@mitre/hdf-schema 3.2.0 → 3.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +15 -16
- package/dist/go/hdf.go +398 -134
- package/dist/helpers.d.ts +1 -1
- package/dist/index.d.ts +27 -52
- package/dist/index.js +30 -48
- package/dist/schemas/hdf-amendments.schema.json +466 -45
- package/dist/schemas/hdf-baseline.schema.json +471 -50
- package/dist/schemas/hdf-comparison.schema.json +721 -103
- package/dist/schemas/hdf-evidence-package.schema.json +465 -44
- package/dist/schemas/hdf-plan.schema.json +472 -50
- package/dist/schemas/hdf-results.schema.json +678 -80
- package/dist/schemas/hdf-system.schema.json +497 -59
- package/dist/ts/hdf.d.ts +3562 -0
- package/dist/ts/hdf.js +564 -0
- package/dist/ts/hdf.ts +3623 -0
- package/package.json +18 -17
- package/dist/ts/hdf-amendments.d.ts +0 -474
- package/dist/ts/hdf-amendments.js +0 -88
- package/dist/ts/hdf-amendments.ts +0 -486
- package/dist/ts/hdf-baseline.d.ts +0 -549
- package/dist/ts/hdf-baseline.js +0 -110
- package/dist/ts/hdf-baseline.ts +0 -563
- package/dist/ts/hdf-comparison.d.ts +0 -1185
- package/dist/ts/hdf-comparison.js +0 -216
- package/dist/ts/hdf-comparison.ts +0 -1210
- package/dist/ts/hdf-evidence-package.d.ts +0 -348
- package/dist/ts/hdf-evidence-package.js +0 -39
- package/dist/ts/hdf-evidence-package.ts +0 -356
- package/dist/ts/hdf-plan.d.ts +0 -204
- package/dist/ts/hdf-plan.js +0 -23
- package/dist/ts/hdf-plan.ts +0 -205
- package/dist/ts/hdf-results.d.ts +0 -1588
- package/dist/ts/hdf-results.js +0 -246
- package/dist/ts/hdf-results.ts +0 -1616
- package/dist/ts/hdf-system.d.ts +0 -609
- package/dist/ts/hdf-system.js +0 -102
- package/dist/ts/hdf-system.ts +0 -617
package/dist/go/hdf.go
CHANGED
|
@@ -253,7 +253,7 @@ type Input struct {
|
|
|
253
253
|
// The data type of this input.
|
|
254
254
|
Type *InputType `json:"type,omitempty"`
|
|
255
255
|
// The input value. Type should match the declared type field. Accepts any JSON value.
|
|
256
|
-
Value
|
|
256
|
+
Value interface{} `json:"value,omitempty"`
|
|
257
257
|
}
|
|
258
258
|
|
|
259
259
|
// Validation constraints for the input value.
|
|
@@ -338,6 +338,19 @@ type Checksum struct {
|
|
|
338
338
|
// Core requirement fields shared between baseline requirements and evaluated requirements.
|
|
339
339
|
// Contains the fundamental requirement definition without assessment results.
|
|
340
340
|
type EvaluatedRequirement struct {
|
|
341
|
+
// Packages affected by this vulnerability finding. Vulnerability-finding-scoped — see
|
|
342
|
+
// components[] on hdf-system for component-level package inventories. One entry per matched
|
|
343
|
+
// package signature (scanners often report multiple CPE variations per CVE).
|
|
344
|
+
AffectedPackages []AffectedPackage `json:"affectedPackages,omitempty"`
|
|
345
|
+
// Structured CVSS scoring data for vulnerability findings. One entry per CVE — a finding
|
|
346
|
+
// may match multiple CVEs (common in vulnerability scanners). Captures vendor-supplied Base
|
|
347
|
+
// metrics plus optional consumer-owned Threat / Environmental / Supplemental groups for
|
|
348
|
+
// risk adjustment. See cvss.schema.json.
|
|
349
|
+
Cvss []Cvss `json:"cvss,omitempty"`
|
|
350
|
+
// Common Weakness Enumeration IDs associated with this finding. Use CWE-N format with no
|
|
351
|
+
// leading zeros (matches the MITRE catalog convention). For NIST control mappings derived
|
|
352
|
+
// from CWE, see tags.nist.
|
|
353
|
+
Cwe []string `json:"cwe,omitempty"`
|
|
341
354
|
// Array of labeled descriptions. At least one description with label 'default' must be
|
|
342
355
|
// present. Convention: place default description first. Common labels: 'default', 'check',
|
|
343
356
|
// 'fix', 'rationale'.
|
|
@@ -355,9 +368,16 @@ type EvaluatedRequirement struct {
|
|
|
355
368
|
// recent non-expired override with a status field, or computed from results (worst-wins) if
|
|
356
369
|
// no status-bearing overrides exist.
|
|
357
370
|
EffectiveStatus *ResultStatus `json:"effectiveStatus,omitempty"`
|
|
371
|
+
// FIRST.org EPSS (Exploit Prediction Scoring System) score for this CVE finding. Used
|
|
372
|
+
// alongside CVSS for prioritization — captures the probability the vulnerability will be
|
|
373
|
+
// exploited.
|
|
374
|
+
Epss *Epss `json:"epss,omitempty"`
|
|
358
375
|
// Supporting evidence for this requirement's findings, such as screenshots, code samples,
|
|
359
376
|
// or log excerpts.
|
|
360
377
|
Evidence []Evidence `json:"evidence,omitempty"`
|
|
378
|
+
// CISA Known Exploited Vulnerabilities (KEV) catalog status. When inKev=true, dateAdded and
|
|
379
|
+
// dueDate carry the federal patching deadline.
|
|
380
|
+
Kev *Kev `json:"kev,omitempty"`
|
|
361
381
|
// Plan of Action and Milestones for tracking remediation, mitigation, or risk acceptance.
|
|
362
382
|
// POAMs do NOT change effectiveStatus - they track the work being done to address a
|
|
363
383
|
// failure. Separate from statusOverrides which DO change status.
|
|
@@ -412,6 +432,98 @@ type EvaluatedRequirement struct {
|
|
|
412
432
|
VerificationMethod *VerificationMethodEnum `json:"verificationMethod,omitempty"`
|
|
413
433
|
}
|
|
414
434
|
|
|
435
|
+
// Represents a package referenced by a vulnerability finding or by an amendment's scope. On
|
|
436
|
+
// Evaluated_Requirement.affectedPackages it says 'this CVE affects these package versions'.
|
|
437
|
+
// On Standalone_Override.affectedPackages it says 'this amendment is scoped to these
|
|
438
|
+
// packages' (used by VEX, OSCAL POA&M, FedRAMP component-aware amendments). NOT a
|
|
439
|
+
// system-level component identifier — see `components[]` on hdf-system for those. Validity
|
|
440
|
+
// requires at least one of: (name + version + ecosystem), purl alone, or cpe alone. purl
|
|
441
|
+
// and cpe are self-describing identifiers that encode name/version implicitly, so either
|
|
442
|
+
// may stand on its own; the name+version+ecosystem combination is the explicit form for
|
|
443
|
+
// sources without formal identifiers.
