@mitre/hdf-schema 3.2.0 → 3.3.1

package/dist/ts/hdf-baseline.d.ts

@@ -1,549 +0,0 @@
-/**
- * Information on the set of requirements that can be assessed, including baseline metadata
- * and requirement definitions.
- *
- * Shared metadata fields for baselines. Used in both standalone baseline documents and
- * evaluated baseline results.
- */
-export interface HdfBaseline {
-    /**
-     * The set of dependencies this baseline depends on.
-     */
-    depends?: Dependency[];
-    /**
-     * The tool that generated this file.
-     */
-    generator?: Generator;
-    /**
-     * A set of descriptions for the requirement groups.
-     */
-    groups?: RequirementGroup[];
-    /**
-     * The input(s) or attribute(s) to be used in the run.
-     */
-    inputs?: Input[];
-    /**
-     * Cryptographic integrity information for verifying this baseline has not been tampered
-     * with.
-     */
-    integrity?: Integrity;
-    /**
-     * Optional reference to automated remediation resources (Ansible playbooks, Terraform
-     * scripts, etc.) for implementing the security controls defined in this baseline.
-     */
-    remediation?: Remediation;
-    /**
-     * The set of requirements - contains no findings as the assessment has not yet occurred.
-     */
-    requirements: BaselineRequirement[];
-    /**
-     * The name - must be unique.
-     */
-    name: string;
-    /**
-     * The copyright holder(s).
-     */
-    copyright?: string;
-    /**
-     * The email address or other contact information of the copyright holder(s).
-     */
-    copyrightEmail?: string;
-    /**
-     * Optional key-value labels for flexible grouping. Well-known keys: system, component,
-     * environment, region, team. Values must be strings.
-     */
-    labels?: {
-        [key: string]: string;
-    };
-    /**
-     * The copyright license. Example: 'Apache-2.0'.
-     */
-    license?: string;
-    /**
-     * The maintainer(s).
-     */
-    maintainer?: string;
-    /**
-     * The status. Example: 'loaded'.
-     */
-    status?: string;
-    /**
-     * The summary. Example: the Security Technical Implementation Guide (STIG) header.
-     */
-    summary?: string;
-    /**
-     * The set of supported platform targets.
-     */
-    supports?: SupportedPlatform[];
-    /**
-     * The title - should be human readable.
-     */
-    title?: string;
-    /**
-     * The version of the baseline.
-     */
-    version?: string;
-    [property: string]: any;
-}
-/**
- * A dependency for a baseline. Can include relative paths or URLs for where to find the
- * dependency.
- */
-export interface Dependency {
-    /**
-     * The branch name for a git repo.
-     */
-    branch?: string;
-    /**
-     * The 'user/profilename' attribute for an Automate server.
-     */
-    compliance?: string;
-    /**
-     * The location of the git repo. Example:
-     * 'https://github.com/my-org/ubuntu-22.04-stig-baseline.git'.
-     */
-    git?: string;
-    /**
-     * The name or assigned alias.
-     */
-    name?: string;
-    /**
-     * The relative path if the dependency is locally available.
-     */
-    path?: string;
-    /**
-     * The status. Should be: 'loaded', 'failed', or 'skipped'.
-     */
-    status?: string;
-    /**
-     * The reason for the status if it is 'failed' or 'skipped'.
-     */
-    statusMessage?: string;
-    /**
-     * The 'user/profilename' attribute for a Supermarket server.
-     */
-    supermarket?: string;
-    /**
-     * The address of the dependency.
-     */
-    url?: string;
-    [property: string]: any;
-}
-/**
- * The tool that generated this file.
- *
- * Information about the tool that generated this HDF file.
- */
-export interface Generator {
-    /**
-     * The name of the software that produced this HDF file. Example: 'gosec-to-hdf'.
-     */
-    name: string;
-    /**
-     * The version of the tool. Example: '5.22.3'.
-     */
-    version: string;
-    [property: string]: any;
-}
-/**
- * Describes a group of requirements, such as those defined in a single file.
- */
-export interface RequirementGroup {
-    /**
-     * The unique identifier for the group. Example: the relative path to the file specifying
-     * the requirements.
-     */
-    id: string;
-    /**
-     * The set of requirements as specified by their ids in this group. Example: 'SV-238196'.
-     */
-    requirements: string[];
-    /**
-     * The title of the group - should be human readable.
-     */
-    title?: string;
-    [property: string]: any;
-}
-/**
- * A typed input parameter that bridges governance requirements and scanner automation.
