@mitre/hdf-schema 3.0.0 → 3.1.0-rc.1

package/dist/ts/hdf-results.ts

@@ -422,8 +422,22 @@ export interface EvaluatedRequirement {
      */
     descriptions: Description[];
     /**
-     * The current effective status of this requirement after applying the most recent
-     * non-expired override, or computed from results if no overrides exist.
+     * The type of the most recent non-expired override or POAM governing this requirement.
+     * Indicates why the requirement is in its current state (e.g., waiver, falsePositive,
+     * riskAdjustment) or what remediation is being tracked (poam). Absent when no overrides or
+     * POAMs apply.
+     */
+    disposition?: OverrideType;
+    /**
+     * The current effective impact score (0.0–1.0) after applying the most recent non-expired
+     * override with an impact field. Absent when no impact overrides apply; consumers should
+     * use the requirement's impact field in that case.
+     */
+    effectiveImpact?: number;
+    /**
+     * The current effective compliance status of this requirement after applying the most
+     * recent non-expired override with a status field, or computed from results (worst-wins) if
+     * no status-bearing overrides exist.
      */
     effectiveStatus?: ResultStatus;
     /**
@@ -451,9 +465,10 @@ export interface EvaluatedRequirement {
      */
     sourceLocation?: SourceLocation;
     /**
-     * Chronological history of all status overrides applied to this requirement. Status
-     * overrides are intentional changes to the compliance status (waivers, attestations). Most
-     * recent override should be first in array. Preserves full audit trail.
+     * Chronological history of all overrides applied to this requirement. Overrides are
+     * intentional changes to the compliance status and/or impact score (waivers, attestations,
+     * false positives, risk adjustments). Most recent override should be first in array.
+     * Preserves full audit trail.
      */
     statusOverrides?: StatusOverride[];
     /**
@@ -499,8 +514,42 @@ export interface Description {
 }
 
 /**
- * The current effective status of this requirement after applying the most recent
- * non-expired override, or computed from results if no overrides exist.
+ * The type of the most recent non-expired override or POAM governing this requirement.
+ * Indicates why the requirement is in its current state (e.g., waiver, falsePositive,
+ * riskAdjustment) or what remediation is being tracked (poam). Absent when no overrides or
+ * POAMs apply.
+ *
+ * The type of amendment, aligned with FedRAMP deviation request categories. 'waiver': risk
+ * accepted by Authorizing Official. 'attestation': manually verified by assessor. 'poam':
+ * remediation tracked (no status change). 'inherited': control provided by another
+ * component or system. 'falsePositive': scanner incorrectly identified a finding — for
+ * compliance scans (STIG, CIS), the check actually passes, so status is typically set to
+ * 'passed'; for vulnerability scans (CVE, SCA), the flagged vulnerability does not apply to
+ * this system, so status is typically set to 'notApplicable'. The disposition field on the
+ * requirement distinguishes false positives from genuinely not-applicable findings.
+ * 'riskAdjustment': impact score adjusted based on environmental context (FedRAMP Risk
+ * Adjustment); does not change pass/fail status, only impact via the impact field.
+ * 'operationalRequirement': deviation required by operational constraints (FedRAMP
+ * Operational Requirement); the finding cannot be remediated because the system requires
+ * the affected functionality. Remains an open risk. Migration note: 'exception' was removed
+ * in v3.1.0 — use 'waiver' with status 'notApplicable' instead.
+ *
+ * The type of override applied to this requirement.
+ */
+export enum OverrideType {
+    Attestation = "attestation",
+    FalsePositive = "falsePositive",
+    Inherited = "inherited",
+    OperationalRequirement = "operationalRequirement",
+    Poam = "poam",
+    RiskAdjustment = "riskAdjustment",
+    Waiver = "waiver",
+}
+
+/**
+ * The current effective compliance status of this requirement after applying the most
+ * recent non-expired override with a status field, or computed from results (worst-wins) if
+ * no status-bearing overrides exist.
  *
  * The status of an individual test result. 'notApplicable' indicates the requirement does
  * not apply to the target. 'notReviewed' indicates the requirement was not assessed (e.g.,
@@ -508,8 +557,8 @@ export interface Description {
  *
  * The status of this test within the requirement. Example: 'failed'.
  *
- * The new status this override sets for the requirement. This intentionally changes the
- * compliance status.
+ * The new status this override sets for the requirement. Optional when only impact is being
+ * overridden.
  */
 export enum ResultStatus {
     Error = "error",
@@ -573,8 +622,8 @@ export interface Evidence {
  *
  * The identity that created this signature.
  *
- * Identity of who applied this status override. For simple cases, use type 'simple' with
- * just an identifier.
+ * Identity of who applied this override. For simple cases, use type 'simple' with just an
+ * identifier.
  *
  * Identity of the person or system that approved this override.
  *
@@ -674,6 +723,7 @@ export interface Poam {
     /**
      * The type of POA&M. 'remediation' fixes root cause. 'mitigation' reduces risk via
      * compensating controls. 'riskAcceptance' documents decision to accept risk.
+     * 'vendorDependency' tracks a fix that depends on a vendor releasing a patch or update.
      */
     type: PoamType;
     [property: string]: any;
@@ -803,11 +853,13 @@ export interface VerificationMethod {
 /**
  * The type of POA&M. 'remediation' fixes root cause. 'mitigation' reduces risk via
  * compensating controls. 'riskAcceptance' documents decision to accept risk.
+ * 'vendorDependency' tracks a fix that depends on a vendor releasing a patch or update.
  */
 export enum PoamType {
     Mitigation = "mitigation",
     Remediation = "remediation",
     RiskAcceptance = "riskAcceptance",
+    VendorDependency = "vendorDependency",
 }
 
