@mitre/hdf-schema 3.0.1 → 3.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (47) hide show
  1. package/LICENSE.md +55 -0
  2. package/README.md +83 -40
  3. package/dist/go/hdf.go +148 -104
  4. package/dist/index.d.ts +26 -1
  5. package/dist/index.js +26 -1
  6. package/dist/schemas/hdf-amendments.schema.json +178 -53
  7. package/dist/schemas/hdf-baseline.schema.json +181 -56
  8. package/dist/schemas/hdf-comparison.schema.json +523 -108
  9. package/dist/schemas/hdf-evidence-package.schema.json +175 -50
  10. package/dist/schemas/hdf-plan.schema.json +181 -56
  11. package/dist/schemas/hdf-results.schema.json +502 -87
  12. package/dist/schemas/hdf-system.schema.json +190 -65
  13. package/dist/ts/hdf-amendments.d.ts +43 -15
  14. package/dist/ts/hdf-amendments.js +18 -7
  15. package/dist/ts/hdf-amendments.ts +44 -15
  16. package/dist/ts/hdf-results.d.ts +91 -37
  17. package/dist/ts/hdf-results.js +40 -20
  18. package/dist/ts/hdf-results.ts +91 -36
  19. package/package.json +44 -45
  20. package/dist/python/hdf_amendments.py +0 -695
  21. package/dist/python/hdf_baseline.py +0 -782
  22. package/dist/python/hdf_comparison.py +0 -1771
  23. package/dist/python/hdf_evidence_package.py +0 -593
  24. package/dist/python/hdf_plan.py +0 -363
  25. package/dist/python/hdf_results.py +0 -2163
  26. package/dist/python/hdf_system.py +0 -904
  27. package/src/schemas/hdf-amendments.schema.json +0 -97
  28. package/src/schemas/hdf-baseline.schema.json +0 -190
  29. package/src/schemas/hdf-comparison.schema.json +0 -107
  30. package/src/schemas/hdf-evidence-package.schema.json +0 -227
  31. package/src/schemas/hdf-plan.schema.json +0 -92
  32. package/src/schemas/hdf-results.schema.json +0 -304
  33. package/src/schemas/hdf-system.schema.json +0 -136
  34. package/src/schemas/primitives/amendments.schema.json +0 -155
  35. package/src/schemas/primitives/common.schema.json +0 -814
  36. package/src/schemas/primitives/comparison.schema.json +0 -809
  37. package/src/schemas/primitives/component.schema.json +0 -518
  38. package/src/schemas/primitives/data-flow.schema.json +0 -158
  39. package/src/schemas/primitives/extensions.schema.json +0 -342
  40. package/src/schemas/primitives/parameter.schema.json +0 -128
  41. package/src/schemas/primitives/plan.schema.json +0 -128
  42. package/src/schemas/primitives/platform.schema.json +0 -32
  43. package/src/schemas/primitives/result.schema.json +0 -133
  44. package/src/schemas/primitives/runner.schema.json +0 -83
  45. package/src/schemas/primitives/statistics.schema.json +0 -71
  46. package/src/schemas/primitives/system.schema.json +0 -132
  47. package/src/schemas/primitives/target.schema.json +0 -523
package/dist/schemas/hdf-comparison.schema.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "$schema": "https://json-schema.org/draft/2020-12/schema",
3
- "$id": "https://mitre.github.io/hdf-libs/schemas/hdf-comparison/v3.0.0",
3
+ "$id": "https://mitre.github.io/hdf-libs/schemas/hdf-comparison/v3.1.0",
4
4
  "type": "object",
5
5
  "unevaluatedProperties": false,
6
6
  "required": [
@@ -17,7 +17,7 @@
17
17
  "description": "Schema version for this comparison format."
18
18
  },
19
19
  "comparisonMode": {
20
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/comparison/v3.0.0#/$defs/Comparison_Mode",
20
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/comparison/v3.1.0#/$defs/Comparison_Mode",
21
21
  "description": "The mode of comparison being performed."
22
22
  },
23
23
  "timestamp": {
@@ -26,50 +26,50 @@
26
26
  "description": "When this comparison was performed."
27
27
  },
28
28
  "generator": {
29
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.0.0#/$defs/Generator",
29
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.1.0#/$defs/Generator",
30
30
  "description": "Information about the tool that generated this comparison."
31
31
  },
32
32
  "sources": {
33
33
  "type": "array",
34
34
  "minItems": 2,
35
35
  "items": {
36
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/comparison/v3.0.0#/$defs/Source"
36
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/comparison/v3.1.0#/$defs/Source"
37
37
  },
38
38
  "description": "The source documents being compared. At least two sources are required."
39
39
  },
40
40
  "matching": {
41
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/comparison/v3.0.0#/$defs/Matching_Config",
41
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/comparison/v3.1.0#/$defs/Matching_Config",
42
42
  "description": "Configuration for how requirements were matched across sources."
43
43
  },
44
44
  "summary": {
45
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/comparison/v3.0.0#/$defs/Comparison_Summary",
45
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/comparison/v3.1.0#/$defs/Comparison_Summary",
46
46
  "description": "Summary statistics for the overall comparison."
47
47
  },
48
48
  "baselineDiffs": {
49
49
  "type": "array",
50
50
  "items": {
51
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/comparison/v3.0.0#/$defs/Baseline_Diff"
51
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/comparison/v3.1.0#/$defs/Baseline_Diff"
52
52
  },
53
53
  "description": "Comparison of baselines between sources."
54
54
  },
55
55
  "requirementDiffs": {
56
56
  "type": "array",
57
57
  "items": {
58
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/comparison/v3.0.0#/$defs/Requirement_Diff"
58
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/comparison/v3.1.0#/$defs/Requirement_Diff"
59
59
  },
60
60
  "description": "Detailed comparison of individual requirements between sources."
61
61
  },
62
62
  "componentDiffs": {
63
63
  "type": "array",
64
64
  "items": {
65
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/comparison/v3.0.0#/$defs/Component_Diff"
65
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/comparison/v3.1.0#/$defs/Component_Diff"
66
66
  },
67
67
  "description": "Comparison of components between two system documents. Used in systemDrift mode."
68
68
  },
69
69
  "packageDiffs": {
70
70
  "type": "array",
71
71
  "items": {
72
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/comparison/v3.0.0#/$defs/Package_Diff"
72
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/comparison/v3.1.0#/$defs/Package_Diff"
73
73
  },
74
74
  "description": "Comparison of packages between two SBOMs. Used in systemDrift mode for SBOM comparison."
75
75
  },
@@ -81,19 +81,19 @@
81
81
  "drift": {
82
82
  "type": "array",
83
83
  "items": {
84
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/comparison/v3.0.0#/$defs/Requirement_Diff"
84
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/comparison/v3.1.0#/$defs/Requirement_Diff"
85
85
  },
86
86
  "description": "External/metadata changes separate from status changes (Terraform pattern)."