|
|
444
|
+
type AffectedPackage struct {
|
|
445
|
+
// Optional CPE 2.3 URI identifying the affected product. Validated leniently: only the
|
|
446
|
+
// 'cpe:2.3:' prefix and the part-type letter ('a' application, 'h' hardware, 'o' operating
|
|
447
|
+
// system) are enforced here. Use `hdf-utilities.parseCpe` for full-grammar parsing.
|
|
448
|
+
// Example: 'cpe:2.3:a:openssl:openssl:1.1.1k:*:*:*:*:*:*:*'.
|
|
449
|
+
Cpe *string `json:"cpe,omitempty"`
|
|
450
|
+
// The packaging ecosystem the package belongs to. Use 'generic' for hardware, firmware, or
|
|
451
|
+
// anything outside the listed language/OS package managers.
|
|
452
|
+
Ecosystem *Ecosystem `json:"ecosystem,omitempty"`
|
|
453
|
+
// Optional version string identifying the first release that contains the fix for the
|
|
454
|
+
// vulnerability. Use the same version syntax as `version`. Example: '1.1.1l' fixes
|
|
455
|
+
// 'openssl@1.1.1k'.
|
|
456
|
+
FixedInVersion *string `json:"fixedInVersion,omitempty"`
|
|
457
|
+
// The package name as published in its ecosystem. Examples: 'openssl' (rpm), 'lodash'
|
|
458
|
+
// (npm), 'org.apache.logging.log4j:log4j-core' (maven, group:artifact).
|
|
459
|
+
Name *string `json:"name,omitempty"`
|
|
460
|
+
// Optional Package URL (PURL) identifying the affected package. Validated leniently: only
|
|
461
|
+
// the 'pkg:TYPE/' scheme prefix is enforced here, where TYPE follows the PURL grammar (a
|
|
462
|
+
// letter followed by letters, digits, '.', '+', or '-') and is matched case-insensitively
|
|
463
|
+
// to mirror `hdf-utilities.parsePurl`'s accept-and-warn behavior. Use `parsePurl` for full
|
|
464
|
+
// PURL parsing. Example: 'pkg:rpm/redhat/openssl@1.1.1k-7.el8_4?arch=x86_64'.
|
|
465
|
+
Purl *string `json:"purl,omitempty"`
|
|
466
|
+
// The exact version of the package that the vulnerability scanner observed. Use the
|
|
467
|
+
// ecosystem's native version string verbatim (e.g., '1.1.1k-7.el8_4' for rpm, '4.17.20' for
|
|
468
|
+
// npm).
|
|
469
|
+
Version *string `json:"version,omitempty"`
|
|
470
|
+
}
|
|
471
|
+
|
|
472
|
+
// Structured CVSS scoring data backing this override. Captures the rubric (which
|
|
473
|
+
// Environmental/Threat metrics the consumer modified, the recomputed score) used to justify
|
|
474
|
+
// a riskAdjustment. For other override types this is optional context.
|
|
475
|
+
//
|
|
476
|
+
// A CVSS (Common Vulnerability Scoring System) score record for a vulnerability finding.
|
|
477
|
+
// Captures the vendor-supplied Base metric group and optional consumer-supplied Threat,
|
|
478
|
+
// Environmental, and Supplemental metric groups. Supports all four CVSS major versions
|
|
479
|
+
// (2.0, 3.0, 3.1, 4.0). Vector strings are validated against a permissive umbrella grammar;
|
|
480
|
+
// semantic validation (correct metrics per version, correct values per metric) is performed
|
|
481
|
+
// by the hdf-utilities `validateCvssVector` helper rather than at the schema layer.
|
|
482
|
+
type Cvss struct {
|
|
483
|
+
// The Base score (0.0–10.0) computed from the base vector. Reflects the intrinsic,
|
|
484
|
+
// vendor-published severity before consumer enrichment.
|
|
485
|
+
BaseScore *float64 `json:"baseScore,omitempty"`
|
|
486
|
+
// Qualitative severity band corresponding to baseScore. CVSS 2.0 does not natively use
|
|
487
|
+
// 'none' or 'critical' bands; map accordingly when populating.
|
|
488
|
+
BaseSeverity *CVSSSeverity `json:"baseSeverity,omitempty"`
|
|
489
|
+
// Optional Base metric group vector string as emitted by the source (e.g.,
|
|
490
|
+
// 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'). For CVSS 2.0 the version prefix is
|
|
491
|
+
// omitted. Some vendor tools emit a final baseScore without the vector — in that case this
|
|
492
|
+
// field is absent and the score cannot be recomputed or decomposed. The pattern accepts any
|
|
493
|
+
// version-prefixed or prefix-less metric token sequence; semantic validity of individual
|
|
494
|
+
// metrics is checked by hdf-utilities, not by the schema.
|
|
495
|
+
BaseVector *string `json:"baseVector,omitempty"`
|
|
496
|
+
// Optional final score after combining Base + Threat + Environmental metrics. This is the
|
|
497
|
+
// score consumers should treat as authoritative for risk decisions when present.
|
|
498
|
+
ComputedScore *float64 `json:"computedScore,omitempty"`
|
|
499
|
+
// Qualitative severity band corresponding to computedScore. Same band convention as
|
|
500
|
+
// baseSeverity.
|
|
501
|
+
ComputedSeverity *CVSSSeverity `json:"computedSeverity,omitempty"`
|
|
502
|
+
// Optional score (0.0–10.0) recomputed after applying Environmental metrics.
|
|
503
|
+
EnvironmentalScore *float64 `json:"environmentalScore,omitempty"`
|
|
504
|
+
// Optional Environmental metric group vector segment (e.g., 'MAV:N/CR:H/IR:H/AR:H').
|
|
505
|
+
// Consumer-supplied — reflects the deployment context (criticality, mitigations, network
|
|
506
|
+
// exposure).
|
|
507
|
+
EnvironmentalVector *string `json:"environmentalVector,omitempty"`
|
|
508
|
+
// Optional identifier the CVSS data is associated with — most commonly a CVE ID (e.g.,
|
|
509
|
+
// 'CVE-2024-12345'), but may also be a vendor advisory ID, GHSA, or similar.
|
|
510
|
+
Source *string `json:"source,omitempty"`
|
|
511
|
+
// Optional Supplemental metric group vector segment (CVSS 4.0 only). Examples:
|
|
512
|
+
// 'S:P/AU:N/V:C/RE:M/U:Amber'. Per CVSS 4.0 spec, supplemental metrics convey additional
|
|
513
|
+
// context but have no impact on the computed score.
