@mitre/hdf-schema 3.0.1 → 3.1.0-rc.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE.md +55 -0
- package/README.md +83 -40
- package/dist/go/hdf.go +148 -104
- package/dist/index.d.ts +26 -1
- package/dist/index.js +26 -1
- package/dist/schemas/hdf-amendments.schema.json +178 -53
- package/dist/schemas/hdf-baseline.schema.json +181 -56
- package/dist/schemas/hdf-comparison.schema.json +523 -108
- package/dist/schemas/hdf-evidence-package.schema.json +175 -50
- package/dist/schemas/hdf-plan.schema.json +181 -56
- package/dist/schemas/hdf-results.schema.json +502 -87
- package/dist/schemas/hdf-system.schema.json +190 -65
- package/dist/ts/hdf-amendments.d.ts +43 -15
- package/dist/ts/hdf-amendments.js +18 -7
- package/dist/ts/hdf-amendments.ts +44 -15
- package/dist/ts/hdf-results.d.ts +91 -37
- package/dist/ts/hdf-results.js +40 -20
- package/dist/ts/hdf-results.ts +91 -36
- package/package.json +44 -45
- package/dist/python/hdf_amendments.py +0 -695
- package/dist/python/hdf_baseline.py +0 -782
- package/dist/python/hdf_comparison.py +0 -1771
- package/dist/python/hdf_evidence_package.py +0 -593
- package/dist/python/hdf_plan.py +0 -363
- package/dist/python/hdf_results.py +0 -2163
- package/dist/python/hdf_system.py +0 -904
- package/src/schemas/hdf-amendments.schema.json +0 -97
- package/src/schemas/hdf-baseline.schema.json +0 -190
- package/src/schemas/hdf-comparison.schema.json +0 -107
- package/src/schemas/hdf-evidence-package.schema.json +0 -227
- package/src/schemas/hdf-plan.schema.json +0 -92
- package/src/schemas/hdf-results.schema.json +0 -304
- package/src/schemas/hdf-system.schema.json +0 -136
- package/src/schemas/primitives/amendments.schema.json +0 -155
- package/src/schemas/primitives/common.schema.json +0 -814
- package/src/schemas/primitives/comparison.schema.json +0 -809
- package/src/schemas/primitives/component.schema.json +0 -518
- package/src/schemas/primitives/data-flow.schema.json +0 -158
- package/src/schemas/primitives/extensions.schema.json +0 -342
- package/src/schemas/primitives/parameter.schema.json +0 -128
- package/src/schemas/primitives/plan.schema.json +0 -128
- package/src/schemas/primitives/platform.schema.json +0 -32
- package/src/schemas/primitives/result.schema.json +0 -133
- package/src/schemas/primitives/runner.schema.json +0 -83
- package/src/schemas/primitives/statistics.schema.json +0 -71
- package/src/schemas/primitives/system.schema.json +0 -132
- package/src/schemas/primitives/target.schema.json +0 -523
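--- a/package/dist/schemas/hdf-baseline.schema.json
+++ b/package/dist/schemas/hdf-baseline.schema.json
@@ -1,6 +1,6 @@
 {
 "$schema": "https://json-schema.org/draft/2020-12/schema",
-"$id": "https://mitre.github.io/hdf-libs/schemas/hdf-baseline/v3.
+"$id": "https://mitre.github.io/hdf-libs/schemas/hdf-baseline/v3.1.0",
 "type": "object",
 "unevaluatedProperties": false,
 "required": [
@@ -9,7 +9,7 @@
 ],
 "allOf": [
 {
-"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.
+"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Baseline_Metadata"
 }
 ],
 "properties": {
@@ -24,34 +24,34 @@
 "groups": {
 "type": "array",
 "items": {
-"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.
+"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Requirement_Group"
 },
 "description": "A set of descriptions for the requirement groups."
 },
 "inputs": {
 "type": "array",
 "items": {
-"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/parameter/v3.
+"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/parameter/v3.1.0#/$defs/Input"
 },
 "description": "The input(s) or attribute(s) to be used in the run."
 },
 "integrity": {
-"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.
+"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.1.0#/$defs/Integrity",
 "description": "Cryptographic integrity information for verifying this baseline has not been tampered with."
 },
 "remediation": {
-"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.
+"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Remediation",
 "description": "Optional reference to automated remediation resources (Ansible playbooks, Terraform scripts, etc.) for implementing the security controls defined in this baseline."
 },
 "depends": {
 "type": "array",
 "items": {
-"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.
+"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Dependency"
 },
 "description": "The set of dependencies this baseline depends on."
 },
 "generator": {
-"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.
+"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.1.0#/$defs/Generator",
 "description": "The tool that generated this file."
 }
 },
@@ -142,7 +142,7 @@
 ],
 "allOf": [
 {
-"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.
+"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Requirement_Core"
 }
 ],
 "properties": {
@@ -151,7 +151,7 @@
 "description": "Array of labeled descriptions. At least one description with label 'default' must be present. Convention: place default description first. Common labels: 'default', 'check', 'fix', 'rationale'."
 },
 "severity": {
-"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.
+"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Severity",
 "description": "Explicit severity rating. Typically derived from impact score but provided explicitly for clarity."
 }
 },
@@ -193,9 +193,9 @@
 "description": "Array of labeled descriptions. At least one description with label 'default' must be present.",
 "title": "Baseline Requirement Descriptions"
 },
-"https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.
+"https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0": {
 "$schema": "https://json-schema.org/draft/2020-12/schema",
-"$id": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.
+"$id": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0",
 "title": "HDF Common Primitives",
 "description": "Shared building blocks used by hdf-results and hdf-baseline schemas.",
 "$defs": {
@@ -1011,9 +1011,9 @@
 }
 }
 },
-"https://mitre.github.io/hdf-libs/schemas/primitives/parameter/v3.
+"https://mitre.github.io/hdf-libs/schemas/primitives/parameter/v3.1.0": {
 "$schema": "https://json-schema.org/draft/2020-12/schema",
-"$id": "https://mitre.github.io/hdf-libs/schemas/primitives/parameter/v3.
+"$id": "https://mitre.github.io/hdf-libs/schemas/primitives/parameter/v3.1.0",
 "title": "HDF Parameter Primitives",
 "description": "Input/parameter type definitions for typed, traceable configuration values that bridge governance prose and scanner automation.",
 "$defs": {
@@ -1144,9 +1144,9 @@
 }
 }
 },
-"https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.
+"https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.1.0": {
 "$schema": "https://json-schema.org/draft/2020-12/schema",
-"$id": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.
+"$id": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.1.0",
 "title": "HDF Extension Primitives",
 "description": "Extension types for waivers, attestations, generators, and integrity.",
 "$defs": {
@@ -1155,52 +1155,67 @@
 "unevaluatedProperties": false,
 "required": [
 "type",
-"status",
 "reason",
 "appliedBy",
 "appliedAt",
 "expiresAt"
 ],
+"anyOf": [
+{
+"required": [
+"status"
+]
+},
+{
+"required": [
+"impact"
+]
+}
+],
 "properties": {
 "type": {
-"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/amendments/v3.
-"description": "The type of
+"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/amendments/v3.1.0#/$defs/Override_Type",
+"description": "The type of override applied to this requirement."
 },
 "status": {
-"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.
-"description": "The new status this override sets for the requirement.
+"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.1.0#/$defs/Result_Status",
+"description": "The new status this override sets for the requirement. Optional when only impact is being overridden."
+},
+"impact": {
+"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/amendments/v3.1.0#/$defs/Impact_Override",
+"description": "Override to the requirement's impact score. At least one of status or impact must be set."
 },
 "reason": {
 "type": "string",
-"description": "Explanation for why this
+"description": "Explanation for why this override was applied."
 },
 "appliedBy": {
-"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.
-"description": "Identity of who applied this
+"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Identity",
+"description": "Identity of who applied this override. For simple cases, use type 'simple' with just an identifier."
 },
 "appliedAt": {
 "type": "string",
 "format": "date-time",
-"description": "Timestamp when this
+"description": "Timestamp when this override was applied. ISO 8601 format."
 },
 "expiresAt": {
 "type": "string",
 "format": "date-time",
-"description": "Timestamp when this
+"description": "Timestamp when this override expires and must be reviewed/renewed. REQUIRED - no permanent overrides allowed. ISO 8601 format."
 },
 "signature": {
-"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.
+"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Signature",
 "description": "Optional digital signature for enhanced trust and non-repudiation. Supports hardware security tokens (PKCS#11/PKCS#12), Yubikeys, GPG keys, passkeys, and other signing methods."
 },
 "evidence": {
 "type": "array",
 "items": {
-"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.
+"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Evidence"
 },
-"description": "Supporting evidence for this
+"description": "Supporting evidence for this override, such as screenshots demonstrating manual verification for attestations."
 },
 "previousChecksum": {
-"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.
+"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Checksum",
 "description": "SHA-256 checksum of the previous amendment in chronological order. Creates a tamper-evident chain of amendments (similar to blockchain). Null for the first amendment on a requirement."
 }
 },
@@ -1216,6 +1231,41 @@
 "appliedAt": "2025-12-01T10:00:00Z",
 "expiresAt": "2026-12-01T00:00:00Z"
 },
+{
+"type": "riskAdjustment",
+"impact": {
+"value": 0.3
+},
+"reason": "CVE-123 is in a dead code path, unreachable from any entry point",
+"appliedBy": {
+"identifier": "dev@org.gov",
+"type": "email"
+},
+"appliedAt": "2026-04-14T10:00:00Z",
+"expiresAt": "2026-10-14T00:00:00Z"
+},
+{
+"type": "falsePositive",
+"status": "passed",
+"reason": "STIG check misidentified sshd_config syntax; manual review confirms compliant configuration",
+"appliedBy": {
+"identifier": "assessor@agency.gov",
+"type": "email"
+},
+"appliedAt": "2026-04-14T10:00:00Z",
+"expiresAt": "2026-10-14T00:00:00Z"
+},
+{
+"type": "falsePositive",
+"status": "notApplicable",
+"reason": "CVE scanner matched library signature but the vulnerable code path is not present — dependency compiled with affected module disabled",
+"appliedBy": {
+"identifier": "dev@org.gov",
+"type": "email"
+},
+"appliedAt": "2026-04-14T10:00:00Z",
+"expiresAt": "2026-10-14T00:00:00Z"
+},
 {
 "type": "attestation",
 "status": "passed",
@@ -1243,7 +1293,7 @@
 ]
 }
 ],
-"description": "An intentional change to a requirement's compliance status
+"description": "An intentional change to a requirement's compliance status and/or impact score. At least one of status or impact must be set. Overrides change the effectiveStatus or impact of the requirement. All overrides must have an expiration date to enforce periodic review.",
 "title": "Status Override"
 },
 "POAM": {
@@ -1261,16 +1311,17 @@
 "enum": [
 "remediation",
 "mitigation",
-"riskAcceptance"
+"riskAcceptance",
+"vendorDependency"
 ],
-"description": "The type of POA&M. 'remediation' fixes root cause. 'mitigation' reduces risk via compensating controls. 'riskAcceptance' documents decision to accept risk."
+"description": "The type of POA&M. 'remediation' fixes root cause. 'mitigation' reduces risk via compensating controls. 'riskAcceptance' documents decision to accept risk. 'vendorDependency' tracks a fix that depends on a vendor releasing a patch or update."
 },
 "explanation": {
 "type": "string",
 "description": "Detailed explanation of the plan, including what actions will be taken."
 },
 "appliedBy": {
-"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.
+"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Identity",
 "description": "Identity of who created this POA&M. For simple cases, use type 'simple' with just an identifier."
 },
 "appliedAt": {
@@ -1286,23 +1337,23 @@
 "milestones": {
 "type": "array",
 "items": {
-"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.
+"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Milestone"
 },
 "description": "Optional array of milestones tracking progress toward completion."
 },
 "signature": {
-"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.
+"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Signature",
 "description": "Optional digital signature for enhanced trust and non-repudiation."
 },
 "evidence": {
 "type": "array",
 "items": {
-"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.
+"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Evidence"
 },
 "description": "Supporting evidence for this POA&M, such as documentation of compensating controls or mitigation implementation."
 },
 "previousChecksum": {
-"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.
+"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Checksum",
 "description": "SHA-256 checksum of the previous amendment in chronological order. Creates a tamper-evident chain of amendments (similar to blockchain). Null for the first amendment on a requirement."
 }
 },
@@ -1453,7 +1504,7 @@
 },
 "properties": {
 "algorithm": {
-"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.
+"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Hash_Algorithm",
 "description": "The hash algorithm used for the checksum."
 },
 "checksum": {
@@ -1486,36 +1537,66 @@
 }
 }
 },
-"https://mitre.github.io/hdf-libs/schemas/primitives/amendments/v3.
+"https://mitre.github.io/hdf-libs/schemas/primitives/amendments/v3.1.0": {
 "$schema": "https://json-schema.org/draft/2020-12/schema",
-"$id": "https://mitre.github.io/hdf-libs/schemas/primitives/amendments/v3.
+"$id": "https://mitre.github.io/hdf-libs/schemas/primitives/amendments/v3.1.0",
 "title": "HDF Amendment Primitives",
-"description": "Types for waivers, attestations,
+"description": "Types for waivers, attestations, and POA&Ms that modify requirement compliance status.",
 "$defs": {
 "Override_Type": {
 "type": "string",
 "enum": [
 "waiver",
 "attestation",
-"exception",
 "poam",
-"inherited"
+"inherited",
+"falsePositive",
+"riskAdjustment",
+"operationalRequirement"
 ],
-"description": "The type of amendment. 'waiver': risk accepted
+"description": "The type of amendment, aligned with FedRAMP deviation request categories. 'waiver': risk accepted by Authorizing Official. 'attestation': manually verified by assessor. 'poam': remediation tracked (no status change). 'inherited': control provided by another component or system. 'falsePositive': scanner incorrectly identified a finding — for compliance scans (STIG, CIS), the check actually passes, so status is typically set to 'passed'; for vulnerability scans (CVE, SCA), the flagged vulnerability does not apply to this system, so status is typically set to 'notApplicable'. The disposition field on the requirement distinguishes false positives from genuinely not-applicable findings. 'riskAdjustment': impact score adjusted based on environmental context (FedRAMP Risk Adjustment); does not change pass/fail status, only impact via the impact field. 'operationalRequirement': deviation required by operational constraints (FedRAMP Operational Requirement); the finding cannot be remediated because the system requires the affected functionality. Remains an open risk. Migration note: 'exception' was removed in v3.1.0 — use 'waiver' with status 'notApplicable' instead.",
 "title": "Override Type"
 },
+"Impact_Override": {
+"type": "object",
+"required": [
+"value"
+],
+"unevaluatedProperties": false,
+"properties": {
+"value": {
+"type": "number",
+"minimum": 0,
+"maximum": 1,
+"description": "The overridden impact score (0.0–1.0)."
+}
+},
+"description": "An override to the requirement's impact score. The prior impact is the original result value or the preceding override in the chain.",
+"title": "Impact Override"
+},
 "Standalone_Override": {
 "type": "object",
 "unevaluatedProperties": false,
 "required": [
 "type",
 "requirementId",
-"status",
 "reason",
 "appliedBy",
 "appliedAt",
 "expiresAt"
 ],
+"anyOf": [
+{
+"required": [
+"status"
+]
+},
+{
+"required": [
+"impact"
+]
+}
+],
 "properties": {
 "type": {
 "$ref": "#/$defs/Override_Type",
@@ -1530,15 +1611,19 @@
 "description": "Name of the baseline containing the requirement. Required when the system has multiple baselines with potentially overlapping requirement IDs."
 },
 "status": {
-"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.
-"description": "The new status this amendment sets.
+"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.1.0#/$defs/Result_Status",
+"description": "The new status this amendment sets. Optional when only impact is being overridden."
+},
+"impact": {
+"$ref": "#/$defs/Impact_Override",
+"description": "Override to the requirement's impact score. At least one of status or impact must be set."
 },
 "reason": {
 "type": "string",
 "description": "Justification for this amendment."
 },
 "appliedBy": {
-"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.
+"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Identity",
 "description": "Identity of who applied this amendment."
 },
 "appliedAt": {
@@ -1554,22 +1639,22 @@
 "evidence": {
 "type": "array",
 "items": {
-"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.
+"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Evidence"
 },
 "description": "Supporting evidence (screenshots, logs, URLs, documents)."
 },
 "signature": {
-"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.
+"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Signature",
 "description": "Digital signature for non-repudiation."
 },
 "previousChecksum": {
-"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.
+"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Checksum",
 "description": "Checksum of the prior amendment in the chain. Creates a tamper-evident linked list. Null for the first amendment."
 },
 "milestones": {
 "type": "array",
 "items": {
-"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.
+"$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Milestone"
 },
 "description": "Remediation milestones (primarily for POA&M type amendments)."
 },
@@ -1605,6 +1690,46 @@
 }
 ]
 },
+{
+"type": "falsePositive",
+"requirementId": "SV-258010",
+"baselineRef": "RHEL9-STIG",
+"status": "passed",
+"reason": "STIG check misidentified sshd_config syntax; manual review confirms compliant configuration",
+"appliedBy": {
+"type": "email",
+"identifier": "assessor@agency.gov"
+},
+"appliedAt": "2026-04-14T10:00:00Z",
+"expiresAt": "2026-10-14T00:00:00Z"
+},
+{
+"type": "falsePositive",
+"requirementId": "CVE-2026-12345",
+"status": "notApplicable",
+"reason": "CVE scanner matched library signature but the vulnerable code path is not present in our build — dependency is compiled with the affected module disabled",
+"appliedBy": {
+"type": "email",
+"identifier": "dev@org.gov"
+},
+"appliedAt": "2026-04-14T10:00:00Z",
+"expiresAt": "2026-10-14T00:00:00Z"
+},
+{
+"type": "riskAdjustment",
+"requirementId": "SV-258020",
+"baselineRef": "RHEL9-STIG",
+"impact": {
+"value": 0.3
+},
+"reason": "CVE-123 is in a dead code path, unreachable from any entry point",
+"appliedBy": {
+"type": "email",
+"identifier": "dev@org.gov"
+},
+"appliedAt": "2026-04-14T10:00:00Z",
+"expiresAt": "2026-10-14T00:00:00Z"
+},
 {
 "type": "poam",
 "requirementId": "SV-258001",
@@ -1645,14 +1770,14 @@
 "expiresAt": "2026-09-26T00:00:00Z"
 }
 ],
-"description": "A standalone amendment that modifies a requirement's compliance status. Extends the inline
+"description": "A standalone amendment that modifies a requirement's compliance status and/or impact score. At least one of status or impact must be set. Extends the inline Override concept with requirementId and baselineRef for use outside of results documents.",
 "title": "Standalone Override"
 }
 }
 },
-"https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.
+"https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.1.0": {
 "$schema": "https://json-schema.org/draft/2020-12/schema",
-"$id": "https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.
+"$id": "https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.1.0",
 "title": "HDF Result Primitives",
 "description": "Types for representing assessment results and statuses.",
 "$defs": {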