@mitre/hdf-schema 3.1.0-rc.1 → 3.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +8 -1
- package/dist/go/go.mod +2 -2
- package/dist/go/hdf.go +172 -76
- package/dist/helpers.d.ts +4 -0
- package/dist/index.js +21 -21
- package/dist/schemas/hdf-amendments.schema.json +134 -35
- package/dist/schemas/hdf-baseline.schema.json +139 -40
- package/dist/schemas/hdf-comparison.schema.json +190 -91
- package/dist/schemas/hdf-evidence-package.schema.json +133 -34
- package/dist/schemas/hdf-plan.schema.json +139 -40
- package/dist/schemas/hdf-results.schema.json +169 -70
- package/dist/schemas/hdf-system.schema.json +148 -49
- package/dist/ts/hdf-baseline.d.ts +79 -2
- package/dist/ts/hdf-baseline.js +52 -0
- package/dist/ts/hdf-baseline.ts +82 -2
- package/dist/ts/hdf-results.d.ts +79 -2
- package/dist/ts/hdf-results.js +52 -0
- package/dist/ts/hdf-results.ts +82 -2
- package/package.json +2 -2
package/README.md
CHANGED
|
@@ -105,7 +105,7 @@ function processResults(results: HdfResults) {
|
|
|
105
105
|
### Using Generated Types (Go)
|
|
106
106
|
|
|
107
107
|
```go
|
|
108
|
-
import hdf "github.com/mitre/hdf-libs/hdf-schema/dist/go"
|
|
108
|
+
import hdf "github.com/mitre/hdf-libs/hdf-schema/dist/go/v3"
|
|
109
109
|
|
|
110
110
|
func main() {
|
|
111
111
|
data := []byte(`{"baselines": [...]}`)
|
|
@@ -188,6 +188,13 @@ All schemas use **JSON Schema draft/2020-12**.
|
|
|
188
188
|
Interactive schema reference documentation is published at:
|
|
189
189
|
**<https://mitre.github.io/hdf-libs/schemas/>**
|
|
190
190
|
|
|
191
|
+
### What's new in v3.2.0
|
|
192
|
+
|
|
193
|
+
- **`controlType`** field on `Requirement_Core` — optional enum (`policy | procedure | technical | management | operational`) aligning with NIST SP 800-53 / SP 800-53A categories. Replaces heuristic derivation from family conventions.
|
|
194
|
+
- **`verificationMethod`** field on `Requirement_Core` — optional enum (`automated | manual-by-design | manual-pending-automation | hybrid`) disambiguating the two cases that null `code` overloaded: inherently manual vs. automation-could-exist-but-doesn't-yet.
|
|
195
|
+
- **`applicability`** field on `Requirement_Core` — optional enum (`required | optional | advisory`) providing a uniform expression for what FedRAMP `CORE` props, FedRAMP 20x `Optional:` markers, CIS Implementation Groups, and CMMC sublevels each encode incompatibly today.
|
|
196
|
+
- **All three fields are optional and additive.** v3.1.x documents validate cleanly under v3.2.0.
|
|
197
|
+
|
|
191
198
|
### What's new in v3.1.0
|
|
192
199
|
|
|
193
200
|
- **`disposition`** field on `EvaluatedRequirement` — the type of the governing override or POAM (e.g., `waiver`, `falsePositive`, `riskAdjustment`). Indicates why a requirement is in its current state.
|
package/dist/go/go.mod
CHANGED
package/dist/go/hdf.go
CHANGED
|
@@ -338,56 +338,78 @@ type Checksum struct {
|
|
|
338
338
|
// Core requirement fields shared between baseline requirements and evaluated requirements.
|
|
339
339
|
// Contains the fundamental requirement definition without assessment results.
|
|
340
340
|
type EvaluatedRequirement struct {
|
|
341
|
-
// Array of labeled descriptions. At least one description with label 'default' must be
|
|
342
|
-
// present. Convention: place default description first. Common labels: 'default', 'check',
|
|
343
|
-
// 'fix', 'rationale'.
|
|
344
|
-
Descriptions []Description
|
|
345
|
-
// The type of the most recent non-expired override or POAM governing this requirement.
