From 95e99462c7d5513d314cc3e4b58b32dac8074d06 Mon Sep 17 00:00:00 2001 From: Geoffrey Borough Date: Mon, 26 Feb 2024 11:45:51 +1100 Subject: [PATCH] initial commit (#1) * initial commit * initial commit --- .envrc | 1 + .github/dependabot.yml | 13 + .github/workflows/ci.yaml | 123 + .github/workflows/release.yml | 271 + .gitignore | 20 + .pre-commit-config.yaml | 18 + CHANGELOG.md | 8 + Cargo.lock | 1484 +++++ Cargo.toml | 28 + LICENSE => LICENSE-APACHE | 4 +- LICENSE-MIT | 21 + README.md | 264 +- ROADMAP.md | 59 + SECURITY.md | 12 + cliff.toml | 57 + default.nix | 10 + deny.toml | 67 + flake.lock | 94 + flake.nix | 30 + roscal_cli/Cargo.toml | 36 + roscal_cli/src/cli/cli_fn.rs | 160 + roscal_cli/src/cli/cli_opts.rs | 97 + roscal_cli/src/cli/mod.rs | 2 + roscal_cli/src/lib.rs | 4 + roscal_cli/src/main.rs | 22 + roscal_cli/src/models/dissect.rs | 465 ++ roscal_cli/src/models/merge.rs | 798 +++ roscal_cli/src/models/mod.rs | 7 + roscal_cli/src/models/model.rs | 2893 +++++++++ roscal_cli/src/models/utils.rs | 81 + roscal_cli/src/models/validate.rs | 101 + roscal_cli/src/models/validation.rs | 161 + roscal_cli/src/models/workspace.rs | 96 + roscal_cli/tests/data/ap.yaml | 90 + roscal_cli/tests/data/ar.yaml | 153 + roscal_cli/tests/data/catalog.yaml | 203 + roscal_cli/tests/data/compdef.yaml | 93 + roscal_cli/tests/data/edit_back_matter | 10 + roscal_cli/tests/data/edit_uuid | 1 + roscal_cli/tests/data/malformed | 203 + roscal_cli/tests/data/poam.yaml | 144 + roscal_cli/tests/data/profile.yaml | 421 ++ roscal_cli/tests/data/ssp.yaml | 286 + roscal_cli/tests/dissect.rs | 200 + roscal_cli/tests/merge.rs | 260 + roscal_cli/tests/roundtrip.rs | 279 + roscal_lib/Cargo.toml | 39 + roscal_lib/README.md | 20 + roscal_lib/build.rs | 2833 +++++++++ .../jsonschema/baseline_unified/1.0.0.json | 5542 ++++++++++++++++ roscal_lib/jsonschema/baseline_unified/loc | 1 + .../jsonschema/previous_unified/1.1.1.json | 5659 +++++++++++++++++ roscal_lib/jsonschema/previous_unified/loc | 1 + .../oscal_assessment-plan_schema.json | 3310 ++++++++++ .../oscal_assessment-results_schema.json | 3481 ++++++++++ .../oscal_catalog_schema.json | 1176 ++++ .../oscal_component_schema.json | 1799 ++++++ .../oscal_poam_schema.json | 3398 ++++++++++ .../oscal_profile_schema.json | 1482 +++++ .../oscal_ssp_schema.json | 2365 +++++++ .../tracking_latest_unified/1.1.2.json | 5659 +++++++++++++++++ .../jsonschema/tracking_latest_unified/loc | 1 + roscal_lib/src/assessment/assessment_plan.rs | 2136 +++++++ .../src/assessment/assessment_results.rs | 3431 ++++++++++ roscal_lib/src/assessment/mod.rs | 8 + roscal_lib/src/assessment/poam.rs | 2803 ++++++++ roscal_lib/src/common_impl.rs | 408 ++ roscal_lib/src/control/catalog.rs | 1116 ++++ roscal_lib/src/control/mod.rs | 6 + roscal_lib/src/control/profile.rs | 1801 ++++++ .../implementation/component_definition.rs | 1199 ++++ roscal_lib/src/implementation/mod.rs | 6 + roscal_lib/src/implementation/ssp.rs | 2165 +++++++ roscal_lib/src/lib.rs | 71 + roscal_lib/src/uuid_impl.rs | 42 + roscal_lib/src/validation.rs | 796 +++ .../json/ifa_assessment-plan-example-min.json | 115 + .../ap/json/ifa_assessment-plan-example.json | 157 + .../ap/yaml/ifa_assessment-plan-example.yaml | 90 + .../ifa_assessment-results-example-min.json | 169 + .../json/ifa_assessment-results-example.json | 207 + .../yaml/ifa_assessment-results-example.yaml | 153 + .../tests/catalog/json/basic-catalog-min.json | 234 + .../tests/catalog/json/basic-catalog.json | 275 + .../tests/catalog/yaml/basic-catalog.yaml | 199 + .../example-component-definition-min.json | 132 + .../json/example-component-definition.json | 163 + .../json/example-component-min.json | 98 + .../json/example-component.json | 98 + .../yaml/example-component-definition.yaml | 93 + .../yaml/example-component.yaml | 55 + roscal_lib/tests/loc | 1 + roscal_lib/tests/malformed.rs | 68 + roscal_lib/tests/malformed/date.yaml | 286 + roscal_lib/tests/malformed/datetime.yaml | 421 ++ roscal_lib/tests/malformed/email.yaml | 421 ++ roscal_lib/tests/malformed/uri.yaml | 421 ++ roscal_lib/tests/malformed/uuid.yaml | 421 ++ roscal_lib/tests/parse_test.rs | 198 + ...ifa_plan-of-action-and-milestones-min.json | 197 + .../ifa_plan-of-action-and-milestones.json | 221 + .../ifa_plan-of-action-and-milestones.yaml | 144 + ..._SP-800-53_rev5_HIGH-baseline_profile.json | 458 ++ ..._SP-800-53_rev5_HIGH-baseline_profile.yaml | 421 ++ .../tests/ssp/json/ifa_ssp-example-min.json | 407 ++ .../tests/ssp/json/ifa_ssp-example.json | 458 ++ .../json/oscal_leveraged-example_ssp-min.json | 233 + .../ssp/json/oscal_leveraged-example_ssp.json | 276 + .../oscal_leveraging-example_ssp-min.json | 274 + .../json/oscal_leveraging-example_ssp.json | 321 + .../tests/ssp/json/ssp-example-min.json | 459 ++ roscal_lib/tests/ssp/json/ssp-example.json | 591 ++ .../tests/ssp/yaml/ifa_ssp-example.yaml | 286 + .../ssp/yaml/oscal_leveraged-example_ssp.yaml | 199 + .../yaml/oscal_leveraging-example_ssp.yaml | 210 + roscal_lib/tests/ssp/yaml/ssp-example.yaml | 326 + rustfmt.toml | 2 + shell.nix | 10 + 118 files changed, 72568 insertions(+), 4 deletions(-) create mode 100644 .envrc create mode 100644 .github/dependabot.yml create mode 100644 .github/workflows/ci.yaml create mode 100644 .github/workflows/release.yml create mode 100644 .gitignore create mode 100644 .pre-commit-config.yaml create mode 100644 CHANGELOG.md create mode 100644 Cargo.lock create mode 100644 Cargo.toml rename LICENSE => LICENSE-APACHE (99%) create mode 100644 LICENSE-MIT create mode 100644 ROADMAP.md create mode 100644 SECURITY.md create mode 100644 cliff.toml create mode 100644 default.nix create mode 100644 deny.toml create mode 100644 flake.lock create mode 100644 flake.nix create mode 100644 roscal_cli/Cargo.toml create mode 100644 roscal_cli/src/cli/cli_fn.rs create mode 100644 roscal_cli/src/cli/cli_opts.rs create mode 100644 roscal_cli/src/cli/mod.rs create mode 100644 roscal_cli/src/lib.rs create mode 100644 roscal_cli/src/main.rs create mode 100644 roscal_cli/src/models/dissect.rs create mode 100644 roscal_cli/src/models/merge.rs create mode 100644 roscal_cli/src/models/mod.rs create mode 100644 roscal_cli/src/models/model.rs create mode 100644 roscal_cli/src/models/utils.rs create mode 100644 roscal_cli/src/models/validate.rs create mode 100644 roscal_cli/src/models/validation.rs create mode 100644 roscal_cli/src/models/workspace.rs create mode 100644 roscal_cli/tests/data/ap.yaml create mode 100644 roscal_cli/tests/data/ar.yaml create mode 100644 roscal_cli/tests/data/catalog.yaml create mode 100644 roscal_cli/tests/data/compdef.yaml create mode 100644 roscal_cli/tests/data/edit_back_matter create mode 100644 roscal_cli/tests/data/edit_uuid create mode 100644 roscal_cli/tests/data/malformed create mode 100644 roscal_cli/tests/data/poam.yaml create mode 100644 roscal_cli/tests/data/profile.yaml create mode 100644 roscal_cli/tests/data/ssp.yaml create mode 100644 roscal_cli/tests/dissect.rs create mode 100644 roscal_cli/tests/merge.rs create mode 100644 roscal_cli/tests/roundtrip.rs create mode 100644 roscal_lib/Cargo.toml create mode 100644 roscal_lib/README.md create mode 100644 roscal_lib/build.rs create mode 100644 roscal_lib/jsonschema/baseline_unified/1.0.0.json create mode 100644 roscal_lib/jsonschema/baseline_unified/loc create mode 100644 roscal_lib/jsonschema/previous_unified/1.1.1.json create mode 100644 roscal_lib/jsonschema/previous_unified/loc create mode 100644 roscal_lib/jsonschema/tracking_latest_models/oscal_assessment-plan_schema.json create mode 100644 roscal_lib/jsonschema/tracking_latest_models/oscal_assessment-results_schema.json create mode 100644 roscal_lib/jsonschema/tracking_latest_models/oscal_catalog_schema.json create mode 100644 roscal_lib/jsonschema/tracking_latest_models/oscal_component_schema.json create mode 100644 roscal_lib/jsonschema/tracking_latest_models/oscal_poam_schema.json create mode 100644 roscal_lib/jsonschema/tracking_latest_models/oscal_profile_schema.json create mode 100644 roscal_lib/jsonschema/tracking_latest_models/oscal_ssp_schema.json create mode 100644 roscal_lib/jsonschema/tracking_latest_unified/1.1.2.json create mode 100644 roscal_lib/jsonschema/tracking_latest_unified/loc create mode 100644 roscal_lib/src/assessment/assessment_plan.rs create mode 100644 roscal_lib/src/assessment/assessment_results.rs create mode 100644 roscal_lib/src/assessment/mod.rs create mode 100644 roscal_lib/src/assessment/poam.rs create mode 100644 roscal_lib/src/common_impl.rs create mode 100644 roscal_lib/src/control/catalog.rs create mode 100644 roscal_lib/src/control/mod.rs create mode 100644 roscal_lib/src/control/profile.rs create mode 100644 roscal_lib/src/implementation/component_definition.rs create mode 100644 roscal_lib/src/implementation/mod.rs create mode 100644 roscal_lib/src/implementation/ssp.rs create mode 100644 roscal_lib/src/lib.rs create mode 100644 roscal_lib/src/uuid_impl.rs create mode 100644 roscal_lib/src/validation.rs create mode 100644 roscal_lib/tests/ap/json/ifa_assessment-plan-example-min.json create mode 100644 roscal_lib/tests/ap/json/ifa_assessment-plan-example.json create mode 100644 roscal_lib/tests/ap/yaml/ifa_assessment-plan-example.yaml create mode 100644 roscal_lib/tests/ar/json/ifa_assessment-results-example-min.json create mode 100644 roscal_lib/tests/ar/json/ifa_assessment-results-example.json create mode 100644 roscal_lib/tests/ar/yaml/ifa_assessment-results-example.yaml create mode 100644 roscal_lib/tests/catalog/json/basic-catalog-min.json create mode 100644 roscal_lib/tests/catalog/json/basic-catalog.json create mode 100644 roscal_lib/tests/catalog/yaml/basic-catalog.yaml create mode 100644 roscal_lib/tests/component-definition/json/example-component-definition-min.json create mode 100644 roscal_lib/tests/component-definition/json/example-component-definition.json create mode 100644 roscal_lib/tests/component-definition/json/example-component-min.json create mode 100644 roscal_lib/tests/component-definition/json/example-component.json create mode 100644 roscal_lib/tests/component-definition/yaml/example-component-definition.yaml create mode 100644 roscal_lib/tests/component-definition/yaml/example-component.yaml create mode 100644 roscal_lib/tests/loc create mode 100644 roscal_lib/tests/malformed.rs create mode 100644 roscal_lib/tests/malformed/date.yaml create mode 100644 roscal_lib/tests/malformed/datetime.yaml create mode 100644 roscal_lib/tests/malformed/email.yaml create mode 100644 roscal_lib/tests/malformed/uri.yaml create mode 100644 roscal_lib/tests/malformed/uuid.yaml create mode 100644 roscal_lib/tests/parse_test.rs create mode 100644 roscal_lib/tests/poam/json/ifa_plan-of-action-and-milestones-min.json create mode 100644 roscal_lib/tests/poam/json/ifa_plan-of-action-and-milestones.json create mode 100644 roscal_lib/tests/poam/yaml/ifa_plan-of-action-and-milestones.yaml create mode 100644 roscal_lib/tests/profile/json/NIST_SP-800-53_rev5_HIGH-baseline_profile.json create mode 100644 roscal_lib/tests/profile/yaml/NIST_SP-800-53_rev5_HIGH-baseline_profile.yaml create mode 100644 roscal_lib/tests/ssp/json/ifa_ssp-example-min.json create mode 100644 roscal_lib/tests/ssp/json/ifa_ssp-example.json create mode 100644 roscal_lib/tests/ssp/json/oscal_leveraged-example_ssp-min.json create mode 100644 roscal_lib/tests/ssp/json/oscal_leveraged-example_ssp.json create mode 100644 roscal_lib/tests/ssp/json/oscal_leveraging-example_ssp-min.json create mode 100644 roscal_lib/tests/ssp/json/oscal_leveraging-example_ssp.json create mode 100644 roscal_lib/tests/ssp/json/ssp-example-min.json create mode 100644 roscal_lib/tests/ssp/json/ssp-example.json create mode 100644 roscal_lib/tests/ssp/yaml/ifa_ssp-example.yaml create mode 100644 roscal_lib/tests/ssp/yaml/oscal_leveraged-example_ssp.yaml create mode 100644 roscal_lib/tests/ssp/yaml/oscal_leveraging-example_ssp.yaml create mode 100644 roscal_lib/tests/ssp/yaml/ssp-example.yaml create mode 100644 rustfmt.toml create mode 100644 shell.nix diff --git a/.envrc b/.envrc new file mode 100644 index 0000000..8392d15 --- /dev/null +++ b/.envrc @@ -0,0 +1 @@ +use flake \ No newline at end of file diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..71e71c7 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,13 @@ +version: 2 +updates: + - package-ecosystem: cargo + directory: "/" + schedule: + interval: daily + open-pull-requests-limit: 10 + + - package-ecosystem: github-actions + directory: "/" + schedule: + interval: daily + open-pull-requests-limit: 10 \ No newline at end of file diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml new file mode 100644 index 0000000..97053f7 --- /dev/null +++ b/.github/workflows/ci.yaml @@ -0,0 +1,123 @@ +name: CI + +run-name: "CI run '${{ github.head_ref || github.ref_name }}'" + +on: + workflow_dispatch: + push: + branches: + - main + pull_request: + +concurrency: + group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}' + cancel-in-progress: true + +jobs: + format: + name: Cargo format + runs-on: ubuntu-latest + steps: + + - name: Install toolchain + uses: dtolnay/rust-toolchain@stable + with: + toolchain: 1.76.0 + components: rustfmt + + - name: Checkout source + uses: actions/checkout@v4 + + - name: Setup cache + uses: Swatinem/rust-cache@v2 + with: + save-if: ${{ github.ref == 'refs/heads/main' }} + + - name: Check format + run: cargo fmt --all + + security-check: + name: Security check + runs-on: ubuntu-latest + steps: + + - name: Install toolchain + uses: dtolnay/rust-toolchain@stable + with: + toolchain: 1.76.0 + components: rustfmt + + - name: Checkout sources + uses: actions/checkout@v4 + + - name: Install cargo-deny + run: cargo install cargo-deny --locked + + - name: Install cargo-vet + run: cargo install cargo-vet --locked + + - name: Run cargo deny + run: cargo deny check + + - name: Run cargo vet + run: cargo vet init && cargo vet + + - name: Report failure + if: failure() + run: | + echo "## Security Check Failed" >> $GITHUB_STEP_SUMMARY + + clippy: + name: Check clippy + runs-on: ubuntu-latest + steps: + + - name: Install toolchain + uses: dtolnay/rust-toolchain@stable + with: + toolchain: 1.76.0 + components: clippy + + - name: Checkout sources + uses: actions/checkout@v4 + + - name: Setup cache + uses: Swatinem/rust-cache@v2 + with: + save-if: ${{ github.ref == 'refs/heads/main' }} + + - name: Install dependencies + run: | + sudo apt-get -y update + sudo apt-get -y install npm + npm install -g quicktype + + - name: Run clippy + run: cargo clippy -- -D warnings + + build-test: + name: Cargo test + runs-on: ubuntu-latest + steps: + + - name: Install stable toolchain + uses: dtolnay/rust-toolchain@stable + with: + toolchain: 1.76.0 + + - name: Checkout sources + uses: actions/checkout@v4 + + - name: Setup cache + uses: Swatinem/rust-cache@v2 + with: + save-if: ${{ github.ref == 'refs/heads/main' }} + + - name: Install dependencies + run: | + sudo apt-get -y update + sudo apt-get -y install npm + npm install -g quicktype + + - name: Run test + run: cargo test diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000..77395e3 --- /dev/null +++ b/.github/workflows/release.yml @@ -0,0 +1,271 @@ +# Copyright 2022-2023, axodotdev +# SPDX-License-Identifier: MIT or Apache-2.0 +# +# CI that: +# +# * checks for a Git Tag that looks like a release +# * builds artifacts with cargo-dist (archives, installers, hashes) +# * uploads those artifacts to temporary workflow zip +# * on success, uploads the artifacts to a Github Release +# +# Note that the Github Release will be created with a generated +# title/body based on your changelogs. + +name: Release + +permissions: + contents: write + +# This task will run whenever you push a git tag that looks like a version +# like "1.0.0", "v0.1.0-prerelease.1", "my-app/0.1.0", "releases/v1.0.0", etc. +# Various formats will be parsed into a VERSION and an optional PACKAGE_NAME, where +# PACKAGE_NAME must be the name of a Cargo package in your workspace, and VERSION +# must be a Cargo-style SemVer Version (must have at least major.minor.patch). +# +# If PACKAGE_NAME is specified, then the announcement will be for that +# package (erroring out if it doesn't have the given version or isn't cargo-dist-able). +# +# If PACKAGE_NAME isn't specified, then the announcement will be for all +# (cargo-dist-able) packages in the workspace with that version (this mode is +# intended for workspaces with only one dist-able package, or with all dist-able +# packages versioned/released in lockstep). +# +# If you push multiple tags at once, separate instances of this workflow will +# spin up, creating an independent announcement for each one. However Github +# will hard limit this to 3 tags per commit, as it will assume more tags is a +# mistake. +# +# If there's a prerelease-style suffix to the version, then the release(s) +# will be marked as a prerelease. +on: + push: + tags: + - '**[0-9]+.[0-9]+.[0-9]+*' + pull_request: + workflow_dispatch: + +concurrency: + group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}' + cancel-in-progress: true + +jobs: + # Run 'cargo dist plan' (or host) to determine what tasks we need to do + plan: + runs-on: ubuntu-latest + outputs: + val: ${{ steps.plan.outputs.manifest }} + tag: ${{ !github.event.pull_request && github.ref_name || '' }} + tag-flag: ${{ !github.event.pull_request && format('--tag={0}', github.ref_name) || '' }} + publishing: ${{ !github.event.pull_request }} + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + steps: + - uses: actions/checkout@v4 + with: + submodules: recursive + - name: Install cargo-dist + # we specify bash to get pipefail; it guards against the `curl` command + # failing. otherwise `sh` won't catch that `curl` returned non-0 + shell: bash + run: "curl --proto '=https' --tlsv1.2 -LsSf https://github.com/axodotdev/cargo-dist/releases/download/v0.10.0/cargo-dist-installer.sh | sh" + # sure would be cool if github gave us proper conditionals... + # so here's a doubly-nested ternary-via-truthiness to try to provide the best possible + # functionality based on whether this is a pull_request, and whether it's from a fork. + # (PRs run on the *source* but secrets are usually on the *target* -- that's *good* + # but also really annoying to build CI around when it needs secrets to work right.) + - id: plan + run: | + cargo dist ${{ (!github.event.pull_request && format('host --steps=create --tag={0}', github.ref_name)) || 'plan' }} --output-format=json > plan-dist-manifest.json + echo "cargo dist ran successfully" + cat plan-dist-manifest.json + echo "manifest=$(jq -c "." plan-dist-manifest.json)" >> "$GITHUB_OUTPUT" + - name: "Upload dist-manifest.json" + uses: actions/upload-artifact@v4 + with: + name: artifacts-plan-dist-manifest + path: plan-dist-manifest.json + + # Build and packages all the platform-specific things + build-local-artifacts: + name: build-local-artifacts (${{ join(matrix.targets, ', ') }}) + # Let the initial task tell us to not run (currently very blunt) + needs: + - plan + if: ${{ fromJson(needs.plan.outputs.val).ci.github.artifacts_matrix.include != null && (needs.plan.outputs.publishing == 'true' || fromJson(needs.plan.outputs.val).ci.github.pr_run_mode == 'upload') }} + strategy: + fail-fast: false + # Target platforms/runners are computed by cargo-dist in create-release. + # Each member of the matrix has the following arguments: + # + # - runner: the github runner + # - dist-args: cli flags to pass to cargo dist + # - install-dist: expression to run to install cargo-dist on the runner + # + # Typically there will be: + # - 1 "global" task that builds universal installers + # - N "local" tasks that build each platform's binaries and platform-specific installers + matrix: ${{ fromJson(needs.plan.outputs.val).ci.github.artifacts_matrix }} + runs-on: ${{ matrix.runner }} + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + BUILD_MANIFEST_NAME: target/distrib/${{ join(matrix.targets, '-') }}-dist-manifest.json + steps: + - uses: actions/checkout@v4 + with: + submodules: recursive + - uses: swatinem/rust-cache@v2 + - name: Install cargo-dist + run: ${{ matrix.install_dist }} + # Get the dist-manifest + - name: Fetch local artifacts + uses: actions/download-artifact@v4 + with: + pattern: artifacts-* + path: target/distrib/ + merge-multiple: true + - name: Install dependencies + run: | + ${{ matrix.packages_install }} + npm install -g quicktype + - name: Build artifacts + run: | + # Actually do builds and make zips and whatnot + cargo dist build ${{ needs.plan.outputs.tag-flag }} --print=linkage --output-format=json ${{ matrix.dist_args }} > dist-manifest.json + echo "cargo dist ran successfully" + - id: cargo-dist + name: Post-build + # We force bash here just because github makes it really hard to get values up + # to "real" actions without writing to env-vars, and writing to env-vars has + # inconsistent syntax between shell and powershell. + shell: bash + run: | + # Parse out what we just built and upload it to scratch storage + echo "paths<> "$GITHUB_OUTPUT" + jq --raw-output ".artifacts[]?.path | select( . != null )" dist-manifest.json >> "$GITHUB_OUTPUT" + echo "EOF" >> "$GITHUB_OUTPUT" + + cp dist-manifest.json "$BUILD_MANIFEST_NAME" + - name: "Upload artifacts" + uses: actions/upload-artifact@v4 + with: + name: artifacts-build-local-${{ join(matrix.targets, '_') }} + path: | + ${{ steps.cargo-dist.outputs.paths }} + ${{ env.BUILD_MANIFEST_NAME }} + + # Build and package all the platform-agnostic(ish) things + build-global-artifacts: + needs: + - plan + - build-local-artifacts + runs-on: "ubuntu-20.04" + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + BUILD_MANIFEST_NAME: target/distrib/global-dist-manifest.json + steps: + - uses: actions/checkout@v4 + with: + submodules: recursive + - name: Install cargo-dist + run: "curl --proto '=https' --tlsv1.2 -LsSf https://github.com/axodotdev/cargo-dist/releases/download/v0.10.0/cargo-dist-installer.sh | sh" + # Get all the local artifacts for the global tasks to use (for e.g. checksums) + - name: Fetch local artifacts + uses: actions/download-artifact@v4 + with: + pattern: artifacts-* + path: target/distrib/ + merge-multiple: true + - id: cargo-dist + shell: bash + run: | + cargo dist build ${{ needs.plan.outputs.tag-flag }} --output-format=json "--artifacts=global" > dist-manifest.json + echo "cargo dist ran successfully" + + # Parse out what we just built and upload it to scratch storage + echo "paths<> "$GITHUB_OUTPUT" + jq --raw-output ".artifacts[]?.path | select( . != null )" dist-manifest.json >> "$GITHUB_OUTPUT" + echo "EOF" >> "$GITHUB_OUTPUT" + + cp dist-manifest.json "$BUILD_MANIFEST_NAME" + - name: "Upload artifacts" + uses: actions/upload-artifact@v4 + with: + name: artifacts-build-global + path: | + ${{ steps.cargo-dist.outputs.paths }} + ${{ env.BUILD_MANIFEST_NAME }} + # Determines if we should publish/announce + host: + needs: + - plan + - build-local-artifacts + - build-global-artifacts + # Only run if we're "publishing", and only if local and global didn't fail (skipped is fine) + if: ${{ always() && needs.plan.outputs.publishing == 'true' && (needs.build-global-artifacts.result == 'skipped' || needs.build-global-artifacts.result == 'success') && (needs.build-local-artifacts.result == 'skipped' || needs.build-local-artifacts.result == 'success') }} + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + runs-on: "ubuntu-20.04" + outputs: + val: ${{ steps.host.outputs.manifest }} + steps: + - uses: actions/checkout@v4 + with: + submodules: recursive + - name: Install cargo-dist + run: "curl --proto '=https' --tlsv1.2 -LsSf https://github.com/axodotdev/cargo-dist/releases/download/v0.10.0/cargo-dist-installer.sh | sh" + # Fetch artifacts from scratch-storage + - name: Fetch artifacts + uses: actions/download-artifact@v4 + with: + pattern: artifacts-* + path: target/distrib/ + merge-multiple: true + # This is a harmless no-op for Github Releases, hosting for that happens in "announce" + - id: host + shell: bash + run: | + cargo dist host ${{ needs.plan.outputs.tag-flag }} --steps=upload --steps=release --output-format=json > dist-manifest.json + echo "artifacts uploaded and released successfully" + cat dist-manifest.json + echo "manifest=$(jq -c "." dist-manifest.json)" >> "$GITHUB_OUTPUT" + - name: "Upload dist-manifest.json" + uses: actions/upload-artifact@v4 + with: + # Overwrite the previous copy + name: artifacts-dist-manifest + path: dist-manifest.json + + # Create a Github Release while uploading all files to it + announce: + needs: + - plan + - host + # use "always() && ..." to allow us to wait for all publish jobs while + # still allowing individual publish jobs to skip themselves (for prereleases). + # "host" however must run to completion, no skipping allowed! + if: ${{ always() && needs.host.result == 'success' }} + runs-on: "ubuntu-20.04" + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + steps: + - uses: actions/checkout@v4 + with: + submodules: recursive + - name: "Download Github Artifacts" + uses: actions/download-artifact@v4 + with: + pattern: artifacts-* + path: artifacts + merge-multiple: true + - name: Cleanup + run: | + # Remove the granular manifests + rm -f artifacts/*-dist-manifest.json + - name: Create Github Release + uses: ncipollo/release-action@v1 + with: + tag: ${{ needs.plan.outputs.tag }} + name: ${{ fromJson(needs.host.outputs.val).announcement_title }} + body: ${{ fromJson(needs.host.outputs.val).announcement_github_body }} + prerelease: ${{ fromJson(needs.host.outputs.val).announcement_is_prerelease }} + artifacts: "artifacts/*" diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..7cd8a09 --- /dev/null +++ b/.gitignore @@ -0,0 +1,20 @@ +# Generated by Cargo +# will have compiled files and executables +debug/ +target/ + +# These are backup files generated by rustfmt +**/*.rs.bk + +# MSVC Windows builds of rustc generate these, which store debugging information +*.pdb + + +# Added by cargo + +/target + +/result + +.cargo +.vscode \ No newline at end of file diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000..3d04a5f --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,18 @@ +repos: +- repo: local + hooks: + - id: clippy + name: clippy + description: cargo clippy + entry: cargo clippy + language: system + args: ["--", "-D", "warnings"] + types: [rust] + pass_filenames: false + - id: fmt + name: fmt + description: cargo fmt + entry: cargo fmt + language: system + types: [rust] + args: ["--all"] \ No newline at end of file diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..bcd482e --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,8 @@ +# Changelog + +## [0.1.0] - 2024-02-26 + +### Changed + +- Initial commit + diff --git a/Cargo.lock b/Cargo.lock new file mode 100644 index 0000000..c99a564 --- /dev/null +++ b/Cargo.lock @@ -0,0 +1,1484 @@ +# This file is automatically @generated by Cargo. +# It is not intended for manual editing. +version = 3 + +[[package]] +name = "addr2line" +version = "0.21.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8a30b2e23b9e17a9f90641c7ab1549cd9b44f296d3ccbf309d2863cfe398a0cb" +dependencies = [ + "gimli", +] + +[[package]] +name = "adler" +version = "1.0.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f26201604c87b1e01bd3d98f8d5d9a8fcbb815e8cedb41ffccbeb4bf593a35fe" + +[[package]] +name = "aho-corasick" +version = "1.1.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b2969dcb958b36655471fc61f7e416fa76033bdd4bfed0678d8fee1e2d07a1f0" +dependencies = [ + "memchr", +] + +[[package]] +name = "android-tzdata" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e999941b234f3131b00bc13c22d06e8c5ff726d1b6318ac7eb276997bbb4fef0" + +[[package]] +name = "android_system_properties" +version = "0.1.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "819e7219dbd41043ac279b19830f2efc897156490d7fd6ea916720117ee66311" +dependencies = [ + "libc", +] + +[[package]] +name = "anstream" +version = "0.6.12" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "96b09b5178381e0874812a9b157f7fe84982617e48f71f4e3235482775e5b540" +dependencies = [ + "anstyle", + "anstyle-parse", + "anstyle-query", + "anstyle-wincon", + "colorchoice", + "utf8parse", +] + +[[package]] +name = "anstyle" +version = "1.0.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8901269c6307e8d93993578286ac0edf7f195079ffff5ebdeea6a59ffb7e36bc" + +[[package]] +name = "anstyle-parse" +version = "0.2.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c75ac65da39e5fe5ab759307499ddad880d724eed2f6ce5b5e8a26f4f387928c" +dependencies = [ + "utf8parse", +] + +[[package]] +name = "anstyle-query" +version = "1.0.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e28923312444cdd728e4738b3f9c9cac739500909bb3d3c94b43551b16517648" +dependencies = [ + "windows-sys 0.52.0", +] + +[[package]] +name = "anstyle-wincon" +version = "3.0.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1cd54b81ec8d6180e24654d0b371ad22fc3dd083b6ff8ba325b72e00c87660a7" +dependencies = [ + "anstyle", + "windows-sys 0.52.0", +] + +[[package]] +name = "anyhow" +version = "1.0.80" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5ad32ce52e4161730f7098c077cd2ed6229b5804ccf99e5366be1ab72a98b4e1" + +[[package]] +name = "assert_cmd" +version = "2.0.14" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ed72493ac66d5804837f480ab3766c72bdfab91a65e565fc54fa9e42db0073a8" +dependencies = [ + "anstyle", + "bstr", + "doc-comment", + "predicates", + "predicates-core", + "predicates-tree", + "wait-timeout", +] + +[[package]] +name = "autocfg" +version = "1.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa" + +[[package]] +name = "backtrace" +version = "0.3.69" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2089b7e3f35b9dd2d0ed921ead4f6d318c27680d4a5bd167b3ee120edb105837" +dependencies = [ + "addr2line", + "cc", + "cfg-if", + "libc", + "miniz_oxide", + "object", + "rustc-demangle", +] + +[[package]] +name = "bitflags" +version = "1.3.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a" + +[[package]] +name = "bitflags" +version = "2.4.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ed570934406eb16438a4e976b1b4500774099c13b8cb96eec99f620f05090ddf" + +[[package]] +name = "block-buffer" +version = "0.10.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3078c7629b62d3f0439517fa394996acacc5cbc91c5a20d8c658e77abd503a71" +dependencies = [ + "generic-array", +] + +[[package]] +name = "bstr" +version = "1.9.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c48f0051a4b4c5e0b6d365cd04af53aeaa209e3cc15ec2cdb69e73cc87fbd0dc" +dependencies = [ + "memchr", + "regex-automata", + "serde", +] + +[[package]] +name = "bumpalo" +version = "3.15.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8ea184aa71bb362a1157c896979544cc23974e08fd265f29ea96b59f0b4a555b" + +[[package]] +name = "bytes" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a2bd12c1caf447e69cd4528f47f94d203fd2582878ecb9e9465484c4148a8223" + +[[package]] +name = "cc" +version = "1.0.86" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7f9fa1897e4325be0d68d48df6aa1a71ac2ed4d27723887e7754192705350730" + +[[package]] +name = "cfg-if" +version = "1.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" + +[[package]] +name = "chrono" +version = "0.4.34" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5bc015644b92d5890fab7489e49d21f879d5c990186827d42ec511919404f38b" +dependencies = [ + "android-tzdata", + "iana-time-zone", + "js-sys", + "num-traits", + "serde", + "wasm-bindgen", + "windows-targets 0.52.3", +] + +[[package]] +name = "clap" +version = "4.5.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c918d541ef2913577a0f9566e9ce27cb35b6df072075769e0b26cb5a554520da" +dependencies = [ + "clap_builder", + "clap_derive", +] + +[[package]] +name = "clap_builder" +version = "4.5.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9f3e7391dad68afb0c2ede1bf619f579a3dc9c2ec67f089baa397123a2f3d1eb" +dependencies = [ + "anstream", + "anstyle", + "clap_lex", + "strsim 0.11.0", +] + +[[package]] +name = "clap_derive" +version = "4.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "307bc0538d5f0f83b8248db3087aa92fe504e4691294d0c96c0eabc33f47ba47" +dependencies = [ + "heck", + "proc-macro2", + "quote", + "syn 2.0.50", +] + +[[package]] +name = "clap_lex" +version = "0.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "98cc8fbded0c607b7ba9dd60cd98df59af97e84d24e49c8557331cfc26d301ce" + +[[package]] +name = "colorchoice" +version = "1.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "acbf1af155f9b9ef647e42cdc158db4b64a1b61f743629225fde6f3e0be2a7c7" + +[[package]] +name = "core-foundation-sys" +version = "0.8.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "06ea2b9bc92be3c2baa9334a323ebca2d6f074ff852cd1d7b11064035cd3868f" + +[[package]] +name = "cpufeatures" +version = "0.2.12" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "53fe5e26ff1b7aef8bca9c6080520cfb8d9333c7568e1829cef191a9723e5504" +dependencies = [ + "libc", +] + +[[package]] +name = "crypto-common" +version = "0.1.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1bfb12502f3fc46cca1bb51ac28df9d618d813cdc3d2f25b9fe775a34af26bb3" +dependencies = [ + "generic-array", + "typenum", +] + +[[package]] +name = "darling" +version = "0.20.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3a5d17510e4a1a87f323de70b7b1eaac1ee0e37866c6720b2d279452d0edf389" +dependencies = [ + "darling_core", + "darling_macro", +] + +[[package]] +name = "darling_core" +version = "0.20.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a98eea36a7ff910fa751413d0895551143a8ea41d695d9798ec7d665df7f7f5e" +dependencies = [ + "fnv", + "ident_case", + "proc-macro2", + "quote", + "strsim 0.10.0", + "syn 2.0.50", +] + +[[package]] +name = "darling_macro" +version = "0.20.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d6a366a3f90c5d59a4b91169775f88e52e8f71a0e7804cc98a8db2932cf4ed57" +dependencies = [ + "darling_core", + "quote", + "syn 2.0.50", +] + +[[package]] +name = "deprecate-until" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7a3767f826efbbe5a5ae093920b58b43b01734202be697e1354914e862e8e704" +dependencies = [ + "proc-macro2", + "quote", + "semver", + "syn 2.0.50", +] + +[[package]] +name = "derivative" +version = "2.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fcc3dd5e9e9c0b295d6e1e4d811fb6f157d5ffd784b8d202fc62eac8035a770b" +dependencies = [ + "proc-macro2", + "quote", + "syn 1.0.109", +] + +[[package]] +name = "derive_builder" +version = "0.20.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0350b5cb0331628a5916d6c5c0b72e97393b8b6b03b47a9284f4e7f5a405ffd7" +dependencies = [ + "derive_builder_macro", +] + +[[package]] +name = "derive_builder_core" +version = "0.20.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d48cda787f839151732d396ac69e3473923d54312c070ee21e9effcaa8ca0b1d" +dependencies = [ + "darling", + "proc-macro2", + "quote", + "syn 2.0.50", +] + +[[package]] +name = "derive_builder_macro" +version = "0.20.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "206868b8242f27cecce124c19fd88157fbd0dd334df2587f36417bafbc85097b" +dependencies = [ + "derive_builder_core", + "syn 2.0.50", +] + +[[package]] +name = "difflib" +version = "0.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6184e33543162437515c2e2b48714794e37845ec9851711914eec9d308f6ebe8" + +[[package]] +name = "digest" +version = "0.10.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9ed9a281f7bc9b7576e61468ba615a66a5c8cfdff42420a70aa82701a3b1e292" +dependencies = [ + "block-buffer", + "crypto-common", +] + +[[package]] +name = "doc-comment" +version = "0.3.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fea41bba32d969b513997752735605054bc0dfa92b4c56bf1189f2e174be7a10" + +[[package]] +name = "dyn-clone" +version = "1.0.16" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "545b22097d44f8a9581187cdf93de7a71e4722bf51200cfaba810865b49a495d" + +[[package]] +name = "equivalent" +version = "1.0.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5443807d6dff69373d433ab9ef5378ad8df50ca6298caf15de6e52e24aaf54d5" + +[[package]] +name = "errno" +version = "0.3.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a258e46cdc063eb8519c00b9fc845fc47bcfca4130e2f08e88665ceda8474245" +dependencies = [ + "libc", + "windows-sys 0.52.0", +] + +[[package]] +name = "fastrand" +version = "2.0.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "25cbce373ec4653f1a01a31e8a5e5ec0c622dc27ff9c4e6606eefef5cbbed4a5" + +[[package]] +name = "fixedbitset" +version = "0.4.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0ce7134b9999ecaf8bcd65542e436736ef32ddca1b3e06094cb6ec5755203b80" + +[[package]] +name = "fnv" +version = "1.0.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1" + +[[package]] +name = "generic-array" +version = "0.14.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a" +dependencies = [ + "typenum", + "version_check", +] + +[[package]] +name = "getopts" +version = "0.2.21" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "14dbbfd5c71d70241ecf9e6f13737f7b5ce823821063188d7e46c41d371eebd5" +dependencies = [ + "unicode-width", +] + +[[package]] +name = "getrandom" +version = "0.2.12" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "190092ea657667030ac6a35e305e62fc4dd69fd98ac98631e5d3a2b1575a12b5" +dependencies = [ + "cfg-if", + "libc", + "wasi", +] + +[[package]] +name = "gimli" +version = "0.28.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4271d37baee1b8c7e4b708028c57d816cf9d2434acb33a549475f78c181f6253" + +[[package]] +name = "hashbrown" +version = "0.14.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "290f1a1d9242c78d09ce40a5e87e7554ee637af1351968159f4952f028f75604" + +[[package]] +name = "heck" +version = "0.4.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "95505c38b4572b2d910cecb0281560f54b440a19336cbbcb27bf6ce6adc6f5a8" + +[[package]] +name = "hermit-abi" +version = "0.3.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bd5256b483761cd23699d0da46cc6fd2ee3be420bbe6d020ae4a091e70b7e9fd" + +[[package]] +name = "iana-time-zone" +version = "0.1.60" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e7ffbb5a1b541ea2561f8c41c087286cc091e21e556a4f09a8f6cbf17b69b141" +dependencies = [ + "android_system_properties", + "core-foundation-sys", + "iana-time-zone-haiku", + "js-sys", + "wasm-bindgen", + "windows-core", +] + +[[package]] +name = "iana-time-zone-haiku" +version = "0.1.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f31827a206f56af32e590ba56d5d2d085f558508192593743f16b2306495269f" +dependencies = [ + "cc", +] + +[[package]] +name = "ident_case" +version = "1.0.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b9e0384b61958566e926dc50660321d12159025e767c18e043daf26b70104c39" + +[[package]] +name = "indexmap" +version = "2.2.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "233cf39063f058ea2caae4091bf4a3ef70a653afbc026f5c4a4135d114e3c177" +dependencies = [ + "equivalent", + "hashbrown", +] + +[[package]] +name = "integer-sqrt" +version = "0.1.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "276ec31bcb4a9ee45f58bec6f9ec700ae4cf4f4f8f2fa7e06cb406bd5ffdd770" +dependencies = [ + "num-traits", +] + +[[package]] +name = "itoa" +version = "1.0.10" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b1a46d1a171d865aa5f83f92695765caa047a9b4cbae2cbf37dbd613a793fd4c" + +[[package]] +name = "js-sys" +version = "0.3.68" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "406cda4b368d531c842222cf9d2600a9a4acce8d29423695379c6868a143a9ee" +dependencies = [ + "wasm-bindgen", +] + +[[package]] +name = "json-schema-diff" +version = "0.1.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3dd0265effd06eb4c3b018b88c74464cd955ff3e56926534ed8cf1a7f11760ac" +dependencies = [ + "pathfinding", + "schemars", + "serde", + "serde_json", + "thiserror", +] + +[[package]] +name = "lazy_static" +version = "1.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646" + +[[package]] +name = "libc" +version = "0.2.153" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9c198f91728a82281a64e1f4f9eeb25d82cb32a5de251c6bd1b5154d63a8e7bd" + +[[package]] +name = "linux-raw-sys" +version = "0.4.13" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "01cda141df6706de531b6c46c3a33ecca755538219bd484262fa09410c13539c" + +[[package]] +name = "lock_api" +version = "0.4.11" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3c168f8615b12bc01f9c17e2eb0cc07dcae1940121185446edc3744920e8ef45" +dependencies = [ + "autocfg", + "scopeguard", +] + +[[package]] +name = "log" +version = "0.4.20" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b5e6163cb8c49088c2c36f57875e58ccd8c87c7427f7fbd50ea6710b2f3f2e8f" + +[[package]] +name = "memchr" +version = "2.7.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "523dc4f511e55ab87b694dc30d0f820d60906ef06413f93d4d7a1385599cc149" + +[[package]] +name = "miniz_oxide" +version = "0.7.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9d811f3e15f28568be3407c8e7fdb6514c1cda3cb30683f15b6a1a1dc4ea14a7" +dependencies = [ + "adler", +] + +[[package]] +name = "mio" +version = "0.8.10" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8f3d0b296e374a4e6f3c7b0a1f5a51d748a0d34c85e7dc48fc3fa9a87657fe09" +dependencies = [ + "libc", + "wasi", + "windows-sys 0.48.0", +] + +[[package]] +name = "num-traits" +version = "0.2.18" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "da0df0e5185db44f69b44f26786fe401b6c293d1907744beaa7fa62b2e5a517a" +dependencies = [ + "autocfg", +] + +[[package]] +name = "num_cpus" +version = "1.16.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4161fcb6d602d4d2081af7c3a45852d875a03dd337a6bfdd6e06407b61342a43" +dependencies = [ + "hermit-abi", + "libc", +] + +[[package]] +name = "object" +version = "0.32.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a6a622008b6e321afc04970976f62ee297fdbaa6f95318ca343e3eebb9648441" +dependencies = [ + "memchr", +] + +[[package]] +name = "once_cell" +version = "1.19.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3fdb12b2476b595f9358c5161aa467c2438859caa136dec86c26fdd2efe17b92" + +[[package]] +name = "parking_lot" +version = "0.12.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3742b2c103b9f06bc9fff0a37ff4912935851bee6d36f3c02bcc755bcfec228f" +dependencies = [ + "lock_api", + "parking_lot_core", +] + +[[package]] +name = "parking_lot_core" +version = "0.9.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4c42a9226546d68acdd9c0a280d17ce19bfe27a46bf68784e4066115788d008e" +dependencies = [ + "cfg-if", + "libc", + "redox_syscall", + "smallvec", + "windows-targets 0.48.5", +] + +[[package]] +name = "pathfinding" +version = "4.9.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f0a21c30f03223ae4a4c892f077b3189133689b8a659a84372f8422384ce94c9" +dependencies = [ + "deprecate-until", + "fixedbitset", + "indexmap", + "integer-sqrt", + "num-traits", + "rustc-hash", + "thiserror", +] + +[[package]] +name = "pin-project-lite" +version = "0.2.13" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8afb450f006bf6385ca15ef45d71d2288452bc3683ce2e2cacc0d18e4be60b58" + +[[package]] +name = "ppv-lite86" +version = "0.2.17" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5b40af805b3121feab8a3c29f04d8ad262fa8e0561883e7653e024ae4479e6de" + +[[package]] +name = "predicates" +version = "3.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "68b87bfd4605926cdfefc1c3b5f8fe560e3feca9d5552cf68c466d3d8236c7e8" +dependencies = [ + "anstyle", + "difflib", + "predicates-core", +] + +[[package]] +name = "predicates-core" +version = "1.0.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b794032607612e7abeb4db69adb4e33590fa6cf1149e95fd7cb00e634b92f174" + +[[package]] +name = "predicates-tree" +version = "1.0.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "368ba315fb8c5052ab692e68a0eefec6ec57b23a36959c14496f0b0df2c0cecf" +dependencies = [ + "predicates-core", + "termtree", +] + +[[package]] +name = "prettyplease" +version = "0.2.16" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a41cf62165e97c7f814d2221421dbb9afcbcdb0a88068e5ea206e19951c2cbb5" +dependencies = [ + "proc-macro2", + "syn 2.0.50", +] + +[[package]] +name = "proc-macro2" +version = "1.0.78" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e2422ad645d89c99f8f3e6b88a9fdeca7fabeac836b1002371c4367c8f984aae" +dependencies = [ + "unicode-ident", +] + +[[package]] +name = "pulldown-cmark" +version = "0.10.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "dce76ce678ffc8e5675b22aa1405de0b7037e2fdf8913fea40d1926c6fe1e6e7" +dependencies = [ + "bitflags 2.4.2", + "getopts", + "memchr", + "pulldown-cmark-escape", + "unicase", +] + +[[package]] +name = "pulldown-cmark-escape" +version = "0.10.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d5d8f9aa0e3cbcfaf8bf00300004ee3b72f74770f9cbac93f6928771f613276b" + +[[package]] +name = "quote" +version = "1.0.35" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "291ec9ab5efd934aaf503a6466c5d5251535d108ee747472c3977cc5acc868ef" +dependencies = [ + "proc-macro2", +] + +[[package]] +name = "rand" +version = "0.8.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404" +dependencies = [ + "libc", + "rand_chacha", + "rand_core", +] + +[[package]] +name = "rand_chacha" +version = "0.3.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88" +dependencies = [ + "ppv-lite86", + "rand_core", +] + +[[package]] +name = "rand_core" +version = "0.6.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ec0be4795e2f6a28069bec0b5ff3e2ac9bafc99e6a9a7dc3547996c5c816922c" +dependencies = [ + "getrandom", +] + +[[package]] +name = "redox_syscall" +version = "0.4.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4722d768eff46b75989dd134e5c353f0d6296e5aaa3132e776cbdb56be7731aa" +dependencies = [ + "bitflags 1.3.2", +] + +[[package]] +name = "regex" +version = "1.10.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b62dbe01f0b06f9d8dc7d49e05a0785f153b00b2c227856282f671e0318c9b15" +dependencies = [ + "aho-corasick", + "memchr", + "regex-automata", + "regex-syntax", +] + +[[package]] +name = "regex-automata" +version = "0.4.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5bb987efffd3c6d0d8f5f89510bb458559eab11e4f869acb20bf845e016259cd" +dependencies = [ + "aho-corasick", + "memchr", + "regex-syntax", +] + +[[package]] +name = "regex-syntax" +version = "0.8.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c08c74e62047bb2de4ff487b251e4a92e24f48745648451635cec7d591162d9f" + +[[package]] +name = "roscal_cli" +version = "0.1.0" +dependencies = [ + "anyhow", + "assert_cmd", + "chrono", + "clap", + "iana-time-zone", + "rand", + "roscal_lib", + "serde", + "serde_json", + "serde_yaml", + "sha2", + "strum", + "tempfile", + "thiserror", + "tokio", + "walkdir", +] + +[[package]] +name = "roscal_lib" +version = "0.1.0" +dependencies = [ + "chrono", + "derivative", + "derive_builder", + "json-schema-diff", + "lazy_static", + "prettyplease", + "proc-macro2", + "pulldown-cmark", + "quote", + "regex", + "serde", + "serde_json", + "serde_yaml", + "strum", + "syn 2.0.50", + "uriparse", + "uuid", +] + +[[package]] +name = "rustc-demangle" +version = "0.1.23" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d626bb9dae77e28219937af045c257c28bfd3f69333c512553507f5f9798cb76" + +[[package]] +name = "rustc-hash" +version = "1.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "08d43f7aa6b08d49f382cde6a7982047c3426db949b1424bc4b7ec9ae12c6ce2" + +[[package]] +name = "rustix" +version = "0.38.31" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6ea3e1a662af26cd7a3ba09c0297a31af215563ecf42817c98df621387f4e949" +dependencies = [ + "bitflags 2.4.2", + "errno", + "libc", + "linux-raw-sys", + "windows-sys 0.52.0", +] + +[[package]] +name = "rustversion" +version = "1.0.14" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7ffc183a10b4478d04cbbbfc96d0873219d962dd5accaff2ffbd4ceb7df837f4" + +[[package]] +name = "ryu" +version = "1.0.17" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e86697c916019a8588c99b5fac3cead74ec0b4b819707a682fd4d23fa0ce1ba1" + +[[package]] +name = "same-file" +version = "1.0.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "93fc1dc3aaa9bfed95e02e6eadabb4baf7e3078b0bd1b4d7b6b0b68378900502" +dependencies = [ + "winapi-util", +] + +[[package]] +name = "schemars" +version = "0.8.16" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "45a28f4c49489add4ce10783f7911893516f15afe45d015608d41faca6bc4d29" +dependencies = [ + "dyn-clone", + "serde", + "serde_json", +] + +[[package]] +name = "scopeguard" +version = "1.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49" + +[[package]] +name = "semver" +version = "1.0.22" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "92d43fe69e652f3df9bdc2b85b2854a0825b86e4fb76bc44d945137d053639ca" + +[[package]] +name = "serde" +version = "1.0.197" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3fb1c873e1b9b056a4dc4c0c198b24c3ffa059243875552b2bd0933b1aee4ce2" +dependencies = [ + "serde_derive", +] + +[[package]] +name = "serde_derive" +version = "1.0.197" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7eb0b34b42edc17f6b7cac84a52a1c5f0e1bb2227e997ca9011ea3dd34e8610b" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.50", +] + +[[package]] +name = "serde_json" +version = "1.0.114" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c5f09b1bd632ef549eaa9f60a1f8de742bdbc698e6cee2095fc84dde5f549ae0" +dependencies = [ + "indexmap", + "itoa", + "ryu", + "serde", +] + +[[package]] +name = "serde_yaml" +version = "0.9.32" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8fd075d994154d4a774f95b51fb96bdc2832b0ea48425c92546073816cda1f2f" +dependencies = [ + "indexmap", + "itoa", + "ryu", + "serde", + "unsafe-libyaml", +] + +[[package]] +name = "sha1_smol" +version = "1.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ae1a47186c03a32177042e55dbc5fd5aee900b8e0069a8d70fba96a9375cd012" + +[[package]] +name = "sha2" +version = "0.10.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "793db75ad2bcafc3ffa7c68b215fee268f537982cd901d132f89c6343f3a3dc8" +dependencies = [ + "cfg-if", + "cpufeatures", + "digest", +] + +[[package]] +name = "signal-hook-registry" +version = "1.4.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d8229b473baa5980ac72ef434c4415e70c4b5e71b423043adb4ba059f89c99a1" +dependencies = [ + "libc", +] + +[[package]] +name = "smallvec" +version = "1.13.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e6ecd384b10a64542d77071bd64bd7b231f4ed5940fba55e98c3de13824cf3d7" + +[[package]] +name = "socket2" +version = "0.5.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7b5fac59a5cb5dd637972e5fca70daf0523c9067fcdc4842f053dae04a18f8e9" +dependencies = [ + "libc", + "windows-sys 0.48.0", +] + +[[package]] +name = "strsim" +version = "0.10.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "73473c0e59e6d5812c5dfe2a064a6444949f089e20eec9a2e5506596494e4623" + +[[package]] +name = "strsim" +version = "0.11.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5ee073c9e4cd00e28217186dbe12796d692868f432bf2e97ee73bed0c56dfa01" + +[[package]] +name = "strum" +version = "0.26.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "723b93e8addf9aa965ebe2d11da6d7540fa2283fcea14b3371ff055f7ba13f5f" +dependencies = [ + "strum_macros", +] + +[[package]] +name = "strum_macros" +version = "0.26.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7a3417fc93d76740d974a01654a09777cb500428cc874ca9f45edfe0c4d4cd18" +dependencies = [ + "heck", + "proc-macro2", + "quote", + "rustversion", + "syn 2.0.50", +] + +[[package]] +name = "syn" +version = "1.0.109" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "72b64191b275b66ffe2469e8af2c1cfe3bafa67b529ead792a6d0160888b4237" +dependencies = [ + "proc-macro2", + "quote", + "unicode-ident", +] + +[[package]] +name = "syn" +version = "2.0.50" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "74f1bdc9872430ce9b75da68329d1c1746faf50ffac5f19e02b71e37ff881ffb" +dependencies = [ + "proc-macro2", + "quote", + "unicode-ident", +] + +[[package]] +name = "tempfile" +version = "3.10.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a365e8cd18e44762ef95d87f284f4b5cd04107fec2ff3052bd6a3e6069669e67" +dependencies = [ + "cfg-if", + "fastrand", + "rustix", + "windows-sys 0.52.0", +] + +[[package]] +name = "termtree" +version = "0.4.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3369f5ac52d5eb6ab48c6b4ffdc8efbcad6b89c765749064ba298f2c68a16a76" + +[[package]] +name = "thiserror" +version = "1.0.57" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1e45bcbe8ed29775f228095caf2cd67af7a4ccf756ebff23a306bf3e8b47b24b" +dependencies = [ + "thiserror-impl", +] + +[[package]] +name = "thiserror-impl" +version = "1.0.57" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a953cb265bef375dae3de6663da4d3804eee9682ea80d8e2542529b73c531c81" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.50", +] + +[[package]] +name = "tokio" +version = "1.36.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "61285f6515fa018fb2d1e46eb21223fff441ee8db5d0f1435e8ab4f5cdb80931" +dependencies = [ + "backtrace", + "bytes", + "libc", + "mio", + "num_cpus", + "parking_lot", + "pin-project-lite", + "signal-hook-registry", + "socket2", + "tokio-macros", + "windows-sys 0.48.0", +] + +[[package]] +name = "tokio-macros" +version = "2.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5b8a1e28f2deaa14e508979454cb3a223b10b938b45af148bc0986de36f1923b" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.50", +] + +[[package]] +name = "typenum" +version = "1.17.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "42ff0bf0c66b8238c6f3b578df37d0b7848e55df8577b3f74f92a69acceeb825" + +[[package]] +name = "unicase" +version = "2.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f7d2d4dafb69621809a81864c9c1b864479e1235c0dd4e199924b9742439ed89" +dependencies = [ + "version_check", +] + +[[package]] +name = "unicode-ident" +version = "1.0.12" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3354b9ac3fae1ff6755cb6db53683adb661634f67557942dea4facebec0fee4b" + +[[package]] +name = "unicode-width" +version = "0.1.11" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e51733f11c9c4f72aa0c160008246859e340b00807569a0da0e7a1079b27ba85" + +[[package]] +name = "unsafe-libyaml" +version = "0.2.10" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ab4c90930b95a82d00dc9e9ac071b4991924390d46cbd0dfe566148667605e4b" + +[[package]] +name = "uriparse" +version = "0.6.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0200d0fc04d809396c2ad43f3c95da3582a2556eba8d453c1087f4120ee352ff" +dependencies = [ + "fnv", + "lazy_static", +] + +[[package]] +name = "utf8parse" +version = "0.2.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "711b9620af191e0cdc7468a8d14e709c3dcdb115b36f838e601583af800a370a" + +[[package]] +name = "uuid" +version = "1.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f00cc9702ca12d3c81455259621e676d0f7251cec66a21e98fe2e9a37db93b2a" +dependencies = [ + "getrandom", + "rand", + "serde", + "sha1_smol", +] + +[[package]] +name = "version_check" +version = "0.9.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "49874b5167b65d7193b8aba1567f5c7d93d001cafc34600cee003eda787e483f" + +[[package]] +name = "wait-timeout" +version = "0.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9f200f5b12eb75f8c1ed65abd4b2db8a6e1b138a20de009dacee265a2498f3f6" +dependencies = [ + "libc", +] + +[[package]] +name = "walkdir" +version = "2.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d71d857dc86794ca4c280d616f7da00d2dbfd8cd788846559a6813e6aa4b54ee" +dependencies = [ + "same-file", + "winapi-util", +] + +[[package]] +name = "wasi" +version = "0.11.0+wasi-snapshot-preview1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423" + +[[package]] +name = "wasm-bindgen" +version = "0.2.91" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c1e124130aee3fb58c5bdd6b639a0509486b0338acaaae0c84a5124b0f588b7f" +dependencies = [ + "cfg-if", + "wasm-bindgen-macro", +] + +[[package]] +name = "wasm-bindgen-backend" +version = "0.2.91" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c9e7e1900c352b609c8488ad12639a311045f40a35491fb69ba8c12f758af70b" +dependencies = [ + "bumpalo", + "log", + "once_cell", + "proc-macro2", + "quote", + "syn 2.0.50", + "wasm-bindgen-shared", +] + +[[package]] +name = "wasm-bindgen-macro" +version = "0.2.91" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b30af9e2d358182b5c7449424f017eba305ed32a7010509ede96cdc4696c46ed" +dependencies = [ + "quote", + "wasm-bindgen-macro-support", +] + +[[package]] +name = "wasm-bindgen-macro-support" +version = "0.2.91" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "642f325be6301eb8107a83d12a8ac6c1e1c54345a7ef1a9261962dfefda09e66" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.50", + "wasm-bindgen-backend", + "wasm-bindgen-shared", +] + +[[package]] +name = "wasm-bindgen-shared" +version = "0.2.91" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4f186bd2dcf04330886ce82d6f33dd75a7bfcf69ecf5763b89fcde53b6ac9838" + +[[package]] +name = "winapi" +version = "0.3.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419" +dependencies = [ + "winapi-i686-pc-windows-gnu", + "winapi-x86_64-pc-windows-gnu", +] + +[[package]] +name = "winapi-i686-pc-windows-gnu" +version = "0.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6" + +[[package]] +name = "winapi-util" +version = "0.1.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f29e6f9198ba0d26b4c9f07dbe6f9ed633e1f3d5b8b414090084349e46a52596" +dependencies = [ + "winapi", +] + +[[package]] +name = "winapi-x86_64-pc-windows-gnu" +version = "0.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f" + +[[package]] +name = "windows-core" +version = "0.52.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "33ab640c8d7e35bf8ba19b884ba838ceb4fba93a4e8c65a9059d08afcfc683d9" +dependencies = [ + "windows-targets 0.52.3", +] + +[[package]] +name = "windows-sys" +version = "0.48.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "677d2418bec65e3338edb076e806bc1ec15693c5d0104683f2efe857f61056a9" +dependencies = [ + "windows-targets 0.48.5", +] + +[[package]] +name = "windows-sys" +version = "0.52.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "282be5f36a8ce781fad8c8ae18fa3f9beff57ec1b52cb3de0789201425d9a33d" +dependencies = [ + "windows-targets 0.52.3", +] + +[[package]] +name = "windows-targets" +version = "0.48.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9a2fa6e2155d7247be68c096456083145c183cbbbc2764150dda45a87197940c" +dependencies = [ + "windows_aarch64_gnullvm 0.48.5", + "windows_aarch64_msvc 0.48.5", + "windows_i686_gnu 0.48.5", + "windows_i686_msvc 0.48.5", + "windows_x86_64_gnu 0.48.5", + "windows_x86_64_gnullvm 0.48.5", + "windows_x86_64_msvc 0.48.5", +] + +[[package]] +name = "windows-targets" +version = "0.52.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d380ba1dc7187569a8a9e91ed34b8ccfc33123bbacb8c0aed2d1ad7f3ef2dc5f" +dependencies = [ + "windows_aarch64_gnullvm 0.52.3", + "windows_aarch64_msvc 0.52.3", + "windows_i686_gnu 0.52.3", + "windows_i686_msvc 0.52.3", + "windows_x86_64_gnu 0.52.3", + "windows_x86_64_gnullvm 0.52.3", + "windows_x86_64_msvc 0.52.3", +] + +[[package]] +name = "windows_aarch64_gnullvm" +version = "0.48.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2b38e32f0abccf9987a4e3079dfb67dcd799fb61361e53e2882c3cbaf0d905d8" + +[[package]] +name = "windows_aarch64_gnullvm" +version = "0.52.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "68e5dcfb9413f53afd9c8f86e56a7b4d86d9a2fa26090ea2dc9e40fba56c6ec6" + +[[package]] +name = "windows_aarch64_msvc" +version = "0.48.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "dc35310971f3b2dbbf3f0690a219f40e2d9afcf64f9ab7cc1be722937c26b4bc" + +[[package]] +name = "windows_aarch64_msvc" +version = "0.52.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8dab469ebbc45798319e69eebf92308e541ce46760b49b18c6b3fe5e8965b30f" + +[[package]] +name = "windows_i686_gnu" +version = "0.48.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a75915e7def60c94dcef72200b9a8e58e5091744960da64ec734a6c6e9b3743e" + +[[package]] +name = "windows_i686_gnu" +version = "0.52.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2a4e9b6a7cac734a8b4138a4e1044eac3404d8326b6c0f939276560687a033fb" + +[[package]] +name = "windows_i686_msvc" +version = "0.48.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8f55c233f70c4b27f66c523580f78f1004e8b5a8b659e05a4eb49d4166cca406" + +[[package]] +name = "windows_i686_msvc" +version = "0.52.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "28b0ec9c422ca95ff34a78755cfa6ad4a51371da2a5ace67500cf7ca5f232c58" + +[[package]] +name = "windows_x86_64_gnu" +version = "0.48.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "53d40abd2583d23e4718fddf1ebec84dbff8381c07cae67ff7768bbf19c6718e" + +[[package]] +name = "windows_x86_64_gnu" +version = "0.52.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "704131571ba93e89d7cd43482277d6632589b18ecf4468f591fbae0a8b101614" + +[[package]] +name = "windows_x86_64_gnullvm" +version = "0.48.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0b7b52767868a23d5bab768e390dc5f5c55825b6d30b86c844ff2dc7414044cc" + +[[package]] +name = "windows_x86_64_gnullvm" +version = "0.52.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "42079295511643151e98d61c38c0acc444e52dd42ab456f7ccfd5152e8ecf21c" + +[[package]] +name = "windows_x86_64_msvc" +version = "0.48.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ed94fce61571a4006852b7389a063ab983c02eb1bb37b47f8272ce92d06d9538" + +[[package]] +name = "windows_x86_64_msvc" +version = "0.52.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0770833d60a970638e989b3fa9fd2bb1aaadcf88963d1659fd7d9990196ed2d6" diff --git a/Cargo.toml b/Cargo.toml new file mode 100644 index 0000000..99a87ef --- /dev/null +++ b/Cargo.toml @@ -0,0 +1,28 @@ +[workspace] +resolver = "2" +members = ["roscal_lib", "roscal_cli"] + +# Config for 'cargo dist' +[workspace.metadata.dist] +# The preferred cargo-dist version to use in CI (Cargo.toml SemVer syntax) +cargo-dist-version = "0.10.0" +# CI backends to support +ci = ["github"] +# The installers to generate for each app +installers = [] +# Target platforms to build apps for (Rust target-triple syntax) +targets = ["aarch64-apple-darwin", "x86_64-apple-darwin", "x86_64-unknown-linux-gnu"] +# Publish jobs to run in CI +pr-run-mode = "plan" +allow-dirty = ["ci"] + +[profile.release] +lto = true +strip = true +opt-level = 2 +panic = 'abort' + +# The profile that 'cargo dist' will build with +[profile.dist] +inherits = "release" +lto = "thin" diff --git a/LICENSE b/LICENSE-APACHE similarity index 99% rename from LICENSE rename to LICENSE-APACHE index 261eeb9..7b0bd5e 100644 --- a/LICENSE +++ b/LICENSE-APACHE @@ -186,7 +186,7 @@ same "printed page" as the copyright notice for easier identification within third-party archives. - Copyright [yyyy] [name of copyright owner] + Copyright [2024] [Geoffrey Borough ] Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -198,4 +198,4 @@ distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and - limitations under the License. + limitations under the License. \ No newline at end of file diff --git a/LICENSE-MIT b/LICENSE-MIT new file mode 100644 index 0000000..29e6e26 --- /dev/null +++ b/LICENSE-MIT @@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2024 Geoffrey Borough + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/README.md b/README.md index d44f119..2b8d841 100644 --- a/README.md +++ b/README.md @@ -1,2 +1,262 @@ -# roscal -Open Security Controls Assessment Language Toolbox +# roscal: Open Security Controls Assessment Language Toolbox + +## Introduction + +This project aims to build a collection of toolings and libraries for +Open Security Controls Assessment Language(OSCAL) developed by NIST in +the Rust programming language ecosystem. One main focus of this project +is to extend the capabilities of OSCAL model building via automated +data gathering and seemless interactions that target a variety of systems, +tasks such as gathering data from telemetry points, CI/CD pipelines, cloud +infrastructures, version control systems etc. System implementations that rely +on the security and control specification from OSCAL models should form a +tight feedback loop where evolving and relevant data also guides the process +of producing and updating the models themselves in an automated fashion, thus +allowing continuous security enforcement and better visibility into one's +security posture. + +One major motivation for this project is to build toolings that are intended +to be used in environments where certain security mandates must be adhere to. +There are unique advantages in using Rust not only for its memory and type safety +characteristics, but also minimal system dependencies and high agility when +it comes to efforts related to automation and integration in these environments. +Most of the time this can be done by simply embedding and running a single binary +or a lean containerised workload throughout. + +The goals and focuses of subsequent development efforts can be found here: + +https://github.com/gborough/roscal/blob/main/ROADMAP.md + +## Components + +The first iteration of this project contains two major components: + +- roscal_lib: A library with referential implementation of the OSCAL models, which +aims to always track the latest OSCAL standard and primarily support roscal_cli +and the building of OSCAL modela programmatically in Rust. + +- roscal_cli: A command line tool for OSCAL model file manipulation, including +but not limited to model file dissection, inspection, editing, merging and +validation etc. + +## Downloads + +Latest CLI Tool Releases: + +## CLI User Manual + +### roscal-cli + +Run: ```roscal --help``` to see available options + +``` +Cli Tool For Manipulating OSCAL Model File + +Usage: roscal + +Commands: + dissect Dissect OSCAL model file and generate a workspace for viewing and editing + Full Example: + roscal dissect --file /dir/catalog.json + --model Catalog + --blocks controls,groups + --output-dir /home/workspace + --parse-markup + merge Merge existing worspace and generate new OSCAL model file + Full Example: + roscal merge --dir /dir/existing_workspace + --output-dir /dir/merged + --output-format yaml + --update-uuid v4 + validate Validate a specific type of OSCAL model file + Full Example: + roscal validate --file /dir/catalog.json + --model Catalog + show-dissect Show available models and blocks for dissect operation + help Print this message or the help of the given subcommand(s) + +Options: + -h, --help Print help + -V, --version Print version +``` + +#### Dissect Option + +The dissect option takes an OSCAL model file and generates a workspace where +a user could operate on the dissected model file into specified blocks inside +a folder named ```modifiable```, this allows the blocks to be easily inspected +and edited so that it could be later merged to produce a new file. Everything is +in YAML format for easy reading and editing. + +Highly recommend to pass in ```--blocks all``` option for the easiest and most +versatile way of editing the entire model file. + +Take care not to modified anything outside the modifiable folder as it might alter +the integrity of the workspace. + +``` +Dissect OSCAL model file and generate a workspace for viewing and editing +Full Example: +roscal dissect --file /dir/catalog.json +--model Catalog +--blocks controls,groups +--output-dir /home/workspace +--parse-markup + +Usage: roscal dissect [OPTIONS] --file --model + +Options: + --file Location of the OSCAL model file + --model Specifiy which OSCAL model to be processed + Run `roscal show-dissect` for available models + --blocks ... Specifiy which blocks to be dissected + Duplicate blocks will be combined + Run `roscal show-dissect` for available blocks + --output-dir Specify where dissect workspace should be created + Optional. Will use current directory if unspecified + --parse-markup Whether to parse markup lines + Currently experimental feature + see https://pages.nist.gov/metaschema/specification/datatypes/#markup-data-types + -h, --help Print help +``` + +#### Merge Option + +The merge options takes an existing workspace generated by the dissect command +and reconstitute its content to produce a new model file with specified output format. +It can also optional update the toplevel uuid should the content differs from the +original one. + +Highly recommend to always pass in ```--output-dir``` for clear separation of the +original and generated. + +Caveat: Currently ```--update-uuid``` only update UUIDs in core types but not recursively +for all eligible UUID fields. This feature will be made available in future releases. + +``` +Merge existing worspace and generate new OSCAL model file +Full Example: +roscal merge --dir /dir/existing_workspace +--output-dir /dir/merged +--output-format yaml +--update-uuid v4 + +Usage: roscal merge [OPTIONS] --output-format + +Options: + --dir Location of existing workspace created by dissect operation + Optional. Can be run directly in existing workspace + --output-dir Specify where merged file should be created + Optional. Can be run directly in existing workspace + --output-format Options: json or yaml + --update-uuid Options: v4 or v5 (as in uuid version) + Optional. No-op if model unchanged or uuid manually updated + -h, --help Print help +``` + +#### Validate Option + +The validate option takes an OSCAL model file and validate against the specified model + +``` +Validate a specific type of OSCAL model file +Full Example: +roscal validate --file /dir/catalog.json +--model Catalog + +Usage: roscal validate --file --model + +Options: + --file Location of OSCAL model file + --model Model type of OSCAL model file + Run `roscal show-dissect` for available models + -h, --help Print help +``` + +#### Show-Dissect Option + +The show-dissect option compliments the dissect option and display all available +models and blocks options to be passed in. + +Run ```roscal show-dissect``` if unsure which models/blocks names available to use + +``` +Show available models and blocks for dissect operation + +Usage: roscal show-dissect + +Options: + -h, --help Print help +``` + +### OSCAL Library + +The roscal library adopts the builder pattern to programmatically build OSCAL +model files. You can find the official documentation here: + + + +Example of building a minimal Catalog model: + +```toml +[dependencies] +roscal = "0.1.0" +uuid = { version = "1.6.1", features = ["v4"] } +chrono = { version = "0.4.31", features = ["serde"] } +``` + +```rust +use roscal_lib::control::catalog::{self, CatalogBuilder, CatalogClassBuilder}; + +fn builder() { + let mut catalog_builder = CatalogBuilder::default(); + let mut catalog_class_builder = CatalogClassBuilder::default(); + + let uuid = uuid::Uuid::new_v4().to_string(); + let last_modified = chrono::DateTime::parse_from_rfc3339("2023-12-31T23:59:59Z") + .unwrap().to_string(); + let metadata = catalog::DocumentMetadataBuilder::default() + .version("1") + .title("catalog") + .oscal_version("1.0.0") + .last_modified(last_modified) + .build() + .expect("unable to build metadata"); + + let catalog_class = catalog_class_builder + .uuid(uuid) + .metadata(metadata) + .build() + .expect("unable to build catalog class"); + let catalog = catalog_builder + .catalog(catalog_class) + .build() + .expect("unable to build catalog"); + + println!("{catalog}") +} +``` + +## Build Instruction + +The roscal library relies on ```quicktype``` to generate Rust structs and then +manipulated the Rust abstract syntax tree to derive various properties. To build +project locally, it's highly recommended to install quicktype via ```npm install -g quicktype``` +before running ```cargo build```, if you have npm available on your OS. + +If you are using nix and have flake enabled, simply run ```nix build```. + +Note: Build under Windows is currently broken due to open issue https://github.com/glideapps/quicktype/issues/1113. Workaround is being worked on at the moment. + +## License + +This project is licensed under dual MIT and Apache 2.0 licenses. + +[MIT license]: https://github.com/gborough/roscal/blob/main/LICENSE-MIT +[APACHE license]: https://github.com/gborough/roscal/blob/main/LICENSE-APACHE + +## Contribution + +Unless you explicitly state otherwise, any contribution intentionally submitted +for inclusion in roscal by you, shall be licensed as MIT or Apache 2.0, without +any additional terms or conditions. \ No newline at end of file diff --git a/ROADMAP.md b/ROADMAP.md new file mode 100644 index 0000000..9249bd0 --- /dev/null +++ b/ROADMAP.md @@ -0,0 +1,59 @@ +# Roadmap And Goals + +If you would like to see your ideas and suggestions getting implemented, please +feel free to make a PR to the roadmap, let's get the conversation started. Any +contributions to the code base are welcome! + +## Immediate Term + +### Conversion and Normalisation + +There is a vast swathe of specialised security toolings such as DAST, SAST, +SCA, various scanners, audit and compliance checkers etc, each producing their +own data schemas and output formats. As the adoption of OSCAL keeps rising, +undoubtedly it will become one of the primary means of documenting and asserting +security controls. How are we going to convert existing data format to OSCAL +in a relevant and standardised way is one of the first set of problems that +need to be addressed urgently, e.g. ingesting data output such as Sarif, Snyk, +SonarQube, Jfrog XRay and produce risk related blocks for Assessment Results, +or how to parse Splunk output and build observation related blocks for Plan of +Action and Milestones? These points are yet to be answered and warrants the +following actions to be taken: + +- Liaise with companies that build these toolings and open up discussions on +normalisation of data +- Obtain advice and feedback from OSCAL end users on what they like to be +implemented, find common ground amongst use cases that can be generalised and +perhaps one day to be standardised +- Build bespoke conversion and normalisation solutions for OSCAL end users and +seek public feedback. Please free free to reach out if your organisation have +such needs + +### Library and CLI +- Support recursive uuid update for all data types(Currently only core types) +- Support generating full-skeleton empty model templates with placeholders +- Generate auditable logs for CLI runs +- Document signing and encryption, better file integrity checks + +## Medium Term + +### Continuously Building OSCAL +- Incorporate into CI/CD pipelines to enable collection of relevant data +- Start looking into annotation/DSL based instrumentation point insertion + +### OSCAL Visualiser +- Build a web application capable of inspecting, generating and editing OSCAL +model files +- Support building task lists, memos, action monitors and external references + +### Library and CLI +- Support XML format?(This is uncertain given the amount of effort required +and somewhat limited use cases) +- Build adaptor to various storage solutions for documentation indexing and +safeguarding + +## Long Term Goals + +### Automatic OSCAL Enforcement +Why use OSCAL at all if the specified controls are not verifiable and enforceable +automatically? This project will explore viable options to achieve this. diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..8ef674c --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,12 @@ +# Security Policy + +## Reporting a Vulnerability + +To report a security vulnerability, please email the maintainers at `geoffrey.borough@outlook.com`. Please do not create a Github issue +for security vulnerabilities. + +If you can, please include the following details: +* An MCVE (minimum complete verifiable example) – this is a short code snippet which demonstrates the error in the +the simplest possible (or just a simple) way. +* Which versions the vulnerability is present in +* What effects the vulnerability has and how serious the vulnerability is \ No newline at end of file diff --git a/cliff.toml b/cliff.toml new file mode 100644 index 0000000..34e61b5 --- /dev/null +++ b/cliff.toml @@ -0,0 +1,57 @@ +[changelog] +header = """ +# Changelog\n +""" + +body = """ +{% if version -%} + ## [{{ version | trim_start_matches(pat="v") }}] - {{ timestamp | date(format="%Y-%m-%d") }} +{% else -%} + ## [Unreleased] +{% endif -%} +{% for group, commits in commits | group_by(attribute="group") %} + ### {{ group | upper_first }} + {% for commit in commits %} + - {{ commit.message | upper_first }}\ + {% endfor %} +{% endfor %}\n +""" + +footer = """ +{% for release in releases -%} + {% if release.version -%} + {% if release.previous.version -%} + [{{ release.version | trim_start_matches(pat="v") }}]: \ + https://github.com/{{ remote.github.owner }}/{{ remote.github.repo }}\ + /compare/{{ release.previous.version }}..{{ release.version }} + {% endif -%} + {% else -%} + [unreleased]: https://github.com/{{ remote.github.owner }}/{{ remote.github.repo }}\ + /compare/{{ release.previous.version }}..HEAD + {% endif -%} +{% endfor %} +""" + +trim = true + +[git] +conventional_commits = true +filter_unconventional = false +split_commits = false +commit_parsers = [ + { message = "^.*: add", group = "Added" }, + { message = "^.*: support", group = "Added" }, + { message = "^.*: remove", group = "Removed" }, + { message = "^.*: delete", group = "Removed" }, + { message = "^test", group = "Fixed" }, + { message = "^fix", group = "Fixed" }, + { message = "^.*: fix", group = "Fixed" }, + { message = "^.*", group = "Changed" }, +] +protect_breaking_commits = false +filter_commits = true +tag_pattern = "v[0-9].*" +skip_tags = "v0.1.0-beta.1" +ignore_tags = "" +topo_order = false +sort_commits = "newest" diff --git a/default.nix b/default.nix new file mode 100644 index 0000000..71330e4 --- /dev/null +++ b/default.nix @@ -0,0 +1,10 @@ +(import + ( + let lock = builtins.fromJSON (builtins.readFile ./flake.lock); in + fetchTarball { + url = lock.nodes.flake-compat.locked.url or "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz"; + sha256 = lock.nodes.flake-compat.locked.narHash; + } + ) + { src = ./.; } +).defaultNix \ No newline at end of file diff --git a/deny.toml b/deny.toml new file mode 100644 index 0000000..dec715c --- /dev/null +++ b/deny.toml @@ -0,0 +1,67 @@ +# See all available configuration options at: +# https://embarkstudios.github.io/cargo-deny/index.html + +# -------------------------------------------------- +# General +# -------------------------------------------------- + +all-features = true +no-default-features = true + +# -------------------------------------------------- +# BANS +# -------------------------------------------------- + +[bans] +highlight = "all" +wildcards = "deny" +multiple-versions = "allow" +workspace-default-features = "allow" +external-default-features = "allow" + +# -------------------------------------------------- +# SOURCES +# -------------------------------------------------- + +[sources] +unknown-git = "deny" +unknown-registry = "deny" +allow-registry = ["https://github.com/rust-lang/crates.io-index"] +allow-git = [] + +# -------------------------------------------------- +# ADVISORIES +# -------------------------------------------------- + +[advisories] +db-urls = ["https://github.com/rustsec/advisory-db"] +db-path = "~/.cargo/advisory-db" +vulnerability = "deny" +unmaintained = "warn" +yanked = "warn" +notice = "warn" +severity-threshold = "None" +ignore = [] + +# -------------------------------------------------- +# LICENSES +# -------------------------------------------------- + +[licenses] +default = "deny" +copyleft = "warn" +unlicensed = "deny" +allow = [ + "MIT", + "Zlib", + "BSL-1.0", + "Apache-2.0", + "BSD-3-Clause", + "Unlicense", +] +confidence-threshold = 0.95 + +[[licenses.exceptions]] +name = "unicode-ident" +version = "*" +allow = ["Unicode-DFS-2016"] \ No newline at end of file diff --git a/flake.lock b/flake.lock new file mode 100644 index 0000000..a0e4021 --- /dev/null +++ b/flake.lock @@ -0,0 +1,94 @@ +{ + "nodes": { + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1705309234, + "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "naersk": { + "inputs": { + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1698420672, + "narHash": "sha256-/TdeHMPRjjdJub7p7+w55vyABrsJlt5QkznPYy55vKA=", + "owner": "nix-community", + "repo": "naersk", + "rev": "aeb58d5e8faead8980a807c840232697982d47b9", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "naersk", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1708407374, + "narHash": "sha256-EECzarm+uqnNDCwaGg/ppXCO11qibZ1iigORShkkDf0=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "f33dd27a47ebdf11dc8a5eb05e7c8fbdaf89e73f", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "type": "indirect" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1708407374, + "narHash": "sha256-EECzarm+uqnNDCwaGg/ppXCO11qibZ1iigORShkkDf0=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "f33dd27a47ebdf11dc8a5eb05e7c8fbdaf89e73f", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "flake-utils": "flake-utils", + "naersk": "naersk", + "nixpkgs": "nixpkgs_2" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..d56011b --- /dev/null +++ b/flake.nix @@ -0,0 +1,30 @@ +{ + description = "roscal"; + inputs = { + flake-utils.url = "github:numtide/flake-utils"; + naersk.url = "github:nix-community/naersk"; + nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; + }; + + outputs = { self, flake-utils, naersk, nixpkgs }: + flake-utils.lib.eachDefaultSystem (system: + let + pkgs = (import nixpkgs) { + inherit system; + }; + + naersk' = pkgs.callPackage naersk {}; + + in rec { + defaultPackage = naersk'.buildPackage { + src = ./.; + nativeBuildInputs = with pkgs; [ quicktype ]; + doCheck = true; + }; + + devShell = pkgs.mkShell { + nativeBuildInputs = with pkgs; [ rustc cargo quicktype ]; + }; + } + ); +} \ No newline at end of file diff --git a/roscal_cli/Cargo.toml b/roscal_cli/Cargo.toml new file mode 100644 index 0000000..1248a9b --- /dev/null +++ b/roscal_cli/Cargo.toml @@ -0,0 +1,36 @@ +[package] +name = "roscal_cli" +version = "0.1.0" +edition = "2021" +authors = ["Geoffrey Borough "] +homepage = "https://github.com/gborough/roscal" +repository = "https://github.com/gborough/roscal" +license = "MIT OR Apache-2.0" +description = """ +CLI For Open Security Controls Assessment Language In Rust +""" + +[dependencies] +roscal_lib = { version = "0.1.0", path = "../roscal_lib"} + +anyhow = "1.0.80" +clap = { version = "4.4.18", features = ["derive"] } +chrono = { version = "0.4.34", features = ["serde"] } +iana-time-zone = "0.1.60" +rand = "0.8.5" +serde = { version = "1.0.197", features = ["derive"] } +serde_json = { version = "1.0.114", features = ["preserve_order"] } +serde_yaml = "0.9.32" +sha2 = "0.10.8" +strum = { version = "0.26.1", features = ["derive"] } +thiserror = "1.0.56" +tokio = { version = "1.35.1", features = ["full"] } + +[dev-dependencies] +assert_cmd = "2.0.14" +tempfile = "3.10.0" +walkdir = "2.4.0" + +[[bin]] +name = "roscal" +path = "src/main.rs" diff --git a/roscal_cli/src/cli/cli_fn.rs b/roscal_cli/src/cli/cli_fn.rs new file mode 100644 index 0000000..e3ab8c5 --- /dev/null +++ b/roscal_cli/src/cli/cli_fn.rs @@ -0,0 +1,160 @@ +use crate::models::workspace::{Validator, Workspace}; + +use super::cli_opts::{Dissect, Merge, Validate}; + +pub async fn run_dissect( + opts: &Dissect, +) -> Result<(), Box> { + Workspace::dissect(opts).await?; + + Ok(()) +} + +pub async fn run_merge(opts: &Merge) -> Result<(), Box> { + Workspace::merge(opts).await?; + + Ok(()) +} + +pub async fn run_validate( + opts: &Validate, +) -> Result<(), Box> { + Validator::validate(opts).await?; + + Ok(()) +} + +pub async fn show_dissect() -> Result<(), Box> { + let desc = r#" +Available Model Options: + + One of: + - AssessmentPlan + - AssessmentResults + - Poam + - Catalog + - Profile + - ComponentDefinition + - Ssp + +Available Blocks Options: + + Under Assessment Plan Model: + + One of: + - all + + Or + + Any of: + - uuid + - metadata + - import_ssp + - local_definitions + - terms_and_conditions + - reviewed_controls + - assessment_subjects + - assessment_assets + - tasks + - back_matter + + Under Assessment Results Model: + + One of: + - all + + Or + + Any of: + - uuid + - metadata + - import_ap + - local_definitions + - results + - back_matter + + Under Plan of Action and Milestones Model: + + One of: + - all + + Or + + Any of: + - uuid + - metadata + - import_ssp + - system_id + - local_definitions + - observations + - risks + - findings + - poam_items + - back_matter + + Under Catalog Model: + + One of: + - all + + Or + + Any of: + - uuid + - metadata + - params + - controls + - groups + - back_matter + + Under Profile Model: + + One of: + - all + + Or + + Any of: + - uuid + - metadata + - imports + - merge + - modify + - back_matter + + Under Component Definition Model: + + One of: + - all + + Or + + Any of: + - uuid + - metadata + - import_component_definitions + - components + - capabilities + - back_matter + + Under System Security Plan Model: + + One of: + - all + + Or + + Any of: + - uuid + - metadata + - import_profile + - system_characteristics + - system_implementation + - control_implementation + - back_matter + "#; + + println!("{desc}"); + + Ok(()) +} diff --git a/roscal_cli/src/cli/cli_opts.rs b/roscal_cli/src/cli/cli_opts.rs new file mode 100644 index 0000000..e92e711 --- /dev/null +++ b/roscal_cli/src/cli/cli_opts.rs @@ -0,0 +1,97 @@ +use std::path::PathBuf; + +use clap::{Args, Parser, Subcommand}; + +#[derive(Debug, Clone, Parser)] +#[clap(author = "Author: Geoffrey Borough")] +#[clap(version)] +#[clap(about = "Cli Tool For Processing and Manipulating OSCAL Model File")] +pub struct OscalCli { + #[clap(subcommand)] + pub command: Commands, +} + +#[non_exhaustive] +#[derive(Debug, Clone, Subcommand)] +pub enum Commands { + /// Dissect OSCAL model file and generate a workspace for viewing and editing + /// Full Example: + /// roscal dissect --file /dir/catalog.json + /// --model Catalog + /// --blocks controls,groups + /// --output-dir /home/workspace + /// --parse-markup + #[clap(verbatim_doc_comment)] + Dissect(#[clap(flatten)] Dissect), + /// Merge existing worspace and generate new OSCAL model file + /// Full Example: + /// roscal merge --dir /dir/existing_workspace + /// --output-dir /dir/merged + /// --output-format yaml + /// --update-uuid v4 + #[clap(verbatim_doc_comment)] + Merge(#[clap(flatten)] Merge), + /// Validate a specific type of OSCAL model file + /// Full Example: + /// roscal validate --file /dir/catalog.json + /// --model Catalog + #[clap(verbatim_doc_comment)] + Validate(#[clap(flatten)] Validate), + /// Show available models and blocks for dissect operation + ShowDissect, +} + +#[derive(Args, Debug, Default, Clone)] +pub struct Dissect { + /// Location of the OSCAL model file + #[arg(long)] + pub file: PathBuf, + /// Specifiy which OSCAL model to be processed + /// Run `roscal show-dissect` for available models + #[arg(long, verbatim_doc_comment)] + pub model: String, + /// Specifiy which blocks to be dissected + /// Duplicate blocks will be combined + /// Run `roscal show-dissect` for available blocks + #[arg(long, num_args = 1.., value_delimiter = ',', verbatim_doc_comment)] + pub blocks: Vec, + /// Specify where dissect workspace should be created + /// Optional. Will use current directory if unspecified + #[arg(long, verbatim_doc_comment)] + pub output_dir: Option, + /// Whether to parse markup lines + /// Currently experimental feature + /// see https://pages.nist.gov/metaschema/specification/datatypes/#markup-data-types + #[arg(long, verbatim_doc_comment)] + pub parse_markup: bool, +} + +#[derive(Args, Debug, Default, Clone)] +pub struct Merge { + /// Location of existing workspace created by dissect operation + /// Optional. Can be run directly in existing workspace + #[arg(long, verbatim_doc_comment)] + pub dir: Option, + /// Specify where merged file should be created + /// Optional. Can be run directly in existing workspace + #[arg(long, verbatim_doc_comment)] + pub output_dir: Option, + /// Options: json or yaml + #[arg(long)] + pub output_format: String, + /// Options: v4 or v5 (as in uuid version) + /// Optional. No-op if model unchanged or uuid manually updated + #[arg(long, verbatim_doc_comment)] + pub update_uuid: Option, +} + +#[derive(Args, Debug, Default, Clone)] +pub struct Validate { + /// Location of OSCAL model file + #[arg(long)] + pub file: PathBuf, + /// Model type of OSCAL model file + /// Run `roscal show-dissect` for available models + #[arg(long, verbatim_doc_comment)] + pub model: String, +} diff --git a/roscal_cli/src/cli/mod.rs b/roscal_cli/src/cli/mod.rs new file mode 100644 index 0000000..072b81b --- /dev/null +++ b/roscal_cli/src/cli/mod.rs @@ -0,0 +1,2 @@ +pub mod cli_fn; +pub mod cli_opts; diff --git a/roscal_cli/src/lib.rs b/roscal_cli/src/lib.rs new file mode 100644 index 0000000..2a2e7fc --- /dev/null +++ b/roscal_cli/src/lib.rs @@ -0,0 +1,4 @@ +#![forbid(unsafe_code)] + +pub mod cli; +pub mod models; diff --git a/roscal_cli/src/main.rs b/roscal_cli/src/main.rs new file mode 100644 index 0000000..b8eb5ad --- /dev/null +++ b/roscal_cli/src/main.rs @@ -0,0 +1,22 @@ +mod cli; +mod models; + +use clap::Parser; +use cli::{ + cli_fn::{run_dissect, run_merge, run_validate, show_dissect}, + cli_opts::{Commands, OscalCli}, +}; + +#[tokio::main] +async fn main() -> Result<(), Box> { + let cli = OscalCli::parse(); + + match cli.command { + Commands::Dissect(ref opts) => run_dissect(opts).await?, + Commands::Merge(ref opts) => run_merge(opts).await?, + Commands::Validate(ref opts) => run_validate(opts).await?, + Commands::ShowDissect => show_dissect().await?, + } + + Ok(()) +} diff --git a/roscal_cli/src/models/dissect.rs b/roscal_cli/src/models/dissect.rs new file mode 100644 index 0000000..e122a08 --- /dev/null +++ b/roscal_cli/src/models/dissect.rs @@ -0,0 +1,465 @@ +use std::{ + path::{Path, PathBuf}, + str::FromStr, +}; + +use anyhow::{Context, Result}; +use tokio::{ + fs::{create_dir_all, remove_dir_all, File}, + io::{AsyncReadExt, AsyncWriteExt}, +}; + +use crate::cli::cli_opts::Dissect; + +use super::{ + model::{ + AssessmentPlanBlock, AssessmentResultsBlock, CatalogBlock, + ComponentDefinitionBlock, OscalModels, PoamBlock, ProfileBlock, + SspBlock, + }, + utils::{ + gen_created_at, gen_hash_from_path, gen_rand, is_valid_dir, + is_valid_file, + }, + validation::{ + is_valid_assessment_plan_block, is_valid_assessment_results_block, + is_valid_catalog_block, is_valid_component_definition_block, + is_valid_model, is_valid_poam_block, is_valid_profile_block, + is_valid_ssp_block, + }, + workspace::DissectCtx, +}; + +async fn gen_dissect_root( + created_at: &str, + rand: &str, + path: &impl AsRef, + output_dir: &Option, +) -> Result { + let dirname = if is_valid_file(path) { + format!( + "{}_{created_at}_{rand}", + path.as_ref().file_name().unwrap().to_string_lossy() + ) + } else { + std::process::exit(1) + }; + + if let Some(dir) = output_dir { + if is_valid_dir(dir) { + return Ok(format!( + "{}/{}", + dir.canonicalize() + .with_context(|| { + format!( + "Could not determine the output path: `{}`", + dir.display() + ) + })? + .to_string_lossy(), + dirname + )); + } + } + + let cur_dir = format!( + "{}/{}", + PathBuf::from("./") + .canonicalize()? + .to_string_lossy() + .into_owned(), + dirname + ); + + Ok(cur_dir) +} + +async fn gen_dissect_backup(root: &String) -> String { + format!("{}/backup", root) +} + +async fn gen_dissect_modifiable(root: &String) -> String { + format!("{}/modifiable", root) +} + +async fn gen_blocks(opts: &Dissect) -> Result> { + let mut blocks_in = opts.blocks.clone(); + blocks_in.dedup(); + let mut blocks_out: Vec = vec![]; + + if is_valid_model(&opts.model) { + let models = OscalModels::from_str(&opts.model).with_context(|| { + "Could not determine the provided OSCAL model".to_string() + })?; + + match models { + OscalModels::AssessmentPlan => { + if is_valid_assessment_plan_block(&blocks_in) { + if blocks_in[0] == AssessmentPlanBlock::All.to_string() { + let all = vec![ + AssessmentPlanBlock::Uuid.to_string(), + AssessmentPlanBlock::Metadata.to_string(), + AssessmentPlanBlock::ImportSsp.to_string(), + AssessmentPlanBlock::LocalDefinitions.to_string(), + AssessmentPlanBlock::TermsAndConditions.to_string(), + AssessmentPlanBlock::ReviewedControls.to_string(), + AssessmentPlanBlock::AssessmentSubjects.to_string(), + AssessmentPlanBlock::AssessmentAssets.to_string(), + AssessmentPlanBlock::Tasks.to_string(), + AssessmentPlanBlock::BackMatter.to_string(), + ]; + blocks_out.extend(all); + + Ok(blocks_out) + } else { + Ok(blocks_in) + } + } else { + std::process::exit(1) + } + } + OscalModels::AssessmentResults => { + if is_valid_assessment_results_block(&blocks_in) { + if blocks_in[0] == AssessmentResultsBlock::All.to_string() { + let all = vec![ + AssessmentResultsBlock::Uuid.to_string(), + AssessmentResultsBlock::Metadata.to_string(), + AssessmentResultsBlock::ImportAp.to_string(), + AssessmentResultsBlock::LocalDefinitions + .to_string(), + AssessmentResultsBlock::Results.to_string(), + AssessmentResultsBlock::BackMatter.to_string(), + ]; + blocks_out.extend(all); + + Ok(blocks_out) + } else { + Ok(blocks_in) + } + } else { + std::process::exit(1) + } + } + OscalModels::Poam => { + if is_valid_poam_block(&blocks_in) { + if blocks_in[0] == PoamBlock::All.to_string() { + let all = vec![ + PoamBlock::Uuid.to_string(), + PoamBlock::Metadata.to_string(), + PoamBlock::ImportSsp.to_string(), + PoamBlock::SystemId.to_string(), + PoamBlock::LocalDefinitions.to_string(), + PoamBlock::Observations.to_string(), + PoamBlock::Risks.to_string(), + PoamBlock::Findings.to_string(), + PoamBlock::PoamItems.to_string(), + PoamBlock::BackMatter.to_string(), + ]; + blocks_out.extend(all); + + Ok(blocks_out) + } else { + Ok(blocks_in) + } + } else { + std::process::exit(1) + } + } + OscalModels::Catalog => { + if is_valid_catalog_block(&blocks_in) { + if blocks_in[0] == CatalogBlock::All.to_string() { + let all = vec![ + CatalogBlock::Uuid.to_string(), + CatalogBlock::Metadata.to_string(), + CatalogBlock::Params.to_string(), + CatalogBlock::Controls.to_string(), + CatalogBlock::Groups.to_string(), + CatalogBlock::BackMatter.to_string(), + ]; + blocks_out.extend(all); + + Ok(blocks_out) + } else { + Ok(blocks_in) + } + } else { + std::process::exit(1) + } + } + OscalModels::Profile => { + if is_valid_profile_block(&blocks_in) { + if blocks_in[0] == ProfileBlock::All.to_string() { + let all = vec![ + ProfileBlock::Uuid.to_string(), + ProfileBlock::Metadata.to_string(), + ProfileBlock::Imports.to_string(), + ProfileBlock::Merge.to_string(), + ProfileBlock::Modify.to_string(), + ProfileBlock::BackMatter.to_string(), + ]; + blocks_out.extend(all); + + Ok(blocks_out) + } else { + Ok(blocks_in) + } + } else { + std::process::exit(1) + } + } + OscalModels::ComponentDefinition => { + if is_valid_component_definition_block(&blocks_in) { + if blocks_in[0] == ComponentDefinitionBlock::All.to_string() + { + let all = vec![ + ComponentDefinitionBlock::Uuid.to_string(), + ComponentDefinitionBlock::Metadata.to_string(), + ComponentDefinitionBlock::ImportComponentDefinitions.to_string(), + ComponentDefinitionBlock::Components.to_string(), + ComponentDefinitionBlock::Capabilities.to_string(), + ComponentDefinitionBlock::BackMatter.to_string(), + ]; + blocks_out.extend(all); + + Ok(blocks_out) + } else { + Ok(blocks_in) + } + } else { + std::process::exit(1) + } + } + OscalModels::Ssp => { + if is_valid_ssp_block(&blocks_in) { + if blocks_in[0] == SspBlock::All.to_string() { + let all = vec![ + SspBlock::Uuid.to_string(), + SspBlock::Metadata.to_string(), + SspBlock::ImportProfile.to_string(), + SspBlock::SystemCharacteristics.to_string(), + SspBlock::SystemImplementation.to_string(), + SspBlock::ControlImplementation.to_string(), + SspBlock::BackMatter.to_string(), + ]; + blocks_out.extend(all); + + Ok(blocks_out) + } else { + Ok(blocks_in) + } + } else { + std::process::exit(1) + } + } + } + } else { + std::process::exit(1) + } +} + +async fn gen_dissect_files(ctx: &DissectCtx) -> Result<()> { + let models = OscalModels::from_str(&ctx.model).with_context(|| { + "Could not determine the provided OSCAL model".to_string() + })?; + + match models { + OscalModels::AssessmentPlan => { + if is_valid_assessment_plan_block(&ctx.blocks) { + OscalModels::gen_models(&models, ctx).await?; + + Ok(()) + } else { + std::process::exit(1) + } + } + OscalModels::AssessmentResults => { + if is_valid_assessment_results_block(&ctx.blocks) { + OscalModels::gen_models(&models, ctx).await?; + + Ok(()) + } else { + std::process::exit(1) + } + } + OscalModels::Poam => { + if is_valid_poam_block(&ctx.blocks) { + OscalModels::gen_models(&models, ctx).await?; + + Ok(()) + } else { + std::process::exit(1) + } + } + OscalModels::Catalog => { + if is_valid_catalog_block(&ctx.blocks) { + OscalModels::gen_models(&models, ctx).await?; + + Ok(()) + } else { + std::process::exit(1) + } + } + OscalModels::Profile => { + if is_valid_profile_block(&ctx.blocks) { + OscalModels::gen_models(&models, ctx).await?; + + Ok(()) + } else { + std::process::exit(1) + } + } + OscalModels::ComponentDefinition => { + if is_valid_component_definition_block(&ctx.blocks) { + OscalModels::gen_models(&models, ctx).await?; + + Ok(()) + } else { + std::process::exit(1) + } + } + OscalModels::Ssp => { + if is_valid_ssp_block(&ctx.blocks) { + OscalModels::gen_models(&models, ctx).await?; + + Ok(()) + } else { + std::process::exit(1) + } + } + } +} + +async fn dissect_cleanup(ctx: &DissectCtx) -> Result<()> { + remove_dir_all(&ctx.root).await.with_context(|| { + format!( + "Could not clean up folder\nReason: {}\nPlease try manually deleting it", + &ctx.root + ) + })?; + + Ok(()) +} + +pub(super) async fn gen_dissect_dir(ctx: &DissectCtx) -> Result<()> { + create_dir_all(&ctx.backup).await.with_context(|| { + format!("Could not create directory: `{}`", &ctx.backup) + })?; + + create_dir_all(&ctx.modifiable).await.with_context(|| { + format!("Could not create directory: `{}`", &ctx.modifiable) + })?; + + let mut instruction = File::create(format!("{}/instruction", &ctx.root)) + .await + .with_context(|| { + format!( + "Could not create instruction.yaml file at this location: {}", + &ctx.root + ) + })?; + + let content = r#"Directory and File Structure + - modifiable: You should only view and modified your specified blocks content here, please do not modify file name + - backup: A back-up of the original model file for integrity check, please do not modify + - manifest.yaml: This file contains some metadata about yor workspace, please do not modify + "#; + + instruction + .write_all(content.as_bytes()) + .await + .with_context(|| "Could not write to backup YAML file".to_owned())?; + + let mut manifest = + File::create(format!("{}/dissect_manifest.yaml", &ctx.root)) + .await + .with_context(|| { + format!( + "Could not create manifest.yaml file at this location: {}", + &ctx.root + ) + })?; + let ctx_content = serde_yaml::to_string(&ctx) + .with_context(|| "Could not parse manifest.yaml file".to_owned())?; + + let mut manifest_extra = "# Please do not modify this file\n".to_owned(); + + manifest_extra.push_str(&ctx_content); + + manifest + .write_all(manifest_extra.as_bytes()) + .await + .with_context(|| "Could not write to manifest".to_owned())?; + + let mut backup = File::create(format!("{}/backup", &ctx.backup)) + .await + .with_context(|| { + format!( + "Could not create backup file at this location: {}", + &ctx.backup + ) + })?; + + let mut file = File::open(&ctx.model_loc).await.with_context(|| { + format!