87
87
  },
88
88
  "annotations": {
89
89
  "type": "object",
90
90
  "additionalProperties": {
91
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/comparison/v3.0.0#/$defs/Annotation"
91
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/comparison/v3.1.0#/$defs/Annotation"
92
92
  },
93
93
  "description": "Map of annotation IDs to annotation objects, providing context or action items for requirement diffs."
94
94
  },
95
95
  "integrity": {
96
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.0.0#/$defs/Integrity",
96
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.1.0#/$defs/Integrity",
97
97
  "description": "Cryptographic integrity information for verifying this comparison document."
98
98
  },
99
99
  "extensions": {
@@ -105,9 +105,9 @@
105
105
  "description": "Structured comparison between two or more HDF security assessment documents. Supports temporal, baseline, fleet, and multi-source comparison modes.",
106
106
  "title": "HDF Comparison",
107
107
  "$defs": {
108
- "https://mitre.github.io/hdf-libs/schemas/primitives/comparison/v3.0.0": {
108
+ "https://mitre.github.io/hdf-libs/schemas/primitives/comparison/v3.1.0": {
109
109
  "$schema": "https://json-schema.org/draft/2020-12/schema",
110
- "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/comparison/v3.0.0",
110
+ "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/comparison/v3.1.0",
111
111
  "title": "HDF Comparison Primitives",
112
112
  "description": "Types for representing structured comparisons between HDF security assessment documents.",
113
113
  "$defs": {
@@ -276,7 +276,7 @@
276
276
  "description": "The original format of the source document before conversion to HDF."
277
277
  },
278
278
  "checksum": {
279
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Checksum",
279
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Checksum",
280
280
  "description": "Cryptographic checksum of the source document for integrity verification."
281
281
  },
282
282
  "assessmentTimestamp": {
@@ -285,13 +285,13 @@
285
285
  "description": "When the source assessment was performed. ISO 8601 format."
286
286
  },
287
287
  "tool": {
288
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.0.0#/$defs/Tool",
288
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.1.0#/$defs/Tool",
289
289
  "description": "The security tool that produced the assessment data in this source."
290
290
  },
291
291
  "components": {
292
292
  "type": "array",
293
293
  "items": {
294
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/component/v3.0.0#/$defs/Component"
294
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/component/v3.1.0#/$defs/Component"
295
295
  },
296
296
  "description": "The components assessed in this source."
297
297
  },
@@ -809,7 +809,7 @@
809
809
  "before": {
810
810
  "oneOf": [
811
811
  {
812
- "$ref": "https://mitre.github.io/hdf-libs/schemas/hdf-results/v3.0.0#/$defs/Evaluated_Requirement"
812
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/hdf-results/v3.1.0#/$defs/Evaluated_Requirement"
813
813
  },
814
814
  {
815
815
  "type": "null"
@@ -820,7 +820,7 @@
820
820
  "after": {
821
821
  "oneOf": [
822
822
  {
823
- "$ref": "https://mitre.github.io/hdf-libs/schemas/hdf-results/v3.0.0#/$defs/Evaluated_Requirement"
823
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/hdf-results/v3.1.0#/$defs/Evaluated_Requirement"
824
824
  },
825
825
  {
826
826
  "type": "null"
@@ -916,9 +916,9 @@
916
916
  }
917
917
  }
918
918
  },
919
- "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0": {
919
+ "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0": {
920
920
  "$schema": "https://json-schema.org/draft/2020-12/schema",
921
- "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0",
921
+ "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0",
922
922
  "title": "HDF Common Primitives",
923
923
  "description": "Shared building blocks used by hdf-results and hdf-baseline schemas.",
924
924
  "$defs": {
@@ -1734,9 +1734,9 @@
1734
1734
  }
1735
1735
  }
1736
1736
  },
1737
- "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.0.0": {
1737
+ "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.1.0": {
1738
1738
  "$schema": "https://json-schema.org/draft/2020-12/schema",
1739
- "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.0.0",
1739
+ "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.1.0",
1740
1740
  "title": "HDF Extension Primitives",
1741
1741
  "description": "Extension types for waivers, attestations, generators, and integrity.",
1742
1742
  "$defs": {
@@ -1745,52 +1745,67 @@
1745
1745
  "unevaluatedProperties": false,
1746
1746
  "required": [
1747
1747
  "type",
1748
- "status",
1749
1748
  "reason",
1750
1749
  "appliedBy",
1751
1750
  "appliedAt",
1752
1751
  "expiresAt"
1753
1752
  ],
1753
+ "anyOf": [
1754
+ {
1755
+ "required": [
1756
+ "status"
1757
+ ]
1758
+ },
1759
+ {
1760
+ "required": [
1761
+ "impact"
1762
+ ]
1763
+ }
1764
+ ],
1754
1765
  "properties": {
1755
1766
  "type": {
1756
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/amendments/v3.0.0#/$defs/Override_Type",
1757
- "description": "The type of status override applied to this requirement."
1767
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/amendments/v3.1.0#/$defs/Override_Type",
1768
+ "description": "The type of override applied to this requirement."
1758
1769
  },
1759
1770
  "status": {
1760
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.0.0#/$defs/Result_Status",
1761
- "description": "The new status this override sets for the requirement. This intentionally changes the compliance status."
1771
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.1.0#/$defs/Result_Status",
1772
+ "description": "The new status this override sets for the requirement. Optional when only impact is being overridden."
1773
+ },
1774
+ "impact": {
1775
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/amendments/v3.1.0#/$defs/Impact_Override",
1776
+ "description": "Override to the requirement's impact score. At least one of status or impact must be set."
1762
1777
  },
1763
1778
  "reason": {
1764
1779
  "type": "string",
1765
- "description": "Explanation for why this status override was applied."
1780
+ "description": "Explanation for why this override was applied."
1766
1781
  },
1767
1782
  "appliedBy": {
1768
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Identity",
1769
- "description": "Identity of who applied this status override. For simple cases, use type 'simple' with just an identifier."
1783
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Identity",
1784
+ "description": "Identity of who applied this override. For simple cases, use type 'simple' with just an identifier."
1770
1785
  },
1771
1786
  "appliedAt": {
1772
1787
  "type": "string",
1773
1788
  "format": "date-time",
1774
- "description": "Timestamp when this status override was applied. ISO 8601 format."
1789
+ "description": "Timestamp when this override was applied. ISO 8601 format."
1775
1790
  },
1776
1791
  "expiresAt": {
1777
1792
  "type": "string",
1778
1793
  "format": "date-time",
1779
- "description": "Timestamp when this status override expires and must be reviewed/renewed. REQUIRED - no permanent status overrides allowed. ISO 8601 format."
1794
+ "description": "Timestamp when this override expires and must be reviewed/renewed. REQUIRED - no permanent overrides allowed. ISO 8601 format."
1780
1795
  },
1781
1796
  "signature": {
1782
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Signature",
1797
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Signature",
1783
1798
  "description": "Optional digital signature for enhanced trust and non-repudiation. Supports hardware security tokens (PKCS#11/PKCS#12), Yubikeys, GPG keys, passkeys, and other signing methods."