|
|
346
|
-
// Indicates why the requirement is in its current state (e.g., waiver, falsePositive,
|
|
347
|
-
// riskAdjustment) or what remediation is being tracked (poam). Absent when no overrides or
|
|
348
|
-
// POAMs apply.
|
|
349
|
-
Disposition *OverrideType
|
|
350
|
-
// The current effective impact score (0.0–1.0) after applying the most recent non-expired
|
|
351
|
-
// override with an impact field. Absent when no impact overrides apply; consumers should
|
|
352
|
-
// use the requirement's impact field in that case.
|
|
353
|
-
EffectiveImpact *float64
|
|
354
|
-
// The current effective compliance status of this requirement after applying the most
|
|
355
|
-
// recent non-expired override with a status field, or computed from results (worst-wins) if
|
|
356
|
-
// no status-bearing overrides exist.
|
|
357
|
-
EffectiveStatus *ResultStatus
|
|
358
|
-
// Supporting evidence for this requirement's findings, such as screenshots, code samples,
|
|
359
|
-
// or log excerpts.
|
|
360
|
-
Evidence []Evidence
|
|
361
|
-
// Plan of Action and Milestones for tracking remediation, mitigation, or risk acceptance.
|
|
362
|
-
// POAMs do NOT change effectiveStatus - they track the work being done to address a
|
|
363
|
-
// failure. Separate from statusOverrides which DO change status.
|
|
364
|
-
Poams []PoamElement
|
|
365
|
-
// The set of all tests within the requirement and their results.
|
|
366
|
-
Results []RequirementResult
|
|
367
|
-
// Explicit severity rating. Typically derived from impact score but provided explicitly for
|
|
368
|
-
// clarity.
|
|
369
|
-
Severity *Severity
|
|
370
|
-
// The explicit location of the requirement within the source code.
|
|
371
|
-
SourceLocation *SourceLocation
|
|
372
|
-
// Chronological history of all overrides applied to this requirement. Overrides are
|
|
373
|
-
// intentional changes to the compliance status and/or impact score (waivers, attestations,
|
|
374
|
-
// false positives, risk adjustments). Most recent override should be first in array.
|
|
375
|
-
// Preserves full audit trail.
|
|
376
|
-
StatusOverrides []StatusOverride
|
|
377
|
-
// The requirement identifier. Example: 'SV-238196'.
|
|
378
|
-
ID string
|
|
379
|
-
// The impactfulness or severity (0.0 to 1.0).
|
|
380
|
-
Impact float64
|
|
381
|
-
// A set of tags - usually metadata like CCI, STIG ID, severity.
|
|
382
|
-
Tags map[string]interface{}
|
|
383
|
-
//
|
|
384
|
-
//
|
|
385
|
-
//
|
|
386
|
-
|
|
387
|
-
//
|
|
388
|
-
|
|
389
|
-
|
|
390
|
-
|
|
341
|
+
// Array of labeled descriptions. At least one description with label 'default' must be
|
|
342
|
+
// present. Convention: place default description first. Common labels: 'default', 'check',
|
|
343
|
+
// 'fix', 'rationale'.
|
|
344
|
+
Descriptions []Description `json:"descriptions"`
|
|
345
|
+
// The type of the most recent non-expired override or POAM governing this requirement.
|
|
346
|
+
// Indicates why the requirement is in its current state (e.g., waiver, falsePositive,
|
|
347
|
+
// riskAdjustment) or what remediation is being tracked (poam). Absent when no overrides or
|
|
348
|
+
// POAMs apply.
|
|
349
|
+
Disposition *OverrideType `json:"disposition,omitempty"`
|
|
350
|
+
// The current effective impact score (0.0–1.0) after applying the most recent non-expired
|
|
351
|
+
// override with an impact field. Absent when no impact overrides apply; consumers should
|
|
352
|
+
// use the requirement's impact field in that case.
|
|
353
|
+
EffectiveImpact *float64 `json:"effectiveImpact,omitempty"`
|
|
354
|
+
// The current effective compliance status of this requirement after applying the most
|
|
355
|
+
// recent non-expired override with a status field, or computed from results (worst-wins) if
|
|
356
|
+
// no status-bearing overrides exist.