( + "Could not read backup file at this location: {}", + &ctx.model_loc.display() + ) + })?; + let mut content = String::new(); + file.read_to_string(&mut content) + .await + .with_context(|| "Could not write to backup file".to_string())?; + + backup + .write_all(content.as_bytes()) + .await + .with_context(|| "Could not write to backup YAML file".to_owned())?; + + Ok(()) +} + +pub(super) async fn dissect_workspace(opts: &Dissect) -> Result<()> { + if opts.parse_markup { + std::env::set_var("OSCAL_MARKUP_RENDER_MODE", "ENABLED") + } else { + std::env::set_var("OSCAL_MARKUP_RENDER_MODE", "DISABLED") + } + + let created_at = gen_created_at(); + let model_loc = + PathBuf::from(&opts.file).canonicalize().with_context(|| { + format!( + "Could not determine the full path of the OSCAL model file: `{}`", + &opts.file.display() + ) + })?; + let rand = gen_rand(); + let root = + gen_dissect_root(&created_at, &rand, &opts.file, &opts.output_dir) + .await?; + let backup = gen_dissect_backup(&root).await; + let modifiable = gen_dissect_modifiable(&root).await; + let hash = gen_hash_from_path(&opts.file)?; + let blocks = gen_blocks(opts).await?; + let ctx = DissectCtx { + created_at, + model_loc, + model: opts.model.clone(), + blocks, + rand, + root, + backup, + modifiable, + hash, + }; + + if let Err(e) = gen_dissect_files(&ctx).await { + eprintln!("{e}"); + dissect_cleanup(&ctx).await?; + std::process::exit(1) + } else { + println!("Dissect operation successful!\nYou can locate your workspace at: {}", &ctx.root) + } + + Ok(()) +} diff --git a/roscal_cli/src/models/merge.rs b/roscal_cli/src/models/merge.rs new file mode 100644 index 0000000..49a6074 --- /dev/null +++ b/roscal_cli/src/models/merge.rs @@ -0,0 +1,798 @@ +use std::{ + fs::File, + io::{BufReader, Read, Write}, + path::{Path, PathBuf}, + str::FromStr, +}; + +use anyhow::{Context, Result}; +use roscal_lib::{ + assessment::{ + assessment_plan::AssessmentPlanBuilder, + assessment_results::AssessmentResultsBuilder, + poam::PlanOfActionAndMilestonesBuilder, + }, + control::{catalog::CatalogBuilder, profile::ProfileBuilder}, + implementation::{ + component_definition::ComponentDefinitionBuilder, + ssp::SystemSecurityPlanBuilder, + }, + UpdateUuid, +}; +use strum::EnumString; +use tokio::fs::create_dir_all; + +use crate::cli::cli_opts::Merge; + +use super::{ + model::{ + AssessmentPlanBlock, AssessmentResultsBlock, CatalogBlock, + ComponentDefinitionBlock, OscalModels, PoamBlock, ProfileBlock, + SspBlock, + }, + utils::{gen_created_at, gen_rand}, + workspace::{CliError, DissectCtx, MergeCtx}, +}; +use crate::models::utils::is_valid_dir; + +#[derive(Debug, Clone, PartialEq, EnumString)] +pub enum MergeOpt { + #[strum(serialize = "json")] + Json, + #[strum(serialize = "yaml")] + Yaml, +} + +#[derive(Debug, Clone, PartialEq, EnumString)] +pub enum UpdateUuidOpt { + #[strum(serialize = "v4")] + V4, + #[strum(serialize = "v5")] + V5, +} + +async fn gen_dir( + path: &Option, + default: impl AsRef, +) -> Result { + if let Some(path) = path { + if is_valid_dir(path) { + Ok(format!( + "{}", + Path::new(&path).canonicalize().with_context(|| { + format!("Could not determine the full path of the workspace: `{}`", + path.display()) + })?.to_string_lossy() + )) + } else { + std::process::exit(1) + } + } else { + Ok(format!( + "{}", + default + .as_ref() + .canonicalize() + .with_context(|| { + format!( + "Could not determine the full path of the workspace: `{}`", + default.as_ref().display() + ) + })? + .to_string_lossy() + )) + } +} + +async fn read_dissect_ctx(path: &Option) -> Result { + let dir = gen_dir(path, "./").await?; + let path = Path::new(&dir).join("dissect_manifest.yaml"); + let file = File::open(path).with_context(|| { + format!( + "Could not read dissect manifest file at this location: {}", + &dir + ) + })?; + + let reader = BufReader::new(file); + + let manifest: DissectCtx = serde_yaml::from_reader(reader) + .with_context(|| "Could not determine dissect manifest content")?; + + Ok(manifest) +} + +async fn gen_merge_ctx(opts: &Merge, ctx_ref: DissectCtx) -> Result { + let created_at = gen_created_at(); + let rand = gen_rand(); + let output_dir = gen_dir(&opts.output_dir, "./").await?; + + Ok(MergeCtx { + created_at, + rand, + output_dir, + dissect_workspace_ref: ctx_ref, + ..Default::default() + }) +} + +async fn gen_merge_blocks(ctx: &MergeCtx) -> Result> { + let mut blocks: Vec = vec![]; + for elt in &ctx.dissect_workspace_ref.blocks { + let path = Path::new(&ctx.dissect_workspace_ref.modifiable) + .join(format!("{}.yaml", elt)); + let mut file = File::open(&path).with_context(|| { + format!( + "Could not read workspace modifiable file at this location: {}", + path.display() + ) + })?; + let mut content = String::new(); + file.read_to_string(&mut content)?; + + if !content.is_empty() { + blocks.push(path) + } + } + + Ok(blocks) +} + +async fn gen_merge_dir( + ctx: &mut MergeCtx, + opts: &Merge, + model: String, +) -> Result<()> { + create_dir_all(&ctx.output_dir).await.with_context(|| { + format!("Could not create merge directory: `{}`", &ctx.output_dir) + })?; + + match MergeOpt::from_str(&opts.output_format) + .map_err(|_| CliError::UnknownMergeOpt)? + { + MergeOpt::Json => { + let merged_path = format!("{}/merged.json", &ctx.output_dir); + let mut merged = File::create(&merged_path).with_context(|| { + format!( + "Could not create merged.json file at this location: {}", + &ctx.output_dir + ) + })?; + + merged + .write_all(model.as_bytes()) + .with_context(|| "Could not write to merge file".to_owned())?; + ctx.update_hash(&model)?; + println!("Merge Operation Successful!\nYou can locate you merged JSON file at: {}", merged_path); + } + MergeOpt::Yaml => { + let merged_path = format!("{}/merged.yaml", &ctx.output_dir); + let mut merged = File::create(&merged_path).with_context(|| { + format!( + "Could not create merged.yaml file at this location: {}", + &ctx.output_dir + ) + })?; + merged + .write_all(model.as_bytes()) + .with_context(|| "Could not write to merge file".to_owned())?; + ctx.update_hash(&model)?; + println!("Merge Operation Successful!\nYou can locate you merged YAML file at: {}", merged_path); + } + } + + let manifest_path = format!("{}/merge_manifest.yaml", &ctx.output_dir); + + let mut manifest = File::create(&manifest_path).with_context(|| { + format!( + "Could not create merge_manifest.yaml file at this location: {}", + &ctx.output_dir + ) + })?; + let ctx_content = serde_yaml::to_string(&ctx).with_context(|| { + "Could not parse merge_manifest.yaml file".to_owned() + })?; + + manifest + .write_all(ctx_content.as_bytes()) + .with_context(|| "Could not write to merge manifest".to_owned())?; + print!("You can locate you merge manifest at: {}", manifest_path); + + Ok(()) +} + +async fn process_merge_blocks( + blocks: &Vec, + ctx: &mut MergeCtx, + opts: &Merge, +) -> Result<()> { + let models = OscalModels::from_str(&ctx.dissect_workspace_ref.model) + .with_context(|| { + "Could not determine the provided OSCAL model".to_string() + })?; + let model_loc = + PathBuf::from(&format!("{}/backup", ctx.dissect_workspace_ref.backup)); + + match models { + OscalModels::AssessmentPlan => { + let assessment_plan_orig = + models.read_assessment_plan(&model_loc).await?; + let mut assessment_plan_sap_orig = + assessment_plan_orig.assessment_plan.clone(); + let mut assessment_plan_builder = AssessmentPlanBuilder::default(); + + for elt in blocks { + let path = elt.file_stem().unwrap().to_str().unwrap(); + let block = + AssessmentPlanBlock::from_str(path).with_context(|| { + "Could not determine the provided Assessment Plan block" + .to_string() + })?; + + match block { + AssessmentPlanBlock::Uuid => { + let res = block.read_uuid(elt).await?; + assessment_plan_sap_orig.uuid = res + } + AssessmentPlanBlock::Metadata => { + let res = block.read_metadata(elt).await?; + assessment_plan_sap_orig.metadata = res + } + AssessmentPlanBlock::ImportSsp => { + let res = block.read_import_ssp(elt).await?; + assessment_plan_sap_orig.import_ssp = res + } + AssessmentPlanBlock::LocalDefinitions => { + let res = block.read_local_definitions(elt).await?; + assessment_plan_sap_orig.local_definitions = Some(res) + } + AssessmentPlanBlock::TermsAndConditions => { + let res = block.read_terms_and_conditions(elt).await?; + assessment_plan_sap_orig.terms_and_conditions = + Some(res) + } + AssessmentPlanBlock::ReviewedControls => { + let res = block.read_reviewed_controls(elt).await?; + assessment_plan_sap_orig.reviewed_controls = res + } + AssessmentPlanBlock::AssessmentSubjects => { + let res = block.read_assessment_subjects(elt).await?; + assessment_plan_sap_orig.assessment_subjects = Some(res) + } + AssessmentPlanBlock::AssessmentAssets => { + let res = block.read_assessment_assets(elt).await?; + assessment_plan_sap_orig.assessment_assets = Some(res) + } + AssessmentPlanBlock::Tasks => { + let res = block.read_tasks(elt).await?; + assessment_plan_sap_orig.tasks = Some(res) + } + AssessmentPlanBlock::BackMatter => { + let res = block.read_back_matter(elt).await?; + assessment_plan_sap_orig.back_matter = Some(res) + } + _ => {} + } + } + + if let Some(uuid_opt) = &opts.update_uuid { + match UpdateUuidOpt::from_str(uuid_opt) + .map_err(|_| CliError::UnknownUuidVer)? + { + UpdateUuidOpt::V4 => { + assessment_plan_sap_orig.update_uuid_v4( + &assessment_plan_orig.assessment_plan, + ); + } + UpdateUuidOpt::V5 => { + assessment_plan_sap_orig.update_uuid_v5( + &assessment_plan_orig.assessment_plan, + ); + } + } + } + + let res = assessment_plan_builder + .assessment_plan(assessment_plan_sap_orig) + .build()?; + + let model = match MergeOpt::from_str(&opts.output_format) + .map_err(|_| CliError::UnknownMergeOpt)? + { + MergeOpt::Json => serde_json::to_string(&res) + .with_context(|| "Could not parse model to json file")?, + MergeOpt::Yaml => serde_yaml::to_string(&res) + .with_context(|| "Could not parse model to yaml file")?, + }; + + gen_merge_dir(ctx, opts, model).await?; + + Ok(()) + } + OscalModels::AssessmentResults => { + let assessment_results_orig = + models.read_assessment_results(&model_loc).await?; + let mut assessment_results_sar_orig = + assessment_results_orig.assessment_results.clone(); + let mut assessment_results_builder = + AssessmentResultsBuilder::default(); + + for elt in blocks { + let path = elt.file_stem().unwrap().to_str().unwrap(); + let block = AssessmentResultsBlock::from_str(path).with_context(|| { + "Could not determine the provided Assessment Results block".to_string() + })?; + + match block { + AssessmentResultsBlock::Uuid => { + let res = block.read_uuid(elt).await?; + assessment_results_sar_orig.uuid = res + } + AssessmentResultsBlock::Metadata => { + let res = block.read_metadata(elt).await?; + assessment_results_sar_orig.metadata = res + } + AssessmentResultsBlock::ImportAp => { + let res = block.read_import_ap(elt).await?; + assessment_results_sar_orig.import_ap = res + } + AssessmentResultsBlock::LocalDefinitions => { + let res = block.read_local_definitions(elt).await?; + assessment_results_sar_orig.local_definitions = + Some(res) + } + AssessmentResultsBlock::Results => { + let res = block.read_results(elt).await?; + assessment_results_sar_orig.results = res + } + AssessmentResultsBlock::BackMatter => { + let res = block.read_back_matter(elt).await?; + assessment_results_sar_orig.back_matter = Some(res) + } + _ => {} + } + } + + if let Some(uuid_opt) = &opts.update_uuid { + match UpdateUuidOpt::from_str(uuid_opt) + .map_err(|_| CliError::UnknownUuidVer)? + { + UpdateUuidOpt::V4 => { + assessment_results_sar_orig.update_uuid_v4( + &assessment_results_orig.assessment_results, + ); + } + UpdateUuidOpt::V5 => { + assessment_results_sar_orig.update_uuid_v5( + &assessment_results_orig.assessment_results, + ); + } + } + } + + let res = assessment_results_builder + .assessment_results(assessment_results_sar_orig) + .build()?; + + let model = match MergeOpt::from_str(&opts.output_format) + .map_err(|_| CliError::UnknownMergeOpt)? + { + MergeOpt::Json => serde_json::to_string(&res) + .with_context(|| "Could not parse model to json file")?, + MergeOpt::Yaml => serde_yaml::to_string(&res) + .with_context(|| "Could not parse model to yaml file")?, + }; + + gen_merge_dir(ctx, opts, model).await?; + + Ok(()) + } + OscalModels::Poam => { + let poam_orig = models.read_poam(&model_loc).await?; + let mut poam_poam_orig = + poam_orig.plan_of_action_and_milestones.clone(); + let mut poam_builder = PlanOfActionAndMilestonesBuilder::default(); + + for elt in blocks { + let path = elt.file_stem().unwrap().to_str().unwrap(); + let block = PoamBlock::from_str(path).with_context(|| { + "Could not determine the provided Poam block".to_string() + })?; + + match block { + PoamBlock::Uuid => { + let res = block.read_uuid(elt).await?; + poam_poam_orig.uuid = res + } + PoamBlock::Metadata => { + let res = block.read_metadata(elt).await?; + poam_poam_orig.metadata = res + } + PoamBlock::ImportSsp => { + let res = block.read_import_ssp(elt).await?; + poam_poam_orig.import_ssp = Some(res) + } + PoamBlock::SystemId => { + let res = block.read_system_id(elt).await?; + poam_poam_orig.system_id = Some(res) + } + PoamBlock::LocalDefinitions => { + let res = + block.read_system_local_definitions(elt).await?; + poam_poam_orig.local_definitions = Some(res) + } + PoamBlock::Observations => { + let res = block.read_observations(elt).await?; + poam_poam_orig.observations = Some(res) + } + PoamBlock::Risks => { + let res = block.read_risks(elt).await?; + poam_poam_orig.risks = Some(res) + } + PoamBlock::Findings => { + let res = block.read_findings(elt).await?; + poam_poam_orig.findings = Some(res) + } + PoamBlock::PoamItems => { + let res = block.read_poam_items(elt).await?; + poam_poam_orig.poam_items = res + } + PoamBlock::BackMatter => { + let res = block.read_back_matter(elt).await?; + poam_poam_orig.back_matter = Some(res) + } + _ => {} + } + } + + if let Some(uuid_opt) = &opts.update_uuid { + match UpdateUuidOpt::from_str(uuid_opt) + .map_err(|_| CliError::UnknownUuidVer)? + { + UpdateUuidOpt::V4 => { + poam_poam_orig.update_uuid_v4( + &poam_orig.plan_of_action_and_milestones, + ); + } + UpdateUuidOpt::V5 => { + poam_poam_orig.update_uuid_v5( + &poam_orig.plan_of_action_and_milestones, + ); + } + } + } + + let res = poam_builder + .plan_of_action_and_milestones(poam_poam_orig) + .build()?; + + let model = match MergeOpt::from_str(&opts.output_format) + .map_err(|_| CliError::UnknownMergeOpt)? + { + MergeOpt::Json => serde_json::to_string(&res) + .with_context(|| "Could not parse model as json file")?, + MergeOpt::Yaml => serde_yaml::to_string(&res) + .with_context(|| "Could not parse model as yaml file")?, + }; + + gen_merge_dir(ctx, opts, model).await?; + + Ok(()) + } + OscalModels::Catalog => { + let catalog_orig = models.read_catalog(&model_loc).await?; + let mut catalog_class_orig = catalog_orig.catalog.clone(); + let mut catalog_builder = CatalogBuilder::default(); + + for elt in blocks { + let path = elt.file_stem().unwrap().to_str().unwrap(); + let block = + CatalogBlock::from_str(path).with_context(|| { + "Could not determine the provided Catalog block" + .to_string() + })?; + + match block { + CatalogBlock::Uuid => { + let res = block.read_uuid(elt).await?; + catalog_class_orig.uuid = res + } + CatalogBlock::Metadata => { + let res = block.read_metadata(elt).await?; + catalog_class_orig.metadata = res + } + CatalogBlock::Params => { + let res = block.read_params(elt).await?; + catalog_class_orig.params = Some(res) + } + CatalogBlock::Controls => { + let res = block.read_controls(elt).await?; + catalog_class_orig.controls = Some(res) + } + CatalogBlock::Groups => { + let res = block.read_groups(elt).await?; + catalog_class_orig.groups = Some(res) + } + CatalogBlock::BackMatter => { + let res = block.read_back_matter(elt).await?; + catalog_class_orig.back_matter = Some(res) + } + _ => {} + } + } + + if let Some(uuid_opt) = &opts.update_uuid { + match UpdateUuidOpt::from_str(uuid_opt) + .map_err(|_| CliError::UnknownUuidVer)? + { + UpdateUuidOpt::V4 => { + catalog_class_orig + .update_uuid_v4(&catalog_orig.catalog); + } + UpdateUuidOpt::V5 => { + catalog_class_orig + .update_uuid_v5(&catalog_orig.catalog); + } + } + } + + let res = catalog_builder.catalog(catalog_class_orig).build()?; + + let model = match MergeOpt::from_str(&opts.output_format) + .map_err(|_| CliError::UnknownMergeOpt)? + { + MergeOpt::Json => serde_json::to_string(&res) + .with_context(|| "Could not parse model to json file")?, + MergeOpt::Yaml => serde_yaml::to_string(&res) + .with_context(|| "Could not parse model to yaml file")?, + }; + + gen_merge_dir(ctx, opts, model).await?; + + Ok(()) + } + OscalModels::Profile => { + let profile_orig = models.read_profile(&model_loc).await?; + let mut profile_class_orig = profile_orig.profile.clone(); + let mut profile_builder = ProfileBuilder::default(); + + for elt in blocks { + let path = elt.file_stem().unwrap().to_str().unwrap(); + let block = + ProfileBlock::from_str(path).with_context(|| { + "Could not determine the provided Profile block" + .to_string() + })?; + + match block { + ProfileBlock::Uuid => { + let res = block.read_uuid(elt).await?; + profile_class_orig.uuid = res + } + ProfileBlock::Metadata => { + let res = block.read_metadata(elt).await?; + profile_class_orig.metadata = res + } + ProfileBlock::Imports => { + let res = block.read_imports(elt).await?; + profile_class_orig.imports = res + } + ProfileBlock::Merge => { + let res = block.read_merge(elt).await?; + profile_class_orig.merge = Some(res) + } + ProfileBlock::Modify => { + let res = block.read_modify(elt).await?; + profile_class_orig.modify = Some(res) + } + ProfileBlock::BackMatter => { + let res = block.read_back_matter(elt).await?; + profile_class_orig.back_matter = Some(res) + } + _ => {} + } + } + + if let Some(uuid_opt) = &opts.update_uuid { + match UpdateUuidOpt::from_str(uuid_opt) + .map_err(|_| CliError::UnknownUuidVer)? + { + UpdateUuidOpt::V4 => { + profile_class_orig + .update_uuid_v4(&profile_orig.profile); + } + UpdateUuidOpt::V5 => { + profile_class_orig + .update_uuid_v5(&profile_orig.profile); + } + } + } + + let res = profile_builder.profile(profile_class_orig).build()?; + + let model = match MergeOpt::from_str(&opts.output_format) + .map_err(|_| CliError::UnknownMergeOpt)? + { + MergeOpt::Json => serde_json::to_string(&res) + .with_context(|| "Could not parse model to json file")?, + MergeOpt::Yaml => serde_yaml::to_string(&res) + .with_context(|| "Could not parse model to yaml file")?, + }; + + gen_merge_dir(ctx, opts, model).await?; + + Ok(()) + } + OscalModels::ComponentDefinition => { + let component_definition_orig = + models.read_component_definition(&model_loc).await?; + let mut component_definition_class_orig = + component_definition_orig.component_definition.clone(); + let mut component_definition_builder = + ComponentDefinitionBuilder::default(); + + for elt in blocks { + let path = elt.file_stem().unwrap().to_str().unwrap(); + let block = ComponentDefinitionBlock::from_str(path).with_context(|| { + "Could not determine the provided Component Definition block".to_string() + })?; + + match block { + ComponentDefinitionBlock::Uuid => { + let res = block.read_uuid(elt).await?; + component_definition_class_orig.uuid = res + } + ComponentDefinitionBlock::Metadata => { + let res = block.read_metadata(elt).await?; + component_definition_class_orig.metadata = res + } + ComponentDefinitionBlock::ImportComponentDefinitions => { + let res = block + .read_import_component_definitions(elt) + .await?; + component_definition_class_orig + .import_component_definitions = Some(res) + } + ComponentDefinitionBlock::Components => { + let res = block.read_components(elt).await?; + component_definition_class_orig.components = Some(res) + } + ComponentDefinitionBlock::Capabilities => { + let res = block.read_capabilities(elt).await?; + component_definition_class_orig.capabilities = Some(res) + } + ComponentDefinitionBlock::BackMatter => { + let res = block.read_back_matter(elt).await?; + component_definition_class_orig.back_matter = Some(res) + } + _ => {} + } + } + + if let Some(uuid_opt) = &opts.update_uuid { + match UpdateUuidOpt::from_str(uuid_opt) + .map_err(|_| CliError::UnknownUuidVer)? + { + UpdateUuidOpt::V4 => { + component_definition_class_orig.update_uuid_v4( + &component_definition_orig.component_definition, + ); + } + UpdateUuidOpt::V5 => { + component_definition_class_orig.update_uuid_v5( + &component_definition_orig.component_definition, + ); + } + } + } + + let res = component_definition_builder + .component_definition(component_definition_class_orig) + .build()?; + + let model = match MergeOpt::from_str(&opts.output_format) + .map_err(|_| CliError::UnknownMergeOpt)? + { + MergeOpt::Json => serde_json::to_string(&res) + .with_context(|| "Could not parse model to json file")?, + MergeOpt::Yaml => serde_yaml::to_string(&res) + .with_context(|| "Could not parse model to yaml file")?, + }; + + gen_merge_dir(ctx, opts, model).await?; + + Ok(()) + } + OscalModels::Ssp => { + let ssp_orig = models.read_ssp(&model_loc).await?; + let mut ssp_ssp_orig = ssp_orig.system_security_plan.clone(); + let mut ssp_builder = SystemSecurityPlanBuilder::default(); + + for elt in blocks { + let path = elt.file_stem().unwrap().to_str().unwrap(); + let block = SspBlock::from_str(path).with_context(|| { + "Could not determine the provided System Security Plan block".to_string() + })?; + + match block { + SspBlock::Uuid => { + let res = block.read_uuid(elt).await?; + ssp_ssp_orig.uuid = res + } + SspBlock::Metadata => { + let res = block.read_metadata(elt).await?; + ssp_ssp_orig.metadata = res + } + SspBlock::ImportProfile => { + let res = block.read_import_profile(elt).await?; + ssp_ssp_orig.import_profile = res + } + SspBlock::SystemCharacteristics => { + let res = + block.read_system_characteristics(elt).await?; + ssp_ssp_orig.system_characteristics = res + } + SspBlock::SystemImplementation => { + let res = block.read_system_implementation(elt).await?; + ssp_ssp_orig.system_implementation = res + } + SspBlock::ControlImplementation => { + let res = + block.read_control_implementation(elt).await?; + ssp_ssp_orig.control_implementation = res + } + SspBlock::BackMatter => { + let res = block.read_back_matter(elt).await?; + ssp_ssp_orig.back_matter = Some(res) + } + _ => {} + } + } + + if let Some(uuid_opt) = &opts.update_uuid { + match UpdateUuidOpt::from_str(uuid_opt) + .map_err(|_| CliError::UnknownUuidVer)? + { + UpdateUuidOpt::V4 => { + ssp_ssp_orig + .update_uuid_v4(&ssp_orig.system_security_plan); + } + UpdateUuidOpt::V5 => { + ssp_ssp_orig + .update_uuid_v5(&ssp_orig.system_security_plan); + } + } + } + + let res = ssp_builder.system_security_plan(ssp_ssp_orig).build()?; + + let model = match MergeOpt::from_str(&opts.output_format) + .map_err(|_| CliError::UnknownMergeOpt)? + { + MergeOpt::Json => serde_json::to_string(&res) + .with_context(|| "Could not parse model to json file")?, + MergeOpt::Yaml => serde_yaml::to_string(&res) + .with_context(|| "Could not parse model to yaml file")?, + }; + + gen_merge_dir(ctx, opts, model).await?; + + Ok(()) + } + } +} + +pub(super) async fn merge_workspace(opts: &Merge) -> Result<()> { + let manifest = read_dissect_ctx(&opts.dir).await?; + + if manifest.is_valid_hash()? { + let mut ctx = gen_merge_ctx(opts, manifest).await?; + let blocks = gen_merge_blocks(&ctx).await?; + process_merge_blocks(&blocks, &mut ctx, opts).await?; + } else { + eprintln!("File integrity check faild as the hash does not match the original, program aborted"); + std::process::exit(1) + } + + Ok(()) +} diff --git a/roscal_cli/src/models/mod.rs b/roscal_cli/src/models/mod.rs new file mode 100644 index 0000000..b25ac81 --- /dev/null +++ b/roscal_cli/src/models/mod.rs @@ -0,0 +1,7 @@ +pub mod dissect; +pub mod merge; +pub mod model; +pub mod utils; +pub mod validate; +pub mod validation; +pub mod workspace; diff --git a/roscal_cli/src/models/model.rs b/roscal_cli/src/models/model.rs new file mode 100644 index 0000000..2ed6f35 --- /dev/null +++ b/roscal_cli/src/models/model.rs @@ -0,0 +1,2893 @@ +use std::{ + fs::File, + io::{BufReader, Write}, + path::PathBuf, + str::FromStr, +}; + +use anyhow::{Context, Result}; +use roscal_lib::{ + assessment::{ + assessment_plan::AssessmentPlan, assessment_results::AssessmentResults, + poam::PlanOfActionAndMilestones, + }, + control::{catalog::Catalog, profile::Profile}, + implementation::{ + component_definition::ComponentDefinition, ssp::SystemSecurityPlan, + }, +}; +use strum::{Display, EnumString}; + +use super::{ + dissect::gen_dissect_dir, + workspace::{CliError, DissectCtx}, +}; + +#[non_exhaustive] +#[derive(Debug, Clone, PartialEq, EnumString)] +pub(super) enum OscalModels { + #[strum(serialize = "AssessmentPlan")] + AssessmentPlan, + #[strum(serialize = "AssessmentResults")] + AssessmentResults, + #[strum(serialize = "Poam")] + Poam, + #[strum(serialize = "Catalog")] + Catalog, + #[strum(serialize = "Profile")] + Profile, + #[strum(serialize = "ComponentDefinition")] + ComponentDefinition, + #[strum(serialize = "Ssp")] + Ssp, +} + +impl OscalModels { + async fn read_file(path: &PathBuf) -> Result> { + let file = File::open(path).with_context(|| { + format!("Could not open model file: `{}`", path.display()) + })?; + + Ok(BufReader::new(file)) + } + + pub async fn read_assessment_plan( + &self, + path: &PathBuf, + ) -> Result { + let reader = Self::read_file(path).await?; + let assessment_plan: AssessmentPlan = serde_yaml::from_reader(reader) + .map_err(|e| { + CliError::ParseModel( + "assessment plan".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(assessment_plan) + } + + pub async fn read_assessment_results( + &self, + path: &PathBuf, + ) -> Result { + let reader = Self::read_file(path).await?; + let assessment_results: AssessmentResults = + serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseModel( + "assessment results".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(assessment_results) + } + + pub async fn read_poam( + &self, + path: &PathBuf, + ) -> Result { + let reader = Self::read_file(path).await?; + let poam: PlanOfActionAndMilestones = serde_yaml::from_reader(reader) + .map_err(|e| { + CliError::ParseModel( + "poam".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(poam) + } + + pub async fn read_catalog(&self, path: &PathBuf) -> Result { + let reader = Self::read_file(path).await?; + let catalog: Catalog = + serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseModel( + "catalog".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(catalog) + } + + pub async fn read_profile(&self, path: &PathBuf) -> Result { + let reader = Self::read_file(path).await?; + let profile: Profile = + serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseModel( + "profile".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(profile) + } + + pub async fn read_component_definition( + &self, + path: &PathBuf, + ) -> Result { + let reader = Self::read_file(path).await?; + let component_definition: ComponentDefinition = + serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseModel( + "component_definition".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(component_definition) + } + + pub async fn read_ssp(&self, path: &PathBuf) -> Result { + let reader = Self::read_file(path).await?; + let ssp: SystemSecurityPlan = + serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseModel( + "ssp".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(ssp) + } + + pub async fn gen_models(&self, ctx: &DissectCtx) -> Result<()> { + let model_loc = &ctx.model_loc; + gen_dissect_dir(ctx).await?; + + match self { + Self::AssessmentPlan => { + let assessment_plan = + self.read_assessment_plan(model_loc).await?; + + AssessmentPlanBlock::gen_files(assessment_plan, ctx).await?; + + Ok(()) + } + Self::AssessmentResults => { + let assessment_results = + self.read_assessment_results(model_loc).await?; + + AssessmentResultsBlock::gen_files(assessment_results, ctx) + .await?; + + Ok(()) + } + Self::Poam => { + let poam = self.read_poam(model_loc).await?; + + PoamBlock::gen_files(poam, ctx).await?; + + Ok(()) + } + Self::Catalog => { + let catalog = self.read_catalog(model_loc).await?; + + CatalogBlock::gen_files(catalog, ctx).await?; + + Ok(()) + } + Self::Profile => { + let profile = self.read_profile(model_loc).await?; + + ProfileBlock::gen_files(profile, ctx).await?; + + Ok(()) + } + Self::ComponentDefinition => { + let component_definition = + self.read_component_definition(model_loc).await?; + + ComponentDefinitionBlock::gen_files(component_definition, ctx) + .await?; + + Ok(()) + } + Self::Ssp => { + let ssp = self.read_ssp(model_loc).await?; + + SspBlock::gen_files(ssp, ctx).await?; + + Ok(()) + } + } + } +} + +#[non_exhaustive] +#[derive(Debug, Clone, PartialEq, EnumString, Display)] +pub(super) enum AssessmentPlanBlock { + #[strum(serialize = "all")] + All, + #[strum(serialize = "uuid")] + Uuid, + #[strum(serialize = "metadata")] + Metadata, + #[strum(serialize = "import_ssp")] + ImportSsp, + #[strum(serialize = "local_definitions")] + LocalDefinitions, + #[strum(serialize = "terms_and_conditions")] + TermsAndConditions, + #[strum(serialize = "reviewed_controls")] + ReviewedControls, + #[strum(serialize = "assessment_subjects")] + AssessmentSubjects, + #[strum(serialize = "assessment_assets")] + AssessmentAssets, + #[strum(serialize = "tasks")] + Tasks, + #[strum(serialize = "back_matter")] + BackMatter, +} + +impl AssessmentPlanBlock { + async fn gen_uuid( + assessment_plan: &AssessmentPlan, + path: &String, + ) -> Result<()> { + let mut uuid_yaml = File::create(format!("{}/uuid.yaml", path)) + .with_context(|| { + format!( + "Could not create uuid block at this location: {}", + path + ) + })?; + + let uuid = + serde_yaml::to_string(&assessment_plan.assessment_plan.uuid)?; + + uuid_yaml + .write_all(uuid.as_bytes()) + .with_context(|| "Could not write to manifest".to_owned())?; + + Ok(()) + } + + pub(super) async fn read_uuid(&self, path: &PathBuf) -> Result { + let file = File::open(path)?; + let reader = BufReader::new(file); + let uuid = serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseBlock( + "uuid".to_owned(), + "assessment plan".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(uuid) + } + + async fn gen_metadata( + assessment_plan: &AssessmentPlan, + path: &String, + ) -> Result<()> { + let mut metadata_yaml = File::create(format!("{}/metadata.yaml", path)) + .with_context(|| { + format!( + "Could not create metadata block at this location: {}", + path + ) + })?; + + let metadata = + serde_yaml::to_string(&assessment_plan.assessment_plan.metadata)?; + + metadata_yaml + .write_all(metadata.as_bytes()) + .with_context(|| "Could not write to manifest".to_owned())?; + + Ok(()) + } + + pub(super) async fn read_metadata( + &self, + path: &PathBuf, + ) -> Result { + let file = File::open(path)?; + let reader = BufReader::new(file); + let metadata = serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseBlock( + "metadata".to_owned(), + "assessment plan".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(metadata) + } + + async fn gen_import_ssp( + assessment_plan: &AssessmentPlan, + path: &String, + ) -> Result<()> { + let mut import_ssp_yaml = + File::create(format!("{}/import_ssp.yaml", path)).with_context( + || { + format!( + "Could not create import_ssp block at this location: {}", + path + ) + }, + )?; + + let import_ssp = + serde_yaml::to_string(&assessment_plan.assessment_plan.import_ssp)?; + + import_ssp_yaml + .write_all(import_ssp.as_bytes()) + .with_context(|| "Could not write to manifest".to_owned())?; + + Ok(()) + } + + pub(super) async fn read_import_ssp( + &self, + path: &PathBuf, + ) -> Result + { + let file = File::open(path)?; + let reader = BufReader::new(file); + let import_ssp = serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseBlock( + "import_ssp".to_owned(), + "assessment plan".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(import_ssp) + } + + async fn gen_local_definitions( + assessment_plan: &AssessmentPlan, + path: &String, + ) -> Result<()> { + let mut local_definitions_yaml = + File::create(format!("{}/local_definitions.yaml", path)) + .with_context(|| { + format!( + "Could not create local_definitions block at this location: {}", + path + ) + })?; + + if assessment_plan.assessment_plan.local_definitions.is_some() { + let local_definitions = serde_yaml::to_string( + &assessment_plan.assessment_plan.local_definitions, + )?; + + local_definitions_yaml + .write_all(local_definitions.as_bytes()) + .with_context(|| "Could not write to manifest".to_owned())?; + } + + Ok(()) + } + + pub(super) async fn read_local_definitions( + &self, + path: &PathBuf, + ) -> Result { + let file = File::open(path)?; + let reader = BufReader::new(file); + let local_definitions = + serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseBlock( + "local_definition".to_owned(), + "assessment plan".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(local_definitions) + } + + async fn gen_terms_and_conditions( + assessment_plan: &AssessmentPlan, + path: &String, + ) -> Result<()> { + let mut terms_and_conditions_yaml = + File::create(format!("{}/terms_and_conditions.yaml", path)) + .with_context(|| { + format!( + "Could not create terms_and_conditions block at this location: {}", + path + ) + })?; + + if assessment_plan + .assessment_plan + .terms_and_conditions + .is_some() + { + let terms_and_conditions = serde_yaml::to_string( + &assessment_plan.assessment_plan.terms_and_conditions, + )?; + + terms_and_conditions_yaml + .write_all(terms_and_conditions.as_bytes()) + .with_context(|| "Could not write to manifest".to_owned())?; + } + + Ok(()) + } + + pub(super) async fn read_terms_and_conditions( + &self, + path: &PathBuf, + ) -> Result< + roscal_lib::assessment::assessment_plan::AssessmentPlanTermsAndConditions, + >{ + let file = File::open(path)?; + let reader = BufReader::new(file); + let terms_and_conditions = + serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseBlock( + "terms_and_conditions".to_owned(), + "assessment plan".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(terms_and_conditions) + } + + async fn gen_reviewed_controls( + assessment_plan: &AssessmentPlan, + path: &String, + ) -> Result<()> { + let mut reviewed_controls_yaml = + File::create(format!("{}/reviewed_controls.yaml", path)) + .with_context(|| { + format!( + "Could not create reviewed_controls block at this location: {}", + path + ) + })?; + + let reviewed_controls = serde_yaml::to_string( + &assessment_plan.assessment_plan.reviewed_controls, + )?; + + reviewed_controls_yaml + .write_all(reviewed_controls.as_bytes()) + .with_context(|| "Could not write to manifest".to_owned())?; + + Ok(()) + } + + pub(super) async fn read_reviewed_controls(&self, path: &PathBuf) -> Result{ + let file = File::open(path)?; + let reader = BufReader::new(file); + let reviewed_controls = + serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseBlock( + "reviewed_controls".to_owned(), + "assessment plan".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(reviewed_controls) + } + + async fn gen_assessment_subjects( + assessment_plan: &AssessmentPlan, + path: &String, + ) -> Result<()> { + let mut assessment_subjects_yaml = + File::create(format!("{}/assessment_subjects.yaml", path)) + .with_context(|| { + format!( + "Could not create assessment_subjects block at this location: {}", + path + ) + })?; + + if assessment_plan + .assessment_plan + .assessment_subjects + .is_some() + { + let assessment_subjects = serde_yaml::to_string( + &assessment_plan.assessment_plan.assessment_subjects, + )?; + + assessment_subjects_yaml + .write_all(assessment_subjects.as_bytes()) + .with_context(|| "Could not write to manifest".to_owned())?; + } + + Ok(()) + } + + pub(super) async fn read_assessment_subjects( + &self, + path: &PathBuf, + ) -> Result> + { + let file = File::open(path)?; + let reader = BufReader::new(file); + let assessment_subjects = + serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseBlock( + "assessment_subjects".to_owned(), + "assessment plan".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(assessment_subjects) + } + + async fn gen_assessment_assets( + assessment_plan: &AssessmentPlan, + path: &String, + ) -> Result<()> { + let mut assessment_assets_yaml = + File::create(format!("{}/assessment_assets.yaml", path)) + .with_context(|| { + format!( + "Could not create assessment_assets block at this location: {}", + path + ) + })?; + + if assessment_plan.assessment_plan.assessment_assets.is_some() { + let assessment_assets = serde_yaml::to_string( + &assessment_plan.assessment_plan.assessment_assets, + )?; + + assessment_assets_yaml + .write_all(assessment_assets.as_bytes()) + .with_context(|| "Could not write to manifest".to_owned())?; + } + + Ok(()) + } + + pub(super) async fn read_assessment_assets( + &self, + path: &PathBuf, + ) -> Result { + let file = File::open(path)?; + let reader = BufReader::new(file); + let assessment_assets = + serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseBlock( + "assessment_assets".to_owned(), + "assessment plan".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(assessment_assets) + } + + async fn gen_tasks( + assessment_plan: &AssessmentPlan, + path: &String, + ) -> Result<()> { + let mut tasks_yaml = File::create(format!("{}/tasks.yaml", path)) + .with_context(|| { + format!( + "Could not create tasks block at this location: {}", + path + ) + })?; + + if assessment_plan.assessment_plan.tasks.is_some() { + let tasks = + serde_yaml::to_string(&assessment_plan.assessment_plan.tasks)?; + + tasks_yaml + .write_all(tasks.as_bytes()) + .with_context(|| "Could not write to manifest".to_owned())?; + } + + Ok(()) + } + + pub(super) async fn read_tasks( + &self, + path: &PathBuf, + ) -> Result> { + let file = File::open(path)?; + let reader = BufReader::new(file); + let tasks = serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseBlock( + "tasks".to_owned(), + "assessment plan".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(tasks) + } + + async fn gen_back_matter( + assessment_plan: &AssessmentPlan, + path: &String, + ) -> Result<()> { + let mut back_matter_yaml = + File::create(format!("{}/back_matter.yaml", path)).with_context( + || { + format!( + "Could not create back_matter block at this location: {}", + path + ) + }, + )?; + + if assessment_plan.assessment_plan.back_matter.is_some() { + let back_matter = serde_yaml::to_string( + &assessment_plan.assessment_plan.back_matter, + )?; + + back_matter_yaml + .write_all(back_matter.as_bytes()) + .with_context(|| "Could not write to manifest".to_owned())?; + } + + Ok(()) + } + + pub(super) async fn read_back_matter( + &self, + path: &PathBuf, + ) -> Result { + let file = File::open(path)?; + let reader = BufReader::new(file); + let back_matter = serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseBlock( + "back_matter".to_owned(), + "assessment plan".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(back_matter) + } + + pub async fn gen_files( + assessment_plan: AssessmentPlan, + ctx: &DissectCtx, + ) -> Result<()> { + let modifiable = &ctx.modifiable; + + for i in &ctx.blocks { + let block = Self::from_str(i).with_context(|| { + "Could not determine the provided Assessment Plan block" + .to_string() + })?; + + match block { + Self::All => { + Self::gen_uuid(&assessment_plan, modifiable).await?; + Self::gen_metadata(&assessment_plan, modifiable).await?; + Self::gen_import_ssp(&assessment_plan, modifiable).await?; + Self::gen_local_definitions(&assessment_plan, modifiable) + .await?; + Self::gen_terms_and_conditions( + &assessment_plan, + modifiable, + ) + .await?; + Self::gen_reviewed_controls(&assessment_plan, modifiable) + .await?; + Self::gen_assessment_subjects(&assessment_plan, modifiable) + .await?; + Self::gen_assessment_assets(&assessment_plan, modifiable) + .await?; + Self::gen_tasks(&assessment_plan, modifiable).await?; + Self::gen_back_matter(&assessment_plan, modifiable).await?; + } + Self::Uuid => { + Self::gen_uuid(&assessment_plan, modifiable).await? + } + Self::Metadata => { + Self::gen_metadata(&assessment_plan, modifiable).await? + } + Self::ImportSsp => { + Self::gen_import_ssp(&assessment_plan, modifiable).await? + } + Self::LocalDefinitions => { + Self::gen_local_definitions(&assessment_plan, modifiable) + .await? + } + Self::TermsAndConditions => { + Self::gen_terms_and_conditions(&assessment_plan, modifiable) + .await? + } + Self::ReviewedControls => { + Self::gen_reviewed_controls(&assessment_plan, modifiable) + .await? + } + Self::AssessmentSubjects => { + Self::gen_assessment_subjects(&assessment_plan, modifiable) + .await? + } + Self::AssessmentAssets => { + Self::gen_assessment_assets(&assessment_plan, modifiable) + .await? + } + Self::Tasks => { + Self::gen_tasks(&assessment_plan, modifiable).await? + } + Self::BackMatter => { + Self::gen_back_matter(&assessment_plan, modifiable).await? + } + } + } + + Ok(()) + } +} + +#[non_exhaustive] +#[derive(Debug, Clone, PartialEq, EnumString, Display)] +pub(super) enum AssessmentResultsBlock { + #[strum(serialize = "all")] + All, + #[strum(serialize = "uuid")] + Uuid, + #[strum(serialize = "metadata")] + Metadata, + #[strum(serialize = "import_ap")] + ImportAp, + #[strum(serialize = "local_definitions")] + LocalDefinitions, + #[strum(serialize = "results")] + Results, + #[strum(serialize = "back_matter")] + BackMatter, +} + +impl AssessmentResultsBlock { + async fn gen_uuid( + assessment_results: &AssessmentResults, + path: &String, + ) -> Result<()> { + let mut uuid_yaml = File::create(format!("{}/uuid.yaml", path)) + .with_context(|| { + format!( + "Could not create uuid block at this location: {}", + path + ) + })?; + + let uuid = + serde_yaml::to_string(&assessment_results.assessment_results.uuid)?; + + uuid_yaml + .write_all(uuid.as_bytes()) + .with_context(|| "Could not write to manifest".to_owned())?; + + Ok(()) + } + + pub(super) async fn read_uuid(&self, path: &PathBuf) -> Result { + let file = File::open(path)?; + let reader = BufReader::new(file); + let uuid = serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseBlock( + "uuid".to_owned(), + "assessment results".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(uuid) + } + + async fn gen_metadata( + assessment_results: &AssessmentResults, + path: &String, + ) -> Result<()> { + let mut metadata_yaml = File::create(format!("{}/metadata.yaml", path)) + .with_context(|| { + format!( + "Could not create metadata block at this location: {}", + path + ) + })?; + + let metadata = serde_yaml::to_string( + &assessment_results.assessment_results.metadata, + )?; + + metadata_yaml + .write_all(metadata.as_bytes()) + .with_context(|| "Could not write to manifest".to_owned())?; + + Ok(()) + } + + pub(super) async fn read_metadata( + &self, + path: &PathBuf, + ) -> Result + { + let file = File::open(path)?; + let reader = BufReader::new(file); + let metadata = serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseBlock( + "metadata".to_owned(), + "assessment results".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(metadata) + } + + async fn gen_import_ap( + assessment_results: &AssessmentResults, + path: &String, + ) -> Result<()> { + let mut import_ap_yaml = + File::create(format!("{}/import_ap.yaml", path)).with_context( + || { + format!( + "Could not create import_ap block at this location: {}", + path + ) + }, + )?; + + let import_ap = serde_yaml::to_string( + &assessment_results.assessment_results.import_ap, + )?; + + import_ap_yaml + .write_all(import_ap.as_bytes()) + .with_context(|| "Could not write to manifest".to_owned())?; + + Ok(()) + } + + pub(super) async fn read_import_ap( + &self, + path: &PathBuf, + ) -> Result + { + let file = File::open(path)?; + let reader = BufReader::new(file); + let import_ap = serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseBlock( + "import_ap".to_owned(), + "assessment results".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(import_ap) + } + + async fn gen_local_definitions( + assessment_results: &AssessmentResults, + path: &String, + ) -> Result<()> { + let mut local_definitions_yaml = + File::create(format!("{}/local_definitions.yaml", path)) + .with_context(|| { + format!( + "Could not create local_definitions block at this location: {}", + path + ) + })?; + + if assessment_results + .assessment_results + .local_definitions + .is_some() + { + let local_definitions = serde_yaml::to_string( + &assessment_results.assessment_results.local_definitions, + )?; + + local_definitions_yaml + .write_all(local_definitions.as_bytes()) + .with_context(|| "Could not write to manifest".to_owned())?; + } + + Ok(()) + } + + pub(super) async fn read_local_definitions(&self, path: &PathBuf) -> Result{ + let file = File::open(path)?; + let reader = BufReader::new(file); + let local_definitions = + serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseBlock( + "local_definition".to_owned(), + "assessment results".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(local_definitions) + } + + async fn gen_results( + assessment_results: &AssessmentResults, + path: &String, + ) -> Result<()> { + let mut results_yaml = File::create(format!("{}/results.yaml", path)) + .with_context(|| { + format!("Could not create results block at this location: {}", path) + })?; + + let results = serde_yaml::to_string( + &assessment_results.assessment_results.results, + )?; + + results_yaml + .write_all(results.as_bytes()) + .with_context(|| "Could not write to manifest".to_owned())?; + + Ok(()) + } + + pub(super) async fn read_results( + &self, + path: &PathBuf, + ) -> Result> + { + let file = File::open(path)?; + let reader = BufReader::new(file); + let results = serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseBlock( + "results".to_owned(), + "assessment results".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(results) + } + + async fn gen_back_matter( + assessment_results: &AssessmentResults, + path: &String, + ) -> Result<()> { + let mut back_matter_yaml = + File::create(format!("{}/back_matter.yaml", path)).with_context( + || { + format!( + "Could not create back_matter block at this location: {}", + path + ) + }, + )?; + + if assessment_results.assessment_results.back_matter.is_some() { + let back_matter = serde_yaml::to_string( + &assessment_results.assessment_results.back_matter, + )?; + + back_matter_yaml + .write_all(back_matter.as_bytes()) + .with_context(|| "Could not write to manifest".to_owned())?; + } + + Ok(()) + } + + pub(super) async fn read_back_matter( + &self, + path: &PathBuf, + ) -> Result { + let file = File::open(path)?; + let reader = BufReader::new(file); + let back_matter = serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseBlock( + "back_matter".to_owned(), + "assessment results".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(back_matter) + } + + pub async fn gen_files( + assessment_results: AssessmentResults, + ctx: &DissectCtx, + ) -> Result<()> { + let modifiable = &ctx.modifiable; + + for i in &ctx.blocks { + let block = Self::from_str(i).with_context(|| { + "Could not determine the provided Assessment Result block" + .to_string() + })?; + + match block { + Self::All => { + Self::gen_uuid(&assessment_results, modifiable).await?; + Self::gen_metadata(&assessment_results, modifiable).await?; + Self::gen_import_ap(&assessment_results, modifiable) + .await?; + Self::gen_local_definitions( + &assessment_results, + modifiable, + ) + .await?; + Self::gen_results(&assessment_results, modifiable).await?; + Self::gen_back_matter(&assessment_results, modifiable) + .await?; + } + Self::Uuid => { + Self::gen_uuid(&assessment_results, modifiable).await? + } + Self::Metadata => { + Self::gen_metadata(&assessment_results, modifiable).await? + } + Self::ImportAp => { + Self::gen_import_ap(&assessment_results, modifiable).await? + } + Self::LocalDefinitions => { + Self::gen_local_definitions(&assessment_results, modifiable) + .await? + } + Self::Results => { + Self::gen_results(&assessment_results, modifiable).await? + } + Self::BackMatter => { + Self::gen_back_matter(&assessment_results, modifiable) + .await? + } + } + } + + Ok(()) + } +} + +#[non_exhaustive] +#[derive(Debug, Clone, PartialEq, EnumString, Display)] +pub(super) enum PoamBlock { + #[strum(serialize = "all")] + All, + #[strum(serialize = "uuid")] + Uuid, + #[strum(serialize = "metadata")] + Metadata, + #[strum(serialize = "import_ssp")] + ImportSsp, + #[strum(serialize = "system_id")] + SystemId, + #[strum(serialize = "local_definitions")] + LocalDefinitions, + #[strum(serialize = "observations")] + Observations, + #[strum(serialize = "risks")] + Risks, + #[strum(serialize = "findings")] + Findings, + #[strum(serialize = "poam_items")] + PoamItems, + #[strum(serialize = "back_matter")] + BackMatter, +} + +impl PoamBlock { + async fn gen_uuid( + poam: &PlanOfActionAndMilestones, + path: &String, + ) -> Result<()> { + let mut uuid_yaml = File::create(format!("{}/uuid.yaml", path)) + .with_context(|| { + format!( + "Could not create uuid block at this location: {}", + path + ) + })?; + + let uuid = + serde_yaml::to_string(&poam.plan_of_action_and_milestones.uuid)?; + + uuid_yaml + .write_all(uuid.as_bytes()) + .with_context(|| "Could not write to manifest".to_owned())?; + + Ok(()) + } + + pub(super) async fn read_uuid(&self, path: &PathBuf) -> Result { + let file = File::open(path)?; + let reader = BufReader::new(file); + let uuid = serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseBlock( + "uuid".to_owned(), + "poam".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(uuid) + } + + async fn gen_metadata( + poam: &PlanOfActionAndMilestones, + path: &String, + ) -> Result<()> { + let mut metadata_yaml = File::create(format!("{}/metadata.yaml", path)) + .with_context(|| { + format!( + "Could not create metadata block at this location: {}", + path + ) + })?; + + let metadata = serde_yaml::to_string( + &poam.plan_of_action_and_milestones.metadata, + )?; + + metadata_yaml + .write_all(metadata.as_bytes()) + .with_context(|| "Could not write to manifest".to_owned())?; + + Ok(()) + } + + pub(super) async fn read_metadata( + &self, + path: &PathBuf, + ) -> Result { + let file = File::open(path)?; + let reader = BufReader::new(file); + let metadata = serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseBlock( + "metadata".to_owned(), + "poam".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(metadata) + } + + async fn gen_import_ssp( + poam: &PlanOfActionAndMilestones, + path: &String, + ) -> Result<()> { + let mut import_ssp_yaml = + File::create(format!("{}/import_ssp.yaml", path)).with_context( + || { + format!( + "Could not create import_ssp block at this location: {}", + path + ) + }, + )?; + + if poam.plan_of_action_and_milestones.import_ssp.is_some() { + let import_ssp = serde_yaml::to_string( + &poam.plan_of_action_and_milestones.import_ssp, + )?; + + import_ssp_yaml + .write_all(import_ssp.as_bytes()) + .with_context(|| "Could not write to manifest".to_owned())?; + } + + Ok(()) + } + + pub(super) async fn read_import_ssp( + &self, + path: &PathBuf, + ) -> Result { + let file = File::open(path)?; + let reader = BufReader::new(file); + let import_ssp = serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseBlock( + "import_ssp".to_owned(), + "poam".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(import_ssp) + } + + async fn gen_system_id( + poam: &PlanOfActionAndMilestones, + path: &String, + ) -> Result<()> { + let mut system_id_yaml = + File::create(format!("{}/system_id.yaml", path)).with_context( + || { + format!( + "Could not create system_id block at this location: {}", + path + ) + }, + )?; + + if poam.plan_of_action_and_milestones.system_id.is_some() { + let system_id = serde_yaml::to_string( + &poam.plan_of_action_and_milestones.system_id, + )?; + + system_id_yaml + .write_all(system_id.as_bytes()) + .with_context(|| "Could not write to manifest".to_owned())?; + } + + Ok(()) + } + + pub(super) async fn read_system_id( + &self, + path: &PathBuf, + ) -> Result { + let file = File::open(path)?; + let reader = BufReader::new(file); + let system_id = serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseBlock( + "system_id".to_owned(), + "poam".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(system_id) + } + + async fn gen_system_local_definitions( + poam: &PlanOfActionAndMilestones, + path: &String, + ) -> Result<()> { + let mut local_definitions_yaml = + File::create(format!("{}/local_definitions.yaml", path)) + .with_context(|| { + format!( + "Could not create local_definitions block at this location: {}", + path + ) + })?; + + if poam + .plan_of_action_and_milestones + .local_definitions + .is_some() + { + let local_definitions = serde_yaml::to_string( + &poam.plan_of_action_and_milestones.local_definitions, + )?; + + local_definitions_yaml + .write_all(local_definitions.as_bytes()) + .with_context(|| "Could not write to manifest".to_owned())?; + } + + Ok(()) + } + + pub(super) async fn read_system_local_definitions( + &self, + path: &PathBuf, + ) -> Result { + let file = File::open(path)?; + let reader = BufReader::new(file); + let system_local_definitions = serde_yaml::from_reader(reader) + .map_err(|e| { + CliError::ParseBlock( + "system_local_definition".to_owned(), + "poam".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(system_local_definitions) + } + + async fn gen_observations( + poam: &PlanOfActionAndMilestones, + path: &String, + ) -> Result<()> { + let mut observations_yaml = + File::create(format!("{}/observations.yaml", path)).with_context( + || { + format!( + "Could not create observations block at this location: {}", + path + ) + }, + )?; + + if poam.plan_of_action_and_milestones.observations.is_some() { + let observations = serde_yaml::to_string( + &poam.plan_of_action_and_milestones.observations, + )?; + + observations_yaml + .write_all(observations.as_bytes()) + .with_context(|| "Could not write to manifest".to_owned())?; + } + + Ok(()) + } + + pub(super) async fn read_observations( + &self, + path: &PathBuf, + ) -> Result> { + let file = File::open(path)?; + let reader = BufReader::new(file); + let observations = serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseBlock( + "observation".to_owned(), + "poam".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(observations) + } + + async fn gen_risks( + poam: &PlanOfActionAndMilestones, + path: &String, + ) -> Result<()> { + let mut risks_yaml = File::create(format!("{}/risks.yaml", path)) + .with_context(|| { + format!( + "Could not create risks block at this location: {}", + path + ) + })?; + + if poam.plan_of_action_and_milestones.risks.is_some() { + let risks = serde_yaml::to_string( + &poam.plan_of_action_and_milestones.risks, + )?; + + risks_yaml + .write_all(risks.as_bytes()) + .with_context(|| "Could not write to manifest".to_owned())?; + } + + Ok(()) + } + + pub(super) async fn read_risks( + &self, + path: &PathBuf, + ) -> Result> { + let file = File::open(path)?; + let reader = BufReader::new(file); + let risks = serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseBlock( + "risks".to_owned(), + "poam".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(risks) + } + + async fn gen_findings( + poam: &PlanOfActionAndMilestones, + path: &String, + ) -> Result<()> { + let mut findings_yaml = File::create(format!("{}/findings.yaml", path)) + .with_context(|| { + format!( + "Could not create findings block at this location: {}", + path + ) + })?; + + if poam.plan_of_action_and_milestones.findings.is_some() { + let findings = serde_yaml::to_string( + &poam.plan_of_action_and_milestones.findings, + )?; + + findings_yaml + .write_all(findings.as_bytes()) + .with_context(|| "Could not write to manifest".to_owned())?; + } + + Ok(()) + } + + pub(super) async fn read_findings( + &self, + path: &PathBuf, + ) -> Result> { + let file = File::open(path)?; + let reader = BufReader::new(file); + let findings = serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseBlock( + "findings".to_owned(), + "poam".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(findings) + } + + async fn gen_poam_items( + poam: &PlanOfActionAndMilestones, + path: &String, + ) -> Result<()> { + let mut poam_items_yaml = + File::create(format!("{}/poam_items.yaml", path)).with_context( + || { + format!( + "Could not create poam_items block at this location: {}", + path + ) + }, + )?; + + let poam_items = serde_yaml::to_string( + &poam.plan_of_action_and_milestones.poam_items, + )?; + + poam_items_yaml + .write_all(poam_items.as_bytes()) + .with_context(|| "Could not write to manifest".to_owned())?; + + Ok(()) + } + + pub(super) async fn read_poam_items( + &self, + path: &PathBuf, + ) -> Result> { + let file = File::open(path)?; + let reader = BufReader::new(file); + let poam_items = serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseBlock( + "poam_item".to_owned(), + "poam".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(poam_items) + } + + async fn gen_back_matter( + poam: &PlanOfActionAndMilestones, + path: &String, + ) -> Result<()> { + let mut back_matter_yaml = + File::create(format!("{}/back_matter.yaml", path)).with_context( + || { + format!( + "Could not create back_matter block at this location: {}", + path + ) + }, + )?; + + if poam.plan_of_action_and_milestones.back_matter.is_some() { + let back_matter = serde_yaml::to_string( + &poam.plan_of_action_and_milestones.back_matter, + )?; + + back_matter_yaml + .write_all(back_matter.as_bytes()) + .with_context(|| "Could not write to manifest".to_owned())?; + } + + Ok(()) + } + + pub(super) async fn read_back_matter( + &self, + path: &PathBuf, + ) -> Result { + let file = File::open(path)?; + let reader = BufReader::new(file); + let back_matter = serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseBlock( + "back_matter".to_owned(), + "poam".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(back_matter) + } + + pub async fn gen_files( + poam: PlanOfActionAndMilestones, + ctx: &DissectCtx, + ) -> Result<()> { + let modifiable = &ctx.modifiable; + + for i in &ctx.blocks { + let block = Self::from_str(i).with_context(|| { + "Could not determine the provided Poam block".to_string() + })?; + + match block { + Self::All => { + Self::gen_uuid(&poam, modifiable).await?; + Self::gen_metadata(&poam, modifiable).await?; + Self::gen_import_ssp(&poam, modifiable).await?; + Self::gen_system_id(&poam, modifiable).await?; + Self::gen_system_local_definitions(&poam, modifiable) + .await?; + Self::gen_observations(&poam, modifiable).await?; + Self::gen_risks(&poam, modifiable).await?; + Self::gen_findings(&poam, modifiable).await?; + Self::gen_poam_items(&poam, modifiable).await?; + Self::gen_back_matter(&poam, modifiable).await?; + } + Self::Uuid => Self::gen_uuid(&poam, modifiable).await?, + Self::Metadata => Self::gen_metadata(&poam, modifiable).await?, + Self::ImportSsp => { + Self::gen_import_ssp(&poam, modifiable).await? + } + Self::SystemId => { + Self::gen_system_id(&poam, modifiable).await? + } + Self::LocalDefinitions => { + Self::gen_system_local_definitions(&poam, modifiable) + .await? + } + Self::Observations => { + Self::gen_observations(&poam, modifiable).await? + } + Self::Risks => Self::gen_risks(&poam, modifiable).await?, + Self::Findings => Self::gen_findings(&poam, modifiable).await?, + Self::PoamItems => { + Self::gen_poam_items(&poam, modifiable).await? + } + Self::BackMatter => { + Self::gen_back_matter(&poam, modifiable).await? + } + } + } + + Ok(()) + } +} + +#[non_exhaustive] +#[derive(Debug, Clone, PartialEq, EnumString, Display)] +pub(super) enum CatalogBlock { + #[strum(serialize = "all")] + All, + #[strum(serialize = "uuid")] + Uuid, + #[strum(serialize = "metadata")] + Metadata, + #[strum(serialize = "params")] + Params, + #[strum(serialize = "controls")] + Controls, + #[strum(serialize = "groups")] + Groups, + #[strum(serialize = "back_matter")] + BackMatter, +} + +impl CatalogBlock { + async fn gen_uuid(catalog: &Catalog, path: &String) -> Result<()> { + let mut uuid_yaml = File::create(format!("{}/uuid.yaml", path)) + .with_context(|| { + format!( + "Could not create uuid block at this location: {}", + path + ) + })?; + + let uuid = serde_yaml::to_string(&catalog.catalog.uuid)?; + + uuid_yaml + .write_all(uuid.as_bytes()) + .with_context(|| "Could not write to manifest".to_owned())?; + + Ok(()) + } + + pub(super) async fn read_uuid(&self, path: &PathBuf) -> Result { + let file = File::open(path)?; + let reader = BufReader::new(file); + let uuid = serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseBlock( + "uuid".to_owned(), + "catalog".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(uuid) + } + + async fn gen_metadata(catalog: &Catalog, path: &String) -> Result<()> { + let mut metadata_yaml = File::create(format!("{}/metadata.yaml", path)) + .with_context(|| { + format!( + "Could not create metadata block at this location: {}", + path + ) + })?; + + let metadata = serde_yaml::to_string(&catalog.catalog.metadata)?; + + metadata_yaml + .write_all(metadata.as_bytes()) + .with_context(|| "Could not write to manifest".to_owned())?; + + Ok(()) + } + + pub(super) async fn read_metadata( + &self, + path: &PathBuf, + ) -> Result { + let file = File::open(path)?; + let reader = BufReader::new(file); + let metadata = serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseBlock( + "metadata".to_owned(), + "catalog".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(metadata) + } + + async fn gen_params(catalog: &Catalog, path: &String) -> Result<()> { + let mut params_yaml = File::create(format!("{}/params.yaml", path)) + .with_context(|| { + format!( + "Could not create params block at this location: {}", + path + ) + })?; + + if catalog.catalog.params.is_some() { + let params = serde_yaml::to_string(&catalog.catalog.params)?; + + params_yaml + .write_all(params.as_bytes()) + .with_context(|| "Could not write to manifest".to_owned())?; + } + + Ok(()) + } + + pub(super) async fn read_params( + &self, + path: &PathBuf, + ) -> Result> { + let file = File::open(path)?; + let reader = BufReader::new(file); + let params = serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseBlock( + "params".to_owned(), + "catalog".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(params) + } + + async fn gen_controls(catalog: &Catalog, path: &String) -> Result<()> { + let mut controls_yaml = File::create(format!("{}/controls.yaml", path)) + .with_context(|| { + format!( + "Could not create controls block at this location: {}", + path + ) + })?; + + if catalog.catalog.controls.is_some() { + let controls = serde_yaml::to_string(&catalog.catalog.controls)?; + + controls_yaml + .write_all(controls.as_bytes()) + .with_context(|| "Could not write to manifest".to_owned())?; + } + + Ok(()) + } + + pub(super) async fn read_controls( + &self, + path: &PathBuf, + ) -> Result> { + let file = File::open(path)?; + let reader = BufReader::new(file); + let controls = serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseBlock( + "controls".to_owned(), + "catalog".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + println!("{:?}", controls); + Ok(controls) + } + + async fn gen_groups(catalog: &Catalog, path: &String) -> Result<()> { + let mut groups_yaml = File::create(format!("{}/groups.yaml", path)) + .with_context(|| { + format!( + "Could not create groups block at this location: {}", + path + ) + })?; + + if catalog.catalog.groups.is_some() { + let groups = serde_yaml::to_string(&catalog.catalog.groups)?; + + groups_yaml + .write_all(groups.as_bytes()) + .with_context(|| "Could not write to manifest".to_owned())?; + } + + Ok(()) + } + + pub(super) async fn read_groups( + &self, + path: &PathBuf, + ) -> Result> { + let file = File::open(path)?; + let reader = BufReader::new(file); + let groups = serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseBlock( + "groups".to_owned(), + "catalog".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(groups) + } + + async fn gen_back_matter(catalog: &Catalog, path: &String) -> Result<()> { + let mut back_matter_yaml = + File::create(format!("{}/back_matter.yaml", path)).with_context( + || { + format!( + "Could not create back_matter block at this location: {}", + path + ) + }, + )?; + + if catalog.catalog.back_matter.is_some() { + let back_matter = + serde_yaml::to_string(&catalog.catalog.back_matter) + .with_context(|| { + "Could not convert to YAML file".to_owned() + })?; + + back_matter_yaml + .write_all(back_matter.as_bytes()) + .with_context(|| "Could not write to manifest".to_owned())?; + } + + Ok(()) + } + + pub(super) async fn read_back_matter( + &self, + path: &PathBuf, + ) -> Result { + let file = File::open(path)?; + let reader = BufReader::new(file); + let back_matter = serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseBlock( + "back_matter".to_owned(), + "catalog".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(back_matter) + } + + pub async fn gen_files(catalog: Catalog, ctx: &DissectCtx) -> Result<()> { + let modifiable = &ctx.modifiable; + + for i in &ctx.blocks { + let block = Self::from_str(i).with_context(|| { + "Could not determine the provided Catalog block".to_string() + })?; + + match block { + Self::All => { + Self::gen_uuid(&catalog, modifiable).await?; + Self::gen_metadata(&catalog, modifiable).await?; + Self::gen_params(&catalog, modifiable).await?; + Self::gen_controls(&catalog, modifiable).await?; + Self::gen_groups(&catalog, modifiable).await?; + Self::gen_back_matter(&catalog, modifiable).await?; + } + Self::Uuid => Self::gen_uuid(&catalog, modifiable).await?, + Self::Metadata => { + Self::gen_metadata(&catalog, modifiable).await? + } + Self::Params => Self::gen_params(&catalog, modifiable).await?, + Self::Controls => { + Self::gen_controls(&catalog, modifiable).await? + } + Self::Groups => Self::gen_groups(&catalog, modifiable).await?, + Self::BackMatter => { + Self::gen_back_matter(&catalog, modifiable).await? + } + } + } + + Ok(()) + } +} + +#[non_exhaustive] +#[derive(Debug, Clone, PartialEq, EnumString, Display)] +pub(super) enum ProfileBlock { + #[strum(serialize = "all")] + All, + #[strum(serialize = "uuid")] + Uuid, + #[strum(serialize = "metadata")] + Metadata, + #[strum(serialize = "imports")] + Imports, + #[strum(serialize = "merge")] + Merge, + #[strum(serialize = "modify")] + Modify, + #[strum(serialize = "back_matter")] + BackMatter, +} + +impl ProfileBlock { + async fn gen_uuid(profile: &Profile, path: &String) -> Result<()> { + let mut uuid_yaml = File::create(format!("{}/uuid.yaml", path)) + .with_context(|| { + format!( + "Could not create uuid block at this location: {}", + path + ) + })?; + + let uuid = serde_yaml::to_string(&profile.profile.uuid)?; + + uuid_yaml + .write_all(uuid.as_bytes()) + .with_context(|| "Could not write to manifest".to_owned())?; + + Ok(()) + } + + pub(super) async fn read_uuid(&self, path: &PathBuf) -> Result { + let file = File::open(path)?; + let reader = BufReader::new(file); + let uuid = serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseBlock( + "uuid".to_owned(), + "profile".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(uuid) + } + + async fn gen_metadata(profile: &Profile, path: &String) -> Result<()> { + let mut metadata_yaml = File::create(format!("{}/metadata.yaml", path)) + .with_context(|| { + format!( + "Could not create metadata block at this location: {}", + path + ) + })?; + + let metadata = serde_yaml::to_string(&profile.profile.metadata)?; + + metadata_yaml + .write_all(metadata.as_bytes()) + .with_context(|| "Could not write to manifest".to_owned())?; + + Ok(()) + } + + pub(super) async fn read_metadata( + &self, + path: &PathBuf, + ) -> Result { + let file = File::open(path)?; + let reader = BufReader::new(file); + let metadata = serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseBlock( + "uuid".to_owned(), + "metadata".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(metadata) + } + + async fn gen_imports(profile: &Profile, path: &String) -> Result<()> { + let mut imports_yaml = File::create(format!("{}/imports.yaml", path)) + .with_context(|| { + format!("Could not create imports block at this location: {}", path) + })?; + + let imports = serde_yaml::to_string(&profile.profile.imports)?; + + imports_yaml + .write_all(imports.as_bytes()) + .with_context(|| "Could not write to manifest".to_owned())?; + + Ok(()) + } + + pub(super) async fn read_imports( + &self, + path: &PathBuf, + ) -> Result> { + let file = File::open(path)?; + let reader = BufReader::new(file); + let imports = serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseBlock( + "imports".to_owned(), + "profile".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(imports) + } + + async fn gen_merge(profile: &Profile, path: &String) -> Result<()> { + let mut merge_yaml = File::create(format!("{}/merge.yaml", path)) + .with_context(|| { + format!( + "Could not create merge block at this location: {}", + path + ) + })?; + + if profile.profile.merge.is_some() { + let merge = serde_yaml::to_string(&profile.profile.merge)?; + + merge_yaml + .write_all(merge.as_bytes()) + .with_context(|| "Could not write to manifest".to_owned())?; + } + + Ok(()) + } + + pub(super) async fn read_merge( + &self, + path: &PathBuf, + ) -> Result { + let file = File::open(path)?; + let reader = BufReader::new(file); + let merge = serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseBlock( + "merge".to_owned(), + "profile".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(merge) + } + + async fn gen_modify(profile: &Profile, path: &String) -> Result<()> { + let mut modify_yaml = File::create(format!("{}/modify.yaml", path)) + .with_context(|| { + format!( + "Could not create modify block at this location: {}", + path + ) + })?; + + if profile.profile.modify.is_some() { + let modify = serde_yaml::to_string(&profile.profile.modify)?; + + modify_yaml + .write_all(modify.as_bytes()) + .with_context(|| "Could not write to manifest".to_owned())?; + } + + Ok(()) + } + + pub(super) async fn read_modify( + &self, + path: &PathBuf, + ) -> Result { + let file = File::open(path)?; + let reader = BufReader::new(file); + let modify = serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseBlock( + "modify".to_owned(), + "profile".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(modify) + } + + async fn gen_back_matter(profile: &Profile, path: &String) -> Result<()> { + let mut back_matter_yaml = + File::create(format!("{}/back_matter.yaml", path)).with_context( + || { + format!( + "Could not create back_matter block at this location: {}", + path + ) + }, + )?; + + if profile.profile.back_matter.is_some() { + let back_matter = + serde_yaml::to_string(&profile.profile.back_matter) + .with_context(|| { + "Could not convert to YAML file".to_owned() + })?; + + back_matter_yaml + .write_all(back_matter.as_bytes()) + .with_context(|| "Could not write to manifest".to_owned())?; + } + + Ok(()) + } + + pub(super) async fn read_back_matter( + &self, + path: &PathBuf, + ) -> Result { + let file = File::open(path)?; + let reader = BufReader::new(file); + let back_matter = serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseBlock( + "back_matter".to_owned(), + "profile".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(back_matter) + } + + pub async fn gen_files(profile: Profile, ctx: &DissectCtx) -> Result<()> { + let modifiable = &ctx.modifiable; + + for i in &ctx.blocks { + let block = Self::from_str(i).with_context(|| { + "Could not determine the provided Profile block".to_string() + })?; + + match block { + Self::All => { + Self::gen_uuid(&profile, modifiable).await?; + Self::gen_metadata(&profile, modifiable).await?; + Self::gen_imports(&profile, modifiable).await?; + Self::gen_merge(&profile, modifiable).await?; + Self::gen_modify(&profile, modifiable).await?; + Self::gen_back_matter(&profile, modifiable).await?; + } + Self::Uuid => Self::gen_uuid(&profile, modifiable).await?, + Self::Metadata => { + Self::gen_metadata(&profile, modifiable).await? + } + Self::Imports => { + Self::gen_imports(&profile, modifiable).await? + } + Self::Merge => Self::gen_merge(&profile, modifiable).await?, + Self::Modify => Self::gen_modify(&profile, modifiable).await?, + Self::BackMatter => { + Self::gen_back_matter(&profile, modifiable).await? + } + } + } + + Ok(()) + } +} + +#[non_exhaustive] +#[derive(Debug, Clone, PartialEq, EnumString, Display)] +pub(super) enum ComponentDefinitionBlock { + #[strum(serialize = "all")] + All, + #[strum(serialize = "uuid")] + Uuid, + #[strum(serialize = "metadata")] + Metadata, + #[strum(serialize = "import_component_definitions")] + ImportComponentDefinitions, + #[strum(serialize = "components")] + Components, + #[strum(serialize = "capabilities")] + Capabilities, + #[strum(serialize = "back_matter")] + BackMatter, +} + +impl ComponentDefinitionBlock { + async fn gen_uuid( + component_definition: &ComponentDefinition, + path: &String, + ) -> Result<()> { + let mut uuid_yaml = File::create(format!("{}/uuid.yaml", path)) + .with_context(|| { + format!( + "Could not create uuid block at this location: {}", + path + ) + })?; + + let uuid = serde_yaml::to_string( + &component_definition.component_definition.uuid, + )?; + + uuid_yaml + .write_all(uuid.as_bytes()) + .with_context(|| "Could not write to manifest".to_owned())?; + + Ok(()) + } + + pub(super) async fn read_uuid(&self, path: &PathBuf) -> Result { + let file = File::open(path)?; + let reader = BufReader::new(file); + let uuid = serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseBlock( + "uuid".to_owned(), + "component definition".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(uuid) + } + + async fn gen_metadata( + component_definition: &ComponentDefinition, + path: &String, + ) -> Result<()> { + let mut metadata_yaml = File::create(format!("{}/metadata.yaml", path)) + .with_context(|| { + format!( + "Could not create metadata block at this location: {}", + path + ) + })?; + + let metadata = serde_yaml::to_string( + &component_definition.component_definition.metadata, + )?; + + metadata_yaml + .write_all(metadata.as_bytes()) + .with_context(|| "Could not write to manifest".to_owned())?; + + Ok(()) + } + + pub(super) async fn read_metadata( + &self, + path: &PathBuf, + ) -> Result< + roscal_lib::implementation::component_definition::DocumentMetadata, + > { + let file = File::open(path)?; + let reader = BufReader::new(file); + let metadata = serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseBlock( + "metadata".to_owned(), + "component definition".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(metadata) + } + + async fn gen_import_component_definitions( + component_definition: &ComponentDefinition, + path: &String, + ) -> Result<()> { + let mut import_component_definitions_yaml = + File::create(format!("{}/import_component_definitions.yaml", path)) + .with_context(|| { + format!( + "Could not create import_component_definitions block at this location: {}", + path + ) + })?; + + if component_definition + .component_definition + .import_component_definitions + .is_some() + { + let import_component_definitions = serde_yaml::to_string( + &component_definition + .component_definition + .import_component_definitions, + )?; + + import_component_definitions_yaml + .write_all(import_component_definitions.as_bytes()) + .with_context(|| "Could not write to manifest".to_owned())?; + } + + Ok(()) + } + + pub(super) async fn read_import_component_definitions(&self, path: &PathBuf) -> Result>{ + let file = File::open(path)?; + let reader = BufReader::new(file); + let import_component_definitions = serde_yaml::from_reader(reader) + .map_err(|e| { + CliError::ParseBlock( + "import_component_definitions".to_owned(), + "component definition".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(import_component_definitions) + } + + async fn gen_components( + component_definition: &ComponentDefinition, + path: &String, + ) -> Result<()> { + let mut components_yaml = + File::create(format!("{}/components.yaml", path)).with_context( + || { + format!( + "Could not create components block at this location: {}", + path + ) + }, + )?; + + if component_definition + .component_definition + .components + .is_some() + { + let components = serde_yaml::to_string( + &component_definition.component_definition.components, + )?; + + components_yaml + .write_all(components.as_bytes()) + .with_context(|| "Could not write to manifest".to_owned())?; + } + + Ok(()) + } + + pub(super) async fn read_components( + &self, + path: &PathBuf, + ) -> Result> + { + let file = File::open(path)?; + let reader = BufReader::new(file); + let components = serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseBlock( + "component".to_owned(), + "component definition".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(components) + } + + async fn gen_capabilities( + component_definition: &ComponentDefinition, + path: &String, + ) -> Result<()> { + let mut capabilities_yaml = + File::create(format!("{}/capabilities.yaml", path)).with_context( + || { + format!( + "Could not create capabilities block at this location: {}", + path + ) + }, + )?; + + if component_definition + .component_definition + .capabilities + .is_some() + { + let capabilities = serde_yaml::to_string( + &component_definition.component_definition.capabilities, + )?; + + capabilities_yaml + .write_all(capabilities.as_bytes()) + .with_context(|| "Could not write to manifest".to_owned())?; + } + + Ok(()) + } + + pub(super) async fn read_capabilities( + &self, + path: &PathBuf, + ) -> Result> + { + let file = File::open(path)?; + let reader = BufReader::new(file); + let capabilities = serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseBlock( + "capabilities".to_owned(), + "component definition".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(capabilities) + } + + async fn gen_back_matter( + component_definition: &ComponentDefinition, + path: &String, + ) -> Result<()> { + let mut back_matter_yaml = + File::create(format!("{}/back_matter.yaml", path)).with_context( + || { + format!( + "Could not create back_matter block at this location: {}", + path + ) + }, + )?; + + if component_definition + .component_definition + .back_matter + .is_some() + { + let back_matter = serde_yaml::to_string( + &component_definition.component_definition.back_matter, + )?; + + back_matter_yaml + .write_all(back_matter.as_bytes()) + .with_context(|| "Could not write to manifest".to_owned())?; + } + + Ok(()) + } + + pub(super) async fn read_back_matter( + &self, + path: &PathBuf, + ) -> Result + { + let file = File::open(path)?; + let reader = BufReader::new(file); + let back_matter = serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseBlock( + "back_matter".to_owned(), + "component definition".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(back_matter) + } + + pub async fn gen_files( + component_definition: ComponentDefinition, + ctx: &DissectCtx, + ) -> Result<()> { + let modifiable = &ctx.modifiable; + + for i in &ctx.blocks { + let block = Self::from_str(i).with_context(|| { + "Could not determine the provided Component Definition block".to_string() + })?; + + match block { + Self::All => { + Self::gen_uuid(&component_definition, modifiable).await?; + Self::gen_metadata(&component_definition, modifiable) + .await?; + Self::gen_import_component_definitions( + &component_definition, + modifiable, + ) + .await?; + Self::gen_components(&component_definition, modifiable) + .await?; + Self::gen_components(&component_definition, modifiable) + .await?; + Self::gen_capabilities(&component_definition, modifiable) + .await?; + Self::gen_back_matter(&component_definition, modifiable) + .await?; + } + Self::Uuid => { + Self::gen_uuid(&component_definition, modifiable).await? + } + Self::Metadata => { + Self::gen_metadata(&component_definition, modifiable) + .await? + } + Self::ImportComponentDefinitions => { + Self::gen_import_component_definitions( + &component_definition, + modifiable, + ) + .await? + } + Self::Components => { + Self::gen_components(&component_definition, modifiable) + .await? + } + Self::Capabilities => { + Self::gen_capabilities(&component_definition, modifiable) + .await? + } + Self::BackMatter => { + Self::gen_back_matter(&component_definition, modifiable) + .await? + } + } + } + + Ok(()) + } +} + +#[non_exhaustive] +#[derive(Debug, Clone, PartialEq, EnumString, Display)] +pub(super) enum SspBlock { + #[strum(serialize = "all")] + All, + #[strum(serialize = "uuid")] + Uuid, + #[strum(serialize = "metadata")] + Metadata, + #[strum(serialize = "import_profile")] + ImportProfile, + #[strum(serialize = "system_characteristics")] + SystemCharacteristics, + #[strum(serialize = "system_implementation")] + SystemImplementation, + #[strum(serialize = "control_implementation")] + ControlImplementation, + #[strum(serialize = "back_matter")] + BackMatter, +} + +impl SspBlock { + async fn gen_uuid(ssp: &SystemSecurityPlan, path: &String) -> Result<()> { + let mut uuid_yaml = File::create(format!("{}/uuid.yaml", path)) + .with_context(|| { + format!( + "Could not create uuid block at this location: {}", + path + ) + })?; + + let uuid = serde_yaml::to_string(&ssp.system_security_plan.uuid)?; + + uuid_yaml + .write_all(uuid.as_bytes()) + .with_context(|| "Could not write to manifest".to_owned())?; + + Ok(()) + } + + pub(super) async fn read_uuid(&self, path: &PathBuf) -> Result { + let file = File::open(path)?; + let reader = BufReader::new(file); + let uuid = serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseBlock( + "uuid".to_owned(), + "ssp".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(uuid) + } + + async fn gen_metadata( + ssp: &SystemSecurityPlan, + path: &String, + ) -> Result<()> { + let mut metadata_yaml = File::create(format!("{}/metadata.yaml", path)) + .with_context(|| { + format!( + "Could not create metadata block at this location: {}", + path + ) + })?; + + let metadata = + serde_yaml::to_string(&ssp.system_security_plan.metadata)?; + + metadata_yaml + .write_all(metadata.as_bytes()) + .with_context(|| "Could not write to manifest".to_owned())?; + + Ok(()) + } + + pub(super) async fn read_metadata( + &self, + path: &PathBuf, + ) -> Result { + let file = File::open(path)?; + let reader = BufReader::new(file); + let metadata = serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseBlock( + "metadata".to_owned(), + "ssp".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(metadata) + } + + async fn gen_import_profile( + ssp: &SystemSecurityPlan, + path: &String, + ) -> Result<()> { + let mut import_profile_yaml = + File::create(format!("{}/import_profile.yaml", path)) + .with_context(|| { + format!( + "Could not create import_profile block at this location: {}", + path + ) + })?; + + let import_profile = + serde_yaml::to_string(&ssp.system_security_plan.import_profile)?; + + import_profile_yaml + .write_all(import_profile.as_bytes()) + .with_context(|| "Could not write to manifest".to_owned())?; + + Ok(()) + } + + pub(super) async fn read_import_profile( + &self, + path: &PathBuf, + ) -> Result { + let file = File::open(path)?; + let reader = BufReader::new(file); + let import_profile = serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseBlock( + "import_profile".to_owned(), + "ssp".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(import_profile) + } + + async fn gen_system_characteristics( + ssp: &SystemSecurityPlan, + path: &String, + ) -> Result<()> { + let mut system_characteristics_yaml = + File::create(format!("{}/system_characteristics.yaml", path)) + .with_context(|| { + format!( + "Could not create system_characteristics block at this location: {}", + path + ) + })?; + + let system_characteristics = serde_yaml::to_string( + &ssp.system_security_plan.system_characteristics, + )?; + + system_characteristics_yaml + .write_all(system_characteristics.as_bytes()) + .with_context(|| "Could not write to manifest".to_owned())?; + + Ok(()) + } + + pub(super) async fn read_system_characteristics( + &self, + path: &PathBuf, + ) -> Result { + let file = File::open(path)?; + let reader = BufReader::new(file); + let system_characteristics = + serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseBlock( + "system_characteristics".to_owned(), + "ssp".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(system_characteristics) + } + + async fn gen_system_implementation( + ssp: &SystemSecurityPlan, + path: &String, + ) -> Result<()> { + let mut system_implementation_yaml = + File::create(format!("{}/system_implementation.yaml", path)) + .with_context(|| { + format!( + "Could not create system_implementation block at this location: {}", + path + ) + })?; + + let system_implementation = serde_yaml::to_string( + &ssp.system_security_plan.system_implementation, + )?; + + system_implementation_yaml + .write_all(system_implementation.as_bytes()) + .with_context(|| "Could not write to manifest".to_owned())?; + + Ok(()) + } + + pub(super) async fn read_system_implementation( + &self, + path: &PathBuf, + ) -> Result { + let file = File::open(path)?; + let reader = BufReader::new(file); + let system_implementation = + serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseBlock( + "system_implementation".to_owned(), + "ssp".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(system_implementation) + } + + async fn gen_control_implementation( + ssp: &SystemSecurityPlan, + path: &String, + ) -> Result<()> { + let mut control_implementation_yaml = + File::create(format!("{}/control_implementation.yaml", path)) + .with_context(|| { + format!( + "Could not create control_implementation block at this location: {}", + path + ) + })?; + + let control_implementation = serde_yaml::to_string( + &ssp.system_security_plan.control_implementation, + )?; + + control_implementation_yaml + .write_all(control_implementation.as_bytes()) + .with_context(|| "Could not write to manifest".to_owned())?; + + Ok(()) + } + + pub(super) async fn read_control_implementation( + &self, + path: &PathBuf, + ) -> Result { + let file = File::open(path)?; + let reader = BufReader::new(file); + let control_implementation = + serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseBlock( + "control_implementation".to_owned(), + "ssp".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(control_implementation) + } + + async fn gen_back_matter( + ssp: &SystemSecurityPlan, + path: &String, + ) -> Result<()> { + let mut back_matter_yaml = + File::create(format!("{}/back_matter.yaml", path)).with_context( + || { + format!( + "Could not create back_matter block at this location: {}", + path + ) + }, + )?; + + if ssp.system_security_plan.back_matter.is_some() { + let back_matter = + serde_yaml::to_string(&ssp.system_security_plan.back_matter) + .with_context(|| { + "Could not convert to YAML file".to_owned() + })?; + + back_matter_yaml + .write_all(back_matter.as_bytes()) + .with_context(|| "Could not write to manifest".to_owned())?; + } + + Ok(()) + } + + pub(super) async fn read_back_matter( + &self, + path: &PathBuf, + ) -> Result { + let file = File::open(path)?; + let reader = BufReader::new(file); + let back_matter = serde_yaml::from_reader(reader).map_err(|e| { + CliError::ParseBlock( + "back_matter".to_owned(), + "ssp".to_owned(), + path.to_string_lossy().into_owned(), + e.to_string(), + ) + })?; + + Ok(back_matter) + } + + pub async fn gen_files( + ssp: SystemSecurityPlan, + ctx: &DissectCtx, + ) -> Result<()> { + let modifiable = &ctx.modifiable; + + for i in &ctx.blocks { + let block = Self::from_str(i).with_context(|| { + "Could not determine the provided System Security Plan block".to_string() + })?; + + match block { + Self::All => { + Self::gen_uuid(&ssp, modifiable).await?; + Self::gen_metadata(&ssp, modifiable).await?; + Self::gen_import_profile(&ssp, modifiable).await?; + Self::gen_system_characteristics(&ssp, modifiable).await?; + Self::gen_system_implementation(&ssp, modifiable).await?; + Self::gen_control_implementation(&ssp, modifiable).await?; + Self::gen_back_matter(&ssp, modifiable).await?; + } + Self::Uuid => Self::gen_uuid(&ssp, modifiable).await?, + Self::Metadata => Self::gen_metadata(&ssp, modifiable).await?, + Self::ImportProfile => { + Self::gen_import_profile(&ssp, modifiable).await? + } + Self::SystemCharacteristics => { + Self::gen_system_characteristics(&ssp, modifiable).await? + } + Self::SystemImplementation => { + Self::gen_system_implementation(&ssp, modifiable).await? + } + Self::ControlImplementation => { + Self::gen_control_implementation(&ssp, modifiable).await? + } + Self::BackMatter => { + Self::gen_back_matter(&ssp, modifiable).await? + } + } + } + + Ok(()) + } +} diff --git a/roscal_cli/src/models/utils.rs b/roscal_cli/src/models/utils.rs new file mode 100644 index 0000000..8b68a47 --- /dev/null +++ b/roscal_cli/src/models/utils.rs @@ -0,0 +1,81 @@ +#![allow(clippy::single_char_pattern)] +use std::{fs::File, io::Read, path::Path}; + +use anyhow::{Context, Result}; +use chrono::Utc; +use rand::{distributions::Alphanumeric, thread_rng, Rng}; +use sha2::{Digest, Sha256}; + +pub(super) fn check_filename_len(path: impl AsRef) -> bool { + if path.as_ref().to_string_lossy().as_bytes().len() > 202 { + eprintln!("File name is too long"); + return false; + } + + true +} + +pub(super) fn is_valid_file(path: impl AsRef) -> bool { + if check_filename_len(&path) && !path.as_ref().is_file() { + eprintln!("Invalid file provided: {}", path.as_ref().display()); + return false; + } + + true +} + +pub(super) fn is_valid_dir(path: impl AsRef) -> bool { + if !path.as_ref().is_dir() { + eprintln!( + "Invalid directory provided: {}", + path.as_ref().to_string_lossy() + ); + return false; + } + + true +} + +pub(super) fn gen_created_at() -> String { + let now = Utc::now().to_string(); + + now.as_str().replace(" ", "_") +} + +pub(super) fn gen_rand() -> String { + thread_rng() + .sample_iter(&Alphanumeric) + .take(8) + .map(char::from) + .collect() +} + +pub(super) fn gen_hash_from_path(path: &impl AsRef) -> Result { + let mut file = File::open(path).with_context(|| { + format!("Could not open file: `{}`", path.as_ref().display()) + })?; + + let mut hasher = Sha256::new(); + + let mut buffer = [0; 4096]; + + loop { + let bytes_read = file.read(&mut buffer).with_context(|| { + format!("Could not read file: `{}`", path.as_ref().display()) + })?; + if bytes_read == 0 { + break; + } + hasher.update(&buffer[..bytes_read]); + } + + Ok(format!("{:x}", hasher.finalize())) +} + +pub(super) fn gen_hash_from_str(content: &str) -> Result { + let mut hasher = Sha256::new(); + + hasher.update(content.as_bytes()); + + Ok(format!("{:x}", hasher.finalize())) +} diff --git a/roscal_cli/src/models/validate.rs b/roscal_cli/src/models/validate.rs new file mode 100644 index 0000000..a16defd --- /dev/null +++ b/roscal_cli/src/models/validate.rs @@ -0,0 +1,101 @@ +use std::{fs::File, io::BufReader, str::FromStr}; + +use anyhow::{Context, Result}; +use roscal_lib::{ + assessment::{ + assessment_plan::AssessmentPlan, assessment_results::AssessmentResults, + poam::PlanOfActionAndMilestones, + }, + control::{catalog::Catalog, profile::Profile}, + implementation::{ + component_definition::ComponentDefinition, ssp::SystemSecurityPlan, + }, +}; + +use crate::cli::cli_opts::Validate; + +use super::{model::OscalModels, validation::is_valid_model}; + +pub(super) async fn validate_model(opts: &Validate) -> Result<()> { + if !is_valid_model(&opts.model) { + std::process::exit(1) + } + + let file = File::open(&opts.file).with_context(|| { + format!("Could not open model file: `{}`", &opts.file.display()) + })?; + + let reader = BufReader::new(file); + + match OscalModels::from_str(&opts.model).with_context(|| { + "Could not determine the provided OSCAL model".to_string() + })? { + OscalModels::AssessmentPlan => { + let res: Result = + serde_json::from_reader(reader); + if res.is_ok() { + println!("This is a valid Assessment Plan model") + } else { + println!("This is not a valid Assessment Plan model") + } + } + OscalModels::AssessmentResults => { + let res: Result = + serde_json::from_reader(reader); + if res.is_ok() { + println!("This is a valid Assessment Result model") + } else { + println!("This is not a valid Assessment Result model") + } + } + OscalModels::Poam => { + let res: Result = + serde_json::from_reader(reader); + if res.is_ok() { + println!("This is a valid Plan of Action and Milestones model") + } else { + println!( + "This is not a valid Plan of Action and Milestones model" + ) + } + } + OscalModels::Catalog => { + let res: Result = + serde_json::from_reader(reader); + if res.is_ok() { + println!("This is a valid Catalog model") + } else { + println!("This is not a valid Catalog model") + } + } + OscalModels::Profile => { + let res: Result = + serde_json::from_reader(reader); + if res.is_ok() { + println!("This is a valid Profile model") + } else { + println!("This is not a valid Profile model") + } + } + OscalModels::ComponentDefinition => { + let res: Result = + serde_json::from_reader(reader); + if res.is_ok() { + println!("This is a valid Component Definition model") + } else { + println!("This is not a valid Component Definition model") + } + } + OscalModels::Ssp => { + let res: Result = + serde_json::from_reader(reader); + if res.is_ok() { + println!("This is a valid System Security Plan model") + } else { + println!("This is not a valid System Security Plan model") + } + } + } + + Ok(()) +} diff --git a/roscal_cli/src/models/validation.rs b/roscal_cli/src/models/validation.rs new file mode 100644 index 0000000..4f01b5b --- /dev/null +++ b/roscal_cli/src/models/validation.rs @@ -0,0 +1,161 @@ +use std::str::FromStr; + +use super::model::*; + +pub(super) fn is_valid_model(model: &str) -> bool { + if OscalModels::from_str(model).is_err() { + eprintln!("Invalid model provided: {}", model); + return false; + } + + true +} + +pub(super) fn is_valid_assessment_plan_block(blocks: &Vec) -> bool { + let mut col = String::new(); + + if blocks.len() > 1 && blocks.iter().any(|v| v == "all") { + eprintln!("Multiple block cannot include `all` option"); + return false; + } + + blocks + .iter() + .filter(|v| AssessmentPlanBlock::from_str(v).is_err()) + .for_each(|v| col.push_str(v)); + + if col.is_empty() { + true + } else { + eprintln!("Invalid assessment plan block provided: {:?}", blocks); + false + } +} + +pub(super) fn is_valid_assessment_results_block(blocks: &Vec) -> bool { + let mut col = String::new(); + + if blocks.len() > 1 && blocks.iter().any(|v| v == "all") { + eprintln!("Multiple block cannot include `all` option"); + return false; + } + + blocks + .iter() + .filter(|v| AssessmentResultsBlock::from_str(v).is_err()) + .for_each(|v| col.push_str(v)); + + if col.is_empty() { + true + } else { + eprintln!("Invalid assessment results block provided: {:?}", blocks); + false + } +} + +pub(super) fn is_valid_poam_block(blocks: &Vec) -> bool { + let mut col = String::new(); + + if blocks.len() > 1 && blocks.iter().any(|v| v == "all") { + eprintln!("Multiple block cannot include `all` option"); + return false; + } + + blocks + .iter() + .filter(|v| PoamBlock::from_str(v).is_err()) + .for_each(|v| col.push_str(v)); + + if col.is_empty() { + true + } else { + eprintln!("Invalid poam block provided: {:?}", blocks); + false + } +} + +pub(super) fn is_valid_catalog_block(blocks: &Vec) -> bool { + let mut col = String::new(); + + if blocks.len() > 1 && blocks.iter().any(|v| v == "all") { + eprintln!("Multiple block cannot include `all` option"); + return false; + } + + blocks + .iter() + .filter(|v| CatalogBlock::from_str(v).is_err()) + .for_each(|v| col.push_str(v)); + + if col.is_empty() { + true + } else { + eprintln!("Invalid catalog block provided: {:?}", blocks); + false + } +} + +pub(super) fn is_valid_profile_block(blocks: &Vec) -> bool { + let mut col = String::new(); + + if blocks.len() > 1 && blocks.iter().any(|v| v == "all") { + eprintln!("Multiple block cannot include `all` option"); + return false; + } + + blocks + .iter() + .filter(|v| ProfileBlock::from_str(v).is_err()) + .for_each(|v| col.push_str(v)); + + if col.is_empty() { + true + } else { + eprintln!("Invalid profile block provided: {:?}", blocks); + false + } +} + +pub(super) fn is_valid_component_definition_block( + blocks: &Vec, +) -> bool { + let mut col = String::new(); + + if blocks.len() > 1 && blocks.iter().any(|v| v == "all") { + eprintln!("Multiple block cannot include `all` option"); + return false; + } + + blocks + .iter() + .filter(|v| ComponentDefinitionBlock::from_str(v).is_err()) + .for_each(|v| col.push_str(v)); + + if col.is_empty() { + true + } else { + eprintln!("Invalid component definition block provided: {:?}", blocks); + false + } +} + +pub(super) fn is_valid_ssp_block(blocks: &Vec) -> bool { + let mut col = String::new(); + + if blocks.len() > 1 && blocks.iter().any(|v| v == "all") { + eprintln!("Multiple block cannot include `all` option"); + return false; + } + + blocks + .iter() + .filter(|v| SspBlock::from_str(v).is_err()) + .for_each(|v| col.push_str(v)); + + if col.is_empty() { + true + } else { + eprintln!("Invalid ssp block provided: {:?}", blocks); + false + } +} diff --git a/roscal_cli/src/models/workspace.rs b/roscal_cli/src/models/workspace.rs new file mode 100644 index 0000000..f109f38 --- /dev/null +++ b/roscal_cli/src/models/workspace.rs @@ -0,0 +1,96 @@ +use std::path::PathBuf; + +use anyhow::Result; +use serde::{Deserialize, Serialize}; +use thiserror::Error; + +use crate::cli::cli_opts::{Dissect, Merge, Validate}; + +use super::{ + dissect::dissect_workspace, merge::merge_workspace, utils::*, + validate::validate_model, +}; + +#[derive(Error, Debug)] +pub enum CliError { + #[error("Could not parse {0} model from file: {1}\nCause ---> {2}")] + ParseModel(String, String, String), + #[error("Could not parse {0} field for model {1} from file: {2}\nCause ---> {3}")] + ParseBlock(String, String, String, String), + #[error("Unknown output format. Use json or yaml")] + UnknownMergeOpt, + #[error("Unknown uuid version. Use v4 or v5")] + UnknownUuidVer, +} + +#[derive(Debug, Clone)] +pub struct Workspace; + +impl Workspace { + pub async fn dissect( + opts: &Dissect, + ) -> Result<(), Box> { + dissect_workspace(opts).await?; + + Ok(()) + } + + pub async fn merge(opts: &Merge) -> Result<(), Box> { + merge_workspace(opts).await?; + + Ok(()) + } +} + +#[derive(Debug, Clone)] +pub struct Validator; + +impl Validator { + pub async fn validate( + opts: &Validate, + ) -> Result<(), Box> { + validate_model(opts).await?; + + Ok(()) + } +} + +#[derive(Debug, Default, Clone, Deserialize, Serialize)] +pub struct DissectCtx { + pub created_at: String, + pub model_loc: PathBuf, + pub model: String, + pub blocks: Vec, + pub rand: String, + pub root: String, + pub backup: String, + pub modifiable: String, + pub hash: String, +} + +impl DissectCtx { + pub fn is_valid_hash(&self) -> Result { + let path = format!