for critical severity requirements.
1281
+ Critical *StateCounts `json:"critical,omitempty"`
1282
+ // State counts for high severity requirements.
1283
+ High *StateCounts `json:"high,omitempty"`
1284
+ // State counts for low severity requirements.
1285
+ Low *StateCounts `json:"low,omitempty"`
1286
+ // State counts for medium severity requirements.
1287
+ Medium *StateCounts `json:"medium,omitempty"`
1288
+ }
1289
+
1290
+ // State counts for critical severity requirements.
1291
+ //
1292
+ // Counts of requirements in each state.
1293
+ //
1294
+ // State counts for high severity requirements.
1295
+ //
1296
+ // State counts for low severity requirements.
1297
+ //
1298
+ // State counts for medium severity requirements.
1299
+ type StateCounts struct {
1300
+ // Number of requirements present only in the old source.
1301
+ Absent *int64 `json:"absent,omitempty"`
1302
+ // Number of requirements that changed from failing to passing.
1303
+ Fixed *int64 `json:"fixed,omitempty"`
1304
+ // Number of requirements that were reorganized without content change.
1305
+ Moved *int64 `json:"moved,omitempty"`
1306
+ // Number of requirements present only in the new source.
1307
+ New *int64 `json:"new,omitempty"`
1308
+ // Number of requirements that changed from passing to failing.
1309
+ Regressed *int64 `json:"regressed,omitempty"`
1310
+ // Number of requirements with the same effective status.
1311
+ Unchanged *int64 `json:"unchanged,omitempty"`
1312
+ // Number of requirements with a generic status change.
1313
+ Updated *int64 `json:"updated,omitempty"`
1314
+ }
1315
+
1316
+ // Summary statistics for a single source in a multi-source comparison.
1317
+ type PerSourceSummary struct {
1318
+ // Number of requirements present only in the old source.
1319
+ Absent *int64 `json:"absent,omitempty"`
1320
+ // Number of requirements that changed from failing to passing.
1321
+ Fixed *int64 `json:"fixed,omitempty"`
1322
+ // Human-readable label for this source.
1323
+ Label string `json:"label"`
1324
+ // Number of requirements that were reorganized without content change.
1325
+ Moved *int64 `json:"moved,omitempty"`
1326
+ // Number of requirements present only in the new source.
1327
+ New *int64 `json:"new,omitempty"`
1328
+ // Number of requirements that changed from passing to failing.
1329
+ Regressed *int64 `json:"regressed,omitempty"`
1330
+ // Zero-based index into the sources array identifying which source this summary is for.
1331
+ SourceIndex int64 `json:"sourceIndex"`
1332
+ // Number of requirements with the same effective status.
1333
+ Unchanged *int64 `json:"unchanged,omitempty"`
1334
+ // Number of requirements with a generic status change.
1335
+ Updated *int64 `json:"updated,omitempty"`
1336
+ }
1337
+
1338
+ // Describes a system's authorization boundary, components, and interconnections. Maps to
1339
+ // OSCAL SSP system-characteristics and FedRAMP system inventory.
1340
+ type HDFSystem struct {
1341
+ // Date the current authorization status was granted. ISO 8601 format.
1342
+ AuthorizationDate *time.Time `json:"authorizationDate,omitempty"`
1343
+ // Current Authorization to Operate (ATO) status.
1344
+ AuthorizationStatus *AuthorizationStatus `json:"authorizationStatus,omitempty"`
1345
+ // Description of the system's authorization boundary. Example: network CIDR blocks, cloud
1346
+ // VPC IDs, physical locations.
1347
+ BoundaryDescription *string `json:"boundaryDescription,omitempty"`
1348
+ // FIPS 199 security categorization (impact level).
1349
+ CategorizationLevel *CategorizationLevel `json:"categorizationLevel,omitempty"`
1350
+ // System components within the authorization boundary. Uses the full polymorphic Component
1351
+ // type with stable identity (componentId), external references, and SBOM support.
1352
+ Components []Component `json:"components"`
1353
+ // Declares which controls are common, hybrid, or system-specific, and which component
1354
+ // provides them. Maps to NIST SP 800-53 control designations and OSCAL
1355
+ // leveraged-authorizations.
1356
+ ControlDesignations []ControlDesignation `json:"controlDesignations,omitempty"`
1357
+ // Inter-component data flows describing how components communicate. Supports local,
1358
+ // cross-system, and external flows. Replaces the interconnections[] field.
1359
+ DataFlows []DataFlow `json:"dataFlows,omitempty"`
1360
+ // Description of the system's purpose and mission.
1361
+ Description *string `json:"description,omitempty"`
1362
+ // Information about the tool that generated this system document.
1363
+ Generator *Generator `json:"generator,omitempty"`
1364
+ // System identifier from an authoritative source. Example: eMASS system ID, FedRAMP package
1365
+ // ID.
1366
+ Identifier *string `json:"identifier,omitempty"`
1367
+ // URI identifying the scheme of the system identifier. Example: 'https://emass.mil',
1368
+ // 'https://fedramp.gov'.
1369
+ IdentifierScheme *string `json:"identifierScheme,omitempty"`
1370
+ // Cryptographic integrity information for verifying this system document has not been
1371
+ // tampered with.
1372
+ Integrity *Integrity `json:"integrity,omitempty"`
1373
+ // Optional key-value labels for grouping and querying systems.
1374
+ Labels map[string]string `json:"labels,omitempty"`
1375
+ // Human-readable system name. Example: 'Enterprise Portal Production'.
1376
+ Name string `json:"name"`
1377
+ // Team or individual responsible for this system's authorization and compliance. Maps to
1378
+ // OSCAL responsible-party with role 'system-owner'.
