@mitre/hdf-schema 3.0.1 → 3.1.0-rc.1

package/src/schemas/primitives/result.schema.json

@@ -1,133 +0,0 @@
-{
-  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.0.0",
-  "title": "HDF Result Primitives",
-  "description": "Types for representing assessment results and statuses.",
-  "$defs": {
-    "Result_Status": {
-      "type": "string",
-      "enum": [
-        "passed",
-        "failed",
-        "notApplicable",
-        "notReviewed",
-        "error"
-      ],
-      "description": "The status of an individual test result. 'notApplicable' indicates the requirement does not apply to the target. 'notReviewed' indicates the requirement was not assessed (e.g., requires manual verification).",
-      "title": "Result Status"
-    },
-    "Requirement_Result": {
-      "type": "object",
-      "unevaluatedProperties": false,
-      "required": [
-        "status",
-        "codeDesc",
-        "startTime"
-      ],
-      "properties": {
-        "status": {
-          "$ref": "#/$defs/Result_Status",
-          "description": "The status of this test within the requirement. Example: 'failed'."
-        },
-        "codeDesc": {
-          "type": "string",
-          "description": "A description of this test. Example: 'limits.conf * is expected to include [\"hard\", \"maxlogins\", \"10\"]'."
-        },
-        "runTime": {
-          "type": "number",
-          "minimum": 0,
-          "description": "The execution time in seconds for the test."
-        },
-        "startTime": {
-          "type": "string",
-          "format": "date-time",
-          "description": "The time at which the test started."
-        },
-        "resource": {
-          "type": "string",
-          "description": "The resource used in the test. Example: 'file', 'command', 'service'."
-        },
-        "resourceId": {
-          "type": "string",
-          "description": "The unique identifier of the resource. Example: '/etc/passwd'."
-        },
-        "message": {
-          "type": "string",
-          "description": "An explanation of the test result. Typically provided for failed tests, errors, or to explain why a test was not applicable or not reviewed."
-        },
-        "exception": {
-          "type": "string",
-          "description": "The type of exception if an exception was thrown."
-        },
-        "backtrace": {
-          "type": "array",
-          "items": {
-            "type": "string"
-          },
-          "description": "The stacktrace/backtrace of the exception if one occurred."
-        }
-      },
-      "examples": [
-        {
-          "status": "passed",
-          "codeDesc": "File /etc/ssh/sshd_config content is expected to match /Protocol\\s+2/",
-          "startTime": "2025-06-15T10:30:00Z",
-          "runTime": 0.015
-        },
-        {
-          "status": "failed",
-          "codeDesc": "Service 'telnet' is expected not to be enabled",
-          "startTime": "2025-06-15T10:30:01Z",
-          "runTime": 0.008,
-          "message": "expected that 'Service telnet' is not enabled"
-        },
-        {
-          "status": "error",
-          "codeDesc": "File /etc/audit/auditd.conf content is expected to include 'max_log_file'",
-          "startTime": "2025-06-15T10:30:02Z",
-          "exception": "Errno::ENOENT",
-          "backtrace": [
-            "/opt/inspec/lib/resources/file.rb:42:in 'read'",
-            "/opt/inspec/lib/resources/file.rb:15:in 'content'"
-          ]
-        }
-      ],
-      "description": "A test within a requirement and its results and findings such as how long it took to run.",
-      "title": "Requirement Result"
-    },
-    "Requirement_Description": {
-      "type": "object",
-      "unevaluatedProperties": false,
-      "required": [
-        "label",
-        "data"
-      ],
-      "properties": {
-        "label": {
-          "type": "string",
-          "description": "The type of description. Examples: 'fix', 'check', 'rationale'."
-        },
-        "data": {
-          "type": "string",
-          "description": "The text of the description."
-        }
-      },
-      "examples": [
-        {
-          "label": "default",
-          "data": "Verify the SSH daemon is configured to only use FIPS-validated key exchange algorithms."
-        },
-        {
-          "label": "check",
-          "data": "Run 'sshd -T | grep kexalgorithms' and verify only FIPS-compliant algorithms are listed."
-        },
-        {
-          "label": "fix",
-          "data": "Add 'KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384' to /etc/ssh/sshd_config and restart sshd."
-        }
-      ],
-      "description": "A labeled description for a requirement, such as fix text or check instructions.",
-      "title": "Requirement Description"
-    }
-  }
-}