("{}/backup", &self.backup); + let hash = gen_hash_from_path(&path); + + Ok(hash.is_ok() && hash? == self.hash) + } +} + +#[derive(Debug, Default, Clone, Deserialize, Serialize)] +pub struct MergeCtx { + pub created_at: String, + pub hash: String, + pub rand: String, + pub output_dir: String, + pub dissect_workspace_ref: DissectCtx, +} + +impl MergeCtx { + pub fn update_hash(&mut self, content: &str) -> Result<()> { + let hash = gen_hash_from_str(content)?; + self.hash = hash; + + Ok(()) + } +} diff --git a/roscal_cli/tests/data/ap.yaml b/roscal_cli/tests/data/ap.yaml new file mode 100644 index 0000000..3582571 --- /dev/null +++ b/roscal_cli/tests/data/ap.yaml @@ -0,0 +1,90 @@ +assessment-plan: + uuid: 60077e84-e62f-4375-8c6c-b0e0d4560c5f + metadata: + title: IFA GoodRead Assessment Plan + last-modified: "2024-02-01T13:57:28.355446-04:00" + version: "1.0" + oscal-version: 1.1.2 + roles: + - id: assessor + title: IFA Security Control Assessor + parties: + - uuid: e7730080-71ce-4b20-bec4-84f33136fd58 + type: person + name: Amy Assessor + member-of-organizations: + - 3a675986-b4ff-4030-b178-e953c2e55d64 + - uuid: 3a675986-b4ff-4030-b178-e953c2e55d64 + type: organization + name: Important Federal Agency + short-name: IFA + links: + - href: https://www.ifa.gov + rel: website + responsible-parties: + - role-id: assessor + party-uuids: + - e7730080-71ce-4b20-bec4-84f33136fd58 + import-ssp: + href: ../3-implementation/ssp.oscal.xml + local-definitions: + activities: + - uuid: 52277182-1ba3-4cb6-8d96-b1b97aaf9d6b + title: Examine System Elements for Least Privilege Design and Implementation + description: 'The activity and it steps will be performed by the assessor and facilitated by owner, ISSO, and product team for the IFA GoodRead system with necessary information and access about least privilege design and implementation of the system''s elements: the application, web framework, server, and cloud account infrastructure.' + props: + - name: method + value: EXAMINE + steps: + - uuid: 733e3cbf-e398-46b6-9c02-a2cb534c341e + title: Obtain Network Access via VPN to IFA GoodRead Environment + description: The assessor will obtain network access with appropriately configured VPN account to see admin frontend to the application for PAO staff, which is only accessible via VPN with an appropriately configured role for PAO staff accounts. + - uuid: 4ce7e0b4-d69e-4b80-a700-8600b4d4d933 + title: Obtain Credentials and Access to AwesomeCloud Account for IFA GoodRead System + description: The assessor will obtain access to the GoodRead Product Team's AwesomeCloud account with their single sign-on credentials to a read-only assessor role. + - uuid: 3d0297de-e47b-4360-b9c3-cf5c425f86cd + title: Obtain Applcation Access Provided by Product Team + description: The assessor will obtain non-privileged account credentials with the PAO staff role to test this role in the application does not permit excessive administrative operations. + - uuid: 64ca1ef6-3ad4-4747-97c6-40890222463f + title: Confirm Load Balancer Blocks Access to Admin Frontend from Internet + description: The assessor will confirm that the load balancer for public access does not allow access to Admin Frontend of the application from the Internet. + - uuid: 715f0592-166f-44f6-bb66-d99623e035dc + title: Confirm GoodRead's PAO Role Cannot Manage Users + description: The assessor will confirm that user's logged into the GoodRead Application with the PAO staff role cannot add, modify, or disable users from the system. + - uuid: 4641957b-a0fa-4c61-af1a-d3e9101efe40 + title: Confirm Django Admin Panel Not Available + description: The assessor will confirm with web-based interface and API methods users with the PAO Staff role cannot access the Django admin panel functions and interactively change application's database records. + related-controls: + control-selections: + - include-controls: + - control-id: ac-6.1 + responsible-roles: + - role-id: assessor + party-uuids: + - e7730080-71ce-4b20-bec4-84f33136fd58 + reviewed-controls: + control-selections: + - include-controls: + - control-id: ac-6.1 + control-objective-selections: + - include-all: {} + assessment-subjects: + - type: component + description: The assessor for the IFA GoodRead Project, including the application and infrastructure for this information system, are within scope of this assessment. + include-all: {} + tasks: + - uuid: b3504d22-0e75-4dd7-9247-618661beba4e + type: action + title: Examine Least Privilege Design and Implementation + associated-activities: + - activity-uuid: 0d243b23-a889-478f-9716-6d4870e56209 + subjects: + - type: component + include-all: {} + responsible-roles: + - role-id: assessor + remarks: | + Per IFA's use of NIST SP-800 53A, the assessor, with the support of the owner, information system security officer, and product team for the IFA GoodRead project, will examine least privilege design and implementation with the following: + + * list of security functions (deployed in hardware, software, and firmware) and security-relevant information for which access must be explicitly authorized; + * system configuration settings and associated documentation; \ No newline at end of file diff --git a/roscal_cli/tests/data/ar.yaml b/roscal_cli/tests/data/ar.yaml new file mode 100644 index 0000000..4aeab78 --- /dev/null +++ b/roscal_cli/tests/data/ar.yaml @@ -0,0 +1,153 @@ +assessment-results: + uuid: ec0dad37-54e0-40fd-a925-6d0bdea94c0d + metadata: + title: IFA GoodRead Continuous Monitoring Assessment Results June 2023 + last-modified: "2024-02-01T13:57:28.355446-04:00" + version: 202306-002 + oscal-version: 1.1.2 + roles: + - id: assessor + title: IFA Security Controls Assessor + parties: + - uuid: e7730080-71ce-4b20-bec4-84f33136fd58 + type: person + name: Amy Assessor + member-of-organizations: + - 3a675986-b4ff-4030-b178-e953c2e55d64 + - uuid: 3a675986-b4ff-4030-b178-e953c2e55d64 + type: organization + name: Important Federal Agency + short-name: IFA + links: + - href: https://www.ifa.gov + rel: website + responsible-parties: + - role-id: assessor + party-uuids: + - e7730080-71ce-4b20-bec4-84f33136fd58 + import-ap: + href: ./ap.oscal.xml + local-definitions: + activities: + - uuid: cf5d53fe-6043-4c68-9ed6-6b258909febf + title: Test System Elements for Least Privilege Design and Implementation + description: The activity and it steps will be performed by the assessor via their security automation platform to test least privilege design and implementation of the system's elements, specifically the cloud account infrastructure, as part of continuous monitoring. + props: + - name: method + value: TEST + steps: + - uuid: 57f8cfb8-fc3f-41d3-b938-6ab421c92574 + title: Configure Cross-Account IAM Role Trust for GoodRead and Assessor AwesomeCloud Accounts + description: The GoodRead system engineer will coordinate with the assessor's engineering support staff to configure an IAM role trust. A service account for automation with its own role with the assessor's AwesomeCloud account can assume the role for read-only assessor operations within the GoodRead Product Team's AwesomeCloud account for continuous monitoring of least privilege. + remarks: |- + This step is complete. + + GoodRead Product Team and SCA Engineering Support configured the latter's cross-account role trust and authentication and authorization in to the former's account on May 29, 2023. + - uuid: 976aadad-b1ce-475b-aa6c-e082537e7902 + title: Automate Cross-Account Login to GoodRead AwesomeCloud Account + description: The assessor's security automation platform will create a session from their dedicated will obtain access to the GoodRead Product Team's AwesomeCloud account with their single sign-on credentials to a read-only assessor role. + remarks: |- + This step is complete. + + GoodRead Product Team and SCA Engineering Support tested scripts from the security automation platform interactively on May 30, 2023, to confirm they work ahead of June 2023 continuous monitoring cycle. + - uuid: 18ce4e19-7432-4484-8e75-2dd8f05668cf + title: Analyze GoodRead Developer and System Engineer Roles for Least Privilege + description: | + Once authenticated and authorized with a cross-account session, the security automation pipeline will execute scripts developed and maintained by the assessor's engineering support staff. It will analyze the permitted actions for the developer and system engineer roles in the GoodRead Product Team's AwesomeCloud account to confirm they are designed and implement to facilitate only least privilege operation. Examples are included below. + + * For the GoodRead developer role in their AwesomeCloud account, the developer role may only permit the user with this role to check the IP addresses and status of the Awesome Compute Service server instances. This role will not permit the user to create, change, or delete the instances. Similarly, the developer will permit a user to perform actions to see IP addresses of an Awesome Load Balancer instance, but not add, change, or delete the instances. + * For the GoodRead system engineer role in their AwesomeCloud account, the system engineer role may only permit actions where the user can add, change, or delete instances for approved services (i.e. Awesome Compute Service, Awesome Load Balancer, et cetera). The role may not permit actions by the user for any other service. + related-controls: + control-selections: + - include-controls: + - control-id: ac-6.1 + responsible-roles: + - role-id: assessor + party-uuids: + - e7730080-71ce-4b20-bec4-84f33136fd58 + results: + - uuid: a1d20136-37e0-42aa-9834-4e9d8c36d798 + title: IFA GoodRead Continous Monitoring Results June 2023 + description: Automated monthly continuous monitoring of the GoodRead information system's cloud infrastructure recorded observations below. Additionally, contingent upon the confidence level of the observations and possible risks, confirmed findings may be opened. + start: "2023-06-02T08:31:20-04:00" + end: "2023-06-02T08:46:51-04:00" + local-definitions: + tasks: + - uuid: 35876484-aa4b-494d-95a2-0d1cc04eb47e + type: action + title: Test System Elements for Least Privilege Design and Implementation + description: The activity and it steps will be performed by the assessor via their security automation platform to test least privilege design and implementation of the system's elements, specifically the cloud account infrastructure, as part of continuous monitoring. + associated-activities: + - activity-uuid: cf5d53fe-6043-4c68-9ed6-6b258909febf + subjects: + - type: component + include-all: {} + reviewed-controls: + control-selections: + - include-controls: + - control-id: ac-6.1 + observations: + - uuid: 8807eb6e-0c05-43bc-8438-799739615e34 + title: AwesomeCloud IAM Roles Test - GoodRead System Engineer Role + description: Test AwesomeCloud IAM Roles for least privilege design and implementation. + methods: + - TEST + types: + - finding + subjects: + - subject-uuid: 551b9706-d6a4-4d25-8207-f2ccec548b89 + type: component + collected: "2023-06-02T08:31:20-04:00" + expires: "2023-07-01T00:00:00-04:00" + remarks: |- + The assessor's security automation platform analyzed all roles specific to the GoodRead Product Team, not those managed by the Office of Information Technology. The `IFA-GoodRead-SystemEnginer` role in their respective AwesomeCloud account permitted use of the following high-risk actions. + + * awesomecloud:auditlog:DeleteAccountAuditLog + * awesomecloud:secmon:AdministerConfigurations + + + Both of these actions are overly permissive and not appropriate for the business function of the staff member assigned this role. + - uuid: 4a2fb32e-9be9-43cf-b717-e9e47de061bd + title: AwesomeCloud IAM Roles Test - GoodRead Developer Role + description: Test AwesomeCloud IAM Roles for least privilege design and implementation. + methods: + - TEST + types: + - finding + subjects: + - subject-uuid: 551b9706-d6a4-4d25-8207-f2ccec548b89 + type: component + collected: "2023-06-02T08:31:20-04:00" + expires: "2023-07-01T00:00:00-04:00" + remarks: The assessor's security automation platform detected that the developer's role is permitted to perform only permissible actions in the GoodRead AwesomeCloud account in accordance with the agency's least privilege policy and procedures. + risks: + - uuid: 0cfa750e-3553-47ba-a7ba-cf84a884d261 + title: GoodRead System Engineers Have Over-Privileged Access to Cloud Infrastructure Account + description: A user in the GoodRead cloud environment with the privileges of a system engineer can exceed the intended privileges for their related business function. They can delete all historical audit records and remove important security monitoring functions for the IFA Security Operations Center staff. + statement: |- + An account without proper least privilege design and implementation can be used to surreptitiously add, change, or delete cloud infrastructure to the too managing all links to IFA's communication to public citizens, potentially causing significant harm with no forensic evidence to recover the system. Regardless of the extent and duration of a potential incident, such a configuration greatly increases the risk of an insider threat if there were likely to a potential insider threat in the GoodRead Product Team. + + If such an insider threat existed and acted with this misconfigruatio, the resulting event could cause significant financial and reputational risk to IFA's Administrator, executive staff, and the agency overall. + status: investigating + findings: + - uuid: 45d8a6c2-1368-4bad-9ba0-7141f0a32889 + title: GoodRead AwesomeCloud Account's System Engineer Role Permits High Risk Actions + description: |- + The assessor's security automation platform detected that the system engineer's role is permitted to perform the following actions in the GoodRead AwesomeCloud account. + + * Delete and reset account audit logs. + * Add, change, or delete security monitoring configurations in the Awesome Security Monitor service used by the IFA Security Operations Center. + + + The system engineer is not permitted to modify these services and their role was incorrectly configured. + target: + type: objective-id + target-id: ac-6.1_obj + description: This is a finding. + status: + state: not-satisfied + implementation-statement-uuid: d5f9b263-965d-440b-99e7-77f5df670a11 + related-observations: + - observation-uuid: 8807eb6e-0c05-43bc-8438-799739615e34 + related-risks: + - risk-uuid: 0cfa750e-3553-47ba-a7ba-cf84a884d261 \ No newline at end of file diff --git a/roscal_cli/tests/data/catalog.yaml b/roscal_cli/tests/data/catalog.yaml new file mode 100644 index 0000000..9bd2cf3 --- /dev/null +++ b/roscal_cli/tests/data/catalog.yaml @@ -0,0 +1,203 @@ +catalog: + uuid: 74c8ba1e-5cd4-4ad1-bbfd-d888e2f6c724 + metadata: + title: Sample Security Catalog *for Demonstration* and Testing + published: "2023-10-12T00:00:00.000000-04:00" + last-modified: "2023-10-12T00:00:00.000000-04:00" + version: "1.1" + oscal-version: 1.1.1 + remarks: The following is a short excerpt from [ISO/IEC 27002:2013](https://www.iso.org/standard/54533.html), *Information technology — Security techniques — Code of practice for information security controls*. This work is provided here under copyright "fair use" for non-profit, educational purposes only. Copyrights for this work are held by the publisher, the International Organization for Standardization (ISO). + groups: + - id: s1 + title: Organization of Information Security + props: + - name: label + value: "1" + groups: + - id: s1.1 + title: Internal Organization + props: + - name: label + value: "1.1" + parts: + - id: s1.1_smt + name: objective + prose: To establish a management framework to initiate and control the implementation and operation of information security within the organization. + controls: + - id: s1.1.1 + title: Information security roles and responsibilities + params: + - id: s1.1.1-prm1 + label: a choice from a selection + select: + how-many: one-or-more + choice: + - 'initiating a device lock after {{ insert: param, s1.1.1-prm_2 }} of inactivity' + - requiring the user to initiate a device lock before leaving the system unattended + - id: s1.1.1-prm_2 + label: a duration + props: + - name: label + value: 1.1.1 + parts: + - id: s1.1.1_stm + name: statement + prose: |- + All information security responsibilities should be defined and allocated. + + A value has been assigned to {{ insert: param, s1.1.1-prm1 }}. + + A cross link has been established with a choppy syntax: [(choppy)](#s1.2). + - id: s1.1.1_gdn + name: guidance + parts: + - id: s1.1.1_gdn.1 + name: item + prose: Allocation of information security responsibilities should be done in accordance with the information security policies. Responsibilities for the protection of individual assets and for carrying out specific information security processes should be identified. Responsibilities for information security risk management activities and in particular for acceptance of residual risks should be defined. These responsibilities should be supplemented, where necessary, with more detailed guidance for specific sites and information processing facilities. Local responsibilities for the protection of assets and for carrying out specific security processes should be defined. + - id: s1.1.1_gdn.2 + name: item + prose: Individuals with allocated information security responsibilities may delegate security tasks to others. Nevertheless they remain accountable and should determine that any delegated tasks have been correctly performed. + - id: s1.1.1_gdn.3 + name: item + prose: | + Areas for which individuals are responsible should be stated. In particular the following should take place: + + 1. the assets and information security processes should be identified and defined; + 1. the entity responsible for each asset or information security process should be assigned and the details of this responsibility should be documented; + 1. authorization levels should be defined and documented; + 1. to be able to fulfil responsibilities in the information security area the appointed individuals should be competent in the area and be given opportunities to keep up to date with developments; + 1. coordination and oversight of information security aspects of supplier relationships should be identified and documented. + - id: s1.1.1_inf + name: information + props: + - name: label + value: Other information + prose: |- + Many organizations appoint an information security manager to take overall responsibility for the development and implementation of information security and to support the identification of controls. + + However, responsibility for resourcing and implementing the controls will often remain with individual managers. One common practice is to appoint an owner for each asset who then becomes responsible for its day-to-day protection. + - id: s1.1.2 + title: Segregation of duties + props: + - name: label + value: 1.1.2 + parts: + - id: s1.1.2_stm + name: statement + prose: Conflicting duties and areas of responsibility should be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets. + - id: s1.1.2_gdn + name: guidance + parts: + - id: s1.1.2_gdn.1 + name: item + prose: Care should be taken that no single person can access, modify or use assets without authorization or detection. The initiation of an event should be separated from its authorization. The possibility of collusion should be considered in designing the controls. + - id: s1.1.2_gdn.2 + name: item + prose: Small organizations may find segregation of duties difficult to achieve, but the principle should be applied as far as is possible and practicable. Whenever it is difficult to segregate, other controls such as monitoring of activities, audit trails and management supervision should be considered. + - id: s1.1.2_inf + name: information + prose: Segregation of duties is a method for reducing the risk of accidental or deliberate misuse of an organization’s assets. + - id: s2 + title: Access control + props: + - name: label + value: "2" + groups: + - id: s2.1 + title: Business requirements of access control + props: + - name: label + value: "2.1" + parts: + - id: s2.1_smt + name: objective + prose: To limit access to information and information processing facilities. + controls: + - id: s2.1.1 + title: Access control policy + props: + - name: label + value: 2.1.1 + parts: + - id: s2.1.1_stm + name: statement + prose: An access control policy should be established, documented and reviewed based on business and information security requirements. + - id: s2.1.1_gdn + name: guidance + parts: + - id: s2.1.1_gdn.1 + name: item + prose: Asset owners should determine appropriate access control rules, access rights and restrictions for specific user roles towards their assets, with the amount of detail and the strictness of the controls reflecting the associated information security risks. + - id: s2.1.1_gdn.2 + name: item + prose: Access controls are both logical and physical and these should be considered together. + - id: s2.1.1_gdn.3 + name: item + prose: Users and service providers should be given a clear statement of the business requirements to be met by access controls. + - id: s2.1.1_gdn.4 + name: item + prose: | + The policy should take account of the following: + + 1. security requirements of business applications; + 1. policies for information dissemination and authorization, e.g. the need-to-know principle and information security levels and classification of information; + 1. consistency between the access rights and information classification policies of systems and networks; + 1. relevant legislation and any contractual obligations regarding limitation of access to data or services; + 1. management of access rights in a distributed and networked environment which recognizes all types of connections available; + 1. segregation of access control roles, e.g. access request, access authorization, access administration; + 1. requirements for formal authorization of access requests; + 1. requirements for periodic review of access rights; + 1. removal of access rights; + 1. archiving of records of all significant events concerning the use and management of user identities and secret authentication information;, + 1. roles with privileged access. + - id: s2.1.1_stm + name: information + parts: + - id: s2.1.1_stm.1 + name: item + prose: | + Care should be taken when specifying access control rules to consider: + + 1. establishing rules based on the premise “Everything is generally forbidden unless expressly permitted” rather than the weaker rule “Everything is generally permitted unless expressly forbidden”; + 1. changes in information labels that are initiated automatically by information processing facilities and those initiated at the discretion of a user; + 1. changes in user permissions that are initiated automatically by the information system and those initiated by an administrator; + 1. rules which require specific approval before enactment and those which do not. + - id: s2.1.1_stm.2 + name: item + prose: Access control rules should be supported by formal procedures and defined responsibilities. + - id: s2.1.1_stm.3 + name: item + prose: Role based access control is an approach used successfully by many organizations to link access rights with business roles. + - id: s2.1.1_stm.4 + name: item + prose: | + Two of the frequent principles directing the access control policy are: + + 1. Need-to-know: you are only granted access to the information you need to perform your tasks (different tasks/roles mean different need-to-know and hence different access profile); + 1. Need-to-use: you are only granted access to the information processing facilities (IT equipment, applications, procedures, rooms) you need to perform your task/job/role. + - id: s2.1.2 + title: Access to networks and network services + props: + - name: label + value: 2.1.2 + parts: + - id: s2.1.2_stm + name: statement + prose: Users should only be provided with access to the network and network services that they have been specifically authorized to use. + - id: s2.1.2_gdn + name: guidance + parts: + - id: s2.1.2_gdn.1 + name: item + prose: | + A policy should be formulated concerning the use of networks and network services. This policy should cover: + + 1. the networks and network services which are allowed to be accessed; + 1. authorization procedures for determining who is allowed to access which networks and networked services; + 1. management controls and procedures to protect access to network connections and network services; + 1. the means used to access networks and network services (e.g. use of VPN or wireless network); + 1. user authentication requirements for accessing various network services; + 1. monitoring of the use of network service + - id: s2.1.2_gdn.2 + name: item + prose: The policy on the use of network services should be consistent with the organization’s access control policy \ No newline at end of file diff --git a/roscal_cli/tests/data/compdef.yaml b/roscal_cli/tests/data/compdef.yaml new file mode 100644 index 0000000..e964982 --- /dev/null +++ b/roscal_cli/tests/data/compdef.yaml @@ -0,0 +1,93 @@ +component-definition: + uuid: a7ba800c-a432-44cd-9075-0862cd66da6b + metadata: + title: MongoDB Component Definition Example + last-modified: "2024-02-01T13:57:28.355446-04:00" + version: "20231012" + oscal-version: 1.1.2 + roles: + - id: provider + title: Provider + parties: + - uuid: ef7c799a-c50e-49ab-83e0-515e989e6df1 + type: organization + name: MongoDB + links: + - href: https://www.mongodb.com + rel: website + components: + - uuid: 91f646c5-b1b6-4786-9ec3-2305a044e217 + type: service + title: MongoDB + description: MongoDB is a source-available, cross-platform document-oriented database program. Classified as a NoSQL database program, MongoDB uses JSON-like documents with optional schemas. + purpose: Provides a NoSQL database service + responsible-roles: + - role-id: provider + party-uuids: + - ef7c799a-c50e-49ab-83e0-515e989e6df1 + - role-id: customer + protocols: + - uuid: 2b4a1b3a-cbc5-4cc8-bde6-7437c28c4e54 + name: mongodb + title: Primary daemon process for the MongoDB system. + port-ranges: + - start: 27017 + end: 27017 + transport: TCP + - uuid: 99d8d4e5-e734-4e05-a2f9-7353097b8b61 + name: mongodb-shardsrv + title: MongoDB protocol for sharding with shardsrv option. + port-ranges: + - start: 27018 + end: 27018 + transport: TCP + - uuid: 6fa762f1-09ca-44d5-a94c-cfceb57debd5 + name: mongodb-configsvr + title: MongoDB protocol for configsrv operation. + port-ranges: + - start: 27019 + end: 27019 + transport: TCP + control-implementations: + - uuid: 49f0b690-ed9f-4f32-aae0-625b77aa6d27 + source: '#ba047e56-faef-430c-bafb-c54e9a87c6e8' + description: MongoDB control implementations for NIST SP 800-53 revision 5. + implemented-requirements: + - uuid: cf8338c5-fb6e-4593-a4a8-b3c4946ee080 + control-id: sc-8 + description: MongoDB's implementation of SC-8 control. The details of the implementation are provided at the statement level. + set-parameters: + - param-id: sc-8_prm_1 + values: + - confidentiality + statements: + - statement-id: sc-8_smt + uuid: bb9219b1-e51c-4680-abb0-616a43bbfbb1 + description: 'MongoDB implements TLS 1.x to protect the {{ insert: param, sc-8_prm_1 }} of transmitted data by encrypting data in transit, preventing unauthorized disclosure or changes to information during transmission.' + - uuid: cf8338c5-fb6e-4593-a4a8-b3c4946ee081 + control-id: sc-8.1 + description: MongoDB implements cryptographic mechanisms (TLS 1.x) to provide cryptographic protection for data in transit. + set-parameters: + - param-id: sc-8.1_prm_1 + values: + - prevent unauthorized disclosure of information + statements: + - statement-id: sc-8.1_smt + uuid: bb9219b1-e51c-4680-abb0-616a43bbfbb1 + description: 'To implement cryptographic mechanisms (aka enable TLS 1.x) to {{ insert: param, sc-8.1_prm_1 }}, customers need to set the `PEMKeyFile` option in the configuration file `/etc/mongod.conf` to the certificate file''s path and restart the component.' + responsible-roles: + - role-id: customer + - uuid: 5227daf8-7a4b-4fe0-aea9-3547b7de2603 + control-id: sa-4.9 + description: Must ensure that MongoDB only listens for network connections on authorized interfaces by configuring the MongoDB configuration file to limit the services exposure to only the network interfaces on which MongoDB instances should listen for incoming connections. + back-matter: + resources: + - uuid: ba047e56-faef-430c-bafb-c54e9a87c6e8 + description: 'NIST Special Publication 800-53 Revision 5: Moderate Baseline Profile' + rlinks: + - href: ../../../nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_MODERATE-baseline_profile.xml + media-type: application/oscal.catalog+xml + - href: ../../../nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_MODERATE-baseline_profile.json + media-type: application/oscal.catalog+json + - href: ../../../nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_MODERATE-baseline_profile.yaml + media-type: application/oscal.catalog+yaml \ No newline at end of file diff --git a/roscal_cli/tests/data/edit_back_matter b/roscal_cli/tests/data/edit_back_matter new file mode 100644 index 0000000..7bb4606 --- /dev/null +++ b/roscal_cli/tests/data/edit_back_matter @@ -0,0 +1,10 @@ +resources: + - uuid: 84cbf061-eb87-4ec1-8112-1f529232e907 + description: 'NIST Special Publication 800-53 Revision 5: Security and Privacy Controls for Federal Information Systems and Organizations' + rlinks: + - href: ../../../../nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_catalog.xml + media-type: application/oscal.catalog+xml + - href: ../../../../nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json + media-type: application/oscal.catalog+json + - href: ../../../../nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_catalog.yaml + media-type: application/oscal.catalog+yaml \ No newline at end of file diff --git a/roscal_cli/tests/data/edit_uuid b/roscal_cli/tests/data/edit_uuid new file mode 100644 index 0000000..02ecca3 --- /dev/null +++ b/roscal_cli/tests/data/edit_uuid @@ -0,0 +1 @@ +74c8ba1e-5cd4-4ad1-bbfd-d888e2f6c721 \ No newline at end of file diff --git a/roscal_cli/tests/data/malformed b/roscal_cli/tests/data/malformed new file mode 100644 index 0000000..17ff855 --- /dev/null +++ b/roscal_cli/tests/data/malformed @@ -0,0 +1,203 @@ +catalog: + uuid: wrong uuid + metadata: + title: Sample Security Catalog *for Demonstration* and Testing + published: "2023-10-12T00:00:00.000000-04:00" + last-modified: "2023-10-12T00:00:00.000000-04:00" + version: "1.1" + oscal-version: 1.1.1 + remarks: The following is a short excerpt from [ISO/IEC 27002:2013](https://www.iso.org/standard/54533.html), *Information technology — Security techniques — Code of practice for information security controls*. This work is provided here under copyright "fair use" for non-profit, educational purposes only. Copyrights for this work are held by the publisher, the International Organization for Standardization (ISO). + groups: + - id: s1 + title: Organization of Information Security + props: + - name: label + value: "1" + groups: + - id: s1.1 + title: Internal Organization + props: + - name: label + value: "1.1" + parts: + - id: s1.1_smt + name: objective + prose: To establish a management framework to initiate and control the implementation and operation of information security within the organization. + controls: + - id: s1.1.1 + title: Information security roles and responsibilities + params: + - id: s1.1.1-prm1 + label: a choice from a selection + select: + how-many: one-or-more + choice: + - 'initiating a device lock after {{ insert: param, s1.1.1-prm_2 }} of inactivity' + - requiring the user to initiate a device lock before leaving the system unattended + - id: s1.1.1-prm_2 + label: a duration + props: + - name: label + value: 1.1.1 + parts: + - id: s1.1.1_stm + name: statement + prose: |- + All information security responsibilities should be defined and allocated. + + A value has been assigned to {{ insert: param, s1.1.1-prm1 }}. + + A cross link has been established with a choppy syntax: [(choppy)](#s1.2). + - id: s1.1.1_gdn + name: guidance + parts: + - id: s1.1.1_gdn.1 + name: item + prose: Allocation of information security responsibilities should be done in accordance with the information security policies. Responsibilities for the protection of individual assets and for carrying out specific information security processes should be identified. Responsibilities for information security risk management activities and in particular for acceptance of residual risks should be defined. These responsibilities should be supplemented, where necessary, with more detailed guidance for specific sites and information processing facilities. Local responsibilities for the protection of assets and for carrying out specific security processes should be defined. + - id: s1.1.1_gdn.2 + name: item + prose: Individuals with allocated information security responsibilities may delegate security tasks to others. Nevertheless they remain accountable and should determine that any delegated tasks have been correctly performed. + - id: s1.1.1_gdn.3 + name: item + prose: | + Areas for which individuals are responsible should be stated. In particular the following should take place: + + 1. the assets and information security processes should be identified and defined; + 1. the entity responsible for each asset or information security process should be assigned and the details of this responsibility should be documented; + 1. authorization levels should be defined and documented; + 1. to be able to fulfil responsibilities in the information security area the appointed individuals should be competent in the area and be given opportunities to keep up to date with developments; + 1. coordination and oversight of information security aspects of supplier relationships should be identified and documented. + - id: s1.1.1_inf + name: information + props: + - name: label + value: Other information + prose: |- + Many organizations appoint an information security manager to take overall responsibility for the development and implementation of information security and to support the identification of controls. + + However, responsibility for resourcing and implementing the controls will often remain with individual managers. One common practice is to appoint an owner for each asset who then becomes responsible for its day-to-day protection. + - id: s1.1.2 + title: Segregation of duties + props: + - name: label + value: 1.1.2 + parts: + - id: s1.1.2_stm + name: statement + prose: Conflicting duties and areas of responsibility should be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets. + - id: s1.1.2_gdn + name: guidance + parts: + - id: s1.1.2_gdn.1 + name: item + prose: Care should be taken that no single person can access, modify or use assets without authorization or detection. The initiation of an event should be separated from its authorization. The possibility of collusion should be considered in designing the controls. + - id: s1.1.2_gdn.2 + name: item + prose: Small organizations may find segregation of duties difficult to achieve, but the principle should be applied as far as is possible and practicable. Whenever it is difficult to segregate, other controls such as monitoring of activities, audit trails and management supervision should be considered. + - id: s1.1.2_inf + name: information + prose: Segregation of duties is a method for reducing the risk of accidental or deliberate misuse of an organization’s assets. + - id: s2 + title: Access control + props: + - name: label + value: "2" + groups: + - id: s2.1 + title: Business requirements of access control + props: + - name: label + value: "2.1" + parts: + - id: s2.1_smt + name: objective + prose: To limit access to information and information processing facilities. + controls: + - id: s2.1.1 + title: Access control policy + props: + - name: label + value: 2.1.1 + parts: + - id: s2.1.1_stm + name: statement + prose: An access control policy should be established, documented and reviewed based on business and information security requirements. + - id: s2.1.1_gdn + name: guidance + parts: + - id: s2.1.1_gdn.1 + name: item + prose: Asset owners should determine appropriate access control rules, access rights and restrictions for specific user roles towards their assets, with the amount of detail and the strictness of the controls reflecting the associated information security risks. + - id: s2.1.1_gdn.2 + name: item + prose: Access controls are both logical and physical and these should be considered together. + - id: s2.1.1_gdn.3 + name: item + prose: Users and service providers should be given a clear statement of the business requirements to be met by access controls. + - id: s2.1.1_gdn.4 + name: item + prose: | + The policy should take account of the following: + + 1. security requirements of business applications; + 1. policies for information dissemination and authorization, e.g. the need-to-know principle and information security levels and classification of information; + 1. consistency between the access rights and information classification policies of systems and networks; + 1. relevant legislation and any contractual obligations regarding limitation of access to data or services; + 1. management of access rights in a distributed and networked environment which recognizes all types of connections available; + 1. segregation of access control roles, e.g. access request, access authorization, access administration; + 1. requirements for formal authorization of access requests; + 1. requirements for periodic review of access rights; + 1. removal of access rights; + 1. archiving of records of all significant events concerning the use and management of user identities and secret authentication information;, + 1. roles with privileged access. + - id: s2.1.1_stm + name: information + parts: + - id: s2.1.1_stm.1 + name: item + prose: | + Care should be taken when specifying access control rules to consider: + + 1. establishing rules based on the premise “Everything is generally forbidden unless expressly permitted” rather than the weaker rule “Everything is generally permitted unless expressly forbidden”; + 1. changes in information labels that are initiated automatically by information processing facilities and those initiated at the discretion of a user; + 1. changes in user permissions that are initiated automatically by the information system and those initiated by an administrator; + 1. rules which require specific approval before enactment and those which do not. + - id: s2.1.1_stm.2 + name: item + prose: Access control rules should be supported by formal procedures and defined responsibilities. + - id: s2.1.1_stm.3 + name: item + prose: Role based access control is an approach used successfully by many organizations to link access rights with business roles. + - id: s2.1.1_stm.4 + name: item + prose: | + Two of the frequent principles directing the access control policy are: + + 1. Need-to-know: you are only granted access to the information you need to perform your tasks (different tasks/roles mean different need-to-know and hence different access profile); + 1. Need-to-use: you are only granted access to the information processing facilities (IT equipment, applications, procedures, rooms) you need to perform your task/job/role. + - id: s2.1.2 + title: Access to networks and network services + props: + - name: label + value: 2.1.2 + parts: + - id: s2.1.2_stm + name: statement + prose: Users should only be provided with access to the network and network services that they have been specifically authorized to use. + - id: s2.1.2_gdn + name: guidance + parts: + - id: s2.1.2_gdn.1 + name: item + prose: | + A policy should be formulated concerning the use of networks and network services. This policy should cover: + + 1. the networks and network services which are allowed to be accessed; + 1. authorization procedures for determining who is allowed to access which networks and networked services; + 1. management controls and procedures to protect access to network connections and network services; + 1. the means used to access networks and network services (e.g. use of VPN or wireless network); + 1. user authentication requirements for accessing various network services; + 1. monitoring of the use of network service + - id: s2.1.2_gdn.2 + name: item + prose: The policy on the use of network services should be consistent with the organization’s access control policy \ No newline at end of file diff --git a/roscal_cli/tests/data/poam.yaml b/roscal_cli/tests/data/poam.yaml new file mode 100644 index 0000000..8d869a0 --- /dev/null +++ b/roscal_cli/tests/data/poam.yaml @@ -0,0 +1,144 @@ +plan-of-action-and-milestones: + uuid: 714210d2-f8df-448c-be3e-e2213816cf79 + metadata: + title: IFA GoodRead Plan of Action and Milestones + last-modified: "2024-02-01T13:57:28.355446-04:00" + version: "1.1" + oscal-version: 1.1.2 + import-ssp: + href: ../5-authorize/ssp.oscal.xml + system-id: + identifier-type: http://ietf.org/rfc/rfc4122 + id: 8101e04d-8305-4e73-bb95-6b59f645b143 + observations: + - uuid: 0c4de4fc-9bde-46af-b6fe-3b5e78194dcf + title: Django Framework Examination + description: Examine Django Framework for least privilege design and implementation. + methods: + - EXAMINE + types: + - control-objective + subjects: + - subject-uuid: 551b9706-d6a4-4d25-8207-f2ccec548b89 + type: component + collected: "2023-05-19T12:14:16-04:00" + remarks: The assessor attempted to access the admin panel while logged into the GoodRead application as a PAO staff user. They were able to see the admin panel and directly edit database records for the application using the Django Framework's admin panel. + - uuid: 8807eb6e-0c05-43bc-8438-799739615e34 + title: AwesomeCloud IAM Roles Test - GoodRead System Engineer Role + description: Test AwesomeCloud IAM Roles for least privilege design and implementation. + methods: + - TEST + types: + - finding + subjects: + - subject-uuid: 551b9706-d6a4-4d25-8207-f2ccec548b89 + type: component + collected: "2023-06-02T08:31:20-04:00" + expires: "2023-07-01T00:00:00-04:00" + remarks: |- + The assessor's security automation platform analyzed all roles specific to the GoodRead Product Team, not those managed by the Office of Information Technology. The `IFA-GoodRead-SystemEnginer` role in their respective AwesomeCloud account permitted use of the following high-risk actions. + + * awesomecloud:auditlog:DeleteAccountAuditLog + * awesomecloud:secmon:AdministerConfigurations + + + Both of these actions are overly permissive and not appropriate for the business function of the staff member assigned this role. + risks: + - uuid: 8b8bae66-b28c-4fa5-9a20-b79e7322fc00 + title: 'IFA-GOODREAD-RISK-1: PAO Staff Have Over-Privileged Access to GoodRead System' + description: A user with the privileges of a PAO staff user can exceed the intended privileges for their related business function and directly edit the database for the GoodRead application. + statement: |- + An account without proper least privilege design and implementation can be used to significantly damage links created by the tool for use by public citizens, potentially causing a national outage. If an outage were to occur, IFA and Government policy will require the CIO of the agency to notify the Department of Homeland Security and the public. + + Such an event will cause significant financial and reputational risk to IFA's Administrator, executive staff, and the agency overall. + status: deviation-approved + characterizations: + - origin: + actors: + - type: party + actor-uuid: e7730080-71ce-4b20-bec4-84f33136fd58 + facets: + - name: likelihood + system: https://ifa.gov/division/ociso/sca + value: low + - name: impact + system: https://ifa.gov/division/ociso/sca + value: high + mitigating-factors: + - uuid: 401c15c9-ad6b-4d4a-a591-7d53a3abb3b6 + description: The GoodRead application is designed and implemented to only allow access to the administrative functions for those with PAO staff fole via the VPN via network configuration between the IFA Enterprise Support Systems and the GoodRead AwesomeCloud account. Additionally, the load balanacer configuration only allows access to view shortlinks from the public internet. + deadline: "2024-01-01T05:00:00-04:00" + remediations: + - uuid: d28873f7-0a45-476d-9cd3-1d2ec0b8bca1 + lifecycle: planned + title: 'IFA-GOODREAD-RISK1-RESPONSE: IFA GoodRead Prouct Team Response' + description: The GoodRead Product Team does not have sufficient personnel and budget to implement the required changes in their use of the Django Framework and its configuration in this quarter. With the consultation of the ISSO and the assessor, the owner of the GoodRead system has decided to accept this risk until the end of December 2023. From September to December, budget will be available for the Good Read Product Team's developer and system engineer to completely disable the functionality that is the source of the risk and its originating finding. + props: + - name: type + value: accept + tasks: + - uuid: f8b1d4cb-d1a9-4932-9859-2e93b325f287 + type: milestone + title: End of Year Project Management Report of Developed Remediations + description: The owner, ISSO, and product team of the GoodRead Project intend to complete the necessary development between September 2023 and December 2023. Whether or not the necessary development for remedation is complete, the product team's project manager will submit the final annual report. They will identify this work item and whether it has been completed. + timing: + within-date-range: + start: "2023-09-29T09:00:00-04:00" + end: "2024-01-01T05:00:00-04:00" + related-observations: + - observation-uuid: 0c4de4fc-9bde-46af-b6fe-3b5e78194dcf + - uuid: 1c65d2d3-7735-47fa-8f68-a236744beab7 + title: 'IFA-GOODREAD-RISK-2: GoodRead System Engineers Have Over-Privileged Access to Cloud Infrastructure Account' + description: A user in the GoodRead cloud environment with the privileges of a system engineer can exceed the intended privileges for their related business function. They can delete all historical audit records and remove important security monitoring functions for the IFA Security Operations Center staff. + statement: |- + An account without proper least privilege design and implementation can be used to surreptitiously add, change, or delete cloud infrastructure to the too managing all links to IFA's communication to public citizens, potentially causing significant harm with no forensic evidence to recover the system. Regardless of the extent and duration of a potential incident, such a configuration greatly increases the risk of an insider threat if there were likely to a potential insider threat in the GoodRead Product Team. + + If such an insider threat existed and acted with this misconfigruatio, the resulting event could cause significant financial and reputational risk to IFA's Administrator, executive staff, and the agency overall. + status: open + characterizations: + - origin: + actors: + - type: party + actor-uuid: e7730080-71ce-4b20-bec4-84f33136fd58 + facets: + - name: likelihood + system: https://ifa.gov/division/ociso/sca + value: low + - name: impact + system: https://ifa.gov/division/ociso/sca + value: high + deadline: "2023-06-23T17:00:00-04:00" + remediations: + - uuid: 4676b126-ba6d-40cc-9dc8-f2aa677b03ee + lifecycle: planned + title: 'IFA-GOODREAD-RISK1-RESPONSE: IFA GoodRead Prouct Team Response' + description: The GoodRead Product Team does not have siginficant mitigations or compensating controls to counter this risk, even if likelihood is low. The IFA CISO has cited ongoing guidance that potential insider threat risks be prioritized above alternative categories of risk for this quarter. Additionally, there is sufficient budget and unallocated time for the GoodRead and Office of Information Technology system engineers to modify AwesomeCloud IAM roles on or before the next continuous monitoring cycle beginning in July 2023. The planned completion data is June 23, 2023. + props: + - name: type + value: mitigate + tasks: + - uuid: a0bb457d-0d14-4a74-801a-ffc9bc4cd636 + type: milestone + title: Completion of GoodRead Sprint Ending June 23, 2023 + description: The owner, ISSO, and product team of the GoodRead Project intend to complete the necessary development by June 23. 2023, the last day of the coinciding sprint. Whether or not the necessary development for mitigation is complete, the product team's project manager will write a brief at the end of the sprint to thw owner and ISSO of this system with the final status and determination of this work item in this sprint. + timing: + within-date-range: + start: "2023-06-03T00:00:00-04:00" + end: "2024-06-23T17:00:00-04:00" + related-observations: + - observation-uuid: 8807eb6e-0c05-43bc-8438-799739615e34 + poam-items: + - uuid: e174dfb9-0ae3-4a8f-8e7c-081527b84337 + title: Update Django Framework Configuration to Disable Default Admin Panel + description: Budget and technical staff are needed to re-design and re-implement a part of the GoodRead application's use of a web appplication programming framework to mitigate the risk of low privilege users directly modifying the database of this application. This application is a high-visibility service and integral to future operations of the IFA Office of Public Affairs and its staff. + related-observations: + - observation-uuid: 0c4de4fc-9bde-46af-b6fe-3b5e78194dcf + related-risks: + - risk-uuid: 401c15c9-ad6b-4d4a-a591-7d53a3abb3b6 + - uuid: 48c8368d-43ff-4736-9b28-64b1b1284c03 + title: GoodRead System Engineers Have Over-Privileged Access to Cloud Infrastructure Account + description: Budget and technical staff allocation are available and designated to fix a misconfiguration of the IAM roles for members of the GoodRead Product Team in their AwesomeCloud account to implement least privilege as designed. + related-observations: + - observation-uuid: 8807eb6e-0c05-43bc-8438-799739615e34 + related-risks: + - risk-uuid: 1c65d2d3-7735-47fa-8f68-a236744beab7 \ No newline at end of file diff --git a/roscal_cli/tests/data/profile.yaml b/roscal_cli/tests/data/profile.yaml new file mode 100644 index 0000000..61564bf --- /dev/null +++ b/roscal_cli/tests/data/profile.yaml @@ -0,0 +1,421 @@ +profile: + uuid: cd073316-7c58-4c34-9f5c-9eb5aa722683 + metadata: + title: NIST Special Publication 800-53 Revision 5.1.1 HIGH IMPACT BASELINE + last-modified: "2023-12-04T14:55:00.000000-04:00" + version: 5.1.1+u2 + oscal-version: 1.1.1 + roles: + - id: creator + title: Document Creator + - id: contact + title: Contact + parties: + - uuid: c748c806-1d77-4695-bb40-e117b2afa82e + type: organization + name: Joint Task Force, Transformation Initiative + email-addresses: + - sec-cert@nist.gov + addresses: + - addr-lines: + - National Institute of Standards and Technology + - 'Attn: Computer Security Division' + - Information Technology Laboratory + - 100 Bureau Drive (Mail Stop 8930) + city: Gaithersburg + state: MD + postal-code: 20899-8930 + responsible-parties: + - role-id: creator + party-uuids: + - c748c806-1d77-4695-bb40-e117b2afa82e + - role-id: contact + party-uuids: + - c748c806-1d77-4695-bb40-e117b2afa82e + imports: + - href: '#84cbf061-eb87-4ec1-8112-1f529232e907' + include-controls: + - with-ids: + - ac-1 + - ac-2 + - ac-2.1 + - ac-2.2 + - ac-2.3 + - ac-2.4 + - ac-2.5 + - ac-2.11 + - ac-2.12 + - ac-2.13 + - ac-3 + - ac-4 + - ac-4.4 + - ac-5 + - ac-6 + - ac-6.1 + - ac-6.2 + - ac-6.3 + - ac-6.5 + - ac-6.7 + - ac-6.9 + - ac-6.10 + - ac-7 + - ac-8 + - ac-10 + - ac-11 + - ac-11.1 + - ac-12 + - ac-14 + - ac-17 + - ac-17.1 + - ac-17.2 + - ac-17.3 + - ac-17.4 + - ac-18 + - ac-18.1 + - ac-18.3 + - ac-18.4 + - ac-18.5 + - ac-19 + - ac-19.5 + - ac-20 + - ac-20.1 + - ac-20.2 + - ac-21 + - ac-22 + - at-1 + - at-2 + - at-2.2 + - at-2.3 + - at-3 + - at-4 + - au-1 + - au-2 + - au-3 + - au-3.1 + - au-4 + - au-5 + - au-5.1 + - au-5.2 + - au-6 + - au-6.1 + - au-6.3 + - au-6.5 + - au-6.6 + - au-7 + - au-7.1 + - au-8 + - au-9 + - au-9.2 + - au-9.3 + - au-9.4 + - au-10 + - au-11 + - au-12 + - au-12.1 + - au-12.3 + - ca-1 + - ca-2 + - ca-2.1 + - ca-2.2 + - ca-3 + - ca-3.6 + - ca-5 + - ca-6 + - ca-7 + - ca-7.1 + - ca-7.4 + - ca-8 + - ca-8.1 + - ca-9 + - cm-1 + - cm-2 + - cm-2.2 + - cm-2.3 + - cm-2.7 + - cm-3 + - cm-3.1 + - cm-3.2 + - cm-3.4 + - cm-3.6 + - cm-4 + - cm-4.1 + - cm-4.2 + - cm-5 + - cm-5.1 + - cm-6 + - cm-6.1 + - cm-6.2 + - cm-7 + - cm-7.1 + - cm-7.2 + - cm-7.5 + - cm-8 + - cm-8.1 + - cm-8.2 + - cm-8.3 + - cm-8.4 + - cm-9 + - cm-10 + - cm-11 + - cm-12 + - cm-12.1 + - cp-1 + - cp-2 + - cp-2.1 + - cp-2.2 + - cp-2.3 + - cp-2.5 + - cp-2.8 + - cp-3 + - cp-3.1 + - cp-4 + - cp-4.1 + - cp-4.2 + - cp-6 + - cp-6.1 + - cp-6.2 + - cp-6.3 + - cp-7 + - cp-7.1 + - cp-7.2 + - cp-7.3 + - cp-7.4 + - cp-8 + - cp-8.1 + - cp-8.2 + - cp-8.3 + - cp-8.4 + - cp-9 + - cp-9.1 + - cp-9.2 + - cp-9.3 + - cp-9.5 + - cp-9.8 + - cp-10 + - cp-10.2 + - cp-10.4 + - ia-1 + - ia-2 + - ia-2.1 + - ia-2.2 + - ia-2.5 + - ia-2.8 + - ia-2.12 + - ia-3 + - ia-4 + - ia-4.4 + - ia-5 + - ia-5.1 + - ia-5.2 + - ia-5.6 + - ia-6 + - ia-7 + - ia-8 + - ia-8.1 + - ia-8.2 + - ia-8.4 + - ia-11 + - ia-12 + - ia-12.2 + - ia-12.3 + - ia-12.4 + - ia-12.5 + - ir-1 + - ir-2 + - ir-2.1 + - ir-2.2 + - ir-3 + - ir-3.2 + - ir-4 + - ir-4.1 + - ir-4.4 + - ir-4.11 + - ir-5 + - ir-5.1 + - ir-6 + - ir-6.1 + - ir-6.3 + - ir-7 + - ir-7.1 + - ir-8 + - ma-1 + - ma-2 + - ma-2.2 + - ma-3 + - ma-3.1 + - ma-3.2 + - ma-3.3 + - ma-4 + - ma-4.3 + - ma-5 + - ma-5.1 + - ma-6 + - mp-1 + - mp-2 + - mp-3 + - mp-4 + - mp-5 + - mp-6 + - mp-6.1 + - mp-6.2 + - mp-6.3 + - mp-7 + - pe-1 + - pe-2 + - pe-3 + - pe-3.1 + - pe-4 + - pe-5 + - pe-6 + - pe-6.1 + - pe-6.4 + - pe-8 + - pe-8.1 + - pe-9 + - pe-10 + - pe-11 + - pe-11.1 + - pe-12 + - pe-13 + - pe-13.1 + - pe-13.2 + - pe-14 + - pe-15 + - pe-15.1 + - pe-16 + - pe-17 + - pe-18 + - pl-1 + - pl-2 + - pl-4 + - pl-4.1 + - pl-8 + - pl-10 + - pl-11 + - ps-1 + - ps-2 + - ps-3 + - ps-4 + - ps-4.2 + - ps-5 + - ps-6 + - ps-7 + - ps-8 + - ps-9 + - ra-1 + - ra-2 + - ra-3 + - ra-3.1 + - ra-5 + - ra-5.2 + - ra-5.4 + - ra-5.5 + - ra-5.11 + - ra-7 + - ra-9 + - sa-1 + - sa-2 + - sa-3 + - sa-4 + - sa-4.1 + - sa-4.2 + - sa-4.5 + - sa-4.9 + - sa-4.10 + - sa-5 + - sa-8 + - sa-9 + - sa-9.2 + - sa-10 + - sa-11 + - sa-15 + - sa-15.3 + - sa-16 + - sa-17 + - sa-21 + - sa-22 + - sc-1 + - sc-2 + - sc-3 + - sc-4 + - sc-5 + - sc-7 + - sc-7.3 + - sc-7.4 + - sc-7.5 + - sc-7.7 + - sc-7.8 + - sc-7.18 + - sc-7.21 + - sc-8 + - sc-8.1 + - sc-10 + - sc-12 + - sc-12.1 + - sc-13 + - sc-15 + - sc-17 + - sc-18 + - sc-20 + - sc-21 + - sc-22 + - sc-23 + - sc-24 + - sc-28 + - sc-28.1 + - sc-39 + - si-1 + - si-2 + - si-2.2 + - si-3 + - si-4 + - si-4.2 + - si-4.4 + - si-4.5 + - si-4.10 + - si-4.12 + - si-4.14 + - si-4.20 + - si-4.22 + - si-5 + - si-5.1 + - si-6 + - si-7 + - si-7.1 + - si-7.2 + - si-7.5 + - si-7.7 + - si-7.15 + - si-8 + - si-8.2 + - si-10 + - si-11 + - si-12 + - si-16 + - sr-1 + - sr-2 + - sr-2.1 + - sr-3 + - sr-5 + - sr-6 + - sr-8 + - sr-9 + - sr-9.1 + - sr-10 + - sr-11 + - sr-11.1 + - sr-11.2 + - sr-12 + merge: + as-is: true + back-matter: + resources: + - uuid: 84cbf061-eb87-4ec1-8112-1f529232e907 + description: 'NIST Special Publication 800-53 Revision 5: Security and Privacy Controls for Federal Information Systems and Organizations' + rlinks: + - href: ../../../../nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_catalog.xml + media-type: application/oscal.catalog+xml + - href: ../../../../nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json + media-type: application/oscal.catalog+json + - href: ../../../../nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_catalog.yaml + media-type: application/oscal.catalog+yaml \ No newline at end of file diff --git a/roscal_cli/tests/data/ssp.yaml b/roscal_cli/tests/data/ssp.yaml new file mode 100644 index 0000000..202d6da --- /dev/null +++ b/roscal_cli/tests/data/ssp.yaml @@ -0,0 +1,286 @@ +system-security-plan: + uuid: 5e139edd-86aa-4b65-8431-1192bd276658 + metadata: + title: IFA GoodRead System Security Plan + published: "2023-05-19T14:46:54-04:00" + last-modified: "2024-03-01T13:57:28.355446-04:00" + version: "1.1" + oscal-version: 1.1.2 + roles: + - id: owner + title: IFA GoodRead Owner + - id: developer + title: IFA GoodRead Developer + - id: system-engineer + title: IFA GoodRead System Engineer + - id: public-affairs-office + title: IFA Public Affairs Office + parties: + - uuid: ba9c12bd-e5ef-46b6-95a2-4d8e7f864c1a + type: person + name: Owen Stilskin + member-of-organizations: + - 3a675986-b4ff-4030-b178-e953c2e55d64 + - uuid: 67c04291-dbf6-495a-a3ba-0011638acc94 + type: person + name: Juno Styles + member-of-organizations: + - 3a675986-b4ff-4030-b178-e953c2e55d64 + - uuid: 4ba3f2b7-e894-48d7-b940-91c68661df55 + type: person + name: Xavier Jones + member-of-organizations: + - 3a675986-b4ff-4030-b178-e953c2e55d64 + - uuid: 3a675986-b4ff-4030-b178-e953c2e55d64 + type: organization + name: Important Federal Agency + short-name: IFA + links: + - href: https://www.ifa.gov + rel: website + responsible-parties: + - role-id: owner + party-uuids: + - ba9c12bd-e5ef-46b6-95a2-4d8e7f864c1a + - role-id: developer + party-uuids: + - 67c04291-dbf6-495a-a3ba-0011638acc94 + - role-id: system-engineer + party-uuids: + - 4ba3f2b7-e894-48d7-b940-91c68661df55 + import-profile: + href: ../select/profile.oscal.json + system-characteristics: + system-ids: + - identifier-type: http://ietf.org/rfc/rfc4122 + id: 8101e04d-8305-4e73-bb95-6b59f645b143 + system-name: IFA GoodRead + description: This system acts as a link shortener for IFA employees + date-authorized: "2023-05-19" + security-sensitivity-level: moderate + system-information: + information-types: + - uuid: bccfbb65-a7f3-41ac-989f-01d96eddfdc7 + title: User-provided Links + description: This system maintains a set of user-provided links and their associated shortlinks + categorizations: + - system: https://doi.org/10.6028/NIST.SP.800-60v2r1 + information-type-ids: + - C.2.8.12 + confidentiality-impact: + base: fips-199-low + integrity-impact: + base: fips-199-low + selected: fips-199-moderate + adjustment-justification: Maliciously modified links are a concern + availability-impact: + base: fips-199-low + security-impact-level: + security-objective-confidentiality: low + security-objective-integrity: medium + security-objective-availability: low + status: + state: operational + authorization-boundary: + description: This section describes an attached diagram of the authorization boundary for IFA GoodRead Project's information system. + network-architecture: + description: This section describes an attached diagram of the network architecture for IFA GoodRead Project's information system. + data-flow: + description: This section describes an attached diagram of various dataflows for application and related elements of the IFA GoodRead Project's information system. + system-implementation: + users: + - uuid: 00d323d3-dc3f-4d93-900f-f13430e094d3 + title: Application Administrator + description: The developer of the application supports IFA Public Affairs Officers by administering the application and its infrastructure. + role-ids: + - developer + authorized-privileges: + - title: Application Administrator Privilege + functions-performed: + - user-creation + - user-enablement + - user-disablement + - user-role-modification + - popular-shortlink-cache-reset + - database-export + - database-migration + - uuid: 61405ba7-edb4-4243-8461-79aac5805e5c + title: Public Affairs Officers + description: IFA Public Affairs Officers (PAOs) in each division of the agency review public communications to citizens who are customers of the IFA. PAOs review requests from colleagues to generate and publish content that is the target of a shortlink and can unpublish shortlinks. + role-ids: + - public-affairs-office + authorized-privileges: + - title: Public Affairs Officer Privilege + functions-performed: + - shortlink-generation + - shortlink-approval + - shortlink-rejection + - shortlink-publication + - shortlink-unpublication + - uuid: fb36760a-143d-490b-8fc4-6a8c172fba86 + title: General Public + description: The general public is free to click on shortlinks + authorized-privileges: + - title: General Public Privilege + functions-performed: + - shortlink-view + components: + - uuid: 551b9706-d6a4-4d25-8207-f2ccec548b89 + type: this-system + title: IFA GoodRead System + description: 'IFA develops, operates, and maintains the GoodRead link shortener system to ' + status: + state: operational + responsible-roles: + - role-id: developer + party-uuids: + - 67c04291-dbf6-495a-a3ba-0011638acc94 + - role-id: system-engineer + party-uuids: + - 4ba3f2b7-e894-48d7-b940-91c68661df55 + inventory-items: + - uuid: 4392599a-9117-416a-87d1-24c7d1b2dd0b + description: This is the custom GoodRead application within the system. + props: + - name: software-name + value: IFA GoodRead + class: webserver-application + - name: software-version + value: 1.0.0 + class: webserver-application + - name: asset-type + value: web-server + class: webserver-application + implemented-components: + - component-uuid: 551b9706-d6a4-4d25-8207-f2ccec548b89 + props: + - name: asset-id + value: IFAGOV-SYSTEM1234-GOODREAD + - uuid: d911b560-f564-4715-8d2a-76f86127ac73 + description: This is the web application framework upon which the developer writes the custom GoodRead application for the user interface and API of this system. + props: + - name: software-name + value: Django Framework + class: webserver-framework + - name: software-version + value: 4.2.1 + class: webserver-framework + - name: asset-type + value: web-server + class: webserver-framework + implemented-components: + - component-uuid: 551b9706-d6a4-4d25-8207-f2ccec548b89 + props: + - name: asset-id + value: IFAGOV-SYSTEM1234-GOODREAD + - uuid: 3e3a8d9a-e3d6-4c7d-b59b-a8d6514fa4a2 + description: This is the database for the custom GoodRead application within the system. + props: + - name: software-name + value: PostgreSQL + class: database + - name: software-version + value: "15.3" + class: database + - name: asset-type + value: database + class: database + implemented-components: + - component-uuid: 551b9706-d6a4-4d25-8207-f2ccec548b89 + props: + - name: asset-id + value: IFAGOV-SYSTEM1234-GOODREAD + - uuid: 0fb95c4c-ebfd-492e-8145-363eb7947dbe + description: This is the operating system for the web server that runs the custom GoodRead application within the system. + props: + - name: software-name + value: Red Hat Enterprise Linux 9 + class: operating-system + - name: asset-type + value: operating-system + class: operating-system + implemented-components: + - component-uuid: 551b9706-d6a4-4d25-8207-f2ccec548b89 + props: + - name: asset-id + value: IFAGOV-SYSTEM1234-GOODREAD + - uuid: cd39f700-23ab-4574-a17e-c9c8f073cbec + description: This inventory item is an instance from the AwesomeCloud Awesome Compute Service (ACS) Service. It is a Linux server. + props: + - name: asset-id + value: instance-abcd1234 + class: linux-server + - name: ipv4-address + value: 172.1.2.3 + class: linux-server + - name: ipv4-address + value: 1.1.2.3 + class: linux-server + - name: uri + value: instance-abcd1234.acs.awesomecloud.systems + class: linux-server + - name: asset-type + value: appliance + class: linux-server + implemented-components: + - component-uuid: 551b9706-d6a4-4d25-8207-f2ccec548b89 + props: + - name: asset-id + value: IFAGOV-SYSTEM1234-GOODREAD + - uuid: d9550535-40b9-4d8b-861c-07aa8786bf43 + description: This inventory item is an instance from the AwesomeCloud Awesome Load Balancer (ALB) Service. It is a Linux server. + props: + - name: asset-type + value: appliance + class: network-load-balancer + - name: asset-id + value: instance-defg7890 + class: linux-server + - name: uri + value: https://instance-defg7890.alb.awesomecloud.systems + class: network-load-balancer + implemented-components: + - component-uuid: 551b9706-d6a4-4d25-8207-f2ccec548b89 + props: + - name: asset-id + value: IFAGOV-SYSTEM1234-GOODREAD + control-implementation: + description: This is the control implementation for the application and infrastructure that compose to the IFA GoodRead Project's system. + set-parameters: + - param-id: ac-06.01_odp.01 + values: + - individuals and roles with authorized access to security functions and security-relevant information are defined and not available to all users of the system; + - param-id: ac-06.01_odp.02 + values: + - security functions (deployed in hardware) for authorized access are defined; + - param-id: ac-06.01_odp.03 + values: + - security functions (deployed in soware) for authorized access are defined; + - param-id: ac-06.01_odp.04 + values: + - security functions (deployed in firmware) for authorized access are defined; + - param-id: ac-06.01_odp.05 + values: + - security-relevant information for authorized access is defined; + implemented-requirements: + - uuid: d5f9b263-965d-440b-99e7-77f5df670a11 + control-id: ac-6.1 + by-components: + - component-uuid: 551b9706-d6a4-4d25-8207-f2ccec548b89 + uuid: a4c2d318-26a9-49df-9818-ee0acaf066f2 + description: |- + The IFA GoodRead application and infrastructure are composed as designed and implemented with lease privilege for the elements of this system. + + For the IFA GoodRead application, the custom application is designed and implemented on top of the Django Framework to enforce least privilege. The application has a role for IFA Public Affairs Officers and one for the developers for privileged permissions, respectively. Only the latter can access or change administrative and security configurations and related data. + + The Django Framework and Django REST Framework (DRF), by default, allows any user with the `is_staff` role attribute to access administrative functions in an application using the framework. IFA GoodRead developers have disabled this behavior, relying on the custom roles identified in the relevant section. + + For the IFA GoodRead database, the system account and accredentials for the application to read and write to the system datastore has specific read and write authorization for specific tables. This database service account does not have full administrative permissions to add, modify, or delete all respective tables. For the production environment, only the IFA GoodRead developer has a dedicated account with equivalent permissions. Only local network socket access, within in the Linux server, is permitted by host firewall configuration. Remote access, privileged or unprivileged, is not allowed remotely and the system engineer must locally authenticate for access. + + For the RedHat Linux server upon which the IFA GoodRead application is deployed in this system, only the system engineer has a non-privileged user to log in remotely via the SSH protocol to perform ad-hoc inspection, monthly log review as required by policy and procedure, and emergency debugging of the system. Privileged system administration operations may only be performed with the `sudo` subsystem which requires a password, two-factor authentication, and has enhanced logging of all commands executed. The system engineer must log in remotely and then use `sudo` to elevate privileges. Remote access with the privileged account is prohibited by configuration and attempts are logged. + + For this remote SSH access, least privilege is additionally enforced by allowing this access via a specific network zone in the IFA GoodRead AwesomeCloud account accessible to only the system engineer via IFA's VPN solution, which requires the system engineer use a dedicated account with their own password and two-factor authentication token. + + For cloud account and API access to reconfigure the Linux server and its load balancer, administrative access is only allowed for the system engineer via a special AwesomeCloud IAM role. The authentication and authorization for this role is controlled by an integration with the organization's single sign-on solution. This solution will only be accessible and correctly execute for them when they are on the VPN with their account with traffic forwarded to the appropriate network zone in the IFA GoodRead account in AwesomeCloud. It will not work the developer or any staff users of the application. + implementation-status: + state: implemented \ No newline at end of file diff --git a/roscal_cli/tests/dissect.rs b/roscal_cli/tests/dissect.rs new file mode 100644 index 0000000..f0d5b0f --- /dev/null +++ b/roscal_cli/tests/dissect.rs @@ -0,0 +1,200 @@ +use assert_cmd::Command; +use tempfile::tempdir; + +#[test] +fn cli_dissect_single_block() { + let dir = tempdir().unwrap(); + let dir_arg = dir.as_ref().to_str().unwrap(); + let mut cmd = Command::cargo_bin("roscal").unwrap(); + let assert = cmd + .args(&[ + "dissect", + "--file", + "tests/data/catalog.yaml", + "--model", + "Catalog", + "--blocks", + "uuid", + "--output-dir", + dir_arg, + ]) + .assert(); + assert.success(); + dir.close().unwrap() +} + +#[test] +fn cli_dissect_all_block() { + let dir = tempdir().unwrap(); + let dir_arg = dir.as_ref().to_str().unwrap(); + let mut cmd = Command::cargo_bin("roscal").unwrap(); + let assert = cmd + .args(&[ + "dissect", + "--file", + "tests/data/catalog.yaml", + "--model", + "Catalog", + "--blocks", + "all", + "--output-dir", + dir_arg, + ]) + .assert(); + assert.success(); + dir.close().unwrap() +} + +#[test] +fn cli_dissect_multiple_blocks() { + let dir = tempdir().unwrap(); + let dir_arg = dir.as_ref().to_str().unwrap(); + let mut cmd = Command::cargo_bin("roscal").unwrap(); + let assert = cmd + .args(&[ + "dissect", + "--file", + "tests/data/catalog.yaml", + "--model", + "Catalog", + "--blocks", + "uuid,metadata", + "--output-dir", + dir_arg, + ]) + .assert(); + assert.success(); + dir.close().unwrap() +} + +#[test] +fn cli_dissect_multiple_dup_blocks() { + let dir = tempdir().unwrap(); + let dir_arg = dir.as_ref().to_str().unwrap(); + let mut cmd = Command::cargo_bin("roscal").unwrap(); + let assert = cmd + .args(&[ + "dissect", + "--file", + "tests/data/catalog.yaml", + "--model", + "Catalog", + "--blocks", + "uuid,uuid", + "--output-dir", + dir_arg, + ]) + .assert(); + assert.success(); + dir.close().unwrap() +} + +#[test] +fn cli_dissect_malformed() { + let dir = tempdir().unwrap(); + let dir_arg = dir.as_ref().to_str().unwrap(); + let mut cmd = Command::cargo_bin("roscal").unwrap(); + let assert = cmd + .args(&[ + "dissect", + "--file", + "tests/data/malformed", + "--model", + "Catalog", + "--blocks", + "all", + "--output-dir", + dir_arg, + ]) + .assert(); + assert.failure(); + dir.close().unwrap() +} + +#[test] +fn cli_wrong_file_loc() { + let dir = tempdir().unwrap(); + let dir_arg = dir.as_ref().to_str().unwrap(); + let mut cmd = Command::cargo_bin("roscal").unwrap(); + let assert = cmd + .args(&[ + "dissect", + "--file", + "tests/data/not", + "--model", + "catalog", + "--blocks", + "all", + "--output-dir", + dir_arg, + ]) + .assert(); + assert.stderr("Error: Could not determine the full path of the OSCAL model file: `tests/data/not`\n\nCaused by:\n No such file or directory (os error 2)\n"); + dir.close().unwrap() +} + +#[test] +fn cli_wrong_dissect_model() { + let dir = tempdir().unwrap(); + let dir_arg = dir.as_ref().to_str().unwrap(); + let mut cmd = Command::cargo_bin("roscal").unwrap(); + let assert = cmd + .args(&[ + "dissect", + "--file", + "tests/data/catalog.yaml", + "--model", + "invalid", + "--blocks", + "all", + "--output-dir", + dir_arg, + ]) + .assert(); + assert.stderr("Invalid model provided: invalid\n"); + dir.close().unwrap() +} + +#[test] +fn cli_wrong_dissect_block() { + let dir = tempdir().unwrap(); + let dir_arg = dir.as_ref().to_str().unwrap(); + let mut cmd = Command::cargo_bin("roscal").unwrap(); + let assert = cmd + .args(&[ + "dissect", + "--file", + "tests/data/catalog.yaml", + "--model", + "Catalog", + "--blocks", + "uuid,not", + "--output-dir", + dir_arg, + ]) + .assert(); + assert.stderr("Invalid catalog block provided: [\"uuid\", \"not\"]\n"); + dir.close().unwrap() +} + +#[test] +fn cli_wrong_dissect_block_multiple_with_all() { + let dir = tempdir().unwrap(); + let dir_arg = dir.as_ref().to_str().unwrap(); + let mut cmd = Command::cargo_bin("roscal").unwrap(); + let assert = cmd + .args(&[ + "dissect", + "--file", + "tests/data/catalog.yaml", + "--model", + "Catalog", + "--blocks", + "all,uuid", + "--output-dir", + dir_arg, + ]) + .assert(); + assert.stderr("Multiple block cannot include `all` option\n"); + dir.close().unwrap() +} diff --git a/roscal_cli/tests/merge.rs b/roscal_cli/tests/merge.rs new file mode 100644 index 0000000..34c70ce --- /dev/null +++ b/roscal_cli/tests/merge.rs @@ -0,0 +1,260 @@ +use std::{ + fs::{self, read_to_string, File}, + io::BufReader, +}; + +use assert_cmd::Command; +use roscal_lib::control::catalog::Catalog; +use tempfile::tempdir; +use walkdir::WalkDir; + +#[test] +fn cli_merge_update_uuid() { + let dir = tempdir().unwrap(); + let dir_arg = dir.as_ref().to_str().unwrap(); + let dissect_dir = format!( + "{}/tests/data/catalog.yaml", + std::env::current_dir().unwrap().to_string_lossy() + ); + + let mut cmd_dissect = Command::cargo_bin("roscal").unwrap(); + let assert_dissect = cmd_dissect + .args(&[ + "dissect", + "--file", + &dissect_dir, + "--model", + "Catalog", + "--blocks", + "all", + "--output-dir", + dir_arg, + ]) + .assert(); + assert_dissect.success(); + + for entry in WalkDir::new(dir_arg).min_depth(1).max_depth(1) { + let entry = entry.unwrap(); + let path = entry.path().to_str().unwrap(); + + let mut cmd = Command::cargo_bin("roscal").unwrap(); + let assert_v4 = cmd + .args(&[ + "merge", + "--dir", + path, + "--output-format", + "yaml", + "--output-dir", + path, + "--update-uuid", + "v4", + ]) + .assert(); + assert_v4.success(); + + let mut cmd = Command::cargo_bin("roscal").unwrap(); + let assert_v5 = cmd + .args(&[ + "merge", + "--dir", + path, + "--output-format", + "yaml", + "--output-dir", + path, + "--update-uuid", + "v5", + ]) + .assert(); + assert_v5.success(); + } + dir.close().unwrap() +} + +#[test] +fn cli_merge_modify_content() { + let dir = tempdir().unwrap(); + let dir_arg = dir.as_ref().to_str().unwrap(); + let dissect_dir = format!( + "{}/tests/data/catalog.yaml", + std::env::current_dir().unwrap().to_string_lossy() + ); + let uuid_dir = format!( + "{}/tests/data/edit_uuid", + std::env::current_dir().unwrap().to_string_lossy() + ); + let back_matter_dir = format!( + "{}/tests/data/edit_back_matter", + std::env::current_dir().unwrap().to_string_lossy() + ); + let uuid = read_to_string(uuid_dir).unwrap(); + let back_matter = read_to_string(back_matter_dir).unwrap(); + + let mut cmd_dissect = Command::cargo_bin("roscal").unwrap(); + let assert_dissect = cmd_dissect + .args(&[ + "dissect", + "--file", + &dissect_dir, + "--model", + "Catalog", + "--blocks", + "all", + "--output-dir", + dir_arg, + ]) + .assert(); + assert_dissect.success(); + + for entry in WalkDir::new(dir_arg).min_depth(1).max_depth(1) { + let entry = entry.unwrap(); + let path = entry.path().to_str().unwrap(); + + fs::write(format!("{}/modifiable/uuid.yaml", path), &uuid).unwrap(); + fs::write( + format!("{}/modifiable/back_matter.yaml", path), + &back_matter, + ) + .unwrap(); + + let mut cmd = Command::cargo_bin("roscal").unwrap(); + let assert = cmd + .args(&[ + "merge", + "--dir", + path, + "--output-format", + "yaml", + "--output-dir", + path, + ]) + .assert(); + assert.success(); + + let file = File::open(format!("{}/merged.yaml", path)).unwrap(); + let reader = BufReader::new(file); + let res: Catalog = serde_yaml::from_reader(reader).unwrap(); + assert_eq!( + "84cbf061-eb87-4ec1-8112-1f529232e907", + res.catalog.back_matter.unwrap().resources.unwrap()[0].uuid + ); + assert_eq!("74c8ba1e-5cd4-4ad1-bbfd-d888e2f6c721", res.catalog.uuid); + } + dir.close().unwrap() +} + +#[test] +fn cli_merge_wrong_dir() { + let dir = tempdir().unwrap(); + let dir_arg = dir.as_ref().to_str().unwrap(); + + let mut cmd = Command::cargo_bin("roscal").unwrap(); + let assert = cmd + .args(&[ + "merge", + "--dir", + "tests/data/not", + "--output-format", + "yaml", + "--output-dir", + dir_arg, + ]) + .assert(); + assert.stderr("Invalid directory provided: tests/data/not\n"); + dir.close().unwrap() +} + +#[test] +fn cli_merge_wrong_output_format() { + let dir = tempdir().unwrap(); + let dir_arg = dir.as_ref().to_str().unwrap(); + let dissect_dir = format!( + "{}/tests/data/catalog.yaml", + std::env::current_dir().unwrap().to_string_lossy() + ); + + let mut cmd_dissect = Command::cargo_bin("roscal").unwrap(); + let assert_dissect = cmd_dissect + .args(&[ + "dissect", + "--file", + &dissect_dir, + "--model", + "Catalog", + "--blocks", + "all", + "--output-dir", + dir_arg, + ]) + .assert(); + assert_dissect.success(); + + for entry in WalkDir::new(dir_arg).min_depth(1).max_depth(1) { + let entry = entry.unwrap(); + let path = entry.path().to_str().unwrap(); + + let mut cmd = Command::cargo_bin("roscal").unwrap(); + let assert = cmd + .args(&[ + "merge", + "--dir", + path, + "--output-format", + "ron", + "--output-dir", + path, + ]) + .assert(); + assert.stderr("Error: Unknown output format. Use json or yaml\n"); + } + dir.close().unwrap() +} + +#[test] +fn cli_merge_wrong_uuid() { + let dir = tempdir().unwrap(); + let dir_arg = dir.as_ref().to_str().unwrap(); + let dissect_dir = format!( + "{}/tests/data/catalog.yaml", + std::env::current_dir().unwrap().to_string_lossy() + ); + + let mut cmd_dissect = Command::cargo_bin("roscal").unwrap(); + let assert_dissect = cmd_dissect + .args(&[ + "dissect", + "--file", + &dissect_dir, + "--model", + "Catalog", + "--blocks", + "all", + "--output-dir", + dir_arg, + ]) + .assert(); + assert_dissect.success(); + + for entry in WalkDir::new(dir_arg).min_depth(1).max_depth(1) { + let entry = entry.unwrap(); + let path = entry.path().to_str().unwrap(); + + let mut cmd = Command::cargo_bin("roscal").unwrap(); + let assert = cmd + .args(&[ + "merge", + "--dir", + path, + "--output-format", + "yaml", + "--output-dir", + path, + "--update-uuid", + "v8", + ]) + .assert(); + assert.stderr("Error: Unknown uuid version. Use v4 or v5\n"); + } + dir.close().unwrap() +} diff --git a/roscal_cli/tests/roundtrip.rs b/roscal_cli/tests/roundtrip.rs new file mode 100644 index 0000000..2ecdb9b --- /dev/null +++ b/roscal_cli/tests/roundtrip.rs @@ -0,0 +1,279 @@ +use assert_cmd::Command; +use tempfile::tempdir; +use walkdir::WalkDir; + +#[test] +fn cli_roundtrip_ap() { + let dir = tempdir().unwrap(); + let dir_arg = dir.as_ref().to_str().unwrap(); + let dissect_dir = format!( + "{}/tests/data/ap.yaml", + std::env::current_dir().unwrap().to_string_lossy() + ); + + let mut cmd_dissect = Command::cargo_bin("roscal").unwrap(); + let assert_dissect = cmd_dissect + .args(&[ + "dissect", + "--file", + &dissect_dir, + "--model", + "AssessmentPlan", + "--blocks", + "all", + "--output-dir", + dir_arg, + ]) + .assert(); + assert_dissect.success(); + + for entry in WalkDir::new(dir_arg).min_depth(1).max_depth(1) { + let entry = entry.unwrap(); + let path = entry.path().to_str().unwrap(); + + let mut cmd = Command::cargo_bin("roscal").unwrap(); + let assert = cmd + .args(&[ + "merge", + "--dir", + path, + "--output-format", + "yaml", + "--output-dir", + path, + ]) + .assert(); + assert.success(); + } + dir.close().unwrap() +} + +#[test] +fn cli_roundtrip_ar() { + let dir = tempdir().unwrap(); + let dir_arg = dir.as_ref().to_str().unwrap(); + let dissect_dir = format!( + "{}/tests/data/ar.yaml", + std::env::current_dir().unwrap().to_string_lossy() + ); + + let mut cmd_dissect = Command::cargo_bin("roscal").unwrap(); + let assert_dissect = cmd_dissect + .args(&[ + "dissect", + "--file", + &dissect_dir, + "--model", + "AssessmentResults", + "--blocks", + "all", + "--output-dir", + dir_arg, + ]) + .assert(); + assert_dissect.success(); + + for entry in WalkDir::new(dir_arg).min_depth(1).max_depth(1) { + let entry = entry.unwrap(); + let path = entry.path().to_str().unwrap(); + + let mut cmd = Command::cargo_bin("roscal").unwrap(); + let assert = cmd + .args(&[ + "merge", + "--dir", + path, + "--output-format", + "yaml", + "--output-dir", + path, + ]) + .assert(); + assert.success(); + } + dir.close().unwrap() +} + +#[test] +fn cli_roundtrip_comp_def() { + let dir = tempdir().unwrap(); + let dir_arg = dir.as_ref().to_str().unwrap(); + let dissect_dir = format!( + "{}/tests/data/compdef.yaml", + std::env::current_dir().unwrap().to_string_lossy() + ); + + let mut cmd_dissect = Command::cargo_bin("roscal").unwrap(); + let assert_dissect = cmd_dissect + .args(&[ + "dissect", + "--file", + &dissect_dir, + "--model", + "ComponentDefinition", + "--blocks", + "all", + "--output-dir", + dir_arg, + ]) + .assert(); + assert_dissect.success(); + + for entry in WalkDir::new(dir_arg).min_depth(1).max_depth(1) { + let entry = entry.unwrap(); + let path = entry.path().to_str().unwrap(); + + let mut cmd = Command::cargo_bin("roscal").unwrap(); + let assert = cmd + .args(&[ + "merge", + "--dir", + path, + "--output-format", + "yaml", + "--output-dir", + path, + ]) + .assert(); + assert.success(); + } + dir.close().unwrap() +} + +#[test] +fn cli_roundtrip_poam() { + let dir = tempdir().unwrap(); + let dir_arg = dir.as_ref().to_str().unwrap(); + let dissect_dir = format!( + "{}/tests/data/poam.yaml", + std::env::current_dir().unwrap().to_string_lossy() + ); + + let mut cmd_dissect = Command::cargo_bin("roscal").unwrap(); + let assert_dissect = cmd_dissect + .args(&[ + "dissect", + "--file", + &dissect_dir, + "--model", + "Poam", + "--blocks", + "all", + "--output-dir", + dir_arg, + ]) + .assert(); + assert_dissect.success(); + + for entry in WalkDir::new(dir_arg).min_depth(1).max_depth(1) { + let entry = entry.unwrap(); + let path = entry.path().to_str().unwrap(); + + let mut cmd = Command::cargo_bin("roscal").unwrap(); + let assert = cmd + .args(&[ + "merge", + "--dir", + path, + "--output-format", + "yaml", + "--output-dir", + path, + ]) + .assert(); + assert.success(); + } + dir.close().unwrap() +} + +#[test] +fn cli_roundtrip_profile() { + let dir = tempdir().unwrap(); + let dir_arg = dir.as_ref().to_str().unwrap(); + let dissect_dir = format!( + "{}/tests/data/profile.yaml", + std::env::current_dir().unwrap().to_string_lossy() + ); + + let mut cmd_dissect = Command::cargo_bin("roscal").unwrap(); + let assert_dissect = cmd_dissect + .args(&[ + "dissect", + "--file", + &dissect_dir, + "--model", + "Profile", + "--blocks", + "all", + "--output-dir", + dir_arg, + ]) + .assert(); + assert_dissect.success(); + + for entry in WalkDir::new(dir_arg).min_depth(1).max_depth(1) { + let entry = entry.unwrap(); + let path = entry.path().to_str().unwrap(); + + let mut cmd = Command::cargo_bin("roscal").unwrap(); + let assert = cmd + .args(&[ + "merge", + "--dir", + path, + "--output-format", + "yaml", + "--output-dir", + path, + ]) + .assert(); + assert.success(); + } + dir.close().unwrap() +} + +#[test] +fn cli_roundtrip_ssp() { + let dir = tempdir().unwrap(); + let dir_arg = dir.as_ref().to_str().unwrap(); + let dissect_dir = format!( + "{}/tests/data/ssp.yaml", + std::env::current_dir().unwrap().to_string_lossy() + ); + + let mut cmd_dissect = Command::cargo_bin("roscal").unwrap(); + let assert_dissect = cmd_dissect + .args(&[ + "dissect", + "--file", + &dissect_dir, + "--model", + "Ssp", + "--blocks", + "all", + "--output-dir", + dir_arg, + ]) + .assert(); + assert_dissect.success(); + + for entry in WalkDir::new(dir_arg).min_depth(1).max_depth(1) { + let entry = entry.unwrap(); + let path = entry.path().to_str().unwrap(); + + let mut cmd = Command::cargo_bin("roscal").unwrap(); + let assert = cmd + .args(&[ + "merge", + "--dir", + path, + "--output-format", + "yaml", + "--output-dir", + path, + ]) + .assert(); + assert.success(); + } + dir.close().unwrap() +} diff --git a/roscal_lib/Cargo.toml b/roscal_lib/Cargo.toml new file mode 100644 index 0000000..88339f6 --- /dev/null +++ b/roscal_lib/Cargo.toml @@ -0,0 +1,39 @@ +[package] +name = "roscal_lib" +version = "0.1.0" +edition = "2021" +authors = ["Geoffrey Borough "] +readme = "README.md" +homepage = "https://github.com/gborough/roscal" +repository = "https://github.com/gborough/roscal" +description = """ +Open Security Controls Assessment Language In Rust +""" +license = "MIT OR Apache-2.0" +keywords = ["OSCAL", "cybersecurity"] +categories = ["api-bindings", "encoding"] +publish = ["crates-io"] + +[dependencies] +chrono = { version = "0.4.34", features = ["serde"] } +derivative = "2.2.0" +derive_builder = "0.20.0" +lazy_static = "1.4.0" +pulldown-cmark = "0.10.0" +regex = "1.10.2" +serde = { version = "1.0.197", features = ["derive"] } +strum = { version = "0.26.1", features = ["derive"] } +uriparse = "0.6.4" +uuid = { version = "1.6.1", features = ["v4", "v5", "fast-rng", "serde"] } + +[dev-dependencies] +serde_json = "1.0.114" +serde_yaml = "0.9.32" + +[build-dependencies] +json-schema-diff = "0.1.7" +prettyplease = "0.2.16" +proc-macro2 = "1.0.78" +serde_json = "1.0.114" +syn = {version = "2.0.50", features = ["full"]} +quote = "1.0.35" \ No newline at end of file diff --git a/roscal_lib/README.md b/roscal_lib/README.md new file mode 100644 index 0000000..2934e15 --- /dev/null +++ b/roscal_lib/README.md @@ -0,0 +1,20 @@ +# roscal_lib: Referential implementation of Open Security Controls Assessment Language(OSCAL) + +This library enables users to programmatically build, and parse various OSCAL +models using the builder pattern, with bi-directional validation enabled on key +fields during serialisation/deserialisation. + +All textual fields are represented as `String` type such as uuid, datetime etc. +This library strives to be unopinionated about which libraries user use to build +certain data fields, therefore it does not re-export some of the libraries used +internally for validation. The libraries for building these types +are specified Cargo.toml such as `chrono`, `uriparse`, `uuid` etc, although you +can follow the OSCAL specification and choose whichever that conforms to the requirements. +See + +Currently the latest v1.x is being tracked by this library and compatible all the way +back to v1.0.0. It primarily supports the roscal_cli tool. + +Note: The generation of Rust structs are done via external tool called quicktype. Future +plan is to migrate away from this and derive structs using a Rust native solution. The +naming of types are subject to change once this is completed. \ No newline at end of file diff --git a/roscal_lib/build.rs b/roscal_lib/build.rs new file mode 100644 index 0000000..947bf00 --- /dev/null +++ b/roscal_lib/build.rs @@ -0,0 +1,2833 @@ +use std::{ + env, + fs::File, + io::{BufReader, Read, Write}, + path::{Path, PathBuf}, + vec, +}; + +// macro_rules! p { +// ($($tokens: tt)*) => { +// println!("cargo:warning={}", format!($($tokens)*)) +// } +// } + +fn check_schema_diff() -> Result<(), Box> { + let current_dir = env::current_dir()?; + + let bu_path = format!( + "{}/jsonschema/baseline_unified/1.0.0.json", + current_dir.to_string_lossy() + ); + + let pu_path = format!( + "{}/jsonschema/previous_unified/1.1.1.json", + current_dir.to_string_lossy() + ); + + let tlu_path = format!( + "{}/jsonschema/tracking_latest_unified/1.1.2.json", + current_dir.to_string_lossy() + ); + + let bu = File::open(bu_path)?; + let bu_reader = BufReader::new(bu); + let pu = File::open(pu_path)?; + let pu_reader = BufReader::new(pu); + let tlu = File::open(tlu_path)?; + let tlu_reader = BufReader::new(tlu); + + let bu_schema: serde_json::Value = serde_json::from_reader(bu_reader)?; + let pu_schema: serde_json::Value = serde_json::from_reader(pu_reader)?; + let tlu_schema: serde_json::Value = serde_json::from_reader(tlu_reader)?; + + assert_eq!( + json_schema_diff::diff(bu_schema, pu_schema.clone())?, + vec![] + ); + assert_eq!(json_schema_diff::diff(pu_schema, tlu_schema)?, vec![]); + + Ok(()) +} + +fn read_file( + path: impl AsRef, +) -> Result> { + let mut file = File::open(path)?; + let mut content = String::new(); + file.read_to_string(&mut content)?; + + Ok(content) +} + +fn create_outout_path( + path: &str, + folder: &str, + parsed: String, +) -> Result<(), Box> { + let current_dir = env::current_dir()?; + let output_path = + format!("{}/src/{}/{}", current_dir.to_string_lossy(), folder, path); + let mut file = File::create(output_path)?; + + file.write_all(parsed.as_bytes())?; + + Ok(()) +} + +fn is_optional_type(path: &syn::Path) -> bool { + path.segments[0].ident == "Option" +} + +fn process_ast_common(ast: &mut syn::File) -> &mut syn::File { + ast.items.insert( + 0, + syn::parse_quote! { + use derive_builder::Builder; + }, + ); + + ast.items.insert( + 0, + syn::parse_quote! { + use strum::EnumString; + + }, + ); + + ast.items.insert( + 0, + syn::parse_quote! { + use derivative::Derivative; + + }, + ); + + ast.items.insert( + 4, + syn::parse_quote! { + use crate::validation; + }, + ); + + ast.items.iter_mut().for_each(|ref mut item| { + if let syn::Item::Struct(item_struct) = item { + item_struct.attrs.insert( + 0, + syn::parse_quote! { + #[derive(ToBeReplaced)] + }, + ); + item_struct.attrs.extend(vec![ + syn::parse_quote! { + #[derive(Builder, Derivative)] + }, + syn::parse_quote! { + #[builder(setter(into, strip_option))] + }, + syn::parse_quote! { + #[derivative(PartialEq)] + }, + syn::parse_quote! { + #[serde(deny_unknown_fields)] + }, + ]); + + (&mut item_struct.fields) + .into_iter() + .for_each(|ref mut field| { + if let syn::Type::Path(typepath) = &field.ty { + if is_optional_type(&typepath.path) { + field.attrs.extend(vec![ + syn::parse_quote!{#[builder(setter(into, strip_option), default)]}, + syn::parse_quote!