|
|
514
|
+
SupplementalVector *string `json:"supplementalVector,omitempty"`
|
|
515
|
+
// Optional score (0.0–10.0) recomputed after applying Threat metrics. Always less than or
|
|
516
|
+
// equal to baseScore in practice.
|
|
517
|
+
ThreatScore *float64 `json:"threatScore,omitempty"`
|
|
518
|
+
// Optional Threat metric group vector segment (e.g., 'E:U/RL:O/RC:C' for CVSS 3.1, or 'E:A'
|
|
519
|
+
// for CVSS 4.0). Consumer-supplied — captures real-world exploitation and remediation
|
|
520
|
+
// context the vendor cannot know.
|
|
521
|
+
ThreatVector *string `json:"threatVector,omitempty"`
|
|
522
|
+
// The CVSS specification version this entry conforms to. Vendor scanners typically emit 3.1
|
|
523
|
+
// or 4.0; legacy data may use 2.0 or 3.0.
|
|
524
|
+
Version Version `json:"version"`
|
|
525
|
+
}
|
|
526
|
+
|
|
415
527
|
type Description struct {
|
|
416
528
|
// The description text content.
|
|
417
529
|
Data string `json:"data"`
|
|
@@ -420,6 +532,26 @@ type Description struct {
|
|
|
420
532
|
Label string `json:"label"`
|
|
421
533
|
}
|
|
422
534
|
|
|
535
|
+
// FIRST.org EPSS (Exploit Prediction Scoring System) score for this CVE finding. Used
|
|
536
|
+
// alongside CVSS for prioritization — captures the probability the vulnerability will be
|
|
537
|
+
// exploited.
|
|
538
|
+
//
|
|
539
|
+
// FIRST.org Exploit Prediction Scoring System (EPSS) data for a single vulnerability. All
|
|
540
|
+
// three fields are required when an Epss object is present; the date disambiguates which
|
|
541
|
+
// day's score this is, since EPSS recomputes daily.
|
|
542
|
+
type Epss struct {
|
|
543
|
+
// ISO 8601 date (YYYY-MM-DD) on which FIRST.org published this EPSS score.
|
|
544
|
+
Date string `json:"date"`
|
|
545
|
+
// Rank of this score relative to all scored CVEs, expressed as a value between 0.0 and 1.0
|
|
546
|
+
// inclusive. A percentile of 0.99 means this CVE is scored at or above 99% of all scored
|
|
547
|
+
// CVEs.
|
|
548
|
+
Percentile float64 `json:"percentile"`
|
|
549
|
+
// Exploit probability as a value between 0.0 and 1.0 inclusive. Higher values indicate
|
|
550
|
+
// greater predicted likelihood of exploitation in the next 30 days. Example: 0.97532 means
|
|
551
|
+
// roughly a 97.5% predicted probability.
|
|
552
|
+
Score float64 `json:"score"`
|
|
553
|
+
}
|
|
554
|
+
|
|
423
555
|
// Supporting evidence for a finding or override, such as screenshots, code samples, log
|
|
424
556
|
// excerpts, or URLs.
|
|
425
557
|
type Evidence struct {
|
|
@@ -478,15 +610,32 @@ type Evidence struct {
|
|
|
478
610
|
//
|
|
479
611
|
// Identity of who prepared this evidence package.
|
|
480
612
|
type Identity struct {
|
|
481
|
-
// Optional description of the identity or identity system, particularly useful when type is
|
|
482
|
-
// 'other'.
|
|
483
|
-
Description *string
|
|
484
|
-
// The identifier value. Example: 'user@example.com', 'jdoe', 'automated-scanner-01'.
|
|
485
|
-
Identifier string
|
|
486
|
-
// The type of identifier. Use 'email' for email addresses, 'username' for user accounts,
|
|
487
|
-
// 'system' for automated systems, 'simple' for basic string identifiers without additional
|
|
488
|
-
// classification, or 'other' for custom identity systems.
|
|
489
|
-
Type
|
|
613
|
+
// Optional description of the identity or identity system, particularly useful when type is
|
|
614
|
+
// 'other'.
|
|
615
|
+
Description *string `json:"description,omitempty"`
|
|
616
|
+
// The identifier value. Example: 'user@example.com', 'jdoe', 'automated-scanner-01'.
|
|
617
|
+
Identifier string `json:"identifier"`
|
|
618
|
+
// The type of identifier. Use 'email' for email addresses, 'username' for user accounts,
|
|
619
|
+
// 'system' for automated systems, 'simple' for basic string identifiers without additional
|
|
620
|
+
// classification, or 'other' for custom identity systems.
|
|
621
|
+
Type IdentityType `json:"type"`
|
|
622
|
+
}
|
|
623
|
+
|
|
624
|
+
// CISA Known Exploited Vulnerabilities (KEV) catalog status. When inKev=true, dateAdded and
|
|
625
|
+
// dueDate carry the federal patching deadline.
|
|
626
|
+
type Kev struct {
|
|
627
|
+
// ISO 8601 calendar date (YYYY-MM-DD) the vulnerability was added to the CISA KEV catalog.
|
|
628
|
+
// Required when inKev is true.
|
|
629
|
+
DateAdded *string `json:"dateAdded,omitempty"`
|
|
630
|
+
// ISO 8601 calendar date (YYYY-MM-DD) by which federal agencies must remediate per CISA BOD
|
|
631
|
+
// 22-01. Normally later than dateAdded, but the schema does not enforce ordering because
|
|
632
|
+
// CISA occasionally adjusts published dates. Required when inKev is true.
|
|
633
|
+
DueDate *string `json:"dueDate,omitempty"`
|
|
634
|
+
// Whether this vulnerability is currently in the CISA Known Exploited Vulnerabilities
|
|
635
|
+
// catalog. When true, dateAdded and dueDate are required.
|
|
636
|
+
InKev bool `json:"inKev"`
|
|
637
|
+
// CISA's notes describing the vulnerability, observed exploitation, or remediation guidance.
|
|
638
|
+
Notes *string `json:"notes,omitempty"`
|
|
490
639
|
}
|
|
491
640
|
|
|
492
641
|
// Plan of Action and Milestones for tracking remediation, mitigation, or risk acceptance.
|
|
@@ -516,21 +665,21 @@ type PoamElement struct {
|
|
|
516
665
|
// The type of POA&M. 'remediation' fixes root cause. 'mitigation' reduces risk via
|
|
517
666
|
// compensating controls. 'riskAcceptance' documents decision to accept risk.
|
|
518
667
|
// 'vendorDependency' tracks a fix that depends on a vendor releasing a patch or update.
|
|
519
|
-
Type
|
|
668
|
+
Type POAMType `json:"type"`
|
|
520
669
|
}
|
|
521
670
|
|
|
522
671
|
// A milestone or task within a POA&M remediation plan.
|
|
523
672
|
type Milestone struct {
|
|
524
|
-
// Actual completion timestamp. ISO 8601 format.