|
|
357
|
+
EffectiveStatus *ResultStatus `json:"effectiveStatus,omitempty"`
|
|
358
|
+
// Supporting evidence for this requirement's findings, such as screenshots, code samples,
|
|
359
|
+
// or log excerpts.
|
|
360
|
+
Evidence []Evidence `json:"evidence,omitempty"`
|
|
361
|
+
// Plan of Action and Milestones for tracking remediation, mitigation, or risk acceptance.
|
|
362
|
+
// POAMs do NOT change effectiveStatus - they track the work being done to address a
|
|
363
|
+
// failure. Separate from statusOverrides which DO change status.
|
|
364
|
+
Poams []PoamElement `json:"poams,omitempty"`
|
|
365
|
+
// The set of all tests within the requirement and their results.
|
|
366
|
+
Results []RequirementResult `json:"results"`
|
|
367
|
+
// Explicit severity rating. Typically derived from impact score but provided explicitly for
|
|
368
|
+
// clarity.
|
|
369
|
+
Severity *Severity `json:"severity,omitempty"`
|
|
370
|
+
// The explicit location of the requirement within the source code.
|
|
371
|
+
SourceLocation *SourceLocation `json:"sourceLocation,omitempty"`
|
|
372
|
+
// Chronological history of all overrides applied to this requirement. Overrides are
|
|
373
|
+
// intentional changes to the compliance status and/or impact score (waivers, attestations,
|
|
374
|
+
// false positives, risk adjustments). Most recent override should be first in array.
|
|
375
|
+
// Preserves full audit trail.
|
|
376
|
+
StatusOverrides []StatusOverride `json:"statusOverrides,omitempty"`
|
|
377
|
+
// The requirement identifier. Example: 'SV-238196'.
|
|
378
|
+
ID string `json:"id"`
|
|
379
|
+
// The impactfulness or severity (0.0 to 1.0).
|
|
380
|
+
Impact float64 `json:"impact"`
|
|
381
|
+
// A set of tags - usually metadata like CCI, STIG ID, severity.
|
|
382
|
+
Tags map[string]interface{} `json:"tags"`
|
|
383
|
+
// Whether the requirement is mandatory within its baseline. Distinct from severity (risk
|
|
384
|
+
// weight) and status (lifecycle state). Maps cleanly onto: FedRAMP rev5 OSCAL 'CORE' prop,
|
|
385
|
+
// FedRAMP 20x inline 'Optional:' markers, CMMC sublevel rows, and CIS Implementation Group
|
|
386
|
+
// memberships (IG1/IG2/IG3 may carry richer semantics; layer those onto props[]/tags{}).
|
|
387
|
+
// Optional: when omitted, consumers should treat the requirement as 'required' by
|
|
388
|
+
// convention.
|
|
389
|
+
Applicability *Applicability `json:"applicability,omitempty"`
|
|
390
|
+
// The raw source code of the requirement. Set to null for manual-only requirements or
|
|
391
|
+
// requirements not yet implemented; use verificationMethod to disambiguate manual-by-design
|
|
392
|
+
// from manual-pending-automation. Note that if this is an overlay, it does not include the
|
|
393
|
+
// underlying source code.
|
|
394
|
+
Code *string `json:"code,omitempty"`
|
|
395
|
+
// Classification of the control's nature, aligning with NIST SP 800-53 / SP 800-53A
|
|
396
|
+
// categories. 'policy' = an authored governance statement; 'procedure' = a documented
|
|
397
|
+
// process; 'technical' = an enforced technical configuration; 'management' = a
|
|
398
|
+
// programmatic/management activity; 'operational' = a recurring operational activity (e.g.
|
|
399
|
+
// AT, IR, MA families). Optional: when omitted, consumers may infer heuristically from
|
|
400
|
+
// family/id but should not assume a default.
|
|
401
|
+
ControlType *ControlType `json:"controlType,omitempty"`
|
|
402
|
+
// The set of references to external documents.
|
|
403
|
+
Refs []Reference `json:"refs,omitempty"`
|
|
404
|
+
// The title - is nullable.