{#[serde(default, skip_serializing_if = "Option::is_none")]}]) + } + } + + if let Some(ident) = &mut field.ident { + if ident.to_string().as_str() == "remarks" { + field.attrs.push(syn::parse_quote! { + #[serde( + deserialize_with = "validation::deser_markup_opt" + )] + }) + } else if ident.to_string().as_str() == "uuid" { + if let syn::Type::Path(typepath) = &field.ty { + if is_optional_type(&typepath.path) { + field.attrs.extend(vec![ + syn::parse_quote! { + #[serde( + serialize_with = "validation::ser_uuid_opt", + deserialize_with = "validation::deser_uuid_opt" + )] + }, + syn::parse_quote! { + #[derivative(PartialEq="ignore")] + } + ]) + } else { + field.attrs.extend(vec![ + syn::parse_quote! { + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + }, + syn::parse_quote! { + #[derivative(PartialEq="ignore")] + } + ]) + } + } + } else if ident.to_string().as_str() == "activity_uuid" + || ident.to_string().as_str() == "actor_uuid" + || ident.to_string().as_str() == "component_uuid" + || ident.to_string().as_str() == "finding_uuid" + || ident.to_string().as_str() == "observation_uuid" + || ident.to_string().as_str() == "party_uuid" + || ident.to_string().as_str() == "response_uuid" + || ident.to_string().as_str() == "risk_uuid" + || ident.to_string().as_str() == "subject_placeholder_uuid" + || ident.to_string().as_str() == "subject_uuid" + || ident.to_string().as_str() == "subject_uuid" + || ident.to_string().as_str() == "task_uuid" { + field.attrs.push(syn::parse_quote! { + #[derivative(PartialEq="ignore")] + }) + } + } + }); + + let ident = item_struct.ident.to_string().clone(); + + if ident == "Action" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "date" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_dttz_opt", + deserialize_with = "validation::deser_dttz_opt" + )] + ) + ]) + } else if ident.to_string().clone() == "action_type" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + ) + ]) + } + } + }, + ) + } else if ident == "Activity" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "title" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + deserialize_with = "validation::deser_markup_opt" + )] + ) + ]) + } else if ident.to_string().clone() == "description" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + deserialize_with = "validation::deser_markup" + )] + ) + ]) + } + } + }, + ) + } else if ident == "Address" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "address_type" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + ) + ]) + } + } + }, + ) + } else if ident == "AssessedControls" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "description" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + deserialize_with = "validation::deser_markup_opt" + )] + ) + ]) + } + } + }, + ) + } else if ident == "AssessmentPart" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "name" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + ) + ]) + } else if ident.to_string().clone() == "ns" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_uri_opt", + deserialize_with = "validation::deser_uri_opt" + )] + ) + ]) + } else if ident.to_string().clone() == "class" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + ) + ]) + } else if ident.to_string().clone() == "title" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + deserialize_with = "validation::deser_markup_opt" + )] + ) + ]) + } + } + }, + ) + } else if ident == "AssessmentPlatform" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "title" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + deserialize_with = "validation::deser_markup_opt" + )] + ) + ]) + } + } + }, + ) + } else if ident == "AssociatedActivity" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "activity_uuid" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + ) + ]) + } + } + }, + ) + } else if ident == "Base64" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "filename" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + ) + ]) + } else if ident.to_string().clone() == "value" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_base64", + deserialize_with = "validation::deser_base64" + )] + ) + ]) + } + } + }, + ) + } else if ident == "Citation" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "text" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + deserialize_with = "validation::deser_markup" + )] + ) + ]) + } + } + }, + ) + } else if ident == "Component" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "component_type" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + ) + ]) + } else if ident.to_string().clone() == "title" || ident.to_string().clone() == "description" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + deserialize_with = "validation::deser_markup" + )] + ) + ]) + } else if ident.to_string().clone() == "purpose" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + deserialize_with = "validation::deser_markup_opt" + )] + ) + ]) + } + } + }, + ) + } else if ident == "Constraint" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "description" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde(deserialize_with = "validation::deser_markup_opt")] + ) + ]) + } + } + }, + ) + } else if ident == "ControlGroup" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "id" || ident.to_string().clone() == "class" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + ) + ]) + } else if ident.to_string().clone() == "title" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + deserialize_with = "validation::deser_markup" + )] + ) + ]) + } + } + }, + ) + } else if ident == "DocumentIdentifier" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "scheme" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_uri_opt", + deserialize_with = "validation::deser_uri_opt" + )] + ) + ]) + } + } + }, + ) + } else if ident == "DocumentMetadata" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "title" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + deserialize_with = "validation::deser_markup" + )] + ) + ]) + } else if ident.to_string().clone() == "last_modified" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_dttz", + deserialize_with = "validation::deser_dttz" + )] + ) + ]) + } + } + }, + ) + } else if ident == "Facet" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "name" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + ) + ]) + } else if ident.to_string().clone() == "system" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_uri", + deserialize_with = "validation::deser_uri" + )] + ) + ]) + } + } + }, + ) + } else if ident == "Finding" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "title" || ident.to_string().clone() == "description" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + deserialize_with = "validation::deser_markup" + )] + ) + ]) + } else if ident.to_string().clone() == "implementation_statement_uuid" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_uuid_opt", + deserialize_with = "validation::deser_uuid_opt" + )] + ) + ]) + } + } + }, + ) + } else if ident == "FindingRelatedObservation" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "observation_uuid" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + ) + ]) + } + } + }, + ) + } else if ident == "FrequencyCondition" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "period" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_positive_int", + deserialize_with = "validation::deser_positive_int" + )] + ) + ]) + } + } + }, + ) + } else if ident == "Guideline" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "prose" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + deserialize_with = "validation::deser_markup" + )] + ) + ]) + } + } + }, + ) + } else if ident == "Hash" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "value" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_hash", + deserialize_with = "validation::deser_hash" + )] + ) + ]) + } + } + }, + ) + } else if ident == "IdentifiedSubject" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "subject_placeholder_uuid" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + ) + ]) + } + } + }, + ) + } else if ident == "IdentifiedRisk" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "title" || ident.to_string().clone() == "description" || ident.to_string().clone() == "statement" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + deserialize_with = "validation::deser_markup" + )] + ) + ]) + } else if ident.to_string().clone() == "status" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + ) + ]) + } else if ident.to_string().clone() == "deadline" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_dttz_opt", + deserialize_with = "validation::deser_dttz_opt" + )] + ) + ]) + } + } + }, + ) + } else if ident == "IdentifiesTheSubject" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "subject_uuid" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + ) + ]) + } else if ident.to_string().clone() == "description" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + deserialize_with = "validation::deser_markup" + )] + ) + ]) + } + } + }, + ) + } else if ident == "ImplementedComponent" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "component_uuid" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + ) + ]) + } + } + }, + ) + } else if ident == "ImportSystemSecurityPlan" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "href" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_uri_ref", + deserialize_with = "validation::deser_uri_ref" + )] + ) + ]) + } + } + }, + ) + } else if ident == "InventoryItem" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "description" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + deserialize_with = "validation::deser_markup" + )] + ) + ]) + } + } + }, + ) + } else if ident == "Link" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "href" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_uri_ref", + deserialize_with = "validation::deser_uri_ref" + )] + ) + ]) + } else if ident.to_string().clone() == "rel" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + ) + ]) + } else if ident.to_string().clone() == "text" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + deserialize_with = "validation::deser_markup_opt" + )] + ) + ]) + } + } + }, + ) + } else if ident == "Location" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "title" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + deserialize_with = "validation::deser_markup_opt" + )] + ) + ]) + } else if ident.to_string().clone() == "email_addresses" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_email_vec_opt", + deserialize_with = "validation::deser_email_vec_opt" + )] + ) + ]) + } else if ident.to_string().clone() == "urls" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_uri_vec_opt", + deserialize_with = "validation::deser_uri_vec_opt" + )] + ) + ]) + } + } + }, + ) + } else if ident == "LoggedBy" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "party_uuid" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + ) + ]) + } else if ident.to_string().clone() == "role_id" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + ) + ]) + } + } + }, + ) + } else if ident == "MitigatingFactor" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "implementation_uuid" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_uuid_opt", + deserialize_with = "validation::deser_uuid_opt" + )] + ) + ]) + } else if ident.to_string().clone() == "description" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + deserialize_with = "validation::deser_markup" + )] + ) + ]) + } + } + }, + ) + } else if ident == "Observation" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "title" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + deserialize_with = "validation::deser_markup_opt" + )] + ) + ]) + } else if ident.to_string().clone() == "collected" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_dttz", + deserialize_with = "validation::deser_dttz" + )] + ) + ]) + } else if ident.to_string().clone() == "expires" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_dttz_opt", + deserialize_with = "validation::deser_dttz_opt" + )] + ) + ]) + } + } + }, + ) + } else if ident == "OriginatingActor" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "actor_uuid" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + ) + ]) + } else if ident.to_string().clone() == "role_id" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + ) + ]) + } + } + }, + ) + } else if ident == "Parameter" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "id" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + ) + ]) + } else if ident.to_string().clone() == "class" || ident.to_string().clone() == "depends_on" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + ) + ]) + } else if ident.to_string().clone() == "label" || ident.to_string().clone() == "usage" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + deserialize_with = "validation::deser_markup_opt" + )] + ) + ]) + } + } + }, + ) + } else if ident == "Part" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "id" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + ) + ]) + } else if ident.to_string().clone() == "name" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + ) + ]) + } else if ident.to_string().clone() == "ns" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_uri_opt", + deserialize_with = "validation::deser_uri_opt" + )] + ) + ]) + } else if ident.to_string().clone() == "class" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + ) + ]) + } else if ident.to_string().clone() == "title" || ident.to_string().clone() == "prose" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + deserialize_with = "validation::deser_markup_opt" + )] + ) + ]) + } + } + }, + ) + } else if ident == "Party" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "email_addresses" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_email_vec_opt", + deserialize_with = "validation::deser_email_vec_opt" + )] + ) + ]) + } else if ident.to_string().clone() == "member_of_organizations" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_uuid_vec_opt", + deserialize_with = "validation::deser_uuid_vec_opt" + )] + ) + ]) + } + } + }, + ) + } else if ident == "PartyExternalIdentifier" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "scheme" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_uri", + deserialize_with = "validation::deser_uri" + )] + ) + ]) + } + } + }, + ) + } else if ident == "PortRange" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "start" || ident.to_string().clone() == "end" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_non_neg_int_opt", + deserialize_with = "validation::deser_non_neg_int_opt" + )] + ) + ]) + } + } + }, + ) + } else if ident == "Privilege" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "description" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + deserialize_with = "validation::deser_markup_opt" + )] + ) + ]) + } + } + }, + ) + } else if ident == "Property" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "name" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + ) + ]) + } else if ident.to_string().clone() == "ns" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_uri_opt", + deserialize_with = "validation::deser_uri_opt" + )] + ) + ]) + } else if ident.to_string().clone() == "class" || ident.to_string().clone() == "group" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + ) + ]) + } + } + }, + ) + } else if ident == "ReferencedControlObjectives" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "description" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + deserialize_with = "validation::deser_markup_opt" + )] + ) + ]) + } + } + }, + ) + } else if ident == "RelevantEvidence" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "href" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_uri_ref_opt", + deserialize_with = "validation::deser_uri_ref_opt" + )] + ) + ]) + } + } + }, + ) + } else if ident == "RequiredAsset" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "title" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + deserialize_with = "validation::deser_markup_opt" + )] + ) + ]) + } else if ident.to_string().clone() == "description" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + deserialize_with = "validation::deser_markup" + )] + ) + ]) + } + } + }, + ) + } else if ident == "Resource" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "title" || ident.to_string().clone() == "description" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + deserialize_with = "validation::deser_markup_opt" + )] + ) + ]) + } + } + }, + ) + } else if ident == "ResourceLink" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "href" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_uri_ref", + deserialize_with = "validation::deser_uri_ref" + )] + ) + ]) + } + } + }, + ) + } else if ident == "ResponsibleParty" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "role_id" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + ) + ]) + } else if ident.to_string().clone() == "party_uuids" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_uuid_vec", + deserialize_with = "validation::deser_uuid_vec" + )] + ) + ]) + } + } + }, + ) + } else if ident == "ResponsibleRole" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "role_id" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + ) + ]) + } else if ident.to_string().clone() == "party_uuids" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_uuid_vec_opt", + deserialize_with = "validation::deser_uuid_vec_opt" + )] + ) + ]) + } + } + }, + ) + } else if ident == "ReviewedControlsAndControlObjectives" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "description" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + deserialize_with = "validation::deser_markup_opt" + )] + ) + ]) + } + } + }, + ) + } else if ident == "RevisionHistoryEntry" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "title" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + deserialize_with = "validation::deser_markup_opt" + )] + ) + ]) + } else if ident.to_string().clone() == "published" || ident.to_string().clone() == "last_modified" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_dttz_opt", + deserialize_with = "validation::deser_dttz_opt" + )] + ) + ]) + } + } + }, + ) + } else if ident == "RiskLogEntry" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "title" || ident.to_string().clone() == "description" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + deserialize_with = "validation::deser_markup_opt" + )] + ) + ]) + } else if ident.to_string().clone() == "start" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_dttz", + deserialize_with = "validation::deser_dttz" + )] + ) + ]) + } else if ident.to_string().clone() == "end" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_dttz_opt", + deserialize_with = "validation::deser_dttz_opt" + )] + ) + ]) + } else if ident.to_string().clone() == "status_change" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + ) + ]) + } + } + }, + ) + } else if ident == "RiskRelatedObservation" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "observation_uuid" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + ) + ]) + } + } + }, + ) + } else if ident == "RiskResponse" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "lifecycle" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + ) + ]) + } else if ident.to_string().clone() == "title" || ident.to_string().clone() == "description" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + deserialize_with = "validation::deser_markup" + )] + ) + ]) + } + } + }, + ) + } else if ident == "RiskResponseReference" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "response_uuid" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + ) + ]) + } + } + }, + ) + } else if ident == "Role" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "id" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + ) + ]) + } else if ident.to_string().clone() == "description" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + deserialize_with = "validation::deser_markup_opt" + )] + ) + ]) + } + } + }, + ) + } else if ident == "SelectAssessmentSubject" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "subject_uuid" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + ) + ]) + } else if ident.to_string().clone() == "select_assessment_subject_type" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + ) + ]) + } + } + }, + ) + } else if ident == "SelectObjective" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "objective_id" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + ) + ]) + } + } + }, + ) + } else if ident == "ServiceProtocolInformation" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "title" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + deserialize_with = "validation::deser_markup_opt" + )] + ) + ]) + } + } + }, + ) + } else if ident == "SetParameterValue" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "param_id" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + ) + ]) + } + } + }, + ) + } else if ident == "Step" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "title" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + deserialize_with = "validation::deser_markup_opt" + )] + ) + ]) + } else if ident.to_string().clone() == "description" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + deserialize_with = "validation::deser_markup" + )] + ) + ]) + } + } + }, + ) + } else if ident == "SubjectOfAssessment" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "subject_of_assessment_type" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + ) + ]) + } else if ident.to_string().clone() == "description" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + deserialize_with = "validation::deser_markup_opt" + )] + ) + ]) + } + } + }, + ) + } else if ident == "SystemIdentification" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "identifier_type" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_uri_opt", + deserialize_with = "validation::deser_uri_opt" + )] + ) + ]) + } + } + }, + ) + } else if ident == "SystemUser" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "title" || ident.to_string().clone() == "description" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + deserialize_with = "validation::deser_markup_opt" + )] + ) + ]) + } else if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "role_ids" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + deserialize_with = "validation::deser_token_vec_opt" + )] + ) + ]) + } + } + } + }, + ) + } else if ident == "TargetClass" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "target_id" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + ) + ]) + } else if ident.to_string().clone() == "title" || ident.to_string().clone() == "description" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + deserialize_with = "validation::deser_markup_opt" + )] + ) + ]) + } + } + }, + ) + } else if ident == "Task" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "task_type" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + ) + ]) + } else if ident.to_string().clone() == "title" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + deserialize_with = "validation::deser_markup" + )] + ) + ]) + } else if ident.to_string().clone() == "description" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + deserialize_with = "validation::deser_markup_opt" + )] + ) + ]) + } + } + }, + ) + } else if ident == "TaskDependency" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "task_uuid" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + ) + ]) + } + } + }, + ) + } else if ident == "TaskReference" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "task_uuid" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + ) + ]) + } + } + }, + ) + } else if ident == "ThreatId" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "href" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_uri_ref_opt", + deserialize_with = "validation::deser_uri_ref_opt" + )] + ) + ]) + } + } + }, + ) + } else if ident == "UsesComponent" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "component_uuid" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + ) + ]) + } + } + }, + ) + } + } else if let syn::Item::Enum(item_enum) = item { + item_enum.attrs.extend(vec![ + syn::parse_quote!( + #[non_exhaustive] + ), + syn::parse_quote!( + #[derive(EnumString, Derivative)] + ), + syn::parse_quote!( + #[derivative(PartialEq)] + ) + ]) + } + }); + + ast +} + +fn process_ast_assessment_plan(ast: &mut syn::File) -> String { + let ast = process_ast_common(ast); + + ast.items.iter_mut().for_each(|ref mut item| { + if let syn::Item::Struct(item_struct) = item { + let ident = item_struct.ident.to_string().clone(); + + if ident == "AssessmentSpecificControlObjective" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "control_id" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + ) + ]) + } else if ident.to_string().clone() == "description" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + deserialize_with = "validation::deser_markup_opt" + )] + ) + ]) + } + } + }, + ) + } else if ident == "SelectControl" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "control_id" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + ) + ]) + } else if ident.to_string().clone() == "statement_ids" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_token_vec_opt", + deserialize_with = "validation::deser_token_vec_opt" + )] + ) + ]) + } + } + }, + ) + } + } + }); + + prettyplease::unparse(ast).replace("#[derive(ToBeReplaced)]", "") +} + +fn process_ast_assessment_results(ast: &mut syn::File) -> String { + let ast = process_ast_common(ast); + + ast.items.iter_mut().for_each(|ref mut item| { + if let syn::Item::Struct(item_struct) = item { + let ident = item_struct.ident.to_string().clone(); + + if ident == "AssessmentLogEntry" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "title" || ident.to_string().clone() == "description" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + deserialize_with = "validation::deser_markup_opt" + )] + ) + ]) + } else if ident.to_string().clone() == "start" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_dttz", + deserialize_with = "validation::deser_dttz" + )] + ) + ]) + } else if ident.to_string().clone() == "end" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_dttz_opt", + deserialize_with = "validation::deser_dttz_opt" + )] + ) + ]) + } + } + }, + ) + } else if ident == "AssessmentResult" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "title" || ident.to_string().clone() == "description" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + deserialize_with = "validation::deser_markup" + )] + ) + ]) + } else if ident.to_string().clone() == "start" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_dttz", + deserialize_with = "validation::deser_dttz" + )] + ) + ]) + } else if ident.to_string().clone() == "end" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_dttz_opt", + deserialize_with = "validation::deser_dttz_opt" + )] + ) + ]) + } + } + }, + ) + } else if ident == "AssociatedRisk" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "risk_uuid" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + ) + ]) + } + } + }, + ) + } else if ident == "ImportAssessmentPlan" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "href" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_uri_ref", + deserialize_with = "validation::deser_uri_ref" + )] + ) + ]) + } + } + }, + ) + } else if ident == "SelectControl" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "control_id" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + ) + ]) + } else if ident.to_string().clone() == "statement_ids" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_token_vec_opt", + deserialize_with = "validation::deser_token_vec_opt" + )] + ) + ]) + } + } + }, + ) + } + } + }); + + prettyplease::unparse(ast).replace("#[derive(ToBeReplaced)]", "") +} + +fn process_ast_poam(ast: &mut syn::File) -> String { + let ast = process_ast_common(ast); + + ast.items.iter_mut().for_each(|ref mut item| { + if let syn::Item::Struct(item_struct) = item { + let ident = item_struct.ident.to_string().clone(); + + if ident == "FindingRelatedRisk" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "risk_uuid" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + ) + ]) + } + } + }, + ) + } else if ident == "PoaMItem" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "title" || ident.to_string().clone() == "description" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + deserialize_with = "validation::deser_markup" + )] + ) + ]) + } + } + }, + ) + } else if ident == "PoamItemRelatedObservation" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "observation_uuid" || ident.to_string().clone() == "description" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + ) + ]) + } + } + }, + ) + } else if ident == "PoamItemRelatedRisk" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "risk_uuid" || ident.to_string().clone() == "description" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + ) + ]) + } + } + }, + ) + } else if ident == "RelatedFinding" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "finding_uuid" || ident.to_string().clone() == "description" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + ) + ]) + } + } + }, + ) + } + } + }); + + prettyplease::unparse(ast).replace("#[derive(ToBeReplaced)]", "") +} + +fn process_ast_catalog(ast: &mut syn::File) -> String { + let ast = process_ast_common(ast); + + ast.items.iter_mut().for_each(|ref mut item| { + if let syn::Item::Struct(item_struct) = item { + let ident = item_struct.ident.to_string().clone(); + + if ident == "Control" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "id" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + ) + ]) + } else if ident.to_string().clone() == "title" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + deserialize_with = "validation::deser_markup" + )] + ) + ]) + } else if ident.to_string().clone() == "class" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + ) + ]) + } + } + }, + ) + } + } + }); + + prettyplease::unparse(ast).replace("#[derive(ToBeReplaced)]", "") +} + +fn process_ast_profile(ast: &mut syn::File) -> String { + let ast = process_ast_common(ast); + + ast.items.iter_mut().for_each(|ref mut item| { + if let syn::Item::Struct(item_struct) = item { + let ident = item_struct.ident.to_string().clone(); + + if ident == "Addition" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "by_id" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + ) + ]) + } else if ident.to_string().clone() == "title" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + deserialize_with = "validation::deser_markup_opt" + )] + ) + ]) + } + } + }, + ) + } else if ident == "Alteration" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "control_id" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + ) + ]) + } + } + }, + ) + } else if ident == "ImportResource" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "href" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_uri_ref", + deserialize_with = "validation::deser_uri_ref" + )] + ) + ]) + } + } + }, + ) + } else if ident == "Removal" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "by_name" || ident.to_string().clone() == "by_class" || ident.to_string().clone() == "by_id" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + ) + ]) + } + } + }, + ) + } else if ident == "SelectControl" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "with_ids" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_token_vec_opt", + deserialize_with = "validation::deser_token_vec_opt" + )] + ) + ]) + } + } + }, + ) + } + } + }); + + prettyplease::unparse(ast).replace("#[derive(ToBeReplaced)]", "") +} + +fn process_ast_component_definition(ast: &mut syn::File) -> String { + let ast = process_ast_common(ast); + + ast.items.iter_mut().for_each(|ref mut item| { + if let syn::Item::Struct(item_struct) = item { + let ident = item_struct.ident.to_string().clone(); + + if ident == "Capability" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "description" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde(deserialize_with = "validation::deser_markup")] + ) + ]) + } + } + }, + ) + } else if ident == "ControlImplementation" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "control_id" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + ) + ]) + } + } + }, + ) + } else if ident == "ControlImplementationSet" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "description" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde(deserialize_with = "validation::deser_markup")] + ) + ]) + } + } + }, + ) + } else if ident == "ControlStatementImplementation" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "statement_id" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + ) + ]) + } else if ident.to_string().clone() == "description" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + deserialize_with = "validation::deser_markup" + )] + ) + ]) + } + } + }, + ) + } else if ident == "ImportComponentDefinition" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "href" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_uri_ref", + deserialize_with = "validation::deser_uri_ref" + )] + ) + ]) + } + } + }, + ) + } else if ident == "IncorporatesComponent" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "component_uuid" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + ) + ]) + } + } + }, + ) + } + } + }); + + prettyplease::unparse(ast).replace("#[derive(ToBeReplaced)]", "") +} + +fn process_ast_ssp(ast: &mut syn::File) -> String { + let ast = process_ast_common(ast); + + ast.items.iter_mut().for_each(|ref mut item| { + if let syn::Item::Struct(item_struct) = item { + let ident = item_struct.ident.to_string().clone(); + + if ident == "ComponentControlImplementation" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "component_uuid" || ident.to_string().clone() == "class" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + ) + ]) + } + } + }, + ) + } else if ident == "ControlImplementationResponsibility" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "provided_uuid" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_uuid_opt", + deserialize_with = "validation::deser_uuid_opt" + )] + ) + ]) + } + } + }, + ) + } else if ident == "Diagram" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "caption" || ident.to_string().clone() == "class" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + deserialize_with = "validation::deser_markup_opt" + )] + ) + ]) + } + } + }, + ) + } else if ident == "Export" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "description" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + deserialize_with = "validation::deser_markup_opt" + )] + ) + ]) + } + } + }, + ) + } else if ident == "ImpactLevel" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "adjustment_justification" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde(deserialize_with = "validation::deser_markup_opt")] + ) + ]) + } + } + }, + ) + } else if ident == "ImportProfile" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "href" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_uri_ref", + deserialize_with = "validation::deser_uri_ref" + )] + ) + ]) + } + } + }, + ) + } else if ident == "InheritedControlImplementation" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "provided_uuid" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_uuid_opt", + deserialize_with = "validation::deser_uuid_opt" + )] + ) + ]) + } + } + }, + ) + } else if ident == "LeveragedAuthorization" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "title" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + deserialize_with = "validation::deser_markup" + )] + ) + ]) + } else if ident.to_string().clone() == "party_uuid" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + ) + ]) + } else if ident.to_string().clone() == "date_authorized" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_date", + deserialize_with = "validation::deser_date" + )] + ) + ]) + } + } + }, + ) + } else if ident == "ProvidedControlImplementation" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "description" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + deserialize_with = "validation::deser_markup" + )] + ) + ]) + } + } + }, + ) + } else if ident == "SatisfiedControlImplementationResponsibility" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "responsibility_uuid" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_uuid_opt", + deserialize_with = "validation::deser_uuid_opt" + )] + ) + ]) + } + } + }, + ) + } else if ident == "SpecificControlStatement" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "statement_id" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + ) + ]) + } + } + }, + ) + } else if ident == "SystemCharacteristics" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "description" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + deserialize_with = "validation::deser_markup" + )] + ) + ]) + } else if ident.to_string().clone() == "date_authorized" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + serialize_with = "validation::ser_date_opt", + deserialize_with = "validation::deser_date_opt" + )] + ) + ]) + } + } + }, + ) + } else if ident == "ControlImplementation" { + (&mut item_struct.fields).into_iter().for_each( + |ref mut field| { + if let Some(ident) = &mut field.ident { + if ident.to_string().clone() == "description" { + field.attrs.extend(vec![ + syn::parse_quote!( + #[serde( + deserialize_with = "validation::deser_markup" + )] + ) + ]) + } + } + }, + ) + } + } + }); + + prettyplease::unparse(ast).replace("#[derive(ToBeReplaced)]", "") +} + +fn main() -> Result<(), Box> { + println!("cargo:rerun-if-changed=jsonschema/"); + + let current_dir = env::current_dir()?; + let out_path = PathBuf::from(env::var("OUT_DIR").unwrap()); + + let assessment_plan_path = format!( + "{}/jsonschema/tracking_latest_models/oscal_assessment-plan_schema.json", + current_dir.to_string_lossy() + ); + let assessment_plan_out_path = + format!("{}/assessment_plan.rs", out_path.to_string_lossy()); + + let assessment_results_path = format!( + "{}/jsonschema/tracking_latest_models/oscal_assessment-results_schema.json", + current_dir.to_string_lossy() + ); + let assessment_results_out_path = + format!("{}/assessment_results.rs", out_path.to_string_lossy()); + + let poam_path = format!( + "{}/jsonschema/tracking_latest_models/oscal_poam_schema.json", + current_dir.to_string_lossy() + ); + let poam_out_path = format!("{}/poam.rs", out_path.to_string_lossy()); + + let catalog_path = format!( + "{}/jsonschema/tracking_latest_models/oscal_catalog_schema.json", + current_dir.to_string_lossy() + ); + let catalog_out_path = format!("{}/catalog.rs", out_path.to_string_lossy()); + + let profile_path = format!( + "{}/jsonschema/tracking_latest_models/oscal_profile_schema.json", + current_dir.to_string_lossy() + ); + let profile_out_path = format!("{}/profile.rs", out_path.to_string_lossy()); + + let component_definition_path = format!( + "{}/jsonschema/tracking_latest_models/oscal_component_schema.json", + current_dir.to_string_lossy() + ); + let component_definition_out_path = + format!("{}/component_definition.rs", out_path.to_string_lossy()); + + let ssp_path = format!( + "{}/jsonschema/tracking_latest_models/oscal_ssp_schema.json", + current_dir.to_string_lossy() + ); + let ssp_path_out_path = format!("{}/ssp.rs", out_path.to_string_lossy()); + + check_schema_diff()?; + + std::process::Command::new("quicktype") + .args([ + &assessment_plan_path, + "--src-lang", + "schema", + "--top-level", + "AssessmentPlan", + "--derive-debug", + "--derive-clone", + "--leading-comments", + "--density", + "dense", + "--visibility", + "public", + "-o", + &assessment_plan_out_path, + ]) + .status() + .expect("quicktype not found"); + + std::process::Command::new("quicktype") + .args([ + &assessment_results_path, + "--src-lang", + "schema", + "--top-level", + "AssessmentResults", + "--derive-debug", + "--derive-clone", + "--leading-comments", + "--density", + "dense", + "--visibility", + "public", + "-o", + &assessment_results_out_path, + ]) + .status() + .expect("quicktype not found"); + + std::process::Command::new("quicktype") + .args([ + &poam_path, + "--src-lang", + "schema", + "--top-level", + "PlanOfActionAndMilestones", + "--derive-debug", + "--derive-clone", + "--leading-comments", + "--density", + "dense", + "--visibility", + "public", + "-o", + &poam_out_path, + ]) + .status() + .expect("quicktype not found"); + + std::process::Command::new("quicktype") + .args([ + &catalog_path, + "--src-lang", + "schema", + "--top-level", + "Catalog", + "--derive-debug", + "--derive-clone", + "--leading-comments", + "--density", + "dense", + "--visibility", + "public", + "-o", + &catalog_out_path, + ]) + .status() + .expect("quicktype not found"); + + std::process::Command::new("quicktype") + .args([ + &profile_path, + "--src-lang", + "schema", + "--top-level", + "Profile", + "--derive-debug", + "--derive-clone", + "--leading-comments", + "--density", + "dense", + "--visibility", + "public", + "-o", + &profile_out_path, + ]) + .status() + .expect("quicktype not found"); + + std::process::Command::new("quicktype") + .args([ + &component_definition_path, + "--src-lang", + "schema", + "--top-level", + "ComponentDefinition", + "--derive-debug", + "--derive-clone", + "--leading-comments", + "--density", + "dense", + "--visibility", + "public", + "-o", + &component_definition_out_path, + ]) + .status() + .expect("quicktype not found"); + + std::process::Command::new("quicktype") + .args([ + &ssp_path, + "--src-lang", + "schema", + "--top-level", + "SystemSecurityPlan", + "--derive-debug", + "--derive-clone", + "--leading-comments", + "--density", + "dense", + "--visibility", + "public", + "-o", + &ssp_path_out_path, + ]) + .status() + .expect("quicktype not found"); + + let assessment_plan = read_file(assessment_plan_out_path)?; + let assessment_results = read_file(assessment_results_out_path)?; + let poam = read_file(poam_out_path)?; + let catalog = read_file(catalog_out_path)?; + let profile = read_file(profile_out_path)?; + let component_definition = read_file(component_definition_out_path)?; + let ssp = read_file(ssp_path_out_path)?; + + let mut assessment_plan_ast = syn::parse_file(&assessment_plan)?; + let mut assessment_results_ast = syn::parse_file(&assessment_results)?; + let mut poam_ast = syn::parse_file(&poam)?; + let mut catalog_ast = syn::parse_file(&catalog)?; + let mut profile_ast = syn::parse_file(&profile)?; + let mut component_definition_ast = syn::parse_file(&component_definition)?; + let mut ssp_ast = syn::parse_file(&ssp)?; + + let assessment_plan_str = + process_ast_assessment_plan(&mut assessment_plan_ast); + let assessment_results_str = + process_ast_assessment_results(&mut assessment_results_ast); + let poam_str = process_ast_poam(&mut poam_ast); + let catalog_str = process_ast_catalog(&mut catalog_ast); + let profile_str = process_ast_profile(&mut profile_ast); + let component_definition_str = + process_ast_component_definition(&mut component_definition_ast); + let ssp_str = process_ast_ssp(&mut ssp_ast); + + create_outout_path( + "assessment_plan.rs", + "assessment", + assessment_plan_str, + )?; + create_outout_path( + "assessment_results.rs", + "assessment", + assessment_results_str, + )?; + create_outout_path("poam.rs", "assessment", poam_str)?; + create_outout_path("catalog.rs", "control", catalog_str)?; + create_outout_path("profile.rs", "control", profile_str)?; + create_outout_path( + "component_definition.rs", + "implementation", + component_definition_str, + )?; + create_outout_path("ssp.rs", "implementation", ssp_str)?; + + Ok(()) +} diff --git a/roscal_lib/jsonschema/baseline_unified/1.0.0.json b/roscal_lib/jsonschema/baseline_unified/1.0.0.json new file mode 100644 index 0000000..93ebf19 --- /dev/null +++ b/roscal_lib/jsonschema/baseline_unified/1.0.0.json @@ -0,0 +1,5542 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "http://csrc.nist.gov/ns/oscal/1.0/1.0.0/oscal-complete-schema.json", + "$comment": "OSCAL Unified Model of Models: JSON Schema", + "type": "object", + "definitions": { + "oscal-complete-oscal-catalog:catalog": { + "title": "Catalog", + "description": "A collection of controls.", + "$id": "#assembly_oscal-catalog_catalog", + "type": "object", + "properties": { + "uuid": { + "title": "Catalog Universally Unique Identifier", + "description": "A globally unique identifier for this catalog instance. This UUID should be changed when this document is revised.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "metadata": { "$ref": "#assembly_oscal-metadata_metadata" }, + "params": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-catalog-common_parameter" } + }, + "controls": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-catalog_control" } + }, + "groups": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-catalog_group" } + }, + "back-matter": { "$ref": "#assembly_oscal-metadata_back-matter" } + }, + "required": ["uuid", "metadata"], + "additionalProperties": false + }, + "oscal-complete-oscal-catalog:group": { + "title": "Control Group", + "description": "A group of controls, or of groups of controls.", + "$id": "#assembly_oscal-catalog_group", + "type": "object", + "properties": { + "id": { + "title": "Group Identifier", + "description": "A unique identifier for a specific group instance that can be used to reference the group within this and in other OSCAL documents. This identifier's uniqueness is document scoped and is intended to be consistent for the same group across minor revisions of the document.", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + }, + "class": { + "title": "Group Class", + "description": "A textual label that provides a sub-type or characterization of the group.", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + }, + "title": { + "title": "Group Title", + "description": "A name given to the group, which may be used by a tool for display and navigation.", + "type": "string" + }, + "params": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-catalog-common_parameter" } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "parts": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-catalog-common_part" } + }, + "groups": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-catalog_group" } + }, + "controls": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-catalog_control" } + } + }, + "required": ["title"], + "additionalProperties": false + }, + "oscal-complete-oscal-catalog:control": { + "title": "Control", + "description": "A structured information object representing a security or privacy control. Each security or privacy control within the Catalog is defined by a distinct control instance.", + "$id": "#assembly_oscal-catalog_control", + "type": "object", + "properties": { + "id": { + "title": "Control Identifier", + "description": "A unique identifier for a specific control instance that can be used to reference the control in other OSCAL documents. This identifier's uniqueness is document scoped and is intended to be consistent for the same control across minor revisions of the document.", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + }, + "class": { + "title": "Control Class", + "description": "A textual label that provides a sub-type or characterization of the control.", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + }, + "title": { + "title": "Control Title", + "description": "A name given to the control, which may be used by a tool for display and navigation.", + "type": "string" + }, + "params": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-catalog-common_parameter" } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "parts": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-catalog-common_part" } + }, + "controls": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-catalog_control" } + } + }, + "required": ["id", "title"], + "additionalProperties": false + }, + "oscal-complete-oscal-catalog-common:part": { + "title": "Part", + "description": "A partition of a control's definition or a child of another part.", + "$id": "#assembly_oscal-catalog-common_part", + "type": "object", + "properties": { + "id": { + "title": "Part Identifier", + "description": "A unique identifier for a specific part instance. This identifier's uniqueness is document scoped and is intended to be consistent for the same part across minor revisions of the document.", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + }, + "name": { + "title": "Part Name", + "description": "A textual label that uniquely identifies the part's semantic type.", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + }, + "ns": { + "title": "Part Namespace", + "description": "A namespace qualifying the part's name. This allows different organizations to associate distinct semantics with the same name.", + "type": "string", + "format": "uri" + }, + "class": { + "title": "Part Class", + "description": "A textual label that provides a sub-type or characterization of the part's name. This can be used to further distinguish or discriminate between the semantics of multiple parts of the same control with the same name and ns.", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + }, + "title": { + "title": "Part Title", + "description": "A name given to the part, which may be used by a tool for display and navigation.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "prose": { + "title": "Part Text", + "description": "Permits multiple paragraphs, lists, tables etc.", + "type": "string" + }, + "parts": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-catalog-common_part" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + } + }, + "required": ["name"], + "additionalProperties": false + }, + "oscal-complete-oscal-catalog-common:parameter": { + "title": "Parameter", + "description": "Parameters provide a mechanism for the dynamic assignment of value(s) in a control.", + "$id": "#assembly_oscal-catalog-common_parameter", + "type": "object", + "properties": { + "id": { + "title": "Parameter Identifier", + "description": "A unique identifier for a specific parameter instance. This identifier's uniqueness is document scoped and is intended to be consistent for the same parameter across minor revisions of the document.", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + }, + "class": { + "title": "Parameter Class", + "description": "A textual label that provides a characterization of the parameter.", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + }, + "depends-on": { + "title": "Depends on", + "description": "Another parameter invoking this one", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "label": { + "title": "Parameter Label", + "description": "A short, placeholder name for the parameter, which can be used as a substitute for a value if no value is assigned.", + "type": "string" + }, + "usage": { + "title": "Parameter Usage Description", + "description": "Describes the purpose and use of a parameter", + "type": "string" + }, + "constraints": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-catalog-common_parameter-constraint" + } + }, + "guidelines": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-catalog-common_parameter-guideline" + } + }, + "values": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-catalog-common_parameter-value" } + }, + "select": { + "$ref": "#assembly_oscal-catalog-common_parameter-selection" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["id"], + "additionalProperties": false + }, + "oscal-complete-oscal-catalog-common:parameter-constraint": { + "title": "Constraint", + "description": "A formal or informal expression of a constraint or test", + "$id": "#assembly_oscal-catalog-common_parameter-constraint", + "type": "object", + "properties": { + "description": { + "title": "Constraint Description", + "description": "A textual summary of the constraint to be applied.", + "type": "string" + }, + "tests": { + "type": "array", + "minItems": 1, + "items": { + "title": "Constraint Test", + "description": "A test expression which is expected to be evaluated by a tool.", + "type": "object", + "properties": { + "expression": { + "title": "Constraint test", + "description": "A formal (executable) expression of a constraint", + "type": "string", + "pattern": "^\\S(.*\\S)?$" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["expression"], + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "oscal-complete-oscal-catalog-common:parameter-guideline": { + "title": "Guideline", + "description": "A prose statement that provides a recommendation for the use of a parameter.", + "$id": "#assembly_oscal-catalog-common_parameter-guideline", + "type": "object", + "properties": { + "prose": { + "title": "Guideline Text", + "description": "Prose permits multiple paragraphs, lists, tables etc.", + "type": "string" + } + }, + "required": ["prose"], + "additionalProperties": false + }, + "oscal-complete-oscal-catalog-common:parameter-value": { + "title": "Parameter Value", + "description": "A parameter value or set of values.", + "$id": "#field_oscal-catalog-common_parameter-value", + "type": "string", + "pattern": "^\\S(.*\\S)?$" + }, + "oscal-complete-oscal-catalog-common:parameter-selection": { + "title": "Selection", + "description": "Presenting a choice among alternatives", + "$id": "#assembly_oscal-catalog-common_parameter-selection", + "type": "object", + "properties": { + "how-many": { + "title": "Parameter Cardinality", + "description": "Describes the number of selections that must occur. Without this setting, only one value should be assumed to be permitted.", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$", + "enum": ["one", "one-or-more"] + }, + "choice": { + "type": "array", + "minItems": 1, + "items": { + "title": "Choice", + "description": "A value selection among several such options", + "type": "string" + } + } + }, + "additionalProperties": false + }, + "oscal-complete-oscal-metadata:metadata": { + "title": "Publication metadata", + "description": "Provides information about the publication and availability of the containing document.", + "$id": "#assembly_oscal-metadata_metadata", + "type": "object", + "properties": { + "title": { + "title": "Document Title", + "description": "A name given to the document, which may be used by a tool for display and navigation.", + "type": "string" + }, + "published": { "$ref": "#field_oscal-metadata_published" }, + "last-modified": { "$ref": "#field_oscal-metadata_last-modified" }, + "version": { "$ref": "#field_oscal-metadata_version" }, + "oscal-version": { "$ref": "#field_oscal-metadata_oscal-version" }, + "revisions": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_revision" } + }, + "document-ids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_document-id" } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_role" } + }, + "locations": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_location" } + }, + "parties": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_party" } + }, + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-party" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["title", "last-modified", "version", "oscal-version"], + "additionalProperties": false + }, + "oscal-complete-oscal-metadata:revision": { + "title": "Revision History Entry", + "description": "An entry in a sequential list of revisions to the containing document in reverse chronological order (i.e., most recent previous revision first).", + "$id": "#assembly_oscal-metadata_revision", + "type": "object", + "properties": { + "title": { + "title": "Document Title", + "description": "A name given to the document revision, which may be used by a tool for display and navigation.", + "type": "string" + }, + "published": { "$ref": "#field_oscal-metadata_published" }, + "last-modified": { "$ref": "#field_oscal-metadata_last-modified" }, + "version": { "$ref": "#field_oscal-metadata_version" }, + "oscal-version": { "$ref": "#field_oscal-metadata_oscal-version" }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "additionalProperties": false + }, + "oscal-complete-oscal-metadata:location": { + "title": "Location", + "description": "A location, with associated metadata that can be referenced.", + "$id": "#assembly_oscal-metadata_location", + "type": "object", + "properties": { + "uuid": { + "title": "Location Universally Unique Identifier", + "description": "A unique identifier that can be used to reference this defined location elsewhere in an OSCAL document. A UUID should be consistently used for a given location across revisions of the document.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "title": { + "title": "Location Title", + "description": "A name given to the location, which may be used by a tool for display and navigation.", + "type": "string" + }, + "address": { "$ref": "#assembly_oscal-metadata_address" }, + "email-addresses": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_email-address" } + }, + "telephone-numbers": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_telephone-number" } + }, + "urls": { + "type": "array", + "minItems": 1, + "items": { + "title": "Location URL", + "description": "The uniform resource locator (URL) for a web site or Internet presence associated with the location.", + "type": "string", + "format": "uri" + } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "address"], + "additionalProperties": false + }, + "oscal-complete-oscal-metadata:location-uuid": { + "title": "Location Reference", + "description": "References a location defined in metadata.", + "$id": "#field_oscal-metadata_location-uuid", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "oscal-complete-oscal-metadata:party": { + "title": "Party (organization or person)", + "description": "A responsible entity which is either a person or an organization.", + "$id": "#assembly_oscal-metadata_party", + "type": "object", + "properties": { + "uuid": { + "title": "Party Universally Unique Identifier", + "description": "A unique identifier that can be used to reference this defined location elsewhere in an OSCAL document. A UUID should be consistently used for a given party across revisions of the document.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "type": { + "title": "Party Type", + "description": "A category describing the kind of party the object describes.", + "type": "string", + "pattern": "^\\S(.*\\S)?$", + "enum": ["person", "organization"] + }, + "name": { + "title": "Party Name", + "description": "The full name of the party. This is typically the legal name associated with the party.", + "type": "string", + "pattern": "^\\S(.*\\S)?$" + }, + "short-name": { + "title": "Party Short Name", + "description": "A short common name, abbreviation, or acronym for the party.", + "type": "string", + "pattern": "^\\S(.*\\S)?$" + }, + "external-ids": { + "type": "array", + "minItems": 1, + "items": { + "title": "Party External Identifier", + "description": "An identifier for a person or organization using a designated scheme. e.g. an Open Researcher and Contributor ID (ORCID)", + "type": "object", + "properties": { + "scheme": { + "title": "External Identifier Schema", + "description": "Indicates the type of external identifier.", + "type": "string", + "format": "uri" + }, + "id": { "type": "string" } + }, + "required": ["id", "scheme"], + "additionalProperties": false + } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "email-addresses": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_email-address" } + }, + "telephone-numbers": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_telephone-number" } + }, + "addresses": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_address" } + }, + "location-uuids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_location-uuid" } + }, + "member-of-organizations": { + "type": "array", + "minItems": 1, + "items": { + "title": "Organizational Affiliation", + "description": "Identifies that the party object is a member of the organization associated with the provided UUID.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "type"], + "additionalProperties": false + }, + "oscal-complete-oscal-metadata:party-uuid": { + "title": "Party Reference", + "description": "References a party defined in metadata.", + "$id": "#field_oscal-metadata_party-uuid", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "oscal-complete-oscal-metadata:role": { + "title": "Role", + "description": "Defines a function assumed or expected to be assumed by a party in a specific situation.", + "$id": "#assembly_oscal-metadata_role", + "type": "object", + "properties": { + "id": { + "title": "Role Identifier", + "description": "A unique identifier for a specific role instance. This identifier's uniqueness is document scoped and is intended to be consistent for the same role across minor revisions of the document.", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + }, + "title": { + "title": "Role Title", + "description": "A name given to the role, which may be used by a tool for display and navigation.", + "type": "string" + }, + "short-name": { + "title": "Role Short Name", + "description": "A short common name, abbreviation, or acronym for the role.", + "type": "string", + "pattern": "^\\S(.*\\S)?$" + }, + "description": { + "title": "Role Description", + "description": "A summary of the role's purpose and associated responsibilities.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["id", "title"], + "additionalProperties": false + }, + "oscal-complete-oscal-metadata:role-id": { + "title": "Role Identifier Reference", + "description": "A reference to the roles served by the user.", + "$id": "#field_oscal-metadata_role-id", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + }, + "oscal-complete-oscal-metadata:back-matter": { + "title": "Back matter", + "description": "A collection of resources, which may be included directly or by reference.", + "$id": "#assembly_oscal-metadata_back-matter", + "type": "object", + "properties": { + "resources": { + "type": "array", + "minItems": 1, + "items": { + "title": "Resource", + "description": "A resource associated with content in the containing document. A resource may be directly included in the document base64 encoded or may point to one or more equivalent internet resources.", + "type": "object", + "properties": { + "uuid": { + "title": "Resource Universally Unique Identifier", + "description": "A globally unique identifier that can be used to reference this defined resource elsewhere in an OSCAL document. A UUID should be consistently used for a given resource across revisions of the document.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "title": { + "title": "Resource Title", + "description": "A name given to the resource, which may be used by a tool for display and navigation.", + "type": "string" + }, + "description": { + "title": "Resource Description", + "description": "A short summary of the resource used to indicate the purpose of the resource.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "document-ids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_document-id" } + }, + "citation": { + "title": "Citation", + "description": "A citation consisting of end note text and optional structured bibliographic data.", + "type": "object", + "properties": { + "text": { + "title": "Citation Text", + "description": "A line of citation text.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + } + }, + "required": ["text"], + "additionalProperties": false + }, + "rlinks": { + "type": "array", + "minItems": 1, + "items": { + "title": "Resource link", + "description": "A pointer to an external resource with an optional hash for verification and change detection.", + "type": "object", + "properties": { + "href": { + "title": "Hypertext Reference", + "description": "A resolvable URI reference to a resource.", + "type": "string", + "format": "uri-reference" + }, + "media-type": { + "title": "Media Type", + "description": "Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.", + "type": "string", + "pattern": "^\\S(.*\\S)?$" + }, + "hashes": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_hash" } + } + }, + "required": ["href"], + "additionalProperties": false + } + }, + "base64": { + "title": "Base64", + "description": "The Base64 alphabet in RFC 2045 - aligned with XSD.", + "type": "object", + "properties": { + "filename": { + "title": "File Name", + "description": "Name of the file before it was encoded as Base64 to be embedded in a resource. This is the name that will be assigned to the file when the file is decoded.", + "type": "string", + "format": "uri-reference" + }, + "media-type": { + "title": "Media Type", + "description": "Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.", + "type": "string", + "pattern": "^\\S(.*\\S)?$" + }, + "value": { "type": "string" } + }, + "required": ["value"], + "additionalProperties": false + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid"], + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "oscal-complete-oscal-metadata:property": { + "title": "Property", + "description": "An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair. The value of a property is a simple scalar value, which may be expressed as a list of values.", + "$id": "#assembly_oscal-metadata_property", + "type": "object", + "properties": { + "name": { + "title": "Property Name", + "description": "A textual label that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + }, + "uuid": { + "title": "Property Universally Unique Identifier", + "description": "A unique identifier that can be used to reference this property elsewhere in an OSCAL document. A UUID should be consistently used for a given location across revisions of the document.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "ns": { + "title": "Property Namespace", + "description": "A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.", + "type": "string", + "format": "uri" + }, + "value": { + "title": "Property Value", + "description": "Indicates the value of the attribute, characteristic, or quality.", + "type": "string", + "pattern": "^\\S(.*\\S)?$" + }, + "class": { + "title": "Property Class", + "description": "A textual label that provides a sub-type or characterization of the property's name. This can be used to further distinguish or discriminate between the semantics of multiple properties of the same object with the same name and ns.", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["name", "value"], + "additionalProperties": false + }, + "oscal-complete-oscal-metadata:link": { + "title": "Link", + "description": "A reference to a local or remote resource", + "$id": "#assembly_oscal-metadata_link", + "type": "object", + "properties": { + "href": { + "title": "Hypertext Reference", + "description": "A resolvable URL reference to a resource.", + "type": "string", + "format": "uri-reference" + }, + "rel": { + "title": "Relation", + "description": "Describes the type of relationship provided by the link. This can be an indicator of the link's purpose.", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + }, + "media-type": { + "title": "Media Type", + "description": "Specifies a media type as defined by the Internet Assigned Numbers Authority (IANA) Media Types Registry.", + "type": "string", + "pattern": "^\\S(.*\\S)?$" + }, + "text": { + "title": "Link Text", + "description": "A textual label to associate with the link, which may be used for presentation in a tool.", + "type": "string" + } + }, + "required": ["href"], + "additionalProperties": false + }, + "oscal-complete-oscal-metadata:responsible-party": { + "title": "Responsible Party", + "description": "A reference to a set of organizations or persons that have responsibility for performing a referenced role in the context of the containing object.", + "$id": "#assembly_oscal-metadata_responsible-party", + "type": "object", + "properties": { + "role-id": { + "title": "Responsible Role", + "description": "The role that the party is responsible for.", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + }, + "party-uuids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_party-uuid" } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["role-id", "party-uuids"], + "additionalProperties": false + }, + "oscal-complete-oscal-metadata:responsible-role": { + "title": "Responsible Role", + "description": "A reference to one or more roles with responsibility for performing a function relative to the containing object.", + "$id": "#assembly_oscal-metadata_responsible-role", + "type": "object", + "properties": { + "role-id": { + "title": "Responsible Role ID", + "description": "The role that is responsible for the business function.", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "party-uuids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_party-uuid" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["role-id"], + "additionalProperties": false + }, + "oscal-complete-oscal-metadata:hash": { + "title": "Hash", + "description": "A representation of a cryptographic digest generated over a resource using a specified hash algorithm.", + "$id": "#field_oscal-metadata_hash", + "type": "object", + "properties": { + "algorithm": { + "title": "Hash algorithm", + "description": "Method by which a hash is derived", + "type": "string", + "pattern": "^\\S(.*\\S)?$" + }, + "value": { "type": "string" } + }, + "required": ["value", "algorithm"], + "additionalProperties": false + }, + "oscal-complete-oscal-metadata:remarks": { + "title": "Remarks", + "description": "Additional commentary on the containing object.", + "$id": "#field_oscal-metadata_remarks", + "type": "string" + }, + "oscal-complete-oscal-metadata:published": { + "title": "Publication Timestamp", + "description": "The date and time the document was published. The date-time value must be formatted according to RFC 3339 with full time and time zone included.", + "$id": "#field_oscal-metadata_published", + "type": "string", + "format": "date-time", + "pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})$" + }, + "oscal-complete-oscal-metadata:last-modified": { + "title": "Last Modified Timestamp", + "description": "The date and time the document was last modified. The date-time value must be formatted according to RFC 3339 with full time and time zone included.", + "$id": "#field_oscal-metadata_last-modified", + "type": "string", + "format": "date-time", + "pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})$" + }, + "oscal-complete-oscal-metadata:version": { + "title": "Document Version", + "description": "A string used to distinguish the current version of the document from other previous (and future) versions.", + "$id": "#field_oscal-metadata_version", + "type": "string", + "pattern": "^\\S(.*\\S)?$" + }, + "oscal-complete-oscal-metadata:oscal-version": { + "title": "OSCAL version", + "description": "The OSCAL model version the document was authored against.", + "$id": "#field_oscal-metadata_oscal-version", + "type": "string", + "pattern": "^\\S(.*\\S)?$" + }, + "oscal-complete-oscal-metadata:email-address": { + "title": "Email Address", + "description": "An email address as defined by RFC 5322 Section 3.4.1.", + "$id": "#field_oscal-metadata_email-address", + "type": "string", + "format": "email", + "pattern": "^.+@.+" + }, + "oscal-complete-oscal-metadata:telephone-number": { + "title": "Telephone Number", + "description": "Contact number by telephone.", + "$id": "#field_oscal-metadata_telephone-number", + "type": "object", + "properties": { + "type": { + "title": "type flag", + "description": "Indicates the type of phone number.", + "type": "string", + "pattern": "^\\S(.*\\S)?$" + }, + "number": { "type": "string" } + }, + "required": ["number"], + "additionalProperties": false + }, + "oscal-complete-oscal-metadata:address": { + "title": "Address", + "description": "A postal address for the location.", + "$id": "#assembly_oscal-metadata_address", + "type": "object", + "properties": { + "type": { + "title": "Address Type", + "description": "Indicates the type of address.", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + }, + "addr-lines": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_addr-line" } + }, + "city": { + "title": "City", + "description": "City, town or geographical region for the mailing address.", + "type": "string", + "pattern": "^\\S(.*\\S)?$" + }, + "state": { + "title": "State", + "description": "State, province or analogous geographical region for mailing address", + "type": "string", + "pattern": "^\\S(.*\\S)?$" + }, + "postal-code": { + "title": "Postal Code", + "description": "Postal or ZIP code for mailing address", + "type": "string", + "pattern": "^\\S(.*\\S)?$" + }, + "country": { + "title": "Country Code", + "description": "The ISO 3166-1 alpha-2 country code for the mailing address.", + "type": "string", + "pattern": "^\\S(.*\\S)?$" + } + }, + "additionalProperties": false + }, + "oscal-complete-oscal-metadata:addr-line": { + "title": "Address line", + "description": "A single line of an address.", + "$id": "#field_oscal-metadata_addr-line", + "type": "string", + "pattern": "^\\S(.*\\S)?$" + }, + "oscal-complete-oscal-metadata:document-id": { + "title": "Document Identifier", + "description": "A document identifier qualified by an identifier scheme. A document identifier provides a globally unique identifier for a group of documents that are to be treated as different versions of the same document. If this element does not appear, or if the value of this element is empty, the value of \"document-id\" is equal to the value of the \"uuid\" flag of the top-level root element.", + "$id": "#field_oscal-metadata_document-id", + "type": "object", + "properties": { + "scheme": { + "title": "Document Identification Scheme", + "description": "Qualifies the kind of document identifier using a URI. If the scheme is not provided the value of the element will be interpreted as a string of characters.", + "type": "string", + "format": "uri" + }, + "identifier": { "type": "string" } + }, + "required": ["identifier"], + "additionalProperties": false + }, + "oscal-complete-oscal-profile:profile": { + "title": "Profile", + "description": "Each OSCAL profile is defined by a Profile element", + "$id": "#assembly_oscal-profile_profile", + "type": "object", + "properties": { + "uuid": { + "title": "Catalog Universally Unique Identifier", + "description": "A globally unique identifier for this profile instance. This UUID should be changed when this document is revised.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "metadata": { "$ref": "#assembly_oscal-metadata_metadata" }, + "imports": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-profile_import" } + }, + "merge": { "$ref": "#assembly_oscal-profile_merge" }, + "modify": { "$ref": "#assembly_oscal-profile_modify" }, + "back-matter": { "$ref": "#assembly_oscal-metadata_back-matter" } + }, + "required": ["uuid", "metadata", "imports"], + "additionalProperties": false + }, + "oscal-complete-oscal-profile:import": { + "title": "Import resource", + "description": "The import designates a catalog, profile, or other resource to be included (referenced and potentially modified) by this profile. The import also identifies which controls to select using the include-all, include-controls, and exclude-controls directives.", + "$id": "#assembly_oscal-profile_import", + "type": "object", + "properties": { + "href": { + "title": "Catalog or Profile Reference", + "description": "A resolvable URL reference to the base catalog or profile that this profile is tailoring.", + "type": "string", + "format": "uri-reference" + }, + "include-all": { "$ref": "#assembly_oscal-profile_include-all" }, + "include-controls": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-profile_select-control-by-id" } + }, + "exclude-controls": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-profile_select-control-by-id" } + } + }, + "required": ["href"], + "additionalProperties": false + }, + "oscal-complete-oscal-profile:merge": { + "title": "Merge controls", + "description": "A Merge element merges controls in resolution.", + "$id": "#assembly_oscal-profile_merge", + "type": "object", + "properties": { + "combine": { "$ref": "#assembly_oscal-profile_combine" }, + "as-is": { "$ref": "#field_oscal-profile_as-is" }, + "custom": { "$ref": "#assembly_oscal-profile_custom" } + }, + "additionalProperties": false + }, + "oscal-complete-oscal-profile:combine": { + "title": "Combination rule", + "description": "A Combine element defines whether and how to combine multiple (competing) versions of the same control", + "$id": "#assembly_oscal-profile_combine", + "type": "object", + "properties": { + "method": { + "title": "Combination method", + "description": "How clashing controls should be handled", + "type": "string", + "pattern": "^\\S(.*\\S)?$", + "enum": ["use-first", "merge", "keep"] + } + }, + "additionalProperties": false + }, + "oscal-complete-oscal-profile:as-is": { + "title": "As is", + "description": "An As-is element indicates that the controls should be structured in resolution as they are structured in their source catalogs. It does not contain any elements or attributes.", + "$id": "#field_oscal-profile_as-is", + "type": "boolean" + }, + "oscal-complete-oscal-profile:custom": { + "title": "Custom grouping", + "description": "A Custom element frames a structure for embedding represented controls in resolution.", + "$id": "#assembly_oscal-profile_custom", + "type": "object", + "properties": { + "groups": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-profile_group" } + }, + "insert-controls": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-profile_insert-controls" } + } + }, + "additionalProperties": false + }, + "oscal-complete-oscal-profile:group": { + "title": "Control group", + "description": "A group of (selected) controls or of groups of controls", + "$id": "#assembly_oscal-profile_group", + "type": "object", + "properties": { + "id": { + "title": "Group Identifier", + "description": "A unique identifier for a specific group instance that can be used to reference the group within this and in other OSCAL documents. This identifier's uniqueness is document scoped and is intended to be consistent for the same group across minor revisions of the document.", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + }, + "class": { + "title": "Group Class", + "description": "A textual label that provides a sub-type or characterization of the group.", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + }, + "title": { + "title": "Group Title", + "description": "A name given to the group, which may be used by a tool for display and navigation.", + "type": "string" + }, + "params": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-catalog-common_parameter" } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "parts": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-catalog-common_part" } + }, + "groups": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-profile_group" } + }, + "insert-controls": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-profile_insert-controls" } + } + }, + "required": ["title"], + "additionalProperties": false + }, + "oscal-complete-oscal-profile:modify": { + "title": "Modify controls", + "description": "Set parameters or amend controls in resolution", + "$id": "#assembly_oscal-profile_modify", + "type": "object", + "properties": { + "set-parameters": { + "type": "array", + "minItems": 1, + "items": { + "title": "Parameter Setting", + "description": "A parameter setting, to be propagated to points of insertion", + "type": "object", + "properties": { + "param-id": { + "title": "Parameter ID", + "description": "Indicates the value of the 'id' flag on a target parameter; i.e. which parameter to set", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + }, + "class": { + "title": "Parameter Class", + "description": "A textual label that provides a characterization of the parameter.", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + }, + "depends-on": { + "title": "Depends on", + "description": "Another parameter invoking this one", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "label": { + "title": "Parameter Label", + "description": "A short, placeholder name for the parameter, which can be used as a substitute for a value if no value is assigned.", + "type": "string" + }, + "usage": { + "title": "Parameter Usage Description", + "description": "Describes the purpose and use of a parameter", + "type": "string" + }, + "constraints": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-catalog-common_parameter-constraint" + } + }, + "guidelines": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-catalog-common_parameter-guideline" + } + }, + "values": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#field_oscal-catalog-common_parameter-value" + } + }, + "select": { + "$ref": "#assembly_oscal-catalog-common_parameter-selection" + } + }, + "required": ["param-id"], + "additionalProperties": false + } + }, + "alters": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-profile_alter" } + } + }, + "additionalProperties": false + }, + "oscal-complete-oscal-profile:insert-controls": { + "title": "Select controls", + "description": "Specifies which controls to use in the containing context.", + "$id": "#assembly_oscal-profile_insert-controls", + "type": "object", + "properties": { + "order": { + "title": "Order", + "description": "A designation of how a selection of controls in a profile is to be ordered.", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$", + "enum": ["keep", "ascending", "descending"] + }, + "include-all": { "$ref": "#assembly_oscal-profile_include-all" }, + "include-controls": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-profile_select-control-by-id" } + }, + "exclude-controls": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-profile_select-control-by-id" } + } + }, + "additionalProperties": false + }, + "oscal-complete-oscal-profile:include-all": { + "title": "Insert All", + "description": "Insert all controls from the imported catalog or profile resources identified in the import directive.", + "$id": "#assembly_oscal-profile_include-all", + "type": "object", + "additionalProperties": false + }, + "oscal-complete-oscal-profile:select-control-by-id": { + "title": "Call", + "description": "Call a control by its ID", + "$id": "#assembly_oscal-profile_select-control-by-id", + "type": "object", + "properties": { + "with-child-controls": { + "title": "Include contained controls with control", + "description": "When a control is included, whether its child (dependent) controls are also included.", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$", + "enum": ["yes", "no"] + }, + "with-ids": { + "type": "array", + "minItems": 1, + "items": { + "title": "Match Controls by Identifier", + "description": "", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + } + }, + "matching": { + "type": "array", + "minItems": 1, + "items": { + "title": "Match Controls by Pattern", + "description": "Select controls by (regular expression) match on ID", + "type": "object", + "properties": { + "pattern": { + "title": "Pattern", + "description": "A glob expression matching the IDs of one or more controls to be selected.", + "type": "string", + "pattern": "^\\S(.*\\S)?$" + } + }, + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "oscal-complete-oscal-profile:alter": { + "title": "Alteration", + "description": "An Alter element specifies changes to be made to an included control when a profile is resolved.", + "$id": "#assembly_oscal-profile_alter", + "type": "object", + "properties": { + "control-id": { + "title": "Control Identifier Reference", + "description": "A reference to a control with a corresponding id value.", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + }, + "removes": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-profile_remove" } + }, + "adds": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-profile_add" } + } + }, + "additionalProperties": false + }, + "oscal-complete-oscal-profile:remove": { + "title": "Removal", + "description": "Specifies objects to be removed from a control based on specific aspects of the object that must all match.", + "$id": "#assembly_oscal-profile_remove", + "type": "object", + "properties": { + "by-name": { + "title": "Reference by (assigned) name", + "description": "Identify items to remove by matching their assigned name", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + }, + "by-class": { + "title": "Reference by class", + "description": "Identify items to remove by matching their class.", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + }, + "by-id": { + "title": "Reference by ID", + "description": "Identify items to remove indicated by their id.", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + }, + "by-item-name": { + "title": "Item Name Reference", + "description": "Identify items to remove by the name of the item's information element name, e.g. title or prop", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + }, + "by-ns": { + "title": "Item Namespace Reference", + "description": "Identify items to remove by the item's ns, which is the namespace associated with a part, or prop.", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + } + }, + "additionalProperties": false + }, + "oscal-complete-oscal-profile:add": { + "title": "Addition", + "description": "Specifies contents to be added into controls, in resolution", + "$id": "#assembly_oscal-profile_add", + "type": "object", + "properties": { + "position": { + "title": "Position", + "description": "Where to add the new content with respect to the targeted element (beside it or inside it)", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$", + "enum": ["before", "after", "starting", "ending"] + }, + "by-id": { + "title": "Reference by ID", + "description": "Target location of the addition.", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + }, + "title": { + "title": "Title Change", + "description": "A name given to the control, which may be used by a tool for display and navigation.", + "type": "string" + }, + "params": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-catalog-common_parameter" } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "parts": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-catalog-common_part" } + } + }, + "additionalProperties": false + }, + "oscal-complete-oscal-component-definition:component-definition": { + "title": "Component Definition", + "description": "A collection of component descriptions, which may optionally be grouped by capability.", + "$id": "#assembly_oscal-component-definition_component-definition", + "type": "object", + "properties": { + "uuid": { + "title": "Component Definition Universally Unique Identifier", + "description": "A globally unique identifier for this component definition instance. This UUID should be changed when this document is revised.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "metadata": { "$ref": "#assembly_oscal-metadata_metadata" }, + "import-component-definitions": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-component-definition_import-component-definition" + } + }, + "components": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-component-definition_defined-component" + } + }, + "capabilities": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-component-definition_capability" } + }, + "back-matter": { "$ref": "#assembly_oscal-metadata_back-matter" } + }, + "required": ["uuid", "metadata"], + "additionalProperties": false + }, + "oscal-complete-oscal-component-definition:import-component-definition": { + "title": "Import Component Definition", + "description": "Loads a component definition from another resource.", + "$id": "#assembly_oscal-component-definition_import-component-definition", + "type": "object", + "properties": { + "href": { + "title": "Hyperlink Reference", + "description": "A link to a resource that defines a set of components and/or capabilities to import into this collection.", + "type": "string", + "format": "uri-reference" + } + }, + "required": ["href"], + "additionalProperties": false + }, + "oscal-complete-oscal-component-definition:defined-component": { + "title": "Component", + "description": "A defined component that can be part of an implemented system.", + "$id": "#assembly_oscal-component-definition_defined-component", + "type": "object", + "properties": { + "uuid": { + "title": "Component Identifier", + "description": "The unique identifier for the component.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "type": { + "title": "Component Type", + "description": "A category describing the purpose of the component.", + "type": "string", + "pattern": "^\\S(.*\\S)?$" + }, + "title": { + "title": "Component Title", + "description": "A human readable name for the component.", + "type": "string" + }, + "description": { + "title": "Component Description", + "description": "A description of the component, including information about its function.", + "type": "string" + }, + "purpose": { + "title": "Purpose", + "description": "A summary of the technological or business purpose of the component.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "protocols": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-implementation-common_protocol" } + }, + "control-implementations": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-component-definition_control-implementation" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "type", "title", "description"], + "additionalProperties": false + }, + "oscal-complete-oscal-component-definition:capability": { + "title": "Capability", + "description": "A grouping of other components and/or capabilities.", + "$id": "#assembly_oscal-component-definition_capability", + "type": "object", + "properties": { + "uuid": { + "title": "Capability Identifier", + "description": "A unique identifier for a capability.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "name": { + "title": "Capability Name", + "description": "The capability's human-readable name.", + "type": "string", + "pattern": "^\\S(.*\\S)?$" + }, + "description": { + "title": "Capability Description", + "description": "A summary of the capability.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "incorporates-components": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-component-definition_incorporates-component" + } + }, + "control-implementations": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-component-definition_control-implementation" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "name", "description"], + "additionalProperties": false + }, + "oscal-complete-oscal-component-definition:incorporates-component": { + "title": "Incorporates Component", + "description": "TBD", + "$id": "#assembly_oscal-component-definition_incorporates-component", + "type": "object", + "properties": { + "component-uuid": { + "title": "Component Reference", + "description": "A reference to a component by its identifier", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "description": { + "title": "Component Description", + "description": "A description of the component, including information about its function.", + "type": "string" + } + }, + "required": ["component-uuid", "description"], + "additionalProperties": false + }, + "oscal-complete-oscal-component-definition:control-implementation": { + "title": "Control Implementation Set", + "description": "Defines how the component or capability supports a set of controls.", + "$id": "#assembly_oscal-component-definition_control-implementation", + "type": "object", + "properties": { + "uuid": { + "title": "Control Implementation Set Identifier", + "description": "A unique identifier for the set of implemented controls.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "source": { + "title": "Source Resource Reference", + "description": "A reference to an OSCAL catalog or profile providing the referenced control or subcontrol definition.", + "type": "string", + "format": "uri-reference" + }, + "description": { + "title": "Control Implementation Description", + "description": "A description of how the specified set of controls are implemented for the containing component or capability.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "set-parameters": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_set-parameter" + } + }, + "implemented-requirements": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-component-definition_implemented-requirement" + } + } + }, + "required": ["uuid", "source", "description", "implemented-requirements"], + "additionalProperties": false + }, + "oscal-complete-oscal-component-definition:implemented-requirement": { + "title": "Control Implementation", + "description": "Describes how the containing component or capability implements an individual control.", + "$id": "#assembly_oscal-component-definition_implemented-requirement", + "type": "object", + "properties": { + "uuid": { + "title": "Control Implementation Identifier", + "description": "A unique identifier for a specific control implementation.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "control-id": { + "title": "Control Identifier Reference", + "description": "A reference to a control with a corresponding id value.", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + }, + "description": { + "title": "Control Implementation Description", + "description": "A description of how the specified control is implemented for the containing component or capability.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "set-parameters": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_set-parameter" + } + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "statements": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-component-definition_statement" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "control-id", "description"], + "additionalProperties": false + }, + "oscal-complete-oscal-component-definition:statement": { + "title": "Control Statement Implementation", + "description": "Identifies which statements within a control are addressed.", + "$id": "#assembly_oscal-component-definition_statement", + "type": "object", + "properties": { + "statement-id": { + "title": "Control Statement Reference", + "description": "A reference to a control statement by its identifier", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + }, + "uuid": { + "title": "Control Statement Reference Universally Unique Identifier", + "description": "A globally unique identifier that can be used to reference this control statement entry elsewhere in an OSCAL document. A UUID should be consistently used for a given resource across revisions of the document.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "description": { + "title": "Statement Implementation Description", + "description": "A summary of how the containing control statement is implemented by the component or capability.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["statement-id", "uuid", "description"], + "additionalProperties": false + }, + "oscal-complete-oscal-implementation-common:system-component": { + "title": "Component", + "description": "A defined component that can be part of an implemented system.", + "$id": "#assembly_oscal-implementation-common_system-component", + "type": "object", + "properties": { + "uuid": { + "title": "Component Identifier", + "description": "The unique identifier for the component.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "type": { + "title": "Component Type", + "description": "A category describing the purpose of the component.", + "type": "string", + "pattern": "^\\S(.*\\S)?$" + }, + "title": { + "title": "Component Title", + "description": "A human readable name for the system component.", + "type": "string" + }, + "description": { + "title": "Component Description", + "description": "A description of the component, including information about its function.", + "type": "string" + }, + "purpose": { + "title": "Purpose", + "description": "A summary of the technological or business purpose of the component.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "status": { + "title": "Status", + "description": "Describes the operational status of the system component.", + "type": "object", + "properties": { + "state": { + "title": "State", + "description": "The operational status.", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$", + "enum": [ + "under-development", + "operational", + "disposition", + "other" + ] + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["state"], + "additionalProperties": false + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "protocols": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-implementation-common_protocol" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "type", "title", "description", "status"], + "additionalProperties": false + }, + "oscal-complete-oscal-implementation-common:protocol": { + "title": "Service Protocol Information", + "description": "Information about the protocol used to provide a service.", + "$id": "#assembly_oscal-implementation-common_protocol", + "type": "object", + "properties": { + "uuid": { + "title": "Service Protocol Information Universally Unique Identifier", + "description": "A globally unique identifier that can be used to reference this service protocol entry elsewhere in an OSCAL document. A UUID should be consistently used for a given resource across revisions of the document.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "name": { + "title": "Protocol Name", + "description": "The common name of the protocol, which should be the appropriate \"service name\" from the IANA Service Name and Transport Protocol Port Number Registry.", + "type": "string", + "pattern": "^\\S(.*\\S)?$" + }, + "title": { + "title": "Protocol Title", + "description": "A human readable name for the protocol (e.g., Transport Layer Security).", + "type": "string" + }, + "port-ranges": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_port-range" + } + } + }, + "required": ["name"], + "additionalProperties": false + }, + "oscal-complete-oscal-implementation-common:port-range": { + "title": "Port Range", + "description": "Where applicable this is the IPv4 port range on which the service operates.", + "$id": "#assembly_oscal-implementation-common_port-range", + "type": "object", + "properties": { + "start": { + "title": "Start", + "description": "Indicates the starting port number in a port range", + "type": "integer", + "multipleOf": 1, + "minimum": 0 + }, + "end": { + "title": "End", + "description": "Indicates the ending port number in a port range", + "type": "integer", + "multipleOf": 1, + "minimum": 0 + }, + "transport": { + "title": "Transport", + "description": "Indicates the transport type.", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$", + "enum": ["TCP", "UDP"] + } + }, + "additionalProperties": false + }, + "oscal-complete-oscal-implementation-common:implementation-status": { + "title": "Implementation Status", + "description": "Indicates the degree to which the a given control is implemented.", + "$id": "#assembly_oscal-implementation-common_implementation-status", + "type": "object", + "properties": { + "state": { + "title": "Implementation State", + "description": "Identifies the implementation status of the control or control objective.", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["state"], + "additionalProperties": false + }, + "oscal-complete-oscal-implementation-common:system-user": { + "title": "System User", + "description": "A type of user that interacts with the system based on an associated role.", + "$id": "#assembly_oscal-implementation-common_system-user", + "type": "object", + "properties": { + "uuid": { + "title": "User Universally Unique Identifier", + "description": "The unique identifier for the user class.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "title": { + "title": "User Title", + "description": "A name given to the user, which may be used by a tool for display and navigation.", + "type": "string" + }, + "short-name": { + "title": "User Short Name", + "description": "A short common name, abbreviation, or acronym for the user.", + "type": "string", + "pattern": "^\\S(.*\\S)?$" + }, + "description": { + "title": "User Description", + "description": "A summary of the user's purpose within the system.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "role-ids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_role-id" } + }, + "authorized-privileges": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_authorized-privilege" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid"], + "additionalProperties": false + }, + "oscal-complete-oscal-implementation-common:authorized-privilege": { + "title": "Privilege", + "description": "Identifies a specific system privilege held by the user, along with an associated description and/or rationale for the privilege.", + "$id": "#assembly_oscal-implementation-common_authorized-privilege", + "type": "object", + "properties": { + "title": { + "title": "Privilege Title", + "description": "A human readable name for the privilege.", + "type": "string" + }, + "description": { + "title": "Privilege Description", + "description": "A summary of the privilege's purpose within the system.", + "type": "string" + }, + "functions-performed": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#field_oscal-implementation-common_function-performed" + } + } + }, + "required": ["title", "functions-performed"], + "additionalProperties": false + }, + "oscal-complete-oscal-implementation-common:function-performed": { + "title": "Functions Performed", + "description": "Describes a function performed for a given authorized privilege by this user class.", + "$id": "#field_oscal-implementation-common_function-performed", + "type": "string", + "pattern": "^\\S(.*\\S)?$" + }, + "oscal-complete-oscal-implementation-common:inventory-item": { + "title": "Inventory Item", + "description": "A single managed inventory item within the system.", + "$id": "#assembly_oscal-implementation-common_inventory-item", + "type": "object", + "properties": { + "uuid": { + "title": "Inventory Item Universally Unique Identifier", + "description": "A globally unique identifier that can be used to reference this inventory item entry elsewhere in an OSCAL document. A UUID should be consistently used for a given resource across revisions of the document.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "description": { + "title": "Inventory Item Description", + "description": "A summary of the inventory item stating its purpose within the system.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-party" } + }, + "implemented-components": { + "type": "array", + "minItems": 1, + "items": { + "title": "Implemented Component", + "description": "The set of components that are implemented in a given system inventory item.", + "type": "object", + "properties": { + "component-uuid": { + "title": "Component Universally Unique Identifier Reference", + "description": "A reference to a component that is implemented as part of an inventory item.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-metadata_responsible-party" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["component-uuid"], + "additionalProperties": false + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "description"], + "additionalProperties": false + }, + "oscal-complete-oscal-implementation-common:set-parameter": { + "title": "Set Parameter Value", + "description": "Identifies the parameter that will be set by the enclosed value.", + "$id": "#assembly_oscal-implementation-common_set-parameter", + "type": "object", + "properties": { + "param-id": { + "title": "Parameter ID", + "description": "A reference to a parameter within a control, who's catalog has been imported into the current implementation context.", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + }, + "values": { + "type": "array", + "minItems": 1, + "items": { + "title": "Parameter Value", + "description": "A parameter value or set of values.", + "type": "string", + "pattern": "^\\S(.*\\S)?$" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["param-id", "values"], + "additionalProperties": false + }, + "oscal-complete-oscal-implementation-common:system-id": { + "title": "System Identification", + "description": "A unique identifier for the system described by this system security plan.", + "$id": "#field_oscal-implementation-common_system-id", + "type": "object", + "properties": { + "identifier-type": { + "title": "Identification System Type", + "description": "Identifies the identification system from which the provided identifier was assigned.", + "type": "string", + "format": "uri" + }, + "id": { "type": "string" } + }, + "required": ["id"], + "additionalProperties": false + }, + "oscal-complete-oscal-ssp:system-security-plan": { + "title": "System Security Plan (SSP)", + "description": "A system security plan, such as those described in NIST SP 800-18", + "$id": "#assembly_oscal-ssp_system-security-plan", + "type": "object", + "properties": { + "uuid": { + "title": "System Security Plan Universally Unique Identifier", + "description": "A globally unique identifier for this catalog instance. This UUID should be changed when this document is revised.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "metadata": { "$ref": "#assembly_oscal-metadata_metadata" }, + "import-profile": { "$ref": "#assembly_oscal-ssp_import-profile" }, + "system-characteristics": { + "$ref": "#assembly_oscal-ssp_system-characteristics" + }, + "system-implementation": { + "$ref": "#assembly_oscal-ssp_system-implementation" + }, + "control-implementation": { + "$ref": "#assembly_oscal-ssp_control-implementation" + }, + "back-matter": { "$ref": "#assembly_oscal-metadata_back-matter" } + }, + "required": [ + "uuid", + "metadata", + "import-profile", + "system-characteristics", + "system-implementation", + "control-implementation" + ], + "additionalProperties": false + }, + "oscal-complete-oscal-ssp:import-profile": { + "title": "Import Profile", + "description": "Used to import the OSCAL profile representing the system's control baseline.", + "$id": "#assembly_oscal-ssp_import-profile", + "type": "object", + "properties": { + "href": { + "title": "Profile Reference", + "description": "A resolvable URL reference to the profile to use as the system's control baseline.", + "type": "string", + "format": "uri-reference" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["href"], + "additionalProperties": false + }, + "oscal-complete-oscal-ssp:system-characteristics": { + "title": "System Characteristics", + "description": "Contains the characteristics of the system, such as its name, purpose, and security impact level.", + "$id": "#assembly_oscal-ssp_system-characteristics", + "type": "object", + "properties": { + "system-ids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-implementation-common_system-id" } + }, + "system-name": { + "title": "System Name - Full", + "description": "The full name of the system.", + "type": "string", + "pattern": "^\\S(.*\\S)?$" + }, + "system-name-short": { + "title": "System Name - Short", + "description": "A short name for the system, such as an acronym, that is suitable for display in a data table or summary list.", + "type": "string", + "pattern": "^\\S(.*\\S)?$" + }, + "description": { + "title": "System Description", + "description": "A summary of the system.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "date-authorized": { "$ref": "#field_oscal-ssp_date-authorized" }, + "security-sensitivity-level": { + "title": "Security Sensitivity Level", + "description": "The overall information system sensitivity categorization, such as defined by FIPS-199.", + "type": "string", + "pattern": "^\\S(.*\\S)?$" + }, + "system-information": { + "$ref": "#assembly_oscal-ssp_system-information" + }, + "security-impact-level": { + "$ref": "#assembly_oscal-ssp_security-impact-level" + }, + "status": { "$ref": "#assembly_oscal-ssp_status" }, + "authorization-boundary": { + "$ref": "#assembly_oscal-ssp_authorization-boundary" + }, + "network-architecture": { + "$ref": "#assembly_oscal-ssp_network-architecture" + }, + "data-flow": { "$ref": "#assembly_oscal-ssp_data-flow" }, + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-party" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": [ + "system-ids", + "system-name", + "description", + "security-sensitivity-level", + "system-information", + "security-impact-level", + "status", + "authorization-boundary" + ], + "additionalProperties": false + }, + "oscal-complete-oscal-ssp:system-information": { + "title": "System Information", + "description": "Contains details about all information types that are stored, processed, or transmitted by the system, such as privacy information, and those defined in NIST SP 800-60.", + "$id": "#assembly_oscal-ssp_system-information", + "type": "object", + "properties": { + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "information-types": { + "type": "array", + "minItems": 1, + "items": { + "title": "Information Type", + "description": "Contains details about one information type that is stored, processed, or transmitted by the system, such as privacy information, and those defined in NIST SP 800-60.", + "type": "object", + "properties": { + "uuid": { + "title": "Information Type Universally Unique Identifier", + "description": "A globally unique identifier that can be used to reference this information type entry elsewhere in an OSCAL document. A UUID should be consistently used for a given resource across revisions of the document.