1379
+ Owner *Identity `json:"owner,omitempty"`
1380
+ // Stable UUID (RFC 4122) for this system. Enables cross-document correlation independent of
1381
+ // file location. Optional in casual use, expected in production documents.
1382
+ SystemID *string `json:"systemId,omitempty"`
1383
+ // Version of this system document.
1384
+ Version *string `json:"version,omitempty"`
1385
+ }
1386
+
1387
+ // Declares a control's designation within a system — whether it is common (provided by
1388
+ // another component or system), system-specific (implemented locally), or hybrid (shared
1389
+ // responsibility). Maps to NIST SP 800-53 Appendix C control designations and OSCAL SSP
1390
+ // by-component provided/inherited semantics.
1391
+ type ControlDesignation struct {
1392
+ // The control identifier (e.g., 'SC-7', 'AC-2 (1)'). Must match a NIST tag in a baseline
1393
+ // requirement's tags.
1394
+ ControlID string `json:"controlId"`
1395
+ // Justification for this designation — who provides the control, why it's inherited, and
1396
+ // any relevant authorization references.
1397
+ Description string `json:"description"`
1398
+ // NIST SP 800-53 control designation. 'common': fully provided by another component or
1399
+ // system. 'system-specific': implemented by the inheriting component(s) only. 'hybrid':
1400
+ // shared responsibility between provider and inheritor.
1401
+ Designation Designation `json:"designation"`
1402
+ // componentIds that inherit this control. If omitted, all components in the system inherit
1403
+ // it.
1404
+ InheritedBy []string `json:"inheritedBy,omitempty"`
1405
+ // componentId of a local component that provides this control. Omit when the provider is an
1406
+ // external system.
1407
+ ProvidedBy *string `json:"providedBy,omitempty"`
1408
+ // Reference to another hdf-system document whose component provides this control. Use when
1409
+ // the provider is in a different system. Omit when the provider is local.
1410
+ SystemRef *string `json:"systemRef,omitempty"`
1411
+ }
1412
+
1413
+ // A data flow between two endpoints. The 'from' endpoint is always a local component; the
1414
+ // 'to' endpoint can be local, cross-system, or external. Use 'direction' to indicate
1415
+ // whether data flows one-way or both ways.
1416
+ type DataFlow struct {
1417
+ // Authentication mechanism used for this connection. Examples: 'mTLS', 'OAuth2', 'API key',
1418
+ // 'SAML', 'Kerberos'.
1419
+ Authentication *string `json:"authentication,omitempty"`
1420
+ // Human-readable description of this data flow's purpose and the data exchanged.
1421
+ Description *string `json:"description,omitempty"`
1422
+ // Data flow direction. 'unidirectional' means data flows from→to only. 'bidirectional'
1423
+ // means data flows in both directions (e.g., request/response).
1424
+ Direction *Direction `json:"direction,omitempty"`
1425
+ // UUID of the local component that is one end of this data flow. Always references a
1426
+ // component in the current system document.
1427
+ From string `json:"from"`
1428
+ // Network port number.
1429
+ Port *int64 `json:"port,omitempty"`
1430
+ // Communication protocol. Examples: 'http', 'https', 'grpc', 'ssh', 'jdbc', 'k8s-api',
1431
+ // 'socket', 'sftp'.
1432
+ Protocol *string `json:"protocol,omitempty"`
1433
+ // The other end of this data flow. Can be a local component (UUID), a cross-system
1434
+ // component reference, or an external endpoint.
1435
+ To interface{} `json:"to,omitempty"`
1436
+ }
1437
+
1438
+ // Defines an assessment plan — what baselines to run against which targets, with resolved
1439
+ // inputs and scheduling. Maps to OSCAL Assessment Plan.
1440
+ type HDFPlan struct {
1441
+ // The assessments to perform. Each assessment pairs a baseline with targets and resolved
1442
+ // inputs.
1443
+ Assessments []Assessment `json:"assessments"`
1444
+ // Description of the plan's purpose and scope.
1445
+ Description *string `json:"description,omitempty"`
1446
+ // Information about the tool that generated this plan.
1447
+ Generator *Generator `json:"generator,omitempty"`
1448
+ // Cryptographic integrity information for verifying this plan document has not been
1449
+ // tampered with.
1450
+ Integrity *Integrity `json:"integrity,omitempty"`
1451
+ // Optional key-value labels for grouping and querying plans.
1452
+ Labels map[string]string `json:"labels,omitempty"`
1453
+ // Human-readable plan name. Example: 'Portal Monthly Assessment'.
1454
+ Name string `json:"name"`
1455
+ // Unique identifier for this plan. Optional in casual use, expected in production
1456
+ // documents. Auto-generated if omitted during creation.
1457
+ PlanID *string `json:"planId,omitempty"`
1458
+ // Optional scheduling configuration for recurring assessments.
1459
+ Schedule *Schedule `json:"schedule,omitempty"`
1460
+ // URI to the hdf-system document this plan targets. Example: 'portal-prod.hdf-system.json'.
1461
+ SystemRef *string `json:"systemRef,omitempty"`
1462
+ // The type of assessment plan.
1463
+ Type *PlanType `json:"type,omitempty"`
1464
+ // Version of this plan document.
1465
+ Version *string `json:"version,omitempty"`
1466
+ }
1467
+
1468
+ // A single assessment within a plan — defines which baseline to run against which targets
1469
+ // with what configuration.
1470
+ type Assessment struct {
1471
+ // Reference to the baseline to evaluate. May be a baseline name (e.g. 'RHEL9-STIG'), a
1472
+ // relative path to an HDF Baseline document (e.g. 'rhel9-stig.hdf-baseline.json'), or an
1473
+ // absolute URI.
