{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://mitre.github.io/hdf-libs/schemas/hdf-results/v3.1.0",
  "type": "object",
  "unevaluatedProperties": false,
  "required": [
    "baselines"
  ],
  "properties": {
    "id": {
      "type": "string",
      "format": "uuid",
      "description": "Unique identifier for this assessment run."
    },
    "timestamp": {
      "type": "string",
      "format": "date-time",
      "description": "When this assessment was executed."
    },
    "components": {
      "type": "array",
      "items": {
        "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/component/v3.1.0#/$defs/Component"
      },
      "description": "The components that were assessed. Each component describes a system element (host, container, cloud resource, application, etc.) with optional identity, SBOM, and external references."
    },
    "baselines": {
      "type": "array",
      "items": {
        "$ref": "#/$defs/Evaluated_Baseline"
      },
      "description": "Information on the baselines that were evaluated, including findings."
    },
    "statistics": {
      "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/statistics/v3.1.0#/$defs/Statistics",
      "description": "Statistics for the assessment run, including duration and result counts."
    },
    "generator": {
      "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.1.0#/$defs/Generator",
      "description": "Information about the tool that generated this file."
    },
    "tool": {
      "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.1.0#/$defs/Tool",
      "description": "The security tool that produced the assessment data in this file."
    },
    "integrity": {
      "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.1.0#/$defs/Integrity",
      "description": "Cryptographic integrity information for verifying this file."
    },
    "runner": {
      "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/runner/v3.1.0#/$defs/Runner",
      "description": "Information about the test execution environment where the security tool was run. Distinct from targets (what is being tested)."
    },
    "remediation": {
      "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Remediation",
      "description": "Optional reference to automated remediation resources (Ansible playbooks, Terraform scripts, etc.) for fixing failing requirements found in this assessment."
    },
    "systemRef": {
      "type": "string",
      "format": "uri-reference",
      "description": "Reference to an hdf-system document describing the system under assessment. May be a relative path, absolute URI, or fragment identifier."
    },
    "planRef": {
      "type": "string",
      "format": "uri-reference",
      "description": "Reference to an hdf-plan document describing the assessment plan that produced these results. May be a relative path, absolute URI, or fragment identifier."
    },
    "extensions": {
      "type": "object",
      "additionalProperties": true,
      "description": "Reserved for tool-specific data not defined in the HDF standard. Use this to preserve original tool output, auxiliary data, or custom metadata."
    }
  },
  "examples": [
    {
      "baselines": [
        {
          "name": "web-server-hardening",
          "title": "Web Server Security Baseline",
          "version": "1.0.0",
          "summary": "Security hardening checks for Apache HTTP Server",
          "requirements": [
            {
              "id": "SV-100001",
              "title": "Web server must use TLS 1.2 or higher",
              "impact": 0.7,
              "tags": {
                "nist": [
                  "SC-8",
                  "SC-23"
                ]
              },
              "descriptions": [
                {
                  "label": "default",
                  "data": "The web server must be configured to use TLS 1.2 or higher for all encrypted connections."
                }
              ],
              "results": [
                {
                  "status": "passed",
                  "codeDesc": "SSL configuration is expected to include TLSv1.2",
                  "startTime": "2025-06-15T14:30:00Z",
                  "runTime": 0.042
                }
              ]
            },
            {
              "id": "SV-100002",
              "title": "Web server must have X-Frame-Options header set",
              "impact": 0.5,
              "tags": {
                "nist": [
                  "SA-11",
                  "RA-5"
                ]
              },
              "descriptions": [
                {
                  "label": "default",
                  "data": "The anti-clickjacking X-Frame-Options header must be present on all responses."
                }
              ],
              "results": [
                {
                  "status": "failed",
                  "codeDesc": "HTTP response headers are expected to include X-Frame-Options",
                  "startTime": "2025-06-15T14:30:01Z",
                  "message": "X-Frame-Options header not found in response"
                }
              ]
            }
          ]
        }
      ],
      "components": [
        {
          "type": "application",
          "name": "Apache HTTP Server 2.4"
        }
      ],
      "generator": {
        "name": "nikto-to-hdf",
        "version": "1.0.0"
      },
      "tool": {
        "name": "Nikto"
      }
    }
  ],
  "description": "The top-level value containing all assessment results.",
  "title": "HDF Results",
  "$defs": {
    "Evaluated_Baseline": {
      "type": "object",
      "unevaluatedProperties": false,
      "required": [
        "name",
        "requirements"
      ],
      "allOf": [
        {
          "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Baseline_Metadata"
        }
      ],
      "properties": {
        "depends": {
          "type": "array",
          "items": {
            "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Dependency"
          },
          "description": "The set of dependencies declared by this baseline."
        },
        "parentBaseline": {
          "type": "string",
          "description": "The name of the parent baseline if this is a dependency of another."
        },
        "description": {
          "type": "string",
          "description": "A detailed description of the baseline; it should be more detailed than the summary."
        },
        "integrity": {
          "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.1.0#/$defs/Integrity",
          "description": "Cryptographic integrity information for verifying this baseline has not been tampered with."
        },
        "originalChecksum": {
          "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Checksum",
          "description": "SHA-256 checksum of the original baseline definition file (before execution). This is an immutable reference to the baseline as defined, used to detect tampering with baseline requirements or metadata."
        },
        "resultsChecksum": {
          "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Checksum",
          "description": "SHA-256 checksum of the raw results before any amendments (statusOverrides or POAMs). Used to detect tampering with test results. Compare with currentChecksum to verify amendment integrity."
        },
        "statusMessage": {
          "type": "string",
          "description": "An explanation of the baseline status. Example: why it was skipped, failed to load, or any other status details."
        },
        "requirements": {
          "type": "array",
          "items": {
            "$ref": "#/$defs/Evaluated_Requirement"
          },
          "minItems": 1,
          "description": "The set of requirements including any findings. A baseline must have at least one requirement."
        },
        "groups": {
          "type": "array",
          "items": {
            "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Requirement_Group"
          },
          "description": "A set of descriptions for the requirement groups."
        },
        "inputs": {
          "type": "array",
          "items": {
            "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/parameter/v3.1.0#/$defs/Input"
          },
          "description": "Typed inputs used to parameterize this baseline at execution time. See the Input primitive for the full schema."
        },
        "extensions": {
          "type": "object",
          "additionalProperties": true,
          "description": "Reserved for tool-specific baseline metadata not defined in the HDF standard."
        }
      },
      "description": "Information on a baseline that was evaluated, including any findings.",
      "title": "Evaluated Baseline"
    },
    "Evaluated_Requirement": {
      "type": "object",
      "unevaluatedProperties": false,
      "required": [
        "id",
        "impact",
        "tags",
        "results",
        "descriptions"
      ],
      "allOf": [
        {
          "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Requirement_Core"
        }
      ],
      "properties": {
        "descriptions": {
          "type": "array",
          "minItems": 1,
          "items": {
            "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.1.0#/$defs/Requirement_Description"
          },
          "contains": {
            "type": "object",
            "required": [
              "label"
            ],
            "properties": {
              "label": {
                "const": "default"
              }
            }
          },
          "description": "Array of labeled descriptions. At least one description with label 'default' must be present. Convention: place default description first. Common labels: 'default', 'check', 'fix', 'rationale'."
        },
        "severity": {
          "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Severity",
          "description": "Explicit severity rating. Typically derived from impact score but provided explicitly for clarity."
        },
        "sourceLocation": {
          "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Source_Location",
          "description": "The explicit location of the requirement within the source code."
        },
        "results": {
          "type": "array",
          "minItems": 1,
          "items": {
            "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.1.0#/$defs/Requirement_Result"
          },
          "description": "The set of all tests within the requirement and their results."
        },
        "statusOverrides": {
          "type": "array",
          "items": {
            "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.1.0#/$defs/Status_Override"
          },
          "description": "History of all overrides applied to this requirement, ordered most recent first (reverse chronological). Overrides are intentional changes to the compliance status and/or impact score (waivers, attestations, false positives, risk adjustments). The full history is preserved as an audit trail."
        },
        "poams": {
          "type": "array",
          "items": {
            "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.1.0#/$defs/POAM"
          },
          "description": "Plan of Action and Milestones for tracking remediation, mitigation, or risk acceptance. POAMs do NOT change effectiveStatus - they track the work being done to address a failure. Separate from statusOverrides which DO change status."
        },
        "effectiveStatus": {
          "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.1.0#/$defs/Result_Status",
          "description": "The current effective compliance status of this requirement after applying the most recent non-expired override with a status field, or computed from results (worst-wins) if no status-bearing overrides exist."
        },
        "effectiveImpact": {
          "type": "number",
          "minimum": 0,
          "maximum": 1,
          "description": "The current effective impact score (0.0–1.0) after applying the most recent non-expired override with an impact field. Absent when no impact overrides apply; consumers should use the requirement's impact field in that case."
        },
        "disposition": {
          "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/amendments/v3.1.0#/$defs/Override_Type",
          "description": "The type of the most recent non-expired override governing this requirement. Indicates why the requirement is in its current state (e.g., waiver, falsePositive, riskAdjustment). Absent when no overrides apply."
        },
        "evidence": {
          "type": "array",
          "items": {
            "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Evidence"
          },
          "description": "Supporting evidence for this requirement's findings, such as screenshots, code samples, or log excerpts."
        }
      },
      "examples": [
        {
          "$comment": "Passing requirement — no overrides, no disposition",
          "id": "SV-230222",
          "title": "RHEL 9 must use SSH protocol version 2",
          "impact": 0.7,
          "tags": {
            "nist": [
              "SC-8"
            ]
          },
          "descriptions": [
            {
              "label": "default",
              "data": "SSH must use protocol version 2."
            }
          ],
          "results": [
            {
              "status": "passed",
              "codeDesc": "sshd_config Protocol is expected to eq 2",
              "startTime": "2026-01-15T10:00:00Z"
            }
          ],
          "effectiveStatus": "passed"
        },
        {
          "$comment": "Waiver — AO accepted risk, status overridden to passed",
          "id": "SV-230300",
          "title": "RHEL 9 must enforce password complexity",
          "impact": 0.5,
          "tags": {
            "nist": [
              "IA-5 (1)"
            ]
          },
          "descriptions": [
            {
              "label": "default",
              "data": "Passwords must meet complexity requirements."
            }
          ],
          "results": [
            {
              "status": "failed",
              "codeDesc": "pwquality.conf minlen is expected to be >= 15",
              "startTime": "2026-01-15T10:00:00Z",
              "message": "expected 8 to be >= 15"
            }
          ],
          "statusOverrides": [
            {
              "type": "waiver",
              "status": "passed",
              "reason": "Compensating control: PIV/CAC smart card authentication enforced for all users, password login disabled",
              "appliedBy": {
                "type": "email",
                "identifier": "ao@agency.gov"
              },
              "appliedAt": "2026-01-20T10:00:00Z",
              "expiresAt": "2026-07-20T00:00:00Z"
            }
          ],
          "effectiveStatus": "passed",
          "disposition": "waiver"
        },
        {
          "$comment": "False positive (compliance scan) — STIG check was wrong, requirement actually passes",
          "id": "SV-230410",
          "title": "RHEL 9 must have sshd PermitRootLogin disabled",
          "impact": 0.7,
          "tags": {
            "nist": [
              "AC-6"
            ]
          },
          "descriptions": [
            {
              "label": "default",
              "data": "Direct root login via SSH must be disabled."