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "title": { + "title": "title field", + "description": "A human readable name for the information type. This title should be meaningful within the context of the system.", + "type": "string" + }, + "description": { + "title": "Information Type Description", + "description": "A summary of how this information type is used within the system.", + "type": "string" + }, + "categorizations": { + "type": "array", + "minItems": 1, + "items": { + "title": "Information Type Categorization", + "description": "A set of information type identifiers qualified by the given identification system used, such as NIST SP 800-60.", + "type": "object", + "properties": { + "system": { + "title": "Information Type Identification System", + "description": "Specifies the information type identification system used.", + "type": "string", + "format": "uri" + }, + "information-type-ids": { + "type": "array", + "minItems": 1, + "items": { + "title": "Information Type Systematized Identifier", + "description": "An identifier qualified by the given identification system used, such as NIST SP 800-60.", + "type": "string", + "pattern": "^\\S(.*\\S)?$" + } + } + }, + "required": ["system"], + "additionalProperties": false + } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "confidentiality-impact": { + "title": "Confidentiality Impact Level", + "description": "The expected level of impact resulting from the unauthorized disclosure of the described information.", + "type": "object", + "properties": { + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "base": { "$ref": "#field_oscal-ssp_base" }, + "selected": { "$ref": "#field_oscal-ssp_selected" }, + "adjustment-justification": { + "$ref": "#field_oscal-ssp_adjustment-justification" + } + }, + "required": ["base"], + "additionalProperties": false + }, + "integrity-impact": { + "title": "Integrity Impact Level", + "description": "The expected level of impact resulting from the unauthorized modification of the described information.", + "type": "object", + "properties": { + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "base": { "$ref": "#field_oscal-ssp_base" }, + "selected": { "$ref": "#field_oscal-ssp_selected" }, + "adjustment-justification": { + "$ref": "#field_oscal-ssp_adjustment-justification" + } + }, + "required": ["base"], + "additionalProperties": false + }, + "availability-impact": { + "title": "Availability Impact Level", + "description": "The expected level of impact resulting from the disruption of access to or use of the described information or the information system.", + "type": "object", + "properties": { + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "base": { "$ref": "#field_oscal-ssp_base" }, + "selected": { "$ref": "#field_oscal-ssp_selected" }, + "adjustment-justification": { + "$ref": "#field_oscal-ssp_adjustment-justification" + } + }, + "required": ["base"], + "additionalProperties": false + } + }, + "required": [ + "title", + "description", + "confidentiality-impact", + "integrity-impact", + "availability-impact" + ], + "additionalProperties": false + } + } + }, + "required": ["information-types"], + "additionalProperties": false + }, + "oscal-complete-oscal-ssp:base": { + "title": "Base Level (Confidentiality, Integrity, or Availability)", + "description": "The prescribed base (Confidentiality, Integrity, or Availability) security impact level.", + "$id": "#field_oscal-ssp_base", + "type": "string", + "pattern": "^\\S(.*\\S)?$" + }, + "oscal-complete-oscal-ssp:selected": { + "title": "Selected Level (Confidentiality, Integrity, or Availability)", + "description": "The selected (Confidentiality, Integrity, or Availability) security impact level.", + "$id": "#field_oscal-ssp_selected", + "type": "string", + "pattern": "^\\S(.*\\S)?$" + }, + "oscal-complete-oscal-ssp:adjustment-justification": { + "title": "Adjustment Justification", + "description": "If the selected security level is different from the base security level, this contains the justification for the change.", + "$id": "#field_oscal-ssp_adjustment-justification", + "type": "string" + }, + "oscal-complete-oscal-ssp:security-impact-level": { + "title": "Security Impact Level", + "description": "The overall level of expected impact resulting from unauthorized disclosure, modification, or loss of access to information.", + "$id": "#assembly_oscal-ssp_security-impact-level", + "type": "object", + "properties": { + "security-objective-confidentiality": { + "title": "Security Objective: Confidentiality", + "description": "A target-level of confidentiality for the system, based on the sensitivity of information within the system.", + "type": "string", + "pattern": "^\\S(.*\\S)?$" + }, + "security-objective-integrity": { + "title": "Security Objective: Integrity", + "description": "A target-level of integrity for the system, based on the sensitivity of information within the system.", + "type": "string", + "pattern": "^\\S(.*\\S)?$" + }, + "security-objective-availability": { + "title": "Security Objective: Availability", + "description": "A target-level of availability for the system, based on the sensitivity of information within the system.", + "type": "string", + "pattern": "^\\S(.*\\S)?$" + } + }, + "required": [ + "security-objective-confidentiality", + "security-objective-integrity", + "security-objective-availability" + ], + "additionalProperties": false + }, + "oscal-complete-oscal-ssp:status": { + "title": "Status", + "description": "Describes the operational status of the system.", + "$id": "#assembly_oscal-ssp_status", + "type": "object", + "properties": { + "state": { + "title": "State", + "description": "The current operating status.", + "type": "string", + "pattern": "^\\S(.*\\S)?$", + "enum": [ + "operational", + "under-development", + "under-major-modification", + "disposition", + "other" + ] + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["state"], + "additionalProperties": false + }, + "oscal-complete-oscal-ssp:date-authorized": { + "title": "System Authorization Date", + "description": "The date the system received its authorization.", + "$id": "#field_oscal-ssp_date-authorized", + "type": "string", + "pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))(Z|[+-][0-9]{2}:[0-9]{2})?$" + }, + "oscal-complete-oscal-ssp:authorization-boundary": { + "title": "Authorization Boundary", + "description": "A description of this system's authorization boundary, optionally supplemented by diagrams that illustrate the authorization boundary.", + "$id": "#assembly_oscal-ssp_authorization-boundary", + "type": "object", + "properties": { + "description": { + "title": "Authorization Boundary Description", + "description": "A summary of the system's authorization boundary.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "diagrams": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-ssp_diagram" } + }, + "remarks": { + "title": "remarks field", + "description": "Commentary about the system's authorization boundary that enhances the diagram.", + "type": "string" + } + }, + "required": ["description"], + "additionalProperties": false + }, + "oscal-complete-oscal-ssp:diagram": { + "title": "Diagram", + "description": "A graphic that provides a visual representation the system, or some aspect of it.", + "$id": "#assembly_oscal-ssp_diagram", + "type": "object", + "properties": { + "uuid": { + "title": "Diagram ID", + "description": "The identifier for this diagram.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "description": { + "title": "Diagram Description", + "description": "A summary of the diagram.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "caption": { + "title": "Caption", + "description": "A brief caption to annotate the diagram.", + "type": "string" + }, + "remarks": { + "title": "remarks field", + "description": "Commentary about the diagram that enhances it.", + "type": "string" + } + }, + "required": ["uuid"], + "additionalProperties": false + }, + "oscal-complete-oscal-ssp:network-architecture": { + "title": "Network Architecture", + "description": "A description of the system's network architecture, optionally supplemented by diagrams that illustrate the network architecture.", + "$id": "#assembly_oscal-ssp_network-architecture", + "type": "object", + "properties": { + "description": { + "title": "Network Architecture Description", + "description": "A summary of the system's network architecture.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "diagrams": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-ssp_diagram" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["description"], + "additionalProperties": false + }, + "oscal-complete-oscal-ssp:data-flow": { + "title": "Data Flow", + "description": "A description of the logical flow of information within the system and across its boundaries, optionally supplemented by diagrams that illustrate these flows.", + "$id": "#assembly_oscal-ssp_data-flow", + "type": "object", + "properties": { + "description": { + "title": "Data Flow Description", + "description": "A summary of the system's data flow.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "diagrams": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-ssp_diagram" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["description"], + "additionalProperties": false + }, + "oscal-complete-oscal-ssp:system-implementation": { + "title": "System Implementation", + "description": "Provides information as to how the system is implemented.", + "$id": "#assembly_oscal-ssp_system-implementation", + "type": "object", + "properties": { + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "leveraged-authorizations": { + "type": "array", + "minItems": 1, + "items": { + "title": "Leveraged Authorization", + "description": "A description of another authorized system from which this system inherits capabilities that satisfy security requirements. Another term for this concept is a common control provider.", + "type": "object", + "properties": { + "uuid": { + "title": "Leveraged Authorization Universally Unique Identifier", + "description": "A globally unique identifier that can be used to reference this leveraged authorization entry elsewhere in an OSCAL document. A UUID should be consistently used for a given resource across revisions of the document.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "title": { + "title": "title field", + "description": "A human readable name for the leveraged authorization in the context of the system.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "party-uuid": { + "title": "party-uuid field", + "description": "A reference to the party that manages the leveraged system.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "date-authorized": { "$ref": "#field_oscal-ssp_date-authorized" }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "title", "party-uuid", "date-authorized"], + "additionalProperties": false + } + }, + "users": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_system-user" + } + }, + "components": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_system-component" + } + }, + "inventory-items": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_inventory-item" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["users", "components"], + "additionalProperties": false + }, + "oscal-complete-oscal-ssp:control-implementation": { + "title": "Control Implementation", + "description": "Describes how the system satisfies a set of controls.", + "$id": "#assembly_oscal-ssp_control-implementation", + "type": "object", + "properties": { + "description": { + "title": "Control Implementation Description", + "description": "A statement describing important things to know about how this set of control satisfaction documentation is approached.", + "type": "string" + }, + "set-parameters": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_set-parameter" + } + }, + "implemented-requirements": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-ssp_implemented-requirement" } + } + }, + "required": ["description", "implemented-requirements"], + "additionalProperties": false + }, + "oscal-complete-oscal-ssp:implemented-requirement": { + "title": "Control-based Requirement", + "description": "Describes how the system satisfies an individual control.", + "$id": "#assembly_oscal-ssp_implemented-requirement", + "type": "object", + "properties": { + "uuid": { + "title": "Control Requirement Universally Unique Identifier", + "description": "A globally unique identifier that can be used to reference this control requirement entry elsewhere in an OSCAL document. A UUID should be consistently used for a given resource across revisions of the document.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "control-id": { + "title": "Control Identifier Reference", + "description": "A reference to a control with a corresponding id value.", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "set-parameters": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_set-parameter" + } + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "statements": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-ssp_statement" } + }, + "by-components": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-ssp_by-component" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "control-id"], + "additionalProperties": false + }, + "oscal-complete-oscal-ssp:statement": { + "title": "Specific Control Statement", + "description": "Identifies which statements within a control are addressed.", + "$id": "#assembly_oscal-ssp_statement", + "type": "object", + "properties": { + "statement-id": { + "title": "Control Statement Reference", + "description": "A reference to a control statement by its identifier", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + }, + "uuid": { + "title": "Control Statement Reference Universally Unique Identifier", + "description": "A globally unique identifier that can be used to reference this control statement entry elsewhere in an OSCAL document. A UUID should be consistently used for a given resource across revisions of the document.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "by-components": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-ssp_by-component" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["statement-id", "uuid"], + "additionalProperties": false + }, + "oscal-complete-oscal-ssp:by-component": { + "title": "Component Control Implementation", + "description": "Defines how the referenced component implements a set of controls.", + "$id": "#assembly_oscal-ssp_by-component", + "type": "object", + "properties": { + "component-uuid": { + "title": "Component Universally Unique Identifier Reference", + "description": "A reference to the component that is implementing a given control or control statement.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "uuid": { + "title": "By-Component Universally Unique Identifier", + "description": "A globally unique identifier that can be used to reference this by-component entry elsewhere in an OSCAL document. A UUID should be consistently used for a given resource across revisions of the document.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "description": { + "title": "Control Implementation Description", + "description": "An implementation statement that describes how a control or a control statement is implemented within the referenced system component.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "set-parameters": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_set-parameter" + } + }, + "implementation-status": { + "$ref": "#assembly_oscal-implementation-common_implementation-status" + }, + "export": { + "title": "Export", + "description": "Identifies content intended for external consumption, such as with leveraged organizations.", + "type": "object", + "properties": { + "description": { + "title": "Control Implementation Export Description", + "description": "An implementation statement that describes the aspects of the control or control statement implementation that can be available to another system leveraging this system.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "provided": { + "type": "array", + "minItems": 1, + "items": { + "title": "Provided Control Implementation", + "description": "Describes a capability which may be inherited by a leveraging system.", + "type": "object", + "properties": { + "uuid": { + "title": "Provided Universally Unique Identifier", + "description": "A globally unique identifier that can be used to reference this provided entry elsewhere in an OSCAL document. A UUID should be consistently used for a given resource across revisions of the document.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "description": { + "title": "Provided Control Implementation Description", + "description": "An implementation statement that describes the aspects of the control or control statement implementation that can be provided to another system leveraging this system.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-metadata_responsible-role" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "description"], + "additionalProperties": false + } + }, + "responsibilities": { + "type": "array", + "minItems": 1, + "items": { + "title": "Control Implementation Responsibility", + "description": "Describes a control implementation responsibility imposed on a leveraging system.", + "type": "object", + "properties": { + "uuid": { + "title": "Responsibility Universally Unique Identifier", + "description": "A globally unique identifier that can be used to reference this responsibility entry elsewhere in an OSCAL document. A UUID should be consistently used for a given resource across revisions of the document.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "provided-uuid": { + "title": "Provided UUID", + "description": "Identifies a 'provided' assembly associated with this assembly.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "description": { + "title": "Control Implementation Responsibility Description", + "description": "An implementation statement that describes the aspects of the control or control statement implementation that a leveraging system must implement to satisfy the control provided by a leveraged system.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-metadata_responsible-role" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "description"], + "additionalProperties": false + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "additionalProperties": false + }, + "inherited": { + "type": "array", + "minItems": 1, + "items": { + "title": "Inherited Control Implementation", + "description": "Describes a control implementation inherited by a leveraging system.", + "type": "object", + "properties": { + "uuid": { + "title": "Inherited Universally Unique Identifier", + "description": "A globally unique identifier that can be used to reference this inherited entry elsewhere in an OSCAL document. A UUID should be consistently used for a given resource across revisions of the document.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "provided-uuid": { + "title": "Provided UUID", + "description": "Identifies a 'provided' assembly associated with this assembly.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "description": { + "title": "Inherited Control Implementation Description", + "description": "An implementation statement that describes the aspects of a control or control statement implementation that a leveraging system is inheriting from a leveraged system.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + } + }, + "required": ["uuid", "description"], + "additionalProperties": false + } + }, + "satisfied": { + "type": "array", + "minItems": 1, + "items": { + "title": "Satisfied Control Implementation Responsibility", + "description": "Describes how this system satisfies a responsibility imposed by a leveraged system.", + "type": "object", + "properties": { + "uuid": { + "title": "Satisfied Universally Unique Identifier", + "description": "A globally unique identifier that can be used to reference this satisfied entry elsewhere in an OSCAL document. A UUID should be consistently used for a given resource across revisions of the document.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "responsibility-uuid": { + "title": "Provided UUID", + "description": "Identifies a 'provided' assembly associated with this assembly.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "description": { + "title": "Satisfied Control Implementation Responsibility Description", + "description": "An implementation statement that describes the aspects of a control or control statement implementation that a leveraging system is implementing based on a requirement from a leveraged system.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "description"], + "additionalProperties": false + } + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["component-uuid", "uuid", "description"], + "additionalProperties": false + }, + "oscal-complete-oscal-ap:assessment-plan": { + "title": "Security Assessment Plan (SAP)", + "description": "An assessment plan, such as those provided by a FedRAMP assessor.", + "$id": "#assembly_oscal-ap_assessment-plan", + "type": "object", + "properties": { + "uuid": { + "title": "Assessment Plan Universally Unique Identifier", + "description": "Uniquely identifies this assessment plan. This UUID must be changed each time the content of the plan changes.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "metadata": { "$ref": "#assembly_oscal-metadata_metadata" }, + "import-ssp": { + "$ref": "#assembly_oscal-assessment-common_import-ssp" + }, + "local-definitions": { + "title": "Local Definitions", + "description": "Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP.", + "type": "object", + "properties": { + "components": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_system-component" + } + }, + "inventory-items": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_inventory-item" + } + }, + "users": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_system-user" + } + }, + "objectives-and-methods": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_local-objective" + } + }, + "activities": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_activity" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "additionalProperties": false + }, + "terms-and-conditions": { + "title": "Assessment Plan Terms and Conditions", + "description": "Used to define various terms and conditions under which an assessment, described by the plan, can be performed. Each child part defines a different type of term or condition.", + "type": "object", + "properties": { + "parts": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_assessment-part" + } + } + }, + "additionalProperties": false + }, + "reviewed-controls": { + "$ref": "#assembly_oscal-assessment-common_reviewed-controls" + }, + "assessment-subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_assessment-subject" + } + }, + "assessment-assets": { + "$ref": "#assembly_oscal-assessment-common_assessment-assets" + }, + "tasks": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_task" } + }, + "back-matter": { "$ref": "#assembly_oscal-metadata_back-matter" } + }, + "required": ["uuid", "metadata", "import-ssp", "reviewed-controls"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:import-ssp": { + "title": "Import System Security Plan", + "description": "Used by the assessment plan and POA&M to import information about the system.", + "$id": "#assembly_oscal-assessment-common_import-ssp", + "type": "object", + "properties": { + "href": { + "title": "System Security Plan Reference", + "description": ">A resolvable URL reference to the system security plan for the system being assessed.", + "type": "string", + "format": "uri-reference" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["href"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:local-objective": { + "title": "Assessment-Specific Control Objective", + "description": "A local definition of a control objective for this assessment. Uses catalog syntax for control objective and assessment actions.", + "$id": "#assembly_oscal-assessment-common_local-objective", + "type": "object", + "properties": { + "control-id": { + "title": "Control Identifier Reference", + "description": "A reference to a control with a corresponding id value.", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + }, + "description": { + "title": "Objective Description", + "description": "A human-readable description of this control objective.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "parts": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-catalog-common_part" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["control-id", "parts"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:assessment-method": { + "title": "Assessment Method", + "description": "A local definition of a control objective. Uses catalog syntax for control objective and assessment activities.", + "$id": "#assembly_oscal-assessment-common_assessment-method", + "type": "object", + "properties": { + "uuid": { + "title": "Assessment Method Universally Unique Identifier", + "description": "Uniquely identifies this defined assessment method. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. A UUID should be consistently used for a given assessment method across revisions of the document.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "description": { + "title": "Assessment Method Description", + "description": "A human-readable description of this assessment method.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "part": { "$ref": "#assembly_oscal-assessment-common_assessment-part" }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "part"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:activity": { + "title": "Activity", + "description": "Identifies an assessment or related process that can be performed. In the assessment plan, this is an intended activity which may be associated with an assessment task. In the assessment results, this an activity that was actually performed as part of an assessment.", + "$id": "#assembly_oscal-assessment-common_activity", + "type": "object", + "properties": { + "uuid": { + "title": "Assessment Activity Universally Unique Identifier", + "description": "Uniquely identifies this assessment activity. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. A UUID should be consistently used for a given included activity across revisions of the document.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "title": { + "title": "Included Activity Title", + "description": "The title for this included activity.", + "type": "string" + }, + "description": { + "title": "Included Activity Description", + "description": "A human-readable description of this included activity.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "steps": { + "type": "array", + "minItems": 1, + "items": { + "title": "Step", + "description": "Identifies an individual step in a series of steps related to an activity, such as an assessment test or examination procedure.", + "type": "object", + "properties": { + "uuid": { + "title": "Step Universally Unique Identifier", + "description": "Uniquely identifies a step. This UUID may be referenced elsewhere in an OSCAL document when referring to this step. A UUID should be consistently used for a given test step across revisions of the document.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "title": { + "title": "Step Title", + "description": "The title for this step.", + "type": "string" + }, + "description": { + "title": "Step Description", + "description": "A human-readable description of this step.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "reviewed-controls": { + "$ref": "#assembly_oscal-assessment-common_reviewed-controls" + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "description"], + "additionalProperties": false + } + }, + "related-controls": { + "$ref": "#assembly_oscal-assessment-common_reviewed-controls" + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "description"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:task": { + "title": "Task", + "description": "Represents a scheduled event or milestone, which may be associated with a series of assessment actions.", + "$id": "#assembly_oscal-assessment-common_task", + "type": "object", + "properties": { + "uuid": { + "title": "Task Universally Unique Identifier", + "description": "Uniquely identifies this assessment task.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "type": { + "title": "Task Type", + "description": "The type of task.", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + }, + "title": { + "title": "Task Title", + "description": "The title for this task.", + "type": "string" + }, + "description": { + "title": "Task Description", + "description": "A human-readable description of this task.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "timing": { + "title": "Event Timing", + "description": "The timing under which the task is intended to occur.", + "type": "object", + "properties": { + "on-date": { + "title": "On Date Condition", + "description": "The task is intended to occur on the specified date.", + "type": "object", + "properties": { + "date": { + "title": "On Date Condition", + "description": "The task must occur on the specified date.", + "type": "string", + "format": "date-time", + "pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})$" + } + }, + "required": ["date"], + "additionalProperties": false + }, + "within-date-range": { + "title": "On Date Range Condition", + "description": "The task is intended to occur within the specified date range.", + "type": "object", + "properties": { + "start": { + "title": "Start Date Condition", + "description": "The task must occur on or after the specified date.", + "type": "string", + "format": "date-time", + "pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})$" + }, + "end": { + "title": "End Date Condition", + "description": "The task must occur on or before the specified date.", + "type": "string", + "format": "date-time", + "pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})$" + } + }, + "required": ["start", "end"], + "additionalProperties": false + }, + "at-frequency": { + "title": "Frequency Condition", + "description": "The task is intended to occur at the specified frequency.", + "type": "object", + "properties": { + "period": { + "title": "Period", + "description": "The task must occur after the specified period has elapsed.", + "type": "integer", + "multipleOf": 1, + "minimum": 1 + }, + "unit": { + "title": "Time Unit", + "description": "The unit of time for the period.", + "type": "string", + "pattern": "^\\S(.*\\S)?$", + "enum": [ + "seconds", + "minutes", + "hours", + "days", + "months", + "years" + ] + } + }, + "required": ["period", "unit"], + "additionalProperties": false + } + }, + "additionalProperties": false + }, + "dependencies": { + "type": "array", + "minItems": 1, + "items": { + "title": "Task Dependency", + "description": "Used to indicate that a task is dependent on another task.", + "type": "object", + "properties": { + "task-uuid": { + "title": "Task Universally Unique Identifier Reference", + "description": "References a unique task by UUID.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["task-uuid"], + "additionalProperties": false + } + }, + "tasks": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_task" } + }, + "associated-activities": { + "type": "array", + "minItems": 1, + "items": { + "title": "Associated Activity", + "description": "Identifies an individual activity to be performed as part of a task.", + "type": "object", + "properties": { + "activity-uuid": { + "title": "Activity Universally Unique Identifier Reference", + "description": "References an activity defined in the list of activities.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_assessment-subject" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["activity-uuid", "subjects"], + "additionalProperties": false + } + }, + "subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_assessment-subject" + } + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "type", "title"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:reviewed-controls": { + "title": "Reviewed Controls and Control Objectives", + "description": "Identifies the controls being assessed and their control objectives.", + "$id": "#assembly_oscal-assessment-common_reviewed-controls", + "type": "object", + "properties": { + "description": { + "title": "Control Objective Description", + "description": "A human-readable description of control objectives.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "control-selections": { + "type": "array", + "minItems": 1, + "items": { + "title": "Assessed Controls", + "description": "Identifies the controls being assessed. In the assessment plan, these are the planned controls. In the assessment results, these are the actual controls, and reflects any changes from the plan.", + "type": "object", + "properties": { + "description": { + "title": "Assessed Controls Description", + "description": "A human-readable description of in-scope controls specified for assessment.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "include-all": { + "title": "All", + "description": "A key word to indicate all.", + "type": "object", + "additionalProperties": false + }, + "include-controls": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_select-control-by-id" + } + }, + "exclude-controls": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_select-control-by-id" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "additionalProperties": false + } + }, + "control-objective-selections": { + "type": "array", + "minItems": 1, + "items": { + "title": "Referenced Control Objectives", + "description": "Identifies the control objectives of the assessment. In the assessment plan, these are the planned objectives. In the assessment results, these are the assessed objectives, and reflects any changes from the plan.", + "type": "object", + "properties": { + "description": { + "title": "Control Objectives Description", + "description": "A human-readable description of this collection of control objectives.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "include-all": { + "title": "All", + "description": "A key word to indicate all.", + "type": "object", + "additionalProperties": false + }, + "include-objectives": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_select-objective-by-id" + } + }, + "exclude-objectives": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_select-objective-by-id" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "additionalProperties": false + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["control-selections"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:select-control-by-id": { + "title": "Select Control", + "description": "Used to select a control for inclusion/exclusion based on one or more control identifiers. A set of statement identifiers can be used to target the inclusion/exclusion to only specific control statements providing more granularity over the specific statements that are within the asessment scope.", + "$id": "#assembly_oscal-assessment-common_select-control-by-id", + "type": "object", + "properties": { + "control-id": { + "title": "Control Identifier Reference", + "description": "A reference to a control with a corresponding id value.", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + }, + "statement-ids": { + "type": "array", + "minItems": 1, + "items": { + "title": "Include Specific Statements", + "description": "Used to constrain the selection to only specificity identified statements.", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + } + } + }, + "required": ["control-id"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:select-objective-by-id": { + "title": "Select Objective", + "description": "Used to select a control objective for inclusion/exclusion based on the control objective's identifier.", + "$id": "#assembly_oscal-assessment-common_select-objective-by-id", + "type": "object", + "properties": { + "objective-id": { + "title": "Objective ID", + "description": "Points to an assessment objective.", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + } + }, + "required": ["objective-id"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:assessment-subject-placeholder": { + "title": "Assessment Subject Placeholder", + "description": "Used when the assessment subjects will be determined as part of one or more other assessment activities. These assessment subjects will be recorded in the assessment results in the assessment log.", + "$id": "#assembly_oscal-assessment-common_assessment-subject-placeholder", + "type": "object", + "properties": { + "uuid": { + "title": "Assessment Subject Placeholder Universally Unique Identifier", + "description": "Uniquely identifies a set of assessment subjects that will be identified by a task or an activity that is part of a task.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "description": { + "title": "Assessment Subject Placeholder Description", + "description": "A human-readable description of intent of this assessment subject placeholder.", + "type": "string" + }, + "sources": { + "type": "array", + "minItems": 1, + "items": { + "title": "Assessment Subject Source", + "description": "Assessment subjects will be identified while conducting the referenced activity-instance.", + "type": "object", + "properties": { + "task-uuid": { + "title": "Task Universally Unique Identifier", + "description": "Uniquely identifies an assessment activity to be performed as part of the event. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. A UUID should be consistently used for this schedule across revisions of the document.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + } + }, + "required": ["task-uuid"], + "additionalProperties": false + } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "sources"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:assessment-subject": { + "title": "Subject of Assessment", + "description": "Identifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies a planned assessment subject. In the assessment results this is an actual assessment subject, and reflects any changes from the plan. exactly what will be the focus of this assessment. Any subjects not identified in this way are out-of-scope.", + "$id": "#assembly_oscal-assessment-common_assessment-subject", + "type": "object", + "properties": { + "type": { + "title": "Subject Type", + "description": "Indicates the type of assessment subject, such as a component, inventory, item, location, or party represented by this selection statement.", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + }, + "description": { + "title": "Include Subjects Description", + "description": "A human-readable description of the collection of subjects being included in this assessment.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "include-all": { + "title": "All", + "description": "A key word to indicate all.", + "type": "object", + "additionalProperties": false + }, + "include-subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_select-subject-by-id" + } + }, + "exclude-subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_select-subject-by-id" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["type"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:select-subject-by-id": { + "title": "Select Assessment Subject", + "description": "Identifies a set of assessment subjects to include/exclude by UUID.", + "$id": "#assembly_oscal-assessment-common_select-subject-by-id", + "type": "object", + "properties": { + "subject-uuid": { + "title": "Subject Universally Unique Identifier Reference", + "description": "A pointer to a component, inventory-item, location, party, user, or resource using it's UUID.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "type": { + "title": "Subject Universally Unique Identifier Reference Type", + "description": "Used to indicate the type of object pointed to by the uuid-ref within a subject.", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["subject-uuid", "type"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:subject-reference": { + "title": "Identifies the Subject", + "description": "A pointer to a resource based on its universally unique identifier (UUID). Use type to indicate whether the identified resource is a component, inventory item, location, user, or something else.", + "$id": "#assembly_oscal-assessment-common_subject-reference", + "type": "object", + "properties": { + "subject-uuid": { + "title": "Subject Universally Unique Identifier Reference", + "description": "A pointer to a component, inventory-item, location, party, user, or resource using it's UUID.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "type": { + "title": "Subject Universally Unique Identifier Reference Type", + "description": "Used to indicate the type of object pointed to by the uuid-ref within a subject.", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + }, + "title": { + "title": "Subject Reference Title", + "description": "The title or name for the referenced subject.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["subject-uuid", "type"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:assessment-assets": { + "title": "Assessment Assets", + "description": "Identifies the assets used to perform this assessment, such as the assessment team, scanning tools, and assumptions.", + "$id": "#assembly_oscal-assessment-common_assessment-assets", + "type": "object", + "properties": { + "components": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_system-component" + } + }, + "assessment-platforms": { + "type": "array", + "minItems": 1, + "items": { + "title": "Assessment Platform", + "description": "Used to represent the toolset used to perform aspects of the assessment.", + "type": "object", + "properties": { + "uuid": { + "title": "Assessment Platform Universally Unique Identifier", + "description": "Uniquely identifies this assessment Platform.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "title": { + "title": "Assessment Platform Title", + "description": "The title or name for the assessment platform.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "uses-components": { + "type": "array", + "minItems": 1, + "items": { + "title": "Uses Component", + "description": "The set of components that are used by the assessment platform.", + "type": "object", + "properties": { + "component-uuid": { + "title": "Component Universally Unique Identifier Reference", + "description": "A reference to a component that is implemented as part of an inventory item.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-metadata_responsible-party" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["component-uuid"], + "additionalProperties": false + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid"], + "additionalProperties": false + } + } + }, + "required": ["assessment-platforms"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:finding-target": { + "title": "Objective Status", + "description": "Captures an assessor's conclusions regarding the degree to which an objective is satisfied.", + "$id": "#assembly_oscal-assessment-common_finding-target", + "type": "object", + "properties": { + "type": { + "title": "Finding Target Type", + "description": "Identifies the type of the target.", + "type": "string", + "pattern": "^\\S(.*\\S)?$", + "enum": ["statement-id", "objective-id"] + }, + "target-id": { + "title": "Finding Target Identifier Reference", + "description": "Identifies the specific target qualified by the type.", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + }, + "title": { + "title": "Objective Status Title", + "description": "The title for this objective status.", + "type": "string" + }, + "description": { + "title": "Objective Status Description", + "description": "A human-readable description of the assessor's conclusions regarding the degree to which an objective is satisfied.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "status": { + "title": "Objective Status", + "description": "A determination of if the objective is satisfied or not within a given system.", + "type": "object", + "properties": { + "state": { + "title": "Objective Status State", + "description": "An indication as to whether the objective is satisfied or not.", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$", + "enum": ["satisfied", "not-satisfied"] + }, + "reason": { + "title": "Objective Status Reason", + "description": "The reason the objective was given it's status.", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["state"], + "additionalProperties": false + }, + "implementation-status": { + "$ref": "#assembly_oscal-implementation-common_implementation-status" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["type", "target-id", "status"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:observation": { + "title": "Observation", + "description": "Describes an individual observation.", + "$id": "#assembly_oscal-assessment-common_observation", + "type": "object", + "properties": { + "uuid": { + "title": "Observation Universally Unique Identifier", + "description": "Uniquely identifies this observation. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. Once assigned, a UUID should be consistently used for a given observation across revisions.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "title": { + "title": "Observation Title", + "description": "The title for this observation.", + "type": "string" + }, + "description": { + "title": "Observation Description", + "description": "A human-readable description of this assessment observation.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "methods": { + "type": "array", + "minItems": 1, + "items": { + "title": "Observation Method", + "description": "Identifies how the observation was made.", + "type": "string", + "pattern": "^\\S(.*\\S)?$" + } + }, + "types": { + "type": "array", + "minItems": 1, + "items": { + "title": "Observation Type", + "description": "Identifies the nature of the observation. More than one may be used to further qualify and enable filtering.", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + } + }, + "origins": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_origin" } + }, + "subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_subject-reference" + } + }, + "relevant-evidence": { + "type": "array", + "minItems": 1, + "items": { + "title": "Relevant Evidence", + "description": "Links this observation to relevant evidence.", + "type": "object", + "properties": { + "href": { + "title": "Relevant Evidence Reference", + "description": ">A resolvable URL reference to relevant evidence.", + "type": "string", + "format": "uri-reference" + }, + "description": { + "title": "Relevant Evidence Description", + "description": "A human-readable description of this evidence.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["description"], + "additionalProperties": false + } + }, + "collected": { + "title": "collected field", + "description": "Date/time stamp identifying when the finding information was collected.", + "type": "string", + "format": "date-time", + "pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})$" + }, + "expires": { + "title": "expires field", + "description": "Date/time identifying when the finding information is out-of-date and no longer valid. Typically used with continuous assessment scenarios.", + "type": "string", + "format": "date-time", + "pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})$" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "description", "methods", "collected"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:origin": { + "title": "Origin", + "description": "Identifies the source of the finding, such as a tool, interviewed person, or activity.", + "$id": "#assembly_oscal-assessment-common_origin", + "type": "object", + "properties": { + "actors": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_origin-actor" } + }, + "related-tasks": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_related-task" } + } + }, + "required": ["actors"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:origin-actor": { + "title": "Originating Actor", + "description": "The actor that produces an observation, a finding, or a risk. One or more actor type can be used to specify a person that is using a tool.", + "$id": "#assembly_oscal-assessment-common_origin-actor", + "type": "object", + "properties": { + "type": { + "title": "Actor Type", + "description": "The kind of actor.", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$", + "enum": ["tool", "assessment-platform", "party"] + }, + "actor-uuid": { + "title": "Actor Universally Unique Identifier Reference", + "description": "A pointer to the tool or person based on the associated type.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "role-id": { + "title": "Actor Role", + "description": "For a party, this can optionally be used to specify the role the actor was performing.", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + } + }, + "required": ["type", "actor-uuid"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:related-task": { + "title": "Task Reference", + "description": "Identifies an individual task for which the containing object is a consequence of.", + "$id": "#assembly_oscal-assessment-common_related-task", + "type": "object", + "properties": { + "task-uuid": { + "title": "Task Universally Unique Identifier Reference", + "description": "References a unique task by UUID.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-party" } + }, + "subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_assessment-subject" + } + }, + "identified-subject": { + "title": "Identified Subject", + "description": "Used to detail assessment subjects that were identfied by this task.", + "type": "object", + "properties": { + "subject-placeholder-uuid": { + "title": "Assessment Subject Placeholder Universally Unique Identifier Reference", + "description": "References a unique assessment subject placeholder defined by this task.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_assessment-subject" + } + } + }, + "required": ["subject-placeholder-uuid", "subjects"], + "additionalProperties": false + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["task-uuid"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:threat-id": { + "title": "Threat ID", + "description": "A pointer, by ID, to an externally-defined threat.", + "$id": "#field_oscal-assessment-common_threat-id", + "type": "object", + "properties": { + "system": { + "title": "Threat Type Identification System", + "description": "Specifies the source of the threat information.", + "type": "string", + "format": "uri" + }, + "href": { + "title": "Threat Information Resource Reference", + "description": "An optional location for the threat data, from which this ID originates.", + "type": "string", + "format": "uri-reference" + }, + "id": { "type": "string" } + }, + "required": ["id", "system"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:risk": { + "title": "Identified Risk", + "description": "An identified risk.", + "$id": "#assembly_oscal-assessment-common_risk", + "type": "object", + "properties": { + "uuid": { + "title": "Risk Universally Unique Identifier", + "description": "Uniquely identifies this risk. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. Once assigned, a UUID should be consistently used for a given risk across revisions.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "title": { + "title": "Risk Title", + "description": "The title for this risk.", + "type": "string" + }, + "description": { + "title": "Risk Description", + "description": "A human-readable summary of the identified risk, to include a statement of how the risk impacts the system.", + "type": "string" + }, + "statement": { + "title": "Risk Statement", + "description": "An summary of impact for how the risk affects the system.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "status": { + "title": "Status", + "description": "Describes the status of the associated risk.", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + }, + "origins": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_origin" } + }, + "threat-ids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-assessment-common_threat-id" } + }, + "characterizations": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_characterization" + } + }, + "mitigating-factors": { + "type": "array", + "minItems": 1, + "items": { + "title": "Mitigating Factor", + "description": "Describes an existing mitigating factor that may affect the overall determination of the risk, with an optional link to an implementation statement in the SSP.", + "type": "object", + "properties": { + "uuid": { + "title": "Mitigating Factor Universally Unique Identifier", + "description": "Uniquely identifies this mitigating factor. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. Once assigned, a UUID should be consistently used for a given mitigating factor across revisions.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "implementation-uuid": { + "title": "Implementation UUID", + "description": "Points to an implementation statement in the SSP.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "description": { + "title": "Mitigating Factor Description", + "description": "A human-readable description of this mitigating factor.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_subject-reference" + } + } + }, + "required": ["uuid", "description"], + "additionalProperties": false + } + }, + "deadline": { + "title": "Risk Resolution Deadline", + "description": "The date/time by which the risk must be resolved.", + "type": "string", + "format": "date-time", + "pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})$" + }, + "remediations": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_response" } + }, + "risk-log": { + "title": "Risk Log", + "description": "A log of all risk-related tasks taken.", + "type": "object", + "properties": { + "entries": { + "type": "array", + "minItems": 1, + "items": { + "title": "Risk Log Entry", + "description": "Identifies an individual risk response that occurred as part of managing an identified risk.", + "type": "object", + "properties": { + "uuid": { + "title": "Risk Log Entry Universally Unique Identifier", + "description": "Uniquely identifies a risk log entry. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. A UUID should be consistently used for this schedule across revisions of the document.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "title": { + "title": "Title", + "description": "The title for this risk log entry.", + "type": "string" + }, + "description": { + "title": "Risk Task Description", + "description": "A human-readable description of what was done regarding the risk.", + "type": "string" + }, + "start": { + "title": "Start", + "description": "Identifies the start date and time of the event.", + "type": "string", + "format": "date-time", + "pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})$" + }, + "end": { + "title": "End", + "description": "Identifies the end date and time of the event. If the event is a point in time, the start and end will be the same date and time.", + "type": "string", + "format": "date-time", + "pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})$" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "logged-by": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_logged-by" + } + }, + "status-change": { + "$ref": "#field_oscal-assessment-common_risk-status" + }, + "related-responses": { + "type": "array", + "minItems": 1, + "items": { + "title": "Risk Response Reference", + "description": "Identifies an individual risk response that this log entry is for.", + "type": "object", + "properties": { + "response-uuid": { + "title": "Response Universally Unique Identifier Reference", + "description": "References a unique risk response by UUID.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-metadata_property" + } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "related-tasks": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_related-task" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["response-uuid"], + "additionalProperties": false + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "start"], + "additionalProperties": false + } + } + }, + "required": ["entries"], + "additionalProperties": false + }, + "related-observations": { + "type": "array", + "minItems": 1, + "items": { + "title": "Related Observation", + "description": "Relates the finding to a set of referenced observations that were used to determine the finding.", + "type": "object", + "properties": { + "observation-uuid": { + "title": "Observation Universally Unique Identifier Reference", + "description": "References an observation defined in the list of observations.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + } + }, + "required": ["observation-uuid"], + "additionalProperties": false + } + } + }, + "required": ["uuid", "title", "description", "statement", "status"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:logged-by": { + "title": "Logged By", + "description": "Used to indicate who created a log entry in what role.", + "$id": "#assembly_oscal-assessment-common_logged-by", + "type": "object", + "properties": { + "party-uuid": { + "title": "Party UUID Reference", + "description": "A pointer to the party who is making the log entry.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "role-id": { + "title": "Actor Role", + "description": "A point to the role-id of the role in which the party is making the log entry.", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + } + }, + "required": ["party-uuid"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:risk-status": { + "title": "Risk Status", + "description": "Describes the status of the associated risk.", + "$id": "#field_oscal-assessment-common_risk-status", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + }, + "oscal-complete-oscal-assessment-common:characterization": { + "title": "Characterization", + "description": "A collection of descriptive data about the containing object from a specific origin.", + "$id": "#assembly_oscal-assessment-common_characterization", + "type": "object", + "properties": { + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "origin": { "$ref": "#assembly_oscal-assessment-common_origin" }, + "facets": { + "type": "array", + "minItems": 1, + "items": { + "title": "Facet", + "description": "An individual characteristic that is part of a larger set produced by the same actor.", + "type": "object", + "properties": { + "name": { + "title": "Facet Name", + "description": "The name of the risk metric within the specified system.", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + }, + "system": { + "title": "Naming System", + "description": "Specifies the naming system under which this risk metric is organized, which allows for the same names to be used in different systems controlled by different parties. This avoids the potential of a name clash.", + "type": "string", + "format": "uri" + }, + "value": { + "title": "Facet Value", + "description": "Indicates the value of the facet.", + "type": "string", + "pattern": "^\\S(.*\\S)?$" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["name", "system", "value"], + "additionalProperties": false + } + } + }, + "required": ["origin", "facets"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:response": { + "title": "Risk Response", + "description": "Describes either recommended or an actual plan for addressing the risk.", + "$id": "#assembly_oscal-assessment-common_response", + "type": "object", + "properties": { + "uuid": { + "title": "Remediation Universally Unique Identifier", + "description": "Uniquely identifies this remediation. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. Once assigned, a UUID should be consistently used for a given remediation across revisions.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "lifecycle": { + "title": "Remediation Intent", + "description": "Identifies whether this is a recommendation, such as from an assessor or tool, or an actual plan accepted by the system owner.", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + }, + "title": { + "title": "Response Title", + "description": "The title for this response activity.", + "type": "string" + }, + "description": { + "title": "Response Description", + "description": "A human-readable description of this response plan.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "origins": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_origin" } + }, + "required-assets": { + "type": "array", + "minItems": 1, + "items": { + "title": "Required Asset", + "description": "Identifies an asset required to achieve remediation.", + "type": "object", + "properties": { + "uuid": { + "title": "Required Universally Unique Identifier", + "description": "Uniquely identifies this required asset. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. Once assigned, a UUID should be consistently used for a given required asset across revisions.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_subject-reference" + } + }, + "title": { + "title": "Title for Required Asset", + "description": "The title for this required asset.", + "type": "string" + }, + "description": { + "title": "Description of Required Asset", + "description": "A human-readable description of this required asset.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "description"], + "additionalProperties": false + } + }, + "tasks": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_task" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "lifecycle", "title", "description"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:assessment-part": { + "title": "Assessment Part", + "description": "A partition of an assessment plan or results or a child of another part.", + "$id": "#assembly_oscal-assessment-common_assessment-part", + "type": "object", + "properties": { + "uuid": { + "title": "Part Identifier", + "description": "A unique identifier for a specific part instance. This identifier's uniqueness is document scoped and is intended to be consistent for the same part across minor revisions of the document.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "name": { + "title": "Part Name", + "description": "A textual label that uniquely identifies the part's semantic type.", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + }, + "ns": { + "title": "Part Namespace", + "description": "A namespace qualifying the part's name. This allows different organizations to associate distinct semantics with the same name.", + "type": "string", + "format": "uri" + }, + "class": { + "title": "Part Class", + "description": "A textual label that provides a sub-type or characterization of the part's name. This can be used to further distinguish or discriminate between the semantics of multiple parts of the same control with the same name and ns.", + "type": "string", + "pattern": "^[_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD][_A-Za-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\-\\.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$" + }, + "title": { + "title": "Part Title", + "description": "A name given to the part, which may be used by a tool for display and navigation.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "prose": { + "title": "Part Text", + "description": "Permits multiple paragraphs, lists, tables etc.", + "type": "string" + }, + "parts": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_assessment-part" + } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + } + }, + "required": ["name"], + "additionalProperties": false + }, + "oscal-complete-oscal-ar:assessment-results": { + "title": "Security Assessment Results (SAR)", + "description": "Security assessment results, such as those provided by a FedRAMP assessor in the FedRAMP Security Assessment Report.", + "$id": "#assembly_oscal-ar_assessment-results", + "type": "object", + "properties": { + "uuid": { + "title": "Assessment Results Universally Unique Identifier", + "description": "Uniquely identifies this assessment results file. This UUID must be changed each time the content of the results changes.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "metadata": { "$ref": "#assembly_oscal-metadata_metadata" }, + "import-ap": { "$ref": "#assembly_oscal-ar_import-ap" }, + "local-definitions": { + "title": "Local Definitions", + "description": "Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP.", + "type": "object", + "properties": { + "objectives-and-methods": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_local-objective" + } + }, + "activities": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_activity" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "additionalProperties": false + }, + "results": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-ar_result" } + }, + "back-matter": { "$ref": "#assembly_oscal-metadata_back-matter" } + }, + "required": ["uuid", "metadata", "import-ap", "results"], + "additionalProperties": false + }, + "oscal-complete-oscal-ar:result": { + "title": "Assessment Result", + "description": "Used by the assessment results and POA&M. In the assessment results, this identifies all of the assessment observations and findings, initial and residual risks, deviations, and disposition. In the POA&M, this identifies initial and residual risks, deviations, and disposition.", + "$id": "#assembly_oscal-ar_result", + "type": "object", + "properties": { + "uuid": { + "title": "Results Universally Unique Identifier", + "description": "Uniquely identifies this set of results. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. Once assigned, a UUID should be consistently used for a given set of results across revisions.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "title": { + "title": "Results Title", + "description": "The title for this set of results.", + "type": "string" + }, + "description": { + "title": "Results Description", + "description": "A human-readable description of this set of test results.", + "type": "string" + }, + "start": { + "title": "start field", + "description": "Date/time stamp identifying the start of the evidence collection reflected in these results.", + "type": "string", + "format": "date-time", + "pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})$" + }, + "end": { + "title": "end field", + "description": "Date/time stamp identifying the end of the evidence collection reflected in these results. In a continuous motoring scenario, this may contain the same value as start if appropriate.", + "type": "string", + "format": "date-time", + "pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})$" + }, + "prop": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "local-definitions": { + "title": "Local Definitions", + "description": "Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP.", + "type": "object", + "properties": { + "components": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_system-component" + } + }, + "inventory-items": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_inventory-item" + } + }, + "users": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_system-user" + } + }, + "assessment-assets": { + "$ref": "#assembly_oscal-assessment-common_assessment-assets" + }, + "tasks": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_task" } + } + }, + "additionalProperties": false + }, + "reviewed-controls": { + "$ref": "#assembly_oscal-assessment-common_reviewed-controls" + }, + "attestations": { + "type": "array", + "minItems": 1, + "items": { + "title": "Attestation Statements", + "description": "A set of textual statements, typically written by the assessor.", + "type": "object", + "properties": { + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-metadata_responsible-party" + } + }, + "parts": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_assessment-part" + } + } + }, + "required": ["parts"], + "additionalProperties": false + } + }, + "assessment-log": { + "title": "Assessment Log", + "description": "A log of all assessment-related actions taken.", + "type": "object", + "properties": { + "entries": { + "type": "array", + "minItems": 1, + "items": { + "title": "Assessment Log Entry", + "description": "Identifies the result of an action and/or task that occurred as part of executing an assessment plan or an assessment event that occurred in producing the assessment results.", + "type": "object", + "properties": { + "uuid": { + "title": "Assessment Log Entry Universally Unique Identifier", + "description": "Uniquely identifies an assessment event. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. A UUID should be consistently used for this schedule across revisions of the document.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "title": { + "title": "Action Title", + "description": "The title for this event.", + "type": "string" + }, + "description": { + "title": "Action Description", + "description": "A human-readable description of this event.", + "type": "string" + }, + "start": { + "title": "Start", + "description": "Identifies the start date and time of an event.", + "type": "string", + "format": "date-time", + "pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})$" + }, + "end": { + "title": "End", + "description": "Identifies the end date and time of an event. If the event is a point in time, the start and end will be the same date and time.", + "type": "string", + "format": "date-time", + "pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})$" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "logged-by": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_logged-by" + } + }, + "related-tasks": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_related-task" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "start"], + "additionalProperties": false + } + } + }, + "required": ["entries"], + "additionalProperties": false + }, + "observations": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_observation" } + }, + "risks": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_risk" } + }, + "findings": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-ar_finding" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": [ + "uuid", + "title", + "description", + "start", + "reviewed-controls" + ], + "additionalProperties": false + }, + "oscal-complete-oscal-ar:finding": { + "title": "Finding", + "description": "Describes an individual finding.", + "$id": "#assembly_oscal-ar_finding", + "type": "object", + "properties": { + "uuid": { + "title": "Finding Universally Unique Identifier", + "description": "Uniquely identifies this finding. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. Once assigned, a UUID should be consistently used for a given finding across revisions.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "title": { + "title": "Finding Title", + "description": "The title for this finding.", + "type": "string" + }, + "description": { + "title": "Finding Description", + "description": "A human-readable description of this finding.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "origins": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_origin" } + }, + "target": { + "$ref": "#assembly_oscal-assessment-common_finding-target" + }, + "implementation-statement-uuid": { + "title": "Implementation Statement UUID", + "description": "Identifies the implementation statement in the SSP to which this finding is related.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "related-observations": { + "type": "array", + "minItems": 1, + "items": { + "title": "Related Observation", + "description": "Relates the finding to a set of referenced observations that were used to determine the finding.", + "type": "object", + "properties": { + "observation-uuid": { + "title": "Observation Universally Unique Identifier Reference", + "description": "References an observation defined in the list of observations.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + } + }, + "required": ["observation-uuid"], + "additionalProperties": false + } + }, + "related-risks": { + "type": "array", + "minItems": 1, + "items": { + "title": "Associated Risk", + "description": "Relates the finding to a set of referenced risks that were used to determine the finding.", + "type": "object", + "properties": { + "risk-uuid": { + "title": "Risk Universally Unique Identifier Reference", + "description": "References an risk defined in the list of risks.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + } + }, + "required": ["risk-uuid"], + "additionalProperties": false + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "title", "description", "target"], + "additionalProperties": false + }, + "oscal-complete-oscal-ar:import-ap": { + "title": "Import Assessment Plan", + "description": "Used by assessment-results to import information about the original plan for assessing the system.", + "$id": "#assembly_oscal-ar_import-ap", + "type": "object", + "properties": { + "href": { + "title": "Assessment Plan Reference", + "description": ">A resolvable URL reference to the assessment plan governing the assessment activities.", + "type": "string", + "format": "uri-reference" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["href"], + "additionalProperties": false + }, + "oscal-complete-oscal-poam:plan-of-action-and-milestones": { + "title": "Plan of Action and Milestones (POA&M)", + "description": "A plan of action and milestones which identifies initial and residual risks, deviations, and disposition, such as those required by FedRAMP.", + "$id": "#assembly_oscal-poam_plan-of-action-and-milestones", + "type": "object", + "properties": { + "uuid": { + "title": "POA&M Universally Unique Identifier", + "description": "Uniquely identifies this POA&M. This UUID must be changed each time the content of the POA&M changes.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "metadata": { "$ref": "#assembly_oscal-metadata_metadata" }, + "import-ssp": { + "$ref": "#assembly_oscal-assessment-common_import-ssp" + }, + "system-id": { "$ref": "#field_oscal-implementation-common_system-id" }, + "local-definitions": { + "$ref": "#assembly_oscal-poam_local-definitions" + }, + "observations": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_observation" } + }, + "risks": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_risk" } + }, + "poam-items": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-poam_poam-item" } + }, + "back-matter": { "$ref": "#assembly_oscal-metadata_back-matter" } + }, + "required": ["uuid", "metadata", "poam-items"], + "additionalProperties": false + }, + "oscal-complete-oscal-poam:local-definitions": { + "title": "Local Definitions", + "description": "Allows components, and inventory-items to be defined within the POA&M for circumstances where no OSCAL-based SSP exists, or is not delivered with the POA&M.", + "$id": "#assembly_oscal-poam_local-definitions", + "type": "object", + "properties": { + "components": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_system-component" + } + }, + "inventory-items": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_inventory-item" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "additionalProperties": false + }, + "oscal-complete-oscal-poam:poam-item": { + "title": "POA&M Item", + "description": "Describes an individual POA&M item.", + "$id": "#assembly_oscal-poam_poam-item", + "type": "object", + "properties": { + "uuid": { + "title": "POA&M Item Universally Unique Identifier", + "description": "Uniquely identifies the POA&M entry. This UUID may be referenced elsewhere in an OSCAL document when referring to this information. A UUID should be consistently used for a given POA&M item across revisions of the document.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + }, + "title": { + "title": "POA&M Item Title", + "description": "The title or name for this POA&M item .", + "type": "string" + }, + "description": { + "title": "POA&M Item Description", + "description": "A human-readable description of POA&M item.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "origins": { + "type": "array", + "minItems": 1, + "items": { + "title": "Origin", + "description": "Identifies the source of the finding, such as a tool or person.", + "type": "object", + "properties": { + "actors": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_origin-actor" + } + } + }, + "required": ["actors"], + "additionalProperties": false + } + }, + "related-observations": { + "type": "array", + "minItems": 1, + "items": { + "title": "Related Observation", + "description": "Relates the poam-item to a set of referenced observations that were used to determine the finding.", + "type": "object", + "properties": { + "observation-uuid": { + "title": "Observation Universally Unique Identifier Reference", + "description": "References an observation defined in the list of observations.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + } + }, + "required": ["observation-uuid"], + "additionalProperties": false + } + }, + "related-risks": { + "type": "array", + "minItems": 1, + "items": { + "title": "Associated Risk", + "description": "Relates the finding to a set of referenced risks that were used to determine the finding.", + "type": "object", + "properties": { + "risk-uuid": { + "title": "Risk Universally Unique Identifier Reference", + "description": "References an risk defined in the list of risks.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + } + }, + "required": ["risk-uuid"], + "additionalProperties": false + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["title", "description"], + "additionalProperties": false + } + }, + "oneOf": [ + { + "properties": { + "catalog": { "$ref": "#assembly_oscal-catalog_catalog" } + }, + "required": ["catalog"], + "additionalProperties": false, + "maxProperties": 1 + }, + + { + "properties": { + "profile": { "$ref": "#assembly_oscal-profile_profile" } + }, + "required": ["profile"], + "additionalProperties": false, + "maxProperties": 1 + }, + + { + "properties": { + "component-definition": { + "$ref": "#assembly_oscal-component-definition_component-definition" + } + }, + "required": ["component-definition"], + "additionalProperties": false, + "maxProperties": 1 + }, + + { + "properties": { + "system-security-plan": { + "$ref": "#assembly_oscal-ssp_system-security-plan" + } + }, + "required": ["system-security-plan"], + "additionalProperties": false, + "maxProperties": 1 + }, + + { + "properties": { + "assessment-plan": { "$ref": "#assembly_oscal-ap_assessment-plan" } + }, + "required": ["assessment-plan"], + "additionalProperties": false, + "maxProperties": 1 + }, + + { + "properties": { + "assessment-results": { + "$ref": "#assembly_oscal-ar_assessment-results" + } + }, + "required": ["assessment-results"], + "additionalProperties": false, + "maxProperties": 1 + }, + + { + "properties": { + "plan-of-action-and-milestones": { + "$ref": "#assembly_oscal-poam_plan-of-action-and-milestones" + } + }, + "required": ["plan-of-action-and-milestones"], + "additionalProperties": false, + "maxProperties": 1 + } + ] +} diff --git a/roscal_lib/jsonschema/baseline_unified/loc b/roscal_lib/jsonschema/baseline_unified/loc new file mode 100644 index 0000000..7e2b4e8 --- /dev/null +++ b/roscal_lib/jsonschema/baseline_unified/loc @@ -0,0 +1 @@ +https://github.com/usnistgov/OSCAL/releases/download/v1.0.0/oscal_complete_schema.json \ No newline at end of file diff --git a/roscal_lib/jsonschema/previous_unified/1.1.1.json b/roscal_lib/jsonschema/previous_unified/1.1.1.json new file mode 100644 index 0000000..c937f25 --- /dev/null +++ b/roscal_lib/jsonschema/previous_unified/1.1.1.json @@ -0,0 +1,5659 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "http://csrc.nist.gov/ns/oscal/1.0/1.1.1/oscal-complete-schema.json", + "$comment": "OSCAL Unified Model of Models: JSON Schema", + "type": "object", + "definitions": { + "json-schema-directive": { + "title": "Schema Directive", + "description": "A JSON Schema directive to bind a specific schema to its document instance.", + "$id": "#json-schema-directive", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "oscal-complete-oscal-catalog:catalog": { + "title": "Catalog", + "description": "A structured, organized collection of control information.", + "$id": "#assembly_oscal-catalog_catalog", + "type": "object", + "properties": { + "uuid": { + "title": "Catalog Universally Unique Identifier", + "description": "Provides a globally unique means to identify a given catalog instance.", + "$ref": "#/definitions/UUIDDatatype" + }, + "metadata": { "$ref": "#assembly_oscal-metadata_metadata" }, + "params": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-control-common_parameter" } + }, + "controls": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-catalog_control" } + }, + "groups": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-catalog_group" } + }, + "back-matter": { "$ref": "#assembly_oscal-metadata_back-matter" } + }, + "required": ["uuid", "metadata"], + "additionalProperties": false + }, + "oscal-complete-oscal-catalog:group": { + "title": "Control Group", + "description": "A group of controls, or of groups of controls.", + "$id": "#assembly_oscal-catalog_group", + "type": "object", + "properties": { + "id": { + "title": "Group Identifier", + "description": "Identifies the group for the purpose of cross-linking within the defining instance or from other instances that reference the catalog.", + "$ref": "#/definitions/TokenDatatype" + }, + "class": { + "title": "Group Class", + "description": "A textual label that provides a sub-type or characterization of the group.", + "$ref": "#/definitions/TokenDatatype" + }, + "title": { + "title": "Group Title", + "description": "A name given to the group, which may be used by a tool for display and navigation.", + "type": "string" + }, + "params": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-control-common_parameter" } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "parts": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-control-common_part" } + }, + "groups": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-catalog_group" } + }, + "controls": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-catalog_control" } + } + }, + "required": ["title"], + "additionalProperties": false + }, + "oscal-complete-oscal-catalog:control": { + "title": "Control", + "description": "A structured object representing a requirement or guideline, which when implemented will reduce an aspect of risk related to an information system and its information.", + "$id": "#assembly_oscal-catalog_control", + "type": "object", + "properties": { + "id": { + "title": "Control Identifier", + "description": "Identifies a control such that it can be referenced in the defining catalog and other OSCAL instances (e.g., profiles).", + "$ref": "#/definitions/TokenDatatype" + }, + "class": { + "title": "Control Class", + "description": "A textual label that provides a sub-type or characterization of the control.", + "$ref": "#/definitions/TokenDatatype" + }, + "title": { + "title": "Control Title", + "description": "A name given to the control, which may be used by a tool for display and navigation.", + "type": "string" + }, + "params": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-control-common_parameter" } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "parts": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-control-common_part" } + }, + "controls": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-catalog_control" } + } + }, + "required": ["id", "title"], + "additionalProperties": false + }, + "oscal-complete-oscal-control-common:part": { + "title": "Part", + "description": "An annotated, markup-based textual element of a control's or catalog group's definition, or a child of another part.", + "$id": "#assembly_oscal-control-common_part", + "type": "object", + "properties": { + "id": { + "title": "Part Identifier", + "description": "A unique identifier for the part.", + "$ref": "#/definitions/TokenDatatype" + }, + "name": { + "title": "Part Name", + "description": "A textual label that uniquely identifies the part's semantic type, which exists in a value space qualified by the ns.", + "$ref": "#/definitions/TokenDatatype" + }, + "ns": { + "title": "Part Namespace", + "description": "An optional namespace qualifying the part's name. This allows different organizations to associate distinct semantics with the same name.", + "$ref": "#/definitions/URIDatatype" + }, + "class": { + "title": "Part Class", + "description": "An optional textual providing a sub-type or characterization of the part's name, or a category to which the part belongs.", + "$ref": "#/definitions/TokenDatatype" + }, + "title": { + "title": "Part Title", + "description": "An optional name given to the part, which may be used by a tool for display and navigation.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "prose": { + "title": "Part Text", + "description": "Permits multiple paragraphs, lists, tables etc.", + "type": "string" + }, + "parts": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-control-common_part" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + } + }, + "required": ["name"], + "additionalProperties": false + }, + "oscal-complete-oscal-control-common:parameter": { + "title": "Parameter", + "description": "Parameters provide a mechanism for the dynamic assignment of value(s) in a control.", + "$id": "#assembly_oscal-control-common_parameter", + "type": "object", + "properties": { + "id": { + "title": "Parameter Identifier", + "description": "A unique identifier for the parameter.", + "$ref": "#/definitions/TokenDatatype" + }, + "class": { + "title": "Parameter Class", + "description": "A textual label that provides a characterization of the type, purpose, use or scope of the parameter.", + "$ref": "#/definitions/TokenDatatype" + }, + "depends-on": { + "title": "Depends on", + "description": "(deprecated) Another parameter invoking this one. This construct has been deprecated and should not be used.", + "$ref": "#/definitions/TokenDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "label": { + "title": "Parameter Label", + "description": "A short, placeholder name for the parameter, which can be used as a substitute for a value if no value is assigned.", + "type": "string" + }, + "usage": { + "title": "Parameter Usage Description", + "description": "Describes the purpose and use of a parameter.", + "type": "string" + }, + "constraints": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-control-common_parameter-constraint" + } + }, + "guidelines": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-control-common_parameter-guideline" + } + }, + "values": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-control-common_parameter-value" } + }, + "select": { + "$ref": "#assembly_oscal-control-common_parameter-selection" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["id"], + "additionalProperties": false + }, + "oscal-complete-oscal-control-common:parameter-constraint": { + "title": "Constraint", + "description": "A formal or informal expression of a constraint or test.", + "$id": "#assembly_oscal-control-common_parameter-constraint", + "type": "object", + "properties": { + "description": { + "title": "Constraint Description", + "description": "A textual summary of the constraint to be applied.", + "type": "string" + }, + "tests": { + "type": "array", + "minItems": 1, + "items": { + "title": "Constraint Test", + "description": "A test expression which is expected to be evaluated by a tool.", + "type": "object", + "properties": { + "expression": { + "title": "Constraint test", + "description": "A formal (executable) expression of a constraint.", + "$ref": "#/definitions/StringDatatype" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["expression"], + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "oscal-complete-oscal-control-common:parameter-guideline": { + "title": "Guideline", + "description": "A prose statement that provides a recommendation for the use of a parameter.", + "$id": "#assembly_oscal-control-common_parameter-guideline", + "type": "object", + "properties": { + "prose": { + "title": "Guideline Text", + "description": "Prose permits multiple paragraphs, lists, tables etc.", + "type": "string" + } + }, + "required": ["prose"], + "additionalProperties": false + }, + "oscal-complete-oscal-control-common:parameter-value": { + "title": "Parameter Value", + "description": "A parameter value or set of values.", + "$id": "#field_oscal-control-common_parameter-value", + "$ref": "#/definitions/StringDatatype" + }, + "oscal-complete-oscal-control-common:parameter-selection": { + "title": "Selection", + "description": "Presenting a choice among alternatives.", + "$id": "#assembly_oscal-control-common_parameter-selection", + "type": "object", + "properties": { + "how-many": { + "title": "Parameter Cardinality", + "description": "Describes the number of selections that must occur. Without this setting, only one value should be assumed to be permitted.", + "allOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["one", "one-or-more"] } + ] + }, + "choice": { + "type": "array", + "minItems": 1, + "items": { + "title": "Choice", + "description": "A value selection among several such options.", + "type": "string" + } + } + }, + "additionalProperties": false + }, + "oscal-complete-oscal-control-common:include-all": { + "title": "Include All", + "description": "Include all controls from the imported catalog or profile resources.", + "$id": "#assembly_oscal-control-common_include-all", + "type": "object", + "additionalProperties": false + }, + "oscal-complete-oscal-metadata:metadata": { + "title": "Document Metadata", + "description": "Provides information about the containing document, and defines concepts that are shared across the document.", + "$id": "#assembly_oscal-metadata_metadata", + "type": "object", + "properties": { + "title": { + "title": "Document Title", + "description": "A name given to the document, which may be used by a tool for display and navigation.", + "type": "string" + }, + "published": { "$ref": "#field_oscal-metadata_published" }, + "last-modified": { "$ref": "#field_oscal-metadata_last-modified" }, + "version": { "$ref": "#field_oscal-metadata_version" }, + "oscal-version": { "$ref": "#field_oscal-metadata_oscal-version" }, + "revisions": { + "type": "array", + "minItems": 1, + "items": { + "title": "Revision History Entry", + "description": "An entry in a sequential list of revisions to the containing document, expected to be in reverse chronological order (i.e. latest first).", + "type": "object", + "properties": { + "title": { + "title": "Document Title", + "description": "A name given to the document revision, which may be used by a tool for display and navigation.", + "type": "string" + }, + "published": { "$ref": "#field_oscal-metadata_published" }, + "last-modified": { + "$ref": "#field_oscal-metadata_last-modified" + }, + "version": { "$ref": "#field_oscal-metadata_version" }, + "oscal-version": { + "$ref": "#field_oscal-metadata_oscal-version" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["version"], + "additionalProperties": false + } + }, + "document-ids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_document-id" } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "roles": { + "type": "array", + "minItems": 1, + "items": { + "title": "Role", + "description": "Defines a function, which might be assigned to a party in a specific situation.", + "type": "object", + "properties": { + "id": { + "title": "Role Identifier", + "description": "A unique identifier for the role.", + "$ref": "#/definitions/TokenDatatype" + }, + "title": { + "title": "Role Title", + "description": "A name given to the role, which may be used by a tool for display and navigation.", + "type": "string" + }, + "short-name": { + "title": "Role Short Name", + "description": "A short common name, abbreviation, or acronym for the role.", + "$ref": "#/definitions/StringDatatype" + }, + "description": { + "title": "Role Description", + "description": "A summary of the role's purpose and associated responsibilities.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["id", "title"], + "additionalProperties": false + } + }, + "locations": { + "type": "array", + "minItems": 1, + "items": { + "title": "Location", + "description": "A physical point of presence, which may be associated with people, organizations, or other concepts within the current or linked OSCAL document.", + "type": "object", + "properties": { + "uuid": { + "title": "Location Universally Unique Identifier", + "description": "A unique ID for the location, for reference.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Location Title", + "description": "A name given to the location, which may be used by a tool for display and navigation.", + "type": "string" + }, + "address": { "$ref": "#assembly_oscal-metadata_address" }, + "email-addresses": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_email-address" } + }, + "telephone-numbers": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_telephone-number" } + }, + "urls": { + "type": "array", + "minItems": 1, + "items": { + "title": "Location URL", + "description": "The uniform resource locator (URL) for a web site or other resource associated with the location.", + "$ref": "#/definitions/URIDatatype" + } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid"], + "additionalProperties": false + } + }, + "parties": { + "type": "array", + "minItems": 1, + "items": { + "title": "Party", + "description": "An organization or person, which may be associated with roles or other concepts within the current or linked OSCAL document.", + "type": "object", + "properties": { + "uuid": { + "title": "Party Universally Unique Identifier", + "description": "A unique identifier for the party.", + "$ref": "#/definitions/UUIDDatatype" + }, + "type": { + "title": "Party Type", + "description": "A category describing the kind of party the object describes.", + "allOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { "enum": ["person", "organization"] } + ] + }, + "name": { + "title": "Party Name", + "description": "The full name of the party. This is typically the legal name associated with the party.", + "$ref": "#/definitions/StringDatatype" + }, + "short-name": { + "title": "Party Short Name", + "description": "A short common name, abbreviation, or acronym for the party.", + "$ref": "#/definitions/StringDatatype" + }, + "external-ids": { + "type": "array", + "minItems": 1, + "items": { + "title": "Party External Identifier", + "description": "An identifier for a person or organization using a designated scheme. e.g. an Open Researcher and Contributor ID (ORCID).", + "type": "object", + "properties": { + "scheme": { + "title": "External Identifier Schema", + "description": "Indicates the type of external identifier.", + "anyOf": [ + { "$ref": "#/definitions/URIDatatype" }, + + { "enum": ["http://orcid.org/"] } + ] + }, + "id": { "$ref": "#/definitions/StringDatatype" } + }, + "required": ["id", "scheme"], + "additionalProperties": false + } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "email-addresses": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_email-address" } + }, + "telephone-numbers": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_telephone-number" } + }, + "addresses": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_address" } + }, + "location-uuids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_location-uuid" } + }, + "member-of-organizations": { + "type": "array", + "minItems": 1, + "items": { + "title": "Organizational Affiliation", + "description": "A reference to another party by UUID, typically an organization, that this subject is associated with.", + "$ref": "#/definitions/UUIDDatatype" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "type"], + "additionalProperties": false + } + }, + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-party" } + }, + "actions": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_action" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["title", "last-modified", "version", "oscal-version"], + "additionalProperties": false + }, + "oscal-complete-oscal-metadata:location-uuid": { + "title": "Location Universally Unique Identifier Reference", + "description": "Reference to a location by UUID.", + "$id": "#field_oscal-metadata_location-uuid", + "$ref": "#/definitions/UUIDDatatype" + }, + "oscal-complete-oscal-metadata:party-uuid": { + "title": "Party Universally Unique Identifier Reference", + "description": "Reference to a party by UUID.", + "$id": "#field_oscal-metadata_party-uuid", + "$ref": "#/definitions/UUIDDatatype" + }, + "oscal-complete-oscal-metadata:role-id": { + "title": "Role Identifier Reference", + "description": "Reference to a role by UUID.", + "$id": "#field_oscal-metadata_role-id", + "$ref": "#/definitions/TokenDatatype" + }, + "oscal-complete-oscal-metadata:back-matter": { + "title": "Back matter", + "description": "A collection of resources that may be referenced from within the OSCAL document instance.", + "$id": "#assembly_oscal-metadata_back-matter", + "type": "object", + "properties": { + "resources": { + "type": "array", + "minItems": 1, + "items": { + "title": "Resource", + "description": "A resource associated with content in the containing document instance. A resource may be directly included in the document using base64 encoding or may point to one or more equivalent internet resources.", + "type": "object", + "properties": { + "uuid": { + "title": "Resource Universally Unique Identifier", + "description": "A unique identifier for a resource.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Resource Title", + "description": "An optional name given to the resource, which may be used by a tool for display and navigation.", + "type": "string" + }, + "description": { + "title": "Resource Description", + "description": "An optional short summary of the resource used to indicate the purpose of the resource.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "document-ids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_document-id" } + }, + "citation": { + "title": "Citation", + "description": "An optional citation consisting of end note text using structured markup.", + "type": "object", + "properties": { + "text": { + "title": "Citation Text", + "description": "A line of citation text.