|
|
525
|
-
CompletedAt *time.Time
|
|
526
|
-
// Identity of who completed this milestone.
|
|
527
|
-
CompletedBy *Identity
|
|
528
|
-
// Description of this milestone or task.
|
|
529
|
-
Description string
|
|
530
|
-
// Estimated completion date. ISO 8601 format.
|
|
531
|
-
EstimatedCompletion time.Time
|
|
532
|
-
// Current status of this milestone.
|
|
533
|
-
Status
|
|
673
|
+
// Actual completion timestamp. ISO 8601 format.
|
|
674
|
+
CompletedAt *time.Time `json:"completedAt,omitempty"`
|
|
675
|
+
// Identity of who completed this milestone.
|
|
676
|
+
CompletedBy *Identity `json:"completedBy,omitempty"`
|
|
677
|
+
// Description of this milestone or task.
|
|
678
|
+
Description string `json:"description"`
|
|
679
|
+
// Estimated completion date. ISO 8601 format.
|
|
680
|
+
EstimatedCompletion time.Time `json:"estimatedCompletion"`
|
|
681
|
+
// Current status of this milestone.
|
|
682
|
+
Status MilestoneStatus `json:"status"`
|
|
534
683
|
}
|
|
535
684
|
|
|
536
685
|
// Optional digital signature for enhanced trust and non-repudiation.
|
|
@@ -598,7 +747,7 @@ type VerificationMethod struct {
|
|
|
598
747
|
//
|
|
599
748
|
// A URI pointing at the reference.
|
|
600
749
|
type Reference struct {
|
|
601
|
-
Ref *Ref
|
|
750
|
+
Ref *Ref `json:"ref,omitempty"`
|
|
602
751
|
URL *string `json:"url,omitempty"`
|
|
603
752
|
URI *string `json:"uri,omitempty"`
|
|
604
753
|
}
|
|
@@ -646,6 +795,10 @@ type StatusOverride struct {
|
|
|
646
795
|
// Identity of who applied this override. For simple cases, use type 'simple' with just an
|
|
647
796
|
// identifier.
|
|
648
797
|
AppliedBy Identity `json:"appliedBy"`
|
|
798
|
+
// Structured CVSS scoring data backing this override. Captures the rubric (which
|
|
799
|
+
// Environmental/Threat metrics the consumer modified, the recomputed score) used to justify
|
|
800
|
+
// a riskAdjustment. For other override types this is optional context.
|
|
801
|
+
Cvss *Cvss `json:"cvss,omitempty"`
|
|
649
802
|
// Supporting evidence for this override, such as screenshots demonstrating manual
|
|
650
803
|
// verification for attestations.
|
|
651
804
|
Evidence []Evidence `json:"evidence,omitempty"`
|
|
@@ -654,6 +807,12 @@ type StatusOverride struct {
|
|
|
654
807
|
ExpiresAt time.Time `json:"expiresAt"`
|
|
655
808
|
// Override to the requirement's impact score. At least one of status or impact must be set.
|
|
656
809
|
Impact *ImpactOverride `json:"impact,omitempty"`
|
|
810
|
+
// Structured controlled-vocabulary classification for why this override applies.
|
|
811
|
+
// Complements (does not replace) the free-text 'reason' field. Most useful on falsePositive
|
|
812
|
+
// and attestation overrides where the structured category enables filtering and lossless
|
|
813
|
+
// round-trip with VEX / OSCAL / FedRAMP DR. See the Justification primitive for the
|
|
814
|
+
// precedent vocabulary and rationale.
|
|
815
|
+
Justification *Justification `json:"justification,omitempty"`
|
|
657
816
|
// SHA-256 checksum of the previous amendment in chronological order. Creates a
|
|
658
817
|
// tamper-evident chain of amendments (similar to blockchain). Null for the first amendment
|
|
659
818
|
// on a requirement.
|
|
@@ -744,9 +903,9 @@ type Component struct {
|
|
|
744
903
|
Owner *Identity `json:"owner,omitempty"`
|
|
745
904
|
// Embedded CycloneDX or SPDX SBOM document representing this component's software
|
|
746
905
|
// inventory. The sbomFormat field determines which format constraints apply.
|
|
747
|
-
Sbom
|
|
906
|
+
Sbom interface{} `json:"sbom,omitempty"`
|
|
748
907
|
// Format of the SBOM (embedded or referenced). Required when sbom or sbomRef is present.
|
|
749
|
-
SbomFormat *
|
|
908
|
+
SbomFormat *SBOMFormat `json:"sbomFormat,omitempty"`
|
|
750
909
|
// URI reference to an external CycloneDX or SPDX SBOM document for this component. May be a
|
|
751
910
|
// relative path, absolute URI, or fragment identifier.
|
|
752
911
|
SbomRef *string `json:"sbomRef,omitempty"`
|
|
@@ -754,7 +913,7 @@ type Component struct {
|
|
|
754
913
|
// with matching labels are automatically included.
|
|
755
914
|
TargetSelector map[string]string `json:"targetSelector,omitempty"`
|
|
756
915
|
// Component type discriminator. Same values as Target types.
|
|
757
|
-
Type
|
|
916
|
+
Type TargetType `json:"type"`
|
|
758
917
|
// Fully qualified domain name.
|
|
759
918
|
FQDN *string `json:"fqdn,omitempty"`
|
|
760
919
|
// IP address of the host.
|
|
@@ -798,7 +957,7 @@ type Component struct {
|
|
|
798
957
|
// Cloud account identifier.
|
|
799
958
|
AccountID *string `json:"accountId,omitempty"`
|
|
800
959
|
// Cloud provider.
|
|
801
|
-
Provider
|
|
960
|
+
Provider *CloudProvider `json:"provider,omitempty"`
|
|
802
961
|
// Cloud region, if applicable.
|
|
803
962
|
//
|
|
804
963
|
// Cloud region where the resource resides.
|
|
@@ -850,7 +1009,7 @@ type InputOverride struct {
|
|
|
850
1009
|
// Rationale for why this override is needed.
|
|
851
1010
|
Justification *string `json:"justification,omitempty"`
|
|
852
1011
|
// The overridden value. Should match the type of the original input.
|
|
853
|
-
Value
|
|
1012
|
+
Value interface{} `json:"value"`
|
|
854
1013
|
}
|
|
855
1014
|
|
|
856
1015
|
// Information about the tool that generated this file.
|
|
@@ -1147,10 +1306,10 @@ type BaselineDiff struct {
|
|
|
1147
1306
|
|
|
1148
1307
|
// Comparison of a single component between two system document versions.
|
|
1149
1308
|
type ComponentDiff struct {
|
|
1150
|
-
// Component snapshot from the new system document.
|
|
1151
|
-
After
|
|
1152
|
-
// Component snapshot from the old system document.
|
|
1153
|
-
Before
|
|
1309
|
+
// Component snapshot from the new system document. Null when state is 'absent'.