- * Inputs carry expected configuration values with type information, comparison operators,
- * and validation constraints, enabling traceability from policy through to scan results.
- */
-export interface Input {
-    /**
-     * Validation constraints for the input value.
-     */
-    constraints?: InputConstraints;
-    /**
-     * Human-readable description of what this input controls.
-     */
-    description?: string;
-    /**
-     * The input name. Must be unique within a baseline or results document. Example:
-     * 'max_concurrent_sessions'.
-     */
-    name: string;
-    /**
-     * The comparison operator used when evaluating this input against observed values.
-     */
-    operator?: ComparisonOperator;
-    /**
-     * Whether this input must be provided. Defaults to false if omitted.
-     */
-    required?: boolean;
-    /**
-     * Whether this input contains sensitive data (passwords, keys). Sensitive values should be
-     * redacted in output. Defaults to false if omitted.
-     */
-    sensitive?: boolean;
-    /**
-     * The data type of this input.
-     */
-    type?: InputType;
-    /**
-     * The input value. Type should match the declared type field. Accepts any JSON value.
-     */
-    value?: any;
-    [property: string]: any;
-}
-/**
- * Validation constraints for the input value.
- *
- * Validation constraints for an input value.
- */
-export interface InputConstraints {
-    /**
-     * Enumeration of permitted values.
-     */
-    allowedValues?: any[];
-    /**
-     * Maximum allowed value (for Numeric inputs).
-     */
-    max?: number;
-    /**
-     * Minimum allowed value (for Numeric inputs).
-     */
-    min?: number;
-    /**
-     * Regular expression pattern the value must match (for String inputs).
-     */
-    pattern?: string;
-    [property: string]: any;
-}
-/**
- * The comparison operator used when evaluating this input against observed values.
- *
- * Comparison operator for evaluating the input value against observed values. Numeric:
- * eq/ne/lt/le/gt/ge. String: eq/ne/contains/matches. Collection: in/notIn.
- */
-export declare enum ComparisonOperator {
-    Contains = "contains",
-    Eq = "eq",
-    Ge = "ge",
-    Gt = "gt",
-    In = "in",
-    LE = "le",
-    Lt = "lt",
-    Matches = "matches",
-    Ne = "ne",
-    NotIn = "notIn"
-}
-/**
- * The data type of this input.
- *
- * The data type of the input value. Aligns with InSpec input types.
- */
-export declare enum InputType {
-    Array = "Array",
-    Boolean = "Boolean",
-    Hash = "Hash",
-    Numeric = "Numeric",
-    Regexp = "Regexp",
-    String = "String"
-}
-/**
- * Cryptographic integrity information for verifying this baseline has not been tampered
- * with.
- *
- * Cryptographic integrity information for verifying the HDF file has not been tampered
- * with. If algorithm is provided, checksum must also be provided, and vice versa.
- */
-export interface Integrity {
-    /**
-     * The hash algorithm used for the checksum.
-     */
-    algorithm?: HashAlgorithm;
-    /**
-     * The checksum value.
-     */
-    checksum?: string;
-    /**
-     * Optional cryptographic signature.
-     */
-    signature?: string;
-    /**
-     * Identifier of who signed this file.
-     */
-    signedBy?: string;
-    [property: string]: any;
-}
-/**
- * The hash algorithm used for the checksum.
- *
- * Supported cryptographic hash algorithms for checksums and integrity verification.
- */
-export declare enum HashAlgorithm {
-    Sha256 = "sha256",
-    Sha384 = "sha384",
-    Sha512 = "sha512"
-}
-/**
- * Optional reference to automated remediation resources (Ansible playbooks, Terraform
- * scripts, etc.) for implementing the security controls defined in this baseline.
- *
- * Reference to automated remediation resources for implementing security controls. Points
- * to external automation content like Ansible playbooks, Terraform scripts, or
- * vendor-provided remediation tools.
- */
-export interface Remediation {
-    /**
-     * Optional cryptographic checksum for verifying the integrity of remediation resources
-     * fetched from the URI. Recommended for security when referencing external automation
-     * scripts.
-     */
-    checksum?: Checksum;
-    /**
-     * URI pointing to automated remediation resources (Ansible playbooks, Terraform scripts,
-     * etc.). Examples: GitHub repository, DISA STIG Supplemental Automation Content,
-     * vendor-provided scripts.
-     */
-    uri: string;
-    [property: string]: any;
-}
-/**
- * Optional cryptographic checksum for verifying the integrity of remediation resources
- * fetched from the URI. Recommended for security when referencing external automation
- * scripts.