            }
          ],
          "results": [
            {
              "status": "failed",
              "codeDesc": "sshd_config PermitRootLogin is expected to eq 'no'",
              "startTime": "2026-01-15T10:00:00Z",
              "message": "expected 'prohibit-password' to eq 'no'"
            }
          ],
          "statusOverrides": [
            {
              "type": "falsePositive",
              "status": "passed",
              "reason": "Scanner requires literal 'no' but 'prohibit-password' is equally restrictive (disables password-based root login). Manual review confirms root cannot authenticate via SSH.",
              "appliedBy": {
                "type": "email",
                "identifier": "assessor@agency.gov"
              },
              "appliedAt": "2026-01-16T14:00:00Z",
              "expiresAt": "2026-07-16T00:00:00Z"
            }
          ],
          "effectiveStatus": "passed",
          "disposition": "falsePositive"
        },
        {
          "$comment": "False positive (CVE scan) — vulnerability does not apply to this build",
          "id": "CVE-2026-12345",
          "title": "libxml2 buffer overflow in xmlParseEntityDecl",
          "impact": 0.9,
          "tags": {
            "nist": [
              "SI-2",
              "RA-5"
            ]
          },
          "descriptions": [
            {
              "label": "default",
              "data": "Buffer overflow in libxml2 entity parsing allows remote code execution."
            }
          ],
          "results": [
            {
              "status": "failed",
              "codeDesc": "libxml2 >= 2.9.0 is expected to be patched for CVE-2026-12345",
              "startTime": "2026-01-15T10:00:00Z"
            }
          ],
          "statusOverrides": [
            {
              "type": "falsePositive",
              "status": "notApplicable",
              "reason": "CVE scanner matched libxml2 version signature, but the vulnerable entity parsing module is compiled out of our build (--without-legacy flag). The affected code path does not exist in the binary.",
              "appliedBy": {
                "type": "email",
                "identifier": "dev@org.gov"
              },
              "appliedAt": "2026-01-16T09:00:00Z",
              "expiresAt": "2026-07-16T00:00:00Z"
            }
          ],
          "effectiveStatus": "notApplicable",
          "disposition": "falsePositive"
        },
        {
          "$comment": "Risk adjustment — impact lowered, pass/fail unchanged",
          "id": "CVE-2026-67890",
          "title": "OpenSSL timing side-channel in RSA decryption",
          "impact": 0.7,
          "tags": {
            "nist": [
              "SI-2",
              "RA-5"
            ]
          },
          "descriptions": [
            {
              "label": "default",
              "data": "Timing side-channel may allow RSA private key recovery."
            }
          ],
          "results": [
            {
              "status": "failed",
              "codeDesc": "openssl >= 3.1.0 is expected to be patched for CVE-2026-67890",
              "startTime": "2026-01-15T10:00:00Z"
            }
          ],
          "statusOverrides": [
            {
              "type": "riskAdjustment",
              "impact": {
                "value": 0.3
              },
              "reason": "The RSA key exchange path is unreachable in our deployment — all TLS connections use ECDHE. Attack requires local network access to the TLS terminator, which is in an isolated VLAN.",
              "appliedBy": {
                "type": "email",
                "identifier": "security-architect@org.gov"
              },
              "appliedAt": "2026-01-17T10:00:00Z",
              "expiresAt": "2026-07-17T00:00:00Z"
            }
          ],
          "effectiveStatus": "failed",
          "effectiveImpact": 0.3,
          "disposition": "riskAdjustment"
        },
        {
          "$comment": "Operational requirement — cannot remediate, remains open risk",
          "id": "SV-230500",
          "title": "RHEL 9 must disable USB mass storage",
          "impact": 0.5,
          "tags": {
            "nist": [
              "MP-7"
            ]
          },
          "descriptions": [
            {
              "label": "default",
              "data": "USB mass storage kernel module must be disabled."
            }
          ],
          "results": [
            {
              "status": "failed",
              "codeDesc": "Kernel module 'usb-storage' is expected to be disabled",
              "startTime": "2026-01-15T10:00:00Z",
              "message": "usb-storage module is loaded"
            }
          ],
          "statusOverrides": [
            {
              "type": "operationalRequirement",
              "reason": "Air-gapped system requires USB transfer for classified data ingestion per operational procedure OP-2026-003. Compensating controls: USB ports are physically secured, all transfers are logged and require two-person integrity.",
              "appliedBy": {
                "type": "email",
                "identifier": "system-owner@agency.gov"
              },
              "appliedAt": "2026-01-20T10:00:00Z",
              "expiresAt": "2026-07-20T00:00:00Z"
            }
          ],
          "effectiveStatus": "failed",
          "disposition": "operationalRequirement"
        },
        {
          "$comment": "POAM — remediation tracked, status unchanged",
          "id": "SV-230350",
          "title": "RHEL 9 must be patched within 30 days of release",
          "impact": 0.7,
          "tags": {
            "nist": [
              "SI-2"
            ]
          },
          "descriptions": [
            {
              "label": "default",
              "data": "Security patches must be applied within 30 days."
            }
          ],
          "results": [
            {
              "status": "failed",
              "codeDesc": "Package updates are expected to be current within 30 days",
              "startTime": "2026-01-15T10:00:00Z",
              "message": "15 packages have patches older than 30 days"
            }
          ],
          "poams": [
            {
              "type": "remediation",
              "explanation": "Patch deployment blocked by vendor compatibility testing. Vendor confirmed fix for Q2 2026.",
              "appliedBy": {
                "type": "email",
                "identifier": "ops@agency.gov"
              },
              "appliedAt": "2026-01-20T10:00:00Z",
              "milestones": [
                {
                  "description": "Vendor releases compatible patch",
                  "estimatedCompletion": "2026-04-01T00:00:00Z",
                  "status": "pending"
                },
                {
                  "description": "Deploy to production",
                  "estimatedCompletion": "2026-04-15T00:00:00Z",
                  "status": "pending"
                }
              ]
            }
          ],
          "effectiveStatus": "failed",
          "disposition": "poam"
        }
      ],
      "description": "A requirement that has been evaluated, including any findings.",
      "title": "Evaluated Requirement"
    },
    "https://mitre.github.io/hdf-libs/schemas/primitives/component/v3.1.0": {
      "$schema": "https://json-schema.org/draft/2020-12/schema",
      "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/component/v3.1.0",
      "title": "HDF Component Primitives",
      "description": "First-class system component with identity, polymorphic type, SBOM embedding, and system-binding properties. Components are the successor to Targets, adding stable identity (componentId), external system cross-references, and software inventory.",
      "$defs": {
        "Base_Component": {
          "type": "object",
          "additionalProperties": true,
          "required": [
            "type",
            "name"
          ],
          "properties": {
            "type": {
              "type": "string",
              "description": "Component type discriminator. Same values as Target types."
            },
            "name": {
              "type": "string",
              "description": "Human-readable name for this component."
            },
            "componentId": {
              "type": "string",
              "format": "uuid",
              "description": "Stable UUID (RFC 4122) for this component. Required in hdf-system documents, optional in hdf-results. Enables cross-document correlation, diffing, and data flow references."
            },
            "description": {
              "type": "string",
              "description": "Description of this component's role or purpose."
            },
            "owner": {
              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Identity",
              "description": "Team or individual responsible for this component. Enables per-component ownership when different teams manage different parts of a system."
            },
            "externalIds": {
              "type": "object",
              "additionalProperties": {
                "type": "string"
              },
              "description": "Map of external identifier scheme to value. Well-known schemes: aws (instance ID), azure (resource ID), cmdb (asset ID), emass (system ID), cve (CVE ID). Custom schemes are allowed."
            },
            "labels": {
              "type": "object",
              "additionalProperties": {
                "type": "string"
              },
              "description": "Optional key-value labels for flexible grouping. Well-known keys: system, component, environment, region, team. Values must be strings."
            },
            "sbom": {
              "description": "Embedded CycloneDX or SPDX SBOM document representing this component's software inventory. The sbomFormat field determines which format constraints apply.",
              "$comment": "Validated conditionally: CycloneDX requires bomFormat='CycloneDX' + specVersion; SPDX requires spdxVersion + SPDXID. Full SBOM schema validation is a tool-level concern."
            },
            "sbomRef": {
              "type": "string",
              "format": "uri-reference",
              "description": "URI reference to an external CycloneDX or SPDX SBOM document for this component. May be a relative path, absolute URI, or fragment identifier."
            },
            "sbomFormat": {
              "type": "string",
              "enum": [
                "cyclonedx",
                "spdx"
              ],
              "description": "Format of the SBOM (embedded or referenced). Required when sbom or sbomRef is present; the conditional sbom validation in this schema is applied only when sbomFormat is set, so an embedded sbom without it is not format-checked."
            },
            "baselineRefs": {
              "type": "array",
              "items": {
                "type": "string"
              },
              "description": "Names of baselines that apply to this component."
            },
            "inputOverrides": {
              "type": "array",
              "items": {
                "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/system/v3.1.0#/$defs/Input_Override"
              },
              "description": "System-specific overrides for baseline input values."
            },
            "targetSelector": {
              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/system/v3.1.0#/$defs/Target_Selector",
              "description": "Label selector to match targets belonging to this component during migration. Targets with matching labels are automatically included."
            }
          },
          "allOf": [
            {
              "if": {
                "allOf": [
                  {
                    "properties": {
                      "sbomFormat": {
                        "const": "cyclonedx"
                      }
                    },
                    "required": [
                      "sbomFormat"
                    ]
                  },
                  {
                    "properties": {
                      "sbom": {
                        "type": "object"
                      }
                    },
                    "required": [
                      "sbom"
                    ]
                  }
                ]
              },
              "then": {
                "properties": {
                  "sbom": {
                    "type": "object",
                    "required": [
                      "bomFormat",
                      "specVersion"
                    ],
                    "properties": {
                      "bomFormat": {
                        "type": "string",
                        "const": "CycloneDX",
                        "description": "Must be 'CycloneDX' for CycloneDX SBOM documents."
                      },
                      "specVersion": {
                        "type": "string",
                        "description": "CycloneDX specification version (e.g., '1.4', '1.5', '1.6')."
                      }
                    },
                    "additionalProperties": true
                  }
                }
              }
            },
            {
              "if": {
                "allOf": [
                  {
                    "properties": {
                      "sbomFormat": {
                        "const": "spdx"
                      }
                    },
                    "required": [
                      "sbomFormat"
                    ]
                  },
                  {
                    "properties": {
                      "sbom": {
                        "type": "object"
                      }
                    },
                    "required": [
                      "sbom"
                    ]
                  }
                ]
              },
              "then": {
                "properties": {
                  "sbom": {
                    "type": "object",
                    "required": [
                      "spdxVersion",
                      "SPDXID"
                    ],
                    "properties": {
                      "spdxVersion": {
                        "type": "string",
                        "description": "SPDX specification version (e.g., 'SPDX-2.3')."
                      },
                      "SPDXID": {
                        "type": "string",
                        "description": "SPDX document identifier (e.g., 'SPDXRef-DOCUMENT')."
                      }
                    },
                    "additionalProperties": true
                  }
                }
              }
            }
          ],
          "description": "Base properties shared by all component types. Extends the Target concept with stable identity, external references, and SBOM embedding.",
          "title": "Base Component"
        },
        "Component": {
          "description": "A system component. Uses discriminated union pattern with 'type' field as discriminator. Superset of Target with identity, external IDs, and SBOM support.",
          "title": "Component",
          "oneOf": [
            {
              "$ref": "#/$defs/Host_Component"
            },
            {
              "$ref": "#/$defs/Container_Image_Component"
            },
            {
              "$ref": "#/$defs/Container_Instance_Component"
            },
            {
              "$ref": "#/$defs/Container_Platform_Component"
            },
            {
              "$ref": "#/$defs/Cloud_Account_Component"
            },
            {
              "$ref": "#/$defs/Cloud_Resource_Component"
            },
            {
              "$ref": "#/$defs/Repository_Component"
            },
            {
              "$ref": "#/$defs/Application_Component"
            },
            {
              "$ref": "#/$defs/Artifact_Component"
            },
            {
              "$ref": "#/$defs/Network_Component"
            },
            {
              "$ref": "#/$defs/Database_Component"
            }
          ]
        },
        "Host_Component": {
          "allOf": [
            {
              "$ref": "#/$defs/Base_Component"
            },
            {
              "type": "object",
              "properties": {
                "type": {
                  "const": "host"
                },
                "fqdn": {
                  "type": "string",
                  "format": "hostname",
                  "description": "Fully qualified domain name."