|
|
1310
|
+
After interface{} `json:"after,omitempty"`
|
|
1311
|
+
// Component snapshot from the old system document. Null when state is 'new'.
|
|
1312
|
+
Before interface{} `json:"before,omitempty"`
|
|
1154
1313
|
// Detailed field-level changes between the before and after component snapshots.
|
|
1155
1314
|
FieldChanges []FieldChange `json:"fieldChanges,omitempty"`
|
|
1156
1315
|
// Component name used for matching across system versions.
|
|
@@ -1162,9 +1321,9 @@ type ComponentDiff struct {
|
|
|
1162
1321
|
// A single field-level change between two versions of a requirement.
|
|
1163
1322
|
type FieldChange struct {
|
|
1164
1323
|
// The new value of the field (for 'add' and 'replace' operations).
|
|
1165
|
-
NewValue
|
|
1324
|
+
NewValue interface{} `json:"newValue,omitempty"`
|
|
1166
1325
|
// The previous value of the field (for 'remove' and 'replace' operations).
|
|
1167
|
-
OldValue
|
|
1326
|
+
OldValue interface{} `json:"oldValue,omitempty"`
|
|
1168
1327
|
// The type of change operation.
|
|
1169
1328
|
Op Op `json:"op"`
|
|
1170
1329
|
// JSON Pointer path to the changed field.
|
|
@@ -1175,13 +1334,13 @@ type FieldChange struct {
|
|
|
1175
1334
|
// before/after snapshots.
|
|
1176
1335
|
type RequirementDiff struct {
|
|
1177
1336
|
// The requirement as it appeared in the new source. Null when state is 'absent'.
|
|
1178
|
-
After
|
|
1337
|
+
After interface{} `json:"after"`
|
|
1179
1338
|
// Sensitive data from the new source that should not be included in the main after snapshot.
|
|
1180
1339
|
AfterSensitive map[string]interface{} `json:"afterSensitive,omitempty"`
|
|
1181
1340
|
// IDs of annotations attached to this requirement diff.
|
|
1182
1341
|
AnnotationIDS []string `json:"annotationIds,omitempty"`
|
|
1183
1342
|
// The requirement as it appeared in the old/reference source. Null when state is 'new'.
|
|
1184
|
-
Before
|
|
1343
|
+
Before interface{} `json:"before"`
|
|
1185
1344
|
// Sensitive data from the old source that should not be included in the main before
|
|
1186
1345
|
// snapshot.
|
|
1187
1346
|
BeforeSensitive map[string]interface{} `json:"beforeSensitive,omitempty"`
|
|
@@ -1237,7 +1396,7 @@ type Value struct {
|
|
|
1237
1396
|
// Human-readable label for the source.
|
|
1238
1397
|
SourceLabel string `json:"sourceLabel"`
|
|
1239
1398
|
// The value reported by this source for the conflicting field.
|
|
1240
|
-
Value
|
|
1399
|
+
Value interface{} `json:"value"`
|
|
1241
1400
|
}
|
|
1242
1401
|
|
|
1243
1402
|
// Configuration for how requirements were matched across sources.
|
|
@@ -1500,7 +1659,7 @@ type DataFlow struct {
|
|
|
1500
1659
|
Protocol *string `json:"protocol,omitempty"`
|
|
1501
1660
|
// The other end of this data flow. Can be a local component (UUID), a cross-system
|
|
1502
1661
|
// component reference, or an external endpoint.
|
|
1503
|
-
To
|
|
1662
|
+
To interface{} `json:"to"`
|
|
1504
1663
|
}
|
|
1505
1664
|
|
|
1506
1665
|
// Defines an assessment plan — what baselines to run against which targets, with resolved
|
|
@@ -1614,47 +1773,74 @@ type HDFAmendments struct {
|
|
|
1614
1773
|
Version *string `json:"version,omitempty"`
|
|
1615
1774
|
}
|
|
1616
1775
|
|
|
1617
|
-
// A standalone
|
|
1618
|
-
//
|
|
1619
|
-
//
|
|
1776
|
+
// A standalone override to a requirement's compliance status or risk impact. Validation has
|
|
1777
|
+
// two branches gated on 'type': when type is 'operationalRequirement', neither 'status' nor
|
|
1778
|
+
// 'impact' may be set — the override records accepted risk without changing the finding
|
|
1779
|
+
// (documentation-only). For all other types, at least one of 'status' or 'impact' must be
|
|
1780
|
+
// set. This rule aligns with: (1) OSCAL Assessment Results — finding.target.status and
|
|
1781
|
+
// finding.associated-risk[].facet[] are separate axes
|
|
1782
|
+
// (https://pages.nist.gov/OSCAL/learn/concepts/layer/assessment/assessment-results/); (2)
|
|
1783
|
+
// FedRAMP deviation request types — Risk Adjustment changes impact only, Operational
|
|
1784
|
+
// Requirement documents acceptance only, False Positive changes status
|
|
1785
|
+
// (https://www.ignyteplatform.com/blog/fedramp/fedramp-deviation-requests-submit/); (3)
|
|
1786
|
+
// NIST SP 800-37 RMF — risk response (accept/mitigate/transfer) is a separate step from
|
|
1787
|
+
// control assessment status (https://csrc.nist.gov/pubs/sp/800/37/r2/final).
|
|
1620
1788
|
type StandaloneOverride struct {
|
|
1621
|
-
//
|
|
1622
|
-
|
|
1623
|
-
//
|
|
1624
|
-
|
|
1625
|
-
//
|
|
1626
|
-
//
|
|
1627
|
-
|
|
1628
|
-
|
|
1629
|
-
//
|
|
1630
|
-
|
|
1631
|
-
//
|
|
1632
|
-
|
|
1633
|
-
//
|
|
1634
|
-
//
|
|
1635
|
-
|
|
1636
|
-
//
|
|
1637
|
-
|
|
1638
|
-
|
|
1639
|
-
//
|
|
1640
|
-
//
|
|
1641
|
-
|
|
1642
|
-
|
|
1643
|
-
|
|
1644
|
-
|
|
1645
|
-
//
|
|
1646
|
-
|
|
1647
|
-
|
|
1648
|
-
|
|
1649
|
-
|
|
1650
|
-
//
|
|
1651
|
-
|
|
1652
|
-
//
|
|
1653
|
-
|
|
1654
|
-
//
|
|
1655
|
-
|
|
1656
|
-
//
|
|
1657
|
-
|
|
1789
|
+
// Software packages this amendment is scoped to, distinct from componentRef (which scopes
|
|
1790
|
+
// to an HDF-internal Component by UUID). Use when the source amendment format references
|
|
1791
|
+
// packages by purl/cpe/name+version — e.g., VEX `affects[]` / `products[]`, OSCAL POA&M
|
|
1792
|
+
// `subjects[]`, FedRAMP component-aware amendments. Symmetric with
|
|
1793
|
+
// Evaluated_Requirement.affectedPackages, which scopes findings to the same package
|
|
1794
|
+
// vocabulary. When omitted, the amendment applies system-wide (or only to componentRef when
|
|
1795
|
+
// that is set).