- *
- * Cryptographic checksum for baseline integrity verification.
- */
-export interface Checksum {
-    /**
-     * The hash algorithm used for the checksum.
-     */
-    algorithm: HashAlgorithm;
-    /**
-     * The checksum value.
-     */
-    value: string;
-    [property: string]: any;
-}
-/**
- * A requirement definition without assessment results.
- *
- * Core requirement fields shared between baseline requirements and evaluated requirements.
- * Contains the fundamental requirement definition without assessment results.
- */
-export interface BaselineRequirement {
-    /**
-     * Array of labeled descriptions. At least one description with label 'default' must be
-     * present. Convention: place default description first. Common labels: 'default', 'check',
-     * 'fix', 'rationale'.
-     */
-    descriptions: Description[];
-    /**
-     * Explicit severity rating. Typically derived from impact score but provided explicitly for
-     * clarity.
-     */
-    severity?: Severity;
-    /**
-     * The requirement identifier. Example: 'SV-238196'.
-     */
-    id: string;
-    /**
-     * The impactfulness or severity (0.0 to 1.0).
-     */
-    impact: number;
-    /**
-     * A set of tags - usually metadata like CCI, STIG ID, severity.
-     */
-    tags: {
-        [key: string]: any;
-    };
-    /**
-     * Whether the requirement is mandatory within its baseline. Distinct from severity (risk
-     * weight) and status (lifecycle state). Maps cleanly onto: FedRAMP rev5 OSCAL 'CORE' prop,
-     * FedRAMP 20x inline 'Optional:' markers, CMMC sublevel rows, and CIS Implementation Group
-     * memberships (IG1/IG2/IG3 may carry richer semantics; layer those onto props[]/tags{}).
-     * Optional: when omitted, consumers should treat the requirement as 'required' by
-     * convention.
-     */
-    applicability?: Applicability;
-    /**
-     * The raw source code of the requirement. Set to null for manual-only requirements or
-     * requirements not yet implemented; use verificationMethod to disambiguate manual-by-design
-     * from manual-pending-automation. Note that if this is an overlay, it does not include the
-     * underlying source code.
-     */
-    code?: string;
-    /**
-     * Classification of the control's nature, aligning with NIST SP 800-53 / SP 800-53A
-     * categories. 'policy' = an authored governance statement; 'procedure' = a documented
-     * process; 'technical' = an enforced technical configuration; 'management' = a
-     * programmatic/management activity; 'operational' = a recurring operational activity (e.g.
-     * AT, IR, MA families). Optional: when omitted, consumers may infer heuristically from
-     * family/id but should not assume a default.
-     */
-    controlType?: ControlType;
-    /**
-     * The set of references to external documents.
-     */
-    refs?: Reference[];
-    /**
-     * The explicit location of the requirement within the source code.
-     */
-    sourceLocation?: SourceLocation;
-    /**
-     * The title - is nullable.
-     */
-    title?: string;
-    /**
-     * How this requirement is intended to be verified. Disambiguates the two cases that null
-     * 'code' overloads: 'manual-by-design' (the requirement is statement-form and not amenable
-     * to automation, e.g. FedRAMP 20x KSIs); 'manual-pending-automation' (automation could
-     * exist but does not yet, e.g. a STIG rule lacking a fix). 'automated' = a check exists and
-     * runs without operator action; 'hybrid' = part automated, part manual. Optional: when
-     * omitted, consumers should not infer a default.
-     */
-    verificationMethod?: VerificationMethodEnum;
-    [property: string]: any;
-}
-/**
- * Whether the requirement is mandatory within its baseline. Distinct from severity (risk
- * weight) and status (lifecycle state). Maps cleanly onto: FedRAMP rev5 OSCAL 'CORE' prop,
- * FedRAMP 20x inline 'Optional:' markers, CMMC sublevel rows, and CIS Implementation Group
- * memberships (IG1/IG2/IG3 may carry richer semantics; layer those onto props[]/tags{}).
- * Optional: when omitted, consumers should treat the requirement as 'required' by
- * convention.
- */
-export declare enum Applicability {
-    Advisory = "advisory",
-    Optional = "optional",
-    Required = "required"
-}
-/**
- * Classification of the control's nature, aligning with NIST SP 800-53 / SP 800-53A
- * categories. 'policy' = an authored governance statement; 'procedure' = a documented
- * process; 'technical' = an enforced technical configuration; 'management' = a
- * programmatic/management activity; 'operational' = a recurring operational activity (e.g.