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + } + }, + "required": ["text"], + "additionalProperties": false + }, + "rlinks": { + "type": "array", + "minItems": 1, + "items": { + "title": "Resource link", + "description": "A URL-based pointer to an external resource with an optional hash for verification and change detection.", + "type": "object", + "properties": { + "href": { + "title": "Hypertext Reference", + "description": "A resolvable URL pointing to the referenced resource.", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "media-type": { + "title": "Media Type", + "description": "A label that indicates the nature of a resource, as a data serialization or format.", + "$ref": "#/definitions/StringDatatype" + }, + "hashes": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_hash" } + } + }, + "required": ["href"], + "additionalProperties": false + } + }, + "base64": { + "title": "Base64", + "description": "A resource encoded using the Base64 alphabet defined by RFC 2045.", + "type": "object", + "properties": { + "filename": { + "title": "File Name", + "description": "Name of the file before it was encoded as Base64 to be embedded in a resource. This is the name that will be assigned to the file when the file is decoded.", + "$ref": "#/definitions/TokenDatatype" + }, + "media-type": { + "title": "Media Type", + "description": "A label that indicates the nature of a resource, as a data serialization or format.", + "$ref": "#/definitions/StringDatatype" + }, + "value": { "$ref": "#/definitions/Base64Datatype" } + }, + "required": ["value"], + "additionalProperties": false + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid"], + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "oscal-complete-oscal-metadata:property": { + "title": "Property", + "description": "An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.", + "$id": "#assembly_oscal-metadata_property", + "type": "object", + "properties": { + "name": { + "title": "Property Name", + "description": "A textual label, within a namespace, that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.", + "$ref": "#/definitions/TokenDatatype" + }, + "uuid": { + "title": "Property Universally Unique Identifier", + "description": "A unique identifier for a property.", + "$ref": "#/definitions/UUIDDatatype" + }, + "ns": { + "title": "Property Namespace", + "description": "A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.", + "$ref": "#/definitions/URIDatatype" + }, + "value": { + "title": "Property Value", + "description": "Indicates the value of the attribute, characteristic, or quality.", + "$ref": "#/definitions/StringDatatype" + }, + "class": { + "title": "Property Class", + "description": "A textual label that provides a sub-type or characterization of the property's name.", + "$ref": "#/definitions/TokenDatatype" + }, + "group": { + "title": "Property Group", + "description": "An identifier for relating distinct sets of properties.", + "$ref": "#/definitions/TokenDatatype" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["name", "value"], + "additionalProperties": false + }, + "oscal-complete-oscal-metadata:link": { + "title": "Link", + "description": "A reference to a local or remote resource, that has a specific relation to the containing object.", + "$id": "#assembly_oscal-metadata_link", + "type": "object", + "properties": { + "href": { + "title": "Hypertext Reference", + "description": "A resolvable URL reference to a resource.", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "rel": { + "title": "Link Relation Type", + "description": "Describes the type of relationship provided by the link's hypertext reference. This can be an indicator of the link's purpose.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["reference"] } + ] + }, + "media-type": { + "title": "Media Type", + "description": "A label that indicates the nature of a resource, as a data serialization or format.", + "$ref": "#/definitions/StringDatatype" + }, + "resource-fragment": { + "title": "Resource Fragment", + "description": "In case where the href points to a back-matter/resource, this value will indicate the URI fragment to append to any rlink associated with the resource. This value MUST be URI encoded.", + "$ref": "#/definitions/StringDatatype" + }, + "text": { + "title": "Link Text", + "description": "A textual label to associate with the link, which may be used for presentation in a tool.", + "type": "string" + } + }, + "required": ["href"], + "additionalProperties": false + }, + "oscal-complete-oscal-metadata:responsible-party": { + "title": "Responsible Party", + "description": "A reference to a set of persons and/or organizations that have responsibility for performing the referenced role in the context of the containing object.", + "$id": "#assembly_oscal-metadata_responsible-party", + "type": "object", + "properties": { + "role-id": { + "title": "Responsible Role", + "description": "A reference to a role performed by a party.", + "$ref": "#/definitions/TokenDatatype" + }, + "party-uuids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_party-uuid" } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["role-id", "party-uuids"], + "additionalProperties": false + }, + "oscal-complete-oscal-metadata:action": { + "title": "Action", + "description": "An action applied by a role within a given party to the content.", + "$id": "#assembly_oscal-metadata_action", + "type": "object", + "properties": { + "uuid": { + "title": "Action Universally Unique Identifier", + "description": "A unique identifier that can be used to reference this defined action elsewhere in an OSCAL document. A UUID should be consistently used for a given location across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "date": { + "title": "Action Occurrence Date", + "description": "The date and time when the action occurred.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "type": { + "title": "Action Type", + "description": "The type of action documented by the assembly, such as an approval.", + "$ref": "#/definitions/TokenDatatype" + }, + "system": { + "title": "Action Type System", + "description": "Specifies the action type system used.", + "$ref": "#/definitions/URIDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-party" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "type", "system"], + "additionalProperties": false + }, + "oscal-complete-oscal-metadata:responsible-role": { + "title": "Responsible Role", + "description": "A reference to a role with responsibility for performing a function relative to the containing object, optionally associated with a set of persons and/or organizations that perform that role.", + "$id": "#assembly_oscal-metadata_responsible-role", + "type": "object", + "properties": { + "role-id": { + "title": "Responsible Role ID", + "description": "A human-oriented identifier reference to a role performed.", + "$ref": "#/definitions/TokenDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "party-uuids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_party-uuid" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["role-id"], + "additionalProperties": false + }, + "oscal-complete-oscal-metadata:hash": { + "title": "Hash", + "description": "A representation of a cryptographic digest generated over a resource using a specified hash algorithm.", + "$id": "#field_oscal-metadata_hash", + "type": "object", + "properties": { + "algorithm": { + "title": "Hash algorithm", + "description": "The digest method by which a hash is derived.", + "anyOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { + "enum": [ + "SHA-224", + "SHA-256", + "SHA-384", + "SHA-512", + "SHA3-224", + "SHA3-256", + "SHA3-384", + "SHA3-512" + ] + } + ] + }, + "value": { "$ref": "#/definitions/StringDatatype" } + }, + "required": ["value", "algorithm"], + "additionalProperties": false + }, + "oscal-complete-oscal-metadata:remarks": { + "title": "Remarks", + "description": "Additional commentary about the containing object.", + "$id": "#field_oscal-metadata_remarks", + "type": "string" + }, + "oscal-complete-oscal-metadata:published": { + "title": "Publication Timestamp", + "description": "The date and time the document was last made available.", + "$id": "#field_oscal-metadata_published", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "oscal-complete-oscal-metadata:last-modified": { + "title": "Last Modified Timestamp", + "description": "The date and time the document was last stored for later retrieval.", + "$id": "#field_oscal-metadata_last-modified", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "oscal-complete-oscal-metadata:version": { + "title": "Document Version", + "description": "Used to distinguish a specific revision of an OSCAL document from other previous and future versions.", + "$id": "#field_oscal-metadata_version", + "$ref": "#/definitions/StringDatatype" + }, + "oscal-complete-oscal-metadata:oscal-version": { + "title": "OSCAL Version", + "description": "The OSCAL model version the document was authored against and will conform to as valid.", + "$id": "#field_oscal-metadata_oscal-version", + "$ref": "#/definitions/StringDatatype" + }, + "oscal-complete-oscal-metadata:email-address": { + "title": "Email Address", + "description": "An email address as defined by RFC 5322 Section 3.4.1.", + "$id": "#field_oscal-metadata_email-address", + "$ref": "#/definitions/EmailAddressDatatype" + }, + "oscal-complete-oscal-metadata:telephone-number": { + "title": "Telephone Number", + "description": "A telephone service number as defined by ITU-T E.164.", + "$id": "#field_oscal-metadata_telephone-number", + "type": "object", + "properties": { + "type": { + "title": "type flag", + "description": "Indicates the type of phone number.", + "anyOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { "enum": ["home", "office", "mobile"] } + ] + }, + "number": { "$ref": "#/definitions/StringDatatype" } + }, + "required": ["number"], + "additionalProperties": false + }, + "oscal-complete-oscal-metadata:address": { + "title": "Address", + "description": "A postal address for the location.", + "$id": "#assembly_oscal-metadata_address", + "type": "object", + "properties": { + "type": { + "title": "Address Type", + "description": "Indicates the type of address.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["home", "work"] } + ] + }, + "addr-lines": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_addr-line" } + }, + "city": { + "title": "City", + "description": "City, town or geographical region for the mailing address.", + "$ref": "#/definitions/StringDatatype" + }, + "state": { + "title": "State", + "description": "State, province or analogous geographical region for a mailing address.", + "$ref": "#/definitions/StringDatatype" + }, + "postal-code": { + "title": "Postal Code", + "description": "Postal or ZIP code for mailing address.", + "$ref": "#/definitions/StringDatatype" + }, + "country": { + "title": "Country Code", + "description": "The ISO 3166-1 alpha-2 country code for the mailing address.", + "$ref": "#/definitions/StringDatatype" + } + }, + "additionalProperties": false + }, + "oscal-complete-oscal-metadata:addr-line": { + "title": "Address line", + "description": "A single line of an address.", + "$id": "#field_oscal-metadata_addr-line", + "$ref": "#/definitions/StringDatatype" + }, + "oscal-complete-oscal-metadata:document-id": { + "title": "Document Identifier", + "description": "A document identifier qualified by an identifier scheme.", + "$id": "#field_oscal-metadata_document-id", + "type": "object", + "properties": { + "scheme": { + "title": "Document Identification Scheme", + "description": "Qualifies the kind of document identifier using a URI. If the scheme is not provided the value of the element will be interpreted as a string of characters.", + "anyOf": [ + { "$ref": "#/definitions/URIDatatype" }, + + { "enum": ["http://www.doi.org/"] } + ] + }, + "identifier": { "$ref": "#/definitions/StringDatatype" } + }, + "required": ["identifier"], + "additionalProperties": false + }, + "oscal-complete-oscal-profile:profile": { + "title": "Profile", + "description": "Each OSCAL profile is defined by a profile element.", + "$id": "#assembly_oscal-profile_profile", + "type": "object", + "properties": { + "uuid": { + "title": "Profile Universally Unique Identifier", + "description": "Provides a globally unique means to identify a given profile instance.", + "$ref": "#/definitions/UUIDDatatype" + }, + "metadata": { "$ref": "#assembly_oscal-metadata_metadata" }, + "imports": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-profile_import" } + }, + "merge": { "$ref": "#assembly_oscal-profile_merge" }, + "modify": { "$ref": "#assembly_oscal-profile_modify" }, + "back-matter": { "$ref": "#assembly_oscal-metadata_back-matter" } + }, + "required": ["uuid", "metadata", "imports"], + "additionalProperties": false + }, + "oscal-complete-oscal-profile:import": { + "title": "Import Resource", + "description": "Designates a referenced source catalog or profile that provides a source of control information for use in creating a new overlay or baseline.", + "$id": "#assembly_oscal-profile_import", + "type": "object", + "properties": { + "href": { + "title": "Catalog or Profile Reference", + "description": "A resolvable URL reference to the base catalog or profile that this profile is tailoring.", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "include-all": { "$ref": "#assembly_oscal-control-common_include-all" }, + "include-controls": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-profile_select-control-by-id" } + }, + "exclude-controls": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-profile_select-control-by-id" } + } + }, + "required": ["href"], + "additionalProperties": false + }, + "oscal-complete-oscal-profile:merge": { + "title": "Merge Controls", + "description": "Provides structuring directives that instruct how controls are organized after profile resolution.", + "$id": "#assembly_oscal-profile_merge", + "type": "object", + "properties": { + "combine": { + "title": "Combination Rule", + "description": "A Combine element defines how to resolve duplicate instances of the same control (e.g., controls with the same ID).", + "type": "object", + "properties": { + "method": { + "title": "Combination Method", + "description": "Declare how clashing controls should be handled.", + "allOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { "enum": ["use-first", "merge", "keep"] } + ] + } + }, + "additionalProperties": false + }, + "flat": { + "title": "Flat Without Grouping", + "description": "Directs that controls appear without any grouping structure.", + "type": "object", + "additionalProperties": false + }, + "as-is": { + "title": "Group As-Is", + "description": "Indicates that the controls selected should retain their original grouping as defined in the import source.", + "$ref": "#/definitions/BooleanDatatype" + }, + "custom": { + "title": "Custom Grouping", + "description": "Provides an alternate grouping structure that selected controls will be placed in.", + "type": "object", + "properties": { + "groups": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-profile_group" } + }, + "insert-controls": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-profile_insert-controls" } + } + }, + "additionalProperties": false + } + }, + "additionalProperties": false + }, + "oscal-complete-oscal-profile:group": { + "title": "Control Group", + "description": "A group of (selected) controls or of groups of controls.", + "$id": "#assembly_oscal-profile_group", + "type": "object", + "properties": { + "id": { + "title": "Group Identifier", + "description": "Identifies the group.", + "$ref": "#/definitions/TokenDatatype" + }, + "class": { + "title": "Group Class", + "description": "A textual label that provides a sub-type or characterization of the group.", + "$ref": "#/definitions/TokenDatatype" + }, + "title": { + "title": "Group Title", + "description": "A name to be given to the group for use in display.", + "type": "string" + }, + "params": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-control-common_parameter" } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "parts": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-control-common_part" } + }, + "groups": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-profile_group" } + }, + "insert-controls": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-profile_insert-controls" } + } + }, + "required": ["title"], + "additionalProperties": false + }, + "oscal-complete-oscal-profile:modify": { + "title": "Modify Controls", + "description": "Set parameters or amend controls in resolution.", + "$id": "#assembly_oscal-profile_modify", + "type": "object", + "properties": { + "set-parameters": { + "type": "array", + "minItems": 1, + "items": { + "title": "Parameter Setting", + "description": "A parameter setting, to be propagated to points of insertion.", + "type": "object", + "properties": { + "param-id": { + "title": "Parameter ID", + "description": "An identifier for the parameter.", + "$ref": "#/definitions/TokenDatatype" + }, + "class": { + "title": "Parameter Class", + "description": "A textual label that provides a characterization of the parameter.", + "$ref": "#/definitions/TokenDatatype" + }, + "depends-on": { + "title": "Depends On", + "description": "**(deprecated)** Another parameter invoking this one. This construct has been deprecated and should not be used.", + "$ref": "#/definitions/TokenDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "label": { + "title": "Parameter Label", + "description": "A short, placeholder name for the parameter, which can be used as a substitute for a value if no value is assigned.", + "type": "string" + }, + "usage": { + "title": "Parameter Usage Description", + "description": "Describes the purpose and use of a parameter.", + "type": "string" + }, + "constraints": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-control-common_parameter-constraint" + } + }, + "guidelines": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-control-common_parameter-guideline" + } + }, + "values": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#field_oscal-control-common_parameter-value" + } + }, + "select": { + "$ref": "#assembly_oscal-control-common_parameter-selection" + } + }, + "required": ["param-id"], + "additionalProperties": false + } + }, + "alters": { + "type": "array", + "minItems": 1, + "items": { + "title": "Alteration", + "description": "Specifies changes to be made to an included control when a profile is resolved.", + "type": "object", + "properties": { + "control-id": { + "title": "Control Identifier Reference", + "description": "A reference to a control with a corresponding id value. When referencing an externally defined control, the Control Identifier Reference must be used in the context of the external / imported OSCAL instance (e.g., uri-reference).", + "$ref": "#/definitions/TokenDatatype" + }, + "removes": { + "type": "array", + "minItems": 1, + "items": { + "title": "Removal", + "description": "Specifies objects to be removed from a control based on specific aspects of the object that must all match.", + "type": "object", + "properties": { + "by-name": { + "title": "Reference by (assigned) name", + "description": "Identify items remove by matching their assigned name.", + "$ref": "#/definitions/TokenDatatype" + }, + "by-class": { + "title": "Reference by class", + "description": "Identify items to remove by matching their class.", + "$ref": "#/definitions/TokenDatatype" + }, + "by-id": { + "title": "Reference by ID", + "description": "Identify items to remove indicated by their id.", + "$ref": "#/definitions/TokenDatatype" + }, + "by-item-name": { + "title": "Item Name Reference", + "description": "Identify items to remove by the name of the item's information object name, e.g. title or prop.", + "allOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { + "enum": [ + "param", + "prop", + "link", + "part", + "mapping", + "map" + ] + } + ] + }, + "by-ns": { + "title": "Item Namespace Reference", + "description": "Identify items to remove by the item's ns, which is the namespace associated with a part, or prop.", + "$ref": "#/definitions/TokenDatatype" + } + }, + "additionalProperties": false + } + }, + "adds": { + "type": "array", + "minItems": 1, + "items": { + "title": "Addition", + "description": "Specifies contents to be added into controls, in resolution.", + "type": "object", + "properties": { + "position": { + "title": "Position", + "description": "Where to add the new content with respect to the targeted element (beside it or inside it).", + "allOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["before", "after", "starting", "ending"] } + ] + }, + "by-id": { + "title": "Reference by ID", + "description": "Target location of the addition.", + "$ref": "#/definitions/TokenDatatype" + }, + "title": { + "title": "Title Change", + "description": "A name given to the control, which may be used by a tool for display and navigation.", + "type": "string" + }, + "params": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-control-common_parameter" + } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "parts": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-control-common_part" } + } + }, + "additionalProperties": false + } + } + }, + "required": ["control-id"], + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "oscal-complete-oscal-profile:insert-controls": { + "title": "Insert Controls", + "description": "Specifies which controls to use in the containing context.", + "$id": "#assembly_oscal-profile_insert-controls", + "type": "object", + "properties": { + "order": { + "title": "Order", + "description": "A designation of how a selection of controls in a profile is to be ordered.", + "allOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["keep", "ascending", "descending"] } + ] + }, + "include-all": { "$ref": "#assembly_oscal-control-common_include-all" }, + "include-controls": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-profile_select-control-by-id" } + }, + "exclude-controls": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-profile_select-control-by-id" } + } + }, + "additionalProperties": false + }, + "oscal-complete-oscal-profile:select-control-by-id": { + "title": "Select Control", + "description": "Select a control or controls from an imported control set.", + "$id": "#assembly_oscal-profile_select-control-by-id", + "type": "object", + "properties": { + "with-child-controls": { + "title": "Include Contained Controls with Control", + "description": "When a control is included, whether its child (dependent) controls are also included.", + "allOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["yes", "no"] } + ] + }, + "with-ids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-profile_with-id" } + }, + "matching": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-profile_matching" } + } + }, + "additionalProperties": false + }, + "oscal-complete-oscal-profile:with-id": { + "title": "Match Controls by Identifier", + "description": "Selecting a control by its ID given as a literal.", + "$id": "#field_oscal-profile_with-id", + "$ref": "#/definitions/TokenDatatype" + }, + "oscal-complete-oscal-profile:matching": { + "title": "Match Controls by Pattern", + "description": "Selecting a set of controls by matching their IDs with a wildcard pattern.", + "$id": "#assembly_oscal-profile_matching", + "type": "object", + "properties": { + "pattern": { + "title": "Pattern", + "description": "A glob expression matching the IDs of one or more controls to be selected.", + "$ref": "#/definitions/StringDatatype" + } + }, + "additionalProperties": false + }, + "oscal-complete-oscal-component-definition:component-definition": { + "title": "Component Definition", + "description": "A collection of component descriptions, which may optionally be grouped by capability.", + "$id": "#assembly_oscal-component-definition_component-definition", + "type": "object", + "properties": { + "uuid": { + "title": "Component Definition Universally Unique Identifier", + "description": "Provides a globally unique means to identify a given component definition instance.", + "$ref": "#/definitions/UUIDDatatype" + }, + "metadata": { "$ref": "#assembly_oscal-metadata_metadata" }, + "import-component-definitions": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-component-definition_import-component-definition" + } + }, + "components": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-component-definition_defined-component" + } + }, + "capabilities": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-component-definition_capability" } + }, + "back-matter": { "$ref": "#assembly_oscal-metadata_back-matter" } + }, + "required": ["uuid", "metadata"], + "additionalProperties": false + }, + "oscal-complete-oscal-component-definition:import-component-definition": { + "title": "Import Component Definition", + "description": "Loads a component definition from another resource.", + "$id": "#assembly_oscal-component-definition_import-component-definition", + "type": "object", + "properties": { + "href": { + "title": "Hyperlink Reference", + "description": "A link to a resource that defines a set of components and/or capabilities to import into this collection.", + "$ref": "#/definitions/URIReferenceDatatype" + } + }, + "required": ["href"], + "additionalProperties": false + }, + "oscal-complete-oscal-component-definition:defined-component": { + "title": "Component", + "description": "A defined component that can be part of an implemented system.", + "$id": "#assembly_oscal-component-definition_defined-component", + "type": "object", + "properties": { + "uuid": { + "title": "Component Identifier", + "description": "Provides a globally unique means to identify a given component.", + "$ref": "#/definitions/UUIDDatatype" + }, + "type": { + "title": "Component Type", + "description": "A category describing the purpose of the component.", + "anyOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { + "enum": [ + "interconnection", + "software", + "hardware", + "service", + "policy", + "physical", + "process-procedure", + "plan", + "guidance", + "standard", + "validation" + ] + } + ] + }, + "title": { + "title": "Component Title", + "description": "A human readable name for the component.", + "type": "string" + }, + "description": { + "title": "Component Description", + "description": "A description of the component, including information about its function.", + "type": "string" + }, + "purpose": { + "title": "Purpose", + "description": "A summary of the technological or business purpose of the component.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "protocols": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-implementation-common_protocol" } + }, + "control-implementations": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-component-definition_control-implementation" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "type", "title", "description"], + "additionalProperties": false + }, + "oscal-complete-oscal-component-definition:capability": { + "title": "Capability", + "description": "A grouping of other components and/or capabilities.", + "$id": "#assembly_oscal-component-definition_capability", + "type": "object", + "properties": { + "uuid": { + "title": "Capability Identifier", + "description": "Provides a globally unique means to identify a given capability.", + "$ref": "#/definitions/UUIDDatatype" + }, + "name": { + "title": "Capability Name", + "description": "The capability's human-readable name.", + "$ref": "#/definitions/StringDatatype" + }, + "description": { + "title": "Capability Description", + "description": "A summary of the capability.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "incorporates-components": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-component-definition_incorporates-component" + } + }, + "control-implementations": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-component-definition_control-implementation" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "name", "description"], + "additionalProperties": false + }, + "oscal-complete-oscal-component-definition:incorporates-component": { + "title": "Incorporates Component", + "description": "The collection of components comprising this capability.", + "$id": "#assembly_oscal-component-definition_incorporates-component", + "type": "object", + "properties": { + "component-uuid": { + "title": "Component Reference", + "description": "A machine-oriented identifier reference to a component.", + "$ref": "#/definitions/UUIDDatatype" + }, + "description": { + "title": "Component Description", + "description": "A description of the component, including information about its function.", + "type": "string" + } + }, + "required": ["component-uuid", "description"], + "additionalProperties": false + }, + "oscal-complete-oscal-component-definition:control-implementation": { + "title": "Control Implementation Set", + "description": "Defines how the component or capability supports a set of controls.", + "$id": "#assembly_oscal-component-definition_control-implementation", + "type": "object", + "properties": { + "uuid": { + "title": "Control Implementation Set Identifier", + "description": "Provides a means to identify a set of control implementations that are supported by a given component or capability.", + "$ref": "#/definitions/UUIDDatatype" + }, + "source": { + "title": "Source Resource Reference", + "description": "A reference to an OSCAL catalog or profile providing the referenced control or subcontrol definition.", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "description": { + "title": "Control Implementation Description", + "description": "A description of how the specified set of controls are implemented for the containing component or capability.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "set-parameters": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_set-parameter" + } + }, + "implemented-requirements": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-component-definition_implemented-requirement" + } + } + }, + "required": ["uuid", "source", "description", "implemented-requirements"], + "additionalProperties": false + }, + "oscal-complete-oscal-component-definition:implemented-requirement": { + "title": "Control Implementation", + "description": "Describes how the containing component or capability implements an individual control.", + "$id": "#assembly_oscal-component-definition_implemented-requirement", + "type": "object", + "properties": { + "uuid": { + "title": "Control Implementation Identifier", + "description": "Provides a globally unique means to identify a given control implementation by a component.", + "$ref": "#/definitions/UUIDDatatype" + }, + "control-id": { + "title": "Control Identifier Reference", + "description": "A reference to a control with a corresponding id value. When referencing an externally defined control, the Control Identifier Reference must be used in the context of the external / imported OSCAL instance (e.g., uri-reference).", + "$ref": "#/definitions/TokenDatatype" + }, + "description": { + "title": "Control Implementation Description", + "description": "A suggestion from the supplier (e.g., component vendor or author) for how the specified control may be implemented if the containing component or capability is instantiated in a system security plan.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "set-parameters": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_set-parameter" + } + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "statements": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-component-definition_statement" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "control-id", "description"], + "additionalProperties": false + }, + "oscal-complete-oscal-component-definition:statement": { + "title": "Control Statement Implementation", + "description": "Identifies which statements within a control are addressed.", + "$id": "#assembly_oscal-component-definition_statement", + "type": "object", + "properties": { + "statement-id": { + "title": "Control Statement Reference", + "description": "A human-oriented identifier reference to a control statement.", + "$ref": "#/definitions/TokenDatatype" + }, + "uuid": { + "title": "Control Statement Reference Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this control statement elsewhere in this or other OSCAL instances. The UUID of the control statement in the source OSCAL instance is sufficient to reference the data item locally or globally (e.g., in an imported OSCAL instance).", + "$ref": "#/definitions/UUIDDatatype" + }, + "description": { + "title": "Statement Implementation Description", + "description": "A summary of how the containing control statement is implemented by the component or capability.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["statement-id", "uuid", "description"], + "additionalProperties": false + }, + "oscal-complete-oscal-implementation-common:system-component": { + "title": "Component", + "description": "A defined component that can be part of an implemented system.", + "$id": "#assembly_oscal-implementation-common_system-component", + "type": "object", + "properties": { + "uuid": { + "title": "Component Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this component elsewhere in this or other OSCAL instances. The locally defined UUID of the component can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "type": { + "title": "Component Type", + "description": "A category describing the purpose of the component.", + "anyOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { + "enum": [ + "this-system", + "system", + "interconnection", + "software", + "hardware", + "service", + "policy", + "physical", + "process-procedure", + "plan", + "guidance", + "standard", + "validation", + "network" + ] + } + ] + }, + "title": { + "title": "Component Title", + "description": "A human readable name for the system component.", + "type": "string" + }, + "description": { + "title": "Component Description", + "description": "A description of the component, including information about its function.", + "type": "string" + }, + "purpose": { + "title": "Purpose", + "description": "A summary of the technological or business purpose of the component.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "status": { + "title": "Status", + "description": "Describes the operational status of the system component.", + "type": "object", + "properties": { + "state": { + "title": "State", + "description": "The operational status.", + "allOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { + "enum": [ + "under-development", + "operational", + "disposition", + "other" + ] + } + ] + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["state"], + "additionalProperties": false + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "protocols": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-implementation-common_protocol" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "type", "title", "description", "status"], + "additionalProperties": false + }, + "oscal-complete-oscal-implementation-common:protocol": { + "title": "Service Protocol Information", + "description": "Information about the protocol used to provide a service.", + "$id": "#assembly_oscal-implementation-common_protocol", + "type": "object", + "properties": { + "uuid": { + "title": "Service Protocol Information Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this service protocol information elsewhere in this or other OSCAL instances. The locally defined UUID of the service protocol can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "name": { + "title": "Protocol Name", + "description": "The common name of the protocol, which should be the appropriate \"service name\" from the IANA Service Name and Transport Protocol Port Number Registry.", + "$ref": "#/definitions/StringDatatype" + }, + "title": { + "title": "Protocol Title", + "description": "A human readable name for the protocol (e.g., Transport Layer Security).", + "type": "string" + }, + "port-ranges": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_port-range" + } + } + }, + "required": ["name"], + "additionalProperties": false + }, + "oscal-complete-oscal-implementation-common:port-range": { + "title": "Port Range", + "description": "Where applicable this is the IPv4 port range on which the service operates.", + "$id": "#assembly_oscal-implementation-common_port-range", + "type": "object", + "properties": { + "start": { + "title": "Start", + "description": "Indicates the starting port number in a port range", + "$ref": "#/definitions/NonNegativeIntegerDatatype" + }, + "end": { + "title": "End", + "description": "Indicates the ending port number in a port range", + "$ref": "#/definitions/NonNegativeIntegerDatatype" + }, + "transport": { + "title": "Transport", + "description": "Indicates the transport type.", + "allOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["TCP", "UDP"] } + ] + } + }, + "additionalProperties": false + }, + "oscal-complete-oscal-implementation-common:implementation-status": { + "title": "Implementation Status", + "description": "Indicates the degree to which the a given control is implemented.", + "$id": "#assembly_oscal-implementation-common_implementation-status", + "type": "object", + "properties": { + "state": { + "title": "Implementation State", + "description": "Identifies the implementation status of the control or control objective.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { + "enum": [ + "implemented", + "partial", + "planned", + "alternative", + "not-applicable" + ] + } + ] + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["state"], + "additionalProperties": false + }, + "oscal-complete-oscal-implementation-common:system-user": { + "title": "System User", + "description": "A type of user that interacts with the system based on an associated role.", + "$id": "#assembly_oscal-implementation-common_system-user", + "type": "object", + "properties": { + "uuid": { + "title": "User Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this user class elsewhere in this or other OSCAL instances. The locally defined UUID of the system user can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "User Title", + "description": "A name given to the user, which may be used by a tool for display and navigation.", + "type": "string" + }, + "short-name": { + "title": "User Short Name", + "description": "A short common name, abbreviation, or acronym for the user.", + "$ref": "#/definitions/StringDatatype" + }, + "description": { + "title": "User Description", + "description": "A summary of the user's purpose within the system.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "role-ids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_role-id" } + }, + "authorized-privileges": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_authorized-privilege" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid"], + "additionalProperties": false + }, + "oscal-complete-oscal-implementation-common:authorized-privilege": { + "title": "Privilege", + "description": "Identifies a specific system privilege held by the user, along with an associated description and/or rationale for the privilege.", + "$id": "#assembly_oscal-implementation-common_authorized-privilege", + "type": "object", + "properties": { + "title": { + "title": "Privilege Title", + "description": "A human readable name for the privilege.", + "type": "string" + }, + "description": { + "title": "Privilege Description", + "description": "A summary of the privilege's purpose within the system.", + "type": "string" + }, + "functions-performed": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#field_oscal-implementation-common_function-performed" + } + } + }, + "required": ["title", "functions-performed"], + "additionalProperties": false + }, + "oscal-complete-oscal-implementation-common:function-performed": { + "title": "Functions Performed", + "description": "Describes a function performed for a given authorized privilege by this user class.", + "$id": "#field_oscal-implementation-common_function-performed", + "$ref": "#/definitions/StringDatatype" + }, + "oscal-complete-oscal-implementation-common:inventory-item": { + "title": "Inventory Item", + "description": "A single managed inventory item within the system.", + "$id": "#assembly_oscal-implementation-common_inventory-item", + "type": "object", + "properties": { + "uuid": { + "title": "Inventory Item Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this inventory item elsewhere in this or other OSCAL instances. The locally defined UUID of the inventory item can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "description": { + "title": "Inventory Item Description", + "description": "A summary of the inventory item stating its purpose within the system.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-party" } + }, + "implemented-components": { + "type": "array", + "minItems": 1, + "items": { + "title": "Implemented Component", + "description": "The set of components that are implemented in a given system inventory item.", + "type": "object", + "properties": { + "component-uuid": { + "title": "Component Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to a component that is implemented as part of an inventory item.", + "$ref": "#/definitions/UUIDDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-metadata_responsible-party" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["component-uuid"], + "additionalProperties": false + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "description"], + "additionalProperties": false + }, + "oscal-complete-oscal-implementation-common:set-parameter": { + "title": "Set Parameter Value", + "description": "Identifies the parameter that will be set by the enclosed value.", + "$id": "#assembly_oscal-implementation-common_set-parameter", + "type": "object", + "properties": { + "param-id": { + "title": "Parameter ID", + "description": "A human-oriented reference to a parameter within a control, who's catalog has been imported into the current implementation context.", + "$ref": "#/definitions/TokenDatatype" + }, + "values": { + "type": "array", + "minItems": 1, + "items": { + "title": "Parameter Value", + "description": "A parameter value or set of values.", + "$ref": "#/definitions/StringDatatype" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["param-id", "values"], + "additionalProperties": false + }, + "oscal-complete-oscal-implementation-common:system-id": { + "title": "System Identification", + "description": "A human-oriented, globally unique identifier with cross-instance scope that can be used to reference this system identification property elsewhere in this or other OSCAL instances. When referencing an externally defined system identification, the system identification must be used in the context of the external / imported OSCAL instance (e.g., uri-reference). This string should be assigned per-subject, which means it should be consistently used to identify the same system across revisions of the document.", + "$id": "#field_oscal-implementation-common_system-id", + "type": "object", + "properties": { + "identifier-type": { + "title": "Identification System Type", + "description": "Identifies the identification system from which the provided identifier was assigned.", + "anyOf": [ + { "$ref": "#/definitions/URIDatatype" }, + + { + "enum": [ + "https://fedramp.gov", + "http://fedramp.gov/ns/oscal", + "https://ietf.org/rfc/rfc4122", + "http://ietf.org/rfc/rfc4122" + ] + } + ] + }, + "id": { "$ref": "#/definitions/StringDatatype" } + }, + "required": ["id"], + "additionalProperties": false + }, + "oscal-complete-oscal-ssp:system-security-plan": { + "title": "System Security Plan (SSP)", + "description": "A system security plan, such as those described in NIST SP 800-18.", + "$id": "#assembly_oscal-ssp_system-security-plan", + "type": "object", + "properties": { + "uuid": { + "title": "System Security Plan Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this system security plan (SSP) elsewhere in this or other OSCAL instances. The locally defined UUID of the SSP can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance).This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "metadata": { "$ref": "#assembly_oscal-metadata_metadata" }, + "import-profile": { "$ref": "#assembly_oscal-ssp_import-profile" }, + "system-characteristics": { + "$ref": "#assembly_oscal-ssp_system-characteristics" + }, + "system-implementation": { + "$ref": "#assembly_oscal-ssp_system-implementation" + }, + "control-implementation": { + "$ref": "#assembly_oscal-ssp_control-implementation" + }, + "back-matter": { "$ref": "#assembly_oscal-metadata_back-matter" } + }, + "required": [ + "uuid", + "metadata", + "import-profile", + "system-characteristics", + "system-implementation", + "control-implementation" + ], + "additionalProperties": false + }, + "oscal-complete-oscal-ssp:import-profile": { + "title": "Import Profile", + "description": "Used to import the OSCAL profile representing the system's control baseline.", + "$id": "#assembly_oscal-ssp_import-profile", + "type": "object", + "properties": { + "href": { + "title": "Profile Reference", + "description": "A resolvable URL reference to the profile or catalog to use as the system's control baseline.", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["href"], + "additionalProperties": false + }, + "oscal-complete-oscal-ssp:system-characteristics": { + "title": "System Characteristics", + "description": "Contains the characteristics of the system, such as its name, purpose, and security impact level.", + "$id": "#assembly_oscal-ssp_system-characteristics", + "type": "object", + "properties": { + "system-ids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-implementation-common_system-id" } + }, + "system-name": { + "title": "System Name - Full", + "description": "The full name of the system.", + "$ref": "#/definitions/StringDatatype" + }, + "system-name-short": { + "title": "System Name - Short", + "description": "A short name for the system, such as an acronym, that is suitable for display in a data table or summary list.", + "$ref": "#/definitions/StringDatatype" + }, + "description": { + "title": "System Description", + "description": "A summary of the system.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "date-authorized": { "$ref": "#field_oscal-ssp_date-authorized" }, + "security-sensitivity-level": { + "title": "Security Sensitivity Level", + "description": "The overall information system sensitivity categorization, such as defined by FIPS-199.", + "$ref": "#/definitions/StringDatatype" + }, + "system-information": { + "$ref": "#assembly_oscal-ssp_system-information" + }, + "security-impact-level": { + "$ref": "#assembly_oscal-ssp_security-impact-level" + }, + "status": { "$ref": "#assembly_oscal-ssp_status" }, + "authorization-boundary": { + "$ref": "#assembly_oscal-ssp_authorization-boundary" + }, + "network-architecture": { + "$ref": "#assembly_oscal-ssp_network-architecture" + }, + "data-flow": { "$ref": "#assembly_oscal-ssp_data-flow" }, + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-party" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": [ + "system-ids", + "system-name", + "description", + "system-information", + "status", + "authorization-boundary" + ], + "additionalProperties": false + }, + "oscal-complete-oscal-ssp:system-information": { + "title": "System Information", + "description": "Contains details about all information types that are stored, processed, or transmitted by the system, such as privacy information, and those defined in NIST SP 800-60.", + "$id": "#assembly_oscal-ssp_system-information", + "type": "object", + "properties": { + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "information-types": { + "type": "array", + "minItems": 1, + "items": { + "title": "Information Type", + "description": "Contains details about one information type that is stored, processed, or transmitted by the system, such as privacy information, and those defined in NIST SP 800-60.", + "type": "object", + "properties": { + "uuid": { + "title": "Information Type Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this information type elsewhere in this or other OSCAL instances. The locally defined UUID of the information type can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "title field", + "description": "A human readable name for the information type. This title should be meaningful within the context of the system.", + "type": "string" + }, + "description": { + "title": "Information Type Description", + "description": "A summary of how this information type is used within the system.", + "type": "string" + }, + "categorizations": { + "type": "array", + "minItems": 1, + "items": { + "title": "Information Type Categorization", + "description": "A set of information type identifiers qualified by the given identification system used, such as NIST SP 800-60.", + "type": "object", + "properties": { + "system": { + "title": "Information Type Identification System", + "description": "Specifies the information type identification system used.", + "anyOf": [ + { "$ref": "#/definitions/URIDatatype" }, + + { + "enum": ["http://doi.org/10.6028/NIST.SP.800-60v2r1"] + } + ] + }, + "information-type-ids": { + "type": "array", + "minItems": 1, + "items": { + "title": "Information Type Systematized Identifier", + "description": "A human-oriented, globally unique identifier qualified by the given identification system used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to reference this system elsewhere in this or other OSCAL instances. This id should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/StringDatatype" + } + } + }, + "required": ["system"], + "additionalProperties": false + } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "confidentiality-impact": { + "$ref": "#assembly_oscal-ssp_impact" + }, + "integrity-impact": { "$ref": "#assembly_oscal-ssp_impact" }, + "availability-impact": { "$ref": "#assembly_oscal-ssp_impact" } + }, + "required": ["title", "description"], + "additionalProperties": false + } + } + }, + "required": ["information-types"], + "additionalProperties": false + }, + "oscal-complete-oscal-ssp:impact": { + "title": "Impact Level", + "description": "The expected level of impact resulting from the described information.", + "$id": "#assembly_oscal-ssp_impact", + "type": "object", + "properties": { + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "base": { "$ref": "#field_oscal-ssp_base" }, + "selected": { "$ref": "#field_oscal-ssp_selected" }, + "adjustment-justification": { + "$ref": "#field_oscal-ssp_adjustment-justification" + } + }, + "required": ["base"], + "additionalProperties": false + }, + "oscal-complete-oscal-ssp:base": { + "title": "Base Level (Confidentiality, Integrity, or Availability)", + "description": "The prescribed base (Confidentiality, Integrity, or Availability) security impact level.", + "$id": "#field_oscal-ssp_base", + "$ref": "#/definitions/StringDatatype" + }, + "oscal-complete-oscal-ssp:selected": { + "title": "Selected Level (Confidentiality, Integrity, or Availability)", + "description": "The selected (Confidentiality, Integrity, or Availability) security impact level.", + "$id": "#field_oscal-ssp_selected", + "$ref": "#/definitions/StringDatatype" + }, + "oscal-complete-oscal-ssp:adjustment-justification": { + "title": "Adjustment Justification", + "description": "If the selected security level is different from the base security level, this contains the justification for the change.", + "$id": "#field_oscal-ssp_adjustment-justification", + "type": "string" + }, + "oscal-complete-oscal-ssp:security-impact-level": { + "title": "Security Impact Level", + "description": "The overall level of expected impact resulting from unauthorized disclosure, modification, or loss of access to information.", + "$id": "#assembly_oscal-ssp_security-impact-level", + "type": "object", + "properties": { + "security-objective-confidentiality": { + "title": "Security Objective: Confidentiality", + "description": "A target-level of confidentiality for the system, based on the sensitivity of information within the system.", + "$ref": "#/definitions/StringDatatype" + }, + "security-objective-integrity": { + "title": "Security Objective: Integrity", + "description": "A target-level of integrity for the system, based on the sensitivity of information within the system.", + "$ref": "#/definitions/StringDatatype" + }, + "security-objective-availability": { + "title": "Security Objective: Availability", + "description": "A target-level of availability for the system, based on the sensitivity of information within the system.", + "$ref": "#/definitions/StringDatatype" + } + }, + "required": [ + "security-objective-confidentiality", + "security-objective-integrity", + "security-objective-availability" + ], + "additionalProperties": false + }, + "oscal-complete-oscal-ssp:status": { + "title": "Status", + "description": "Describes the operational status of the system.", + "$id": "#assembly_oscal-ssp_status", + "type": "object", + "properties": { + "state": { + "title": "State", + "description": "The current operating status.", + "allOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { + "enum": [ + "operational", + "under-development", + "under-major-modification", + "disposition", + "other" + ] + } + ] + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["state"], + "additionalProperties": false + }, + "oscal-complete-oscal-ssp:date-authorized": { + "title": "System Authorization Date", + "description": "The date the system received its authorization.", + "$id": "#field_oscal-ssp_date-authorized", + "$ref": "#/definitions/DateDatatype" + }, + "oscal-complete-oscal-ssp:authorization-boundary": { + "title": "Authorization Boundary", + "description": "A description of this system's authorization boundary, optionally supplemented by diagrams that illustrate the authorization boundary.", + "$id": "#assembly_oscal-ssp_authorization-boundary", + "type": "object", + "properties": { + "description": { + "title": "Authorization Boundary Description", + "description": "A summary of the system's authorization boundary.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "diagrams": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-ssp_diagram" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["description"], + "additionalProperties": false + }, + "oscal-complete-oscal-ssp:diagram": { + "title": "Diagram", + "description": "A graphic that provides a visual representation the system, or some aspect of it.", + "$id": "#assembly_oscal-ssp_diagram", + "type": "object", + "properties": { + "uuid": { + "title": "Diagram ID", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this diagram elsewhere in this or other OSCAL instances. The locally defined UUID of the diagram can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "description": { + "title": "Diagram Description", + "description": "A summary of the diagram.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "caption": { + "title": "Caption", + "description": "A brief caption to annotate the diagram.", + "type": "string" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid"], + "additionalProperties": false + }, + "oscal-complete-oscal-ssp:network-architecture": { + "title": "Network Architecture", + "description": "A description of the system's network architecture, optionally supplemented by diagrams that illustrate the network architecture.", + "$id": "#assembly_oscal-ssp_network-architecture", + "type": "object", + "properties": { + "description": { + "title": "Network Architecture Description", + "description": "A summary of the system's network architecture.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "diagrams": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-ssp_diagram" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["description"], + "additionalProperties": false + }, + "oscal-complete-oscal-ssp:data-flow": { + "title": "Data Flow", + "description": "A description of the logical flow of information within the system and across its boundaries, optionally supplemented by diagrams that illustrate these flows.", + "$id": "#assembly_oscal-ssp_data-flow", + "type": "object", + "properties": { + "description": { + "title": "Data Flow Description", + "description": "A summary of the system's data flow.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "diagrams": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-ssp_diagram" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["description"], + "additionalProperties": false + }, + "oscal-complete-oscal-ssp:system-implementation": { + "title": "System Implementation", + "description": "Provides information as to how the system is implemented.", + "$id": "#assembly_oscal-ssp_system-implementation", + "type": "object", + "properties": { + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "leveraged-authorizations": { + "type": "array", + "minItems": 1, + "items": { + "title": "Leveraged Authorization", + "description": "A description of another authorized system from which this system inherits capabilities that satisfy security requirements. Another term for this concept is a common control provider.", + "type": "object", + "properties": { + "uuid": { + "title": "Leveraged Authorization Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope and can be used to reference this leveraged authorization elsewhere in this or other OSCAL instances. The locally defined UUID of the leveraged authorization can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "title field", + "description": "A human readable name for the leveraged authorization in the context of the system.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "party-uuid": { + "title": "party-uuid field", + "description": "A machine-oriented identifier reference to the party that manages the leveraged system.", + "$ref": "#/definitions/UUIDDatatype" + }, + "date-authorized": { "$ref": "#field_oscal-ssp_date-authorized" }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "title", "party-uuid", "date-authorized"], + "additionalProperties": false + } + }, + "users": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_system-user" + } + }, + "components": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_system-component" + } + }, + "inventory-items": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_inventory-item" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["users", "components"], + "additionalProperties": false + }, + "oscal-complete-oscal-ssp:control-implementation": { + "title": "Control Implementation", + "description": "Describes how the system satisfies a set of controls.", + "$id": "#assembly_oscal-ssp_control-implementation", + "type": "object", + "properties": { + "description": { + "title": "Control Implementation Description", + "description": "A statement describing important things to know about how this set of control satisfaction documentation is approached.", + "type": "string" + }, + "set-parameters": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_set-parameter" + } + }, + "implemented-requirements": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-ssp_implemented-requirement" } + } + }, + "required": ["description", "implemented-requirements"], + "additionalProperties": false + }, + "oscal-complete-oscal-ssp:implemented-requirement": { + "title": "Control-based Requirement", + "description": "Describes how the system satisfies the requirements of an individual control.", + "$id": "#assembly_oscal-ssp_implemented-requirement", + "type": "object", + "properties": { + "uuid": { + "title": "Control Requirement Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this control requirement elsewhere in this or other OSCAL instances. The locally defined UUID of the control requirement can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "control-id": { + "title": "Control Identifier Reference", + "description": "A reference to a control with a corresponding id value. When referencing an externally defined control, the Control Identifier Reference must be used in the context of the external / imported OSCAL instance (e.g., uri-reference).", + "$ref": "#/definitions/TokenDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "set-parameters": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_set-parameter" + } + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "statements": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-ssp_statement" } + }, + "by-components": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-ssp_by-component" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "control-id"], + "additionalProperties": false + }, + "oscal-complete-oscal-ssp:statement": { + "title": "Specific Control Statement", + "description": "Identifies which statements within a control are addressed.", + "$id": "#assembly_oscal-ssp_statement", + "type": "object", + "properties": { + "statement-id": { + "title": "Control Statement Reference", + "description": "A human-oriented identifier reference to a control statement.", + "$ref": "#/definitions/TokenDatatype" + }, + "uuid": { + "title": "Control Statement Reference Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this control statement elsewhere in this or other OSCAL instances. The UUID of the control statement in the source OSCAL instance is sufficient to reference the data item locally or globally (e.g., in an imported OSCAL instance).", + "$ref": "#/definitions/UUIDDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "by-components": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-ssp_by-component" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["statement-id", "uuid"], + "additionalProperties": false + }, + "oscal-complete-oscal-ssp:by-component": { + "title": "Component Control Implementation", + "description": "Defines how the referenced component implements a set of controls.", + "$id": "#assembly_oscal-ssp_by-component", + "type": "object", + "properties": { + "component-uuid": { + "title": "Component Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to the component that is implemeting a given control.", + "$ref": "#/definitions/UUIDDatatype" + }, + "uuid": { + "title": "By-Component Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this by-component entry elsewhere in this or other OSCAL instances. The locally defined UUID of the by-component entry can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "description": { + "title": "Control Implementation Description", + "description": "An implementation statement that describes how a control or a control statement is implemented within the referenced system component.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "set-parameters": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_set-parameter" + } + }, + "implementation-status": { + "$ref": "#assembly_oscal-implementation-common_implementation-status" + }, + "export": { + "title": "Export", + "description": "Identifies content intended for external consumption, such as with leveraged organizations.", + "type": "object", + "properties": { + "description": { + "title": "Control Implementation Export Description", + "description": "An implementation statement that describes the aspects of the control or control statement implementation that can be available to another system leveraging this system.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "provided": { + "type": "array", + "minItems": 1, + "items": { + "title": "Provided Control Implementation", + "description": "Describes a capability which may be inherited by a leveraging system.", + "type": "object", + "properties": { + "uuid": { + "title": "Provided Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this provided entry elsewhere in this or other OSCAL instances. The locally defined UUID of the provided entry can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "description": { + "title": "Provided Control Implementation Description", + "description": "An implementation statement that describes the aspects of the control or control statement implementation that can be provided to another system leveraging this system.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-metadata_responsible-role" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "description"], + "additionalProperties": false + } + }, + "responsibilities": { + "type": "array", + "minItems": 1, + "items": { + "title": "Control Implementation Responsibility", + "description": "Describes a control implementation responsibility imposed on a leveraging system.", + "type": "object", + "properties": { + "uuid": { + "title": "Responsibility Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this responsibility elsewhere in this or other OSCAL instances. The locally defined UUID of the responsibility can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "provided-uuid": { + "title": "Provided UUID", + "description": "A machine-oriented identifier reference to an inherited control implementation that a leveraging system is inheriting from a leveraged system.", + "$ref": "#/definitions/UUIDDatatype" + }, + "description": { + "title": "Control Implementation Responsibility Description", + "description": "An implementation statement that describes the aspects of the control or control statement implementation that a leveraging system must implement to satisfy the control provided by a leveraged system.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-metadata_responsible-role" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "description"], + "additionalProperties": false + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "additionalProperties": false + }, + "inherited": { + "type": "array", + "minItems": 1, + "items": { + "title": "Inherited Control Implementation", + "description": "Describes a control implementation inherited by a leveraging system.", + "type": "object", + "properties": { + "uuid": { + "title": "Inherited Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this inherited entry elsewhere in this or other OSCAL instances. The locally defined UUID of the inherited control implementation can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "provided-uuid": { + "title": "Provided UUID", + "description": "A machine-oriented identifier reference to an inherited control implementation that a leveraging system is inheriting from a leveraged system.", + "$ref": "#/definitions/UUIDDatatype" + }, + "description": { + "title": "Inherited Control Implementation Description", + "description": "An implementation statement that describes the aspects of a control or control statement implementation that a leveraging system is inheriting from a leveraged system.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + } + }, + "required": ["uuid", "description"], + "additionalProperties": false + } + }, + "satisfied": { + "type": "array", + "minItems": 1, + "items": { + "title": "Satisfied Control Implementation Responsibility", + "description": "Describes how this system satisfies a responsibility imposed by a leveraged system.", + "type": "object", + "properties": { + "uuid": { + "title": "Satisfied Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this satisfied control implementation entry elsewhere in this or other OSCAL instances. The locally defined UUID of the control implementation can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "responsibility-uuid": { + "title": "Responsibility UUID", + "description": "A machine-oriented identifier reference to a control implementation that satisfies a responsibility imposed by a leveraged system.", + "$ref": "#/definitions/UUIDDatatype" + }, + "description": { + "title": "Satisfied Control Implementation Responsibility Description", + "description": "An implementation statement that describes the aspects of a control or control statement implementation that a leveraging system is implementing based on a requirement from a leveraged system.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "description"], + "additionalProperties": false + } + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["component-uuid", "uuid", "description"], + "additionalProperties": false + }, + "oscal-complete-oscal-ap:assessment-plan": { + "title": "Security Assessment Plan (SAP)", + "description": "An assessment plan, such as those provided by a FedRAMP assessor.", + "$id": "#assembly_oscal-ap_assessment-plan", + "type": "object", + "properties": { + "uuid": { + "title": "Assessment Plan Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment plan in this or other OSCAL instances. The locally defined UUID of the assessment plan can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "metadata": { "$ref": "#assembly_oscal-metadata_metadata" }, + "import-ssp": { + "$ref": "#assembly_oscal-assessment-common_import-ssp" + }, + "local-definitions": { + "title": "Local Definitions", + "description": "Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP.", + "type": "object", + "properties": { + "components": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_system-component" + } + }, + "inventory-items": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_inventory-item" + } + }, + "users": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_system-user" + } + }, + "objectives-and-methods": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_local-objective" + } + }, + "activities": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_activity" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "additionalProperties": false + }, + "terms-and-conditions": { + "title": "Assessment Plan Terms and Conditions", + "description": "Used to define various terms and conditions under which an assessment, described by the plan, can be performed. Each child part defines a different type of term or condition.", + "type": "object", + "properties": { + "parts": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_assessment-part" + } + } + }, + "additionalProperties": false + }, + "reviewed-controls": { + "$ref": "#assembly_oscal-assessment-common_reviewed-controls" + }, + "assessment-subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_assessment-subject" + } + }, + "assessment-assets": { + "$ref": "#assembly_oscal-assessment-common_assessment-assets" + }, + "tasks": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_task" } + }, + "back-matter": { "$ref": "#assembly_oscal-metadata_back-matter" } + }, + "required": ["uuid", "metadata", "import-ssp", "reviewed-controls"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:import-ssp": { + "title": "Import System Security Plan", + "description": "Used by the assessment plan and POA&M to import information about the system.", + "$id": "#assembly_oscal-assessment-common_import-ssp", + "type": "object", + "properties": { + "href": { + "title": "System Security Plan Reference", + "description": "A resolvable URL reference to the system security plan for the system being assessed.", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["href"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:local-objective": { + "title": "Assessment-Specific Control Objective", + "description": "A local definition of a control objective for this assessment. Uses catalog syntax for control objective and assessment actions.", + "$id": "#assembly_oscal-assessment-common_local-objective", + "type": "object", + "properties": { + "control-id": { + "title": "Control Identifier Reference", + "description": "A reference to a control with a corresponding id value. When referencing an externally defined control, the Control Identifier Reference must be used in the context of the external / imported OSCAL instance (e.g., uri-reference).", + "$ref": "#/definitions/TokenDatatype" + }, + "description": { + "title": "Objective Description", + "description": "A human-readable description of this control objective.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "parts": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-control-common_part" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["control-id", "parts"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:assessment-method": { + "title": "Assessment Method", + "description": "A local definition of a control objective. Uses catalog syntax for control objective and assessment activities.", + "$id": "#assembly_oscal-assessment-common_assessment-method", + "type": "object", + "properties": { + "uuid": { + "title": "Assessment Method Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment method elsewhere in this or other OSCAL instances. The locally defined UUID of the assessment method can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "description": { + "title": "Assessment Method Description", + "description": "A human-readable description of this assessment method.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "part": { "$ref": "#assembly_oscal-assessment-common_assessment-part" }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "part"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:activity": { + "title": "Activity", + "description": "Identifies an assessment or related process that can be performed. In the assessment plan, this is an intended activity which may be associated with an assessment task. In the assessment results, this an activity that was actually performed as part of an assessment.", + "$id": "#assembly_oscal-assessment-common_activity", + "type": "object", + "properties": { + "uuid": { + "title": "Assessment Activity Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment activity elsewhere in this or other OSCAL instances. The locally defined UUID of the activity can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Included Activity Title", + "description": "The title for this included activity.", + "type": "string" + }, + "description": { + "title": "Included Activity Description", + "description": "A human-readable description of this included activity.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "steps": { + "type": "array", + "minItems": 1, + "items": { + "title": "Step", + "description": "Identifies an individual step in a series of steps related to an activity, such as an assessment test or examination procedure.", + "type": "object", + "properties": { + "uuid": { + "title": "Step Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this step elsewhere in this or other OSCAL instances. The locally defined UUID of the step (in a series of steps) can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Step Title", + "description": "The title for this step.", + "type": "string" + }, + "description": { + "title": "Step Description", + "description": "A human-readable description of this step.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "reviewed-controls": { + "$ref": "#assembly_oscal-assessment-common_reviewed-controls" + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "description"], + "additionalProperties": false + } + }, + "related-controls": { + "$ref": "#assembly_oscal-assessment-common_reviewed-controls" + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "description"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:task": { + "title": "Task", + "description": "Represents a scheduled event or milestone, which may be associated with a series of assessment actions.", + "$id": "#assembly_oscal-assessment-common_task", + "type": "object", + "properties": { + "uuid": { + "title": "Task Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this task elsewhere in this or other OSCAL instances. The locally defined UUID of the task can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "type": { + "title": "Task Type", + "description": "The type of task.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["milestone", "action"] } + ] + }, + "title": { + "title": "Task Title", + "description": "The title for this task.", + "type": "string" + }, + "description": { + "title": "Task Description", + "description": "A human-readable description of this task.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "timing": { + "title": "Event Timing", + "description": "The timing under which the task is intended to occur.", + "type": "object", + "properties": { + "on-date": { + "title": "On Date Condition", + "description": "The task is intended to occur on the specified date.", + "type": "object", + "properties": { + "date": { + "title": "On Date Condition", + "description": "The task must occur on the specified date.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + } + }, + "required": ["date"], + "additionalProperties": false + }, + "within-date-range": { + "title": "On Date Range Condition", + "description": "The task is intended to occur within the specified date range.", + "type": "object", + "properties": { + "start": { + "title": "Start Date Condition", + "description": "The task must occur on or after the specified date.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "end": { + "title": "End Date Condition", + "description": "The task must occur on or before the specified date.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + } + }, + "required": ["start", "end"], + "additionalProperties": false + }, + "at-frequency": { + "title": "Frequency Condition", + "description": "The task is intended to occur at the specified frequency.", + "type": "object", + "properties": { + "period": { + "title": "Period", + "description": "The task must occur after the specified period has elapsed.", + "$ref": "#/definitions/PositiveIntegerDatatype" + }, + "unit": { + "title": "Time Unit", + "description": "The unit of time for the period.", + "allOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { + "enum": [ + "seconds", + "minutes", + "hours", + "days", + "months", + "years" + ] + } + ] + } + }, + "required": ["period", "unit"], + "additionalProperties": false + } + }, + "additionalProperties": false + }, + "dependencies": { + "type": "array", + "minItems": 1, + "items": { + "title": "Task Dependency", + "description": "Used to indicate that a task is dependent on another task.", + "type": "object", + "properties": { + "task-uuid": { + "title": "Task Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to a unique task.", + "$ref": "#/definitions/UUIDDatatype" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["task-uuid"], + "additionalProperties": false + } + }, + "tasks": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_task" } + }, + "associated-activities": { + "type": "array", + "minItems": 1, + "items": { + "title": "Associated Activity", + "description": "Identifies an individual activity to be performed as part of a task.", + "type": "object", + "properties": { + "activity-uuid": { + "title": "Activity Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to an activity defined in the list of activities.", + "$ref": "#/definitions/UUIDDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_assessment-subject" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["activity-uuid", "subjects"], + "additionalProperties": false + } + }, + "subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_assessment-subject" + } + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "type", "title"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:reviewed-controls": { + "title": "Reviewed Controls and Control Objectives", + "description": "Identifies the controls being assessed and their control objectives.", + "$id": "#assembly_oscal-assessment-common_reviewed-controls", + "type": "object", + "properties": { + "description": { + "title": "Control Objective Description", + "description": "A human-readable description of control objectives.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "control-selections": { + "type": "array", + "minItems": 1, + "items": { + "title": "Assessed Controls", + "description": "Identifies the controls being assessed. In the assessment plan, these are the planned controls. In the assessment results, these are the actual controls, and reflects any changes from the plan.", + "type": "object", + "properties": { + "description": { + "title": "Assessed Controls Description", + "description": "A human-readable description of in-scope controls specified for assessment.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "include-all": { + "$ref": "#assembly_oscal-control-common_include-all" + }, + "include-controls": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_select-control-by-id" + } + }, + "exclude-controls": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_select-control-by-id" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "additionalProperties": false + } + }, + "control-objective-selections": { + "type": "array", + "minItems": 1, + "items": { + "title": "Referenced Control Objectives", + "description": "Identifies the control objectives of the assessment. In the assessment plan, these are the planned objectives. In the assessment results, these are the assessed objectives, and reflects any changes from the plan.", + "type": "object", + "properties": { + "description": { + "title": "Control Objectives Description", + "description": "A human-readable description of this collection of control objectives.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "include-all": { + "$ref": "#assembly_oscal-control-common_include-all" + }, + "include-objectives": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_select-objective-by-id" + } + }, + "exclude-objectives": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_select-objective-by-id" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "additionalProperties": false + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["control-selections"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:select-control-by-id": { + "title": "Select Control", + "description": "Used to select a control for inclusion/exclusion based on one or more control identifiers. A set of statement identifiers can be used to target the inclusion/exclusion to only specific control statements providing more granularity over the specific statements that are within the asessment scope.", + "$id": "#assembly_oscal-assessment-common_select-control-by-id", + "type": "object", + "properties": { + "control-id": { + "title": "Control Identifier Reference", + "description": "A reference to a control with a corresponding id value. When referencing an externally defined control, the Control Identifier Reference must be used in the context of the external / imported OSCAL instance (e.g., uri-reference).", + "$ref": "#/definitions/TokenDatatype" + }, + "statement-ids": { + "type": "array", + "minItems": 1, + "items": { + "title": "Include Specific Statements", + "description": "Used to constrain the selection to only specificity identified statements.", + "$ref": "#/definitions/TokenDatatype" + } + } + }, + "required": ["control-id"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:select-objective-by-id": { + "title": "Select Objective", + "description": "Used to select a control objective for inclusion/exclusion based on the control objective's identifier.", + "$id": "#assembly_oscal-assessment-common_select-objective-by-id", + "type": "object", + "properties": { + "objective-id": { + "title": "Objective ID", + "description": "Points to an assessment objective.", + "$ref": "#/definitions/TokenDatatype" + } + }, + "required": ["objective-id"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:assessment-subject-placeholder": { + "title": "Assessment Subject Placeholder", + "description": "Used when the assessment subjects will be determined as part of one or more other assessment activities. These assessment subjects will be recorded in the assessment results in the assessment log.", + "$id": "#assembly_oscal-assessment-common_assessment-subject-placeholder", + "type": "object", + "properties": { + "uuid": { + "title": "Assessment Subject Placeholder Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier for a set of assessment subjects that will be identified by a task or an activity that is part of a task. The locally defined UUID of the assessment subject placeholder can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "description": { + "title": "Assessment Subject Placeholder Description", + "description": "A human-readable description of intent of this assessment subject placeholder.", + "type": "string" + }, + "sources": { + "type": "array", + "minItems": 1, + "items": { + "title": "Assessment Subject Source", + "description": "Assessment subjects will be identified while conducting the referenced activity-instance.", + "type": "object", + "properties": { + "task-uuid": { + "title": "Task Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference (in this or other OSCAL instances) an assessment activity to be performed as part of the event. The locally defined UUID of the task can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + } + }, + "required": ["task-uuid"], + "additionalProperties": false + } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "sources"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:assessment-subject": { + "title": "Subject of Assessment", + "description": "Identifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies a planned assessment subject. In the assessment results this is an actual assessment subject, and reflects any changes from the plan. exactly what will be the focus of this assessment. Any subjects not identified in this way are out-of-scope.", + "$id": "#assembly_oscal-assessment-common_assessment-subject", + "type": "object", + "properties": { + "type": { + "title": "Subject Type", + "description": "Indicates the type of assessment subject, such as a component, inventory, item, location, or party represented by this selection statement.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { + "enum": [ + "component", + "inventory-item", + "location", + "party", + "user" + ] + } + ] + }, + "description": { + "title": "Include Subjects Description", + "description": "A human-readable description of the collection of subjects being included in this assessment.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "include-all": { "$ref": "#assembly_oscal-control-common_include-all" }, + "include-subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_select-subject-by-id" + } + }, + "exclude-subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_select-subject-by-id" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["type"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:select-subject-by-id": { + "title": "Select Assessment Subject", + "description": "Identifies a set of assessment subjects to include/exclude by UUID.", + "$id": "#assembly_oscal-assessment-common_select-subject-by-id", + "type": "object", + "properties": { + "subject-uuid": { + "title": "Subject Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to a component, inventory-item, location, party, user, or resource using it's UUID.", + "$ref": "#/definitions/UUIDDatatype" + }, + "type": { + "title": "Subject Universally Unique Identifier Reference Type", + "description": "Used to indicate the type of object pointed to by the uuid-ref within a subject.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { + "enum": [ + "component", + "inventory-item", + "location", + "party", + "user", + "resource" + ] + } + ] + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["subject-uuid", "type"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:subject-reference": { + "title": "Identifies the Subject", + "description": "A human-oriented identifier reference to a resource. Use type to indicate whether the identified resource is a component, inventory item, location, user, or something else.", + "$id": "#assembly_oscal-assessment-common_subject-reference", + "type": "object", + "properties": { + "subject-uuid": { + "title": "Subject Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to a component, inventory-item, location, party, user, or resource using it's UUID.", + "$ref": "#/definitions/UUIDDatatype" + }, + "type": { + "title": "Subject Universally Unique Identifier Reference Type", + "description": "Used to indicate the type of object pointed to by the uuid-ref within a subject.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { + "enum": [ + "component", + "inventory-item", + "location", + "party", + "user", + "resource" + ] + } + ] + }, + "title": { + "title": "Subject Reference Title", + "description": "The title or name for the referenced subject.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["subject-uuid", "type"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:assessment-assets": { + "title": "Assessment Assets", + "description": "Identifies the assets used to perform this assessment, such as the assessment team, scanning tools, and assumptions.", + "$id": "#assembly_oscal-assessment-common_assessment-assets", + "type": "object", + "properties": { + "components": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_system-component" + } + }, + "assessment-platforms": { + "type": "array", + "minItems": 1, + "items": { + "title": "Assessment Platform", + "description": "Used to represent the toolset used to perform aspects of the assessment.", + "type": "object", + "properties": { + "uuid": { + "title": "Assessment Platform Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment platform elsewhere in this or other OSCAL instances. The locally defined UUID of the assessment platform can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Assessment Platform Title", + "description": "The title or name for the assessment platform.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "uses-components": { + "type": "array", + "minItems": 1, + "items": { + "title": "Uses Component", + "description": "The set of components that are used by the assessment platform.", + "type": "object", + "properties": { + "component-uuid": { + "title": "Component Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to a component that is implemented as part of an inventory item.", + "$ref": "#/definitions/UUIDDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-metadata_responsible-party" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["component-uuid"], + "additionalProperties": false + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid"], + "additionalProperties": false + } + } + }, + "required": ["assessment-platforms"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:finding-target": { + "title": "Objective Status", + "description": "Captures an assessor's conclusions regarding the degree to which an objective is satisfied.", + "$id": "#assembly_oscal-assessment-common_finding-target", + "type": "object", + "properties": { + "type": { + "title": "Finding Target Type", + "description": "Identifies the type of the target.", + "allOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { "enum": ["statement-id", "objective-id"] } + ] + }, + "target-id": { + "title": "Finding Target Identifier Reference", + "description": "A machine-oriented identifier reference for a specific target qualified by the type.", + "$ref": "#/definitions/TokenDatatype" + }, + "title": { + "title": "Objective Status Title", + "description": "The title for this objective status.", + "type": "string" + }, + "description": { + "title": "Objective Status Description", + "description": "A human-readable description of the assessor's conclusions regarding the degree to which an objective is satisfied.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "status": { + "title": "Objective Status", + "description": "A determination of if the objective is satisfied or not within a given system.", + "type": "object", + "properties": { + "state": { + "title": "Objective Status State", + "description": "An indication as to whether the objective is satisfied or not.", + "allOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["satisfied", "not-satisfied"] } + ] + }, + "reason": { + "title": "Objective Status Reason", + "description": "The reason the objective was given it's status.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["pass", "fail", "other"] } + ] + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["state"], + "additionalProperties": false + }, + "implementation-status": { + "$ref": "#assembly_oscal-implementation-common_implementation-status" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["type", "target-id", "status"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:finding": { + "title": "Finding", + "description": "Describes an individual finding.", + "$id": "#assembly_oscal-assessment-common_finding", + "type": "object", + "properties": { + "uuid": { + "title": "Finding Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this finding in this or other OSCAL instances. The locally defined UUID of the finding can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Finding Title", + "description": "The title for this finding.", + "type": "string" + }, + "description": { + "title": "Finding Description", + "description": "A human-readable description of this finding.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "origins": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_origin" } + }, + "target": { + "$ref": "#assembly_oscal-assessment-common_finding-target" + }, + "implementation-statement-uuid": { + "title": "Implementation Statement UUID", + "description": "A machine-oriented identifier reference to the implementation statement in the SSP to which this finding is related.", + "$ref": "#/definitions/UUIDDatatype" + }, + "related-observations": { + "type": "array", + "minItems": 1, + "items": { + "title": "Related Observation", + "description": "Relates the finding to a set of referenced observations that were used to determine the finding.", + "type": "object", + "properties": { + "observation-uuid": { + "title": "Observation Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to an observation defined in the list of observations.", + "$ref": "#/definitions/UUIDDatatype" + } + }, + "required": ["observation-uuid"], + "additionalProperties": false + } + }, + "related-risks": { + "type": "array", + "minItems": 1, + "items": { + "title": "Associated Risk", + "description": "Relates the finding to a set of referenced risks that were used to determine the finding.", + "type": "object", + "properties": { + "risk-uuid": { + "title": "Risk Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to a risk defined in the list of risks.", + "$ref": "#/definitions/UUIDDatatype" + } + }, + "required": ["risk-uuid"], + "additionalProperties": false + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "title", "description", "target"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:observation": { + "title": "Observation", + "description": "Describes an individual observation.", + "$id": "#assembly_oscal-assessment-common_observation", + "type": "object", + "properties": { + "uuid": { + "title": "Observation Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this observation elsewhere in this or other OSCAL instances. The locally defined UUID of the observation can be used to reference the data item locally or globally (e.g., in an imorted OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Observation Title", + "description": "The title for this observation.", + "type": "string" + }, + "description": { + "title": "Observation Description", + "description": "A human-readable description of this assessment observation.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "methods": { + "type": "array", + "minItems": 1, + "items": { + "title": "Observation Method", + "description": "Identifies how the observation was made.", + "anyOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { "enum": ["EXAMINE", "INTERVIEW", "TEST", "UNKNOWN"] } + ] + } + }, + "types": { + "type": "array", + "minItems": 1, + "items": { + "title": "Observation Type", + "description": "Identifies the nature of the observation. More than one may be used to further qualify and enable filtering.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { + "enum": [ + "ssp-statement-issue", + "control-objective", + "mitigation", + "finding", + "historic" + ] + } + ] + } + }, + "origins": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_origin" } + }, + "subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_subject-reference" + } + }, + "relevant-evidence": { + "type": "array", + "minItems": 1, + "items": { + "title": "Relevant Evidence", + "description": "Links this observation to relevant evidence.", + "type": "object", + "properties": { + "href": { + "title": "Relevant Evidence Reference", + "description": "A resolvable URL reference to relevant evidence.", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "description": { + "title": "Relevant Evidence Description", + "description": "A human-readable description of this evidence.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["description"], + "additionalProperties": false + } + }, + "collected": { + "title": "Collected Field", + "description": "Date/time stamp identifying when the finding information was collected.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "expires": { + "title": "Expires Field", + "description": "Date/time identifying when the finding information is out-of-date and no longer valid. Typically used with continuous assessment scenarios.