|
|
1796
|
+
AffectedPackages []AffectedPackage `json:"affectedPackages,omitempty"`
|
|
1797
|
+
// When this amendment was applied. ISO 8601 format.
|
|
1798
|
+
AppliedAt time.Time `json:"appliedAt"`
|
|
1799
|
+
// Identity of who applied this amendment.
|
|
1800
|
+
AppliedBy Identity `json:"appliedBy"`
|
|
1801
|
+
// Name of the baseline containing the requirement. Required when the system has multiple
|
|
1802
|
+
// baselines with potentially overlapping requirement IDs.
|
|
1803
|
+
BaselineRef *string `json:"baselineRef,omitempty"`
|
|
1804
|
+
// componentId of the component this amendment is scoped to. When set, the amendment only
|
|
1805
|
+
// applies to the specified component. When omitted, the amendment applies system-wide.
|
|
1806
|
+
ComponentRef *string `json:"componentRef,omitempty"`
|
|
1807
|
+
// Structured CVSS scoring data backing this override. Captures the rubric (which
|
|
1808
|
+
// Environmental/Threat metrics the consumer modified, the recomputed score) used to justify
|
|
1809
|
+
// a riskAdjustment. For other override types this is optional context.
|
|
1810
|
+
Cvss *Cvss `json:"cvss,omitempty"`
|
|
1811
|
+
// Supporting evidence (screenshots, logs, URLs, documents).
|
|
1812
|
+
Evidence []Evidence `json:"evidence,omitempty"`
|
|
1813
|
+
// When this amendment expires and must be reviewed. No permanent amendments. ISO 8601
|
|
1814
|
+
// format.
|
|
1815
|
+
ExpiresAt time.Time `json:"expiresAt"`
|
|
1816
|
+
// Override to the requirement's impact score. At least one of status or impact must be set.
|
|
1817
|
+
Impact *ImpactOverride `json:"impact,omitempty"`
|
|
1818
|
+
// componentId of the local component that provides this control. Set when the provider is
|
|
1819
|
+
// in the same system. Omit for external or cross-system providers; the reason field
|
|
1820
|
+
// explains the source. Primarily used with type 'inherited'.
|
|
1821
|
+
InheritedFrom *string `json:"inheritedFrom,omitempty"`
|
|
1822
|
+
// Structured controlled-vocabulary classification for why this override applies.
|
|
1823
|
+
// Complements (does not replace) the free-text 'reason' field. Most useful on falsePositive
|
|
1824
|
+
// and attestation overrides where the structured category enables filtering and lossless
|
|
1825
|
+
// round-trip with VEX / OSCAL / FedRAMP DR. See the Justification primitive for the
|
|
1826
|
+
// precedent vocabulary and rationale.
|
|
1827
|
+
Justification *Justification `json:"justification,omitempty"`
|
|
1828
|
+
// Remediation milestones (primarily for POA&M type amendments).
|
|
1829
|
+
Milestones []Milestone `json:"milestones,omitempty"`
|
|
1830
|
+
// Checksum of the prior amendment in the chain. Creates a tamper-evident linked list. Null
|
|
1831
|
+
// for the first amendment.
|
|
1832
|
+
PreviousChecksum *Checksum `json:"previousChecksum,omitempty"`
|
|
1833
|
+
// Justification for this amendment.
|
|
1834
|
+
Reason string `json:"reason"`
|
|
1835
|
+
// The ID of the requirement being amended. Must match a requirement ID in the referenced
|
|
1836
|
+
// baseline.
|
|
1837
|
+
RequirementID string `json:"requirementId"`
|
|
1838
|
+
// Digital signature for non-repudiation.
|
|
1839
|
+
Signature *Signature `json:"signature,omitempty"`
|
|
1840
|
+
// The new status this amendment sets. Optional when only impact is being overridden.
|
|
1841
|
+
Status *ResultStatus `json:"status,omitempty"`
|
|
1842
|
+
// The type of amendment.
|
|
1843
|
+
Type OverrideType `json:"type"`
|
|
1658
1844
|
}
|
|
1659
1845
|
|
|
1660
1846
|
// Bundles references to all HDF documents for audit, authorization, and compliance review.
|
|
@@ -1784,6 +1970,23 @@ const (
|
|
|
1784
1970
|
Sha512 HashAlgorithm = "sha512"
|
|
1785
1971
|
)
|
|
1786
1972
|
|
|
1973
|
+
// The packaging ecosystem the package belongs to. Use 'generic' for hardware, firmware, or
|
|
1974
|
+
// anything outside the listed language/OS package managers.
|
|
1975
|
+
type Ecosystem string
|
|
1976
|
+
|
|
1977
|
+
const (
|
|
1978
|
+
Cargo Ecosystem = "cargo"
|
|
1979
|
+
Deb Ecosystem = "deb"
|
|
1980
|
+
Gem Ecosystem = "gem"
|
|
1981
|
+
Generic Ecosystem = "generic"
|
|
1982
|
+
Go Ecosystem = "go"
|
|
1983
|
+
Maven Ecosystem = "maven"
|
|
1984
|
+
Npm Ecosystem = "npm"
|
|
1985
|
+
Nuget Ecosystem = "nuget"
|
|
1986
|
+
Pypi Ecosystem = "pypi"
|
|
1987
|
+
RPM Ecosystem = "rpm"
|
|
1988
|
+
)
|
|
1989
|
+
|
|
1787
1990
|
// Whether the requirement is mandatory within its baseline. Distinct from severity (risk
|
|
1788
1991
|
// weight) and status (lifecycle state). Maps cleanly onto: FedRAMP rev5 OSCAL 'CORE' prop,
|
|
1789
1992
|
// FedRAMP 20x inline 'Optional:' markers, CMMC sublevel rows, and CIS Implementation Group
|
|
@@ -1814,6 +2017,36 @@ const (
|
|
|
1814
2017
|
Technical ControlType = "technical"
|
|
1815
2018
|
)
|
|
1816
2019
|
|
|
2020
|
+
// Qualitative severity band corresponding to baseScore. CVSS 2.0 does not natively use
|
|
2021
|
+
// 'none' or 'critical' bands; map accordingly when populating.
|
|
2022
|
+
//
|
|
2023
|
+
// Qualitative CVSS severity band. Aligns with FIRST/NVD bands: none=0.0, low=0.1-3.9,
|
|
2024
|
+
// medium=4.0-6.9, high=7.0-8.9, critical=9.0-10.0. Distinct from the broader Severity enum
|
|
2025
|
+
// used on Requirement_Core (which includes 'informational').
|
|
2026
|
+
//
|
|
2027
|
+
// Qualitative severity band corresponding to computedScore. Same band convention as
|
|
2028
|
+
// baseSeverity.
