@mitre/hdf-schema 3.0.1 → 3.1.0-rc.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (47)
  1. package/LICENSE.md +55 -0
  2. package/README.md +83 -40
  3. package/dist/go/hdf.go +148 -104
  4. package/dist/index.d.ts +26 -1
  5. package/dist/index.js +26 -1
  6. package/dist/schemas/hdf-amendments.schema.json +178 -53
  7. package/dist/schemas/hdf-baseline.schema.json +181 -56
  8. package/dist/schemas/hdf-comparison.schema.json +523 -108
  9. package/dist/schemas/hdf-evidence-package.schema.json +175 -50
  10. package/dist/schemas/hdf-plan.schema.json +181 -56
  11. package/dist/schemas/hdf-results.schema.json +502 -87
  12. package/dist/schemas/hdf-system.schema.json +190 -65
  13. package/dist/ts/hdf-amendments.d.ts +43 -15
  14. package/dist/ts/hdf-amendments.js +18 -7
  15. package/dist/ts/hdf-amendments.ts +44 -15
  16. package/dist/ts/hdf-results.d.ts +91 -37
  17. package/dist/ts/hdf-results.js +40 -20
  18. package/dist/ts/hdf-results.ts +91 -36
  19. package/package.json +44 -45
  20. package/dist/python/hdf_amendments.py +0 -695
  21. package/dist/python/hdf_baseline.py +0 -782
  22. package/dist/python/hdf_comparison.py +0 -1771
  23. package/dist/python/hdf_evidence_package.py +0 -593
  24. package/dist/python/hdf_plan.py +0 -363
  25. package/dist/python/hdf_results.py +0 -2163
  26. package/dist/python/hdf_system.py +0 -904
  27. package/src/schemas/hdf-amendments.schema.json +0 -97
  28. package/src/schemas/hdf-baseline.schema.json +0 -190
  29. package/src/schemas/hdf-comparison.schema.json +0 -107
  30. package/src/schemas/hdf-evidence-package.schema.json +0 -227
  31. package/src/schemas/hdf-plan.schema.json +0 -92
  32. package/src/schemas/hdf-results.schema.json +0 -304
  33. package/src/schemas/hdf-system.schema.json +0 -136
  34. package/src/schemas/primitives/amendments.schema.json +0 -155
  35. package/src/schemas/primitives/common.schema.json +0 -814
  36. package/src/schemas/primitives/comparison.schema.json +0 -809
  37. package/src/schemas/primitives/component.schema.json +0 -518
  38. package/src/schemas/primitives/data-flow.schema.json +0 -158
  39. package/src/schemas/primitives/extensions.schema.json +0 -342
  40. package/src/schemas/primitives/parameter.schema.json +0 -128
  41. package/src/schemas/primitives/plan.schema.json +0 -128
  42. package/src/schemas/primitives/platform.schema.json +0 -32
  43. package/src/schemas/primitives/result.schema.json +0 -133
  44. package/src/schemas/primitives/runner.schema.json +0 -83
  45. package/src/schemas/primitives/statistics.schema.json +0 -71
  46. package/src/schemas/primitives/system.schema.json +0 -132
  47. package/src/schemas/primitives/target.schema.json +0 -523
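--- a/package/src/schemas/primitives/common.schema.json
+++ b/package/src/schemas/primitives/common.schema.json
@@ -1,814 +0,0 @@
- {
- "$schema": "https://json-schema.org/draft/2020-12/schema",
- "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0",
- "title": "HDF Common Primitives",
- "description": "Shared building blocks used by hdf-results and hdf-baseline schemas.",
- "$defs": {
- "Hash_Algorithm": {
- "type": "string",
- "enum": [
- "sha256",
- "sha384",
- "sha512"
- ],
- "description": "Supported cryptographic hash algorithms for checksums and integrity verification.",
- "title": "Hash Algorithm"
- },
- "Requirement_Group": {
- "type": "object",
- "unevaluatedProperties": false,
- "required": [
- "id",
- "requirements"
- ],
- "properties": {
- "id": {
- "type": "string",
- "description": "The unique identifier for the group. Example: the relative path to the file specifying the requirements."
- },
- "title": {
- "type": "string",
- "description": "The title of the group - should be human readable."
- },
- "requirements": {
- "type": "array",
- "items": {
- "type": "string"
- },
- "description": "The set of requirements as specified by their ids in this group. Example: 'SV-238196'."
- }
- },
- "description": "Describes a group of requirements, such as those defined in a single file.",
- "title": "Requirement Group"
- },
- "Dependency": {
- "type": "object",
- "unevaluatedProperties": false,
- "required": [],
- "properties": {
- "name": {
- "type": "string",
- "description": "The name or assigned alias."
- },
- "url": {
- "type": "string",
- "format": "uri-reference",
- "description": "The address of the dependency."
- },
- "branch": {
- "type": "string",
- "description": "The branch name for a git repo."
- },
- "path": {
- "type": "string",
- "description": "The relative path if the dependency is locally available."
- },
- "statusMessage": {
- "type": "string",
- "description": "The reason for the status if it is 'failed' or 'skipped'."
- },
- "status": {
- "type": "string",
- "description": "The status. Should be: 'loaded', 'failed', or 'skipped'."
- },
- "git": {
- "type": "string",
- "format": "uri",
- "description": "The location of the git repo. Example: 'https://github.com/my-org/ubuntu-22.04-stig-baseline.git'."
- },
- "supermarket": {
- "type": "string",
- "description": "The 'user/profilename' attribute for a Supermarket server."
- },
- "compliance": {
- "type": "string",
- "description": "The 'user/profilename' attribute for an Automate server."
- }
- },
- "examples": [
- {
- "name": "ubuntu-22.04-baseline",
- "url": "https://github.com/my-org/ubuntu-22.04-stig-baseline",
- "git": "https://github.com/my-org/ubuntu-22.04-stig-baseline.git",
- "branch": "main",
- "status": "loaded"
- },
- {
- "name": "ssl-tls-baseline",
- "path": "../shared-baselines/ssl-tls",
- "status": "loaded"
- },
- {
- "name": "windows-2022-baseline",
- "git": "https://github.com/security-org/windows-2022-stig.git",
- "branch": "v1.2.0",
- "status": "failed",
- "statusMessage": "Unable to clone repository: authentication failed"
- },
- {
- "name": "chef-supermarket-baseline",
- "supermarket": "dev-sec/linux-baseline",
- "status": "loaded"
- }
- ],
- "description": "A dependency for a baseline. Can include relative paths or URLs for where to find the dependency.",
- "title": "Dependency"
- },
- "Reference": {
- "anyOf": [
- {
- "type": "object",
- "required": [
- "ref"
- ],
- "properties": {
- "ref": {
- "anyOf": [
- {
- "type": "string",
- "description": "A human readable/meaningful reference. Example: a book title."
- },
- {
- "type": "array",
- "items": {
- "type": "object",
- "additionalProperties": true
- },
- "description": "An array of reference objects."
- }
- ]
- }
- },
- "description": "A reference using the 'ref' field."
- },
- {
- "type": "object",
- "required": [
- "url"
- ],
- "properties": {
- "url": {
- "type": "string",
- "format": "uri"
- }
- },
- "description": "A URL pointing at the reference."
- },
- {
- "type": "object",
- "required": [
- "uri"
- ],
- "properties": {
- "uri": {
- "type": "string",
- "format": "uri"
- }
- },
- "description": "A URI pointing at the reference."
- }
- ],
- "description": "A reference to an external document.",
- "title": "Reference"
- },
- "Source_Location": {
- "type": "object",
- "unevaluatedProperties": false,
- "required": [],
- "properties": {
- "ref": {
- "type": "string",
- "description": "Path to the file that this requirement originates from."
- },
- "line": {
- "type": "number",
- "description": "The line on which this requirement is located."
- }
- },
- "examples": [
- {
- "ref": "controls/SV-260476.rb",
- "line": 1
- },
- {
- "ref": "profiles/ubuntu/controls/configure_audit.rb",
- "line": 42
- }
- ],
- "description": "The explicit location of a requirement within source code.",
- "title": "Source Location"
- },
- "Supported_Platform": {
- "type": "object",
- "unevaluatedProperties": false,
- "required": [],
- "properties": {
- "platformFamily": {
- "type": "string",
- "description": "The platform family. Example: 'redhat'."
- },
- "platformName": {
- "type": "string",
- "description": "The platform name - can include wildcards. Example: 'debian'."
- },
- "platform": {
- "type": "string",
- "description": "The location of the platform. Can be: 'os', 'aws', 'azure', or 'gcp'."
- },
- "release": {
- "type": "string",
- "description": "The release of the platform. Example: '20.04' for 'ubuntu'."
- }
- },
- "description": "A supported platform target. Example: the platform name being 'ubuntu'.",
- "title": "Supported Platform"
- },
- "Checksum": {
- "type": "object",
- "unevaluatedProperties": false,
- "required": [
- "algorithm",
- "value"
- ],
- "properties": {
- "algorithm": {
- "$ref": "#/$defs/Hash_Algorithm",
- "description": "The hash algorithm used for the checksum."
- },
- "value": {
- "type": "string",
- "description": "The checksum value."
- }
- },
- "examples": [
- {
- "algorithm": "sha256",
- "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
- },
- {
- "algorithm": "sha512",
- "value": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e"
- }
- ],
- "description": "Cryptographic checksum for baseline integrity verification.",
- "title": "Checksum"
- },
- "Identity": {
- "type": "object",
- "unevaluatedProperties": false,
- "required": [
- "identifier",
- "type"
- ],
- "properties": {
- "identifier": {
- "type": "string",
- "description": "The identifier value. Example: 'user@example.com', 'jdoe', 'automated-scanner-01'."
- },
- "type": {
- "type": "string",
- "enum": [
- "email",
- "username",
- "system",
- "simple",
- "other"
- ],
- "description": "The type of identifier. Use 'email' for email addresses, 'username' for user accounts, 'system' for automated systems, 'simple' for basic string identifiers without additional classification, or 'other' for custom identity systems."
- },
- "description": {
- "type": "string",
- "description": "Optional description of the identity or identity system, particularly useful when type is 'other'."
- }
- },
- "examples": [
- {
- "type": "email",
- "identifier": "admin@example.com"
- },
- {
- "type": "username",
- "identifier": "jdoe",
- "description": "Security Operations Analyst"
- },
- {
- "type": "system",
- "identifier": "automated-scanner-01",
- "description": "Nightly compliance scan pipeline"
- }
- ],
- "description": "Represents an identity that performed an action, such as capturing evidence or applying an override.",
- "title": "Identity"
- },
- "Evidence": {
- "type": "object",
- "unevaluatedProperties": false,
- "required": [
- "type",
- "data"
- ],
- "properties": {
- "type": {
- "type": "string",
- "enum": [
- "screenshot",
- "code",
- "log",
- "url",
- "file",
- "other"
- ],
- "description": "The type of evidence being provided."
- },
- "data": {
- "type": "string",
- "description": "The evidence content. For screenshots/files: base64-encoded data or URL. For code/logs: the raw text. For URLs: the URL string."
- },
- "description": {
- "type": "string",
- "description": "Human-readable description of what this evidence shows."
- },
- "mimeType": {
- "type": "string",
- "description": "MIME type of the evidence. Example: 'image/png', 'text/plain', 'application/json'."
- },
- "encoding": {
- "type": "string",
- "description": "Encoding used for the data. Example: 'base64', 'utf-8'."
- },
- "size": {
- "type": "number",
- "description": "Size of the evidence data in bytes."
- },
- "capturedAt": {
- "type": "string",
- "format": "date-time",
- "description": "Timestamp when this evidence was captured. ISO 8601 format."
- },
- "capturedBy": {
- "$ref": "#/$defs/Identity",
- "description": "Identity of who or what captured this evidence."
- }
- },
- "examples": [
- {
- "type": "screenshot",
- "data": "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNk+M9QDwADhgGAWjR9awAAAABJRU5ErkJggg==",
- "description": "Screenshot showing firewall configuration with required ports blocked",
- "mimeType": "image/png",
- "encoding": "base64",
- "size": 95,
- "capturedAt": "2025-12-14T10:30:00Z",
- "capturedBy": {
- "identifier": "security-auditor@example.com",
- "type": "email"
- }
- },
- {
- "type": "code",
- "data": "# Nginx configuration\nserver {\n listen 443 ssl;\n ssl_protocols TLSv1.2 TLSv1.3;\n ssl_ciphers HIGH:!aNULL:!MD5;\n}",
- "description": "Server configuration showing TLS 1.2+ enforcement",
- "mimeType": "text/plain",
- "capturedAt": "2025-12-14T10:45:00Z"
- },
- {
- "type": "log",
- "data": "[2025-12-14 10:00:15] INFO: Security scan completed - 0 critical vulnerabilities found\n[2025-12-14 10:00:16] INFO: All required security patches applied\n[2025-12-14 10:00:17] INFO: System compliant with security baseline",
- "description": "Security scan log output",
- "mimeType": "text/plain",
- "size": 256
- },
- {
- "type": "url",
- "data": "https://jira.example.com/browse/SEC-12345",
- "description": "Link to security ticket documenting remediation work",
- "capturedAt": "2025-12-14T11:00:00Z"
- },
- {
- "type": "file",
- "data": "UEsDBBQAAAAIAI1ZX1YhQp8FHgAAABIAAAAIAAAAdGVzdC50eHRLy8nPS8lQSgIAUmNEBhQAAAA=",
- "description": "Compliance audit report PDF",
- "mimeType": "application/pdf",
- "encoding": "base64",
- "size": 2048,
- "capturedAt": "2025-12-14T12:00:00Z",
- "capturedBy": {
- "identifier": "compliance-system",
- "type": "system"
- }
- }
- ],
- "description": "Supporting evidence for a finding or override, such as screenshots, code samples, log excerpts, or URLs.",
- "title": "Evidence"
- },
- "Remediation": {
- "type": "object",
- "unevaluatedProperties": false,
- "required": [
- "uri"
- ],
- "properties": {
- "uri": {
- "type": "string",
- "format": "uri",
- "description": "URI pointing to automated remediation resources (Ansible playbooks, Terraform scripts, etc.). Examples: GitHub repository, DISA STIG Supplemental Automation Content, vendor-provided scripts."
- },
- "checksum": {
- "$ref": "#/$defs/Checksum",
- "description": "Optional cryptographic checksum for verifying the integrity of remediation resources fetched from the URI. Recommended for security when referencing external automation scripts."
- }
- },
- "examples": [
- {
- "uri": "https://github.com/ansible-lockdown/RHEL9-STIG/tree/main/tasks"
- },
- {
- "uri": "https://artifacts.example.com/remediation/ubuntu-22.04-hardening-v1.2.tar.gz",
- "checksum": {
- "algorithm": "sha256",
- "value": "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2"
- }
- }
- ],
- "description": "Reference to automated remediation resources for implementing security controls. Points to external automation content like Ansible playbooks, Terraform scripts, or vendor-provided remediation tools.",
- "title": "Remediation"
- },
- "Verification_Method": {
- "type": "object",
- "unevaluatedProperties": false,
- "required": [
- "type",
- "controller"
- ],
- "properties": {
- "type": {
- "type": "string",
- "description": "The type of verification method. Example: 'JsonWebKey2020', 'RsaVerificationKey2018', 'Ed25519VerificationKey2020'."
- },
- "controller": {
- "type": "string",
- "description": "The entity that controls this verification method. Can be a DID, URI, or other identifier."
- },
- "publicKeyJwk": {
- "type": "object",
- "additionalProperties": true,
- "description": "Public key in JSON Web Key format."
- },
- "publicKeyPem": {
- "type": "string",
- "description": "Public key in PEM format. Example: '-----BEGIN PUBLIC KEY-----...-----END PUBLIC KEY-----'."
- },
- "publicKeyBase58": {
- "type": "string",
- "description": "Public key in Base58 format, commonly used with Ed25519 keys."
- }
- },
- "description": "Verification method containing the public key needed to verify a digital signature. Supports multiple key formats including JWK (for RSA, EC), PEM, and Base58.",
- "title": "Verification Method"
- },
- "Milestone": {
- "type": "object",
- "unevaluatedProperties": false,
- "required": [
- "description",
- "estimatedCompletion",
- "status"
- ],
- "properties": {
- "description": {
- "type": "string",
- "description": "Description of this milestone or task."
- },
- "estimatedCompletion": {
- "type": "string",
- "format": "date-time",
- "description": "Estimated completion date. ISO 8601 format."
- },
- "status": {
- "type": "string",
- "enum": [
- "pending",
- "inProgress",
- "completed"
- ],
- "description": "Current status of this milestone."
- },
- "completedAt": {
- "type": "string",
- "format": "date-time",
- "description": "Actual completion timestamp. ISO 8601 format."
- },
- "completedBy": {
- "$ref": "#/$defs/Identity",
- "description": "Identity of who completed this milestone."
- }
- },
- "description": "A milestone or task within a POA&M remediation plan.",
- "title": "Milestone"
- },
- "Signature": {
- "type": "object",
- "unevaluatedProperties": false,
- "required": [
- "type",
- "created",
- "creator",
- "signatureValue",
- "proofPurpose",
- "verificationMethod"
- ],
- "properties": {
- "type": {
- "type": "string",
- "description": "The signature suite type. Example: 'JsonWebSignature2020', 'RsaSignature2018', 'Ed25519Signature2020'."
- },
- "created": {
- "type": "string",
- "format": "date-time",
- "description": "When the signature was created. ISO 8601 format."
- },
- "creator": {
- "$ref": "#/$defs/Identity",
- "description": "The identity that created this signature."
- },
- "signatureValue": {
- "type": "string",
- "description": "The base64-encoded or base58-encoded signature value."
- },
- "proofPurpose": {
- "type": "string",
- "description": "The purpose of this signature. Example: 'attestation', 'authentication', 'assertionMethod'."
- },
- "verificationMethod": {
- "$ref": "#/$defs/Verification_Method",
- "description": "The verification method containing the public key for signature verification."
- },
- "nonce": {
- "type": "string",
- "description": "Random value to prevent replay attacks."
- },
- "challenge": {
- "type": "string",
- "description": "Challenge value from the verifier, used in challenge-response authentication."
- },
- "domain": {
- "type": "string",
- "description": "Domain restriction for the signature, prevents cross-domain replay attacks."
- }
- },
- "examples": [
- {
- "type": "JsonWebSignature2020",
- "created": "2025-12-14T10:00:00Z",
- "creator": {
- "identifier": "security-team@example.com",
- "type": "email"
- },
- "signatureValue": "eyJhbGciOiJSUzI1NiIsImI2NCI6ZmFsc2UsImNyaXQiOlsiYjY0Il19..MEYCIQDvKbtLRhWAa",
- "proofPurpose": "attestation",
- "verificationMethod": {
- "type": "JsonWebKey2020",
- "controller": "did:example:123456789abcdefghi",
- "publicKeyJwk": {
- "kty": "RSA",
- "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtV",
- "e": "AQAB"
- }
- }
- },
- {
- "type": "RsaSignature2018",
- "created": "2025-12-14T11:30:00Z",
- "creator": {
- "identifier": "ciso@example.com",
- "type": "email"
- },
- "signatureValue": "pY9...Cg==",
- "proofPurpose": "authentication",
- "verificationMethod": {
- "type": "RsaVerificationKey2018",
- "controller": "https://example.com/issuers/565049",
- "publicKeyPem": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAryQICCl6NZ5gDKrnSztO\n-----END PUBLIC KEY-----"
- },
- "nonce": "c0ae1c8e-c7e7-469f-b252-86e6a0e7387e"
- },
- {
- "type": "Ed25519Signature2020",
- "created": "2025-12-14T14:00:00Z",
- "creator": {
- "identifier": "automated-signer",
- "type": "system",
- "description": "Hardware security module (HSM) for automated attestations"
- },
- "signatureValue": "z58DAdFfa9SkqZMVMxABEBC59Ck6WibLZ",
- "proofPurpose": "assertionMethod",
- "verificationMethod": {
- "type": "Ed25519VerificationKey2020",
- "controller": "did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK",
- "publicKeyBase58": "H3C2AVvLMv6gmMNam3uVAjZpfkcJCwDwnZn6z3wXmqPV"
- },
- "challenge": "1f44d2f3-d16c-47a4-9f5f-1d6e8f4e3a2b",
- "domain": "https://compliance.example.com"
- }
- ],
- "description": "A digital signature following W3C Data Integrity Proofs pattern. Supports hardware security tokens (PKCS#11/PKCS#12), Yubikeys, GPG keys, passkeys, and other cryptographic signing methods via JWK, PEM, or Base58 key formats.",
- "title": "Signature"
- },
- "Baseline_Metadata": {
- "type": "object",
- "properties": {
- "name": {
- "type": "string",
- "description": "The name - must be unique."
- },
- "title": {
- "type": "string",
- "description": "The title - should be human readable."
- },
- "maintainer": {
- "type": "string",
- "description": "The maintainer(s)."
- },
- "copyright": {
- "type": "string",
- "description": "The copyright holder(s)."
- },
- "copyrightEmail": {
- "type": "string",
- "description": "The email address or other contact information of the copyright holder(s)."
- },
- "license": {
- "type": "string",
- "description": "The copyright license. Example: 'Apache-2.0'."
- },
- "summary": {
- "type": "string",
- "description": "The summary. Example: the Security Technical Implementation Guide (STIG) header."
- },
- "version": {
- "type": "string",
- "description": "The version of the baseline."
- },
- "supports": {
- "type": "array",
- "items": {
- "$ref": "#/$defs/Supported_Platform"
- },
- "description": "The set of supported platform targets."
- },
- "status": {
- "type": "string",
- "description": "The status. Example: 'loaded'."
- },
- "labels": {
- "type": "object",
- "additionalProperties": {
- "type": "string"
- },
- "description": "Optional key-value labels for flexible grouping. Well-known keys: system, component, environment, region, team. Values must be strings."
- }
- },
- "examples": [
- {
- "name": "rhel-9-stig-baseline",
- "title": "Red Hat Enterprise Linux 9 STIG Baseline",
- "maintainer": "MITRE SAF Team",
- "copyright": "The MITRE Corporation",
- "copyrightEmail": "saf@mitre.org",
- "license": "Apache-2.0",
- "summary": "InSpec baseline for RHEL 9 STIG compliance",
- "version": "1.0.0",
- "supports": [
- {
- "platformName": "redhat",
- "platformFamily": "redhat",
- "release": "9"
- }
- ],
- "status": "loaded"
- }
- ],
- "description": "Shared metadata fields for baselines. Used in both standalone baseline documents and evaluated baseline results.",
- "title": "Baseline Metadata"
- },
- "Requirement_Core": {
- "type": "object",
- "properties": {
- "id": {
- "type": "string",
- "description": "The requirement identifier. Example: 'SV-238196'."
- },
- "title": {
- "type": "string",
- "description": "The title - is nullable."
- },
- "descriptions": {
- "type": "array",
- "minItems": 1,
- "items": {
- "type": "object",
- "unevaluatedProperties": false,
- "required": [
- "label",
- "data"
- ],
- "properties": {
- "label": {
- "type": "string",
- "description": "Description category. The 'default' label is required for the primary description. Common labels: 'default', 'check', 'fix', 'rationale'. Tools may use custom labels."
- },
- "data": {
- "type": "string",
- "description": "The description text content."
- }
- }
- },
- "description": "Array of labeled descriptions. At least one description with label 'default' must be present. Convention: place default description first. Common labels: 'default', 'check', 'fix', 'rationale'."
- },
- "impact": {
- "type": "number",
- "minimum": 0.0,
- "maximum": 1.0,
- "description": "The impactfulness or severity (0.0 to 1.0)."
- },
- "refs": {
- "type": "array",
- "items": {
- "$ref": "#/$defs/Reference"
- },
- "description": "The set of references to external documents."
- },
- "tags": {
- "type": "object",
- "additionalProperties": true,
- "description": "A set of tags - usually metadata like CCI, STIG ID, severity."
- },
- "code": {
- "type": "string",
- "description": "The raw source code of the requirement. Set to null for manual-only requirements or requirements not yet implemented. Note that if this is an overlay, it does not include the underlying source code."
- },
- "sourceLocation": {
- "$ref": "#/$defs/Source_Location",
- "description": "The explicit location of the requirement within the source code."
- }
- },
- "examples": [
- {
- "id": "SV-238196",
- "title": "The Ubuntu operating system must enforce password complexity",
- "impact": 0.5,
- "tags": {
- "nist": ["IA-5"],
- "severity": "medium",
- "cci": ["CCI-000192"]
- },
- "refs": [
- {
- "url": "https://public.cyber.mil/stigs/"
- }
- ],
- "descriptions": [
- {
- "label": "default",
- "data": "Use of a complex password helps to increase the time and resources required to compromise the password."
- },
- {
- "label": "check",
- "data": "Verify the value of 'minlen' in /etc/security/pwquality.conf."
- }
- ]
- }
- ],
- "description": "Core requirement fields shared between baseline requirements and evaluated requirements. Contains the fundamental requirement definition without assessment results.",
- "title": "Requirement Core"
- },
- "Severity": {
- "type": "string",
- "enum": [
- "critical",
- "high",
- "medium",
- "low",
- "informational"
- ],
- "description": "Severity rating for a requirement. Typically derived from the numeric impact score.",
- "title": "Severity"
- },
- "Cloud_Provider": {
- "type": [
- "string",
- "null"
- ],
- "enum": [
- "aws",
- "azure",
- "gcp",
- "oci",
- "other",
- null
- ],
- "description": "Cloud service provider identifier.",
- "title": "Cloud Provider"
- }
- }
- }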