1784
1799
  },
1785
1800
  "evidence": {
1786
1801
  "type": "array",
1787
1802
  "items": {
1788
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Evidence"
1803
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Evidence"
1789
1804
  },
1790
- "description": "Supporting evidence for this status override, such as screenshots demonstrating manual verification for attestations."
1805
+ "description": "Supporting evidence for this override, such as screenshots demonstrating manual verification for attestations."
1791
1806
  },
1792
1807
  "previousChecksum": {
1793
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Checksum",
1808
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Checksum",
1794
1809
  "description": "SHA-256 checksum of the previous amendment in chronological order. Creates a tamper-evident chain of amendments (similar to blockchain). Null for the first amendment on a requirement."
1795
1810
  }
1796
1811
  },
@@ -1806,6 +1821,41 @@
1806
1821
  "appliedAt": "2025-12-01T10:00:00Z",
1807
1822
  "expiresAt": "2026-12-01T00:00:00Z"
1808
1823
  },
1824
+ {
1825
+ "type": "riskAdjustment",
1826
+ "impact": {
1827
+ "value": 0.3
1828
+ },
1829
+ "reason": "CVE-123 is in a dead code path, unreachable from any entry point",
1830
+ "appliedBy": {
1831
+ "identifier": "dev@org.gov",
1832
+ "type": "email"
1833
+ },
1834
+ "appliedAt": "2026-04-14T10:00:00Z",
1835
+ "expiresAt": "2026-10-14T00:00:00Z"
1836
+ },
1837
+ {
1838
+ "type": "falsePositive",
1839
+ "status": "passed",
1840
+ "reason": "STIG check misidentified sshd_config syntax; manual review confirms compliant configuration",
1841
+ "appliedBy": {
1842
+ "identifier": "assessor@agency.gov",
1843
+ "type": "email"
1844
+ },
1845
+ "appliedAt": "2026-04-14T10:00:00Z",
1846
+ "expiresAt": "2026-10-14T00:00:00Z"
1847
+ },
1848
+ {
1849
+ "type": "falsePositive",
1850
+ "status": "notApplicable",
1851
+ "reason": "CVE scanner matched library signature but the vulnerable code path is not present — dependency compiled with affected module disabled",
1852
+ "appliedBy": {
1853
+ "identifier": "dev@org.gov",
1854
+ "type": "email"
1855
+ },
1856
+ "appliedAt": "2026-04-14T10:00:00Z",
1857
+ "expiresAt": "2026-10-14T00:00:00Z"
1858
+ },
1809
1859
  {
1810
1860
  "type": "attestation",
1811
1861
  "status": "passed",
@@ -1833,7 +1883,7 @@
1833
1883
  ]
1834
1884
  }
1835
1885
  ],
1836
- "description": "An intentional change to a requirement's compliance status (waiver or attestation). Status overrides change the effectiveStatus of the requirement. All status overrides must have an expiration date to enforce periodic review.",
1886
+ "description": "An intentional change to a requirement's compliance status and/or impact score. At least one of status or impact must be set. Overrides change the effectiveStatus or impact of the requirement. All overrides must have an expiration date to enforce periodic review.",
1837
1887
  "title": "Status Override"
1838
1888
  },
1839
1889
  "POAM": {
@@ -1851,16 +1901,17 @@
1851
1901
  "enum": [
1852
1902
  "remediation",
1853
1903
  "mitigation",
1854
- "riskAcceptance"
1904
+ "riskAcceptance",
1905
+ "vendorDependency"
1855
1906
  ],
1856
- "description": "The type of POA&M. 'remediation' fixes root cause. 'mitigation' reduces risk via compensating controls. 'riskAcceptance' documents decision to accept risk."
1907
+ "description": "The type of POA&M. 'remediation' fixes root cause. 'mitigation' reduces risk via compensating controls. 'riskAcceptance' documents decision to accept risk. 'vendorDependency' tracks a fix that depends on a vendor releasing a patch or update."
1857
1908
  },
1858
1909
  "explanation": {
1859
1910
  "type": "string",
1860
1911
  "description": "Detailed explanation of the plan, including what actions will be taken."
1861
1912
  },
1862
1913
  "appliedBy": {
1863
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Identity",
1914
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Identity",
1864
1915
  "description": "Identity of who created this POA&M. For simple cases, use type 'simple' with just an identifier."
1865
1916
  },
1866
1917
  "appliedAt": {
@@ -1876,23 +1927,23 @@
1876
1927
  "milestones": {
1877
1928
  "type": "array",
1878
1929
  "items": {
1879
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Milestone"
1930
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Milestone"
1880
1931
  },
1881
1932
  "description": "Optional array of milestones tracking progress toward completion."
1882
1933
  },
1883
1934
  "signature": {
1884
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Signature",
1935
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Signature",
1885
1936
  "description": "Optional digital signature for enhanced trust and non-repudiation."
1886
1937
  },
1887
1938
  "evidence": {
1888
1939
  "type": "array",
1889
1940
  "items": {
1890
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Evidence"
1941
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Evidence"
1891
1942
  },
1892
1943
  "description": "Supporting evidence for this POA&M, such as documentation of compensating controls or mitigation implementation."
1893
1944
  },
1894
1945
  "previousChecksum": {
1895
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Checksum",
1946
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Checksum",
1896
1947
  "description": "SHA-256 checksum of the previous amendment in chronological order. Creates a tamper-evident chain of amendments (similar to blockchain). Null for the first amendment on a requirement."
1897
1948
  }
1898
1949
  },
@@ -2043,7 +2094,7 @@
2043
2094
  },
2044
2095
  "properties": {
2045
2096
  "algorithm": {
2046
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Hash_Algorithm",
2097
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Hash_Algorithm",
2047
2098
  "description": "The hash algorithm used for the checksum."
