@mitre/hdf-schema 3.0.1 → 3.1.0

package/src/schemas/hdf-plan.schema.json

@@ -1,92 +0,0 @@
-{
-  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://mitre.github.io/hdf-libs/schemas/hdf-plan/v3.0.0",
-  "title": "HDF Plan",
-  "description": "Defines an assessment plan — what baselines to run against which targets, with resolved inputs and scheduling. Maps to OSCAL Assessment Plan.",
-  "type": "object",
-  "unevaluatedProperties": false,
-  "required": [
-    "name",
-    "assessments"
-  ],
-  "properties": {
-    "planId": {
-      "type": "string",
-      "format": "uuid",
-      "description": "Unique identifier for this plan. Optional in casual use, expected in production documents. Auto-generated if omitted during creation."
-    },
-    "name": {
-      "type": "string",
-      "description": "Human-readable plan name. Example: 'Portal Monthly Assessment'."
-    },
-    "type": {
-      "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/plan/v3.0.0#/$defs/Plan_Type",
-      "description": "The type of assessment plan."
-    },
-    "description": {
-      "type": "string",
-      "description": "Description of the plan's purpose and scope."
-    },
-    "systemRef": {
-      "type": "string",
-      "format": "uri-reference",
-      "description": "URI to the hdf-system document this plan targets. Example: 'portal-prod.hdf-system.json'."
-    },
-    "assessments": {
-      "type": "array",
-      "minItems": 1,
-      "items": {
-        "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/plan/v3.0.0#/$defs/Assessment"
-      },
-      "description": "The assessments to perform. Each assessment pairs a baseline with targets and resolved inputs."
-    },
-    "schedule": {
-      "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/plan/v3.0.0#/$defs/Schedule",
-      "description": "Optional scheduling configuration for recurring assessments."
-    },
-    "labels": {
-      "type": "object",
-      "additionalProperties": {
-        "type": "string"
-      },
-      "description": "Optional key-value labels for grouping and querying plans."
-    },
-    "integrity": {
-      "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.0.0#/$defs/Integrity",
-      "description": "Cryptographic integrity information for verifying this plan document has not been tampered with."
-    },
-    "version": {
-      "type": "string",
-      "description": "Version of this plan document."
-    },
-    "generator": {
-      "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.0.0#/$defs/Generator",
-      "description": "Information about the tool that generated this plan."
-    }
-  },
-  "examples": [
-    {
-      "name": "Portal Monthly Assessment",
-      "type": "automated",
-      "systemRef": "portal-prod.hdf-system.json",
-      "assessments": [
-        {
-          "baselineRef": "RHEL9-STIG",
-          "targetSelector": { "labels.component": "WebTier" },
-          "inputs": {
-            "max_concurrent_sessions": 5,
-            "password_min_length": 15
-          },
-          "runner": {
-            "name": "cinc-auditor",
-            "version": "6.8.1"
-          }
-        }
-      ],
-      "schedule": {
-        "cron": "0 2 1 * *",
-        "notifyOnRegression": ["security-team@agency.gov"]
-      }
-    }
-  ]
-}

package/src/schemas/hdf-results.schema.json

@@ -1,304 +0,0 @@
-{
-  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://mitre.github.io/hdf-libs/schemas/hdf-results/v3.0.0",
-  "type": "object",
-  "unevaluatedProperties": false,
-  "required": [
-    "baselines"
-  ],
-  "properties": {
-    "id": {
-      "type": "string",
-      "format": "uuid",
-      "description": "Unique identifier for this assessment run."
-    },
-    "timestamp": {
-      "type": "string",
-      "format": "date-time",
-      "description": "When this assessment was executed."
-    },
-    "components": {
-      "type": "array",
-      "items": {
-        "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/component/v3.0.0#/$defs/Component"
-      },
-      "description": "The components that were assessed. Each component describes a system element (host, container, cloud resource, application, etc.) with optional identity, SBOM, and external references."
-    },
-    "baselines": {
-      "type": "array",
-      "items": {
-        "$ref": "#/$defs/Evaluated_Baseline"
-      },
-      "description": "Information on the baselines that were evaluated, including findings."
-    },
-    "statistics": {
-      "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/statistics/v3.0.0#/$defs/Statistics",
-      "description": "Statistics for the assessment run, including duration and result counts."
-    },
-    "generator": {
-      "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.0.0#/$defs/Generator",
-      "description": "Information about the tool that generated this file."