|
|
2029
|
+
type CVSSSeverity string
|
|
2030
|
+
|
|
2031
|
+
const (
|
|
2032
|
+
CVSSSeverityCritical CVSSSeverity = "critical"
|
|
2033
|
+
CVSSSeverityHigh CVSSSeverity = "high"
|
|
2034
|
+
CVSSSeverityLow CVSSSeverity = "low"
|
|
2035
|
+
CVSSSeverityMedium CVSSSeverity = "medium"
|
|
2036
|
+
None CVSSSeverity = "none"
|
|
2037
|
+
)
|
|
2038
|
+
|
|
2039
|
+
// The CVSS specification version this entry conforms to. Vendor scanners typically emit 3.1
|
|
2040
|
+
// or 4.0; legacy data may use 2.0 or 3.0.
|
|
2041
|
+
type Version string
|
|
2042
|
+
|
|
2043
|
+
const (
|
|
2044
|
+
The20 Version = "2.0"
|
|
2045
|
+
The30 Version = "3.0"
|
|
2046
|
+
The31 Version = "3.1"
|
|
2047
|
+
The40 Version = "4.0"
|
|
2048
|
+
)
|
|
2049
|
+
|
|
1817
2050
|
// The type of the most recent non-expired override or POAM governing this requirement.
|
|
1818
2051
|
// Indicates why the requirement is in its current state (e.g., waiver, falsePositive,
|
|
1819
2052
|
// riskAdjustment) or what remediation is being tracked (poam). Absent when no overrides or
|
|
@@ -1876,47 +2109,47 @@ const (
|
|
|
1876
2109
|
// The type of identifier. Use 'email' for email addresses, 'username' for user accounts,
|
|
1877
2110
|
// 'system' for automated systems, 'simple' for basic string identifiers without additional
|
|
1878
2111
|
// classification, or 'other' for custom identity systems.
|
|
1879
|
-
type
|
|
2112
|
+
type IdentityType string
|
|
1880
2113
|
|
|
1881
2114
|
const (
|
|
1882
|
-
Email
|
|
1883
|
-
|
|
1884
|
-
|
|
1885
|
-
|
|
1886
|
-
Username
|
|
2115
|
+
Email IdentityType = "email"
|
|
2116
|
+
IdentityTypeOther IdentityType = "other"
|
|
2117
|
+
IdentityTypeSystem IdentityType = "system"
|
|
2118
|
+
Simple IdentityType = "simple"
|
|
2119
|
+
Username IdentityType = "username"
|
|
1887
2120
|
)
|
|
1888
2121
|
|
|
1889
2122
|
// The type of evidence being provided.
|
|
1890
2123
|
type EvidenceType string
|
|
1891
2124
|
|
|
1892
2125
|
const (
|
|
1893
|
-
Code
|
|
1894
|
-
|
|
1895
|
-
|
|
1896
|
-
Log
|
|
1897
|
-
Screenshot
|
|
1898
|
-
URL
|
|
2126
|
+
Code EvidenceType = "code"
|
|
2127
|
+
EvidenceTypeOther EvidenceType = "other"
|
|
2128
|
+
File EvidenceType = "file"
|
|
2129
|
+
Log EvidenceType = "log"
|
|
2130
|
+
Screenshot EvidenceType = "screenshot"
|
|
2131
|
+
URL EvidenceType = "url"
|
|
1899
2132
|
)
|
|
1900
2133
|
|
|
1901
2134
|
// Current status of this milestone.
|
|
1902
|
-
type
|
|
2135
|
+
type MilestoneStatus string
|
|
1903
2136
|
|
|
1904
2137
|
const (
|
|
1905
|
-
Completed
|
|
1906
|
-
InProgress
|
|
1907
|
-
Pending
|
|
2138
|
+
Completed MilestoneStatus = "completed"
|
|
2139
|
+
InProgress MilestoneStatus = "inProgress"
|
|
2140
|
+
Pending MilestoneStatus = "pending"
|
|
1908
2141
|
)
|
|
1909
2142
|
|
|
1910
2143
|
// The type of POA&M. 'remediation' fixes root cause. 'mitigation' reduces risk via
|
|
1911
2144
|
// compensating controls. 'riskAcceptance' documents decision to accept risk.
|
|
1912
2145
|
// 'vendorDependency' tracks a fix that depends on a vendor releasing a patch or update.
|
|
1913
|
-
type
|
|
2146
|
+
type POAMType string
|
|
1914
2147
|
|
|
1915
2148
|
const (
|
|
1916
|
-
Mitigation
|
|
1917
|
-
|
|
1918
|
-
|
|
1919
|
-
VendorDependency
|
|
2149
|
+
Mitigation POAMType = "mitigation"
|
|
2150
|
+
POAMTypeRemediation POAMType = "remediation"
|
|
2151
|
+
RiskAcceptance POAMType = "riskAcceptance"
|
|
2152
|
+
VendorDependency POAMType = "vendorDependency"
|
|
1920
2153
|
)
|
|
1921
2154
|
|
|
1922
2155
|
// Explicit severity rating. Typically derived from impact score but provided explicitly for
|
|
@@ -1926,11 +2159,49 @@ const (
|
|
|
1926
2159
|
type Severity string
|
|
1927
2160
|
|
|
1928
2161
|
const (
|
|
1929
|
-
|
|
1930
|
-
|
|
1931
|
-
|
|
1932
|
-
|
|
1933
|
-
|
|
2162
|
+
Informational Severity = "informational"
|
|
2163
|
+
SeverityCritical Severity = "critical"
|
|
2164
|
+
SeverityHigh Severity = "high"
|
|
2165
|
+
SeverityLow Severity = "low"
|
|
2166
|
+
SeverityMedium Severity = "medium"
|
|
2167
|
+
)
|
|
2168
|
+
|
|
2169
|
+
// Structured controlled-vocabulary classification for why this override applies.
|
|
2170
|
+
// Complements (does not replace) the free-text 'reason' field. Most useful on falsePositive
|
|
2171
|
+
// and attestation overrides where the structured category enables filtering and lossless
|
|
2172
|
+
// round-trip with VEX / OSCAL / FedRAMP DR. See the Justification primitive for the
|
|
2173
|
+
// precedent vocabulary and rationale.