                },
                "ipAddress": {
                  "anyOf": [
                    {
                      "type": "string",
                      "format": "ipv4"
                    },
                    {
                      "type": "string",
                      "format": "ipv6"
                    }
                  ],
                  "description": "IP address of the host."
                },
                "macAddress": {
                  "type": "string",
                  "pattern": "^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$",
                  "description": "MAC address in colon-separated hexadecimal format."
                },
                "osName": {
                  "type": "string",
                  "description": "Operating system name."
                },
                "osVersion": {
                  "type": "string",
                  "description": "Operating system version."
                }
              }
            }
          ],
          "examples": [
            {
              "type": "host",
              "name": "web-server-prod-01",
              "componentId": "a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d",
              "fqdn": "web01.prod.example.com",
              "ipAddress": "10.0.1.50",
              "osName": "Ubuntu",
              "osVersion": "22.04 LTS",
              "externalIds": {
                "cmdb": "ASSET-12345",
                "aws": "i-0abc123def456789"
              }
            }
          ],
          "description": "A physical or virtual server, workstation, or network device.",
          "title": "Host Component"
        },
        "Container_Image_Component": {
          "allOf": [
            {
              "$ref": "#/$defs/Base_Component"
            },
            {
              "type": "object",
              "properties": {
                "type": {
                  "const": "containerImage"
                },
                "imageId": {
                  "type": "string",
                  "description": "Container image ID."
                },
                "registry": {
                  "type": "string",
                  "description": "Container registry. Example: 'docker.io'."
                },
                "repository": {
                  "type": "string",
                  "description": "Repository name. Example: 'library/nginx'."
                },
                "tag": {
                  "type": "string",
                  "description": "Image tag. Example: '1.25'."
                },
                "digest": {
                  "type": "string",
                  "pattern": "^(sha256:[a-f0-9]{64}|sha512:[a-f0-9]{128}|blake3:[a-f0-9]{64})$",
                  "description": "Algorithm-prefixed content digest that provides an immutable reference to the image."
                }
              }
            }
          ],
          "description": "A static container image (not running).",
          "title": "Container Image Component"
        },
        "Container_Instance_Component": {
          "allOf": [
            {
              "$ref": "#/$defs/Base_Component"
            },
            {
              "type": "object",
              "properties": {
                "type": {
                  "const": "containerInstance"
                },
                "containerId": {
                  "type": "string",
                  "description": "Running container ID."
                },
                "image": {
                  "type": "string",
                  "description": "Image the container was started from."
                },
                "runtime": {
                  "type": "string",
                  "description": "Container runtime. Example: 'docker', 'containerd', 'cri-o'."
                }
              }
            }
          ],
          "description": "A running container instance.",
          "title": "Container Instance Component"
        },
        "Container_Platform_Component": {
          "allOf": [
            {
              "$ref": "#/$defs/Base_Component"
            },
            {
              "type": "object",
              "properties": {
                "type": {
                  "const": "containerPlatform"
                },
                "platformType": {
                  "type": "string",
                  "description": "Platform type. Example: 'kubernetes', 'openshift', 'ecs', 'docker-swarm'."
                },
                "clusterName": {
                  "type": "string",
                  "description": "Cluster name."
                },
                "namespace": {
                  "type": "string",
                  "description": "Namespace within the cluster, if applicable."
                },
                "version": {
                  "type": "string",
                  "description": "Platform version."
                }
              }
            }
          ],
          "description": "A container orchestration platform (Kubernetes, OpenShift, ECS, etc.).",
          "title": "Container Platform Component"
        },
        "Cloud_Account_Component": {
          "allOf": [
            {
              "$ref": "#/$defs/Base_Component"
            },
            {
              "type": "object",
              "properties": {
                "type": {
                  "const": "cloudAccount"
                },
                "provider": {
                  "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Cloud_Provider",
                  "description": "Cloud provider."
                },
                "accountId": {
                  "type": "string",
                  "description": "Cloud account identifier."
                },
                "region": {
                  "type": "string",
                  "description": "Cloud region, if applicable."
                }
              }
            }
          ],
          "examples": [
            {
              "type": "cloudAccount",
              "name": "Production AWS Account",
              "componentId": "f1e2d3c4-b5a6-4978-8069-1a2b3c4d5e6f",
              "provider": "aws",
              "accountId": "123456789012",
              "region": "us-east-1"
            }
          ],
          "description": "A cloud provider account (AWS account, Azure subscription, GCP project).",
          "title": "Cloud Account Component"
        },
        "Cloud_Resource_Component": {
          "allOf": [
            {
              "$ref": "#/$defs/Base_Component"
            },
            {
              "type": "object",
              "properties": {
                "type": {
                  "const": "cloudResource"
                },
                "provider": {
                  "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Cloud_Provider",
                  "description": "Cloud provider."
                },
                "resourceType": {
                  "type": "string",
                  "description": "Type of cloud resource. Example: 'ec2:instance', 's3:bucket'."
                },
                "resourceId": {
                  "type": "string",
                  "description": "Provider-specific resource identifier."
                },
                "arn": {
                  "type": "string",
                  "description": "Amazon Resource Name (AWS only)."
                },
                "region": {
                  "type": "string",
                  "description": "Cloud region where the resource resides."
                }
              }
            }
          ],
          "description": "A specific cloud resource (EC2 instance, S3 bucket, Azure VM, etc.).",
          "title": "Cloud Resource Component"
        },
        "Repository_Component": {
          "allOf": [
            {
              "$ref": "#/$defs/Base_Component"
            },
            {
              "type": "object",
              "properties": {
                "type": {
                  "const": "repository"
                },
                "url": {
                  "type": "string",
                  "format": "uri",
                  "description": "Repository URL."
                },
                "branch": {
                  "type": "string",
                  "description": "Branch that was scanned."
                },
                "commit": {
                  "type": "string",
                  "description": "Commit SHA that was scanned."
                }
              }
            }
          ],
          "description": "A code repository (for SAST tools).",
          "title": "Repository Component"
        },
        "Application_Component": {
          "allOf": [
            {
              "$ref": "#/$defs/Base_Component"
            },
            {
              "type": "object",
              "properties": {
                "type": {
                  "const": "application"
                },
                "url": {
                  "type": "string",
                  "format": "uri",
                  "description": "Application URL (for DAST tools)."
                },
                "version": {
                  "type": "string",
                  "description": "Application version."
                },
                "environment": {
                  "type": "string",
                  "description": "Environment. Example: 'production', 'staging', 'development'."
                }
              }
            }
          ],
          "description": "A running application or API (for DAST tools).",
          "title": "Application Component"
        },
        "Artifact_Component": {
          "allOf": [
            {
              "$ref": "#/$defs/Base_Component"
            },
            {
              "type": "object",
              "properties": {
                "type": {
                  "const": "artifact"
                },
                "packageManager": {
                  "type": "string",
                  "description": "Package manager. Example: 'npm', 'maven', 'pip', 'nuget'."
                },
                "packageName": {
                  "type": "string",
                  "description": "Package name."
                },
                "version": {
                  "type": "string",
                  "description": "Package version."
                },
                "checksum": {
                  "type": "string",
                  "description": "Checksum of the package, used to verify its integrity."
                }
              }
            }
          ],
          "description": "A software artifact or dependency (for SCA tools).",
          "title": "Artifact Component"
        },
        "Network_Component": {
          "allOf": [
            {
              "$ref": "#/$defs/Base_Component"
            },
            {
              "type": "object",
              "properties": {
                "type": {
                  "const": "network"
                },
                "cidr": {
                  "type": "string",
                  "description": "Network CIDR block."
                },
                "gateway": {
                  "type": "string",
                  "description": "Network gateway address."
                }
              }
            }
          ],
          "description": "A network segment or network device.",
          "title": "Network Component"
        },
        "Database_Component": {
          "allOf": [
            {
              "$ref": "#/$defs/Base_Component"
            },
            {
              "type": "object",
              "properties": {
                "type": {
                  "const": "database"
                },
                "engine": {
                  "type": "string",
                  "description": "Database engine. Example: 'postgresql', 'mysql', 'oracle', 'mssql'."
                },
                "version": {
                  "type": "string",
                  "description": "Database version."
                },
                "host": {
                  "type": "string",
                  "description": "Database host."
                },
                "port": {
                  "type": "integer",
                  "minimum": 1,
                  "maximum": 65535,
                  "description": "Database port."
                }
              }
            }
          ],
          "description": "A database instance.",
          "title": "Database Component"
        }
      }
    },
    "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0": {
      "$schema": "https://json-schema.org/draft/2020-12/schema",
      "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0",
      "title": "HDF Common Primitives",
      "description": "Shared building blocks used by hdf-results and hdf-baseline schemas.",
      "$defs": {
        "Hash_Algorithm": {
          "type": "string",
          "enum": [
            "sha256",
            "sha384",
            "sha512"
          ],
          "description": "Supported cryptographic hash algorithms for checksums and integrity verification.",
          "title": "Hash Algorithm"
        },
        "Requirement_Group": {
          "type": "object",
          "unevaluatedProperties": false,
          "required": [
            "id",
            "requirements"
          ],
          "properties": {
            "id": {
              "type": "string",
              "description": "The unique identifier for the group. Example: the relative path to the file specifying the requirements."
            },
            "title": {
              "type": "string",
              "description": "The human-readable title of the group."
            },
            "requirements": {
              "type": "array",
              "items": {
                "type": "string"
              },
              "description": "The set of requirements as specified by their ids in this group. Example: 'SV-238196'."
            }
          },
          "description": "Describes a group of requirements, such as those defined in a single file.",
          "title": "Requirement Group"
        },
        "Dependency": {
          "type": "object",
          "unevaluatedProperties": false,
          "required": [],
          "properties": {
            "name": {
              "type": "string",
              "description": "The name or assigned alias."
            },
            "url": {
              "type": "string",
              "format": "uri-reference",
              "description": "The address of the dependency."
            },
            "branch": {
              "type": "string",
              "description": "The branch name for a git repo."
            },
            "path": {
              "type": "string",
              "description": "The relative path if the dependency is locally available."
            },
            "statusMessage": {
              "type": "string",
              "description": "The reason for the status if it is 'failed' or 'skipped'."
            },
            "status": {
              "type": "string",
              "description": "The status of the dependency. Should be one of: 'loaded', 'failed', or 'skipped'."
            },
            "git": {
              "type": "string",
              "format": "uri",
              "description": "The location of the git repo. Example: 'https://github.com/my-org/ubuntu-22.04-stig-baseline.git'."
            },
            "supermarket": {
              "type": "string",
              "description": "The 'user/profilename' attribute for a Supermarket server."
            },
            "compliance": {
              "type": "string",
              "description": "The 'user/profilename' attribute for an Automate server."