-    },
-    "tool": {
-      "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.0.0#/$defs/Tool",
-      "description": "The security tool that produced the assessment data in this file."
-    },
-    "integrity": {
-      "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.0.0#/$defs/Integrity",
-      "description": "Cryptographic integrity information for verifying this file."
-    },
-    "runner": {
-      "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/runner/v3.0.0#/$defs/Runner",
-      "description": "Information about the test execution environment where the security tool was run. Distinct from targets (what is being tested)."
-    },
-    "remediation": {
-      "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Remediation",
-      "description": "Optional reference to automated remediation resources (Ansible playbooks, Terraform scripts, etc.) for fixing failing requirements found in this assessment."
-    },
-    "systemRef": {
-      "type": "string",
-      "format": "uri-reference",
-      "description": "Reference to an hdf-system document describing the system under assessment. May be a relative path, absolute URI, or fragment identifier."
-    },
-    "planRef": {
-      "type": "string",
-      "format": "uri-reference",
-      "description": "Reference to an hdf-plan document describing the assessment plan that produced these results. May be a relative path, absolute URI, or fragment identifier."
-    },
-    "extensions": {
-      "type": "object",
-      "additionalProperties": true,
-      "description": "Reserved for tool-specific data not defined in the HDF standard. Use this to preserve original tool output, auxiliary data, or custom metadata."
-    }
-  },
-  "examples": [
-    {
-      "baselines": [
-        {
-          "name": "web-server-hardening",
-          "title": "Web Server Security Baseline",
-          "version": "1.0.0",
-          "summary": "Security hardening checks for Apache HTTP Server",
-          "requirements": [
-            {
-              "id": "SV-100001",
-              "title": "Web server must use TLS 1.2 or higher",
-              "impact": 0.7,
-              "tags": {
-                "nist": ["SC-8", "SC-23"]
-              },
-              "descriptions": [
-                {
-                  "label": "default",
-                  "data": "The web server must be configured to use TLS 1.2 or higher for all encrypted connections."
-                }
-              ],
-              "results": [
-                {
-                  "status": "passed",
-                  "codeDesc": "SSL configuration is expected to include TLSv1.2",
-                  "startTime": "2025-06-15T14:30:00Z",
-                  "runTime": 0.042
-                }
-              ]
-            },
-            {
-              "id": "SV-100002",
-              "title": "Web server must have X-Frame-Options header set",
-              "impact": 0.5,
-              "tags": {
-                "nist": ["SA-11", "RA-5"]
-              },
-              "descriptions": [
-                {
-                  "label": "default",
-                  "data": "The anti-clickjacking X-Frame-Options header must be present on all responses."
-                }
-              ],
-              "results": [
-                {
-                  "status": "failed",
-                  "codeDesc": "HTTP response headers are expected to include X-Frame-Options",
-                  "startTime": "2025-06-15T14:30:01Z",
-                  "message": "X-Frame-Options header not found in response"
-                }
-              ]
-            }
-          ]
-        }
-      ],
-      "components": [
-        {
-          "type": "application",
-          "name": "Apache HTTP Server 2.4"
-        }
-      ],
-      "generator": {
-        "name": "nikto-to-hdf",
-        "version": "1.0.0"
-      },
-      "tool": {
-        "name": "Nikto"
-      }
-    }
-  ],
-  "description": "The top level value containing all assessment results.",
-  "title": "HDF Results",
-  "$defs": {
-    "Evaluated_Baseline": {
-      "type": "object",
-      "unevaluatedProperties": false,
-      "required": [
-        "name",
-        "requirements"
-      ],
-      "allOf": [
-        {
-          "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Baseline_Metadata"
-        }
-      ],
-      "properties": {
-        "depends": {
-          "type": "array",
-          "items": {
-            "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Dependency"
-          },
-          "description": "The set of dependencies this baseline depends on."
-        },
-        "parentBaseline": {
-          "type": "string",
-          "description": "The name of the parent baseline if this is a dependency of another."
-        },
-        "description": {
-          "type": "string",
-          "description": "The description - should be more detailed than the summary."
-        },
-        "integrity": {
-          "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.0.0#/$defs/Integrity",
-          "description": "Cryptographic integrity information for verifying this baseline has not been tampered with."
-        },
-        "originalChecksum": {
-          "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Checksum",
-          "description": "SHA-256 checksum of the original baseline definition file (before execution). This is an immutable reference to the baseline as defined, used to detect tampering with baseline requirements or metadata."