 /**
@@ -903,30 +955,34 @@ export interface SourceLocation {
 }
 
 /**
- * An intentional change to a requirement's compliance status (waiver or attestation).
- * Status overrides change the effectiveStatus of the requirement. All status overrides must
- * have an expiration date to enforce periodic review.
+ * An intentional change to a requirement's compliance status and/or impact score. At least
+ * one of status or impact must be set. Overrides change the effectiveStatus or impact of
+ * the requirement. All overrides must have an expiration date to enforce periodic review.
  */
 export interface StatusOverride {
     /**
-     * Timestamp when this status override was applied. ISO 8601 format.
+     * Timestamp when this override was applied. ISO 8601 format.
      */
     appliedAt: Date;
     /**
-     * Identity of who applied this status override. For simple cases, use type 'simple' with
-     * just an identifier.
+     * Identity of who applied this override. For simple cases, use type 'simple' with just an
+     * identifier.
      */
     appliedBy: Identity;
     /**
-     * Supporting evidence for this status override, such as screenshots demonstrating manual
+     * Supporting evidence for this override, such as screenshots demonstrating manual
      * verification for attestations.
      */
     evidence?: Evidence[];
     /**
-     * Timestamp when this status override expires and must be reviewed/renewed. REQUIRED - no
-     * permanent status overrides allowed. ISO 8601 format.
+     * Timestamp when this override expires and must be reviewed/renewed. REQUIRED - no
+     * permanent overrides allowed. ISO 8601 format.
      */
     expiresAt: Date;
+    /**
+     * Override to the requirement's impact score. At least one of status or impact must be set.
+     */
+    impact?: ImpactOverride;
     /**
      * SHA-256 checksum of the previous amendment in chronological order. Creates a
      * tamper-evident chain of amendments (similar to blockchain). Null for the first amendment
@@ -934,7 +990,7 @@ export interface StatusOverride {
      */
     previousChecksum?: Checksum;
     /**
-     * Explanation for why this status override was applied.
+     * Explanation for why this override was applied.
      */
     reason: string;
     /**
@@ -944,31 +1000,30 @@ export interface StatusOverride {
      */
     signature?: Signature;
     /**
-     * The new status this override sets for the requirement. This intentionally changes the
-     * compliance status.
+     * The new status this override sets for the requirement. Optional when only impact is being
+     * overridden.
      */
-    status: ResultStatus;
+    status?: ResultStatus;
     /**
-     * The type of status override applied to this requirement.
+     * The type of override applied to this requirement.
      */
     type: OverrideType;
     [property: string]: any;
 }
 
 /**
- * The type of status override applied to this requirement.
+ * Override to the requirement's impact score. At least one of status or impact must be
+ * set.
  *
- * The type of amendment. 'waiver': risk accepted (AO). 'attestation': manually verified
- * (assessor). 'exception': not applicable (system owner + AO). 'poam': remediation tracked
- * (no status change). 'inherited': control provided by another component or system
- * (overrides to notApplicable/passed).
+ * An override to the requirement's impact score. The prior impact is the original result
+ * value or the preceding override in the chain.
  */
-export enum OverrideType {
-    Attestation = "attestation",
-    Exception = "exception",
-    Inherited = "inherited",
-    Poam = "poam",
-    Waiver = "waiver",
+export interface ImpactOverride {
+    /**
+     * The overridden impact score (0.0–1.0).
+     */
+    value: number;
+    [property: string]: any;
 }
 