            }
          },
          "examples": [
            {
              "name": "ubuntu-22.04-baseline",
              "url": "https://github.com/my-org/ubuntu-22.04-stig-baseline",
              "git": "https://github.com/my-org/ubuntu-22.04-stig-baseline.git",
              "branch": "main",
              "status": "loaded"
            },
            {
              "name": "ssl-tls-baseline",
              "path": "../shared-baselines/ssl-tls",
              "status": "loaded"
            },
            {
              "name": "windows-2022-baseline",
              "git": "https://github.com/security-org/windows-2022-stig.git",
              "branch": "v1.2.0",
              "status": "failed",
              "statusMessage": "Unable to clone repository: authentication failed"
            },
            {
              "name": "chef-supermarket-baseline",
              "supermarket": "dev-sec/linux-baseline",
              "status": "loaded"
            }
          ],
          "description": "A dependency of a baseline. Can include relative paths or URLs indicating where to find the dependency.",
          "title": "Dependency"
        },
        "Reference": {
          "anyOf": [
            {
              "type": "object",
              "required": [
                "ref"
              ],
              "properties": {
                "ref": {
                  "anyOf": [
                    {
                      "type": "string",
                      "description": "A human-readable, meaningful reference. Example: a book title."
                    },
                    {
                      "type": "array",
                      "items": {
                        "type": "object",
                        "additionalProperties": true
                      },
                      "description": "An array of reference objects."
                    }
                  ]
                }
              },
              "description": "A reference using the 'ref' field."
            },
            {
              "type": "object",
              "required": [
                "url"
              ],
              "properties": {
                "url": {
                  "type": "string",
                  "format": "uri"
                }
              },
              "description": "A URL pointing at the reference."
            },
            {
              "type": "object",
              "required": [
                "uri"
              ],
              "properties": {
                "uri": {
                  "type": "string",
                  "format": "uri"
                }
              },
              "description": "A URI pointing at the reference."
            }
          ],
          "description": "A reference to an external document.",
          "title": "Reference"
        },
        "Source_Location": {
          "type": "object",
          "unevaluatedProperties": false,
          "required": [],
          "properties": {
            "ref": {
              "type": "string",
              "description": "Path to the file that this requirement originates from."
            },
            "line": {
              "type": "number",
              "description": "The line on which this requirement is located."
            }
          },
          "examples": [
            {
              "ref": "controls/SV-260476.rb",
              "line": 1
            },
            {
              "ref": "profiles/ubuntu/controls/configure_audit.rb",
              "line": 42
            }
          ],
          "description": "The explicit location of a requirement within source code.",
          "title": "Source Location"
        },
        "Supported_Platform": {
          "type": "object",
          "unevaluatedProperties": false,
          "required": [],
          "properties": {
            "platformFamily": {
              "type": "string",
              "description": "The platform family. Example: 'redhat'."
            },
            "platformName": {
              "type": "string",
              "description": "The platform name; may include wildcards. Example: 'debian'."
            },
            "platform": {
              "type": "string",
              "description": "The location of the platform. Can be: 'os', 'aws', 'azure', or 'gcp'."
            },
            "release": {
              "type": "string",
              "description": "The release of the platform. Example: '20.04' for 'ubuntu'."
            }
          },
          "description": "A supported platform target. Example: a platform whose name is 'ubuntu'.",
          "title": "Supported Platform"
        },
        "Checksum": {
          "type": "object",
          "unevaluatedProperties": false,
          "required": [
            "algorithm",
            "value"
          ],
          "properties": {
            "algorithm": {
              "$ref": "#/$defs/Hash_Algorithm",
              "description": "The hash algorithm used for the checksum."
            },
            "value": {
              "type": "string",
              "description": "The digest value produced by the selected algorithm."
            }
          },
          "examples": [
            {
              "algorithm": "sha256",
              "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
            },
            {
              "algorithm": "sha512",
              "value": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e"
            }
          ],
          "description": "Cryptographic checksum for baseline integrity verification.",
          "title": "Checksum"
        },
        "Identity": {
          "type": "object",
          "unevaluatedProperties": false,
          "required": [
            "identifier",
            "type"
          ],
          "properties": {
            "identifier": {
              "type": "string",
              "description": "The identifier value. Example: 'user@example.com', 'jdoe', 'automated-scanner-01'."
            },
            "type": {
              "type": "string",
              "enum": [
                "email",
                "username",
                "system",
                "simple",
                "other"
              ],
              "description": "The type of identifier. Use 'email' for email addresses, 'username' for user accounts, 'system' for automated systems, 'simple' for basic string identifiers without additional classification, or 'other' for custom identity systems."
            },
            "description": {
              "type": "string",
              "description": "Optional description of the identity or identity system, particularly useful when type is 'other'."
            }
          },
          "examples": [
            {
              "type": "email",
              "identifier": "admin@example.com"
            },
            {
              "type": "username",
              "identifier": "jdoe",
              "description": "Security Operations Analyst"
            },
            {
              "type": "system",
              "identifier": "automated-scanner-01",
              "description": "Nightly compliance scan pipeline"
            }
          ],
          "description": "Represents an identity that performed an action, such as capturing evidence or applying an override.",
          "title": "Identity"
        },
        "Evidence": {
          "type": "object",
          "unevaluatedProperties": false,
          "required": [
            "type",
            "data"
          ],
          "properties": {
            "type": {
              "type": "string",
              "enum": [
                "screenshot",
                "code",
                "log",
                "url",
                "file",
                "other"
              ],
              "description": "The type of evidence being provided."
            },
            "data": {
              "type": "string",
              "description": "The evidence content. For screenshots/files: base64-encoded data or URL. For code/logs: the raw text. For URLs: the URL string."
            },
            "description": {
              "type": "string",
              "description": "Human-readable description of what this evidence shows."
            },
            "mimeType": {
              "type": "string",
              "description": "MIME type of the evidence. Example: 'image/png', 'text/plain', 'application/json'."
            },
            "encoding": {
              "type": "string",
              "description": "Encoding used for the data. Example: 'base64', 'utf-8'."
            },
            "size": {
              "type": "number",
              "description": "Size of the evidence data in bytes."
            },
            "capturedAt": {
              "type": "string",
              "format": "date-time",
              "description": "Timestamp when this evidence was captured. ISO 8601 format."
            },
            "capturedBy": {
              "$ref": "#/$defs/Identity",
              "description": "Identity of who or what captured this evidence."
            }
          },
          "examples": [
            {
              "type": "screenshot",
              "data": "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNk+M9QDwADhgGAWjR9awAAAABJRU5ErkJggg==",
              "description": "Screenshot showing firewall configuration with required ports blocked",
              "mimeType": "image/png",
              "encoding": "base64",
              "size": 95,
              "capturedAt": "2025-12-14T10:30:00Z",
              "capturedBy": {
                "identifier": "security-auditor@example.com",
                "type": "email"
              }
            },
            {
              "type": "code",
              "data": "# Nginx configuration\nserver {\n  listen 443 ssl;\n  ssl_protocols TLSv1.2 TLSv1.3;\n  ssl_ciphers HIGH:!aNULL:!MD5;\n}",
              "description": "Server configuration showing TLS 1.2+ enforcement",
              "mimeType": "text/plain",
              "capturedAt": "2025-12-14T10:45:00Z"
            },
            {
              "type": "log",
              "data": "[2025-12-14 10:00:15] INFO: Security scan completed - 0 critical vulnerabilities found\n[2025-12-14 10:00:16] INFO: All required security patches applied\n[2025-12-14 10:00:17] INFO: System compliant with security baseline",
              "description": "Security scan log output",
              "mimeType": "text/plain",
              "size": 256
            },
            {
              "type": "url",
              "data": "https://jira.example.com/browse/SEC-12345",
              "description": "Link to security ticket documenting remediation work",
              "capturedAt": "2025-12-14T11:00:00Z"
            },
            {
              "type": "file",
              "data": "UEsDBBQAAAAIAI1ZX1YhQp8FHgAAABIAAAAIAAAAdGVzdC50eHRLy8nPS8lQSgIAUmNEBhQAAAA=",
              "description": "Compliance audit report PDF",
              "mimeType": "application/pdf",
              "encoding": "base64",
              "size": 2048,
              "capturedAt": "2025-12-14T12:00:00Z",
              "capturedBy": {
                "identifier": "compliance-system",
                "type": "system"
              }
            }
          ],
          "description": "Supporting evidence for a finding or override, such as screenshots, code samples, log excerpts, or URLs.",
          "title": "Evidence"
        },
        "Remediation": {
          "type": "object",
          "unevaluatedProperties": false,
          "required": [
            "uri"
          ],
          "properties": {
            "uri": {
              "type": "string",
              "format": "uri",
              "description": "URI pointing to automated remediation resources (Ansible playbooks, Terraform scripts, etc.). Examples: GitHub repository, DISA STIG Supplemental Automation Content, vendor-provided scripts."
            },
            "checksum": {
              "$ref": "#/$defs/Checksum",
              "description": "Optional cryptographic checksum for verifying the integrity of remediation resources fetched from the URI. Recommended whenever external automation scripts are referenced."
            }
          },
          "examples": [
            {
              "uri": "https://github.com/ansible-lockdown/RHEL9-STIG/tree/main/tasks"
            },
            {
              "uri": "https://artifacts.example.com/remediation/ubuntu-22.04-hardening-v1.2.tar.gz",
              "checksum": {
                "algorithm": "sha256",
                "value": "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2"
              }
            }
          ],
          "description": "Reference to automated remediation resources for implementing security controls. Points to external automation content like Ansible playbooks, Terraform scripts, or vendor-provided remediation tools.",
          "title": "Remediation"
        },
        "Verification_Method": {
          "type": "object",
          "unevaluatedProperties": false,
          "required": [
            "type",
            "controller"
          ],
          "properties": {
            "type": {
              "type": "string",
              "description": "The type of verification method. Example: 'JsonWebKey2020', 'RsaVerificationKey2018', 'Ed25519VerificationKey2020'."
            },
            "controller": {
              "type": "string",
              "description": "The entity that controls this verification method. Can be a DID, URI, or other identifier."
            },
            "publicKeyJwk": {
              "type": "object",
              "additionalProperties": true,
              "description": "Public key in JSON Web Key format."
            },
            "publicKeyPem": {
              "type": "string",
              "description": "Public key in PEM format. Example: '-----BEGIN PUBLIC KEY-----...-----END PUBLIC KEY-----'."
            },
            "publicKeyBase58": {
              "type": "string",
              "description": "Public key in Base58 format, commonly used with Ed25519 keys."
            }
          },
          "description": "Verification method containing the public key needed to verify a digital signature. Supports multiple key formats including JWK (for RSA, EC), PEM, and Base58.",
          "title": "Verification Method"
        },
        "Milestone": {
          "type": "object",
          "unevaluatedProperties": false,
          "required": [
            "description",
            "estimatedCompletion",
            "status"
          ],
          "properties": {
            "description": {
              "type": "string",
              "description": "Description of this milestone or task."
            },
            "estimatedCompletion": {
              "type": "string",
              "format": "date-time",
              "description": "Estimated completion date. ISO 8601 format."
            },
            "status": {
              "type": "string",
              "enum": [
                "pending",
                "inProgress",
                "completed"
              ],
              "description": "Current status of this milestone."
            },
            "completedAt": {
              "type": "string",
              "format": "date-time",
              "description": "Actual completion timestamp. ISO 8601 format."
            },
            "completedBy": {
              "$ref": "#/$defs/Identity",
              "description": "Identity of who completed this milestone."
            }
          },
          "description": "A milestone or task within a POA&M remediation plan.",
          "title": "Milestone"
        },
        "Signature": {
          "type": "object",
          "unevaluatedProperties": false,
          "required": [
            "type",
            "created",
            "creator",
            "signatureValue",
            "proofPurpose",
            "verificationMethod"
          ],
          "properties": {
            "type": {
              "type": "string",
              "description": "The signature suite type. Example: 'JsonWebSignature2020', 'RsaSignature2018', 'Ed25519Signature2020'."
            },
            "created": {
              "type": "string",
              "format": "date-time",
              "description": "When the signature was created. ISO 8601 format."