1474
+ BaselineRef string `json:"baselineRef"`
1475
+ // componentId of the system component this assessment targets. Use for direct component
1476
+ // binding. Alternative to targetSelector.
1477
+ ComponentRef *string `json:"componentRef,omitempty"`
1478
+ // Description of this assessment's purpose.
1479
+ Description *string `json:"description,omitempty"`
1480
+ // Resolved input values for this assessment. Keys are input names, values are the final
1481
+ // resolved values (after baseline defaults + system overrides).
1482
+ Inputs map[string]interface{} `json:"inputs,omitempty"`
1483
+ // Runner/scanner configuration for this assessment.
1484
+ Runner *RunnerConfig `json:"runner,omitempty"`
1485
+ // Label selector to match targets for this assessment. Overrides the system component's
1486
+ // targetSelector if provided.
1487
+ TargetSelector map[string]string `json:"targetSelector,omitempty"`
1488
+ }
1489
+
1490
+ // Runner/scanner configuration for this assessment.
1491
+ //
1492
+ // Configuration for the assessment runner/scanner.
1493
+ type RunnerConfig struct {
1494
+ // Name of the assessment runner. Example: 'cinc-auditor', 'inspec', 'openscap'.
1495
+ Name *string `json:"name,omitempty"`
1496
+ // Version of the runner.
1497
+ Version *string `json:"version,omitempty"`
1498
+ }
1499
+
1500
+ // Optional scheduling configuration for recurring assessments.
1501
+ //
1502
+ // Scheduling configuration for recurring assessments.
1503
+ type Schedule struct {
1504
+ // Cron expression for recurring assessments. Example: '0 2 1 * *' (2 AM on the 1st of each
1505
+ // month).
1506
+ Cron *string `json:"cron,omitempty"`
1507
+ // Date after which assessments should no longer run. ISO 8601 format.
1508
+ EndDate *time.Time `json:"endDate,omitempty"`
1509
+ // Email addresses or notification endpoints to alert when assessments complete.
1510
+ NotifyOnCompletion []string `json:"notifyOnCompletion,omitempty"`
1511
+ // Email addresses or notification endpoints to alert when regressions are detected.
1512
+ NotifyOnRegression []string `json:"notifyOnRegression,omitempty"`
1513
+ // Earliest date to begin assessments. ISO 8601 format.
1514
+ StartDate *time.Time `json:"startDate,omitempty"`
1515
+ }
1516
+
1517
+ // Waivers, attestations, exceptions, and POA&Ms that modify requirement compliance status.
1518
+ // Amendments are standalone documents that can be applied to results via merge operations.
1519
+ type HDFAmendments struct {
1520
+ // Unique identifier for this amendments document. Useful for cross-referencing when
1521
+ // multiple amendment documents target the same results.
1522
+ AmendmentID *string `json:"amendmentId,omitempty"`
1523
+ // Default identity of who created this amendments document. Individual overrides may
1524
+ // specify their own appliedBy.
1525
+ AppliedBy *Identity `json:"appliedBy,omitempty"`
1526
+ // Identity of the authorizing official who approved these amendments.
1527
+ ApprovedBy *Identity `json:"approvedBy,omitempty"`
1528
+ // Description of the amendments' purpose and scope.
1529
+ Description *string `json:"description,omitempty"`
1530
+ // Information about the tool that generated this document.
1531
+ Generator *Generator `json:"generator,omitempty"`
1532
+ // Cryptographic integrity information for verifying this amendments document has not been
1533
+ // tampered with.
1534
+ Integrity *Integrity `json:"integrity,omitempty"`
1535
+ // Optional key-value labels for grouping and querying amendments.
1536
+ Labels map[string]string `json:"labels,omitempty"`
1537
+ // Human-readable name for this amendments document. Example: 'Portal Q1 2026 Waivers'.
1538
+ Name string `json:"name"`
1539
+ // The set of amendments (waivers, attestations, exceptions, POA&Ms).
1540
+ Overrides []StandaloneOverride `json:"overrides"`
1541
+ // Document-level digital signature covering all amendments.
1542
+ Signature *Signature `json:"signature,omitempty"`
1543
+ // URI to the hdf-system document these amendments apply to.
1544
+ SystemRef *string `json:"systemRef,omitempty"`
1545
+ // Version of this amendments document.
1546
+ Version *string `json:"version,omitempty"`
1547
+ }
1548
+
1549
+ // A standalone amendment that modifies a requirement's compliance status. Extends the
1550
+ // inline Status_Override concept with requirementId and baselineRef for use outside of
1551
+ // results documents.
1552
+ type StandaloneOverride struct {
1553
+ // When this amendment was applied. ISO 8601 format.
1554
+ AppliedAt time.Time `json:"appliedAt"`
1555
+ // Identity of who applied this amendment.
1556
+ AppliedBy Identity `json:"appliedBy"`
1557
+ // Name of the baseline containing the requirement. Required when the system has multiple
1558
+ // baselines with potentially overlapping requirement IDs.
1559
+ BaselineRef *string `json:"baselineRef,omitempty"`
1560
+ // componentId of the component this amendment is scoped to. When set, the amendment only
1561
+ // applies to the specified component. When omitted, the amendment applies system-wide.
1562
+ ComponentRef *string `json:"componentRef,omitempty"`
1563
+ // Supporting evidence (screenshots, logs, URLs, documents).
1564
+ Evidence []Evidence `json:"evidence,omitempty"`
1565
+ // When this amendment expires and must be reviewed. No permanent amendments. ISO 8601
1566
+ // format.
1567
+ ExpiresAt time.Time `json:"expiresAt"`
1568
+ // componentId of the local component that provides this control. Set when the provider is
1569
+ // in the same system. Omit for external or cross-system providers; the reason field
1570
+ // explains the source. Primarily used with type 'inherited'.