- * AT, IR, MA families). Optional: when omitted, consumers may infer heuristically from
- * family/id but should not assume a default.
- */
-export declare enum ControlType {
-    Management = "management",
-    Operational = "operational",
-    Policy = "policy",
-    Procedure = "procedure",
-    Technical = "technical"
-}
-export interface Description {
-    /**
-     * The description text content.
-     */
-    data: string;
-    /**
-     * Description category. The 'default' label is required for the primary description. Common
-     * labels: 'default', 'check', 'fix', 'rationale'. Tools may use custom labels.
-     */
-    label: string;
-    [property: string]: any;
-}
-/**
- * A reference to an external document.
- *
- * A reference using the 'ref' field.
- *
- * A URL pointing at the reference.
- *
- * A URI pointing at the reference.
- */
-export interface Reference {
-    ref?: {
-        [key: string]: any;
-    }[] | string;
-    url?: string;
-    uri?: string;
-    [property: string]: any;
-}
-/**
- * Explicit severity rating. Typically derived from impact score but provided explicitly for
- * clarity.
- *
- * Severity rating for a requirement. Typically derived from the numeric impact score.
- */
-export declare enum Severity {
-    Critical = "critical",
-    High = "high",
-    Informational = "informational",
-    Low = "low",
-    Medium = "medium"
-}
-/**
- * The explicit location of the requirement within the source code.
- *
- * The explicit location of a requirement within source code.
- */
-export interface SourceLocation {
-    /**
-     * The line on which this requirement is located.
-     */
-    line?: number;
-    /**
-     * Path to the file that this requirement originates from.
-     */
-    ref?: string;
-    [property: string]: any;
-}
-/**
- * How this requirement is intended to be verified. Disambiguates the two cases that null
- * 'code' overloads: 'manual-by-design' (the requirement is statement-form and not amenable
- * to automation, e.g. FedRAMP 20x KSIs); 'manual-pending-automation' (automation could
- * exist but does not yet, e.g. a STIG rule lacking a fix). 'automated' = a check exists and
- * runs without operator action; 'hybrid' = part automated, part manual. Optional: when
- * omitted, consumers should not infer a default.
- *
- * How a requirement is intended to be verified. Disambiguates the two cases that null
- * 'code' overloads: 'manual-by-design' (the requirement is statement-form and not amenable
- * to automation, e.g. FedRAMP 20x KSIs); 'manual-pending-automation' (automation could
- * exist but does not yet, e.g. a STIG rule lacking a fix). 'automated' = a check exists and
- * runs without operator action; 'hybrid' = part automated, part manual. Named '_Enum' to
- * disambiguate from the unrelated Verification_Method DID-context struct.
- */
-export declare enum VerificationMethodEnum {
-    Automated = "automated",
-    Hybrid = "hybrid",
-    ManualByDesign = "manual-by-design",
-    ManualPendingAutomation = "manual-pending-automation"
-}
-/**
- * A supported platform target. Example: the platform name being 'ubuntu'.
- */
-export interface SupportedPlatform {
-    /**
-     * The location of the platform. Can be: 'os', 'aws', 'azure', or 'gcp'.
-     */
-    platform?: string;
-    /**
-     * The platform family. Example: 'redhat'.
-     */
-    platformFamily?: string;
-    /**
-     * The platform name - can include wildcards. Example: 'debian'.
-     */
-    platformName?: string;
-    /**
-     * The release of the platform. Example: '20.04' for 'ubuntu'.
-     */
-    release?: string;
-    [property: string]: any;
-}

package/dist/ts/hdf-baseline.js

@@ -1,110 +0,0 @@
-/**
- * The comparison operator used when evaluating this input against observed values.
- *
- * Comparison operator for evaluating the input value against observed values. Numeric:
- * eq/ne/lt/le/gt/ge. String: eq/ne/contains/matches. Collection: in/notIn.
- */
-export var ComparisonOperator;
-(function (ComparisonOperator) {
-    ComparisonOperator["Contains"] = "contains";
-    ComparisonOperator["Eq"] = "eq";
-    ComparisonOperator["Ge"] = "ge";
-    ComparisonOperator["Gt"] = "gt";
-    ComparisonOperator["In"] = "in";
-    ComparisonOperator["LE"] = "le";
-    ComparisonOperator["Lt"] = "lt";
-    ComparisonOperator["Matches"] = "matches";
-    ComparisonOperator["Ne"] = "ne";
-    ComparisonOperator["NotIn"] = "notIn";
-})(ComparisonOperator || (ComparisonOperator = {}));
-/**
- * The data type of this input.