            },
            "creator": {
              "$ref": "#/$defs/Identity",
              "description": "The identity that created this signature."
            },
            "signatureValue": {
              "type": "string",
              "description": "The base64-encoded or base58-encoded signature value."
            },
            "proofPurpose": {
              "type": "string",
              "description": "The purpose of this signature. Example: 'attestation', 'authentication', 'assertionMethod'."
            },
            "verificationMethod": {
              "$ref": "#/$defs/Verification_Method",
              "description": "The verification method containing the public key for signature verification."
            },
            "nonce": {
              "type": "string",
              "description": "Random, single-use value that prevents replay attacks."
            },
            "challenge": {
              "type": "string",
              "description": "Challenge value from the verifier, used in challenge-response authentication."
            },
            "domain": {
              "type": "string",
              "description": "Domain restriction for the signature; prevents cross-domain replay attacks."
            }
          },
          "examples": [
            {
              "type": "JsonWebSignature2020",
              "created": "2025-12-14T10:00:00Z",
              "creator": {
                "identifier": "security-team@example.com",
                "type": "email"
              },
              "signatureValue": "eyJhbGciOiJSUzI1NiIsImI2NCI6ZmFsc2UsImNyaXQiOlsiYjY0Il19..MEYCIQDvKbtLRhWAa",
              "proofPurpose": "attestation",
              "verificationMethod": {
                "type": "JsonWebKey2020",
                "controller": "did:example:123456789abcdefghi",
                "publicKeyJwk": {
                  "kty": "RSA",
                  "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtV",
                  "e": "AQAB"
                }
              }
            },
            {
              "type": "RsaSignature2018",
              "created": "2025-12-14T11:30:00Z",
              "creator": {
                "identifier": "ciso@example.com",
                "type": "email"
              },
              "signatureValue": "pY9...Cg==",
              "proofPurpose": "authentication",
              "verificationMethod": {
                "type": "RsaVerificationKey2018",
                "controller": "https://example.com/issuers/565049",
                "publicKeyPem": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAryQICCl6NZ5gDKrnSztO\n-----END PUBLIC KEY-----"
              },
              "nonce": "c0ae1c8e-c7e7-469f-b252-86e6a0e7387e"
            },
            {
              "type": "Ed25519Signature2020",
              "created": "2025-12-14T14:00:00Z",
              "creator": {
                "identifier": "automated-signer",
                "type": "system",
                "description": "Hardware security module (HSM) for automated attestations"
              },
              "signatureValue": "z58DAdFfa9SkqZMVMxABEBC59Ck6WibLZ",
              "proofPurpose": "assertionMethod",
              "verificationMethod": {
                "type": "Ed25519VerificationKey2020",
                "controller": "did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK",
                "publicKeyBase58": "H3C2AVvLMv6gmMNam3uVAjZpfkcJCwDwnZn6z3wXmqPV"
              },
              "challenge": "1f44d2f3-d16c-47a4-9f5f-1d6e8f4e3a2b",
              "domain": "https://compliance.example.com"
            }
          ],
          "description": "A digital signature following W3C Data Integrity Proofs pattern. Supports hardware security tokens (PKCS#11/PKCS#12), Yubikeys, GPG keys, passkeys, and other cryptographic signing methods via JWK, PEM, or Base58 key formats.",
          "title": "Signature"
        },
        "Baseline_Metadata": {
          "type": "object",
          "properties": {
            "name": {
              "type": "string",
              "description": "The name; must be unique."
            },
            "title": {
              "type": "string",
              "description": "The title; should be human-readable."
            },
            "maintainer": {
              "type": "string",
              "description": "The maintainer(s)."
            },
            "copyright": {
              "type": "string",
              "description": "The copyright holder(s)."
            },
            "copyrightEmail": {
              "type": "string",
              "description": "The email address or other contact information of the copyright holder(s)."
            },
            "license": {
              "type": "string",
              "description": "The copyright license. Example: 'Apache-2.0'."
            },
            "summary": {
              "type": "string",
              "description": "The summary. Example: the Security Technical Implementation Guide (STIG) header."
            },
            "version": {
              "type": "string",
              "description": "The version of the baseline."
            },
            "supports": {
              "type": "array",
              "items": {
                "$ref": "#/$defs/Supported_Platform"
              },
              "description": "The set of supported platform targets."
            },
            "status": {
              "type": "string",
              "description": "The status. Example: 'loaded'."
            },
            "labels": {
              "type": "object",
              "additionalProperties": {
                "type": "string"
              },
              "description": "Optional key-value labels for flexible grouping. Well-known keys: system, component, environment, region, team. Values must be strings."
            }
          },
          "examples": [
            {
              "name": "rhel-9-stig-baseline",
              "title": "Red Hat Enterprise Linux 9 STIG Baseline",
              "maintainer": "MITRE SAF Team",
              "copyright": "The MITRE Corporation",
              "copyrightEmail": "saf@mitre.org",
              "license": "Apache-2.0",
              "summary": "InSpec baseline for RHEL 9 STIG compliance",
              "version": "1.0.0",
              "supports": [
                {
                  "platformName": "redhat",
                  "platformFamily": "redhat",
                  "release": "9"
                }
              ],
              "status": "loaded"
            }
          ],
          "description": "Shared metadata fields for baselines. Used in both standalone baseline documents and evaluated baseline results.",
          "title": "Baseline Metadata"
        },
        "Requirement_Core": {
          "type": "object",
          "properties": {
            "id": {
              "type": "string",
              "description": "The requirement identifier. Example: 'SV-238196'."
            },
            "title": {
              "type": "string",
              "description": "The title; may be null."
            },
            "descriptions": {
              "type": "array",
              "minItems": 1,
              "items": {
                "type": "object",
                "unevaluatedProperties": false,
                "required": [
                  "label",
                  "data"
                ],
                "properties": {
                  "label": {
                    "type": "string",
                    "description": "Description category. The 'default' label is required for the primary description. Common labels: 'default', 'check', 'fix', 'rationale'. Tools may use custom labels."
                  },
                  "data": {
                    "type": "string",
                    "description": "The description text content."
                  }
                }
              },
              "description": "Array of labeled descriptions. At least one description with label 'default' must be present. Convention: place default description first. Common labels: 'default', 'check', 'fix', 'rationale'."
            },
            "impact": {
              "type": "number",
              "minimum": 0,
              "maximum": 1,
              "description": "The impact or severity score, from 0.0 to 1.0 inclusive."
            },
            "refs": {
              "type": "array",
              "items": {
                "$ref": "#/$defs/Reference"
              },
              "description": "The set of references to external documents."
            },
            "tags": {
              "type": "object",
              "additionalProperties": true,
              "description": "A set of tags; usually metadata such as CCI, STIG ID, and severity."
            },
            "code": {
              "type": "string",
              "description": "The raw source code of the requirement. Set to null for manual-only requirements or requirements not yet implemented. Note that if this is an overlay, it does not include the underlying source code."
            },
            "sourceLocation": {
              "$ref": "#/$defs/Source_Location",
              "description": "The explicit location of the requirement within the source code."
            }
          },
          "examples": [
            {
              "id": "SV-238196",
              "title": "The Ubuntu operating system must enforce password complexity",
              "impact": 0.5,
              "tags": {
                "nist": [
                  "IA-5"
                ],
                "severity": "medium",
                "cci": [
                  "CCI-000192"
                ]
              },
              "refs": [
                {
                  "url": "https://public.cyber.mil/stigs/"
                }
              ],
              "descriptions": [
                {
                  "label": "default",
                  "data": "Use of a complex password helps to increase the time and resources required to compromise the password."
                },
                {
                  "label": "check",
                  "data": "Verify the value of 'minlen' in /etc/security/pwquality.conf."
                }
              ]
            }
          ],
          "description": "Core requirement fields shared between baseline requirements and evaluated requirements. Contains the fundamental requirement definition without assessment results.",
          "title": "Requirement Core"
        },
        "Severity": {
          "type": "string",
          "enum": [
            "critical",
            "high",
            "medium",
            "low",
            "informational"
          ],
          "description": "Severity rating for a requirement. Typically derived from the numeric impact score.",
          "title": "Severity"
        },
        "Cloud_Provider": {
          "type": [
            "string",
            "null"
          ],
          "enum": [
            "aws",
            "azure",
            "gcp",
            "oci",
            "other",
            null
          ],
          "description": "Cloud service provider identifier.",
          "title": "Cloud Provider"
        }
      }
    },
    "https://mitre.github.io/hdf-libs/schemas/primitives/system/v3.1.0": {
      "$schema": "https://json-schema.org/draft/2020-12/schema",
      "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/system/v3.1.0",
      "title": "HDF System Primitives",
      "description": "Types for describing system architecture, authorization boundaries, and components.",
      "$defs": {
        "Authorization_Status": {
          "type": "string",
          "enum": [
            "authorized",
            "denied",
            "pendingAuthorization",
            "conditionallyAuthorized",
            "notYetRequested",
            "revoked"
          ],
          "description": "Authorization to Operate (ATO) status for the system.",
          "title": "Authorization Status"
        },
        "Categorization_Level": {
          "type": "string",
          "enum": [
            "low",
            "moderate",
            "high"
          ],
          "description": "FIPS 199 security categorization level (impact level).",
          "title": "Categorization Level"
        },
        "Input_Override": {
          "type": "object",
          "unevaluatedProperties": false,
          "required": [
            "inputName",
            "value"
          ],
          "properties": {
            "baselineRef": {
              "type": "string",
              "description": "Name of the baseline this override applies to. If omitted, applies to all baselines that define this input."
            },
            "inputName": {
              "type": "string",
              "description": "Name of the input being overridden. Must match an Input.name in the referenced baseline."
            },
            "value": {
              "description": "The overridden value. Should match the type of the original input."
            },
            "justification": {
              "type": "string",
              "description": "Rationale for why this override is needed."
            },
            "approvedBy": {
              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Identity",
              "description": "Identity of the person or system that approved this override."
            }
          },
          "description": "An override of a baseline input value for a specific component. Enables system-specific tailoring of baseline parameters.",
          "title": "Input Override"
        },
        "Target_Selector": {
          "type": "object",
          "additionalProperties": {
            "type": "string"
          },
          "description": "A label selector that matches targets by label key-value pairs. All specified labels must match (AND logic). Example: { \"labels.component\": \"WebTier\" } matches targets with labels.component = \"WebTier\".",
          "title": "Target Selector"
        },
        "Control_Designation": {
          "type": "object",
          "unevaluatedProperties": false,
          "required": [
            "controlId",
            "designation",
            "description"
          ],
          "properties": {
            "controlId": {
              "type": "string",
              "description": "The control identifier (e.g., 'SC-7', 'AC-2 (1)'). Must match a NIST tag in a baseline requirement's tags."
            },
            "designation": {
              "type": "string",
              "enum": [
                "common",
                "system-specific",
                "hybrid"
              ],
              "description": "NIST SP 800-53 control designation. 'common': fully provided by another component or system. 'system-specific': implemented by the inheriting component(s) only. 'hybrid': shared responsibility between provider and inheritor."
            },
            "providedBy": {
              "type": "string",
              "format": "uuid",
              "description": "componentId of a local component that provides this control. Omit when the provider is an external system."
            },
            "systemRef": {
              "type": "string",
              "format": "uri-reference",
              "description": "Reference to another hdf-system document whose component provides this control. Use when the provider is in a different system. Omit when the provider is local."
            },
            "inheritedBy": {
              "type": "array",
              "items": {
                "type": "string",
                "format": "uuid"
              },
              "description": "componentIds that inherit this control. If omitted, all components in the system inherit it."
            },
            "description": {
              "type": "string",
              "description": "Justification for this designation — who provides the control, why it's inherited, and any relevant authorization references."