-        },
-        "resultsChecksum": {
-          "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Checksum",
-          "description": "SHA-256 checksum of the raw results before any amendments (statusOverrides or POAMs). Used to detect tampering with test results. Compare with currentChecksum to verify amendment integrity."
-        },
-        "statusMessage": {
-          "type": "string",
-          "description": "An explanation of the baseline status. Example: why it was skipped, failed to load, or any other status details."
-        },
-        "requirements": {
-          "type": "array",
-          "items": {
-            "$ref": "#/$defs/Evaluated_Requirement"
-          },
-          "minItems": 1,
-          "description": "The set of requirements including any findings. A baseline must have at least one requirement."
-        },
-        "groups": {
-          "type": "array",
-          "items": {
-            "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Requirement_Group"
-          },
-          "description": "A set of descriptions for the requirement groups."
-        },
-        "inputs": {
-          "type": "array",
-          "items": {
-            "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/parameter/v3.0.0#/$defs/Input"
-          },
-          "description": "Typed inputs used to parameterize this baseline at execution time. See the Input primitive for the full schema."
-        },
-        "extensions": {
-          "type": "object",
-          "additionalProperties": true,
-          "description": "Reserved for tool-specific baseline metadata not defined in the HDF standard."
-        }
-      },
-      "description": "Information on a baseline that was evaluated, including any findings.",
-      "title": "Evaluated Baseline"
-    },
-    "Evaluated_Requirement": {
-      "type": "object",
-      "unevaluatedProperties": false,
-      "required": [
-        "id",
-        "impact",
-        "tags",
-        "results",
-        "descriptions"
-      ],
-      "allOf": [
-        {
-          "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Requirement_Core"
-        }
-      ],
-      "properties": {
-        "descriptions": {
-          "type": "array",
-          "minItems": 1,
-          "items": {
-            "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.0.0#/$defs/Requirement_Description"
-          },
-          "contains": {
-            "type": "object",
-            "required": [
-              "label"
-            ],
-            "properties": {
-              "label": {
-                "const": "default"
-              }
-            }
-          },
-          "description": "Array of labeled descriptions. At least one description with label 'default' must be present. Convention: place default description first. Common labels: 'default', 'check', 'fix', 'rationale'."
-        },
-        "severity": {
-          "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Severity",
-          "description": "Explicit severity rating. Typically derived from impact score but provided explicitly for clarity."
-        },
-        "sourceLocation": {
-          "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Source_Location",
-          "description": "The explicit location of the requirement within the source code."
-        },
-        "results": {
-          "type": "array",
-          "minItems": 1,
-          "items": {
-            "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.0.0#/$defs/Requirement_Result"
-          },
-          "description": "The set of all tests within the requirement and their results."
-        },
-        "statusOverrides": {
-          "type": "array",
-          "items": {
-            "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.0.0#/$defs/Status_Override"
-          },
-          "description": "Chronological history of all status overrides applied to this requirement. Status overrides are intentional changes to the compliance status (waivers, attestations). Most recent override should be first in array. Preserves full audit trail."
-        },
-        "poams": {
-          "type": "array",
-          "items": {
-            "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.0.0#/$defs/POAM"
-          },
-          "description": "Plan of Action and Milestones for tracking remediation, mitigation, or risk acceptance. POAMs do NOT change effectiveStatus - they track the work being done to address a failure. Separate from statusOverrides which DO change status."
-        },
-        "effectiveStatus": {
-          "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.0.0#/$defs/Result_Status",
-          "description": "The current effective status of this requirement after applying the most recent non-expired override, or computed from results if no overrides exist."
-        },
-        "evidence": {
-          "type": "array",
-          "items": {
-            "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Evidence"
-          },
-          "description": "Supporting evidence for this requirement's findings, such as screenshots, code samples, or log excerpts."
-        }
-      },
-      "description": "A requirement that has been evaluated, including any findings.",
-      "title": "Evaluated Requirement"
-    }
-  }
-}

package/src/schemas/hdf-system.schema.json

@@ -1,136 +0,0 @@
-{
-  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://mitre.github.io/hdf-libs/schemas/hdf-system/v3.0.0",
-  "title": "HDF System",
-  "description": "Describes a system's authorization boundary, components, and interconnections. Maps to OSCAL SSP system-characteristics and FedRAMP system inventory.",
-  "type": "object",
-  "unevaluatedProperties": false,
-  "required": [
-    "name",
-    "components"
-  ],
-  "properties": {
-    "systemId": {
-      "type": "string",
-      "format": "uuid",
-      "description": "Stable UUID (RFC 4122) for this system. Enables cross-document correlation independent of file location. Optional in casual use, expected in production documents."