1571
+ InheritedFrom *string `json:"inheritedFrom,omitempty"`
1572
+ // Remediation milestones (primarily for POA&M type amendments).
1573
+ Milestones []Milestone `json:"milestones,omitempty"`
1574
+ // Checksum of the prior amendment in the chain. Creates a tamper-evident linked list. Null
1575
+ // for the first amendment.
1576
+ PreviousChecksum *Checksum `json:"previousChecksum,omitempty"`
1577
+ // Justification for this amendment.
1578
+ Reason string `json:"reason"`
1579
+ // The ID of the requirement being amended. Must match a requirement ID in the referenced
1580
+ // baseline.
1581
+ RequirementID string `json:"requirementId"`
1582
+ // Digital signature for non-repudiation.
1583
+ Signature *Signature `json:"signature,omitempty"`
1584
+ // The new status this amendment sets. For POA&Ms, this is the current status (POA&Ms track
1585
+ // work, they don't change status).
1586
+ Status ResultStatus `json:"status"`
1587
+ // The type of amendment.
1588
+ Type OverrideType `json:"type"`
1589
+ }
1590
+
1591
+ // Bundles references to all HDF documents for audit, authorization, and compliance review.
1592
+ // Each content entry references a document by type, URI, and checksum for integrity
1593
+ // verification.
1594
+ type HDFEvidencePackage struct {
1595
+ // Summary of assessment completeness and compliance status.
1596
+ CompletenessCheck *CompletenessCheck `json:"completenessCheck,omitempty"`
1597
+ // References to HDF documents included in this evidence package.
1598
+ Contents []ContentReference `json:"contents"`
1599
+ // Description of the evidence package's purpose and scope.
1600
+ Description *string `json:"description,omitempty"`
1601
+ // Information about the tool that generated this document.
1602
+ Generator *Generator `json:"generator,omitempty"`
1603
+ // Cryptographic integrity information for verifying this evidence package has not been
1604
+ // tampered with.
1605
+ Integrity *Integrity `json:"integrity,omitempty"`
1606
+ // Optional key-value labels for grouping and querying evidence packages.
1607
+ Labels map[string]string `json:"labels,omitempty"`
1608
+ // Human-readable name for this evidence package. Example: 'Enterprise Portal ATO Evidence -
1609
+ // Q1 2026'.
1610
+ Name string `json:"name"`
1611
+ // Unique identifier for this evidence package. Optional in casual use, expected in
1612
+ // production ATO submissions. Auto-generated if omitted during creation.
1613
+ PackageID *string `json:"packageId,omitempty"`
1614
+ // URI to the hdf-plan document that drove this assessment. Used for completeness
1615
+ // verification — every baseline in the plan should have a corresponding results document in
1616
+ // this package.
1617
+ PlanRef *string `json:"planRef,omitempty"`
1618
+ // When this evidence package was prepared. ISO 8601 format.
1619
+ PreparedAt *time.Time `json:"preparedAt,omitempty"`
1620
+ // Identity of who prepared this evidence package.
1621
+ PreparedBy *Identity `json:"preparedBy,omitempty"`
1622
+ // Digital signature covering the entire evidence package.
1623
+ Signature *Signature `json:"signature,omitempty"`
1624
+ // URI to the hdf-system document this evidence package covers.
1625
+ SystemRef *string `json:"systemRef,omitempty"`
1626
+ // Version of this evidence package.
1627
+ Version *string `json:"version,omitempty"`
1628
+ }
1629
+
1630
+ // Summary of assessment completeness and compliance status.
1631
+ //
1632
+ // Informational summary of assessment completeness. Not authoritative — tools should
1633
+ // compute these from the referenced documents.
1634
+ type CompletenessCheck struct {
1635
+ // Whether all baselines referenced by system components have assessment results.
1636
+ AllBaselinesAssessed *bool `json:"allBaselinesAssessed,omitempty"`
1637
+ // Whether all system components have at least one matching target in the results.
1638
+ AllComponentsCovered *bool `json:"allComponentsCovered,omitempty"`
1639
+ // Overall compliance percentage across all assessments.
1640
+ CompliancePercent *float64 `json:"compliancePercent,omitempty"`
1641
+ // Number of waivers/amendments that have expired.
1642
+ ExpiredWaivers *int64 `json:"expiredWaivers,omitempty"`
1643
+ // SBOM coverage across system components.
1644
+ SbomCoverage *SBOMCoverage `json:"sbomCoverage,omitempty"`
1645
+ // Number of POA&M items that are still open (not completed).
1646
+ UnresolvedPoams *int64 `json:"unresolvedPoams,omitempty"`
1647
+ }
1648
+
1649
+ // SBOM coverage across system components.
1650
+ //
1651
+ // SBOM coverage statistics for the system.
1652
+ type SBOMCoverage struct {
1653
+ // Number of system components that have an associated SBOM.
1654
+ ComponentsWithSbom *int64 `json:"componentsWithSbom,omitempty"`
1655
+ // Total number of components in the system.
1656
+ TotalComponents *int64 `json:"totalComponents,omitempty"`
1657
+ }
1658
+
1659
+ // A reference to an HDF document or SBOM included in the evidence package.
1660
+ type ContentReference struct {
1661
+ // Cryptographic checksum for verifying the referenced document's integrity.
1662
+ Checksum *Checksum `json:"checksum,omitempty"`
1663
+ // componentId of the component this content entry relates to. Use to link SBOMs, results,
1664
+ // or other documents to a specific system component.
1665
+ ComponentRef *string `json:"componentRef,omitempty"`
1666
+ // Optional description of this content entry.
1667
+ Description *string `json:"description,omitempty"`
1668
+ // The type of HDF document being referenced.
1669
+ Type ContentType `json:"type"`
1670
+ // URI to the document. Can be a relative path or absolute URL.