            }
          },
          "examples": [
            {
              "controlId": "IA-2",
              "designation": "common",
              "providedBy": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
              "inheritedBy": [
                "11111111-2222-3333-4444-555555555555"
              ],
              "description": "User identification and authentication provided by Keycloak SSO via SAML 2.0."
            },
            {
              "controlId": "PE-2",
              "designation": "common",
              "description": "Physical access authorizations provided by AWS GovCloud per FedRAMP High authorization."
            }
          ],
          "description": "Declares a control's designation within a system — whether it is common (provided by another component or system), system-specific (implemented locally), or hybrid (shared responsibility). Maps to NIST SP 800-53 Appendix C control designations and OSCAL SSP by-component provided/inherited semantics.",
          "title": "Control Designation"
        }
      }
    },
    "https://mitre.github.io/hdf-libs/schemas/primitives/statistics/v3.1.0": {
      "$schema": "https://json-schema.org/draft/2020-12/schema",
      "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/statistics/v3.1.0",
      "title": "HDF Statistics Primitives",
      "description": "Statistics types for tracking assessment run metrics.",
      "$defs": {
        "Statistic_Block": {
          "type": "object",
          "unevaluatedProperties": false,
          "required": [
            "total"
          ],
          "properties": {
            "total": {
              "type": "integer",
              "minimum": 0,
              "description": "The total count. Example: the total number of requirements in a given category for a run."
            }
          },
          "description": "Statistics for a given item, such as the total count.",
          "title": "Statistic Block"
        },
        "Statistic_Hash": {
          "type": "object",
          "unevaluatedProperties": false,
          "required": [],
          "properties": {
            "passed": {
              "$ref": "#/$defs/Statistic_Block",
              "description": "Statistics for requirements that passed."
            },
            "failed": {
              "$ref": "#/$defs/Statistic_Block",
              "description": "Statistics for requirements that failed."
            },
            "notApplicable": {
              "$ref": "#/$defs/Statistic_Block",
              "description": "Statistics for requirements that are not applicable to the target."
            },
            "notReviewed": {
              "$ref": "#/$defs/Statistic_Block",
              "description": "Statistics for requirements that were not reviewed (manual check required)."
            },
            "error": {
              "$ref": "#/$defs/Statistic_Block",
              "description": "Statistics for requirements that encountered an error during assessment."
            }
          },
          "description": "Statistics for requirement results, grouped by status.",
          "title": "Statistic Hash"
        },
        "Statistics": {
          "type": "object",
          "unevaluatedProperties": false,
          "required": [],
          "properties": {
            "duration": {
              "type": "number",
              "minimum": 0,
              "description": "How long (in seconds) this assessment run took."
            },
            "requirements": {
              "$ref": "#/$defs/Statistic_Hash",
              "description": "Breakdowns of requirement statistics by result status."
            }
          },
          "description": "Statistics for the assessment run(s) such as duration and result counts.",
          "title": "Statistics"
        }
      }
    },
    "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.1.0": {
      "$schema": "https://json-schema.org/draft/2020-12/schema",
      "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/extensions/v3.1.0",
      "title": "HDF Extension Primitives",
      "description": "Extension types for waivers, attestations, generators, and integrity.",
      "$defs": {
        "Status_Override": {
          "type": "object",
          "unevaluatedProperties": false,
          "required": [
            "type",
            "reason",
            "appliedBy",
            "appliedAt",
            "expiresAt"
          ],
          "anyOf": [
            {
              "required": [
                "status"
              ]
            },
            {
              "required": [
                "impact"
              ]
            }
          ],
          "properties": {
            "type": {
              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/amendments/v3.1.0#/$defs/Override_Type",
              "description": "The type of override applied to this requirement."
            },
            "status": {
              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.1.0#/$defs/Result_Status",
              "description": "The new status this override sets for the requirement. Optional when only impact is being overridden."
            },
            "impact": {
              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/amendments/v3.1.0#/$defs/Impact_Override",
              "description": "Override to the requirement's impact score. At least one of status or impact must be set."
            },
            "reason": {
              "type": "string",
              "description": "Explanation for why this override was applied."
            },
            "appliedBy": {
              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Identity",
              "description": "Identity of who applied this override. For simple cases, use type 'simple' with just an identifier."
            },
            "appliedAt": {
              "type": "string",
              "format": "date-time",
              "description": "Timestamp when this override was applied. ISO 8601 format."
            },
            "expiresAt": {
              "type": "string",
              "format": "date-time",
              "description": "Timestamp when this override expires and must be reviewed or renewed. Required: permanent overrides are not allowed. ISO 8601 format."
            },
            "signature": {
              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Signature",
              "description": "Optional digital signature for enhanced trust and non-repudiation. Supports hardware security tokens (PKCS#11/PKCS#12), Yubikeys, GPG keys, passkeys, and other signing methods."
            },
            "evidence": {
              "type": "array",
              "items": {
                "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Evidence"
              },
              "description": "Supporting evidence for this override, such as screenshots demonstrating manual verification for attestations."
            },
            "previousChecksum": {
              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Checksum",
              "description": "SHA-256 checksum of the previous amendment in chronological order. Creates a tamper-evident hash chain of amendments (similar to a blockchain). Null for the first amendment on a requirement."
            }
          },
          "examples": [
            {
              "type": "waiver",
              "status": "notApplicable",
              "reason": "This control does not apply to containerized environments as the application runs in ephemeral containers without persistent storage",
              "appliedBy": {
                "identifier": "security-team@example.com",
                "type": "email"
              },
              "appliedAt": "2025-12-01T10:00:00Z",
              "expiresAt": "2026-12-01T00:00:00Z"
            },
            {
              "type": "riskAdjustment",
              "impact": {
                "value": 0.3
              },
              "reason": "CVE-123 is in a dead code path, unreachable from any entry point",
              "appliedBy": {
                "identifier": "dev@org.gov",
                "type": "email"
              },
              "appliedAt": "2026-04-14T10:00:00Z",
              "expiresAt": "2026-10-14T00:00:00Z"
            },
            {
              "type": "falsePositive",
              "status": "passed",
              "reason": "STIG check misidentified sshd_config syntax; manual review confirms compliant configuration",
              "appliedBy": {
                "identifier": "assessor@agency.gov",
                "type": "email"
              },
              "appliedAt": "2026-04-14T10:00:00Z",
              "expiresAt": "2026-10-14T00:00:00Z"
            },
            {
              "type": "falsePositive",
              "status": "notApplicable",
              "reason": "CVE scanner matched library signature but the vulnerable code path is not present — dependency compiled with affected module disabled",
              "appliedBy": {
                "identifier": "dev@org.gov",
                "type": "email"
              },
              "appliedAt": "2026-04-14T10:00:00Z",
              "expiresAt": "2026-10-14T00:00:00Z"
            },
            {
              "type": "attestation",
              "status": "passed",
              "reason": "Manual verification completed: Reviewed firewall rules and confirmed all required ports are properly restricted per security policy",
              "appliedBy": {
                "identifier": "john.doe",
                "type": "username",
                "description": "Senior Security Engineer"
              },
              "appliedAt": "2025-11-30T14:30:00Z",
              "expiresAt": "2026-05-30T00:00:00Z",
              "evidence": [
                {
                  "type": "screenshot",
                  "data": "base64-encoded-screenshot-data-here",
                  "description": "Screenshot showing firewall configuration",
                  "mimeType": "image/png",
                  "encoding": "base64",
                  "capturedAt": "2025-11-30T14:25:00Z",
                  "capturedBy": {
                    "identifier": "john.doe",
                    "type": "username"
                  }
                }
              ]
            }
          ],
          "description": "An intentional change to a requirement's compliance status and/or impact score. At least one of status or impact must be set. Overrides change the effectiveStatus or impact of the requirement. All overrides must have an expiration date to enforce periodic review.",
          "title": "Status Override"
        },
        "POAM": {
          "type": "object",
          "unevaluatedProperties": false,
          "required": [
            "type",
            "explanation",
            "appliedBy",
            "appliedAt"
          ],
          "properties": {
            "type": {
              "type": "string",
              "enum": [
                "remediation",
                "mitigation",
                "riskAcceptance",
                "vendorDependency"
              ],
              "description": "The type of POA&M. 'remediation' fixes root cause. 'mitigation' reduces risk via compensating controls. 'riskAcceptance' documents decision to accept risk. 'vendorDependency' tracks a fix that depends on a vendor releasing a patch or update."
            },
            "explanation": {
              "type": "string",
              "description": "Detailed explanation of the plan, including what actions will be taken."
            },
            "appliedBy": {
              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Identity",
              "description": "Identity of who created this POA&M. For simple cases, use type 'simple' with just an identifier."
            },
            "appliedAt": {
              "type": "string",
              "format": "date-time",
              "description": "Timestamp when this POA&M was created. ISO 8601 format."
            },
            "expiresAt": {
              "type": "string",
              "format": "date-time",
              "description": "Optional expiration date for this POA&M requiring review/renewal. ISO 8601 format."
            },
            "milestones": {
              "type": "array",
              "items": {
                "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Milestone"
              },
              "description": "Optional array of milestones tracking progress toward completion."
            },
            "signature": {
              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Signature",
              "description": "Optional digital signature for enhanced trust and non-repudiation."
            },
            "evidence": {
              "type": "array",
              "items": {
                "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Evidence"
              },
              "description": "Supporting evidence for this POA&M, such as documentation of compensating controls or mitigation implementation."
            },
            "previousChecksum": {
              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Checksum",
              "description": "SHA-256 checksum of the previous amendment in chronological order. Creates a tamper-evident hash chain of amendments (similar to a blockchain). Null for the first amendment on a requirement."
            }
          },
          "examples": [
            {
              "type": "remediation",
              "explanation": "Upgrade OpenSSL to version 3.0.x to address CVE-2024-XXXXX vulnerability. Root cause: outdated dependency version in base image.",
              "appliedBy": {
                "identifier": "devops-team@example.com",
                "type": "email"
              },
              "appliedAt": "2025-12-01T09:00:00Z",
              "milestones": [
                {
                  "description": "Update base Docker image to use OpenSSL 3.0.x",
                  "estimatedCompletion": "2025-12-15T00:00:00Z",
                  "status": "completed",
                  "completedAt": "2025-12-10T16:30:00Z",
                  "completedBy": {
                    "identifier": "alice.smith",
                    "type": "username"
                  }
                },
                {
                  "description": "Deploy updated image to production",
                  "estimatedCompletion": "2025-12-20T00:00:00Z",
                  "status": "inProgress"
                },
                {
                  "description": "Verify vulnerability no longer present via security scan",
                  "estimatedCompletion": "2025-12-22T00:00:00Z",
                  "status": "pending"
                }
              ]
            },
            {
              "type": "mitigation",
              "explanation": "Implement network segmentation as compensating control while awaiting vendor patch for database vulnerability. Traffic to vulnerable database server is restricted to internal management VLAN only.",
              "appliedBy": {
                "identifier": "security-architect",
                "type": "system",
                "description": "Automated POA&M creation from vulnerability scan"
              },
              "appliedAt": "2025-11-28T14:00:00Z",
              "expiresAt": "2026-02-28T00:00:00Z",
              "milestones": [
                {
                  "description": "Configure firewall rules to restrict database access to management VLAN",
                  "estimatedCompletion": "2025-12-02T00:00:00Z",
                  "status": "completed",
                  "completedAt": "2025-11-29T11:15:00Z",
                  "completedBy": {
                    "identifier": "network-ops@example.com",
                    "type": "email"
                  }
                },
                {
                  "description": "Monitor for vendor security patch release",
                  "estimatedCompletion": "2026-02-28T00:00:00Z",
                  "status": "inProgress"
                }
              ],
              "evidence": [
                {
                  "type": "code",
                  "data": "# Firewall rule configuration\niptables -A INPUT -s 10.0.1.0/24 -p tcp --dport 5432 -j ACCEPT\niptables -A INPUT -p tcp --dport 5432 -j DROP",
                  "description": "Firewall rules restricting database access",
                  "mimeType": "text/plain"
                }
              ]
            },
            {
              "type": "riskAcceptance",
              "explanation": "Risk accepted for legacy system scheduled for decommissioning in Q1 2026. Cost of remediation ($50K for emergency upgrade) exceeds residual risk given 3-month remaining lifespan. Compensating controls: isolated network segment, enhanced monitoring.",
              "appliedBy": {
                "identifier": "ciso@example.com",
                "type": "email"
              },
              "appliedAt": "2025-12-05T10:00:00Z",
              "expiresAt": "2026-04-01T00:00:00Z",
              "milestones": [
                {
                  "description": "Complete migration to replacement system",
                  "estimatedCompletion": "2026-03-15T00:00:00Z",
                  "status": "inProgress"
                },
                {
                  "description": "Decommission legacy system",
                  "estimatedCompletion": "2026-03-31T00:00:00Z",
                  "status": "pending"
                }
              ]
            }
          ],
          "description": "Plan of Action and Milestones for tracking remediation, mitigation, or risk acceptance. POA&Ms do NOT change the effectiveStatus: the requirement remains in its current state while the POA&M tracks remediation efforts.",
          "title": "POAM"
        },
        "Generator": {
          "type": "object",
          "unevaluatedProperties": false,
          "required": [
            "name",
            "version"
          ],
          "properties": {
            "name": {
              "type": "string",
              "description": "The name of the software that produced this HDF file. Example: 'gosec-to-hdf'."