package/src/schemas/primitives/runner.schema.json

@@ -1,83 +0,0 @@
-{
-  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/runner/v3.0.0",
-  "title": "HDF Runner Primitive",
-  "description": "Information about the test execution environment where the security tool/scanner was executed.",
-  "$defs": {
-    "Runner": {
-      "type": "object",
-      "unevaluatedProperties": false,
-      "required": ["name"],
-      "properties": {
-        "name": {
-          "type": "string",
-          "description": "The name of the runner environment. Examples: 'ubuntu', 'macos', 'windows', 'docker', 'kubernetes-pod', 'manual'."
-        },
-        "release": {
-          "type": "string",
-          "description": "The version/release of the operating system or runtime. Example: '20.04', '13.2', '11'."
-        },
-        "architecture": {
-          "type": "string",
-          "description": "The CPU architecture of the runner system. Example: 'x86_64', 'arm64', 'aarch64'."
-        },
-        "hostname": {
-          "type": "string",
-          "description": "The hostname of the runner system. Example: 'ci-runner-01', 'jenkins-agent-03', 'k8s-node-worker-03'."
-        },
-        "containerImage": {
-          "type": "string",
-          "description": "The container image used for the test execution. Example: 'inspec/inspec:latest', 'ghcr.io/my-org/scanner:v2.1.0'. Useful for CI/CD pipelines where tests run in containers."
-        },
-        "containerId": {
-          "type": "string",
-          "description": "The container instance identifier. Example: 'a1b2c3d4e5f6', 'security-scan-job-xyz123'. Can be a Docker container ID, Kubernetes pod name, or other container runtime identifier."
-        },
-        "operator": {
-          "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Identity",
-          "description": "The identity of the person or system responsible for executing the test. This could be a human auditor manually completing a checklist, an automated CI/CD system, or a security tool. Optional field to support both automated and manual HDF generation."
-        }
-      },
-      "examples": [
-        {
-          "name": "docker",
-          "release": "20.04",
-          "architecture": "x86_64",
-          "hostname": "github-runner-prod-01",
-          "containerImage": "ghcr.io/inspec/inspec:5.22.3",
-          "containerId": "security-scan-job-a1b2c3d4",
-          "operator": {
-            "identifier": "github-actions",
-            "type": "system",
-            "description": "Automated CI/CD pipeline"
-          }
-        },
-        {
-          "name": "kubernetes-pod",
-          "release": "1.28.4",
-          "architecture": "arm64",
-          "hostname": "k8s-worker-node-05",
-          "containerImage": "gcr.io/my-org/security-scanner:v3.2.1",
-          "containerId": "compliance-scan-pod-xyz789",
-          "operator": {
-            "identifier": "security-automation@example.com",
-            "type": "email"
-          }
-        },
-        {
-          "name": "manual",
-          "release": "macOS 14.2",
-          "architecture": "arm64",
-          "hostname": "auditor-mbp-02",
-          "operator": {
-            "identifier": "jane.smith",
-            "type": "username",
-            "description": "Senior Security Auditor - Manual Assessment"
-          }
-        }
-      ],
-      "description": "Information about the test execution environment. This is distinct from the target being scanned - the runner is where the security tool executes, while targets are what is being assessed.",
-      "title": "Runner"
-    }
-  }
-}

package/src/schemas/primitives/statistics.schema.json

@@ -1,71 +0,0 @@
-{
-  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/statistics/v3.0.0",
-  "title": "HDF Statistics Primitives",
-  "description": "Statistics types for tracking assessment run metrics.",
-  "$defs": {
-    "Statistic_Block": {
-      "type": "object",
-      "unevaluatedProperties": false,
-      "required": [
-        "total"
-      ],
-      "properties": {
-        "total": {
-          "type": "integer",
-          "minimum": 0,
-          "description": "The total count. Example: the total number of requirements in a given category for a run."
-        }
-      },
-      "description": "Statistics for a given item, such as the total count.",
-      "title": "Statistic Block"
-    },
-    "Statistic_Hash": {
-      "type": "object",
-      "unevaluatedProperties": false,
-      "required": [],
-      "properties": {
-        "passed": {
-          "$ref": "#/$defs/Statistic_Block",
-          "description": "Statistics for requirements that passed."
-        },
-        "failed": {
-          "$ref": "#/$defs/Statistic_Block",
-          "description": "Statistics for requirements that failed."
-        },
-        "notApplicable": {
-          "$ref": "#/$defs/Statistic_Block",
-          "description": "Statistics for requirements that are not applicable to the target."
-        },
-        "notReviewed": {
-          "$ref": "#/$defs/Statistic_Block",
-          "description": "Statistics for requirements that were not reviewed (manual check required)."
-        },
-        "error": {
-          "$ref": "#/$defs/Statistic_Block",
-          "description": "Statistics for requirements that encountered an error during assessment."
-        }
-      },
-      "description": "Statistics for requirement results, grouped by status.",
-      "title": "Statistic Hash"
-    },
-    "Statistics": {
-      "type": "object",
-      "unevaluatedProperties": false,
-      "required": [],
-      "properties": {
-        "duration": {
-          "type": "number",
-          "minimum": 0,
-          "description": "How long (in seconds) this assessment run took."
-        },
-        "requirements": {
-          "$ref": "#/$defs/Statistic_Hash",
-          "description": "Breakdowns of requirement statistics by result status."
-        }
-      },
-      "description": "Statistics for the assessment run(s) such as duration and result counts.",
-      "title": "Statistics"
-    }
-  }
-}