1671
+ URI string `json:"uri"`
1672
+ }
1673
+
1674
+ // The comparison operator used when evaluating this input against observed values.
1675
+ //
1676
+ // Comparison operator for evaluating the input value against observed values. Numeric:
1677
+ // eq/ne/lt/le/gt/ge. String: eq/ne/contains/matches. Collection: in/notIn.
1678
+ type ComparisonOperator string
1679
+
1680
+ const (
1681
+ Contains ComparisonOperator = "contains"
1682
+ Eq ComparisonOperator = "eq"
1683
+ Ge ComparisonOperator = "ge"
1684
+ Gt ComparisonOperator = "gt"
1685
+ In ComparisonOperator = "in"
1686
+ LE ComparisonOperator = "le"
1687
+ Lt ComparisonOperator = "lt"
1688
+ Matches ComparisonOperator = "matches"
1689
+ Ne ComparisonOperator = "ne"
1690
+ NotIn ComparisonOperator = "notIn"
1691
+ )
1692
+
1693
+ // The data type of this input.
1694
+ //
1695
+ // The data type of the input value. Aligns with InSpec input types.
1696
+ type InputType string
1697
+
1698
+ const (
1699
+ Array InputType = "Array"
1700
+ Boolean InputType = "Boolean"
1701
+ Hash InputType = "Hash"
1702
+ Numeric InputType = "Numeric"
1703
+ Regexp InputType = "Regexp"
1704
+ String InputType = "String"
1705
+ )
1706
+
1707
+ // The hash algorithm used for the checksum.
1708
+ //
1709
+ // Supported cryptographic hash algorithms for checksums and integrity verification.
1710
+ type HashAlgorithm string
1711
+
1712
+ const (
1713
+ Sha256 HashAlgorithm = "sha256"
1714
+ Sha384 HashAlgorithm = "sha384"
1715
+ Sha512 HashAlgorithm = "sha512"
1716
+ )
1717
+
1718
+ // The current effective status of this requirement after applying the most recent
1719
+ // non-expired override, or computed from results if no overrides exist.
1720
+ //
1721
+ // The status of an individual test result. 'notApplicable' indicates the requirement does
1722
+ // not apply to the target. 'notReviewed' indicates the requirement was not assessed (e.g.,
1723
+ // requires manual verification).
1724
+ //
1725
+ // The status of this test within the requirement. Example: 'failed'.
1726
+ //
1727
+ // The new status this override sets for the requirement. This intentionally changes the
1728
+ // compliance status.
1729
+ //
1730
+ // The new status this amendment sets. For POA&Ms, this is the current status (POA&Ms track
1731
+ // work, they don't change status).
1732
+ type ResultStatus string
1733
+
1734
+ const (
1735
+ Error ResultStatus = "error"
1736
+ Failed ResultStatus = "failed"
1737
+ NotApplicable ResultStatus = "notApplicable"
1738
+ NotReviewed ResultStatus = "notReviewed"
1739
+ Passed ResultStatus = "passed"
1740
+ )
1741
+
1742
+ // The type of identifier. Use 'email' for email addresses, 'username' for user accounts,
1743
+ // 'system' for automated systems, 'simple' for basic string identifiers without additional
1744
+ // classification, or 'other' for custom identity systems.
1745
+ type OwnerType string
1746
+
1747
+ const (
1748
+ Email OwnerType = "email"
1749
+ PurpleOther OwnerType = "other"
1750
+ Simple OwnerType = "simple"
1751
+ TypeSystem OwnerType = "system"
1752
+ Username OwnerType = "username"
1753
+ )
1754
+
1755
+ // The type of evidence being provided.
1756
+ type EvidenceType string
1757
+
1758
+ const (
1759
+ Code EvidenceType = "code"
1760
+ File EvidenceType = "file"
1761
+ FluffyOther EvidenceType = "other"
1762
+ Log EvidenceType = "log"
1763
+ Screenshot EvidenceType = "screenshot"
1764
+ URL EvidenceType = "url"
1765
+ )
1766
+
1767
+ // Current status of this milestone.
1768
+ type Status string
1769
+
1770
+ const (
1771
+ Completed Status = "completed"
1772
+ InProgress Status = "inProgress"
1773
+ Pending Status = "pending"
1774
+ )
1775
+
1776
+ // The type of POA&M. 'remediation' fixes root cause. 'mitigation' reduces risk via
1777
+ // compensating controls. 'riskAcceptance' documents decision to accept risk.
1778
+ type PoamType string
1779
+
1780
+ const (
1781
+ Mitigation PoamType = "mitigation"
1782
+ RiskAcceptance PoamType = "riskAcceptance"
1783
+ TypeRemediation PoamType = "remediation"
1784
+ )
1785
+
1786
+ // Explicit severity rating. Typically derived from impact score but provided explicitly for
1787
+ // clarity.
1788
+ //
1789
+ // Severity rating for a requirement. Typically derived from the numeric impact score.
1790
+ type Severity string
1791
+
1792
+ const (
1793
+ Critical Severity = "critical"
1794
+ Informational Severity = "informational"
1795
+ Medium Severity = "medium"
1796
+ SeverityHigh Severity = "high"
1797
+ SeverityLow Severity = "low"
1798
+ )
1799
+
1800
+ // The type of status override applied to this requirement.
1801
+ //
1802
+ // The type of amendment. 'waiver': risk accepted (AO). 'attestation': manually verified
1803
+ // (assessor). 'exception': not applicable (system owner + AO). 'poam': remediation tracked
1804
+ // (no status change). 'inherited': control provided by another component or system
1805
+ // (overrides to notApplicable/passed).
1806
+ //
1807
+ // The type of amendment.