            },
            "version": {
              "type": "string",
              "description": "The version of the tool. Example: '5.22.3'."
            }
          },
          "description": "Information about the tool that generated this HDF file.",
          "title": "Generator"
        },
        "Tool": {
          "type": "object",
          "unevaluatedProperties": false,
          "properties": {
            "name": {
              "type": "string",
              "description": "The name of the security tool that produced the data. Examples: 'gosec', 'Semgrep', 'OpenSCAP', 'AWS Config', 'Nessus'. Omit if the tool cannot be identified."
            },
            "version": {
              "type": "string",
              "description": "Version of the source tool, if available in the tool's output. Example: '5.22.3'."
            },
            "format": {
              "type": "string",
              "description": "The file format, if it is a recognized named format shared by multiple tools. Examples: 'SARIF', 'XCCDF'. Omit for tool-specific formats where the tool name already implies the format (Nessus XML, gosec JSON)."
            }
          },
          "description": "The security tool that produced the assessment data represented in this HDF file. Aligns with SARIF, OSCAL, and CycloneDX terminology.",
          "title": "Tool"
        },
        "Integrity": {
          "type": "object",
          "unevaluatedProperties": false,
          "dependentRequired": {
            "algorithm": [
              "checksum"
            ],
            "checksum": [
              "algorithm"
            ]
          },
          "properties": {
            "algorithm": {
              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Hash_Algorithm",
              "description": "The hash algorithm used for the checksum."
            },
            "checksum": {
              "type": "string",
              "description": "The checksum value, produced by the algorithm named in 'algorithm' (a hex-encoded digest in the examples)."
            },
            "signature": {
              "type": "string",
              "description": "Optional cryptographic signature, encoded as a string. This schema does not specify what content is signed or the signature format; producers and verifiers must agree on both."
            },
            "signedBy": {
              "type": "string",
              "description": "Identifier of the party that signed this file."
            }
          },
          "examples": [
            {
              "algorithm": "sha256",
              "checksum": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
            },
            {
              "algorithm": "sha512",
              "checksum": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
              "signature": "MEUCIQDx1y2hKl3mN8vP9qRz4tJ2sW5nX6cY8bD9aE3fG4hI5wIgK7mN8oP9qR0zS1tU2vW3xY4zA5bC6dD7eE8fG9hI0jK=",
              "signedBy": "security-automation@example.com"
            }
          ],
          "description": "Cryptographic integrity information for verifying that the HDF file has not been tampered with. If algorithm is provided, checksum must also be provided, and vice versa. Note that a checksum on its own only detects accidental corruption, since whoever can edit the file can also recompute an unsigned checksum; tamper-evidence against deliberate modification relies on the optional signature.",
          "title": "Integrity"
        }
      }
    },
    "https://mitre.github.io/hdf-libs/schemas/primitives/amendments/v3.1.0": {
      "$schema": "https://json-schema.org/draft/2020-12/schema",
      "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/amendments/v3.1.0",
      "title": "HDF Amendment Primitives",
      "description": "Types for waivers, attestations, and POA&Ms that modify requirement compliance status.",
      "$defs": {
        "Override_Type": {
          "type": "string",
          "enum": [
            "waiver",
            "attestation",
            "poam",
            "inherited",
            "falsePositive",
            "riskAdjustment",
            "operationalRequirement"
          ],
          "description": "The type of amendment, aligned with FedRAMP deviation request categories. 'waiver': risk accepted by Authorizing Official. 'attestation': manually verified by assessor. 'poam': remediation tracked (no status change). 'inherited': control provided by another component or system. 'falsePositive': scanner incorrectly identified a finding — for compliance scans (STIG, CIS), the check actually passes, so status is typically set to 'passed'; for vulnerability scans (CVE, SCA), the flagged vulnerability does not apply to this system, so status is typically set to 'notApplicable'. The disposition field on the requirement distinguishes false positives from genuinely not-applicable findings. 'riskAdjustment': impact score adjusted based on environmental context (FedRAMP Risk Adjustment); does not change pass/fail status, only impact via the impact field. 'operationalRequirement': deviation required by operational constraints (FedRAMP Operational Requirement); the finding cannot be remediated because the system requires the affected functionality. Remains an open risk.",
          "title": "Override Type"
        },
        "Impact_Override": {
          "type": "object",
          "required": [
            "value"
          ],
          "unevaluatedProperties": false,
          "properties": {
            "value": {
              "type": "number",
              "minimum": 0,
              "maximum": 1,
              "description": "The overridden impact score (0.0–1.0)."
            }
          },
          "description": "An override to the requirement's impact score. The prior impact is the original result value or the preceding override in the chain.",
          "title": "Impact Override"
        },
        "Standalone_Override": {
          "type": "object",
          "unevaluatedProperties": false,
          "required": [
            "type",
            "requirementId",
            "reason",
            "appliedBy",
            "appliedAt",
            "expiresAt"
          ],
          "anyOf": [
            {
              "required": [
                "status"
              ]
            },
            {
              "required": [
                "impact"
              ]
            }
          ],
          "properties": {
            "type": {
              "$ref": "#/$defs/Override_Type",
              "description": "The type of amendment."
            },
            "requirementId": {
              "type": "string",
              "description": "The ID of the requirement being amended. Must match a requirement ID in the referenced baseline."
            },
            "baselineRef": {
              "type": "string",
              "description": "Name of the baseline containing the requirement. Required when the system has multiple baselines with potentially overlapping requirement IDs."
            },
            "status": {
              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.1.0#/$defs/Result_Status",
              "description": "The new status this amendment sets. Optional when only impact is being overridden."
            },
            "impact": {
              "$ref": "#/$defs/Impact_Override",
              "description": "Override to the requirement's impact score. At least one of status or impact must be set."
            },
            "reason": {
              "type": "string",
              "description": "Justification for this amendment."
            },
            "appliedBy": {
              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Identity",
              "description": "Identity of who applied this amendment."
            },
            "appliedAt": {
              "type": "string",
              "format": "date-time",
              "description": "When this amendment was applied. ISO 8601 format."
            },
            "expiresAt": {
              "type": "string",
              "format": "date-time",
              "description": "When this amendment expires and must be reviewed; amendments are never permanent. ISO 8601 format."
            },
            "evidence": {
              "type": "array",
              "items": {
                "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Evidence"
              },
              "description": "Supporting evidence (screenshots, logs, URLs, documents)."
            },
            "signature": {
              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Signature",
              "description": "Digital signature for non-repudiation."
            },
            "previousChecksum": {
              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Checksum",
              "description": "Checksum of the prior amendment in the chain. Creates a tamper-evident linked list. Null for the first amendment."
            },
            "milestones": {
              "type": "array",
              "items": {
                "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Milestone"
              },
              "description": "Remediation milestones (primarily for POA&M type amendments)."
            },
            "inheritedFrom": {
              "type": "string",
              "format": "uuid",
              "description": "componentId of the local component that provides this control. Set when the provider is in the same system. Omit for external or cross-system providers; the reason field explains the source. Primarily used with type 'inherited'."
            },
            "componentRef": {
              "type": "string",
              "format": "uuid",
              "description": "componentId of the component this amendment is scoped to. When set, the amendment only applies to the specified component. When omitted, the amendment applies system-wide."
            }
          },
          "examples": [
            {
              "type": "waiver",
              "requirementId": "SV-257777",
              "baselineRef": "RHEL9-STIG",
              "status": "passed",
              "reason": "Compensating control: session timeout set to 15 min",
              "appliedBy": {
                "type": "email",
                "identifier": "ao@agency.gov"
              },
              "appliedAt": "2026-01-15T10:00:00Z",
              "expiresAt": "2026-06-30T00:00:00Z",
              "evidence": [
                {
                  "type": "url",
                  "data": "https://jira.agency.gov/CYBER-4521",
                  "description": "ISSM approval with compensating control documentation"
                }
              ]
            },
            {
              "type": "falsePositive",
              "requirementId": "SV-258010",
              "baselineRef": "RHEL9-STIG",
              "status": "passed",
              "reason": "STIG check misidentified sshd_config syntax; manual review confirms compliant configuration",
              "appliedBy": {
                "type": "email",
                "identifier": "assessor@agency.gov"
              },
              "appliedAt": "2026-04-14T10:00:00Z",
              "expiresAt": "2026-10-14T00:00:00Z"
            },
            {
              "type": "falsePositive",
              "requirementId": "CVE-2026-12345",
              "status": "notApplicable",
              "reason": "CVE scanner matched library signature but the vulnerable code path is not present in our build — dependency is compiled with the affected module disabled",
              "appliedBy": {
                "type": "email",
                "identifier": "dev@org.gov"
              },
              "appliedAt": "2026-04-14T10:00:00Z",
              "expiresAt": "2026-10-14T00:00:00Z"
            },
            {
              "type": "riskAdjustment",
              "requirementId": "SV-258020",
              "baselineRef": "RHEL9-STIG",
              "impact": {
                "value": 0.3
              },
              "reason": "CVE-123 is in a dead code path, unreachable from any entry point",
              "appliedBy": {
                "type": "email",
                "identifier": "dev@org.gov"
              },
              "appliedAt": "2026-04-14T10:00:00Z",
              "expiresAt": "2026-10-14T00:00:00Z"
            },
            {
              "type": "poam",
              "requirementId": "SV-258001",
              "baselineRef": "RHEL9-STIG",
              "status": "failed",
              "reason": "Patch requires vendor release, expected Q2 2026",
              "appliedBy": {
                "type": "email",
                "identifier": "sysadmin@agency.gov"
              },
              "appliedAt": "2026-01-20T09:00:00Z",
              "expiresAt": "2026-07-01T00:00:00Z",
              "milestones": [
                {
                  "description": "Vendor patch release",
                  "estimatedCompletion": "2026-04-15T00:00:00Z",
                  "status": "pending"
                },
                {
                  "description": "Apply patch to all servers",
                  "estimatedCompletion": "2026-05-01T00:00:00Z",
                  "status": "pending"
                }
              ]
            },
            {
              "type": "inherited",
              "requirementId": "SV-230368",
              "baselineRef": "RHEL9-STIG",
              "status": "notApplicable",
              "reason": "IA-2 is a common control provided by Keycloak SSO. This application has no local authentication mechanism.",
              "inheritedFrom": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
              "appliedBy": {
                "type": "email",
                "identifier": "issm@agency.gov"
              },
              "appliedAt": "2026-03-26T10:00:00Z",
              "expiresAt": "2026-09-26T00:00:00Z"
            }
          ],
          "description": "A standalone amendment that modifies a requirement's compliance status and/or impact score. At least one of status or impact must be set. Extends the inline Override concept with requirementId and baselineRef for use outside of results documents.",
          "title": "Standalone Override"
        }
      }
    },
    "https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.1.0": {
      "$schema": "https://json-schema.org/draft/2020-12/schema",
      "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/result/v3.1.0",
      "title": "HDF Result Primitives",
      "description": "Types for representing assessment results and statuses.",
      "$defs": {
        "Result_Status": {
          "type": "string",
          "enum": [
            "passed",
            "failed",
            "notApplicable",
            "notReviewed",
            "error"
          ],
          "description": "The status of an individual test result. 'notApplicable' indicates the requirement does not apply to the target. 'notReviewed' indicates the requirement was not assessed (e.g., requires manual verification).",
          "title": "Result Status"
        },
        "Requirement_Result": {
          "type": "object",
          "unevaluatedProperties": false,
          "required": [
            "status",
            "codeDesc",
            "startTime"
          ],
          "properties": {
            "status": {
              "$ref": "#/$defs/Result_Status",
              "description": "The status of this test within the requirement. Example: 'failed'."