- *
- * The data type of the input value. Aligns with InSpec input types.
- */
-export var InputType;
-(function (InputType) {
-    InputType["Array"] = "Array";
-    InputType["Boolean"] = "Boolean";
-    InputType["Hash"] = "Hash";
-    InputType["Numeric"] = "Numeric";
-    InputType["Regexp"] = "Regexp";
-    InputType["String"] = "String";
-})(InputType || (InputType = {}));
-/**
- * The hash algorithm used for the checksum.
- *
- * Supported cryptographic hash algorithms for checksums and integrity verification.
- */
-export var HashAlgorithm;
-(function (HashAlgorithm) {
-    HashAlgorithm["Sha256"] = "sha256";
-    HashAlgorithm["Sha384"] = "sha384";
-    HashAlgorithm["Sha512"] = "sha512";
-})(HashAlgorithm || (HashAlgorithm = {}));
-/**
- * Whether the requirement is mandatory within its baseline. Distinct from severity (risk
- * weight) and status (lifecycle state). Maps cleanly onto: FedRAMP rev5 OSCAL 'CORE' prop,
- * FedRAMP 20x inline 'Optional:' markers, CMMC sublevel rows, and CIS Implementation Group
- * memberships (IG1/IG2/IG3 may carry richer semantics; layer those onto props[]/tags{}).
- * Optional: when omitted, consumers should treat the requirement as 'required' by
- * convention.
- */
-export var Applicability;
-(function (Applicability) {
-    Applicability["Advisory"] = "advisory";
-    Applicability["Optional"] = "optional";
-    Applicability["Required"] = "required";
-})(Applicability || (Applicability = {}));
-/**
- * Classification of the control's nature, aligning with NIST SP 800-53 / SP 800-53A
- * categories. 'policy' = an authored governance statement; 'procedure' = a documented
- * process; 'technical' = an enforced technical configuration; 'management' = a
- * programmatic/management activity; 'operational' = a recurring operational activity (e.g.
- * AT, IR, MA families). Optional: when omitted, consumers may infer heuristically from
- * family/id but should not assume a default.
- */
-export var ControlType;
-(function (ControlType) {
-    ControlType["Management"] = "management";
-    ControlType["Operational"] = "operational";
-    ControlType["Policy"] = "policy";
-    ControlType["Procedure"] = "procedure";
-    ControlType["Technical"] = "technical";
-})(ControlType || (ControlType = {}));
-/**
- * Explicit severity rating. Typically derived from impact score but provided explicitly for
- * clarity.
- *
- * Severity rating for a requirement. Typically derived from the numeric impact score.
- */
-export var Severity;
-(function (Severity) {
-    Severity["Critical"] = "critical";
-    Severity["High"] = "high";
-    Severity["Informational"] = "informational";
-    Severity["Low"] = "low";
-    Severity["Medium"] = "medium";
-})(Severity || (Severity = {}));
-/**
- * How this requirement is intended to be verified. Disambiguates the two cases that null
- * 'code' overloads: 'manual-by-design' (the requirement is statement-form and not amenable
- * to automation, e.g. FedRAMP 20x KSIs); 'manual-pending-automation' (automation could
- * exist but does not yet, e.g. a STIG rule lacking a fix). 'automated' = a check exists and
- * runs without operator action; 'hybrid' = part automated, part manual. Optional: when
- * omitted, consumers should not infer a default.
- *
- * How a requirement is intended to be verified. Disambiguates the two cases that null
- * 'code' overloads: 'manual-by-design' (the requirement is statement-form and not amenable
- * to automation, e.g. FedRAMP 20x KSIs); 'manual-pending-automation' (automation could
- * exist but does not yet, e.g. a STIG rule lacking a fix). 'automated' = a check exists and
- * runs without operator action; 'hybrid' = part automated, part manual. Named '_Enum' to
- * disambiguate from the unrelated Verification_Method DID-context struct.
- */
-export var VerificationMethodEnum;
-(function (VerificationMethodEnum) {
-    VerificationMethodEnum["Automated"] = "automated";
-    VerificationMethodEnum["Hybrid"] = "hybrid";
-    VerificationMethodEnum["ManualByDesign"] = "manual-by-design";
-    VerificationMethodEnum["ManualPendingAutomation"] = "manual-pending-automation";
-})(VerificationMethodEnum || (VerificationMethodEnum = {}));