2048
2099
  },
2049
2100
  "checksum": {
@@ -2076,36 +2127,66 @@
2076
2127
  }
2077
2128
  }
2078
2129
  },
2079
- "https://mitre.github.io/hdf-libs/schemas/primitives/amendments/v3.0.0": {
2130
+ "https://mitre.github.io/hdf-libs/schemas/primitives/amendments/v3.1.0": {
2080
2131
  "$schema": "https://json-schema.org/draft/2020-12/schema",
2081
- "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/amendments/v3.0.0",
2132
+ "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/amendments/v3.1.0",
2082
2133
  "title": "HDF Amendment Primitives",
2083
- "description": "Types for waivers, attestations, exceptions, and POA&Ms that modify requirement compliance status.",
2134
+ "description": "Types for waivers, attestations, and POA&Ms that modify requirement compliance status.",
2084
2135
  "$defs": {
2085
2136
  "Override_Type": {
2086
2137
  "type": "string",
2087
2138
  "enum": [
2088
2139
  "waiver",
2089
2140
  "attestation",
2090
- "exception",
2091
2141
  "poam",
2092
- "inherited"
2142
+ "inherited",
2143
+ "falsePositive",
2144
+ "riskAdjustment",
2145
+ "operationalRequirement"
2093
2146
  ],
2094
- "description": "The type of amendment. 'waiver': risk accepted (AO). 'attestation': manually verified (assessor). 'exception': not applicable (system owner + AO). 'poam': remediation tracked (no status change). 'inherited': control provided by another component or system (overrides to notApplicable/passed).",
2147
+ "description": "The type of amendment, aligned with FedRAMP deviation request categories. 'waiver': risk accepted by Authorizing Official. 'attestation': manually verified by assessor. 'poam': remediation tracked (no status change). 'inherited': control provided by another component or system. 'falsePositive': scanner incorrectly identified a finding — for compliance scans (STIG, CIS), the check actually passes, so status is typically set to 'passed'; for vulnerability scans (CVE, SCA), the flagged vulnerability does not apply to this system, so status is typically set to 'notApplicable'. The disposition field on the requirement distinguishes false positives from genuinely not-applicable findings. 'riskAdjustment': impact score adjusted based on environmental context (FedRAMP Risk Adjustment); does not change pass/fail status, only impact via the impact field. 'operationalRequirement': deviation required by operational constraints (FedRAMP Operational Requirement); the finding cannot be remediated because the system requires the affected functionality. Remains an open risk. Migration note: 'exception' was removed in v3.1.0 — use 'waiver' with status 'notApplicable' instead.",
2095
2148
  "title": "Override Type"
2096
2149
  },
2150
+ "Impact_Override": {
2151
+ "type": "object",
2152
+ "required": [
2153
+ "value"
2154
+ ],
2155
+ "unevaluatedProperties": false,
2156
+ "properties": {
2157
+ "value": {
2158
+ "type": "number",
2159
+ "minimum": 0,
2160
+ "maximum": 1,
2161
+ "description": "The overridden impact score (0.0–1.0)."
2162
+ }
2163
+ },
2164
+ "description": "An override to the requirement's impact score. The prior impact is the original result value or the preceding override in the chain.",
2165
+ "title": "Impact Override"
2166
+ },
2097
2167
  "Standalone_Override": {
2098
2168
  "type": "object",
2099
2169
  "unevaluatedProperties": false,
2100
2170
  "required": [
2101
2171
  "type",
2102
2172
  "requirementId",
2103
- "status",
2104
2173
  "reason",
2105
2174
  "appliedBy",
2106
2175
  "appliedAt",
2107
2176
  "expiresAt"
2108
2177
  ],
2178
+ "anyOf": [
2179
+ {
2180
+ "required": [
2181
+ "status"
2182
+ ]
2183
+ },
2184
+ {
2185
+ "required": [
2186
+ "impact"
2187
+ ]
2188
+ }
2189
+ ],
2109
2190
  "properties": {
2110
2191
  "type": {
2111
2192
  "$ref": "#/$defs/Override_Type",
@@ -2120,15 +2201,19 @@
2120
2201
  "description": "Name of the baseline containing the requirement. Required when the system has multiple baselines with potentially overlapping requirement IDs."
2121
2202
  },
2122
2203
  "status": {
2123
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.0.0#/$defs/Result_Status",
2124
- "description": "The new status this amendment sets. For POA&Ms, this is the current status (POA&Ms track work, they don't change status)."
2204
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.1.0#/$defs/Result_Status",
2205
+ "description": "The new status this amendment sets. Optional when only impact is being overridden."
2206
+ },
2207
+ "impact": {
2208
+ "$ref": "#/$defs/Impact_Override",
2209
+ "description": "Override to the requirement's impact score. At least one of status or impact must be set."
2125
2210
  },
2126
2211
  "reason": {
2127
2212
  "type": "string",
2128
2213
  "description": "Justification for this amendment."
2129
2214
  },
2130
2215
  "appliedBy": {
2131
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Identity",
2216
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Identity",
2132
2217
  "description": "Identity of who applied this amendment."
2133
2218
  },
2134
2219
  "appliedAt": {
@@ -2144,22 +2229,22 @@
2144
2229
  "evidence": {
2145
2230
  "type": "array",
2146
2231
  "items": {
2147
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Evidence"
2232
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Evidence"
2148
2233
  },
2149
2234
  "description": "Supporting evidence (screenshots, logs, URLs, documents)."
2150
2235
  },
2151
2236
  "signature": {
2152
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Signature",
2237
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Signature",
2153
2238
  "description": "Digital signature for non-repudiation."
2154
2239
  },
2155
2240
  "previousChecksum": {
2156
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Checksum",
2241
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Checksum",
2157
2242
  "description": "Checksum of the prior amendment in the chain. Creates a tamper-evident linked list. Null for the first amendment."
2158
2243
  },
2159
2244
  "milestones": {
2160
2245
  "type": "array",
2161
2246
  "items": {
2162
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Milestone"
2247
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Milestone"
2163
2248
  },
2164
2249
  "description": "Remediation milestones (primarily for POA&M type amendments)."