package/src/schemas/primitives/system.schema.json

@@ -1,132 +0,0 @@
-{
-  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/system/v3.0.0",
-  "title": "HDF System Primitives",
-  "description": "Types for describing system architecture, authorization boundaries, and components.",
-  "$defs": {
-    "Authorization_Status": {
-      "type": "string",
-      "enum": [
-        "authorized",
-        "denied",
-        "pendingAuthorization",
-        "conditionallyAuthorized",
-        "notYetRequested",
-        "revoked"
-      ],
-      "description": "Authorization to Operate (ATO) status for the system.",
-      "title": "Authorization Status"
-    },
-    "Categorization_Level": {
-      "type": "string",
-      "enum": [
-        "low",
-        "moderate",
-        "high"
-      ],
-      "description": "FIPS 199 security categorization level (impact level).",
-      "title": "Categorization Level"
-    },
-    "Input_Override": {
-      "type": "object",
-      "unevaluatedProperties": false,
-      "required": [
-        "inputName",
-        "value"
-      ],
-      "properties": {
-        "baselineRef": {
-          "type": "string",
-          "description": "Name of the baseline this override applies to. If omitted, applies to all baselines that define this input."
-        },
-        "inputName": {
-          "type": "string",
-          "description": "Name of the input being overridden. Must match an Input.name in the referenced baseline."
-        },
-        "value": {
-          "description": "The overridden value. Should match the type of the original input."
-        },
-        "justification": {
-          "type": "string",
-          "description": "Rationale for why this override is needed."
-        },
-        "approvedBy": {
-          "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Identity",
-          "description": "Identity of the person or system that approved this override."
-        }
-      },
-      "description": "An override of a baseline input value for a specific component. Enables system-specific tailoring of baseline parameters.",
-      "title": "Input Override"
-    },
-    "Target_Selector": {
-      "type": "object",
-      "additionalProperties": {
-        "type": "string"
-      },
-      "description": "A label selector that matches targets by label key-value pairs. All specified labels must match (AND logic). Example: { \"labels.component\": \"WebTier\" } matches targets with labels.component = \"WebTier\".",
-      "title": "Target Selector"
-    },
-    "Control_Designation": {
-      "type": "object",
-      "unevaluatedProperties": false,
-      "required": [
-        "controlId",
-        "designation",
-        "description"
-      ],
-      "properties": {
-        "controlId": {
-          "type": "string",
-          "description": "The control identifier (e.g., 'SC-7', 'AC-2 (1)'). Must match a NIST tag in a baseline requirement's tags."
-        },
-        "designation": {
-          "type": "string",
-          "enum": [
-            "common",
-            "system-specific",
-            "hybrid"
-          ],
-          "description": "NIST SP 800-53 control designation. 'common': fully provided by another component or system. 'system-specific': implemented by the inheriting component(s) only. 'hybrid': shared responsibility between provider and inheritor."
-        },
-        "providedBy": {
-          "type": "string",
-          "format": "uuid",
-          "description": "componentId of a local component that provides this control. Omit when the provider is an external system."
-        },
-        "systemRef": {
-          "type": "string",
-          "format": "uri-reference",
-          "description": "Reference to another hdf-system document whose component provides this control. Use when the provider is in a different system. Omit when the provider is local."
-        },
-        "inheritedBy": {
-          "type": "array",
-          "items": {
-            "type": "string",
-            "format": "uuid"
-          },
-          "description": "componentIds that inherit this control. If omitted, all components in the system inherit it."
-        },
-        "description": {
-          "type": "string",
-          "description": "Justification for this designation — who provides the control, why it's inherited, and any relevant authorization references."
-        }
-      },
-      "examples": [
-        {
-          "controlId": "IA-2",
-          "designation": "common",
-          "providedBy": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
-          "inheritedBy": ["11111111-2222-3333-4444-555555555555"],
-          "description": "User identification and authentication provided by Keycloak SSO via SAML 2.0."
-        },
-        {
-          "controlId": "PE-2",
-          "designation": "common",
-          "description": "Physical access authorizations provided by AWS GovCloud per FedRAMP High authorization."
-        }
-      ],
-      "description": "Declares a control's designation within a system — whether it is common (provided by another component or system), system-specific (implemented locally), or hybrid (shared responsibility). Maps to NIST SP 800-53 Appendix C control designations and OSCAL SSP by-component provided/inherited semantics.",
-      "title": "Control Designation"
-    }
-  }
-}