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "description", "methods", "collected"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:origin": { + "title": "Origin", + "description": "Identifies the source of the finding, such as a tool, interviewed person, or activity.", + "$id": "#assembly_oscal-assessment-common_origin", + "type": "object", + "properties": { + "actors": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_origin-actor" } + }, + "related-tasks": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_related-task" } + } + }, + "required": ["actors"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:origin-actor": { + "title": "Originating Actor", + "description": "The actor that produces an observation, a finding, or a risk. One or more actor type can be used to specify a person that is using a tool.", + "$id": "#assembly_oscal-assessment-common_origin-actor", + "type": "object", + "properties": { + "type": { + "title": "Actor Type", + "description": "The kind of actor.", + "allOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["tool", "assessment-platform", "party"] } + ] + }, + "actor-uuid": { + "title": "Actor Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to the tool or person based on the associated type.", + "$ref": "#/definitions/UUIDDatatype" + }, + "role-id": { + "title": "Actor Role", + "description": "For a party, this can optionally be used to specify the role the actor was performing.", + "$ref": "#/definitions/TokenDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + } + }, + "required": ["type", "actor-uuid"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:related-task": { + "title": "Task Reference", + "description": "Identifies an individual task for which the containing object is a consequence of.", + "$id": "#assembly_oscal-assessment-common_related-task", + "type": "object", + "properties": { + "task-uuid": { + "title": "Task Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to a unique task.", + "$ref": "#/definitions/UUIDDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-party" } + }, + "subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_assessment-subject" + } + }, + "identified-subject": { + "title": "Identified Subject", + "description": "Used to detail assessment subjects that were identfied by this task.", + "type": "object", + "properties": { + "subject-placeholder-uuid": { + "title": "Assessment Subject Placeholder Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to a unique assessment subject placeholder defined by this task.", + "$ref": "#/definitions/UUIDDatatype" + }, + "subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_assessment-subject" + } + } + }, + "required": ["subject-placeholder-uuid", "subjects"], + "additionalProperties": false + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["task-uuid"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:threat-id": { + "title": "Threat ID", + "description": "A pointer, by ID, to an externally-defined threat.", + "$id": "#field_oscal-assessment-common_threat-id", + "type": "object", + "properties": { + "system": { + "title": "Threat Type Identification System", + "description": "Specifies the source of the threat information.", + "anyOf": [ + { "$ref": "#/definitions/URIDatatype" }, + + { "enum": ["http://fedramp.gov", "http://fedramp.gov/ns/oscal"] } + ] + }, + "href": { + "title": "Threat Information Resource Reference", + "description": "An optional location for the threat data, from which this ID originates.", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "id": { "$ref": "#/definitions/URIDatatype" } + }, + "required": ["id", "system"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:risk": { + "title": "Identified Risk", + "description": "An identified risk.", + "$id": "#assembly_oscal-assessment-common_risk", + "type": "object", + "properties": { + "uuid": { + "title": "Risk Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this risk elsewhere in this or other OSCAL instances. The locally defined UUID of the risk can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Risk Title", + "description": "The title for this risk.", + "type": "string" + }, + "description": { + "title": "Risk Description", + "description": "A human-readable summary of the identified risk, to include a statement of how the risk impacts the system.", + "type": "string" + }, + "statement": { + "title": "Risk Statement", + "description": "An summary of impact for how the risk affects the system.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "status": { "$ref": "#field_oscal-assessment-common_risk-status" }, + "origins": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_origin" } + }, + "threat-ids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-assessment-common_threat-id" } + }, + "characterizations": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_characterization" + } + }, + "mitigating-factors": { + "type": "array", + "minItems": 1, + "items": { + "title": "Mitigating Factor", + "description": "Describes an existing mitigating factor that may affect the overall determination of the risk, with an optional link to an implementation statement in the SSP.", + "type": "object", + "properties": { + "uuid": { + "title": "Mitigating Factor Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this mitigating factor elsewhere in this or other OSCAL instances. The locally defined UUID of the mitigating factor can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "implementation-uuid": { + "title": "Implementation UUID", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this implementation statement elsewhere in this or other OSCAL instancess. The locally defined UUID of the implementation statement can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "description": { + "title": "Mitigating Factor Description", + "description": "A human-readable description of this mitigating factor.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_subject-reference" + } + } + }, + "required": ["uuid", "description"], + "additionalProperties": false + } + }, + "deadline": { + "title": "Risk Resolution Deadline", + "description": "The date/time by which the risk must be resolved.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "remediations": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_response" } + }, + "risk-log": { + "title": "Risk Log", + "description": "A log of all risk-related tasks taken.", + "type": "object", + "properties": { + "entries": { + "type": "array", + "minItems": 1, + "items": { + "title": "Risk Log Entry", + "description": "Identifies an individual risk response that occurred as part of managing an identified risk.", + "type": "object", + "properties": { + "uuid": { + "title": "Risk Log Entry Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this risk log entry elsewhere in this or other OSCAL instances. The locally defined UUID of the risk log entry can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Title", + "description": "The title for this risk log entry.", + "type": "string" + }, + "description": { + "title": "Risk Task Description", + "description": "A human-readable description of what was done regarding the risk.", + "type": "string" + }, + "start": { + "title": "Start", + "description": "Identifies the start date and time of the event.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "end": { + "title": "End", + "description": "Identifies the end date and time of the event. If the event is a point in time, the start and end will be the same date and time.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "logged-by": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_logged-by" + } + }, + "status-change": { + "$ref": "#field_oscal-assessment-common_risk-status" + }, + "related-responses": { + "type": "array", + "minItems": 1, + "items": { + "title": "Risk Response Reference", + "description": "Identifies an individual risk response that this log entry is for.", + "type": "object", + "properties": { + "response-uuid": { + "title": "Response Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to a unique risk response.", + "$ref": "#/definitions/UUIDDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-metadata_property" + } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "related-tasks": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_related-task" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["response-uuid"], + "additionalProperties": false + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "start"], + "additionalProperties": false + } + } + }, + "required": ["entries"], + "additionalProperties": false + }, + "related-observations": { + "type": "array", + "minItems": 1, + "items": { + "title": "Related Observation", + "description": "Relates the finding to a set of referenced observations that were used to determine the finding.", + "type": "object", + "properties": { + "observation-uuid": { + "title": "Observation Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to an observation defined in the list of observations.", + "$ref": "#/definitions/UUIDDatatype" + } + }, + "required": ["observation-uuid"], + "additionalProperties": false + } + } + }, + "required": ["uuid", "title", "description", "statement", "status"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:logged-by": { + "title": "Logged By", + "description": "Used to indicate who created a log entry in what role.", + "$id": "#assembly_oscal-assessment-common_logged-by", + "type": "object", + "properties": { + "party-uuid": { + "title": "Party UUID Reference", + "description": "A machine-oriented identifier reference to the party who is making the log entry.", + "$ref": "#/definitions/UUIDDatatype" + }, + "role-id": { + "title": "Actor Role", + "description": "A point to the role-id of the role in which the party is making the log entry.", + "$ref": "#/definitions/TokenDatatype" + } + }, + "required": ["party-uuid"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:risk-status": { + "title": "Risk Status", + "description": "Describes the status of the associated risk.", + "$id": "#field_oscal-assessment-common_risk-status", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { + "enum": [ + "open", + "investigating", + "remediating", + "deviation-requested", + "deviation-approved", + "closed" + ] + } + ] + }, + "oscal-complete-oscal-assessment-common:characterization": { + "title": "Characterization", + "description": "A collection of descriptive data about the containing object from a specific origin.", + "$id": "#assembly_oscal-assessment-common_characterization", + "type": "object", + "properties": { + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "origin": { "$ref": "#assembly_oscal-assessment-common_origin" }, + "facets": { + "type": "array", + "minItems": 1, + "items": { + "title": "Facet", + "description": "An individual characteristic that is part of a larger set produced by the same actor.", + "type": "object", + "properties": { + "name": { + "title": "Facet Name", + "description": "The name of the risk metric within the specified system.", + "$ref": "#/definitions/TokenDatatype" + }, + "system": { + "title": "Naming System", + "description": "Specifies the naming system under which this risk metric is organized, which allows for the same names to be used in different systems controlled by different parties. This avoids the potential of a name clash.", + "anyOf": [ + { "$ref": "#/definitions/URIDatatype" }, + + { + "enum": [ + "http://fedramp.gov", + "http://fedramp.gov/ns/oscal", + "http://csrc.nist.gov/ns/oscal", + "http://csrc.nist.gov/ns/oscal/unknown", + "http://cve.mitre.org", + "http://www.first.org/cvss/v2.0", + "http://www.first.org/cvss/v3.0", + "http://www.first.org/cvss/v3.1" + ] + } + ] + }, + "value": { + "title": "Facet Value", + "description": "Indicates the value of the facet.", + "$ref": "#/definitions/StringDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["name", "system", "value"], + "additionalProperties": false + } + } + }, + "required": ["origin", "facets"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:response": { + "title": "Risk Response", + "description": "Describes either recommended or an actual plan for addressing the risk.", + "$id": "#assembly_oscal-assessment-common_response", + "type": "object", + "properties": { + "uuid": { + "title": "Remediation Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this remediation elsewhere in this or other OSCAL instances. The locally defined UUID of the risk response can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "lifecycle": { + "title": "Remediation Intent", + "description": "Identifies whether this is a recommendation, such as from an assessor or tool, or an actual plan accepted by the system owner.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["recommendation", "planned", "completed"] } + ] + }, + "title": { + "title": "Response Title", + "description": "The title for this response activity.", + "type": "string" + }, + "description": { + "title": "Response Description", + "description": "A human-readable description of this response plan.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "origins": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_origin" } + }, + "required-assets": { + "type": "array", + "minItems": 1, + "items": { + "title": "Required Asset", + "description": "Identifies an asset required to achieve remediation.", + "type": "object", + "properties": { + "uuid": { + "title": "Required Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this required asset elsewhere in this or other OSCAL instances. The locally defined UUID of the asset can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_subject-reference" + } + }, + "title": { + "title": "Title for Required Asset", + "description": "The title for this required asset.", + "type": "string" + }, + "description": { + "title": "Description of Required Asset", + "description": "A human-readable description of this required asset.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "description"], + "additionalProperties": false + } + }, + "tasks": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_task" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "lifecycle", "title", "description"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:assessment-part": { + "title": "Assessment Part", + "description": "A partition of an assessment plan or results or a child of another part.", + "$id": "#assembly_oscal-assessment-common_assessment-part", + "type": "object", + "properties": { + "uuid": { + "title": "Part Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this part elsewhere in this or other OSCAL instances. The locally defined UUID of the part can be used to reference the data item locally or globally (e.g., in an ported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "name": { + "title": "Part Name", + "description": "A textual label that uniquely identifies the part's semantic type.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["asset", "method", "objective"] } + ] + }, + "ns": { + "title": "Part Namespace", + "description": "A namespace qualifying the part's name. This allows different organizations to associate distinct semantics with the same name.", + "$ref": "#/definitions/URIDatatype" + }, + "class": { + "title": "Part Class", + "description": "A textual label that provides a sub-type or characterization of the part's name. This can be used to further distinguish or discriminate between the semantics of multiple parts of the same control with the same name and ns.", + "$ref": "#/definitions/TokenDatatype" + }, + "title": { + "title": "Part Title", + "description": "A name given to the part, which may be used by a tool for display and navigation.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "prose": { + "title": "Part Text", + "description": "Permits multiple paragraphs, lists, tables etc.", + "type": "string" + }, + "parts": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_assessment-part" + } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + } + }, + "required": ["name"], + "additionalProperties": false + }, + "oscal-complete-oscal-ar:assessment-results": { + "title": "Security Assessment Results (SAR)", + "description": "Security assessment results, such as those provided by a FedRAMP assessor in the FedRAMP Security Assessment Report.", + "$id": "#assembly_oscal-ar_assessment-results", + "type": "object", + "properties": { + "uuid": { + "title": "Assessment Results Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment results instance in this or other OSCAL instances. The locally defined UUID of the assessment result can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "metadata": { "$ref": "#assembly_oscal-metadata_metadata" }, + "import-ap": { "$ref": "#assembly_oscal-ar_import-ap" }, + "local-definitions": { + "title": "Local Definitions", + "description": "Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP.", + "type": "object", + "properties": { + "objectives-and-methods": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_local-objective" + } + }, + "activities": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_activity" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "additionalProperties": false + }, + "results": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-ar_result" } + }, + "back-matter": { "$ref": "#assembly_oscal-metadata_back-matter" } + }, + "required": ["uuid", "metadata", "import-ap", "results"], + "additionalProperties": false + }, + "oscal-complete-oscal-ar:result": { + "title": "Assessment Result", + "description": "Used by the assessment results and POA&M. In the assessment results, this identifies all of the assessment observations and findings, initial and residual risks, deviations, and disposition. In the POA&M, this identifies initial and residual risks, deviations, and disposition.", + "$id": "#assembly_oscal-ar_result", + "type": "object", + "properties": { + "uuid": { + "title": "Results Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this set of results in this or other OSCAL instances. The locally defined UUID of the assessment result can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Results Title", + "description": "The title for this set of results.", + "type": "string" + }, + "description": { + "title": "Results Description", + "description": "A human-readable description of this set of test results.", + "type": "string" + }, + "start": { + "title": "start field", + "description": "Date/time stamp identifying the start of the evidence collection reflected in these results.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "end": { + "title": "end field", + "description": "Date/time stamp identifying the end of the evidence collection reflected in these results. In a continuous motoring scenario, this may contain the same value as start if appropriate.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "local-definitions": { + "title": "Local Definitions", + "description": "Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP.", + "type": "object", + "properties": { + "components": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_system-component" + } + }, + "inventory-items": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_inventory-item" + } + }, + "users": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_system-user" + } + }, + "assessment-assets": { + "$ref": "#assembly_oscal-assessment-common_assessment-assets" + }, + "tasks": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_task" } + } + }, + "additionalProperties": false + }, + "reviewed-controls": { + "$ref": "#assembly_oscal-assessment-common_reviewed-controls" + }, + "attestations": { + "type": "array", + "minItems": 1, + "items": { + "title": "Attestation Statements", + "description": "A set of textual statements, typically written by the assessor.", + "type": "object", + "properties": { + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-metadata_responsible-party" + } + }, + "parts": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_assessment-part" + } + } + }, + "required": ["parts"], + "additionalProperties": false + } + }, + "assessment-log": { + "title": "Assessment Log", + "description": "A log of all assessment-related actions taken.", + "type": "object", + "properties": { + "entries": { + "type": "array", + "minItems": 1, + "items": { + "title": "Assessment Log Entry", + "description": "Identifies the result of an action and/or task that occurred as part of executing an assessment plan or an assessment event that occurred in producing the assessment results.", + "type": "object", + "properties": { + "uuid": { + "title": "Assessment Log Entry Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference an assessment event in this or other OSCAL instances. The locally defined UUID of the assessment log entry can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Action Title", + "description": "The title for this event.", + "type": "string" + }, + "description": { + "title": "Action Description", + "description": "A human-readable description of this event.", + "type": "string" + }, + "start": { + "title": "Start", + "description": "Identifies the start date and time of an event.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "end": { + "title": "End", + "description": "Identifies the end date and time of an event. If the event is a point in time, the start and end will be the same date and time.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "logged-by": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_logged-by" + } + }, + "related-tasks": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_related-task" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "start"], + "additionalProperties": false + } + } + }, + "required": ["entries"], + "additionalProperties": false + }, + "observations": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_observation" } + }, + "risks": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_risk" } + }, + "findings": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_finding" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": [ + "uuid", + "title", + "description", + "start", + "reviewed-controls" + ], + "additionalProperties": false + }, + "oscal-complete-oscal-ar:import-ap": { + "title": "Import Assessment Plan", + "description": "Used by assessment-results to import information about the original plan for assessing the system.", + "$id": "#assembly_oscal-ar_import-ap", + "type": "object", + "properties": { + "href": { + "title": "Assessment Plan Reference", + "description": "A resolvable URL reference to the assessment plan governing the assessment activities.", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["href"], + "additionalProperties": false + }, + "oscal-complete-oscal-poam:plan-of-action-and-milestones": { + "title": "Plan of Action and Milestones (POA&M)", + "description": "A plan of action and milestones which identifies initial and residual risks, deviations, and disposition, such as those required by FedRAMP.", + "$id": "#assembly_oscal-poam_plan-of-action-and-milestones", + "type": "object", + "properties": { + "uuid": { + "title": "POA&M Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with instancescope that can be used to reference this POA&M instance in this OSCAL instance. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "metadata": { "$ref": "#assembly_oscal-metadata_metadata" }, + "import-ssp": { + "$ref": "#assembly_oscal-assessment-common_import-ssp" + }, + "system-id": { "$ref": "#field_oscal-implementation-common_system-id" }, + "local-definitions": { + "$ref": "#assembly_oscal-poam_local-definitions" + }, + "observations": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_observation" } + }, + "risks": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_risk" } + }, + "findings": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_finding" } + }, + "poam-items": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-poam_poam-item" } + }, + "back-matter": { "$ref": "#assembly_oscal-metadata_back-matter" } + }, + "required": ["uuid", "metadata", "poam-items"], + "additionalProperties": false + }, + "oscal-complete-oscal-poam:local-definitions": { + "title": "Local Definitions", + "description": "Allows components, and inventory-items to be defined within the POA&M for circumstances where no OSCAL-based SSP exists, or is not delivered with the POA&M.", + "$id": "#assembly_oscal-poam_local-definitions", + "type": "object", + "properties": { + "components": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_system-component" + } + }, + "inventory-items": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_inventory-item" + } + }, + "assessment-assets": { + "$ref": "#assembly_oscal-assessment-common_assessment-assets" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "additionalProperties": false + }, + "oscal-complete-oscal-poam:poam-item": { + "title": "POA&M Item", + "description": "Describes an individual POA&M item.", + "$id": "#assembly_oscal-poam_poam-item", + "type": "object", + "properties": { + "uuid": { + "title": "POA&M Item Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with instance scope that can be used to reference this POA&M item entry in this OSCAL instance. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "POA&M Item Title", + "description": "The title or name for this POA&M item .", + "type": "string" + }, + "description": { + "title": "POA&M Item Description", + "description": "A human-readable description of POA&M item.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "origins": { + "type": "array", + "minItems": 1, + "items": { + "title": "Origin", + "description": "Identifies the source of the finding, such as a tool or person.", + "type": "object", + "properties": { + "actors": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_origin-actor" + } + } + }, + "required": ["actors"], + "additionalProperties": false + } + }, + "related-findings": { + "type": "array", + "minItems": 1, + "items": { + "title": "Related Finding", + "description": "Relates the poam-item to referenced finding(s).", + "type": "object", + "properties": { + "finding-uuid": { + "title": "Finding Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to a finding defined in the list of findings.", + "$ref": "#/definitions/UUIDDatatype" + } + }, + "required": ["finding-uuid"], + "additionalProperties": false + } + }, + "related-observations": { + "type": "array", + "minItems": 1, + "items": { + "title": "Related Observation", + "description": "Relates the poam-item to a set of referenced observations that were used to determine the finding.", + "type": "object", + "properties": { + "observation-uuid": { + "title": "Observation Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to an observation defined in the list of observations.", + "$ref": "#/definitions/UUIDDatatype" + } + }, + "required": ["observation-uuid"], + "additionalProperties": false + } + }, + "related-risks": { + "type": "array", + "minItems": 1, + "items": { + "title": "Associated Risk", + "description": "Relates the finding to a set of referenced risks that were used to determine the finding.", + "type": "object", + "properties": { + "risk-uuid": { + "title": "Risk Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to a risk defined in the list of risks.", + "$ref": "#/definitions/UUIDDatatype" + } + }, + "required": ["risk-uuid"], + "additionalProperties": false + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["title", "description"], + "additionalProperties": false + }, + "Base64Datatype": { + "description": "Binary data encoded using the Base 64 encoding algorithm as defined by RFC4648.", + "type": "string", + "pattern": "^[0-9A-Za-z+/]+={0,2}$", + "contentEncoding": "base64" + }, + "BooleanDatatype": { + "description": "A binary value that is either: true or false.", + "type": "boolean" + }, + "DateDatatype": { + "description": "A string representing a 24-hour period with an optional timezone.", + "type": "string", + "pattern": "^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))(Z|[+-][0-9]{2}:[0-9]{2})?$" + }, + "DateTimeWithTimezoneDatatype": { + "description": "A string representing a point in time with a required timezone.", + "type": "string", + "format": "date-time", + "pattern": "^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|(-((0[0-9]|1[0-2]):00|0[39]:30)|\\+((0[0-9]|1[0-4]):00|(0[34569]|10):30|(0[58]|12):45)))$" + }, + "EmailAddressDatatype": { + "description": "An email address string formatted according to RFC 6531.", + "allOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { "type": "string", "format": "email", "pattern": "^.+@.+$" } + ] + }, + "IntegerDatatype": { + "description": "A whole number value.", + "type": "integer" + }, + "NonNegativeIntegerDatatype": { + "description": "An integer value that is equal to or greater than 0.", + "allOf": [ + { "$ref": "#/definitions/IntegerDatatype" }, + + { "type": "number", "minimum": 0 } + ] + }, + "PositiveIntegerDatatype": { + "description": "An integer value that is greater than 0.", + "allOf": [ + { "$ref": "#/definitions/IntegerDatatype" }, + + { "type": "number", "minimum": 1 } + ] + }, + "StringDatatype": { + "description": "A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, U+10, U+32 or [ \n\t]+", + "type": "string", + "pattern": "^\\S(.*\\S)?$" + }, + "TokenDatatype": { + "description": "A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. https://www.w3.org/TR/xmlschema11-2/#NCName.", + "type": "string", + "pattern": "^(\\p{L}|_)(\\p{L}|\\p{N}|[.\\-_])*$" + }, + "URIDatatype": { + "description": "A universal resource identifier (URI) formatted according to RFC3986.", + "type": "string", + "format": "uri", + "pattern": "^[a-zA-Z][a-zA-Z0-9+\\-.]+:.+$" + }, + "URIReferenceDatatype": { + "description": "A URI Reference, either a URI or a relative-reference, formatted according to section 4.1 of RFC3986.", + "type": "string", + "format": "uri-reference" + }, + "UUIDDatatype": { + "description": "A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + } + }, + "oneOf": [ + { + "properties": { + "$schema": { "$ref": "#json-schema-directive" }, + "catalog": { "$ref": "#assembly_oscal-catalog_catalog" } + }, + "required": ["catalog"], + "additionalProperties": false + }, + + { + "properties": { + "$schema": { "$ref": "#json-schema-directive" }, + "profile": { "$ref": "#assembly_oscal-profile_profile" } + }, + "required": ["profile"], + "additionalProperties": false + }, + + { + "properties": { + "$schema": { "$ref": "#json-schema-directive" }, + "component-definition": { + "$ref": "#assembly_oscal-component-definition_component-definition" + } + }, + "required": ["component-definition"], + "additionalProperties": false + }, + + { + "properties": { + "$schema": { "$ref": "#json-schema-directive" }, + "system-security-plan": { + "$ref": "#assembly_oscal-ssp_system-security-plan" + } + }, + "required": ["system-security-plan"], + "additionalProperties": false + }, + + { + "properties": { + "$schema": { "$ref": "#json-schema-directive" }, + "assessment-plan": { "$ref": "#assembly_oscal-ap_assessment-plan" } + }, + "required": ["assessment-plan"], + "additionalProperties": false + }, + + { + "properties": { + "$schema": { "$ref": "#json-schema-directive" }, + "assessment-results": { + "$ref": "#assembly_oscal-ar_assessment-results" + } + }, + "required": ["assessment-results"], + "additionalProperties": false + }, + + { + "properties": { + "$schema": { "$ref": "#json-schema-directive" }, + "plan-of-action-and-milestones": { + "$ref": "#assembly_oscal-poam_plan-of-action-and-milestones" + } + }, + "required": ["plan-of-action-and-milestones"], + "additionalProperties": false + } + ] +} diff --git a/roscal_lib/jsonschema/previous_unified/loc b/roscal_lib/jsonschema/previous_unified/loc new file mode 100644 index 0000000..136c871 --- /dev/null +++ b/roscal_lib/jsonschema/previous_unified/loc @@ -0,0 +1 @@ +https://github.com/usnistgov/OSCAL/releases/download/v1.1.1/oscal_complete_schema.json \ No newline at end of file diff --git a/roscal_lib/jsonschema/tracking_latest_models/oscal_assessment-plan_schema.json b/roscal_lib/jsonschema/tracking_latest_models/oscal_assessment-plan_schema.json new file mode 100644 index 0000000..ddcb405 --- /dev/null +++ b/roscal_lib/jsonschema/tracking_latest_models/oscal_assessment-plan_schema.json @@ -0,0 +1,3310 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "http://csrc.nist.gov/ns/oscal/1.1.2/oscal-ap-schema.json", + "$comment": "OSCAL Assessment Plan Model: JSON Schema", + "type": "object", + "definitions": { + "json-schema-directive": { + "title": "Schema Directive", + "description": "A JSON Schema directive to bind a specific schema to its document instance.", + "$id": "#json-schema-directive", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "oscal-ap-oscal-ap:assessment-plan": { + "title": "Security Assessment Plan (SAP)", + "description": "An assessment plan, such as those provided by a FedRAMP assessor.", + "$id": "#assembly_oscal-ap_assessment-plan", + "type": "object", + "properties": { + "uuid": { + "title": "Assessment Plan Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment plan in this or other OSCAL instances. The locally defined UUID of the assessment plan can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "metadata": { "$ref": "#assembly_oscal-metadata_metadata" }, + "import-ssp": { + "$ref": "#assembly_oscal-assessment-common_import-ssp" + }, + "local-definitions": { + "title": "Local Definitions", + "description": "Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP.", + "type": "object", + "properties": { + "components": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_system-component" + } + }, + "inventory-items": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_inventory-item" + } + }, + "users": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_system-user" + } + }, + "objectives-and-methods": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_local-objective" + } + }, + "activities": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_activity" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "additionalProperties": false + }, + "terms-and-conditions": { + "title": "Assessment Plan Terms and Conditions", + "description": "Used to define various terms and conditions under which an assessment, described by the plan, can be performed. Each child part defines a different type of term or condition.", + "type": "object", + "properties": { + "parts": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_assessment-part" + } + } + }, + "additionalProperties": false + }, + "reviewed-controls": { + "$ref": "#assembly_oscal-assessment-common_reviewed-controls" + }, + "assessment-subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_assessment-subject" + } + }, + "assessment-assets": { + "$ref": "#assembly_oscal-assessment-common_assessment-assets" + }, + "tasks": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_task" } + }, + "back-matter": { "$ref": "#assembly_oscal-metadata_back-matter" } + }, + "required": ["uuid", "metadata", "import-ssp", "reviewed-controls"], + "additionalProperties": false + }, + "oscal-ap-oscal-metadata:metadata": { + "title": "Document Metadata", + "description": "Provides information about the containing document, and defines concepts that are shared across the document.", + "$id": "#assembly_oscal-metadata_metadata", + "type": "object", + "properties": { + "title": { + "title": "Document Title", + "description": "A name given to the document, which may be used by a tool for display and navigation.", + "type": "string" + }, + "published": { "$ref": "#field_oscal-metadata_published" }, + "last-modified": { "$ref": "#field_oscal-metadata_last-modified" }, + "version": { "$ref": "#field_oscal-metadata_version" }, + "oscal-version": { "$ref": "#field_oscal-metadata_oscal-version" }, + "revisions": { + "type": "array", + "minItems": 1, + "items": { + "title": "Revision History Entry", + "description": "An entry in a sequential list of revisions to the containing document, expected to be in reverse chronological order (i.e. latest first).", + "type": "object", + "properties": { + "title": { + "title": "Document Title", + "description": "A name given to the document revision, which may be used by a tool for display and navigation.", + "type": "string" + }, + "published": { "$ref": "#field_oscal-metadata_published" }, + "last-modified": { + "$ref": "#field_oscal-metadata_last-modified" + }, + "version": { "$ref": "#field_oscal-metadata_version" }, + "oscal-version": { + "$ref": "#field_oscal-metadata_oscal-version" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["version"], + "additionalProperties": false + } + }, + "document-ids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_document-id" } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "roles": { + "type": "array", + "minItems": 1, + "items": { + "title": "Role", + "description": "Defines a function, which might be assigned to a party in a specific situation.", + "type": "object", + "properties": { + "id": { + "title": "Role Identifier", + "description": "A unique identifier for the role.", + "$ref": "#/definitions/TokenDatatype" + }, + "title": { + "title": "Role Title", + "description": "A name given to the role, which may be used by a tool for display and navigation.", + "type": "string" + }, + "short-name": { + "title": "Role Short Name", + "description": "A short common name, abbreviation, or acronym for the role.", + "$ref": "#/definitions/StringDatatype" + }, + "description": { + "title": "Role Description", + "description": "A summary of the role's purpose and associated responsibilities.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["id", "title"], + "additionalProperties": false + } + }, + "locations": { + "type": "array", + "minItems": 1, + "items": { + "title": "Location", + "description": "A physical point of presence, which may be associated with people, organizations, or other concepts within the current or linked OSCAL document.", + "type": "object", + "properties": { + "uuid": { + "title": "Location Universally Unique Identifier", + "description": "A unique ID for the location, for reference.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Location Title", + "description": "A name given to the location, which may be used by a tool for display and navigation.", + "type": "string" + }, + "address": { "$ref": "#assembly_oscal-metadata_address" }, + "email-addresses": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_email-address" } + }, + "telephone-numbers": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_telephone-number" } + }, + "urls": { + "type": "array", + "minItems": 1, + "items": { + "title": "Location URL", + "description": "The uniform resource locator (URL) for a web site or other resource associated with the location.", + "$ref": "#/definitions/URIDatatype" + } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid"], + "additionalProperties": false + } + }, + "parties": { + "type": "array", + "minItems": 1, + "items": { + "title": "Party", + "description": "An organization or person, which may be associated with roles or other concepts within the current or linked OSCAL document.", + "type": "object", + "properties": { + "uuid": { + "title": "Party Universally Unique Identifier", + "description": "A unique identifier for the party.", + "$ref": "#/definitions/UUIDDatatype" + }, + "type": { + "title": "Party Type", + "description": "A category describing the kind of party the object describes.", + "allOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { "enum": ["person", "organization"] } + ] + }, + "name": { + "title": "Party Name", + "description": "The full name of the party. This is typically the legal name associated with the party.", + "$ref": "#/definitions/StringDatatype" + }, + "short-name": { + "title": "Party Short Name", + "description": "A short common name, abbreviation, or acronym for the party.", + "$ref": "#/definitions/StringDatatype" + }, + "external-ids": { + "type": "array", + "minItems": 1, + "items": { + "title": "Party External Identifier", + "description": "An identifier for a person or organization using a designated scheme. e.g. an Open Researcher and Contributor ID (ORCID).", + "type": "object", + "properties": { + "scheme": { + "title": "External Identifier Schema", + "description": "Indicates the type of external identifier.", + "anyOf": [ + { "$ref": "#/definitions/URIDatatype" }, + + { "enum": ["http://orcid.org/"] } + ] + }, + "id": { "$ref": "#/definitions/StringDatatype" } + }, + "required": ["id", "scheme"], + "additionalProperties": false + } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "email-addresses": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_email-address" } + }, + "telephone-numbers": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_telephone-number" } + }, + "addresses": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_address" } + }, + "location-uuids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_location-uuid" } + }, + "member-of-organizations": { + "type": "array", + "minItems": 1, + "items": { + "title": "Organizational Affiliation", + "description": "A reference to another party by UUID, typically an organization, that this subject is associated with.", + "$ref": "#/definitions/UUIDDatatype" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "type"], + "additionalProperties": false + } + }, + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-party" } + }, + "actions": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_action" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["title", "last-modified", "version", "oscal-version"], + "additionalProperties": false + }, + "oscal-ap-oscal-metadata:location-uuid": { + "title": "Location Universally Unique Identifier Reference", + "description": "Reference to a location by UUID.", + "$id": "#field_oscal-metadata_location-uuid", + "$ref": "#/definitions/UUIDDatatype" + }, + "oscal-ap-oscal-metadata:party-uuid": { + "title": "Party Universally Unique Identifier Reference", + "description": "Reference to a party by UUID.", + "$id": "#field_oscal-metadata_party-uuid", + "$ref": "#/definitions/UUIDDatatype" + }, + "oscal-ap-oscal-metadata:role-id": { + "title": "Role Identifier Reference", + "description": "Reference to a role by UUID.", + "$id": "#field_oscal-metadata_role-id", + "$ref": "#/definitions/TokenDatatype" + }, + "oscal-ap-oscal-metadata:back-matter": { + "title": "Back matter", + "description": "A collection of resources that may be referenced from within the OSCAL document instance.", + "$id": "#assembly_oscal-metadata_back-matter", + "type": "object", + "properties": { + "resources": { + "type": "array", + "minItems": 1, + "items": { + "title": "Resource", + "description": "A resource associated with content in the containing document instance. A resource may be directly included in the document using base64 encoding or may point to one or more equivalent internet resources.", + "type": "object", + "properties": { + "uuid": { + "title": "Resource Universally Unique Identifier", + "description": "A unique identifier for a resource.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Resource Title", + "description": "An optional name given to the resource, which may be used by a tool for display and navigation.", + "type": "string" + }, + "description": { + "title": "Resource Description", + "description": "An optional short summary of the resource used to indicate the purpose of the resource.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "document-ids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_document-id" } + }, + "citation": { + "title": "Citation", + "description": "An optional citation consisting of end note text using structured markup.", + "type": "object", + "properties": { + "text": { + "title": "Citation Text", + "description": "A line of citation text.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + } + }, + "required": ["text"], + "additionalProperties": false + }, + "rlinks": { + "type": "array", + "minItems": 1, + "items": { + "title": "Resource link", + "description": "A URL-based pointer to an external resource with an optional hash for verification and change detection.", + "type": "object", + "properties": { + "href": { + "title": "Hypertext Reference", + "description": "A resolvable URL pointing to the referenced resource.", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "media-type": { + "title": "Media Type", + "description": "A label that indicates the nature of a resource, as a data serialization or format.", + "$ref": "#/definitions/StringDatatype" + }, + "hashes": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_hash" } + } + }, + "required": ["href"], + "additionalProperties": false + } + }, + "base64": { + "title": "Base64", + "description": "A resource encoded using the Base64 alphabet defined by RFC 2045.", + "type": "object", + "properties": { + "filename": { + "title": "File Name", + "description": "Name of the file before it was encoded as Base64 to be embedded in a resource. This is the name that will be assigned to the file when the file is decoded.", + "$ref": "#/definitions/TokenDatatype" + }, + "media-type": { + "title": "Media Type", + "description": "A label that indicates the nature of a resource, as a data serialization or format.", + "$ref": "#/definitions/StringDatatype" + }, + "value": { "$ref": "#/definitions/Base64Datatype" } + }, + "required": ["value"], + "additionalProperties": false + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid"], + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "oscal-ap-oscal-metadata:property": { + "title": "Property", + "description": "An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.", + "$id": "#assembly_oscal-metadata_property", + "type": "object", + "properties": { + "name": { + "title": "Property Name", + "description": "A textual label, within a namespace, that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.", + "$ref": "#/definitions/TokenDatatype" + }, + "uuid": { + "title": "Property Universally Unique Identifier", + "description": "A unique identifier for a property.", + "$ref": "#/definitions/UUIDDatatype" + }, + "ns": { + "title": "Property Namespace", + "description": "A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.", + "$ref": "#/definitions/URIDatatype" + }, + "value": { + "title": "Property Value", + "description": "Indicates the value of the attribute, characteristic, or quality.", + "$ref": "#/definitions/StringDatatype" + }, + "class": { + "title": "Property Class", + "description": "A textual label that provides a sub-type or characterization of the property's name.", + "$ref": "#/definitions/TokenDatatype" + }, + "group": { + "title": "Property Group", + "description": "An identifier for relating distinct sets of properties.", + "$ref": "#/definitions/TokenDatatype" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["name", "value"], + "additionalProperties": false + }, + "oscal-ap-oscal-metadata:link": { + "title": "Link", + "description": "A reference to a local or remote resource, that has a specific relation to the containing object.", + "$id": "#assembly_oscal-metadata_link", + "type": "object", + "properties": { + "href": { + "title": "Hypertext Reference", + "description": "A resolvable URL reference to a resource.", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "rel": { + "title": "Link Relation Type", + "description": "Describes the type of relationship provided by the link's hypertext reference. This can be an indicator of the link's purpose.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["reference"] } + ] + }, + "media-type": { + "title": "Media Type", + "description": "A label that indicates the nature of a resource, as a data serialization or format.", + "$ref": "#/definitions/StringDatatype" + }, + "resource-fragment": { + "title": "Resource Fragment", + "description": "In case where the href points to a back-matter/resource, this value will indicate the URI fragment to append to any rlink associated with the resource. This value MUST be URI encoded.", + "$ref": "#/definitions/StringDatatype" + }, + "text": { + "title": "Link Text", + "description": "A textual label to associate with the link, which may be used for presentation in a tool.", + "type": "string" + } + }, + "required": ["href"], + "additionalProperties": false + }, + "oscal-ap-oscal-metadata:responsible-party": { + "title": "Responsible Party", + "description": "A reference to a set of persons and/or organizations that have responsibility for performing the referenced role in the context of the containing object.", + "$id": "#assembly_oscal-metadata_responsible-party", + "type": "object", + "properties": { + "role-id": { + "title": "Responsible Role", + "description": "A reference to a role performed by a party.", + "$ref": "#/definitions/TokenDatatype" + }, + "party-uuids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_party-uuid" } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["role-id", "party-uuids"], + "additionalProperties": false + }, + "oscal-ap-oscal-metadata:action": { + "title": "Action", + "description": "An action applied by a role within a given party to the content.", + "$id": "#assembly_oscal-metadata_action", + "type": "object", + "properties": { + "uuid": { + "title": "Action Universally Unique Identifier", + "description": "A unique identifier that can be used to reference this defined action elsewhere in an OSCAL document. A UUID should be consistently used for a given location across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "date": { + "title": "Action Occurrence Date", + "description": "The date and time when the action occurred.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "type": { + "title": "Action Type", + "description": "The type of action documented by the assembly, such as an approval.", + "$ref": "#/definitions/TokenDatatype" + }, + "system": { + "title": "Action Type System", + "description": "Specifies the action type system used.", + "$ref": "#/definitions/URIDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-party" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "type", "system"], + "additionalProperties": false + }, + "oscal-ap-oscal-metadata:responsible-role": { + "title": "Responsible Role", + "description": "A reference to a role with responsibility for performing a function relative to the containing object, optionally associated with a set of persons and/or organizations that perform that role.", + "$id": "#assembly_oscal-metadata_responsible-role", + "type": "object", + "properties": { + "role-id": { + "title": "Responsible Role ID", + "description": "A human-oriented identifier reference to a role performed.", + "$ref": "#/definitions/TokenDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "party-uuids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_party-uuid" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["role-id"], + "additionalProperties": false + }, + "oscal-ap-oscal-metadata:hash": { + "title": "Hash", + "description": "A representation of a cryptographic digest generated over a resource using a specified hash algorithm.", + "$id": "#field_oscal-metadata_hash", + "type": "object", + "properties": { + "algorithm": { + "title": "Hash algorithm", + "description": "The digest method by which a hash is derived.", + "anyOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { + "enum": [ + "SHA-224", + "SHA-256", + "SHA-384", + "SHA-512", + "SHA3-224", + "SHA3-256", + "SHA3-384", + "SHA3-512" + ] + } + ] + }, + "value": { "$ref": "#/definitions/StringDatatype" } + }, + "required": ["value", "algorithm"], + "additionalProperties": false + }, + "oscal-ap-oscal-metadata:remarks": { + "title": "Remarks", + "description": "Additional commentary about the containing object.", + "$id": "#field_oscal-metadata_remarks", + "type": "string" + }, + "oscal-ap-oscal-metadata:published": { + "title": "Publication Timestamp", + "description": "The date and time the document was last made available.", + "$id": "#field_oscal-metadata_published", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "oscal-ap-oscal-metadata:last-modified": { + "title": "Last Modified Timestamp", + "description": "The date and time the document was last stored for later retrieval.", + "$id": "#field_oscal-metadata_last-modified", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "oscal-ap-oscal-metadata:version": { + "title": "Document Version", + "description": "Used to distinguish a specific revision of an OSCAL document from other previous and future versions.", + "$id": "#field_oscal-metadata_version", + "$ref": "#/definitions/StringDatatype" + }, + "oscal-ap-oscal-metadata:oscal-version": { + "title": "OSCAL Version", + "description": "The OSCAL model version the document was authored against and will conform to as valid.", + "$id": "#field_oscal-metadata_oscal-version", + "$ref": "#/definitions/StringDatatype" + }, + "oscal-ap-oscal-metadata:email-address": { + "title": "Email Address", + "description": "An email address as defined by RFC 5322 Section 3.4.1.", + "$id": "#field_oscal-metadata_email-address", + "$ref": "#/definitions/EmailAddressDatatype" + }, + "oscal-ap-oscal-metadata:telephone-number": { + "title": "Telephone Number", + "description": "A telephone service number as defined by ITU-T E.164.", + "$id": "#field_oscal-metadata_telephone-number", + "type": "object", + "properties": { + "type": { + "title": "type flag", + "description": "Indicates the type of phone number.", + "anyOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { "enum": ["home", "office", "mobile"] } + ] + }, + "number": { "$ref": "#/definitions/StringDatatype" } + }, + "required": ["number"], + "additionalProperties": false + }, + "oscal-ap-oscal-metadata:address": { + "title": "Address", + "description": "A postal address for the location.", + "$id": "#assembly_oscal-metadata_address", + "type": "object", + "properties": { + "type": { + "title": "Address Type", + "description": "Indicates the type of address.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["home", "work"] } + ] + }, + "addr-lines": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_addr-line" } + }, + "city": { + "title": "City", + "description": "City, town or geographical region for the mailing address.", + "$ref": "#/definitions/StringDatatype" + }, + "state": { + "title": "State", + "description": "State, province or analogous geographical region for a mailing address.", + "$ref": "#/definitions/StringDatatype" + }, + "postal-code": { + "title": "Postal Code", + "description": "Postal or ZIP code for mailing address.", + "$ref": "#/definitions/StringDatatype" + }, + "country": { + "title": "Country Code", + "description": "The ISO 3166-1 alpha-2 country code for the mailing address.", + "$ref": "#/definitions/StringDatatype" + } + }, + "additionalProperties": false + }, + "oscal-ap-oscal-metadata:addr-line": { + "title": "Address line", + "description": "A single line of an address.", + "$id": "#field_oscal-metadata_addr-line", + "$ref": "#/definitions/StringDatatype" + }, + "oscal-ap-oscal-metadata:document-id": { + "title": "Document Identifier", + "description": "A document identifier qualified by an identifier scheme.", + "$id": "#field_oscal-metadata_document-id", + "type": "object", + "properties": { + "scheme": { + "title": "Document Identification Scheme", + "description": "Qualifies the kind of document identifier using a URI. If the scheme is not provided the value of the element will be interpreted as a string of characters.", + "anyOf": [ + { "$ref": "#/definitions/URIDatatype" }, + + { "enum": ["http://www.doi.org/"] } + ] + }, + "identifier": { "$ref": "#/definitions/StringDatatype" } + }, + "required": ["identifier"], + "additionalProperties": false + }, + "oscal-ap-oscal-assessment-common:import-ssp": { + "title": "Import System Security Plan", + "description": "Used by the assessment plan and POA&M to import information about the system.", + "$id": "#assembly_oscal-assessment-common_import-ssp", + "type": "object", + "properties": { + "href": { + "title": "System Security Plan Reference", + "description": "A resolvable URL reference to the system security plan for the system being assessed.", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["href"], + "additionalProperties": false + }, + "oscal-ap-oscal-assessment-common:local-objective": { + "title": "Assessment-Specific Control Objective", + "description": "A local definition of a control objective for this assessment. Uses catalog syntax for control objective and assessment actions.", + "$id": "#assembly_oscal-assessment-common_local-objective", + "type": "object", + "properties": { + "control-id": { + "title": "Control Identifier Reference", + "description": "A reference to a control with a corresponding id value. When referencing an externally defined control, the Control Identifier Reference must be used in the context of the external / imported OSCAL instance (e.g., uri-reference).", + "$ref": "#/definitions/TokenDatatype" + }, + "description": { + "title": "Objective Description", + "description": "A human-readable description of this control objective.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "parts": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-control-common_part" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["control-id", "parts"], + "additionalProperties": false + }, + "oscal-ap-oscal-assessment-common:assessment-method": { + "title": "Assessment Method", + "description": "A local definition of a control objective. Uses catalog syntax for control objective and assessment activities.", + "$id": "#assembly_oscal-assessment-common_assessment-method", + "type": "object", + "properties": { + "uuid": { + "title": "Assessment Method Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment method elsewhere in this or other OSCAL instances. The locally defined UUID of the assessment method can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "description": { + "title": "Assessment Method Description", + "description": "A human-readable description of this assessment method.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "part": { "$ref": "#assembly_oscal-assessment-common_assessment-part" }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "part"], + "additionalProperties": false + }, + "oscal-ap-oscal-assessment-common:activity": { + "title": "Activity", + "description": "Identifies an assessment or related process that can be performed. In the assessment plan, this is an intended activity which may be associated with an assessment task. In the assessment results, this an activity that was actually performed as part of an assessment.", + "$id": "#assembly_oscal-assessment-common_activity", + "type": "object", + "properties": { + "uuid": { + "title": "Assessment Activity Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment activity elsewhere in this or other OSCAL instances. The locally defined UUID of the activity can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Included Activity Title", + "description": "The title for this included activity.", + "type": "string" + }, + "description": { + "title": "Included Activity Description", + "description": "A human-readable description of this included activity.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "steps": { + "type": "array", + "minItems": 1, + "items": { + "title": "Step", + "description": "Identifies an individual step in a series of steps related to an activity, such as an assessment test or examination procedure.", + "type": "object", + "properties": { + "uuid": { + "title": "Step Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this step elsewhere in this or other OSCAL instances. The locally defined UUID of the step (in a series of steps) can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Step Title", + "description": "The title for this step.", + "type": "string" + }, + "description": { + "title": "Step Description", + "description": "A human-readable description of this step.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "reviewed-controls": { + "$ref": "#assembly_oscal-assessment-common_reviewed-controls" + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "description"], + "additionalProperties": false + } + }, + "related-controls": { + "$ref": "#assembly_oscal-assessment-common_reviewed-controls" + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "description"], + "additionalProperties": false + }, + "oscal-ap-oscal-assessment-common:task": { + "title": "Task", + "description": "Represents a scheduled event or milestone, which may be associated with a series of assessment actions.", + "$id": "#assembly_oscal-assessment-common_task", + "type": "object", + "properties": { + "uuid": { + "title": "Task Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this task elsewhere in this or other OSCAL instances. The locally defined UUID of the task can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "type": { + "title": "Task Type", + "description": "The type of task.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["milestone", "action"] } + ] + }, + "title": { + "title": "Task Title", + "description": "The title for this task.", + "type": "string" + }, + "description": { + "title": "Task Description", + "description": "A human-readable description of this task.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "timing": { + "title": "Event Timing", + "description": "The timing under which the task is intended to occur.", + "type": "object", + "properties": { + "on-date": { + "title": "On Date Condition", + "description": "The task is intended to occur on the specified date.", + "type": "object", + "properties": { + "date": { + "title": "On Date Condition", + "description": "The task must occur on the specified date.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + } + }, + "required": ["date"], + "additionalProperties": false + }, + "within-date-range": { + "title": "On Date Range Condition", + "description": "The task is intended to occur within the specified date range.", + "type": "object", + "properties": { + "start": { + "title": "Start Date Condition", + "description": "The task must occur on or after the specified date.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "end": { + "title": "End Date Condition", + "description": "The task must occur on or before the specified date.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + } + }, + "required": ["start", "end"], + "additionalProperties": false + }, + "at-frequency": { + "title": "Frequency Condition", + "description": "The task is intended to occur at the specified frequency.", + "type": "object", + "properties": { + "period": { + "title": "Period", + "description": "The task must occur after the specified period has elapsed.", + "$ref": "#/definitions/PositiveIntegerDatatype" + }, + "unit": { + "title": "Time Unit", + "description": "The unit of time for the period.", + "allOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { + "enum": [ + "seconds", + "minutes", + "hours", + "days", + "months", + "years" + ] + } + ] + } + }, + "required": ["period", "unit"], + "additionalProperties": false + } + }, + "additionalProperties": false + }, + "dependencies": { + "type": "array", + "minItems": 1, + "items": { + "title": "Task Dependency", + "description": "Used to indicate that a task is dependent on another task.", + "type": "object", + "properties": { + "task-uuid": { + "title": "Task Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to a unique task.", + "$ref": "#/definitions/UUIDDatatype" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["task-uuid"], + "additionalProperties": false + } + }, + "tasks": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_task" } + }, + "associated-activities": { + "type": "array", + "minItems": 1, + "items": { + "title": "Associated Activity", + "description": "Identifies an individual activity to be performed as part of a task.", + "type": "object", + "properties": { + "activity-uuid": { + "title": "Activity Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to an activity defined in the list of activities.", + "$ref": "#/definitions/UUIDDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_assessment-subject" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["activity-uuid", "subjects"], + "additionalProperties": false + } + }, + "subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_assessment-subject" + } + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "type", "title"], + "additionalProperties": false + }, + "oscal-ap-oscal-assessment-common:reviewed-controls": { + "title": "Reviewed Controls and Control Objectives", + "description": "Identifies the controls being assessed and their control objectives.", + "$id": "#assembly_oscal-assessment-common_reviewed-controls", + "type": "object", + "properties": { + "description": { + "title": "Control Objective Description", + "description": "A human-readable description of control objectives.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "control-selections": { + "type": "array", + "minItems": 1, + "items": { + "title": "Assessed Controls", + "description": "Identifies the controls being assessed. In the assessment plan, these are the planned controls. In the assessment results, these are the actual controls, and reflects any changes from the plan.", + "type": "object", + "properties": { + "description": { + "title": "Assessed Controls Description", + "description": "A human-readable description of in-scope controls specified for assessment.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "include-all": { + "$ref": "#assembly_oscal-control-common_include-all" + }, + "include-controls": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_select-control-by-id" + } + }, + "exclude-controls": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_select-control-by-id" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "additionalProperties": false + } + }, + "control-objective-selections": { + "type": "array", + "minItems": 1, + "items": { + "title": "Referenced Control Objectives", + "description": "Identifies the control objectives of the assessment. In the assessment plan, these are the planned objectives. In the assessment results, these are the assessed objectives, and reflects any changes from the plan.", + "type": "object", + "properties": { + "description": { + "title": "Control Objectives Description", + "description": "A human-readable description of this collection of control objectives.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "include-all": { + "$ref": "#assembly_oscal-control-common_include-all" + }, + "include-objectives": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_select-objective-by-id" + } + }, + "exclude-objectives": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_select-objective-by-id" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "additionalProperties": false + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["control-selections"], + "additionalProperties": false + }, + "oscal-ap-oscal-assessment-common:select-control-by-id": { + "title": "Select Control", + "description": "Used to select a control for inclusion/exclusion based on one or more control identifiers. A set of statement identifiers can be used to target the inclusion/exclusion to only specific control statements providing more granularity over the specific statements that are within the asessment scope.", + "$id": "#assembly_oscal-assessment-common_select-control-by-id", + "type": "object", + "properties": { + "control-id": { + "title": "Control Identifier Reference", + "description": "A reference to a control with a corresponding id value. When referencing an externally defined control, the Control Identifier Reference must be used in the context of the external / imported OSCAL instance (e.g., uri-reference).", + "$ref": "#/definitions/TokenDatatype" + }, + "statement-ids": { + "type": "array", + "minItems": 1, + "items": { + "title": "Include Specific Statements", + "description": "Used to constrain the selection to only specificity identified statements.", + "$ref": "#/definitions/TokenDatatype" + } + } + }, + "required": ["control-id"], + "additionalProperties": false + }, + "oscal-ap-oscal-assessment-common:select-objective-by-id": { + "title": "Select Objective", + "description": "Used to select a control objective for inclusion/exclusion based on the control objective's identifier.", + "$id": "#assembly_oscal-assessment-common_select-objective-by-id", + "type": "object", + "properties": { + "objective-id": { + "title": "Objective ID", + "description": "Points to an assessment objective.", + "$ref": "#/definitions/TokenDatatype" + } + }, + "required": ["objective-id"], + "additionalProperties": false + }, + "oscal-ap-oscal-assessment-common:assessment-subject-placeholder": { + "title": "Assessment Subject Placeholder", + "description": "Used when the assessment subjects will be determined as part of one or more other assessment activities. These assessment subjects will be recorded in the assessment results in the assessment log.", + "$id": "#assembly_oscal-assessment-common_assessment-subject-placeholder", + "type": "object", + "properties": { + "uuid": { + "title": "Assessment Subject Placeholder Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier for a set of assessment subjects that will be identified by a task or an activity that is part of a task. The locally defined UUID of the assessment subject placeholder can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "description": { + "title": "Assessment Subject Placeholder Description", + "description": "A human-readable description of intent of this assessment subject placeholder.", + "type": "string" + }, + "sources": { + "type": "array", + "minItems": 1, + "items": { + "title": "Assessment Subject Source", + "description": "Assessment subjects will be identified while conducting the referenced activity-instance.", + "type": "object", + "properties": { + "task-uuid": { + "title": "Task Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference (in this or other OSCAL instances) an assessment activity to be performed as part of the event. The locally defined UUID of the task can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + } + }, + "required": ["task-uuid"], + "additionalProperties": false + } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "sources"], + "additionalProperties": false + }, + "oscal-ap-oscal-assessment-common:assessment-subject": { + "title": "Subject of Assessment", + "description": "Identifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies a planned assessment subject. In the assessment results this is an actual assessment subject, and reflects any changes from the plan. exactly what will be the focus of this assessment. Any subjects not identified in this way are out-of-scope.", + "$id": "#assembly_oscal-assessment-common_assessment-subject", + "type": "object", + "properties": { + "type": { + "title": "Subject Type", + "description": "Indicates the type of assessment subject, such as a component, inventory, item, location, or party represented by this selection statement.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { + "enum": [ + "component", + "inventory-item", + "location", + "party", + "user" + ] + } + ] + }, + "description": { + "title": "Include Subjects Description", + "description": "A human-readable description of the collection of subjects being included in this assessment.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "include-all": { "$ref": "#assembly_oscal-control-common_include-all" }, + "include-subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_select-subject-by-id" + } + }, + "exclude-subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_select-subject-by-id" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["type"], + "additionalProperties": false + }, + "oscal-ap-oscal-assessment-common:select-subject-by-id": { + "title": "Select Assessment Subject", + "description": "Identifies a set of assessment subjects to include/exclude by UUID.", + "$id": "#assembly_oscal-assessment-common_select-subject-by-id", + "type": "object", + "properties": { + "subject-uuid": { + "title": "Subject Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to a component, inventory-item, location, party, user, or resource using it's UUID.", + "$ref": "#/definitions/UUIDDatatype" + }, + "type": { + "title": "Subject Universally Unique Identifier Reference Type", + "description": "Used to indicate the type of object pointed to by the uuid-ref within a subject.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { + "enum": [ + "component", + "inventory-item", + "location", + "party", + "user", + "resource" + ] + } + ] + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["subject-uuid", "type"], + "additionalProperties": false + }, + "oscal-ap-oscal-assessment-common:subject-reference": { + "title": "Identifies the Subject", + "description": "A human-oriented identifier reference to a resource. Use type to indicate whether the identified resource is a component, inventory item, location, user, or something else.", + "$id": "#assembly_oscal-assessment-common_subject-reference", + "type": "object", + "properties": { + "subject-uuid": { + "title": "Subject Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to a component, inventory-item, location, party, user, or resource using it's UUID.", + "$ref": "#/definitions/UUIDDatatype" + }, + "type": { + "title": "Subject Universally Unique Identifier Reference Type", + "description": "Used to indicate the type of object pointed to by the uuid-ref within a subject.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { + "enum": [ + "component", + "inventory-item", + "location", + "party", + "user", + "resource" + ] + } + ] + }, + "title": { + "title": "Subject Reference Title", + "description": "The title or name for the referenced subject.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["subject-uuid", "type"], + "additionalProperties": false + }, + "oscal-ap-oscal-assessment-common:assessment-assets": { + "title": "Assessment Assets", + "description": "Identifies the assets used to perform this assessment, such as the assessment team, scanning tools, and assumptions.", + "$id": "#assembly_oscal-assessment-common_assessment-assets", + "type": "object", + "properties": { + "components": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_system-component" + } + }, + "assessment-platforms": { + "type": "array", + "minItems": 1, + "items": { + "title": "Assessment Platform", + "description": "Used to represent the toolset used to perform aspects of the assessment.", + "type": "object", + "properties": { + "uuid": { + "title": "Assessment Platform Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment platform elsewhere in this or other OSCAL instances. The locally defined UUID of the assessment platform can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Assessment Platform Title", + "description": "The title or name for the assessment platform.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "uses-components": { + "type": "array", + "minItems": 1, + "items": { + "title": "Uses Component", + "description": "The set of components that are used by the assessment platform.", + "type": "object", + "properties": { + "component-uuid": { + "title": "Component Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to a component that is implemented as part of an inventory item.", + "$ref": "#/definitions/UUIDDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-metadata_responsible-party" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["component-uuid"], + "additionalProperties": false + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid"], + "additionalProperties": false + } + } + }, + "required": ["assessment-platforms"], + "additionalProperties": false + }, + "oscal-ap-oscal-assessment-common:finding-target": { + "title": "Objective Status", + "description": "Captures an assessor's conclusions regarding the degree to which an objective is satisfied.", + "$id": "#assembly_oscal-assessment-common_finding-target", + "type": "object", + "properties": { + "type": { + "title": "Finding Target Type", + "description": "Identifies the type of the target.", + "allOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { "enum": ["statement-id", "objective-id"] } + ] + }, + "target-id": { + "title": "Finding Target Identifier Reference", + "description": "A machine-oriented identifier reference for a specific target qualified by the type.", + "$ref": "#/definitions/TokenDatatype" + }, + "title": { + "title": "Objective Status Title", + "description": "The title for this objective status.", + "type": "string" + }, + "description": { + "title": "Objective Status Description", + "description": "A human-readable description of the assessor's conclusions regarding the degree to which an objective is satisfied.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "status": { + "title": "Objective Status", + "description": "A determination of if the objective is satisfied or not within a given system.", + "type": "object", + "properties": { + "state": { + "title": "Objective Status State", + "description": "An indication as to whether the objective is satisfied or not.", + "allOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["satisfied", "not-satisfied"] } + ] + }, + "reason": { + "title": "Objective Status Reason", + "description": "The reason the objective was given it's status.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["pass", "fail", "other"] } + ] + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["state"], + "additionalProperties": false + }, + "implementation-status": { + "$ref": "#assembly_oscal-implementation-common_implementation-status" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["type", "target-id", "status"], + "additionalProperties": false + }, + "oscal-ap-oscal-assessment-common:finding": { + "title": "Finding", + "description": "Describes an individual finding.", + "$id": "#assembly_oscal-assessment-common_finding", + "type": "object", + "properties": { + "uuid": { + "title": "Finding Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this finding in this or other OSCAL instances. The locally defined UUID of the finding can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Finding Title", + "description": "The title for this finding.", + "type": "string" + }, + "description": { + "title": "Finding Description", + "description": "A human-readable description of this finding.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "origins": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_origin" } + }, + "target": { + "$ref": "#assembly_oscal-assessment-common_finding-target" + }, + "implementation-statement-uuid": { + "title": "Implementation Statement UUID", + "description": "A machine-oriented identifier reference to the implementation statement in the SSP to which this finding is related.", + "$ref": "#/definitions/UUIDDatatype" + }, + "related-observations": { + "type": "array", + "minItems": 1, + "items": { + "title": "Related Observation", + "description": "Relates the finding to a set of referenced observations that were used to determine the finding.", + "type": "object", + "properties": { + "observation-uuid": { + "title": "Observation Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to an observation defined in the list of observations.", + "$ref": "#/definitions/UUIDDatatype" + } + }, + "required": ["observation-uuid"], + "additionalProperties": false + } + }, + "related-risks": { + "type": "array", + "minItems": 1, + "items": { + "title": "Associated Risk", + "description": "Relates the finding to a set of referenced risks that were used to determine the finding.", + "type": "object", + "properties": { + "risk-uuid": { + "title": "Risk Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to a risk defined in the list of risks.", + "$ref": "#/definitions/UUIDDatatype" + } + }, + "required": ["risk-uuid"], + "additionalProperties": false + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "title", "description", "target"], + "additionalProperties": false + }, + "oscal-ap-oscal-assessment-common:observation": { + "title": "Observation", + "description": "Describes an individual observation.", + "$id": "#assembly_oscal-assessment-common_observation", + "type": "object", + "properties": { + "uuid": { + "title": "Observation Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this observation elsewhere in this or other OSCAL instances. The locally defined UUID of the observation can be used to reference the data item locally or globally (e.g., in an imorted OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Observation Title", + "description": "The title for this observation.", + "type": "string" + }, + "description": { + "title": "Observation Description", + "description": "A human-readable description of this assessment observation.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "methods": { + "type": "array", + "minItems": 1, + "items": { + "title": "Observation Method", + "description": "Identifies how the observation was made.", + "anyOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { "enum": ["EXAMINE", "INTERVIEW", "TEST", "UNKNOWN"] } + ] + } + }, + "types": { + "type": "array", + "minItems": 1, + "items": { + "title": "Observation Type", + "description": "Identifies the nature of the observation. More than one may be used to further qualify and enable filtering.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { + "enum": [ + "ssp-statement-issue", + "control-objective", + "mitigation", + "finding", + "historic" + ] + } + ] + } + }, + "origins": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_origin" } + }, + "subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_subject-reference" + } + }, + "relevant-evidence": { + "type": "array", + "minItems": 1, + "items": { + "title": "Relevant Evidence", + "description": "Links this observation to relevant evidence.", + "type": "object", + "properties": { + "href": { + "title": "Relevant Evidence Reference", + "description": "A resolvable URL reference to relevant evidence.", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "description": { + "title": "Relevant Evidence Description", + "description": "A human-readable description of this evidence.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["description"], + "additionalProperties": false + } + }, + "collected": { + "title": "Collected Field", + "description": "Date/time stamp identifying when the finding information was collected.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "expires": { + "title": "Expires Field", + "description": "Date/time identifying when the finding information is out-of-date and no longer valid. Typically used with continuous assessment scenarios.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "description", "methods", "collected"], + "additionalProperties": false + }, + "oscal-ap-oscal-assessment-common:origin": { + "title": "Origin", + "description": "Identifies the source of the finding, such as a tool, interviewed person, or activity.", + "$id": "#assembly_oscal-assessment-common_origin", + "type": "object", + "properties": { + "actors": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_origin-actor" } + }, + "related-tasks": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_related-task" } + } + }, + "required": ["actors"], + "additionalProperties": false + }, + "oscal-ap-oscal-assessment-common:origin-actor": { + "title": "Originating Actor", + "description": "The actor that produces an observation, a finding, or a risk. One or more actor type can be used to specify a person that is using a tool.", + "$id": "#assembly_oscal-assessment-common_origin-actor", + "type": "object", + "properties": { + "type": { + "title": "Actor Type", + "description": "The kind of actor.", + "allOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["tool", "assessment-platform", "party"] } + ] + }, + "actor-uuid": { + "title": "Actor Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to the tool or person based on the associated type.", + "$ref": "#/definitions/UUIDDatatype" + }, + "role-id": { + "title": "Actor Role", + "description": "For a party, this can optionally be used to specify the role the actor was performing.", + "$ref": "#/definitions/TokenDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + } + }, + "required": ["type", "actor-uuid"], + "additionalProperties": false + }, + "oscal-ap-oscal-assessment-common:related-task": { + "title": "Task Reference", + "description": "Identifies an individual task for which the containing object is a consequence of.", + "$id": "#assembly_oscal-assessment-common_related-task", + "type": "object", + "properties": { + "task-uuid": { + "title": "Task Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to a unique task.", + "$ref": "#/definitions/UUIDDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-party" } + }, + "subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_assessment-subject" + } + }, + "identified-subject": { + "title": "Identified Subject", + "description": "Used to detail assessment subjects that were identfied by this task.", + "type": "object", + "properties": { + "subject-placeholder-uuid": { + "title": "Assessment Subject Placeholder Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to a unique assessment subject placeholder defined by this task.", + "$ref": "#/definitions/UUIDDatatype" + }, + "subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_assessment-subject" + } + } + }, + "required": ["subject-placeholder-uuid", "subjects"], + "additionalProperties": false + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["task-uuid"], + "additionalProperties": false + }, + "oscal-ap-oscal-assessment-common:threat-id": { + "title": "Threat ID", + "description": "A pointer, by ID, to an externally-defined threat.", + "$id": "#field_oscal-assessment-common_threat-id", + "type": "object", + "properties": { + "system": { + "title": "Threat Type Identification System", + "description": "Specifies the source of the threat information.", + "anyOf": [ + { "$ref": "#/definitions/URIDatatype" }, + + { "enum": ["http://fedramp.gov", "http://fedramp.gov/ns/oscal"] } + ] + }, + "href": { + "title": "Threat Information Resource Reference", + "description": "An optional location for the threat data, from which this ID originates.", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "id": { "$ref": "#/definitions/URIDatatype" } + }, + "required": ["id", "system"], + "additionalProperties": false + }, + "oscal-ap-oscal-assessment-common:risk": { + "title": "Identified Risk", + "description": "An identified risk.", + "$id": "#assembly_oscal-assessment-common_risk", + "type": "object", + "properties": { + "uuid": { + "title": "Risk Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this risk elsewhere in this or other OSCAL instances. The locally defined UUID of the risk can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Risk Title", + "description": "The title for this risk.", + "type": "string" + }, + "description": { + "title": "Risk Description", + "description": "A human-readable summary of the identified risk, to include a statement of how the risk impacts the system.", + "type": "string" + }, + "statement": { + "title": "Risk Statement", + "description": "An summary of impact for how the risk affects the system.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "status": { "$ref": "#field_oscal-assessment-common_risk-status" }, + "origins": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_origin" } + }, + "threat-ids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-assessment-common_threat-id" } + }, + "characterizations": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_characterization" + } + }, + "mitigating-factors": { + "type": "array", + "minItems": 1, + "items": { + "title": "Mitigating Factor", + "description": "Describes an existing mitigating factor that may affect the overall determination of the risk, with an optional link to an implementation statement in the SSP.", + "type": "object", + "properties": { + "uuid": { + "title": "Mitigating Factor Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this mitigating factor elsewhere in this or other OSCAL instances. The locally defined UUID of the mitigating factor can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "implementation-uuid": { + "title": "Implementation UUID", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this implementation statement elsewhere in this or other OSCAL instancess. The locally defined UUID of the implementation statement can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "description": { + "title": "Mitigating Factor Description", + "description": "A human-readable description of this mitigating factor.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_subject-reference" + } + } + }, + "required": ["uuid", "description"], + "additionalProperties": false + } + }, + "deadline": { + "title": "Risk Resolution Deadline", + "description": "The date/time by which the risk must be resolved.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "remediations": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_response" } + }, + "risk-log": { + "title": "Risk Log", + "description": "A log of all risk-related tasks taken.", + "type": "object", + "properties": { + "entries": { + "type": "array", + "minItems": 1, + "items": { + "title": "Risk Log Entry", + "description": "Identifies an individual risk response that occurred as part of managing an identified risk.", + "type": "object", + "properties": { + "uuid": { + "title": "Risk Log Entry Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this risk log entry elsewhere in this or other OSCAL instances. The locally defined UUID of the risk log entry can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Title", + "description": "The title for this risk log entry.", + "type": "string" + }, + "description": { + "title": "Risk Task Description", + "description": "A human-readable description of what was done regarding the risk.", + "type": "string" + }, + "start": { + "title": "Start", + "description": "Identifies the start date and time of the event.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "end": { + "title": "End", + "description": "Identifies the end date and time of the event. If the event is a point in time, the start and end will be the same date and time.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "logged-by": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_logged-by" + } + }, + "status-change": { + "$ref": "#field_oscal-assessment-common_risk-status" + }, + "related-responses": { + "type": "array", + "minItems": 1, + "items": { + "title": "Risk Response Reference", + "description": "Identifies an individual risk response that this log entry is for.", + "type": "object", + "properties": { + "response-uuid": { + "title": "Response Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to a unique risk response.", + "$ref": "#/definitions/UUIDDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-metadata_property" + } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "related-tasks": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_related-task" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["response-uuid"], + "additionalProperties": false + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "start"], + "additionalProperties": false + } + } + }, + "required": ["entries"], + "additionalProperties": false + }, + "related-observations": { + "type": "array", + "minItems": 1, + "items": { + "title": "Related Observation", + "description": "Relates the finding to a set of referenced observations that were used to determine the finding.", + "type": "object", + "properties": { + "observation-uuid": { + "title": "Observation Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to an observation defined in the list of observations.", + "$ref": "#/definitions/UUIDDatatype" + } + }, + "required": ["observation-uuid"], + "additionalProperties": false + } + } + }, + "required": ["uuid", "title", "description", "statement", "status"], + "additionalProperties": false + }, + "oscal-ap-oscal-assessment-common:logged-by": { + "title": "Logged By", + "description": "Used to indicate who created a log entry in what role.", + "$id": "#assembly_oscal-assessment-common_logged-by", + "type": "object", + "properties": { + "party-uuid": { + "title": "Party UUID Reference", + "description": "A machine-oriented identifier reference to the party who is making the log entry.", + "$ref": "#/definitions/UUIDDatatype" + }, + "role-id": { + "title": "Actor Role", + "description": "A point to the role-id of the role in which the party is making the log entry.", + "$ref": "#/definitions/TokenDatatype" + } + }, + "required": ["party-uuid"], + "additionalProperties": false + }, + "oscal-ap-oscal-assessment-common:risk-status": { + "title": "Risk Status", + "description": "Describes the status of the associated risk.", + "$id": "#field_oscal-assessment-common_risk-status", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { + "enum": [ + "open", + "investigating", + "remediating", + "deviation-requested", + "deviation-approved", + "closed" + ] + } + ] + }, + "oscal-ap-oscal-assessment-common:characterization": { + "title": "Characterization", + "description": "A collection of descriptive data about the containing object from a specific origin.", + "$id": "#assembly_oscal-assessment-common_characterization", + "type": "object", + "properties": { + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "origin": { "$ref": "#assembly_oscal-assessment-common_origin" }, + "facets": { + "type": "array", + "minItems": 1, + "items": { + "title": "Facet", + "description": "An individual characteristic that is part of a larger set produced by the same actor.", + "type": "object", + "properties": { + "name": { + "title": "Facet Name", + "description": "The name of the risk metric within the specified system.", + "$ref": "#/definitions/TokenDatatype" + }, + "system": { + "title": "Naming System", + "description": "Specifies the naming system under which this risk metric is organized, which allows for the same names to be used in different systems controlled by different parties. This avoids the potential of a name clash.", + "anyOf": [ + { "$ref": "#/definitions/URIDatatype" }, + + { + "enum": [ + "http://fedramp.gov", + "http://fedramp.gov/ns/oscal", + "http://csrc.nist.gov/ns/oscal", + "http://csrc.nist.gov/ns/oscal/unknown", + "http://cve.mitre.org", + "http://www.first.org/cvss/v2.0", + "http://www.first.org/cvss/v3.0", + "http://www.first.org/cvss/v3.1" + ] + } + ] + }, + "value": { + "title": "Facet Value", + "description": "Indicates the value of the facet.", + "$ref": "#/definitions/StringDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["name", "system", "value"], + "additionalProperties": false + } + } + }, + "required": ["origin", "facets"], + "additionalProperties": false + }, + "oscal-ap-oscal-assessment-common:response": { + "title": "Risk Response", + "description": "Describes either recommended or an actual plan for addressing the risk.", + "$id": "#assembly_oscal-assessment-common_response", + "type": "object", + "properties": { + "uuid": { + "title": "Remediation Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this remediation elsewhere in this or other OSCAL instances. The locally defined UUID of the risk response can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "lifecycle": { + "title": "Remediation Intent", + "description": "Identifies whether this is a recommendation, such as from an assessor or tool, or an actual plan accepted by the system owner.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["recommendation", "planned", "completed"] } + ] + }, + "title": { + "title": "Response Title", + "description": "The title for this response activity.", + "type": "string" + }, + "description": { + "title": "Response Description", + "description": "A human-readable description of this response plan.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "origins": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_origin" } + }, + "required-assets": { + "type": "array", + "minItems": 1, + "items": { + "title": "Required Asset", + "description": "Identifies an asset required to achieve remediation.", + "type": "object", + "properties": { + "uuid": { + "title": "Required Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this required asset elsewhere in this or other OSCAL instances. The locally defined UUID of the asset can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_subject-reference" + } + }, + "title": { + "title": "Title for Required Asset", + "description": "The title for this required asset.", + "type": "string" + }, + "description": { + "title": "Description of Required Asset", + "description": "A human-readable description of this required asset.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "description"], + "additionalProperties": false + } + }, + "tasks": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_task" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "lifecycle", "title", "description"], + "additionalProperties": false + }, + "oscal-ap-oscal-assessment-common:assessment-part": { + "title": "Assessment Part", + "description": "A partition of an assessment plan or results or a child of another part.", + "$id": "#assembly_oscal-assessment-common_assessment-part", + "type": "object", + "properties": { + "uuid": { + "title": "Part Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this part elsewhere in this or other OSCAL instances. The locally defined UUID of the part can be used to reference the data item locally or globally (e.g., in an ported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "name": { + "title": "Part Name", + "description": "A textual label that uniquely identifies the part's semantic type.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["asset", "method", "objective"] } + ] + }, + "ns": { + "title": "Part Namespace", + "description": "A namespace qualifying the part's name. This allows different organizations to associate distinct semantics with the same name.", + "$ref": "#/definitions/URIDatatype" + }, + "class": { + "title": "Part Class", + "description": "A textual label that provides a sub-type or characterization of the part's name. This can be used to further distinguish or discriminate between the semantics of multiple parts of the same control with the same name and ns.", + "$ref": "#/definitions/TokenDatatype" + }, + "title": { + "title": "Part Title", + "description": "A name given to the part, which may be used by a tool for display and navigation.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "prose": { + "title": "Part Text", + "description": "Permits multiple paragraphs, lists, tables etc.", + "type": "string" + }, + "parts": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_assessment-part" + } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + } + }, + "required": ["name"], + "additionalProperties": false + }, + "oscal-ap-oscal-control-common:part": { + "title": "Part", + "description": "An annotated, markup-based textual element of a control's or catalog group's definition, or a child of another part.", + "$id": "#assembly_oscal-control-common_part", + "type": "object", + "properties": { + "id": { + "title": "Part Identifier", + "description": "A unique identifier for the part.", + "$ref": "#/definitions/TokenDatatype" + }, + "name": { + "title": "Part Name", + "description": "A textual label that uniquely identifies the part's semantic type, which exists in a value space qualified by the ns.", + "$ref": "#/definitions/TokenDatatype" + }, + "ns": { + "title": "Part Namespace", + "description": "An optional namespace qualifying the part's name. This allows different organizations to associate distinct semantics with the same name.", + "$ref": "#/definitions/URIDatatype" + }, + "class": { + "title": "Part Class", + "description": "An optional textual providing a sub-type or characterization of the part's name, or a category to which the part belongs.", + "$ref": "#/definitions/TokenDatatype" + }, + "title": { + "title": "Part Title", + "description": "An optional name given to the part, which may be used by a tool for display and navigation.