|
|
405
|
+
Title *string `json:"title,omitempty"`
|
|
406
|
+
// How this requirement is intended to be verified. Disambiguates the two cases that null
|
|
407
|
+
// 'code' overloads: 'manual-by-design' (the requirement is statement-form and not amenable
|
|
408
|
+
// to automation, e.g. FedRAMP 20x KSIs); 'manual-pending-automation' (automation could
|
|
409
|
+
// exist but does not yet, e.g. a STIG rule lacking a fix). 'automated' = a check exists and
|
|
410
|
+
// runs without operator action; 'hybrid' = part automated, part manual. Optional: when
|
|
411
|
+
// omitted, consumers should not infer a default.
|
|
412
|
+
VerificationMethod *VerificationMethodEnum `json:"verificationMethod,omitempty"`
|
|
391
413
|
}
|
|
392
414
|
|
|
393
415
|
type Description struct {
|
|
@@ -1012,29 +1034,51 @@ type HDFBaseline struct {
|
|
|
1012
1034
|
// Core requirement fields shared between baseline requirements and evaluated requirements.
|
|
1013
1035
|
// Contains the fundamental requirement definition without assessment results.
|
|
1014
1036
|
type BaselineRequirement struct {
|
|
1015
|
-
// Array of labeled descriptions. At least one description with label 'default' must be
|
|
1016
|
-
// present. Convention: place default description first. Common labels: 'default', 'check',
|
|
1017
|
-
// 'fix', 'rationale'.
|
|
1018
|
-
Descriptions []Description
|
|
1019
|
-
// Explicit severity rating. Typically derived from impact score but provided explicitly for
|
|
1020
|
-
// clarity.
|
|
1021
|
-
Severity *Severity
|
|
1022
|
-
// The requirement identifier. Example: 'SV-238196'.
|
|
1023
|
-
ID string
|
|
1024
|
-
// The impactfulness or severity (0.0 to 1.0).
|
|
1025
|
-
Impact float64
|
|
1026
|
-
// A set of tags - usually metadata like CCI, STIG ID, severity.
|
|
1027
|
-
Tags map[string]interface{}
|
|
1028
|
-
//
|
|
1029
|
-
//
|
|
1030
|
-
//
|
|
1031
|
-
|
|
1032
|
-
//
|
|
1033
|
-
|
|
1034
|
-
|
|
1035
|
-
|
|
1036
|
-
//
|
|
1037
|
-
|
|
1037
|
+
// Array of labeled descriptions. At least one description with label 'default' must be
|
|
1038
|
+
// present. Convention: place default description first. Common labels: 'default', 'check',
|
|
1039
|
+
// 'fix', 'rationale'.
|
|
1040
|
+
Descriptions []Description `json:"descriptions"`
|
|
1041
|
+
// Explicit severity rating. Typically derived from impact score but provided explicitly for
|
|
1042
|
+
// clarity.
|
|
1043
|
+
Severity *Severity `json:"severity,omitempty"`
|
|
1044
|
+
// The requirement identifier. Example: 'SV-238196'.
|
|
1045
|
+
ID string `json:"id"`
|
|
1046
|
+
// The impactfulness or severity (0.0 to 1.0).
|
|
1047
|
+
Impact float64 `json:"impact"`
|
|
1048
|
+
// A set of tags - usually metadata like CCI, STIG ID, severity.
|
|
1049
|
+
Tags map[string]interface{} `json:"tags"`
|
|
1050
|
+
// Whether the requirement is mandatory within its baseline. Distinct from severity (risk
|
|
1051
|
+
// weight) and status (lifecycle state). Maps cleanly onto: FedRAMP rev5 OSCAL 'CORE' prop,
|
|
1052
|
+
// FedRAMP 20x inline 'Optional:' markers, CMMC sublevel rows, and CIS Implementation Group
|
|
1053
|
+
// memberships (IG1/IG2/IG3 may carry richer semantics; layer those onto props[]/tags{}).
|
|
1054
|
+
// Optional: when omitted, consumers should treat the requirement as 'required' by
|
|
1055
|
+
// convention.
|
|
1056
|
+
Applicability *Applicability `json:"applicability,omitempty"`
|
|
1057
|
+
// The raw source code of the requirement. Set to null for manual-only requirements or
|
|
1058
|
+
// requirements not yet implemented; use verificationMethod to disambiguate manual-by-design
|
|
1059
|
+
// from manual-pending-automation. Note that if this is an overlay, it does not include the
|
|
1060
|
+
// underlying source code.