 /**

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mitre/hdf-schema",
-  "version": "3.0.0",
+  "version": "3.1.0-rc.1",
   "description": "JSON schemas and multi-language type definitions for Heimdall Data Format (HDF)",
   "publishConfig": {
     "access": "public"
@@ -10,64 +10,45 @@
   "types": "./dist/index.d.ts",
   "exports": {
     ".": {
-      "import": "./dist/index.js",
-      "types": "./dist/index.d.ts"
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
     },
     "./helpers": {
-      "import": "./dist/helpers.js",
-      "types": "./dist/helpers.d.ts"
+      "types": "./dist/helpers.d.ts",
+      "import": "./dist/helpers.js"
     },
     "./hdf-results": {
-      "import": "./dist/ts/hdf-results.js",
-      "types": "./dist/ts/hdf-results.d.ts"
+      "types": "./dist/ts/hdf-results.d.ts",
+      "import": "./dist/ts/hdf-results.js"
     },
     "./hdf-baseline": {
-      "import": "./dist/ts/hdf-baseline.js",
-      "types": "./dist/ts/hdf-baseline.d.ts"
+      "types": "./dist/ts/hdf-baseline.d.ts",
+      "import": "./dist/ts/hdf-baseline.js"
     },
     "./hdf-comparison": {
-      "import": "./dist/ts/hdf-comparison.js",
-      "types": "./dist/ts/hdf-comparison.d.ts"
+      "types": "./dist/ts/hdf-comparison.d.ts",
+      "import": "./dist/ts/hdf-comparison.js"
     },
     "./hdf-system": {
-      "import": "./dist/ts/hdf-system.js",
-      "types": "./dist/ts/hdf-system.d.ts"
+      "types": "./dist/ts/hdf-system.d.ts",
+      "import": "./dist/ts/hdf-system.js"
     },
     "./hdf-plan": {
-      "import": "./dist/ts/hdf-plan.js",
-      "types": "./dist/ts/hdf-plan.d.ts"
+      "types": "./dist/ts/hdf-plan.d.ts",
+      "import": "./dist/ts/hdf-plan.js"
     },
     "./hdf-amendments": {
-      "import": "./dist/ts/hdf-amendments.js",
-      "types": "./dist/ts/hdf-amendments.d.ts"
+      "types": "./dist/ts/hdf-amendments.d.ts",
+      "import": "./dist/ts/hdf-amendments.js"
     },
     "./hdf-evidence-package": {
-      "import": "./dist/ts/hdf-evidence-package.js",
-      "types": "./dist/ts/hdf-evidence-package.d.ts"
-    },
-    "./schemas/*": "./src/schemas/*"
+      "types": "./dist/ts/hdf-evidence-package.d.ts",
+      "import": "./dist/ts/hdf-evidence-package.js"
+    }
   },
   "files": [
-    "dist",
-    "src/schemas"
+    "dist"
   ],
-  "scripts": {
-    "build": "pnpm run clean && pnpm run build:schemas && pnpm run build:types && pnpm run build:index",
-    "build:schemas": "node --import tsx src/bundle-schemas.ts",
-    "build:types": "node --import tsx src/generate-types.ts",
-    "build:index": "node --import tsx src/create-index.ts",
-    "watch:schemas": "nodemon --watch src/schemas --ext json --exec 'tsx src/bundle-schemas.ts'",
-    "serve:schemas": "npx http-server dist/schemas -p 8081 --cors",
-    "dev:viewer": "pnpm run build:schemas && concurrently \"pnpm run watch:schemas\" \"pnpm run serve:schemas\"",
-    "clean": "rimraf dist",
-    "test": "pnpm run test:ts",
-    "test:ts": "vitest run",
-    "test:go": "echo 'No Go tests in hdf-schema'",
-    "test:watch": "vitest",
-    "test:coverage": "vitest run --coverage",
-    "lint": "eslint src test",
-    "lint:fix": "eslint src test --fix"
-  },
   "repository": {
     "type": "git",
     "url": "https://github.com/mitre/hdf-libs.git",
@@ -77,7 +58,8 @@
   "license": "Apache-2.0",
   "dependencies": {
     "ajv": "^8.17.0",
-    "ajv-formats": "^3.0.0"
+    "ajv-formats": "^3.0.0",
+    "@mitre/hdf-utilities": "^3.1.0-rc.1"
   },
   "devDependencies": {
     "@hyperjump/json-schema": "^1.17.2",
@@ -88,7 +70,7 @@
     "tsx": "^4.20.6"
   },
   "engines": {
-    "node": ">=20.0.0"
+    "node": ">=22.0.0"
   },
   "keywords": [
     "hdf",
@@ -98,5 +80,23 @@
     "inspec",
     "stig",
     "compliance"
-  ]
-}
+  ],
+  "scripts": {
+    "build": "pnpm run clean && pnpm run build:schemas && pnpm run build:types && pnpm run build:index",
+    "build:schemas": "node --import tsx src/bundle-schemas.ts",
+    "build:types": "node --import tsx src/generate-types.ts",
+    "build:index": "node --import tsx src/create-index.ts",
+    "watch:schemas": "nodemon --watch src/schemas --ext json --exec 'tsx src/bundle-schemas.ts'",
+    "serve:schemas": "npx http-server dist/schemas -p 8081 --cors",
+    "dev:viewer": "pnpm run build:schemas && concurrently \"pnpm run watch:schemas\" \"pnpm run serve:schemas\"",
+    "clean": "rimraf dist",
+    "test": "pnpm run test:ts",
+    "test:ts": "vitest run",
+    "test:go": "echo 'No Go tests in hdf-schema'",
+    "test:watch": "vitest",
+    "test:coverage": "vitest run --coverage",
+    "type-check": "tsc --noEmit",
+    "lint": "eslint src test",
+    "lint:fix": "eslint src test --fix"
+  }
+}