1808
+ type OverrideType string
1809
+
1810
+ const (
1811
+ Attestation OverrideType = "attestation"
1812
+ Exception OverrideType = "exception"
1813
+ Inherited OverrideType = "inherited"
1814
+ OverrideTypeWaiver OverrideType = "waiver"
1815
+ Poam OverrideType = "poam"
1816
+ )
1817
+
1818
+ type CloudProvider string
1819
+
1820
+ const (
1821
+ Aws CloudProvider = "aws"
1822
+ Azure CloudProvider = "azure"
1823
+ CloudProviderOther CloudProvider = "other"
1824
+ Gcp CloudProvider = "gcp"
1825
+ Oci CloudProvider = "oci"
1826
+ )
1827
+
1828
+ // Format of the SBOM (embedded or referenced). Required when sbom or sbomRef is present.
1829
+ type SbomFormat string
1830
+
1831
+ const (
1832
+ Cyclonedx SbomFormat = "cyclonedx"
1833
+ Spdx SbomFormat = "spdx"
1834
+ )
1835
+
1836
+ // A human readable/meaningful reference. Example: a book title.
1837
+ //
1838
+ // IP address of the host.
1839
+ type Copyright string
1840
+
1841
+ const (
1842
+ Application Copyright = "application"
1843
+ Artifact Copyright = "artifact"
1844
+ CloudAccount Copyright = "cloudAccount"
1845
+ CloudResource Copyright = "cloudResource"
1846
+ ContainerImage Copyright = "containerImage"
1847
+ ContainerInstance Copyright = "containerInstance"
1848
+ ContainerPlatform Copyright = "containerPlatform"
1849
+ Database Copyright = "database"
1850
+ Host Copyright = "host"
1851
+ Network Copyright = "network"
1852
+ Repository Copyright = "repository"
1853
+ )
1854
+
1855
+ // The category of this annotation.
1856
+ //
1857
+ // The category of an annotation attached to a comparison.
1858
+ type AnnotationCategory string
1859
+
1860
+ const (
1861
+ AnnotationCategoryRemediation AnnotationCategory = "remediation"
1862
+ AnnotationCategoryWaiver AnnotationCategory = "waiver"
1863
+ BaselineChange AnnotationCategory = "baselineChange"
1864
+ Drift AnnotationCategory = "drift"
1865
+ ScannerNote AnnotationCategory = "scannerNote"
1866
+ )
1867
+
1868
+ // The state of this baseline in the comparison.
1869
+ //
1870
+ // The state of this component in the comparison.
1871
+ type BaselineDiffState string
1872
+
1873
+ const (
1874
+ PurpleUnchanged BaselineDiffState = "unchanged"
1875
+ PurpleUpdated BaselineDiffState = "updated"
1876
+ StateAbsent BaselineDiffState = "absent"
1877
+ StateNew BaselineDiffState = "new"
1878
+ )
1879
+
1880
+ // The mode of comparison being performed.
1881
+ //
1882
+ // The mode of comparison. 'temporal' compares the same target over time. 'baseline'
1883
+ // compares against a golden reference. 'fleet' compares across multiple systems.
1884
+ // 'multiSource' compares outputs from different scanners. 'baselineEvolution' compares two
1885
+ // baseline documents to detect requirement changes between versions. 'systemDrift' compares
1886
+ // two system documents to detect component-level changes.
1887
+ type ComparisonMode string
1888
+
1889
+ const (
1890
+ Baseline ComparisonMode = "baseline"
1891
+ BaselineEvolution ComparisonMode = "baselineEvolution"
1892
+ Fleet ComparisonMode = "fleet"
1893
+ MultiSource ComparisonMode = "multiSource"
1894
+ SystemDrift ComparisonMode = "systemDrift"
1895
+ Temporal ComparisonMode = "temporal"
1896
+ )
1897
+
1898
+ // The type of change operation.
1899
+ type Op string
1900
+
1901
+ const (
1902
+ Add Op = "add"
1903
+ Remove Op = "remove"
1904
+ Replace Op = "replace"
1905
+ )
1906
+
1907
+ // The reason a requirement's state changed between sources.
1908
+ type ChangeReason string
1909
+
1910
+ const (
1911
+ BaselineUpgraded ChangeReason = "baselineUpgraded"
1912
+ ConfigChanged ChangeReason = "configChanged"
1913
+ ControlMapped ChangeReason = "controlMapped"
1914
+ ImpactChanged ChangeReason = "impactChanged"
1915
+ MetadataChanged ChangeReason = "metadataChanged"
1916
+ OverrideAdded ChangeReason = "overrideAdded"
1917
+ OverrideExpired ChangeReason = "overrideExpired"
1918
+ OverrideModified ChangeReason = "overrideModified"
1919
+ OverrideRemoved ChangeReason = "overrideRemoved"
1920
+ ResultChanged ChangeReason = "resultChanged"
1921
+ ScannerChanged ChangeReason = "scannerChanged"
1922
+ TargetChanged ChangeReason = "targetChanged"
1923
+ )
1924
+
1925
+ // How the conflict was resolved.
1926
+ //
1927
+ // How a conflict between multiple scanner results was resolved.
1928
+ type ConflictResolution string
1929
+
1930
+ const (
1931
+ ConflictResolutionManual ConflictResolution = "manual"
1932
+ MostRecent ConflictResolution = "mostRecent"
1933
+ MostSevere ConflictResolution = "mostSevere"
1934
+ Unresolved ConflictResolution = "unresolved"
1935
+ )
1936
+
1937
+ // The strategy that was used to match this requirement across sources.
1938
+ //
1939
+ // The strategy used to match requirements across sources. 'exactId' matches by identical
1940
+ // IDs. 'mappedId' uses an ID mapping table. 'cciMatch'/'nistMatch' match by framework
1941
+ // identifiers. 'fuzzyTitle'/'fuzzyContent' use text similarity.