2165
2250
  },
@@ -2195,6 +2280,46 @@
2195
2280
  }
2196
2281
  ]
2197
2282
  },
2283
+ {
2284
+ "type": "falsePositive",
2285
+ "requirementId": "SV-258010",
2286
+ "baselineRef": "RHEL9-STIG",
2287
+ "status": "passed",
2288
+ "reason": "STIG check misidentified sshd_config syntax; manual review confirms compliant configuration",
2289
+ "appliedBy": {
2290
+ "type": "email",
2291
+ "identifier": "assessor@agency.gov"
2292
+ },
2293
+ "appliedAt": "2026-04-14T10:00:00Z",
2294
+ "expiresAt": "2026-10-14T00:00:00Z"
2295
+ },
2296
+ {
2297
+ "type": "falsePositive",
2298
+ "requirementId": "CVE-2026-12345",
2299
+ "status": "notApplicable",
2300
+ "reason": "CVE scanner matched library signature but the vulnerable code path is not present in our build — dependency is compiled with the affected module disabled",
2301
+ "appliedBy": {
2302
+ "type": "email",
2303
+ "identifier": "dev@org.gov"
2304
+ },
2305
+ "appliedAt": "2026-04-14T10:00:00Z",
2306
+ "expiresAt": "2026-10-14T00:00:00Z"
2307
+ },
2308
+ {
2309
+ "type": "riskAdjustment",
2310
+ "requirementId": "SV-258020",
2311
+ "baselineRef": "RHEL9-STIG",
2312
+ "impact": {
2313
+ "value": 0.3
2314
+ },
2315
+ "reason": "CVE-123 is in a dead code path, unreachable from any entry point",
2316
+ "appliedBy": {
2317
+ "type": "email",
2318
+ "identifier": "dev@org.gov"
2319
+ },
2320
+ "appliedAt": "2026-04-14T10:00:00Z",
2321
+ "expiresAt": "2026-10-14T00:00:00Z"
2322
+ },
2198
2323
  {
2199
2324
  "type": "poam",
2200
2325
  "requirementId": "SV-258001",
@@ -2235,14 +2360,14 @@
2235
2360
  "expiresAt": "2026-09-26T00:00:00Z"
2236
2361
  }
2237
2362
  ],
2238
- "description": "A standalone amendment that modifies a requirement's compliance status. Extends the inline Status_Override concept with requirementId and baselineRef for use outside of results documents.",
2363
+ "description": "A standalone amendment that modifies a requirement's compliance status and/or impact score. At least one of status or impact must be set. Extends the inline Override concept with requirementId and baselineRef for use outside of results documents.",
2239
2364
  "title": "Standalone Override"
2240
2365
  }
2241
2366
  }
2242
2367
  },
2243
- "https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.0.0": {
2368
+ "https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.1.0": {
2244
2369
  "$schema": "https://json-schema.org/draft/2020-12/schema",
2245
- "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.0.0",
2370
+ "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.1.0",
2246
2371
  "title": "HDF Result Primitives",
2247
2372
  "description": "Types for representing assessment results and statuses.",
2248
2373
  "$defs": {
@@ -2373,9 +2498,9 @@
2373
2498
  }
2374
2499
  }
2375
2500
  },
2376
- "https://mitre.github.io/hdf-libs/schemas/primitives/component/v3.0.0": {
2501
+ "https://mitre.github.io/hdf-libs/schemas/primitives/component/v3.1.0": {
2377
2502
  "$schema": "https://json-schema.org/draft/2020-12/schema",
2378
- "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/component/v3.0.0",
2503
+ "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/component/v3.1.0",
2379
2504
  "title": "HDF Component Primitives",
2380
2505
  "description": "First-class system component with identity, polymorphic type, SBOM embedding, and system-binding properties. Components are the successor to Targets, adding stable identity (componentId), external system cross-references, and software inventory.",
2381
2506
  "$defs": {
@@ -2405,7 +2530,7 @@
2405
2530
  "description": "Description of this component's role or purpose."
2406
2531
  },
2407
2532
  "owner": {
2408
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Identity",
2533
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Identity",
2409
2534
  "description": "Team or individual responsible for this component. Enables per-component ownership when different teams manage different parts of a system."
2410
2535
  },
2411
2536
  "externalIds": {
@@ -2449,12 +2574,12 @@
2449
2574
  "inputOverrides": {
2450
2575
  "type": "array",
2451
2576
  "items": {
2452
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/system/v3.0.0#/$defs/Input_Override"
2577
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/system/v3.1.0#/$defs/Input_Override"
2453
2578
  },
2454
2579
  "description": "System-specific overrides for baseline input values."
2455
2580
  },
2456
2581
  "targetSelector": {
2457
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/system/v3.0.0#/$defs/Target_Selector",
2582
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/system/v3.1.0#/$defs/Target_Selector",
2458
2583
  "description": "Label selector to match targets belonging to this component during migration. Targets with matching labels are automatically included."
2459
2584
  }
2460
2585
  },
@@ -2774,7 +2899,7 @@
2774
2899
  "const": "cloudAccount"
2775
2900
  },
2776
2901
  "provider": {
2777
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Cloud_Provider",
2902
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Cloud_Provider",
2778
2903
  "description": "Cloud provider."
2779
2904
  },
2780
2905
  "accountId": {
@@ -2813,7 +2938,7 @@
2813
2938
  "const": "cloudResource"
2814
2939
  },
2815
2940
  "provider": {
2816
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Cloud_Provider",
2941
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Cloud_Provider",
2817
2942
  "description": "Cloud provider."
2818
2943
  },
2819
2944
  "resourceType": {
@@ -2993,9 +3118,9 @@
2993
3118
  }
2994
3119
  }
2995
3120
  },
2996
- "https://mitre.github.io/hdf-libs/schemas/primitives/system/v3.0.0": {
3121
+ "https://mitre.github.io/hdf-libs/schemas/primitives/system/v3.1.0": {
2997
3122
  "$schema": "https://json-schema.org/draft/2020-12/schema",
2998
- "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/system/v3.0.0",
3123
+ "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/system/v3.1.0",
2999
3124
  "title": "HDF System Primitives",
3000
3125
  "description": "Types for describing system architecture, authorization boundaries, and components.",
3001
3126
  "$defs": {
@@ -3046,7 +3171,7 @@
3046
3171
  "description": "Rationale for why this override is needed."
3047
3172
  },
3048
3173
  "approvedBy": {
3049
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Identity",
3174
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Identity",
3050
3175
  "description": "Identity of the person or system that approved this override."
3051
3176
  }
3052
3177
  },
@@ -3127,9 +3252,9 @@
3127
3252
  }
3128
3253
  }
3129
3254
  },
3130
- "https://mitre.github.io/hdf-libs/schemas/hdf-results/v3.0.0": {
3255
+ "https://mitre.github.io/hdf-libs/schemas/hdf-results/v3.1.0": {
3131
3256
  "$schema": "https://json-schema.org/draft/2020-12/schema",
3132
- "$id": "https://mitre.github.io/hdf-libs/schemas/hdf-results/v3.0.0",
3257
+ "$id": "https://mitre.github.io/hdf-libs/schemas/hdf-results/v3.1.0",
3133
3258
  "type": "object",
3134
3259
  "unevaluatedProperties": false,
3135
3260
  "required": [
@@ -3149,7 +3274,7 @@
3149
3274
  "components": {
3150
3275
  "type": "array",
3151
3276
  "items": {
3152
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/component/v3.0.0#/$defs/Component"
3277
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/component/v3.1.0#/$defs/Component"
3153
3278
  },
3154
3279
  "description": "The components that were assessed. Each component describes a system element (host, container, cloud resource, application, etc.) with optional identity, SBOM, and external references."
3155
3280
  },
@@ -3161,27 +3286,27 @@
3161
3286
  "description": "Information on the baselines that were evaluated, including findings."
3162
3287
  },
3163
3288
  "statistics": {
3164
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/statistics/v3.0.0#/$defs/Statistics",
3289
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/statistics/v3.1.0#/$defs/Statistics",
3165
3290
  "description": "Statistics for the assessment run, including duration and result counts."
3166
3291
  },
3167
3292
  "generator": {
3168
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.0.0#/$defs/Generator",
3293
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.1.0#/$defs/Generator",
3169
3294
  "description": "Information about the tool that generated this file."
3170
3295
  },
3171
3296
  "tool": {
3172
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.0.0#/$defs/Tool",
3297
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.1.0#/$defs/Tool",
3173
3298
  "description": "The security tool that produced the assessment data in this file."
3174
3299
  },
3175
3300
  "integrity": {
3176
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.0.0#/$defs/Integrity",
3301
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.1.0#/$defs/Integrity",
3177
3302
  "description": "Cryptographic integrity information for verifying this file."