|
|
1061
|
+
Code *string `json:"code,omitempty"`
|
|
1062
|
+
// Classification of the control's nature, aligning with NIST SP 800-53 / SP 800-53A
|
|
1063
|
+
// categories. 'policy' = an authored governance statement; 'procedure' = a documented
|
|
1064
|
+
// process; 'technical' = an enforced technical configuration; 'management' = a
|
|
1065
|
+
// programmatic/management activity; 'operational' = a recurring operational activity (e.g.
|
|
1066
|
+
// AT, IR, MA families). Optional: when omitted, consumers may infer heuristically from
|
|
1067
|
+
// family/id but should not assume a default.
|
|
1068
|
+
ControlType *ControlType `json:"controlType,omitempty"`
|
|
1069
|
+
// The set of references to external documents.
|
|
1070
|
+
Refs []Reference `json:"refs,omitempty"`
|
|
1071
|
+
// The explicit location of the requirement within the source code.
|
|
1072
|
+
SourceLocation *SourceLocation `json:"sourceLocation,omitempty"`
|
|
1073
|
+
// The title - is nullable.
|
|
1074
|
+
Title *string `json:"title,omitempty"`
|
|
1075
|
+
// How this requirement is intended to be verified. Disambiguates the two cases that null
|
|
1076
|
+
// 'code' overloads: 'manual-by-design' (the requirement is statement-form and not amenable
|
|
1077
|
+
// to automation, e.g. FedRAMP 20x KSIs); 'manual-pending-automation' (automation could
|
|
1078
|
+
// exist but does not yet, e.g. a STIG rule lacking a fix). 'automated' = a check exists and
|
|
1079
|
+
// runs without operator action; 'hybrid' = part automated, part manual. Optional: when
|
|
1080
|
+
// omitted, consumers should not infer a default.
|
|
1081
|
+
VerificationMethod *VerificationMethodEnum `json:"verificationMethod,omitempty"`
|
|
1038
1082
|
}
|
|
1039
1083
|
|
|
1040
1084
|
// Structured comparison between two or more HDF security assessment documents. Supports
|
|
@@ -1740,6 +1784,36 @@ const (
|
|
|
1740
1784
|
Sha512 HashAlgorithm = "sha512"
|
|
1741
1785
|
)
|
|
1742
1786
|
|
|
1787
|
+
// Whether the requirement is mandatory within its baseline. Distinct from severity (risk
|
|
1788
|
+
// weight) and status (lifecycle state). Maps cleanly onto: FedRAMP rev5 OSCAL 'CORE' prop,
|
|
1789
|
+
// FedRAMP 20x inline 'Optional:' markers, CMMC sublevel rows, and CIS Implementation Group
|
|
1790
|
+
// memberships (IG1/IG2/IG3 may carry richer semantics; layer those onto props[]/tags{}).
|
|
1791
|
+
// Optional: when omitted, consumers should treat the requirement as 'required' by
|
|
1792
|
+
// convention.
|
|
1793
|
+
type Applicability string
|
|
1794
|
+
|
|
1795
|
+
const (
|
|
1796
|
+
Advisory Applicability = "advisory"
|
|
1797
|
+
Optional Applicability = "optional"
|
|
1798
|
+
Required Applicability = "required"
|
|
1799
|
+
)
|
|
1800
|
+
|
|
1801
|
+
// Classification of the control's nature, aligning with NIST SP 800-53 / SP 800-53A
|
|
1802
|
+
// categories. 'policy' = an authored governance statement; 'procedure' = a documented
|
|
1803
|
+
// process; 'technical' = an enforced technical configuration; 'management' = a
|
|
1804
|
+
// programmatic/management activity; 'operational' = a recurring operational activity (e.g.
|
|
1805
|
+
// AT, IR, MA families). Optional: when omitted, consumers may infer heuristically from
|
|
1806
|
+
// family/id but should not assume a default.
|
|
1807
|
+
type ControlType string
|
|
1808
|
+
|
|
1809
|
+
const (
|
|
1810
|
+
Management ControlType = "management"
|
|
1811
|
+
Operational ControlType = "operational"
|
|
1812
|
+
Policy ControlType = "policy"
|
|
1813
|
+
Procedure ControlType = "procedure"
|
|
1814
|
+
Technical ControlType = "technical"
|
|
1815
|
+
)
|
|
1816
|
+
|
|
1743
1817
|
// The type of the most recent non-expired override or POAM governing this requirement.