1942
+ //
1943
+ // The primary strategy used to match requirements across sources.
1944
+ type MatchStrategy string
1945
+
1946
+ const (
1947
+ CciMatch MatchStrategy = "cciMatch"
1948
+ ExactID MatchStrategy = "exactId"
1949
+ FuzzyContent MatchStrategy = "fuzzyContent"
1950
+ FuzzyTitle MatchStrategy = "fuzzyTitle"
1951
+ MappedID MatchStrategy = "mappedId"
1952
+ NISTMatch MatchStrategy = "nistMatch"
1953
+ )
1954
+
1955
+ // The state of this requirement in the comparison.
1956
+ //
1957
+ // SARIF-compatible vocabulary extended for security. 'new' = present only in new source,
1958
+ // 'absent' = present only in old, 'unchanged' = same effective status, 'updated' = status
1959
+ // changed (generic), 'fixed' = was failing now passing, 'regressed' = was passing now
1960
+ // failing, 'moved' = reorganized same content, 'split'/'merged' = reserved for v1.1.
1961
+ type RequirementState string
1962
+
1963
+ const (
1964
+ Fixed RequirementState = "fixed"
1965
+ Merged RequirementState = "merged"
1966
+ Moved RequirementState = "moved"
1967
+ Regressed RequirementState = "regressed"
1968
+ RequirementStateAbsent RequirementState = "absent"
1969
+ RequirementStateNew RequirementState = "new"
1970
+ RequirementStateUnchanged RequirementState = "unchanged"
1971
+ RequirementStateUpdated RequirementState = "updated"
1972
+ Split RequirementState = "split"
1973
+ )
1974
+
1975
+ type FormatVersion string
1976
+
1977
+ const (
1978
+ The100 FormatVersion = "1.0.0"
1979
+ )
1980
+
1981
+ // The state of this package: added (new in new SBOM), removed (absent from new SBOM),
1982
+ // updated (version changed), unchanged.
1983
+ type PackageDiffState string
1984
+
1985
+ const (
1986
+ Added PackageDiffState = "added"
1987
+ FluffyUnchanged PackageDiffState = "unchanged"
1988
+ FluffyUpdated PackageDiffState = "updated"
1989
+ Removed PackageDiffState = "removed"
1990
+ )
1991
+
1992
+ // The original format of the source document before conversion to HDF.
1993
+ type OriginalFormat string
1994
+
1995
+ const (
1996
+ HdfV2 OriginalFormat = "hdf-v2"
1997
+ InspecV1 OriginalFormat = "inspec-v1"
1998
+ OscalAr OriginalFormat = "oscal-ar"
1999
+ Sarif OriginalFormat = "sarif"
2000
+ Xccdf OriginalFormat = "xccdf"
2001
+ )
2002
+
2003
+ // The role of this source in the comparison.
2004
+ //
2005
+ // The role of a source document in the comparison.
2006
+ type SourceRole string
2007
+
2008
+ const (
2009
+ Golden SourceRole = "golden"
2010
+ Old SourceRole = "old"
2011
+ SourceRoleNew SourceRole = "new"
2012
+ SourceRoleReference SourceRole = "reference"
2013
+ SourceRoleSystem SourceRole = "system"
2014
+ )
2015
+
2016
+ // Current Authorization to Operate (ATO) status.
2017
+ //
2018
+ // Authorization to Operate (ATO) status for the system.
2019
+ type AuthorizationStatus string
2020
+
2021
+ const (
2022
+ Authorized AuthorizationStatus = "authorized"
2023
+ ConditionallyAuthorized AuthorizationStatus = "conditionallyAuthorized"
2024
+ Denied AuthorizationStatus = "denied"
2025
+ NotYetRequested AuthorizationStatus = "notYetRequested"
2026
+ PendingAuthorization AuthorizationStatus = "pendingAuthorization"
2027
+ Revoked AuthorizationStatus = "revoked"
2028
+ )
2029
+
2030
+ // FIPS 199 security categorization (impact level).
2031
+ //
2032
+ // FIPS 199 security categorization level (impact level).
2033
+ type CategorizationLevel string
2034
+
2035
+ const (
2036
+ CategorizationLevelHigh CategorizationLevel = "high"
2037
+ CategorizationLevelLow CategorizationLevel = "low"
2038
+ Moderate CategorizationLevel = "moderate"
2039
+ )
2040
+
2041
+ // NIST SP 800-53 control designation. 'common': fully provided by another component or
2042
+ // system. 'system-specific': implemented by the inheriting component(s) only. 'hybrid':
2043
+ // shared responsibility between provider and inheritor.
2044
+ type Designation string
2045
+
2046
+ const (
2047
+ Common Designation = "common"
2048
+ DesignationHybrid Designation = "hybrid"
2049
+ SystemSpecific Designation = "system-specific"
2050
+ )
2051
+
2052
+ // Data flow direction. 'unidirectional' means data flows from→to only. 'bidirectional'
2053
+ // means data flows in both directions (e.g., request/response).
2054
+ type Direction string
2055
+
2056
+ const (
2057
+ Bidirectional Direction = "bidirectional"
2058
+ Unidirectional Direction = "unidirectional"
2059
+ )
2060
+
2061
+ // The type of assessment plan.
2062
+ //
2063
+ // The type of assessment. 'automated' for scanner-driven, 'manual' for human-performed,
2064
+ // 'hybrid' for both.
2065
+ type PlanType string
2066
+
2067
+ const (
2068
+ Automated PlanType = "automated"
2069
+ PlanTypeHybrid PlanType = "hybrid"
2070
+ PlanTypeManual PlanType = "manual"
2071
+ )
2072
+
2073
+ // The type of HDF document being referenced.