3178
3303
  },
3179
3304
  "runner": {
3180
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/runner/v3.0.0#/$defs/Runner",
3305
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/runner/v3.1.0#/$defs/Runner",
3181
3306
  "description": "Information about the test execution environment where the security tool was run. Distinct from targets (what is being tested)."
3182
3307
  },
3183
3308
  "remediation": {
3184
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Remediation",
3309
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Remediation",
3185
3310
  "description": "Optional reference to automated remediation resources (Ansible playbooks, Terraform scripts, etc.) for fixing failing requirements found in this assessment."
3186
3311
  },
3187
3312
  "systemRef": {
@@ -3289,14 +3414,14 @@
3289
3414
  ],
3290
3415
  "allOf": [
3291
3416
  {
3292
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Baseline_Metadata"
3417
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Baseline_Metadata"
3293
3418
  }
3294
3419
  ],
3295
3420
  "properties": {
3296
3421
  "depends": {
3297
3422
  "type": "array",
3298
3423
  "items": {
3299
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Dependency"
3424
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Dependency"
3300
3425
  },
3301
3426
  "description": "The set of dependencies this baseline depends on."
3302
3427
  },
@@ -3309,15 +3434,15 @@
3309
3434
  "description": "The description - should be more detailed than the summary."
3310
3435
  },
3311
3436
  "integrity": {
3312
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.0.0#/$defs/Integrity",
3437
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.1.0#/$defs/Integrity",
3313
3438
  "description": "Cryptographic integrity information for verifying this baseline has not been tampered with."
3314
3439
  },
3315
3440
  "originalChecksum": {
3316
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Checksum",
3441
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Checksum",
3317
3442
  "description": "SHA-256 checksum of the original baseline definition file (before execution). This is an immutable reference to the baseline as defined, used to detect tampering with baseline requirements or metadata."
3318
3443
  },
3319
3444
  "resultsChecksum": {
3320
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Checksum",
3445
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Checksum",
3321
3446
  "description": "SHA-256 checksum of the raw results before any amendments (statusOverrides or POAMs). Used to detect tampering with test results. Compare with currentChecksum to verify amendment integrity."
3322
3447
  },
3323
3448
  "statusMessage": {
@@ -3335,14 +3460,14 @@
3335
3460
  "groups": {
3336
3461
  "type": "array",
3337
3462
  "items": {
3338
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Requirement_Group"
3463
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Requirement_Group"
3339
3464
  },
3340
3465
  "description": "A set of descriptions for the requirement groups."
3341
3466
  },
3342
3467
  "inputs": {
3343
3468
  "type": "array",
3344
3469
  "items": {
3345
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/parameter/v3.0.0#/$defs/Input"
3470
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/parameter/v3.1.0#/$defs/Input"
3346
3471
  },
3347
3472
  "description": "Typed inputs used to parameterize this baseline at execution time. See the Input primitive for the full schema."
3348
3473
  },
@@ -3367,7 +3492,7 @@
3367
3492
  ],
3368
3493
  "allOf": [
3369
3494
  {
3370
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Requirement_Core"
3495
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Requirement_Core"
3371
3496
  }
3372
3497
  ],
3373
3498
  "properties": {
@@ -3375,7 +3500,7 @@
3375
3500
  "type": "array",
3376
3501
  "minItems": 1,
3377
3502
  "items": {
3378
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.0.0#/$defs/Requirement_Description"
3503
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.1.0#/$defs/Requirement_Description"
3379
3504
  },
3380
3505
  "contains": {
3381
3506
  "type": "object",
@@ -3391,55 +3516,345 @@
3391
3516
  "description": "Array of labeled descriptions. At least one description with label 'default' must be present. Convention: place default description first. Common labels: 'default', 'check', 'fix', 'rationale'."
3392
3517
  },
3393
3518
  "severity": {
3394
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Severity",
3519
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Severity",
3395
3520
  "description": "Explicit severity rating. Typically derived from impact score but provided explicitly for clarity."
3396
3521
  },
3397
3522
  "sourceLocation": {
3398
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Source_Location",
3523
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Source_Location",
3399
3524
  "description": "The explicit location of the requirement within the source code."
3400
3525
  },
3401
3526
  "results": {
3402
3527
  "type": "array",
3403
3528
  "minItems": 1,
3404
3529
  "items": {
3405
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.0.0#/$defs/Requirement_Result"
3530
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.1.0#/$defs/Requirement_Result"
3406
3531
  },
3407
3532
  "description": "The set of all tests within the requirement and their results."
3408
3533
  },
3409
3534
  "statusOverrides": {
3410
3535
  "type": "array",
3411
3536
  "items": {
3412
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.0.0#/$defs/Status_Override"
3537
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.1.0#/$defs/Status_Override"
3413
3538
  },
3414
- "description": "Chronological history of all status overrides applied to this requirement. Status overrides are intentional changes to the compliance status (waivers, attestations). Most recent override should be first in array. Preserves full audit trail."
3539
+ "description": "Chronological history of all overrides applied to this requirement. Overrides are intentional changes to the compliance status and/or impact score (waivers, attestations, false positives, risk adjustments). Most recent override should be first in array. Preserves full audit trail."
3415
3540
  },
3416
3541
  "poams": {
3417
3542
  "type": "array",
3418
3543
  "items": {
3419
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.0.0#/$defs/POAM"
3544
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.1.0#/$defs/POAM"
3420
3545
  },
3421
3546
  "description": "Plan of Action and Milestones for tracking remediation, mitigation, or risk acceptance. POAMs do NOT change effectiveStatus - they track the work being done to address a failure. Separate from statusOverrides which DO change status."
3422
3547
  },
3423
3548
  "effectiveStatus": {
3424
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.0.0#/$defs/Result_Status",
3425
- "description": "The current effective status of this requirement after applying the most recent non-expired override, or computed from results if no overrides exist."
3549
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.1.0#/$defs/Result_Status",
3550
+ "description": "The current effective compliance status of this requirement after applying the most recent non-expired override with a status field, or computed from results (worst-wins) if no status-bearing overrides exist."
3551
+ },
3552
+ "effectiveImpact": {
3553
+ "type": "number",
3554
+ "minimum": 0,
3555
+ "maximum": 1,
3556
+ "description": "The current effective impact score (0.0–1.0) after applying the most recent non-expired override with an impact field. Absent when no impact overrides apply; consumers should use the requirement's impact field in that case."
3557
+ },
3558
+ "disposition": {
3559
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/amendments/v3.1.0#/$defs/Override_Type",
3560
+ "description": "The type of the most recent non-expired override or POAM governing this requirement. Indicates why the requirement is in its current state (e.g., waiver, falsePositive, riskAdjustment) or what remediation is being tracked (poam). Absent when no overrides or POAMs apply."
3426
3561
  },
3427
3562
  "evidence": {
3428
3563
  "type": "array",
3429
3564
  "items": {
3430
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Evidence"
3565
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Evidence"
3431
3566
  },
3432
3567
  "description": "Supporting evidence for this requirement's findings, such as screenshots, code samples, or log excerpts."