|
|
1744
1818
|
// Indicates why the requirement is in its current state (e.g., waiver, falsePositive,
|
|
1745
1819
|
// riskAdjustment) or what remediation is being tracked (poam). Absent when no overrides or
|
|
@@ -1859,6 +1933,28 @@ const (
|
|
|
1859
1933
|
SeverityLow Severity = "low"
|
|
1860
1934
|
)
|
|
1861
1935
|
|
|
1936
|
+
// How this requirement is intended to be verified. Disambiguates the two cases that null
|
|
1937
|
+
// 'code' overloads: 'manual-by-design' (the requirement is statement-form and not amenable
|
|
1938
|
+
// to automation, e.g. FedRAMP 20x KSIs); 'manual-pending-automation' (automation could
|
|
1939
|
+
// exist but does not yet, e.g. a STIG rule lacking a fix). 'automated' = a check exists and
|
|
1940
|
+
// runs without operator action; 'hybrid' = part automated, part manual. Optional: when
|
|
1941
|
+
// omitted, consumers should not infer a default.
|
|
1942
|
+
//
|
|
1943
|
+
// How a requirement is intended to be verified. Disambiguates the two cases that null
|
|
1944
|
+
// 'code' overloads: 'manual-by-design' (the requirement is statement-form and not amenable
|
|
1945
|
+
// to automation, e.g. FedRAMP 20x KSIs); 'manual-pending-automation' (automation could
|
|
1946
|
+
// exist but does not yet, e.g. a STIG rule lacking a fix). 'automated' = a check exists and
|
|
1947
|
+
// runs without operator action; 'hybrid' = part automated, part manual. Named '_Enum' to
|
|
1948
|
+
// disambiguate from the unrelated Verification_Method DID-context struct.
|
|
1949
|
+
type VerificationMethodEnum string
|
|
1950
|
+
|
|
1951
|
+
const (
|
|
1952
|
+
ManualByDesign VerificationMethodEnum = "manual-by-design"
|
|
1953
|
+
ManualPendingAutomation VerificationMethodEnum = "manual-pending-automation"
|
|
1954
|
+
VerificationMethodEnumAutomated VerificationMethodEnum = "automated"
|
|
1955
|
+
VerificationMethodEnumHybrid VerificationMethodEnum = "hybrid"
|
|
1956
|
+
)
|
|
1957
|
+
|
|
1862
1958
|
type CloudProvider string
|
|
1863
1959
|
|
|
1864
1960
|
const (
|
|
@@ -2109,9 +2205,9 @@ const (
|
|
|
2109
2205
|
type PlanType string
|
|
2110
2206
|
|
|
2111
2207
|
const (
|
|
2112
|
-
|
|
2113
|
-
PlanTypeHybrid
|
|
2114
|
-
PlanTypeManual
|
|
2208
|
+
PlanTypeAutomated PlanType = "automated"
|
|
2209
|
+
PlanTypeHybrid PlanType = "hybrid"
|
|
2210
|
+
PlanTypeManual PlanType = "manual"
|
|
2115
2211
|
)
|
|
2116
2212
|
|
|
2117
2213
|
// The type of HDF document being referenced.
|
package/dist/helpers.d.ts
CHANGED
|
@@ -68,9 +68,13 @@ export function createSupportedPlatform(
|
|
|
68
68
|
|
|
69
69
|
export function createSourceLocation(ref: string, line: number): SourceLocation;
|
|
70
70
|
|
|
71
|
+
export function severityToImpact(severity: null): null;
|
|
71
72
|
export function severityToImpact(severity: string): number;
|
|
73
|
+
export function severityToImpact(severity: string | null): number | null;
|
|
72
74
|
|
|
75
|
+
export function impactToSeverity(impact: null): null;
|
|
73
76
|
export function impactToSeverity(impact: number): string;
|
|
77
|
+
export function impactToSeverity(impact: number | null): string | null;
|
|
74
78
|
|
|
75
79
|
export function computeEffectiveStatus(
|
|
76
80
|
requirement: EvaluatedRequirement
|