2074
+ //
2075
+ // The type of document referenced in the evidence package.
2076
+ type ContentType string
2077
+
2078
+ const (
2079
+ HdfAmendments ContentType = "hdf-amendments"
2080
+ HdfBaseline ContentType = "hdf-baseline"
2081
+ HdfComparison ContentType = "hdf-comparison"
2082
+ HdfPlan ContentType = "hdf-plan"
2083
+ HdfResults ContentType = "hdf-results"
2084
+ HdfSystem ContentType = "hdf-system"
2085
+ Sbom ContentType = "sbom"
2086
+ )
2087
+
2088
+ type Ref struct {
2089
+ AnythingMapArray []map[string]interface{}
2090
+ String *string
2091
+ }
2092
+
2093
+ func (x *Ref) UnmarshalJSON(data []byte) error {
2094
+ x.AnythingMapArray = nil
2095
+ object, err := unmarshalUnion(data, nil, nil, nil, &x.String, true, &x.AnythingMapArray, false, nil, false, nil, false, nil, false)
2096
+ if err != nil {
2097
+ return err
2098
+ }
2099
+ if object {
2100
+ }
2101
+ return nil
2102
+ }
2103
+
2104
+ func (x *Ref) MarshalJSON() ([]byte, error) {
2105
+ return marshalUnion(nil, nil, nil, x.String, x.AnythingMapArray != nil, x.AnythingMapArray, false, nil, false, nil, false, nil, false)
2106
+ }
2107
+
2108
+ func unmarshalUnion(data []byte, pi **int64, pf **float64, pb **bool, ps **string, haveArray bool, pa interface{}, haveObject bool, pc interface{}, haveMap bool, pm interface{}, haveEnum bool, pe interface{}, nullable bool) (bool, error) {
2109
+ if pi != nil {
2110
+ *pi = nil
2111
+ }
2112
+ if pf != nil {
2113
+ *pf = nil
2114
+ }
2115
+ if pb != nil {
2116
+ *pb = nil
2117
+ }
2118
+ if ps != nil {
2119
+ *ps = nil
2120
+ }
2121
+
2122
+ dec := json.NewDecoder(bytes.NewReader(data))
2123
+ dec.UseNumber()
2124
+ tok, err := dec.Token()
2125
+ if err != nil {
2126
+ return false, err
2127
+ }
2128
+
2129
+ switch v := tok.(type) {
2130
+ case json.Number:
2131
+ if pi != nil {
2132
+ i, err := v.Int64()
2133
+ if err == nil {
2134
+ *pi = &i
2135
+ return false, nil
2136
+ }
2137
+ }
2138
+ if pf != nil {
2139
+ f, err := v.Float64()
2140
+ if err == nil {
2141
+ *pf = &f
2142
+ return false, nil
2143
+ }
2144
+ return false, errors.New("Unparsable number")
2145
+ }
2146
+ return false, errors.New("Union does not contain number")
2147
+ case float64:
2148
+ return false, errors.New("Decoder should not return float64")
2149
+ case bool:
2150
+ if pb != nil {
2151
+ *pb = &v
2152
+ return false, nil
2153
+ }
2154
+ return false, errors.New("Union does not contain bool")
2155
+ case string:
2156
+ if haveEnum {
2157
+ return false, json.Unmarshal(data, pe)
2158
+ }
2159
+ if ps != nil {
2160
+ *ps = &v
2161
+ return false, nil
2162
+ }
2163
+ return false, errors.New("Union does not contain string")
2164
+ case nil:
2165
+ if nullable {
2166
+ return false, nil
2167
+ }
2168
+ return false, errors.New("Union does not contain null")
2169
+ case json.Delim:
2170
+ if v == '{' {
2171
+ if haveObject {
2172
+ return true, json.Unmarshal(data, pc)
2173
+ }
2174
+ if haveMap {
2175
+ return false, json.Unmarshal(data, pm)
2176
+ }
2177
+ return false, errors.New("Union does not contain object")
2178
+ }
2179
+ if v == '[' {
2180
+ if haveArray {
2181
+ return false, json.Unmarshal(data, pa)
2182
+ }
2183
+ return false, errors.New("Union does not contain array")
2184
+ }
2185
+ return false, errors.New("Cannot handle delimiter")
2186
+ }
2187
+ return false, errors.New("Cannot unmarshal union")
2188
+ }
2189
+
2190
+ func marshalUnion(pi *int64, pf *float64, pb *bool, ps *string, haveArray bool, pa interface{}, haveObject bool, pc interface{}, haveMap bool, pm interface{}, haveEnum bool, pe interface{}, nullable bool) ([]byte, error) {
2191
+ if pi != nil {
2192
+ return json.Marshal(*pi)
2193
+ }
2194
+ if pf != nil {
2195
+ return json.Marshal(*pf)
2196
+ }
2197
+ if pb != nil {
2198
+ return json.Marshal(*pb)
2199
+ }
2200
+ if ps != nil {
2201
+ return json.Marshal(*ps)
2202
+ }
2203
+ if haveArray {
2204
+ return json.Marshal(pa)
2205
+ }
2206
+ if haveObject {
2207
+ return json.Marshal(pc)
2208
+ }
2209
+ if haveMap {
2210
+ return json.Marshal(pm)
2211
+ }
2212
+ if haveEnum {
2213
+ return json.Marshal(pe)
2214
+ }
2215
+ if nullable {
2216
+ return json.Marshal(nil)
2217
+ }
2218
+ return nil, errors.New("Union must not be null")
2219
+ }
2220
+
2221
+ // Backward-compatible aliases for renamed constants.
2222
+ const (
2223
+ CopyrightApplication = Application
2224
+ )