3433
3568
  }
3434
3569
  },
3570
+ "examples": [
3571
+ {
3572
+ "$comment": "Passing requirement — no overrides, no disposition",
3573
+ "id": "SV-230222",
3574
+ "title": "RHEL 9 must use SSH protocol version 2",
3575
+ "impact": 0.7,
3576
+ "tags": {
3577
+ "nist": [
3578
+ "SC-8"
3579
+ ]
3580
+ },
3581
+ "descriptions": [
3582
+ {
3583
+ "label": "default",
3584
+ "data": "SSH must use protocol version 2."
3585
+ }
3586
+ ],
3587
+ "results": [
3588
+ {
3589
+ "status": "passed",
3590
+ "codeDesc": "sshd_config Protocol is expected to eq 2",
3591
+ "startTime": "2026-01-15T10:00:00Z"
3592
+ }
3593
+ ],
3594
+ "effectiveStatus": "passed"
3595
+ },
3596
+ {
3597
+ "$comment": "Waiver — AO accepted risk, status overridden to passed",
3598
+ "id": "SV-230300",
3599
+ "title": "RHEL 9 must enforce password complexity",
3600
+ "impact": 0.5,
3601
+ "tags": {
3602
+ "nist": [
3603
+ "IA-5 (1)"
3604
+ ]
3605
+ },
3606
+ "descriptions": [
3607
+ {
3608
+ "label": "default",
3609
+ "data": "Passwords must meet complexity requirements."
3610
+ }
3611
+ ],
3612
+ "results": [
3613
+ {
3614
+ "status": "failed",
3615
+ "codeDesc": "pwquality.conf minlen is expected to be >= 15",
3616
+ "startTime": "2026-01-15T10:00:00Z",
3617
+ "message": "expected 8 to be >= 15"
3618
+ }
3619
+ ],
3620
+ "statusOverrides": [
3621
+ {
3622
+ "type": "waiver",
3623
+ "status": "passed",
3624
+ "reason": "Compensating control: PIV/CAC smart card authentication enforced for all users, password login disabled",
3625
+ "appliedBy": {
3626
+ "type": "email",
3627
+ "identifier": "ao@agency.gov"
3628
+ },
3629
+ "appliedAt": "2026-01-20T10:00:00Z",
3630
+ "expiresAt": "2026-07-20T00:00:00Z"
3631
+ }
3632
+ ],
3633
+ "effectiveStatus": "passed",
3634
+ "disposition": "waiver"
3635
+ },
3636
+ {
3637
+ "$comment": "False positive (compliance scan) — STIG check was wrong, requirement actually passes",
3638
+ "id": "SV-230410",
3639
+ "title": "RHEL 9 must have sshd PermitRootLogin disabled",
3640
+ "impact": 0.7,
3641
+ "tags": {
3642
+ "nist": [
3643
+ "AC-6"
3644
+ ]
3645
+ },
3646
+ "descriptions": [
3647
+ {
3648
+ "label": "default",
3649
+ "data": "Direct root login via SSH must be disabled."
3650
+ }
3651
+ ],
3652
+ "results": [
3653
+ {
3654
+ "status": "failed",
3655
+ "codeDesc": "sshd_config PermitRootLogin is expected to eq 'no'",
3656
+ "startTime": "2026-01-15T10:00:00Z",
3657
+ "message": "expected 'prohibit-password' to eq 'no'"
3658
+ }
3659
+ ],
3660
+ "statusOverrides": [
3661
+ {
3662
+ "type": "falsePositive",
3663
+ "status": "passed",
3664
+ "reason": "Scanner requires literal 'no' but 'prohibit-password' is equally restrictive (disables password-based root login). Manual review confirms root cannot authenticate via SSH.",
3665
+ "appliedBy": {
3666
+ "type": "email",
3667
+ "identifier": "assessor@agency.gov"
3668
+ },
3669
+ "appliedAt": "2026-01-16T14:00:00Z",
3670
+ "expiresAt": "2026-07-16T00:00:00Z"
3671
+ }
3672
+ ],
3673
+ "effectiveStatus": "passed",
3674
+ "disposition": "falsePositive"
3675
+ },
3676
+ {
3677
+ "$comment": "False positive (CVE scan) — vulnerability does not apply to this build",
3678
+ "id": "CVE-2026-12345",
3679
+ "title": "libxml2 buffer overflow in xmlParseEntityDecl",
3680
+ "impact": 0.9,
3681
+ "tags": {
3682
+ "nist": [
3683
+ "SI-2",
3684
+ "RA-5"
3685
+ ]
3686
+ },
3687
+ "descriptions": [
3688
+ {
3689
+ "label": "default",
3690
+ "data": "Buffer overflow in libxml2 entity parsing allows remote code execution."
3691
+ }
3692
+ ],
3693
+ "results": [
3694
+ {
3695
+ "status": "failed",
3696
+ "codeDesc": "libxml2 >= 2.9.0 is expected to be patched for CVE-2026-12345",
3697
+ "startTime": "2026-01-15T10:00:00Z"
3698
+ }
3699
+ ],
3700
+ "statusOverrides": [
3701
+ {
3702
+ "type": "falsePositive",
3703
+ "status": "notApplicable",
3704
+ "reason": "CVE scanner matched libxml2 version signature, but the vulnerable entity parsing module is compiled out of our build (--without-legacy flag). The affected code path does not exist in the binary.",
3705
+ "appliedBy": {
3706
+ "type": "email",
3707
+ "identifier": "dev@org.gov"
3708
+ },
3709
+ "appliedAt": "2026-01-16T09:00:00Z",
3710
+ "expiresAt": "2026-07-16T00:00:00Z"
3711
+ }
3712
+ ],
3713
+ "effectiveStatus": "notApplicable",
3714
+ "disposition": "falsePositive"
3715
+ },
3716
+ {
3717
+ "$comment": "Risk adjustment — impact lowered, pass/fail unchanged",
3718
+ "id": "CVE-2026-67890",
3719
+ "title": "OpenSSL timing side-channel in RSA decryption",
3720
+ "impact": 0.7,
3721
+ "tags": {
3722
+ "nist": [
3723
+ "SI-2",
3724
+ "RA-5"
3725
+ ]
3726
+ },
3727
+ "descriptions": [
3728
+ {
3729
+ "label": "default",
3730
+ "data": "Timing side-channel may allow RSA private key recovery."