            },
            "codeDesc": {
              "type": "string",
              "description": "A description of this test. Example: 'limits.conf * is expected to include [\"hard\", \"maxlogins\", \"10\"]'."
            },
            "runTime": {
              "type": "number",
              "minimum": 0,
              "description": "The execution time in seconds for the test."
            },
            "startTime": {
              "type": "string",
              "format": "date-time",
              "description": "The time at which the test started."
            },
            "resource": {
              "type": "string",
              "description": "The resource used in the test. Examples: 'file', 'command', 'service'."
            },
            "resourceId": {
              "type": "string",
              "description": "The unique identifier of the resource. Example: '/etc/passwd'."
            },
            "message": {
              "type": "string",
              "description": "An explanation of the test result. Typically provided for failed tests, errors, or to explain why a test was not applicable or not reviewed."
            },
            "exception": {
              "type": "string",
              "description": "The type of exception if an exception was thrown."
            },
            "backtrace": {
              "type": "array",
              "items": {
                "type": "string"
              },
              "description": "The stacktrace/backtrace of the exception if one occurred."
            }
          },
          "examples": [
            {
              "status": "passed",
              "codeDesc": "File /etc/ssh/sshd_config content is expected to match /Protocol\\s+2/",
              "startTime": "2025-06-15T10:30:00Z",
              "runTime": 0.015
            },
            {
              "status": "failed",
              "codeDesc": "Service 'telnet' is expected not to be enabled",
              "startTime": "2025-06-15T10:30:01Z",
              "runTime": 0.008,
              "message": "expected that 'Service telnet' is not enabled"
            },
            {
              "status": "error",
              "codeDesc": "File /etc/audit/auditd.conf content is expected to include 'max_log_file'",
              "startTime": "2025-06-15T10:30:02Z",
              "exception": "Errno::ENOENT",
              "backtrace": [
                "/opt/inspec/lib/resources/file.rb:42:in 'read'",
                "/opt/inspec/lib/resources/file.rb:15:in 'content'"
              ]
            }
          ],
          "description": "A test within a requirement and its results and findings such as how long it took to run.",
          "title": "Requirement Result"
        },
        "Requirement_Description": {
          "type": "object",
          "unevaluatedProperties": false,
          "required": [
            "label",
            "data"
          ],
          "properties": {
            "label": {
              "type": "string",
              "description": "The type of description. Examples: 'fix', 'check', 'rationale'."
            },
            "data": {
              "type": "string",
              "description": "The text of the description."
            }
          },
          "examples": [
            {
              "label": "default",
              "data": "Verify the SSH daemon is configured to only use FIPS-validated key exchange algorithms."
            },
            {
              "label": "check",
              "data": "Run 'sshd -T | grep kexalgorithms' and verify only FIPS-compliant algorithms are listed."
            },
            {
              "label": "fix",
              "data": "Add 'KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384' to /etc/ssh/sshd_config and restart sshd."
            }
          ],
          "description": "A labeled description for a requirement, such as fix text or check instructions.",
          "title": "Requirement Description"
        }
      }
    },
    "https://mitre.github.io/hdf-libs/schemas/primitives/runner/v3.1.0": {
      "$schema": "https://json-schema.org/draft/2020-12/schema",
      "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/runner/v3.1.0",
      "title": "HDF Runner Primitive",
      "description": "Information about the test execution environment where the security tool/scanner was executed.",
      "$defs": {
        "Runner": {
          "type": "object",
          "unevaluatedProperties": false,
          "required": [
            "name"
          ],
          "properties": {
            "name": {
              "type": "string",
              "description": "The name of the runner environment. Examples: 'ubuntu', 'macos', 'windows', 'docker', 'kubernetes-pod', 'manual'."
            },
            "release": {
              "type": "string",
              "description": "The version/release of the operating system or runtime. Examples: '20.04', '13.2', '11'."
            },
            "architecture": {
              "type": "string",
              "description": "The CPU architecture of the runner system. Examples: 'x86_64', 'arm64', 'aarch64'."
            },
            "hostname": {
              "type": "string",
              "description": "The hostname of the runner system. Examples: 'ci-runner-01', 'jenkins-agent-03', 'k8s-node-worker-03'."
            },
            "containerImage": {
              "type": "string",
              "description": "The container image used for the test execution. Examples: 'inspec/inspec:latest', 'ghcr.io/my-org/scanner:v2.1.0'. Useful for CI/CD pipelines where tests run in containers."
            },
            "containerId": {
              "type": "string",
              "description": "The container instance identifier. Examples: 'a1b2c3d4e5f6', 'security-scan-job-xyz123'. Can be a Docker container ID, Kubernetes pod name, or other container runtime identifier."
            },
            "operator": {
              "$ref": "https://mitre.github.io/hdf-libs/schemas/primitives/common/v3.1.0#/$defs/Identity",
              "description": "The identity of the person or system responsible for executing the test. This could be a human auditor manually completing a checklist, an automated CI/CD system, or a security tool. Optional field to support both automated and manual HDF generation."
            }
          },
          "examples": [
            {
              "name": "docker",
              "release": "20.04",
              "architecture": "x86_64",
              "hostname": "github-runner-prod-01",
              "containerImage": "ghcr.io/inspec/inspec:5.22.3",
              "containerId": "security-scan-job-a1b2c3d4",
              "operator": {
                "identifier": "github-actions",
                "type": "system",
                "description": "Automated CI/CD pipeline"
              }
            },
            {
              "name": "kubernetes-pod",
              "release": "1.28.4",
              "architecture": "arm64",
              "hostname": "k8s-worker-node-05",
              "containerImage": "gcr.io/my-org/security-scanner:v3.2.1",
              "containerId": "compliance-scan-pod-xyz789",
              "operator": {
                "identifier": "security-automation@example.com",
                "type": "email"
              }
            },
            {
              "name": "manual",
              "release": "macOS 14.2",
              "architecture": "arm64",
              "hostname": "auditor-mbp-02",
              "operator": {
                "identifier": "jane.smith",
                "type": "username",
                "description": "Senior Security Auditor - Manual Assessment"
              }
            }
          ],
          "description": "Information about the test execution environment. This is distinct from the target being scanned - the runner is where the security tool executes, while targets are what is being assessed.",
          "title": "Runner"
        }
      }
    },
    "https://mitre.github.io/hdf-libs/schemas/primitives/parameter/v3.1.0": {
      "$schema": "https://json-schema.org/draft/2020-12/schema",
      "$id": "https://mitre.github.io/hdf-libs/schemas/primitives/parameter/v3.1.0",
      "title": "HDF Parameter Primitives",
      "description": "Input/parameter type definitions for typed, traceable configuration values that bridge governance prose and scanner automation.",
      "$defs": {
        "Input_Type": {
          "type": "string",
          "enum": [
            "String",
            "Numeric",
            "Boolean",
            "Array",
            "Hash",
            "Regexp"
          ],
          "description": "The data type of the input value. Aligns with InSpec input types.",
          "title": "Input Type"
        },
        "Comparison_Operator": {
          "type": "string",
          "enum": [
            "eq",
            "ne",
            "lt",
            "le",
            "gt",
            "ge",
            "contains",
            "matches",
            "in",
            "notIn"
          ],
          "description": "Comparison operator for evaluating the input value against observed values. Numeric: eq/ne/lt/le/gt/ge. String: eq/ne/contains/matches. Collection: in/notIn.",
          "title": "Comparison Operator"
        },
        "Input_Constraints": {
          "type": "object",
          "unevaluatedProperties": false,
          "properties": {
            "min": {
              "type": "number",
              "description": "Minimum allowed value (for Numeric inputs)."
            },
            "max": {
              "type": "number",
              "description": "Maximum allowed value (for Numeric inputs)."
            },
            "pattern": {
              "type": "string",
              "description": "Regular expression pattern the value must match (for String inputs)."
            },
            "allowedValues": {
              "type": "array",
              "description": "Enumeration of permitted values."
            }
          },
          "description": "Validation constraints for an input value.",
          "title": "Input Constraints"
        },
        "Input": {
          "type": "object",
          "unevaluatedProperties": false,
          "required": [
            "name"
          ],
          "properties": {
            "name": {
              "type": "string",
              "description": "The input name. Must be unique within a baseline or results document. Example: 'max_concurrent_sessions'."
            },
            "type": {
              "$ref": "#/$defs/Input_Type",
              "description": "The data type of this input."
            },
            "value": {
              "description": "The input value; its JSON type should match the declared 'type' field. Any JSON value is accepted."
            },
            "description": {
              "type": "string",
              "description": "Human-readable description of what this input controls."
            },
            "required": {
              "type": "boolean",
              "description": "Whether this input must be provided. Defaults to false if omitted."
            },
            "sensitive": {
              "type": "boolean",
              "description": "Whether this input contains sensitive data (passwords, keys). The value of a sensitive input should be redacted or omitted from emitted documents, as in the 'db_password' example. Defaults to false if omitted."
            },
            "operator": {
              "$ref": "#/$defs/Comparison_Operator",
              "description": "The comparison operator used when evaluating this input against observed values."
            },
            "constraints": {
              "$ref": "#/$defs/Input_Constraints",
              "description": "Validation constraints for the input value."
            }
          },
          "examples": [
            {
              "name": "max_concurrent_sessions",
              "type": "Numeric",
              "value": 3,
              "description": "Maximum concurrent sessions per user",
              "required": true,
              "sensitive": false,
              "operator": "le",
              "constraints": {
                "min": 1,
                "max": 100
              }
            },
            {
              "name": "allowed_ciphers",
              "type": "String",
              "value": "AES256-GCM",
              "description": "Permitted TLS cipher suite",
              "constraints": {
                "pattern": "^AES"
              }
            },
            {
              "name": "db_password",
              "type": "String",
              "sensitive": true
            }
          ],
          "description": "A typed input parameter that bridges governance requirements and scanner automation. Inputs carry expected configuration values with type information, comparison operators, and validation constraints, enabling traceability from policy through to scan results.",
          "title": "Input"
        }
      }
    }
  }
}