-    },
-    "owner": {
-      "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Identity",
-      "description": "Team or individual responsible for this system's authorization and compliance. Maps to OSCAL responsible-party with role 'system-owner'."
-    },
-    "name": {
-      "type": "string",
-      "description": "Human-readable system name. Example: 'Enterprise Portal Production'."
-    },
-    "identifier": {
-      "type": "string",
-      "description": "System identifier from an authoritative source. Example: eMASS system ID, FedRAMP package ID."
-    },
-    "identifierScheme": {
-      "type": "string",
-      "format": "uri-reference",
-      "description": "URI identifying the scheme of the system identifier. Example: 'https://emass.mil', 'https://fedramp.gov'."
-    },
-    "description": {
-      "type": "string",
-      "description": "Description of the system's purpose and mission."
-    },
-    "authorizationStatus": {
-      "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/system/v3.0.0#/$defs/Authorization_Status",
-      "description": "Current Authorization to Operate (ATO) status."
-    },
-    "authorizationDate": {
-      "type": "string",
-      "format": "date-time",
-      "description": "Date the current authorization status was granted. ISO 8601 format."
-    },
-    "categorizationLevel": {
-      "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/system/v3.0.0#/$defs/Categorization_Level",
-      "description": "FIPS 199 security categorization (impact level)."
-    },
-    "boundaryDescription": {
-      "type": "string",
-      "description": "Description of the system's authorization boundary. Example: network CIDR blocks, cloud VPC IDs, physical locations."
-    },
-    "components": {
-      "type": "array",
-      "minItems": 1,
-      "items": {
-        "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/component/v3.0.0#/$defs/Component"
-      },
-      "description": "System components within the authorization boundary. Uses the full polymorphic Component type with stable identity (componentId), external references, and SBOM support."
-    },
-    "controlDesignations": {
-      "type": "array",
-      "items": {
-        "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/system/v3.0.0#/$defs/Control_Designation"
-      },
-      "description": "Declares which controls are common, hybrid, or system-specific, and which component provides them. Maps to NIST SP 800-53 control designations and OSCAL leveraged-authorizations."
-    },
-    "dataFlows": {
-      "type": "array",
-      "items": {
-        "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/data-flow/v3.0.0#/$defs/Data_Flow"
-      },
-      "description": "Inter-component data flows describing how components communicate. Supports local, cross-system, and external flows. Replaces the interconnections[] field."
-    },
-    "labels": {
-      "type": "object",
-      "additionalProperties": {
-        "type": "string"
-      },
-      "description": "Optional key-value labels for grouping and querying systems."
-    },
-    "integrity": {
-      "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.0.0#/$defs/Integrity",
-      "description": "Cryptographic integrity information for verifying this system document has not been tampered with."
-    },
-    "version": {
-      "type": "string",
-      "description": "Version of this system document."
-    },
-    "generator": {
-      "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.0.0#/$defs/Generator",
-      "description": "Information about the tool that generated this system document."
-    }
-  },
-  "examples": [
-    {
-      "name": "Enterprise Portal Production",
-      "identifier": "SYS-2024-00142",
-      "identifierScheme": "https://emass.mil",
-      "authorizationStatus": "authorized",
-      "authorizationDate": "2025-06-15T00:00:00Z",
-      "categorizationLevel": "moderate",
-      "boundaryDescription": "All resources in prod VPC (10.0.0.0/16)",
-      "components": [
-        {
-          "name": "WebTier",
-          "type": "application",
-          "componentId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
-          "description": "RHEL 9 web servers running the portal",
-          "baselineRefs": ["RHEL9-STIG", "DISA-Container-STIG"],
-          "sbomRef": "https://artifacts.agency.gov/sbom/webtier-2026-03.cdx.json",
-          "sbomFormat": "cyclonedx"
-        },
-        {
-          "name": "DatabaseTier",
-          "type": "database",
-          "componentId": "11111111-2222-3333-4444-555555555555",
-          "baselineRefs": ["PostgreSQL-15-STIG"]
-        }
-      ],
-      "dataFlows": [
-        {
-          "from": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
-          "to": "11111111-2222-3333-4444-555555555555",
-          "protocol": "jdbc",
-          "port": 5432,
-          "direction": "unidirectional",
-          "description": "Web tier connects to database"
-        }
-      ]
-    }
-  ]
-}