3731
+ }
3732
+ ],
3733
+ "results": [
3734
+ {
3735
+ "status": "failed",
3736
+ "codeDesc": "openssl >= 3.1.0 is expected to be patched for CVE-2026-67890",
3737
+ "startTime": "2026-01-15T10:00:00Z"
3738
+ }
3739
+ ],
3740
+ "statusOverrides": [
3741
+ {
3742
+ "type": "riskAdjustment",
3743
+ "impact": {
3744
+ "value": 0.3
3745
+ },
3746
+ "reason": "The RSA key exchange path is unreachable in our deployment — all TLS connections use ECDHE. Attack requires local network access to the TLS terminator, which is in an isolated VLAN.",
3747
+ "appliedBy": {
3748
+ "type": "email",
3749
+ "identifier": "security-architect@org.gov"
3750
+ },
3751
+ "appliedAt": "2026-01-17T10:00:00Z",
3752
+ "expiresAt": "2026-07-17T00:00:00Z"
3753
+ }
3754
+ ],
3755
+ "effectiveStatus": "failed",
3756
+ "effectiveImpact": 0.3,
3757
+ "disposition": "riskAdjustment"
3758
+ },
3759
+ {
3760
+ "$comment": "Operational requirement — cannot remediate, remains open risk",
3761
+ "id": "SV-230500",
3762
+ "title": "RHEL 9 must disable USB mass storage",
3763
+ "impact": 0.5,
3764
+ "tags": {
3765
+ "nist": [
3766
+ "MP-7"
3767
+ ]
3768
+ },
3769
+ "descriptions": [
3770
+ {
3771
+ "label": "default",
3772
+ "data": "USB mass storage kernel module must be disabled."
3773
+ }
3774
+ ],
3775
+ "results": [
3776
+ {
3777
+ "status": "failed",
3778
+ "codeDesc": "Kernel module 'usb-storage' is expected to be disabled",
3779
+ "startTime": "2026-01-15T10:00:00Z",
3780
+ "message": "usb-storage module is loaded"
3781
+ }
3782
+ ],
3783
+ "statusOverrides": [
3784
+ {
3785
+ "type": "operationalRequirement",
3786
+ "status": "failed",
3787
+ "reason": "Air-gapped system requires USB transfer for classified data ingestion per operational procedure OP-2026-003. Compensating controls: USB ports are physically secured, all transfers are logged and require two-person integrity.",
3788
+ "appliedBy": {
3789
+ "type": "email",
3790
+ "identifier": "system-owner@agency.gov"
3791
+ },
3792
+ "appliedAt": "2026-01-20T10:00:00Z",
3793
+ "expiresAt": "2026-07-20T00:00:00Z"
3794
+ }
3795
+ ],
3796
+ "effectiveStatus": "failed",
3797
+ "disposition": "operationalRequirement"
3798
+ },
3799
+ {
3800
+ "$comment": "POAM — remediation tracked, status unchanged",
3801
+ "id": "SV-230350",
3802
+ "title": "RHEL 9 must be patched within 30 days of release",
3803
+ "impact": 0.7,
3804
+ "tags": {
3805
+ "nist": [
3806
+ "SI-2"
3807
+ ]
3808
+ },
3809
+ "descriptions": [
3810
+ {
3811
+ "label": "default",
3812
+ "data": "Security patches must be applied within 30 days."
3813
+ }
3814
+ ],
3815
+ "results": [
3816
+ {
3817
+ "status": "failed",
3818
+ "codeDesc": "Package updates are expected to be current within 30 days",
3819
+ "startTime": "2026-01-15T10:00:00Z",
3820
+ "message": "15 packages have patches older than 30 days"
3821
+ }
3822
+ ],
3823
+ "poams": [
3824
+ {
3825
+ "type": "remediation",
3826
+ "explanation": "Patch deployment blocked by vendor compatibility testing. Vendor confirmed fix for Q2 2026.",
3827
+ "appliedBy": {
3828
+ "type": "email",
3829
+ "identifier": "ops@agency.gov"
3830
+ },
3831
+ "appliedAt": "2026-01-20T10:00:00Z",
3832
+ "milestones": [
3833
+ {
3834
+ "description": "Vendor releases compatible patch",
3835
+ "estimatedCompletion": "2026-04-01T00:00:00Z",
3836
+ "status": "pending"
3837
+ },
3838
+ {
3839
+ "description": "Deploy to production",
3840
+ "estimatedCompletion": "2026-04-15T00:00:00Z",
3841
+ "status": "pending"
3842
+ }
3843
+ ]
3844
+ }
3845
+ ],
3846
+ "effectiveStatus": "failed",
3847
+ "disposition": "poam"
3848
+ }
3849
+ ],
3435
3850
  "description": "A requirement that has been evaluated, including any findings.",
3436
3851
  "title": "Evaluated Requirement"
3437
3852
  }
3438
3853
  }
3439
3854
  },
3440
- "https://mitre.github.io/hdf-libs/schemas/primitives/statistics/v3.0.0": {
3855
+ "https://mitre.github.io/hdf-libs/schemas/primitives/statistics/v3.1.0": {
3441
3856
  "$schema": "https://json-schema.org/draft/2020-12/schema",
3442
- "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/statistics/v3.0.0",
3857
+ "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/statistics/v3.1.0",
3443
3858
  "title": "HDF Statistics Primitives",
3444
3859
  "description": "Statistics types for tracking assessment run metrics.",
3445
3860
  "$defs": {
@@ -3508,9 +3923,9 @@
3508
3923
  }
3509
3924
  }
3510
3925
  },
3511
- "https://mitre.github.io/hdf-libs/schemas/primitives/runner/v3.0.0": {
3926
+ "https://mitre.github.io/hdf-libs/schemas/primitives/runner/v3.1.0": {
3512
3927
  "$schema": "https://json-schema.org/draft/2020-12/schema",
3513
- "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/runner/v3.0.0",
3928
+ "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/runner/v3.1.0",
3514
3929
  "title": "HDF Runner Primitive",
3515
3930
  "description": "Information about the test execution environment where the security tool/scanner was executed.",
3516
3931
  "$defs": {
@@ -3546,7 +3961,7 @@
3546
3961
  "description": "The container instance identifier. Example: 'a1b2c3d4e5f6', 'security-scan-job-xyz123'. Can be a Docker container ID, Kubernetes pod name, or other container runtime identifier."
3547
3962
  },
3548
3963
  "operator": {
3549
- "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.0.0#/$defs/Identity",
3964
+ "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Identity",
3550
3965
  "description": "The identity of the person or system responsible for executing the test. This could be a human auditor manually completing a checklist, an automated CI/CD system, or a security tool. Optional field to support both automated and manual HDF generation."
3551
3966
  }
3552
3967
  },
@@ -3593,9 +4008,9 @@
3593
4008
  }
3594
4009
  }
3595
4010
  },
3596
- "https://mitre.github.io/hdf-libs/schemas/primitives/parameter/v3.0.0": {
4011
+ "https://mitre.github.io/hdf-libs/schemas/primitives/parameter/v3.1.0": {
3597
4012
  "$schema": "https://json-schema.org/draft/2020-12/schema",
3598
- "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/parameter/v3.0.0",
4013
+ "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/parameter/v3.1.0",
3599
4014
  "title": "HDF Parameter Primitives",
3600
4015
  "description": "Input/parameter type definitions for typed, traceable configuration values that bridge governance prose and scanner automation.",
3601
4016
  "$defs": {