|
|
2174
|
+
//
|
|
2175
|
+
// Structured controlled-vocabulary reason for an override, complementing the free-text
|
|
2176
|
+
// 'reason' field. 'reason' carries the human-readable rationale an auditor reads;
|
|
2177
|
+
// 'justification' carries the machine-readable category enabling filtering, aggregation,
|
|
2178
|
+
// and lossless round-trip with structured ecosystems (VEX, OSCAL, FedRAMP DR). Both fields
|
|
2179
|
+
// may be present simultaneously and are NOT redundant: 'reason' explains the specific
|
|
2180
|
+
// circumstance; 'justification' classifies it. Authors SHOULD populate both when a
|
|
2181
|
+
// controlled-vocabulary value applies — the enum value alone is not self-explanatory to an
|
|
2182
|
+
// auditor. The vocabulary is drawn from the VEX ecosystem: the first five values are common
|
|
2183
|
+
// across OpenVEX, CSAF VEX, and CycloneDX VEX; the remaining six (requires_configuration /
|
|
2184
|
+
// requires_dependency / requires_environment / protected_by_compiler / protected_at_runtime
|
|
2185
|
+
// / protected_at_perimeter) are CycloneDX-specific and describe why the vulnerable code
|
|
2186
|
+
// path is unreachable in the deployed configuration. The enum is extended additively across
|
|
2187
|
+
// schema versions as other ecosystems' controlled vocabularies are integrated; documents
|
|
2188
|
+
// using values added in a newer schema version will fail validation against an older
|
|
2189
|
+
// schema. Consumers SHOULD validate against the schema version declared by the document
|
|
2190
|
+
// ($schema) rather than assume a fixed vocabulary.
|
|
2191
|
+
type Justification string
|
|
2192
|
+
|
|
2193
|
+
const (
|
|
2194
|
+
ComponentNotPresent Justification = "component_not_present"
|
|
2195
|
+
InlineMitigationsAlreadyExist Justification = "inline_mitigations_already_exist"
|
|
2196
|
+
ProtectedAtPerimeter Justification = "protected_at_perimeter"
|
|
2197
|
+
ProtectedAtRuntime Justification = "protected_at_runtime"
|
|
2198
|
+
ProtectedByCompiler Justification = "protected_by_compiler"
|
|
2199
|
+
RequiresConfiguration Justification = "requires_configuration"
|
|
2200
|
+
RequiresDependency Justification = "requires_dependency"
|
|
2201
|
+
RequiresEnvironment Justification = "requires_environment"
|
|
2202
|
+
VulnerableCodeCannotBeControlledByAdversary Justification = "vulnerable_code_cannot_be_controlled_by_adversary"
|
|
2203
|
+
VulnerableCodeNotInExecutePath Justification = "vulnerable_code_not_in_execute_path"
|
|
2204
|
+
VulnerableCodeNotPresent Justification = "vulnerable_code_not_present"
|
|
1934
2205
|
)
|
|
1935
2206
|
|
|
1936
2207
|
// How this requirement is intended to be verified. Disambiguates the two cases that null
|
|
@@ -1966,30 +2237,28 @@ const (
|
|
|
1966
2237
|
)
|
|
1967
2238
|
|
|
1968
2239
|
// Format of the SBOM (embedded or referenced). Required when sbom or sbomRef is present.
|
|
1969
|
-
type
|
|
2240
|
+
type SBOMFormat string
|
|
1970
2241
|
|
|
1971
2242
|
const (
|
|
1972
|
-
Cyclonedx
|
|
1973
|
-
Spdx
|
|
2243
|
+
Cyclonedx SBOMFormat = "cyclonedx"
|
|
2244
|
+
Spdx SBOMFormat = "spdx"
|
|
1974
2245
|
)
|
|
1975
2246
|
|
|
1976
|
-
//
|
|
1977
|
-
|
|
1978
|
-
// IP address of the host.
|
|
1979
|
-
type Copyright string
|
|
2247
|
+
// Component type discriminator. Same values as Target types.
|
|
2248
|
+
type TargetType string
|
|
1980
2249
|
|
|
1981
2250
|
const (
|
|
1982
|
-
Application
|
|
1983
|
-
Artifact
|
|
1984
|
-
CloudAccount
|
|
1985
|
-
CloudResource
|
|
1986
|
-
ContainerImage
|
|
1987
|
-
ContainerInstance
|
|
1988
|
-
ContainerPlatform
|
|
1989
|
-
Database
|
|
1990
|
-
Host
|
|
1991
|
-
Network
|
|
1992
|
-
Repository
|
|
2251
|
+
Application TargetType = "application"
|
|
2252
|
+
Artifact TargetType = "artifact"
|
|
2253
|
+
CloudAccount TargetType = "cloudAccount"
|
|
2254
|
+
CloudResource TargetType = "cloudResource"
|
|
2255
|
+
ContainerImage TargetType = "containerImage"
|
|
2256
|
+
ContainerInstance TargetType = "containerInstance"
|
|
2257
|
+
ContainerPlatform TargetType = "containerPlatform"
|
|
2258
|
+
Database TargetType = "database"
|
|
2259
|
+
Host TargetType = "host"
|
|
2260
|
+
Network TargetType = "network"
|
|
2261
|
+
Repository TargetType = "repository"
|
|
1993
2262
|
)
|
|
1994
2263
|
|
|
1995
2264
|
// The category of this annotation.
|
|
@@ -2011,10 +2280,10 @@ const (
|
|
|
2011
2280
|
type BaselineDiffState string
|
|
2012
2281
|
|
|
2013
2282
|
const (
|
|
2014
|
-
|
|
2015
|
-
|
|
2016
|
-
|
|
2017
|
-
|
|
2283
|
+
BaselineDiffStateAbsent BaselineDiffState = "absent"
|
|
2284
|
+
BaselineDiffStateNew BaselineDiffState = "new"
|
|
2285
|
+
BaselineDiffStateUnchanged BaselineDiffState = "unchanged"
|
|
2286
|
+
BaselineDiffStateUpdated BaselineDiffState = "updated"
|
|
2018
2287
|
)
|
|
2019
2288
|
|
|
2020
2289
|
// The mode of comparison being performed.
|
|
@@ -2123,10 +2392,10 @@ const (
|
|
|
2123
2392
|
type PackageDiffState string
|
|
2124
2393
|
|
|
2125
2394
|
const (
|
|
2126
|
-
Added
|
|
2127
|
-
|
|
2128
|
-
|
|
2129
|
-
Removed
|
|
2395
|
+
Added PackageDiffState = "added"
|
|
2396
|
+
PackageDiffStateUnchanged PackageDiffState = "unchanged"
|
|
2397
|
+
PackageDiffStateUpdated PackageDiffState = "updated"
|
|
2398
|
+
Removed PackageDiffState = "removed"
|
|
2130
2399
|
)
|
|
2131
2400
|
|
|
2132
2401
|
// The original format of the source document before conversion to HDF.
|
|
@@ -2357,8 +2626,3 @@ func marshalUnion(pi *int64, pf *float64, pb *bool, ps *string, haveArray bool,
|
|
|
2357
2626
|
}
|
|
2358
2627
|
return nil, errors.New("Union must not be null")
|
|
2359
2628
|
}
|
|
2360
|
-
|
|
2361
|
-
// Backward-compatible aliases for renamed constants.
|
|
2362
|
-
const (
|
|
2363
|
-
CopyrightApplication = Application
|
|
2364
|
-
)
|