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "prose": { + "title": "Part Text", + "description": "Permits multiple paragraphs, lists, tables etc.", + "type": "string" + }, + "parts": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-control-common_part" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + } + }, + "required": ["name"], + "additionalProperties": false + }, + "oscal-ap-oscal-control-common:parameter": { + "title": "Parameter", + "description": "Parameters provide a mechanism for the dynamic assignment of value(s) in a control.", + "$id": "#assembly_oscal-control-common_parameter", + "type": "object", + "properties": { + "id": { + "title": "Parameter Identifier", + "description": "A unique identifier for the parameter.", + "$ref": "#/definitions/TokenDatatype" + }, + "class": { + "title": "Parameter Class", + "description": "A textual label that provides a characterization of the type, purpose, use or scope of the parameter.", + "$ref": "#/definitions/TokenDatatype" + }, + "depends-on": { + "title": "Depends on", + "description": "(deprecated) Another parameter invoking this one. This construct has been deprecated and should not be used.", + "$ref": "#/definitions/TokenDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "label": { + "title": "Parameter Label", + "description": "A short, placeholder name for the parameter, which can be used as a substitute for a value if no value is assigned.", + "type": "string" + }, + "usage": { + "title": "Parameter Usage Description", + "description": "Describes the purpose and use of a parameter.", + "type": "string" + }, + "constraints": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-control-common_parameter-constraint" + } + }, + "guidelines": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-control-common_parameter-guideline" + } + }, + "values": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-control-common_parameter-value" } + }, + "select": { + "$ref": "#assembly_oscal-control-common_parameter-selection" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["id"], + "additionalProperties": false + }, + "oscal-ap-oscal-control-common:parameter-constraint": { + "title": "Constraint", + "description": "A formal or informal expression of a constraint or test.", + "$id": "#assembly_oscal-control-common_parameter-constraint", + "type": "object", + "properties": { + "description": { + "title": "Constraint Description", + "description": "A textual summary of the constraint to be applied.", + "type": "string" + }, + "tests": { + "type": "array", + "minItems": 1, + "items": { + "title": "Constraint Test", + "description": "A test expression which is expected to be evaluated by a tool.", + "type": "object", + "properties": { + "expression": { + "title": "Constraint test", + "description": "A formal (executable) expression of a constraint.", + "$ref": "#/definitions/StringDatatype" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["expression"], + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "oscal-ap-oscal-control-common:parameter-guideline": { + "title": "Guideline", + "description": "A prose statement that provides a recommendation for the use of a parameter.", + "$id": "#assembly_oscal-control-common_parameter-guideline", + "type": "object", + "properties": { + "prose": { + "title": "Guideline Text", + "description": "Prose permits multiple paragraphs, lists, tables etc.", + "type": "string" + } + }, + "required": ["prose"], + "additionalProperties": false + }, + "oscal-ap-oscal-control-common:parameter-value": { + "title": "Parameter Value", + "description": "A parameter value or set of values.", + "$id": "#field_oscal-control-common_parameter-value", + "$ref": "#/definitions/StringDatatype" + }, + "oscal-ap-oscal-control-common:parameter-selection": { + "title": "Selection", + "description": "Presenting a choice among alternatives.", + "$id": "#assembly_oscal-control-common_parameter-selection", + "type": "object", + "properties": { + "how-many": { + "title": "Parameter Cardinality", + "description": "Describes the number of selections that must occur. Without this setting, only one value should be assumed to be permitted.", + "allOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["one", "one-or-more"] } + ] + }, + "choice": { + "type": "array", + "minItems": 1, + "items": { + "title": "Choice", + "description": "A value selection among several such options.", + "type": "string" + } + } + }, + "additionalProperties": false + }, + "oscal-ap-oscal-control-common:include-all": { + "title": "Include All", + "description": "Include all controls from the imported catalog or profile resources.", + "$id": "#assembly_oscal-control-common_include-all", + "type": "object", + "additionalProperties": false + }, + "oscal-ap-oscal-implementation-common:system-component": { + "title": "Component", + "description": "A defined component that can be part of an implemented system.", + "$id": "#assembly_oscal-implementation-common_system-component", + "type": "object", + "properties": { + "uuid": { + "title": "Component Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this component elsewhere in this or other OSCAL instances. The locally defined UUID of the component can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "type": { + "title": "Component Type", + "description": "A category describing the purpose of the component.", + "anyOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { + "enum": [ + "this-system", + "system", + "interconnection", + "software", + "hardware", + "service", + "policy", + "physical", + "process-procedure", + "plan", + "guidance", + "standard", + "validation", + "network" + ] + } + ] + }, + "title": { + "title": "Component Title", + "description": "A human readable name for the system component.", + "type": "string" + }, + "description": { + "title": "Component Description", + "description": "A description of the component, including information about its function.", + "type": "string" + }, + "purpose": { + "title": "Purpose", + "description": "A summary of the technological or business purpose of the component.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "status": { + "title": "Status", + "description": "Describes the operational status of the system component.", + "type": "object", + "properties": { + "state": { + "title": "State", + "description": "The operational status.", + "allOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { + "enum": [ + "under-development", + "operational", + "disposition", + "other" + ] + } + ] + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["state"], + "additionalProperties": false + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "protocols": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-implementation-common_protocol" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "type", "title", "description", "status"], + "additionalProperties": false + }, + "oscal-ap-oscal-implementation-common:protocol": { + "title": "Service Protocol Information", + "description": "Information about the protocol used to provide a service.", + "$id": "#assembly_oscal-implementation-common_protocol", + "type": "object", + "properties": { + "uuid": { + "title": "Service Protocol Information Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this service protocol information elsewhere in this or other OSCAL instances. The locally defined UUID of the service protocol can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "name": { + "title": "Protocol Name", + "description": "The common name of the protocol, which should be the appropriate \"service name\" from the IANA Service Name and Transport Protocol Port Number Registry.", + "$ref": "#/definitions/StringDatatype" + }, + "title": { + "title": "Protocol Title", + "description": "A human readable name for the protocol (e.g., Transport Layer Security).", + "type": "string" + }, + "port-ranges": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_port-range" + } + } + }, + "required": ["name"], + "additionalProperties": false + }, + "oscal-ap-oscal-implementation-common:port-range": { + "title": "Port Range", + "description": "Where applicable this is the IPv4 port range on which the service operates.", + "$id": "#assembly_oscal-implementation-common_port-range", + "type": "object", + "properties": { + "start": { + "title": "Start", + "description": "Indicates the starting port number in a port range", + "$ref": "#/definitions/NonNegativeIntegerDatatype" + }, + "end": { + "title": "End", + "description": "Indicates the ending port number in a port range", + "$ref": "#/definitions/NonNegativeIntegerDatatype" + }, + "transport": { + "title": "Transport", + "description": "Indicates the transport type.", + "allOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["TCP", "UDP"] } + ] + } + }, + "additionalProperties": false + }, + "oscal-ap-oscal-implementation-common:implementation-status": { + "title": "Implementation Status", + "description": "Indicates the degree to which the a given control is implemented.", + "$id": "#assembly_oscal-implementation-common_implementation-status", + "type": "object", + "properties": { + "state": { + "title": "Implementation State", + "description": "Identifies the implementation status of the control or control objective.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { + "enum": [ + "implemented", + "partial", + "planned", + "alternative", + "not-applicable" + ] + } + ] + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["state"], + "additionalProperties": false + }, + "oscal-ap-oscal-implementation-common:system-user": { + "title": "System User", + "description": "A type of user that interacts with the system based on an associated role.", + "$id": "#assembly_oscal-implementation-common_system-user", + "type": "object", + "properties": { + "uuid": { + "title": "User Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this user class elsewhere in this or other OSCAL instances. The locally defined UUID of the system user can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "User Title", + "description": "A name given to the user, which may be used by a tool for display and navigation.", + "type": "string" + }, + "short-name": { + "title": "User Short Name", + "description": "A short common name, abbreviation, or acronym for the user.", + "$ref": "#/definitions/StringDatatype" + }, + "description": { + "title": "User Description", + "description": "A summary of the user's purpose within the system.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "role-ids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_role-id" } + }, + "authorized-privileges": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_authorized-privilege" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid"], + "additionalProperties": false + }, + "oscal-ap-oscal-implementation-common:authorized-privilege": { + "title": "Privilege", + "description": "Identifies a specific system privilege held by the user, along with an associated description and/or rationale for the privilege.", + "$id": "#assembly_oscal-implementation-common_authorized-privilege", + "type": "object", + "properties": { + "title": { + "title": "Privilege Title", + "description": "A human readable name for the privilege.", + "type": "string" + }, + "description": { + "title": "Privilege Description", + "description": "A summary of the privilege's purpose within the system.", + "type": "string" + }, + "functions-performed": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#field_oscal-implementation-common_function-performed" + } + } + }, + "required": ["title", "functions-performed"], + "additionalProperties": false + }, + "oscal-ap-oscal-implementation-common:function-performed": { + "title": "Functions Performed", + "description": "Describes a function performed for a given authorized privilege by this user class.", + "$id": "#field_oscal-implementation-common_function-performed", + "$ref": "#/definitions/StringDatatype" + }, + "oscal-ap-oscal-implementation-common:inventory-item": { + "title": "Inventory Item", + "description": "A single managed inventory item within the system.", + "$id": "#assembly_oscal-implementation-common_inventory-item", + "type": "object", + "properties": { + "uuid": { + "title": "Inventory Item Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this inventory item elsewhere in this or other OSCAL instances. The locally defined UUID of the inventory item can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "description": { + "title": "Inventory Item Description", + "description": "A summary of the inventory item stating its purpose within the system.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-party" } + }, + "implemented-components": { + "type": "array", + "minItems": 1, + "items": { + "title": "Implemented Component", + "description": "The set of components that are implemented in a given system inventory item.", + "type": "object", + "properties": { + "component-uuid": { + "title": "Component Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to a component that is implemented as part of an inventory item.", + "$ref": "#/definitions/UUIDDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-metadata_responsible-party" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["component-uuid"], + "additionalProperties": false + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "description"], + "additionalProperties": false + }, + "oscal-ap-oscal-implementation-common:set-parameter": { + "title": "Set Parameter Value", + "description": "Identifies the parameter that will be set by the enclosed value.", + "$id": "#assembly_oscal-implementation-common_set-parameter", + "type": "object", + "properties": { + "param-id": { + "title": "Parameter ID", + "description": "A human-oriented reference to a parameter within a control, who's catalog has been imported into the current implementation context.", + "$ref": "#/definitions/TokenDatatype" + }, + "values": { + "type": "array", + "minItems": 1, + "items": { + "title": "Parameter Value", + "description": "A parameter value or set of values.", + "$ref": "#/definitions/StringDatatype" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["param-id", "values"], + "additionalProperties": false + }, + "oscal-ap-oscal-implementation-common:system-id": { + "title": "System Identification", + "description": "A human-oriented, globally unique identifier with cross-instance scope that can be used to reference this system identification property elsewhere in this or other OSCAL instances. When referencing an externally defined system identification, the system identification must be used in the context of the external / imported OSCAL instance (e.g., uri-reference). This string should be assigned per-subject, which means it should be consistently used to identify the same system across revisions of the document.", + "$id": "#field_oscal-implementation-common_system-id", + "type": "object", + "properties": { + "identifier-type": { + "title": "Identification System Type", + "description": "Identifies the identification system from which the provided identifier was assigned.", + "anyOf": [ + { "$ref": "#/definitions/URIDatatype" }, + + { + "enum": [ + "https://fedramp.gov", + "http://fedramp.gov/ns/oscal", + "https://ietf.org/rfc/rfc4122", + "http://ietf.org/rfc/rfc4122" + ] + } + ] + }, + "id": { "$ref": "#/definitions/StringDatatype" } + }, + "required": ["id"], + "additionalProperties": false + }, + "Base64Datatype": { + "description": "Binary data encoded using the Base 64 encoding algorithm as defined by RFC4648.", + "type": "string", + "pattern": "^[0-9A-Za-z+/]+={0,2}$", + "contentEncoding": "base64" + }, + "DateTimeWithTimezoneDatatype": { + "description": "A string representing a point in time with a required timezone.", + "type": "string", + "format": "date-time", + "pattern": "^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|(-((0[0-9]|1[0-2]):00|0[39]:30)|\\+((0[0-9]|1[0-4]):00|(0[34569]|10):30|(0[58]|12):45)))$" + }, + "EmailAddressDatatype": { + "description": "An email address string formatted according to RFC 6531.", + "allOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { "type": "string", "format": "email", "pattern": "^.+@.+$" } + ] + }, + "IntegerDatatype": { + "description": "A whole number value.", + "type": "integer" + }, + "NonNegativeIntegerDatatype": { + "description": "An integer value that is equal to or greater than 0.", + "allOf": [ + { "$ref": "#/definitions/IntegerDatatype" }, + + { "type": "number", "minimum": 0 } + ] + }, + "PositiveIntegerDatatype": { + "description": "An integer value that is greater than 0.", + "allOf": [ + { "$ref": "#/definitions/IntegerDatatype" }, + + { "type": "number", "minimum": 1 } + ] + }, + "StringDatatype": { + "description": "A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, U+10, U+32 or [ \n\t]+", + "type": "string", + "pattern": "^\\S(.*\\S)?$" + }, + "TokenDatatype": { + "description": "A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. https://www.w3.org/TR/xmlschema11-2/#NCName.", + "type": "string", + "pattern": "^(\\p{L}|_)(\\p{L}|\\p{N}|[.\\-_])*$" + }, + "URIDatatype": { + "description": "A universal resource identifier (URI) formatted according to RFC3986.", + "type": "string", + "format": "uri", + "pattern": "^[a-zA-Z][a-zA-Z0-9+\\-.]+:.+$" + }, + "URIReferenceDatatype": { + "description": "A URI Reference, either a URI or a relative-reference, formatted according to section 4.1 of RFC3986.", + "type": "string", + "format": "uri-reference" + }, + "UUIDDatatype": { + "description": "A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + } + }, + "properties": { + "$schema": { "$ref": "#json-schema-directive" }, + "assessment-plan": { "$ref": "#assembly_oscal-ap_assessment-plan" } + }, + "required": ["assessment-plan"], + "additionalProperties": false +} diff --git a/roscal_lib/jsonschema/tracking_latest_models/oscal_assessment-results_schema.json b/roscal_lib/jsonschema/tracking_latest_models/oscal_assessment-results_schema.json new file mode 100644 index 0000000..7403ad5 --- /dev/null +++ b/roscal_lib/jsonschema/tracking_latest_models/oscal_assessment-results_schema.json @@ -0,0 +1,3481 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "http://csrc.nist.gov/ns/oscal/1.1.2/oscal-ar-schema.json", + "$comment": "OSCAL Assessment Results Model: JSON Schema", + "type": "object", + "definitions": { + "json-schema-directive": { + "title": "Schema Directive", + "description": "A JSON Schema directive to bind a specific schema to its document instance.", + "$id": "#json-schema-directive", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "oscal-ar-oscal-ar:assessment-results": { + "title": "Security Assessment Results (SAR)", + "description": "Security assessment results, such as those provided by a FedRAMP assessor in the FedRAMP Security Assessment Report.", + "$id": "#assembly_oscal-ar_assessment-results", + "type": "object", + "properties": { + "uuid": { + "title": "Assessment Results Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment results instance in this or other OSCAL instances. The locally defined UUID of the assessment result can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "metadata": { "$ref": "#assembly_oscal-metadata_metadata" }, + "import-ap": { "$ref": "#assembly_oscal-ar_import-ap" }, + "local-definitions": { + "title": "Local Definitions", + "description": "Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP.", + "type": "object", + "properties": { + "objectives-and-methods": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_local-objective" + } + }, + "activities": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_activity" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "additionalProperties": false + }, + "results": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-ar_result" } + }, + "back-matter": { "$ref": "#assembly_oscal-metadata_back-matter" } + }, + "required": ["uuid", "metadata", "import-ap", "results"], + "additionalProperties": false + }, + "oscal-ar-oscal-ar:result": { + "title": "Assessment Result", + "description": "Used by the assessment results and POA&M. In the assessment results, this identifies all of the assessment observations and findings, initial and residual risks, deviations, and disposition. In the POA&M, this identifies initial and residual risks, deviations, and disposition.", + "$id": "#assembly_oscal-ar_result", + "type": "object", + "properties": { + "uuid": { + "title": "Results Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this set of results in this or other OSCAL instances. The locally defined UUID of the assessment result can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Results Title", + "description": "The title for this set of results.", + "type": "string" + }, + "description": { + "title": "Results Description", + "description": "A human-readable description of this set of test results.", + "type": "string" + }, + "start": { + "title": "start field", + "description": "Date/time stamp identifying the start of the evidence collection reflected in these results.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "end": { + "title": "end field", + "description": "Date/time stamp identifying the end of the evidence collection reflected in these results. In a continuous motoring scenario, this may contain the same value as start if appropriate.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "local-definitions": { + "title": "Local Definitions", + "description": "Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP.", + "type": "object", + "properties": { + "components": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_system-component" + } + }, + "inventory-items": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_inventory-item" + } + }, + "users": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_system-user" + } + }, + "assessment-assets": { + "$ref": "#assembly_oscal-assessment-common_assessment-assets" + }, + "tasks": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_task" } + } + }, + "additionalProperties": false + }, + "reviewed-controls": { + "$ref": "#assembly_oscal-assessment-common_reviewed-controls" + }, + "attestations": { + "type": "array", + "minItems": 1, + "items": { + "title": "Attestation Statements", + "description": "A set of textual statements, typically written by the assessor.", + "type": "object", + "properties": { + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-metadata_responsible-party" + } + }, + "parts": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_assessment-part" + } + } + }, + "required": ["parts"], + "additionalProperties": false + } + }, + "assessment-log": { + "title": "Assessment Log", + "description": "A log of all assessment-related actions taken.", + "type": "object", + "properties": { + "entries": { + "type": "array", + "minItems": 1, + "items": { + "title": "Assessment Log Entry", + "description": "Identifies the result of an action and/or task that occurred as part of executing an assessment plan or an assessment event that occurred in producing the assessment results.", + "type": "object", + "properties": { + "uuid": { + "title": "Assessment Log Entry Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference an assessment event in this or other OSCAL instances. The locally defined UUID of the assessment log entry can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Action Title", + "description": "The title for this event.", + "type": "string" + }, + "description": { + "title": "Action Description", + "description": "A human-readable description of this event.", + "type": "string" + }, + "start": { + "title": "Start", + "description": "Identifies the start date and time of an event.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "end": { + "title": "End", + "description": "Identifies the end date and time of an event. If the event is a point in time, the start and end will be the same date and time.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "logged-by": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_logged-by" + } + }, + "related-tasks": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_related-task" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "start"], + "additionalProperties": false + } + } + }, + "required": ["entries"], + "additionalProperties": false + }, + "observations": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_observation" } + }, + "risks": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_risk" } + }, + "findings": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_finding" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": [ + "uuid", + "title", + "description", + "start", + "reviewed-controls" + ], + "additionalProperties": false + }, + "oscal-ar-oscal-ar:import-ap": { + "title": "Import Assessment Plan", + "description": "Used by assessment-results to import information about the original plan for assessing the system.", + "$id": "#assembly_oscal-ar_import-ap", + "type": "object", + "properties": { + "href": { + "title": "Assessment Plan Reference", + "description": "A resolvable URL reference to the assessment plan governing the assessment activities.", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["href"], + "additionalProperties": false + }, + "oscal-ar-oscal-metadata:metadata": { + "title": "Document Metadata", + "description": "Provides information about the containing document, and defines concepts that are shared across the document.", + "$id": "#assembly_oscal-metadata_metadata", + "type": "object", + "properties": { + "title": { + "title": "Document Title", + "description": "A name given to the document, which may be used by a tool for display and navigation.", + "type": "string" + }, + "published": { "$ref": "#field_oscal-metadata_published" }, + "last-modified": { "$ref": "#field_oscal-metadata_last-modified" }, + "version": { "$ref": "#field_oscal-metadata_version" }, + "oscal-version": { "$ref": "#field_oscal-metadata_oscal-version" }, + "revisions": { + "type": "array", + "minItems": 1, + "items": { + "title": "Revision History Entry", + "description": "An entry in a sequential list of revisions to the containing document, expected to be in reverse chronological order (i.e. latest first).", + "type": "object", + "properties": { + "title": { + "title": "Document Title", + "description": "A name given to the document revision, which may be used by a tool for display and navigation.", + "type": "string" + }, + "published": { "$ref": "#field_oscal-metadata_published" }, + "last-modified": { + "$ref": "#field_oscal-metadata_last-modified" + }, + "version": { "$ref": "#field_oscal-metadata_version" }, + "oscal-version": { + "$ref": "#field_oscal-metadata_oscal-version" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["version"], + "additionalProperties": false + } + }, + "document-ids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_document-id" } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "roles": { + "type": "array", + "minItems": 1, + "items": { + "title": "Role", + "description": "Defines a function, which might be assigned to a party in a specific situation.", + "type": "object", + "properties": { + "id": { + "title": "Role Identifier", + "description": "A unique identifier for the role.", + "$ref": "#/definitions/TokenDatatype" + }, + "title": { + "title": "Role Title", + "description": "A name given to the role, which may be used by a tool for display and navigation.", + "type": "string" + }, + "short-name": { + "title": "Role Short Name", + "description": "A short common name, abbreviation, or acronym for the role.", + "$ref": "#/definitions/StringDatatype" + }, + "description": { + "title": "Role Description", + "description": "A summary of the role's purpose and associated responsibilities.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["id", "title"], + "additionalProperties": false + } + }, + "locations": { + "type": "array", + "minItems": 1, + "items": { + "title": "Location", + "description": "A physical point of presence, which may be associated with people, organizations, or other concepts within the current or linked OSCAL document.", + "type": "object", + "properties": { + "uuid": { + "title": "Location Universally Unique Identifier", + "description": "A unique ID for the location, for reference.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Location Title", + "description": "A name given to the location, which may be used by a tool for display and navigation.", + "type": "string" + }, + "address": { "$ref": "#assembly_oscal-metadata_address" }, + "email-addresses": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_email-address" } + }, + "telephone-numbers": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_telephone-number" } + }, + "urls": { + "type": "array", + "minItems": 1, + "items": { + "title": "Location URL", + "description": "The uniform resource locator (URL) for a web site or other resource associated with the location.", + "$ref": "#/definitions/URIDatatype" + } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid"], + "additionalProperties": false + } + }, + "parties": { + "type": "array", + "minItems": 1, + "items": { + "title": "Party", + "description": "An organization or person, which may be associated with roles or other concepts within the current or linked OSCAL document.", + "type": "object", + "properties": { + "uuid": { + "title": "Party Universally Unique Identifier", + "description": "A unique identifier for the party.", + "$ref": "#/definitions/UUIDDatatype" + }, + "type": { + "title": "Party Type", + "description": "A category describing the kind of party the object describes.", + "allOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { "enum": ["person", "organization"] } + ] + }, + "name": { + "title": "Party Name", + "description": "The full name of the party. This is typically the legal name associated with the party.", + "$ref": "#/definitions/StringDatatype" + }, + "short-name": { + "title": "Party Short Name", + "description": "A short common name, abbreviation, or acronym for the party.", + "$ref": "#/definitions/StringDatatype" + }, + "external-ids": { + "type": "array", + "minItems": 1, + "items": { + "title": "Party External Identifier", + "description": "An identifier for a person or organization using a designated scheme. e.g. an Open Researcher and Contributor ID (ORCID).", + "type": "object", + "properties": { + "scheme": { + "title": "External Identifier Schema", + "description": "Indicates the type of external identifier.", + "anyOf": [ + { "$ref": "#/definitions/URIDatatype" }, + + { "enum": ["http://orcid.org/"] } + ] + }, + "id": { "$ref": "#/definitions/StringDatatype" } + }, + "required": ["id", "scheme"], + "additionalProperties": false + } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "email-addresses": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_email-address" } + }, + "telephone-numbers": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_telephone-number" } + }, + "addresses": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_address" } + }, + "location-uuids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_location-uuid" } + }, + "member-of-organizations": { + "type": "array", + "minItems": 1, + "items": { + "title": "Organizational Affiliation", + "description": "A reference to another party by UUID, typically an organization, that this subject is associated with.", + "$ref": "#/definitions/UUIDDatatype" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "type"], + "additionalProperties": false + } + }, + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-party" } + }, + "actions": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_action" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["title", "last-modified", "version", "oscal-version"], + "additionalProperties": false + }, + "oscal-ar-oscal-metadata:location-uuid": { + "title": "Location Universally Unique Identifier Reference", + "description": "Reference to a location by UUID.", + "$id": "#field_oscal-metadata_location-uuid", + "$ref": "#/definitions/UUIDDatatype" + }, + "oscal-ar-oscal-metadata:party-uuid": { + "title": "Party Universally Unique Identifier Reference", + "description": "Reference to a party by UUID.", + "$id": "#field_oscal-metadata_party-uuid", + "$ref": "#/definitions/UUIDDatatype" + }, + "oscal-ar-oscal-metadata:role-id": { + "title": "Role Identifier Reference", + "description": "Reference to a role by UUID.", + "$id": "#field_oscal-metadata_role-id", + "$ref": "#/definitions/TokenDatatype" + }, + "oscal-ar-oscal-metadata:back-matter": { + "title": "Back matter", + "description": "A collection of resources that may be referenced from within the OSCAL document instance.", + "$id": "#assembly_oscal-metadata_back-matter", + "type": "object", + "properties": { + "resources": { + "type": "array", + "minItems": 1, + "items": { + "title": "Resource", + "description": "A resource associated with content in the containing document instance. A resource may be directly included in the document using base64 encoding or may point to one or more equivalent internet resources.", + "type": "object", + "properties": { + "uuid": { + "title": "Resource Universally Unique Identifier", + "description": "A unique identifier for a resource.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Resource Title", + "description": "An optional name given to the resource, which may be used by a tool for display and navigation.", + "type": "string" + }, + "description": { + "title": "Resource Description", + "description": "An optional short summary of the resource used to indicate the purpose of the resource.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "document-ids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_document-id" } + }, + "citation": { + "title": "Citation", + "description": "An optional citation consisting of end note text using structured markup.", + "type": "object", + "properties": { + "text": { + "title": "Citation Text", + "description": "A line of citation text.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + } + }, + "required": ["text"], + "additionalProperties": false + }, + "rlinks": { + "type": "array", + "minItems": 1, + "items": { + "title": "Resource link", + "description": "A URL-based pointer to an external resource with an optional hash for verification and change detection.", + "type": "object", + "properties": { + "href": { + "title": "Hypertext Reference", + "description": "A resolvable URL pointing to the referenced resource.", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "media-type": { + "title": "Media Type", + "description": "A label that indicates the nature of a resource, as a data serialization or format.", + "$ref": "#/definitions/StringDatatype" + }, + "hashes": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_hash" } + } + }, + "required": ["href"], + "additionalProperties": false + } + }, + "base64": { + "title": "Base64", + "description": "A resource encoded using the Base64 alphabet defined by RFC 2045.", + "type": "object", + "properties": { + "filename": { + "title": "File Name", + "description": "Name of the file before it was encoded as Base64 to be embedded in a resource. This is the name that will be assigned to the file when the file is decoded.", + "$ref": "#/definitions/TokenDatatype" + }, + "media-type": { + "title": "Media Type", + "description": "A label that indicates the nature of a resource, as a data serialization or format.", + "$ref": "#/definitions/StringDatatype" + }, + "value": { "$ref": "#/definitions/Base64Datatype" } + }, + "required": ["value"], + "additionalProperties": false + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid"], + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "oscal-ar-oscal-metadata:property": { + "title": "Property", + "description": "An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.", + "$id": "#assembly_oscal-metadata_property", + "type": "object", + "properties": { + "name": { + "title": "Property Name", + "description": "A textual label, within a namespace, that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.", + "$ref": "#/definitions/TokenDatatype" + }, + "uuid": { + "title": "Property Universally Unique Identifier", + "description": "A unique identifier for a property.", + "$ref": "#/definitions/UUIDDatatype" + }, + "ns": { + "title": "Property Namespace", + "description": "A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.", + "$ref": "#/definitions/URIDatatype" + }, + "value": { + "title": "Property Value", + "description": "Indicates the value of the attribute, characteristic, or quality.", + "$ref": "#/definitions/StringDatatype" + }, + "class": { + "title": "Property Class", + "description": "A textual label that provides a sub-type or characterization of the property's name.", + "$ref": "#/definitions/TokenDatatype" + }, + "group": { + "title": "Property Group", + "description": "An identifier for relating distinct sets of properties.", + "$ref": "#/definitions/TokenDatatype" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["name", "value"], + "additionalProperties": false + }, + "oscal-ar-oscal-metadata:link": { + "title": "Link", + "description": "A reference to a local or remote resource, that has a specific relation to the containing object.", + "$id": "#assembly_oscal-metadata_link", + "type": "object", + "properties": { + "href": { + "title": "Hypertext Reference", + "description": "A resolvable URL reference to a resource.", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "rel": { + "title": "Link Relation Type", + "description": "Describes the type of relationship provided by the link's hypertext reference. This can be an indicator of the link's purpose.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["reference"] } + ] + }, + "media-type": { + "title": "Media Type", + "description": "A label that indicates the nature of a resource, as a data serialization or format.", + "$ref": "#/definitions/StringDatatype" + }, + "resource-fragment": { + "title": "Resource Fragment", + "description": "In case where the href points to a back-matter/resource, this value will indicate the URI fragment to append to any rlink associated with the resource. This value MUST be URI encoded.", + "$ref": "#/definitions/StringDatatype" + }, + "text": { + "title": "Link Text", + "description": "A textual label to associate with the link, which may be used for presentation in a tool.", + "type": "string" + } + }, + "required": ["href"], + "additionalProperties": false + }, + "oscal-ar-oscal-metadata:responsible-party": { + "title": "Responsible Party", + "description": "A reference to a set of persons and/or organizations that have responsibility for performing the referenced role in the context of the containing object.", + "$id": "#assembly_oscal-metadata_responsible-party", + "type": "object", + "properties": { + "role-id": { + "title": "Responsible Role", + "description": "A reference to a role performed by a party.", + "$ref": "#/definitions/TokenDatatype" + }, + "party-uuids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_party-uuid" } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["role-id", "party-uuids"], + "additionalProperties": false + }, + "oscal-ar-oscal-metadata:action": { + "title": "Action", + "description": "An action applied by a role within a given party to the content.", + "$id": "#assembly_oscal-metadata_action", + "type": "object", + "properties": { + "uuid": { + "title": "Action Universally Unique Identifier", + "description": "A unique identifier that can be used to reference this defined action elsewhere in an OSCAL document. A UUID should be consistently used for a given location across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "date": { + "title": "Action Occurrence Date", + "description": "The date and time when the action occurred.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "type": { + "title": "Action Type", + "description": "The type of action documented by the assembly, such as an approval.", + "$ref": "#/definitions/TokenDatatype" + }, + "system": { + "title": "Action Type System", + "description": "Specifies the action type system used.", + "$ref": "#/definitions/URIDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-party" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "type", "system"], + "additionalProperties": false + }, + "oscal-ar-oscal-metadata:responsible-role": { + "title": "Responsible Role", + "description": "A reference to a role with responsibility for performing a function relative to the containing object, optionally associated with a set of persons and/or organizations that perform that role.", + "$id": "#assembly_oscal-metadata_responsible-role", + "type": "object", + "properties": { + "role-id": { + "title": "Responsible Role ID", + "description": "A human-oriented identifier reference to a role performed.", + "$ref": "#/definitions/TokenDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "party-uuids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_party-uuid" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["role-id"], + "additionalProperties": false + }, + "oscal-ar-oscal-metadata:hash": { + "title": "Hash", + "description": "A representation of a cryptographic digest generated over a resource using a specified hash algorithm.", + "$id": "#field_oscal-metadata_hash", + "type": "object", + "properties": { + "algorithm": { + "title": "Hash algorithm", + "description": "The digest method by which a hash is derived.", + "anyOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { + "enum": [ + "SHA-224", + "SHA-256", + "SHA-384", + "SHA-512", + "SHA3-224", + "SHA3-256", + "SHA3-384", + "SHA3-512" + ] + } + ] + }, + "value": { "$ref": "#/definitions/StringDatatype" } + }, + "required": ["value", "algorithm"], + "additionalProperties": false + }, + "oscal-ar-oscal-metadata:remarks": { + "title": "Remarks", + "description": "Additional commentary about the containing object.", + "$id": "#field_oscal-metadata_remarks", + "type": "string" + }, + "oscal-ar-oscal-metadata:published": { + "title": "Publication Timestamp", + "description": "The date and time the document was last made available.", + "$id": "#field_oscal-metadata_published", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "oscal-ar-oscal-metadata:last-modified": { + "title": "Last Modified Timestamp", + "description": "The date and time the document was last stored for later retrieval.", + "$id": "#field_oscal-metadata_last-modified", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "oscal-ar-oscal-metadata:version": { + "title": "Document Version", + "description": "Used to distinguish a specific revision of an OSCAL document from other previous and future versions.", + "$id": "#field_oscal-metadata_version", + "$ref": "#/definitions/StringDatatype" + }, + "oscal-ar-oscal-metadata:oscal-version": { + "title": "OSCAL Version", + "description": "The OSCAL model version the document was authored against and will conform to as valid.", + "$id": "#field_oscal-metadata_oscal-version", + "$ref": "#/definitions/StringDatatype" + }, + "oscal-ar-oscal-metadata:email-address": { + "title": "Email Address", + "description": "An email address as defined by RFC 5322 Section 3.4.1.", + "$id": "#field_oscal-metadata_email-address", + "$ref": "#/definitions/EmailAddressDatatype" + }, + "oscal-ar-oscal-metadata:telephone-number": { + "title": "Telephone Number", + "description": "A telephone service number as defined by ITU-T E.164.", + "$id": "#field_oscal-metadata_telephone-number", + "type": "object", + "properties": { + "type": { + "title": "type flag", + "description": "Indicates the type of phone number.", + "anyOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { "enum": ["home", "office", "mobile"] } + ] + }, + "number": { "$ref": "#/definitions/StringDatatype" } + }, + "required": ["number"], + "additionalProperties": false + }, + "oscal-ar-oscal-metadata:address": { + "title": "Address", + "description": "A postal address for the location.", + "$id": "#assembly_oscal-metadata_address", + "type": "object", + "properties": { + "type": { + "title": "Address Type", + "description": "Indicates the type of address.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["home", "work"] } + ] + }, + "addr-lines": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_addr-line" } + }, + "city": { + "title": "City", + "description": "City, town or geographical region for the mailing address.", + "$ref": "#/definitions/StringDatatype" + }, + "state": { + "title": "State", + "description": "State, province or analogous geographical region for a mailing address.", + "$ref": "#/definitions/StringDatatype" + }, + "postal-code": { + "title": "Postal Code", + "description": "Postal or ZIP code for mailing address.", + "$ref": "#/definitions/StringDatatype" + }, + "country": { + "title": "Country Code", + "description": "The ISO 3166-1 alpha-2 country code for the mailing address.", + "$ref": "#/definitions/StringDatatype" + } + }, + "additionalProperties": false + }, + "oscal-ar-oscal-metadata:addr-line": { + "title": "Address line", + "description": "A single line of an address.", + "$id": "#field_oscal-metadata_addr-line", + "$ref": "#/definitions/StringDatatype" + }, + "oscal-ar-oscal-metadata:document-id": { + "title": "Document Identifier", + "description": "A document identifier qualified by an identifier scheme.", + "$id": "#field_oscal-metadata_document-id", + "type": "object", + "properties": { + "scheme": { + "title": "Document Identification Scheme", + "description": "Qualifies the kind of document identifier using a URI. If the scheme is not provided the value of the element will be interpreted as a string of characters.", + "anyOf": [ + { "$ref": "#/definitions/URIDatatype" }, + + { "enum": ["http://www.doi.org/"] } + ] + }, + "identifier": { "$ref": "#/definitions/StringDatatype" } + }, + "required": ["identifier"], + "additionalProperties": false + }, + "oscal-ar-oscal-assessment-common:import-ssp": { + "title": "Import System Security Plan", + "description": "Used by the assessment plan and POA&M to import information about the system.", + "$id": "#assembly_oscal-assessment-common_import-ssp", + "type": "object", + "properties": { + "href": { + "title": "System Security Plan Reference", + "description": "A resolvable URL reference to the system security plan for the system being assessed.", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["href"], + "additionalProperties": false + }, + "oscal-ar-oscal-assessment-common:local-objective": { + "title": "Assessment-Specific Control Objective", + "description": "A local definition of a control objective for this assessment. Uses catalog syntax for control objective and assessment actions.", + "$id": "#assembly_oscal-assessment-common_local-objective", + "type": "object", + "properties": { + "control-id": { + "title": "Control Identifier Reference", + "description": "A reference to a control with a corresponding id value. When referencing an externally defined control, the Control Identifier Reference must be used in the context of the external / imported OSCAL instance (e.g., uri-reference).", + "$ref": "#/definitions/TokenDatatype" + }, + "description": { + "title": "Objective Description", + "description": "A human-readable description of this control objective.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "parts": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-control-common_part" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["control-id", "parts"], + "additionalProperties": false + }, + "oscal-ar-oscal-assessment-common:assessment-method": { + "title": "Assessment Method", + "description": "A local definition of a control objective. Uses catalog syntax for control objective and assessment activities.", + "$id": "#assembly_oscal-assessment-common_assessment-method", + "type": "object", + "properties": { + "uuid": { + "title": "Assessment Method Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment method elsewhere in this or other OSCAL instances. The locally defined UUID of the assessment method can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "description": { + "title": "Assessment Method Description", + "description": "A human-readable description of this assessment method.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "part": { "$ref": "#assembly_oscal-assessment-common_assessment-part" }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "part"], + "additionalProperties": false + }, + "oscal-ar-oscal-assessment-common:activity": { + "title": "Activity", + "description": "Identifies an assessment or related process that can be performed. In the assessment plan, this is an intended activity which may be associated with an assessment task. In the assessment results, this an activity that was actually performed as part of an assessment.", + "$id": "#assembly_oscal-assessment-common_activity", + "type": "object", + "properties": { + "uuid": { + "title": "Assessment Activity Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment activity elsewhere in this or other OSCAL instances. The locally defined UUID of the activity can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Included Activity Title", + "description": "The title for this included activity.", + "type": "string" + }, + "description": { + "title": "Included Activity Description", + "description": "A human-readable description of this included activity.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "steps": { + "type": "array", + "minItems": 1, + "items": { + "title": "Step", + "description": "Identifies an individual step in a series of steps related to an activity, such as an assessment test or examination procedure.", + "type": "object", + "properties": { + "uuid": { + "title": "Step Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this step elsewhere in this or other OSCAL instances. The locally defined UUID of the step (in a series of steps) can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Step Title", + "description": "The title for this step.", + "type": "string" + }, + "description": { + "title": "Step Description", + "description": "A human-readable description of this step.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "reviewed-controls": { + "$ref": "#assembly_oscal-assessment-common_reviewed-controls" + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "description"], + "additionalProperties": false + } + }, + "related-controls": { + "$ref": "#assembly_oscal-assessment-common_reviewed-controls" + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "description"], + "additionalProperties": false + }, + "oscal-ar-oscal-assessment-common:task": { + "title": "Task", + "description": "Represents a scheduled event or milestone, which may be associated with a series of assessment actions.", + "$id": "#assembly_oscal-assessment-common_task", + "type": "object", + "properties": { + "uuid": { + "title": "Task Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this task elsewhere in this or other OSCAL instances. The locally defined UUID of the task can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "type": { + "title": "Task Type", + "description": "The type of task.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["milestone", "action"] } + ] + }, + "title": { + "title": "Task Title", + "description": "The title for this task.", + "type": "string" + }, + "description": { + "title": "Task Description", + "description": "A human-readable description of this task.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "timing": { + "title": "Event Timing", + "description": "The timing under which the task is intended to occur.", + "type": "object", + "properties": { + "on-date": { + "title": "On Date Condition", + "description": "The task is intended to occur on the specified date.", + "type": "object", + "properties": { + "date": { + "title": "On Date Condition", + "description": "The task must occur on the specified date.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + } + }, + "required": ["date"], + "additionalProperties": false + }, + "within-date-range": { + "title": "On Date Range Condition", + "description": "The task is intended to occur within the specified date range.", + "type": "object", + "properties": { + "start": { + "title": "Start Date Condition", + "description": "The task must occur on or after the specified date.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "end": { + "title": "End Date Condition", + "description": "The task must occur on or before the specified date.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + } + }, + "required": ["start", "end"], + "additionalProperties": false + }, + "at-frequency": { + "title": "Frequency Condition", + "description": "The task is intended to occur at the specified frequency.", + "type": "object", + "properties": { + "period": { + "title": "Period", + "description": "The task must occur after the specified period has elapsed.", + "$ref": "#/definitions/PositiveIntegerDatatype" + }, + "unit": { + "title": "Time Unit", + "description": "The unit of time for the period.", + "allOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { + "enum": [ + "seconds", + "minutes", + "hours", + "days", + "months", + "years" + ] + } + ] + } + }, + "required": ["period", "unit"], + "additionalProperties": false + } + }, + "additionalProperties": false + }, + "dependencies": { + "type": "array", + "minItems": 1, + "items": { + "title": "Task Dependency", + "description": "Used to indicate that a task is dependent on another task.", + "type": "object", + "properties": { + "task-uuid": { + "title": "Task Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to a unique task.", + "$ref": "#/definitions/UUIDDatatype" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["task-uuid"], + "additionalProperties": false + } + }, + "tasks": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_task" } + }, + "associated-activities": { + "type": "array", + "minItems": 1, + "items": { + "title": "Associated Activity", + "description": "Identifies an individual activity to be performed as part of a task.", + "type": "object", + "properties": { + "activity-uuid": { + "title": "Activity Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to an activity defined in the list of activities.", + "$ref": "#/definitions/UUIDDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_assessment-subject" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["activity-uuid", "subjects"], + "additionalProperties": false + } + }, + "subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_assessment-subject" + } + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "type", "title"], + "additionalProperties": false + }, + "oscal-ar-oscal-assessment-common:reviewed-controls": { + "title": "Reviewed Controls and Control Objectives", + "description": "Identifies the controls being assessed and their control objectives.", + "$id": "#assembly_oscal-assessment-common_reviewed-controls", + "type": "object", + "properties": { + "description": { + "title": "Control Objective Description", + "description": "A human-readable description of control objectives.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "control-selections": { + "type": "array", + "minItems": 1, + "items": { + "title": "Assessed Controls", + "description": "Identifies the controls being assessed. In the assessment plan, these are the planned controls. In the assessment results, these are the actual controls, and reflects any changes from the plan.", + "type": "object", + "properties": { + "description": { + "title": "Assessed Controls Description", + "description": "A human-readable description of in-scope controls specified for assessment.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "include-all": { + "$ref": "#assembly_oscal-control-common_include-all" + }, + "include-controls": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_select-control-by-id" + } + }, + "exclude-controls": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_select-control-by-id" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "additionalProperties": false + } + }, + "control-objective-selections": { + "type": "array", + "minItems": 1, + "items": { + "title": "Referenced Control Objectives", + "description": "Identifies the control objectives of the assessment. In the assessment plan, these are the planned objectives. In the assessment results, these are the assessed objectives, and reflects any changes from the plan.", + "type": "object", + "properties": { + "description": { + "title": "Control Objectives Description", + "description": "A human-readable description of this collection of control objectives.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "include-all": { + "$ref": "#assembly_oscal-control-common_include-all" + }, + "include-objectives": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_select-objective-by-id" + } + }, + "exclude-objectives": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_select-objective-by-id" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "additionalProperties": false + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["control-selections"], + "additionalProperties": false + }, + "oscal-ar-oscal-assessment-common:select-control-by-id": { + "title": "Select Control", + "description": "Used to select a control for inclusion/exclusion based on one or more control identifiers. A set of statement identifiers can be used to target the inclusion/exclusion to only specific control statements providing more granularity over the specific statements that are within the asessment scope.", + "$id": "#assembly_oscal-assessment-common_select-control-by-id", + "type": "object", + "properties": { + "control-id": { + "title": "Control Identifier Reference", + "description": "A reference to a control with a corresponding id value. When referencing an externally defined control, the Control Identifier Reference must be used in the context of the external / imported OSCAL instance (e.g., uri-reference).", + "$ref": "#/definitions/TokenDatatype" + }, + "statement-ids": { + "type": "array", + "minItems": 1, + "items": { + "title": "Include Specific Statements", + "description": "Used to constrain the selection to only specificity identified statements.", + "$ref": "#/definitions/TokenDatatype" + } + } + }, + "required": ["control-id"], + "additionalProperties": false + }, + "oscal-ar-oscal-assessment-common:select-objective-by-id": { + "title": "Select Objective", + "description": "Used to select a control objective for inclusion/exclusion based on the control objective's identifier.", + "$id": "#assembly_oscal-assessment-common_select-objective-by-id", + "type": "object", + "properties": { + "objective-id": { + "title": "Objective ID", + "description": "Points to an assessment objective.", + "$ref": "#/definitions/TokenDatatype" + } + }, + "required": ["objective-id"], + "additionalProperties": false + }, + "oscal-ar-oscal-assessment-common:assessment-subject-placeholder": { + "title": "Assessment Subject Placeholder", + "description": "Used when the assessment subjects will be determined as part of one or more other assessment activities. These assessment subjects will be recorded in the assessment results in the assessment log.", + "$id": "#assembly_oscal-assessment-common_assessment-subject-placeholder", + "type": "object", + "properties": { + "uuid": { + "title": "Assessment Subject Placeholder Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier for a set of assessment subjects that will be identified by a task or an activity that is part of a task. The locally defined UUID of the assessment subject placeholder can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "description": { + "title": "Assessment Subject Placeholder Description", + "description": "A human-readable description of intent of this assessment subject placeholder.", + "type": "string" + }, + "sources": { + "type": "array", + "minItems": 1, + "items": { + "title": "Assessment Subject Source", + "description": "Assessment subjects will be identified while conducting the referenced activity-instance.", + "type": "object", + "properties": { + "task-uuid": { + "title": "Task Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference (in this or other OSCAL instances) an assessment activity to be performed as part of the event. The locally defined UUID of the task can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + } + }, + "required": ["task-uuid"], + "additionalProperties": false + } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "sources"], + "additionalProperties": false + }, + "oscal-ar-oscal-assessment-common:assessment-subject": { + "title": "Subject of Assessment", + "description": "Identifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies a planned assessment subject. In the assessment results this is an actual assessment subject, and reflects any changes from the plan. exactly what will be the focus of this assessment. Any subjects not identified in this way are out-of-scope.", + "$id": "#assembly_oscal-assessment-common_assessment-subject", + "type": "object", + "properties": { + "type": { + "title": "Subject Type", + "description": "Indicates the type of assessment subject, such as a component, inventory, item, location, or party represented by this selection statement.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { + "enum": [ + "component", + "inventory-item", + "location", + "party", + "user" + ] + } + ] + }, + "description": { + "title": "Include Subjects Description", + "description": "A human-readable description of the collection of subjects being included in this assessment.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "include-all": { "$ref": "#assembly_oscal-control-common_include-all" }, + "include-subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_select-subject-by-id" + } + }, + "exclude-subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_select-subject-by-id" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["type"], + "additionalProperties": false + }, + "oscal-ar-oscal-assessment-common:select-subject-by-id": { + "title": "Select Assessment Subject", + "description": "Identifies a set of assessment subjects to include/exclude by UUID.", + "$id": "#assembly_oscal-assessment-common_select-subject-by-id", + "type": "object", + "properties": { + "subject-uuid": { + "title": "Subject Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to a component, inventory-item, location, party, user, or resource using it's UUID.", + "$ref": "#/definitions/UUIDDatatype" + }, + "type": { + "title": "Subject Universally Unique Identifier Reference Type", + "description": "Used to indicate the type of object pointed to by the uuid-ref within a subject.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { + "enum": [ + "component", + "inventory-item", + "location", + "party", + "user", + "resource" + ] + } + ] + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["subject-uuid", "type"], + "additionalProperties": false + }, + "oscal-ar-oscal-assessment-common:subject-reference": { + "title": "Identifies the Subject", + "description": "A human-oriented identifier reference to a resource. Use type to indicate whether the identified resource is a component, inventory item, location, user, or something else.", + "$id": "#assembly_oscal-assessment-common_subject-reference", + "type": "object", + "properties": { + "subject-uuid": { + "title": "Subject Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to a component, inventory-item, location, party, user, or resource using it's UUID.", + "$ref": "#/definitions/UUIDDatatype" + }, + "type": { + "title": "Subject Universally Unique Identifier Reference Type", + "description": "Used to indicate the type of object pointed to by the uuid-ref within a subject.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { + "enum": [ + "component", + "inventory-item", + "location", + "party", + "user", + "resource" + ] + } + ] + }, + "title": { + "title": "Subject Reference Title", + "description": "The title or name for the referenced subject.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["subject-uuid", "type"], + "additionalProperties": false + }, + "oscal-ar-oscal-assessment-common:assessment-assets": { + "title": "Assessment Assets", + "description": "Identifies the assets used to perform this assessment, such as the assessment team, scanning tools, and assumptions.", + "$id": "#assembly_oscal-assessment-common_assessment-assets", + "type": "object", + "properties": { + "components": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_system-component" + } + }, + "assessment-platforms": { + "type": "array", + "minItems": 1, + "items": { + "title": "Assessment Platform", + "description": "Used to represent the toolset used to perform aspects of the assessment.", + "type": "object", + "properties": { + "uuid": { + "title": "Assessment Platform Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment platform elsewhere in this or other OSCAL instances. The locally defined UUID of the assessment platform can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Assessment Platform Title", + "description": "The title or name for the assessment platform.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "uses-components": { + "type": "array", + "minItems": 1, + "items": { + "title": "Uses Component", + "description": "The set of components that are used by the assessment platform.", + "type": "object", + "properties": { + "component-uuid": { + "title": "Component Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to a component that is implemented as part of an inventory item.", + "$ref": "#/definitions/UUIDDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-metadata_responsible-party" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["component-uuid"], + "additionalProperties": false + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid"], + "additionalProperties": false + } + } + }, + "required": ["assessment-platforms"], + "additionalProperties": false + }, + "oscal-ar-oscal-assessment-common:finding-target": { + "title": "Objective Status", + "description": "Captures an assessor's conclusions regarding the degree to which an objective is satisfied.", + "$id": "#assembly_oscal-assessment-common_finding-target", + "type": "object", + "properties": { + "type": { + "title": "Finding Target Type", + "description": "Identifies the type of the target.", + "allOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { "enum": ["statement-id", "objective-id"] } + ] + }, + "target-id": { + "title": "Finding Target Identifier Reference", + "description": "A machine-oriented identifier reference for a specific target qualified by the type.", + "$ref": "#/definitions/TokenDatatype" + }, + "title": { + "title": "Objective Status Title", + "description": "The title for this objective status.", + "type": "string" + }, + "description": { + "title": "Objective Status Description", + "description": "A human-readable description of the assessor's conclusions regarding the degree to which an objective is satisfied.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "status": { + "title": "Objective Status", + "description": "A determination of if the objective is satisfied or not within a given system.", + "type": "object", + "properties": { + "state": { + "title": "Objective Status State", + "description": "An indication as to whether the objective is satisfied or not.", + "allOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["satisfied", "not-satisfied"] } + ] + }, + "reason": { + "title": "Objective Status Reason", + "description": "The reason the objective was given it's status.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["pass", "fail", "other"] } + ] + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["state"], + "additionalProperties": false + }, + "implementation-status": { + "$ref": "#assembly_oscal-implementation-common_implementation-status" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["type", "target-id", "status"], + "additionalProperties": false + }, + "oscal-ar-oscal-assessment-common:finding": { + "title": "Finding", + "description": "Describes an individual finding.", + "$id": "#assembly_oscal-assessment-common_finding", + "type": "object", + "properties": { + "uuid": { + "title": "Finding Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this finding in this or other OSCAL instances. The locally defined UUID of the finding can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Finding Title", + "description": "The title for this finding.", + "type": "string" + }, + "description": { + "title": "Finding Description", + "description": "A human-readable description of this finding.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "origins": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_origin" } + }, + "target": { + "$ref": "#assembly_oscal-assessment-common_finding-target" + }, + "implementation-statement-uuid": { + "title": "Implementation Statement UUID", + "description": "A machine-oriented identifier reference to the implementation statement in the SSP to which this finding is related.", + "$ref": "#/definitions/UUIDDatatype" + }, + "related-observations": { + "type": "array", + "minItems": 1, + "items": { + "title": "Related Observation", + "description": "Relates the finding to a set of referenced observations that were used to determine the finding.", + "type": "object", + "properties": { + "observation-uuid": { + "title": "Observation Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to an observation defined in the list of observations.", + "$ref": "#/definitions/UUIDDatatype" + } + }, + "required": ["observation-uuid"], + "additionalProperties": false + } + }, + "related-risks": { + "type": "array", + "minItems": 1, + "items": { + "title": "Associated Risk", + "description": "Relates the finding to a set of referenced risks that were used to determine the finding.", + "type": "object", + "properties": { + "risk-uuid": { + "title": "Risk Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to a risk defined in the list of risks.", + "$ref": "#/definitions/UUIDDatatype" + } + }, + "required": ["risk-uuid"], + "additionalProperties": false + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "title", "description", "target"], + "additionalProperties": false + }, + "oscal-ar-oscal-assessment-common:observation": { + "title": "Observation", + "description": "Describes an individual observation.", + "$id": "#assembly_oscal-assessment-common_observation", + "type": "object", + "properties": { + "uuid": { + "title": "Observation Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this observation elsewhere in this or other OSCAL instances. The locally defined UUID of the observation can be used to reference the data item locally or globally (e.g., in an imorted OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Observation Title", + "description": "The title for this observation.", + "type": "string" + }, + "description": { + "title": "Observation Description", + "description": "A human-readable description of this assessment observation.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "methods": { + "type": "array", + "minItems": 1, + "items": { + "title": "Observation Method", + "description": "Identifies how the observation was made.", + "anyOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { "enum": ["EXAMINE", "INTERVIEW", "TEST", "UNKNOWN"] } + ] + } + }, + "types": { + "type": "array", + "minItems": 1, + "items": { + "title": "Observation Type", + "description": "Identifies the nature of the observation. More than one may be used to further qualify and enable filtering.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { + "enum": [ + "ssp-statement-issue", + "control-objective", + "mitigation", + "finding", + "historic" + ] + } + ] + } + }, + "origins": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_origin" } + }, + "subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_subject-reference" + } + }, + "relevant-evidence": { + "type": "array", + "minItems": 1, + "items": { + "title": "Relevant Evidence", + "description": "Links this observation to relevant evidence.", + "type": "object", + "properties": { + "href": { + "title": "Relevant Evidence Reference", + "description": "A resolvable URL reference to relevant evidence.", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "description": { + "title": "Relevant Evidence Description", + "description": "A human-readable description of this evidence.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["description"], + "additionalProperties": false + } + }, + "collected": { + "title": "Collected Field", + "description": "Date/time stamp identifying when the finding information was collected.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "expires": { + "title": "Expires Field", + "description": "Date/time identifying when the finding information is out-of-date and no longer valid. Typically used with continuous assessment scenarios.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "description", "methods", "collected"], + "additionalProperties": false + }, + "oscal-ar-oscal-assessment-common:origin": { + "title": "Origin", + "description": "Identifies the source of the finding, such as a tool, interviewed person, or activity.", + "$id": "#assembly_oscal-assessment-common_origin", + "type": "object", + "properties": { + "actors": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_origin-actor" } + }, + "related-tasks": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_related-task" } + } + }, + "required": ["actors"], + "additionalProperties": false + }, + "oscal-ar-oscal-assessment-common:origin-actor": { + "title": "Originating Actor", + "description": "The actor that produces an observation, a finding, or a risk. One or more actor type can be used to specify a person that is using a tool.", + "$id": "#assembly_oscal-assessment-common_origin-actor", + "type": "object", + "properties": { + "type": { + "title": "Actor Type", + "description": "The kind of actor.", + "allOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["tool", "assessment-platform", "party"] } + ] + }, + "actor-uuid": { + "title": "Actor Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to the tool or person based on the associated type.", + "$ref": "#/definitions/UUIDDatatype" + }, + "role-id": { + "title": "Actor Role", + "description": "For a party, this can optionally be used to specify the role the actor was performing.", + "$ref": "#/definitions/TokenDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + } + }, + "required": ["type", "actor-uuid"], + "additionalProperties": false + }, + "oscal-ar-oscal-assessment-common:related-task": { + "title": "Task Reference", + "description": "Identifies an individual task for which the containing object is a consequence of.", + "$id": "#assembly_oscal-assessment-common_related-task", + "type": "object", + "properties": { + "task-uuid": { + "title": "Task Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to a unique task.", + "$ref": "#/definitions/UUIDDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-party" } + }, + "subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_assessment-subject" + } + }, + "identified-subject": { + "title": "Identified Subject", + "description": "Used to detail assessment subjects that were identfied by this task.", + "type": "object", + "properties": { + "subject-placeholder-uuid": { + "title": "Assessment Subject Placeholder Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to a unique assessment subject placeholder defined by this task.", + "$ref": "#/definitions/UUIDDatatype" + }, + "subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_assessment-subject" + } + } + }, + "required": ["subject-placeholder-uuid", "subjects"], + "additionalProperties": false + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["task-uuid"], + "additionalProperties": false + }, + "oscal-ar-oscal-assessment-common:threat-id": { + "title": "Threat ID", + "description": "A pointer, by ID, to an externally-defined threat.", + "$id": "#field_oscal-assessment-common_threat-id", + "type": "object", + "properties": { + "system": { + "title": "Threat Type Identification System", + "description": "Specifies the source of the threat information.", + "anyOf": [ + { "$ref": "#/definitions/URIDatatype" }, + + { "enum": ["http://fedramp.gov", "http://fedramp.gov/ns/oscal"] } + ] + }, + "href": { + "title": "Threat Information Resource Reference", + "description": "An optional location for the threat data, from which this ID originates.", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "id": { "$ref": "#/definitions/URIDatatype" } + }, + "required": ["id", "system"], + "additionalProperties": false + }, + "oscal-ar-oscal-assessment-common:risk": { + "title": "Identified Risk", + "description": "An identified risk.", + "$id": "#assembly_oscal-assessment-common_risk", + "type": "object", + "properties": { + "uuid": { + "title": "Risk Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this risk elsewhere in this or other OSCAL instances. The locally defined UUID of the risk can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Risk Title", + "description": "The title for this risk.", + "type": "string" + }, + "description": { + "title": "Risk Description", + "description": "A human-readable summary of the identified risk, to include a statement of how the risk impacts the system.", + "type": "string" + }, + "statement": { + "title": "Risk Statement", + "description": "An summary of impact for how the risk affects the system.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "status": { "$ref": "#field_oscal-assessment-common_risk-status" }, + "origins": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_origin" } + }, + "threat-ids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-assessment-common_threat-id" } + }, + "characterizations": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_characterization" + } + }, + "mitigating-factors": { + "type": "array", + "minItems": 1, + "items": { + "title": "Mitigating Factor", + "description": "Describes an existing mitigating factor that may affect the overall determination of the risk, with an optional link to an implementation statement in the SSP.", + "type": "object", + "properties": { + "uuid": { + "title": "Mitigating Factor Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this mitigating factor elsewhere in this or other OSCAL instances. The locally defined UUID of the mitigating factor can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "implementation-uuid": { + "title": "Implementation UUID", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this implementation statement elsewhere in this or other OSCAL instancess. The locally defined UUID of the implementation statement can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "description": { + "title": "Mitigating Factor Description", + "description": "A human-readable description of this mitigating factor.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_subject-reference" + } + } + }, + "required": ["uuid", "description"], + "additionalProperties": false + } + }, + "deadline": { + "title": "Risk Resolution Deadline", + "description": "The date/time by which the risk must be resolved.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "remediations": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_response" } + }, + "risk-log": { + "title": "Risk Log", + "description": "A log of all risk-related tasks taken.", + "type": "object", + "properties": { + "entries": { + "type": "array", + "minItems": 1, + "items": { + "title": "Risk Log Entry", + "description": "Identifies an individual risk response that occurred as part of managing an identified risk.", + "type": "object", + "properties": { + "uuid": { + "title": "Risk Log Entry Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this risk log entry elsewhere in this or other OSCAL instances. The locally defined UUID of the risk log entry can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Title", + "description": "The title for this risk log entry.", + "type": "string" + }, + "description": { + "title": "Risk Task Description", + "description": "A human-readable description of what was done regarding the risk.", + "type": "string" + }, + "start": { + "title": "Start", + "description": "Identifies the start date and time of the event.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "end": { + "title": "End", + "description": "Identifies the end date and time of the event. If the event is a point in time, the start and end will be the same date and time.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "logged-by": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_logged-by" + } + }, + "status-change": { + "$ref": "#field_oscal-assessment-common_risk-status" + }, + "related-responses": { + "type": "array", + "minItems": 1, + "items": { + "title": "Risk Response Reference", + "description": "Identifies an individual risk response that this log entry is for.", + "type": "object", + "properties": { + "response-uuid": { + "title": "Response Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to a unique risk response.", + "$ref": "#/definitions/UUIDDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-metadata_property" + } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "related-tasks": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_related-task" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["response-uuid"], + "additionalProperties": false + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "start"], + "additionalProperties": false + } + } + }, + "required": ["entries"], + "additionalProperties": false + }, + "related-observations": { + "type": "array", + "minItems": 1, + "items": { + "title": "Related Observation", + "description": "Relates the finding to a set of referenced observations that were used to determine the finding.", + "type": "object", + "properties": { + "observation-uuid": { + "title": "Observation Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to an observation defined in the list of observations.", + "$ref": "#/definitions/UUIDDatatype" + } + }, + "required": ["observation-uuid"], + "additionalProperties": false + } + } + }, + "required": ["uuid", "title", "description", "statement", "status"], + "additionalProperties": false + }, + "oscal-ar-oscal-assessment-common:logged-by": { + "title": "Logged By", + "description": "Used to indicate who created a log entry in what role.", + "$id": "#assembly_oscal-assessment-common_logged-by", + "type": "object", + "properties": { + "party-uuid": { + "title": "Party UUID Reference", + "description": "A machine-oriented identifier reference to the party who is making the log entry.", + "$ref": "#/definitions/UUIDDatatype" + }, + "role-id": { + "title": "Actor Role", + "description": "A point to the role-id of the role in which the party is making the log entry.", + "$ref": "#/definitions/TokenDatatype" + } + }, + "required": ["party-uuid"], + "additionalProperties": false + }, + "oscal-ar-oscal-assessment-common:risk-status": { + "title": "Risk Status", + "description": "Describes the status of the associated risk.", + "$id": "#field_oscal-assessment-common_risk-status", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { + "enum": [ + "open", + "investigating", + "remediating", + "deviation-requested", + "deviation-approved", + "closed" + ] + } + ] + }, + "oscal-ar-oscal-assessment-common:characterization": { + "title": "Characterization", + "description": "A collection of descriptive data about the containing object from a specific origin.", + "$id": "#assembly_oscal-assessment-common_characterization", + "type": "object", + "properties": { + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "origin": { "$ref": "#assembly_oscal-assessment-common_origin" }, + "facets": { + "type": "array", + "minItems": 1, + "items": { + "title": "Facet", + "description": "An individual characteristic that is part of a larger set produced by the same actor.", + "type": "object", + "properties": { + "name": { + "title": "Facet Name", + "description": "The name of the risk metric within the specified system.", + "$ref": "#/definitions/TokenDatatype" + }, + "system": { + "title": "Naming System", + "description": "Specifies the naming system under which this risk metric is organized, which allows for the same names to be used in different systems controlled by different parties. This avoids the potential of a name clash.", + "anyOf": [ + { "$ref": "#/definitions/URIDatatype" }, + + { + "enum": [ + "http://fedramp.gov", + "http://fedramp.gov/ns/oscal", + "http://csrc.nist.gov/ns/oscal", + "http://csrc.nist.gov/ns/oscal/unknown", + "http://cve.mitre.org", + "http://www.first.org/cvss/v2.0", + "http://www.first.org/cvss/v3.0", + "http://www.first.org/cvss/v3.1" + ] + } + ] + }, + "value": { + "title": "Facet Value", + "description": "Indicates the value of the facet.", + "$ref": "#/definitions/StringDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["name", "system", "value"], + "additionalProperties": false + } + } + }, + "required": ["origin", "facets"], + "additionalProperties": false + }, + "oscal-ar-oscal-assessment-common:response": { + "title": "Risk Response", + "description": "Describes either recommended or an actual plan for addressing the risk.", + "$id": "#assembly_oscal-assessment-common_response", + "type": "object", + "properties": { + "uuid": { + "title": "Remediation Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this remediation elsewhere in this or other OSCAL instances. The locally defined UUID of the risk response can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "lifecycle": { + "title": "Remediation Intent", + "description": "Identifies whether this is a recommendation, such as from an assessor or tool, or an actual plan accepted by the system owner.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["recommendation", "planned", "completed"] } + ] + }, + "title": { + "title": "Response Title", + "description": "The title for this response activity.", + "type": "string" + }, + "description": { + "title": "Response Description", + "description": "A human-readable description of this response plan.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "origins": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_origin" } + }, + "required-assets": { + "type": "array", + "minItems": 1, + "items": { + "title": "Required Asset", + "description": "Identifies an asset required to achieve remediation.", + "type": "object", + "properties": { + "uuid": { + "title": "Required Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this required asset elsewhere in this or other OSCAL instances. The locally defined UUID of the asset can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_subject-reference" + } + }, + "title": { + "title": "Title for Required Asset", + "description": "The title for this required asset.", + "type": "string" + }, + "description": { + "title": "Description of Required Asset", + "description": "A human-readable description of this required asset.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "description"], + "additionalProperties": false + } + }, + "tasks": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_task" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "lifecycle", "title", "description"], + "additionalProperties": false + }, + "oscal-ar-oscal-assessment-common:assessment-part": { + "title": "Assessment Part", + "description": "A partition of an assessment plan or results or a child of another part.", + "$id": "#assembly_oscal-assessment-common_assessment-part", + "type": "object", + "properties": { + "uuid": { + "title": "Part Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this part elsewhere in this or other OSCAL instances. The locally defined UUID of the part can be used to reference the data item locally or globally (e.g., in an ported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "name": { + "title": "Part Name", + "description": "A textual label that uniquely identifies the part's semantic type.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["asset", "method", "objective"] } + ] + }, + "ns": { + "title": "Part Namespace", + "description": "A namespace qualifying the part's name. This allows different organizations to associate distinct semantics with the same name.", + "$ref": "#/definitions/URIDatatype" + }, + "class": { + "title": "Part Class", + "description": "A textual label that provides a sub-type or characterization of the part's name. This can be used to further distinguish or discriminate between the semantics of multiple parts of the same control with the same name and ns.", + "$ref": "#/definitions/TokenDatatype" + }, + "title": { + "title": "Part Title", + "description": "A name given to the part, which may be used by a tool for display and navigation.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "prose": { + "title": "Part Text", + "description": "Permits multiple paragraphs, lists, tables etc.", + "type": "string" + }, + "parts": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_assessment-part" + } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + } + }, + "required": ["name"], + "additionalProperties": false + }, + "oscal-ar-oscal-control-common:part": { + "title": "Part", + "description": "An annotated, markup-based textual element of a control's or catalog group's definition, or a child of another part.", + "$id": "#assembly_oscal-control-common_part", + "type": "object", + "properties": { + "id": { + "title": "Part Identifier", + "description": "A unique identifier for the part.", + "$ref": "#/definitions/TokenDatatype" + }, + "name": { + "title": "Part Name", + "description": "A textual label that uniquely identifies the part's semantic type, which exists in a value space qualified by the ns.", + "$ref": "#/definitions/TokenDatatype" + }, + "ns": { + "title": "Part Namespace", + "description": "An optional namespace qualifying the part's name. This allows different organizations to associate distinct semantics with the same name.", + "$ref": "#/definitions/URIDatatype" + }, + "class": { + "title": "Part Class", + "description": "An optional textual providing a sub-type or characterization of the part's name, or a category to which the part belongs.", + "$ref": "#/definitions/TokenDatatype" + }, + "title": { + "title": "Part Title", + "description": "An optional name given to the part, which may be used by a tool for display and navigation.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "prose": { + "title": "Part Text", + "description": "Permits multiple paragraphs, lists, tables etc.", + "type": "string" + }, + "parts": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-control-common_part" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + } + }, + "required": ["name"], + "additionalProperties": false + }, + "oscal-ar-oscal-control-common:parameter": { + "title": "Parameter", + "description": "Parameters provide a mechanism for the dynamic assignment of value(s) in a control.", + "$id": "#assembly_oscal-control-common_parameter", + "type": "object", + "properties": { + "id": { + "title": "Parameter Identifier", + "description": "A unique identifier for the parameter.", + "$ref": "#/definitions/TokenDatatype" + }, + "class": { + "title": "Parameter Class", + "description": "A textual label that provides a characterization of the type, purpose, use or scope of the parameter.", + "$ref": "#/definitions/TokenDatatype" + }, + "depends-on": { + "title": "Depends on", + "description": "(deprecated) Another parameter invoking this one. This construct has been deprecated and should not be used.", + "$ref": "#/definitions/TokenDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "label": { + "title": "Parameter Label", + "description": "A short, placeholder name for the parameter, which can be used as a substitute for a value if no value is assigned.", + "type": "string" + }, + "usage": { + "title": "Parameter Usage Description", + "description": "Describes the purpose and use of a parameter.", + "type": "string" + }, + "constraints": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-control-common_parameter-constraint" + } + }, + "guidelines": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-control-common_parameter-guideline" + } + }, + "values": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-control-common_parameter-value" } + }, + "select": { + "$ref": "#assembly_oscal-control-common_parameter-selection" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["id"], + "additionalProperties": false + }, + "oscal-ar-oscal-control-common:parameter-constraint": { + "title": "Constraint", + "description": "A formal or informal expression of a constraint or test.", + "$id": "#assembly_oscal-control-common_parameter-constraint", + "type": "object", + "properties": { + "description": { + "title": "Constraint Description", + "description": "A textual summary of the constraint to be applied.", + "type": "string" + }, + "tests": { + "type": "array", + "minItems": 1, + "items": { + "title": "Constraint Test", + "description": "A test expression which is expected to be evaluated by a tool.", + "type": "object", + "properties": { + "expression": { + "title": "Constraint test", + "description": "A formal (executable) expression of a constraint.", + "$ref": "#/definitions/StringDatatype" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["expression"], + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "oscal-ar-oscal-control-common:parameter-guideline": { + "title": "Guideline", + "description": "A prose statement that provides a recommendation for the use of a parameter.", + "$id": "#assembly_oscal-control-common_parameter-guideline", + "type": "object", + "properties": { + "prose": { + "title": "Guideline Text", + "description": "Prose permits multiple paragraphs, lists, tables etc.", + "type": "string" + } + }, + "required": ["prose"], + "additionalProperties": false + }, + "oscal-ar-oscal-control-common:parameter-value": { + "title": "Parameter Value", + "description": "A parameter value or set of values.", + "$id": "#field_oscal-control-common_parameter-value", + "$ref": "#/definitions/StringDatatype" + }, + "oscal-ar-oscal-control-common:parameter-selection": { + "title": "Selection", + "description": "Presenting a choice among alternatives.", + "$id": "#assembly_oscal-control-common_parameter-selection", + "type": "object", + "properties": { + "how-many": { + "title": "Parameter Cardinality", + "description": "Describes the number of selections that must occur. Without this setting, only one value should be assumed to be permitted.", + "allOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["one", "one-or-more"] } + ] + }, + "choice": { + "type": "array", + "minItems": 1, + "items": { + "title": "Choice", + "description": "A value selection among several such options.", + "type": "string" + } + } + }, + "additionalProperties": false + }, + "oscal-ar-oscal-control-common:include-all": { + "title": "Include All", + "description": "Include all controls from the imported catalog or profile resources.", + "$id": "#assembly_oscal-control-common_include-all", + "type": "object", + "additionalProperties": false + }, + "oscal-ar-oscal-implementation-common:system-component": { + "title": "Component", + "description": "A defined component that can be part of an implemented system.", + "$id": "#assembly_oscal-implementation-common_system-component", + "type": "object", + "properties": { + "uuid": { + "title": "Component Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this component elsewhere in this or other OSCAL instances. The locally defined UUID of the component can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "type": { + "title": "Component Type", + "description": "A category describing the purpose of the component.", + "anyOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { + "enum": [ + "this-system", + "system", + "interconnection", + "software", + "hardware", + "service", + "policy", + "physical", + "process-procedure", + "plan", + "guidance", + "standard", + "validation", + "network" + ] + } + ] + }, + "title": { + "title": "Component Title", + "description": "A human readable name for the system component.", + "type": "string" + }, + "description": { + "title": "Component Description", + "description": "A description of the component, including information about its function.", + "type": "string" + }, + "purpose": { + "title": "Purpose", + "description": "A summary of the technological or business purpose of the component.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "status": { + "title": "Status", + "description": "Describes the operational status of the system component.", + "type": "object", + "properties": { + "state": { + "title": "State", + "description": "The operational status.", + "allOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { + "enum": [ + "under-development", + "operational", + "disposition", + "other" + ] + } + ] + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["state"], + "additionalProperties": false + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "protocols": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-implementation-common_protocol" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "type", "title", "description", "status"], + "additionalProperties": false + }, + "oscal-ar-oscal-implementation-common:protocol": { + "title": "Service Protocol Information", + "description": "Information about the protocol used to provide a service.", + "$id": "#assembly_oscal-implementation-common_protocol", + "type": "object", + "properties": { + "uuid": { + "title": "Service Protocol Information Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this service protocol information elsewhere in this or other OSCAL instances. The locally defined UUID of the service protocol can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "name": { + "title": "Protocol Name", + "description": "The common name of the protocol, which should be the appropriate \"service name\" from the IANA Service Name and Transport Protocol Port Number Registry.", + "$ref": "#/definitions/StringDatatype" + }, + "title": { + "title": "Protocol Title", + "description": "A human readable name for the protocol (e.g., Transport Layer Security).", + "type": "string" + }, + "port-ranges": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_port-range" + } + } + }, + "required": ["name"], + "additionalProperties": false + }, + "oscal-ar-oscal-implementation-common:port-range": { + "title": "Port Range", + "description": "Where applicable this is the IPv4 port range on which the service operates.", + "$id": "#assembly_oscal-implementation-common_port-range", + "type": "object", + "properties": { + "start": { + "title": "Start", + "description": "Indicates the starting port number in a port range", + "$ref": "#/definitions/NonNegativeIntegerDatatype" + }, + "end": { + "title": "End", + "description": "Indicates the ending port number in a port range", + "$ref": "#/definitions/NonNegativeIntegerDatatype" + }, + "transport": { + "title": "Transport", + "description": "Indicates the transport type.", + "allOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["TCP", "UDP"] } + ] + } + }, + "additionalProperties": false + }, + "oscal-ar-oscal-implementation-common:implementation-status": { + "title": "Implementation Status", + "description": "Indicates the degree to which the a given control is implemented.", + "$id": "#assembly_oscal-implementation-common_implementation-status", + "type": "object", + "properties": { + "state": { + "title": "Implementation State", + "description": "Identifies the implementation status of the control or control objective.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { + "enum": [ + "implemented", + "partial", + "planned", + "alternative", + "not-applicable" + ] + } + ] + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["state"], + "additionalProperties": false + }, + "oscal-ar-oscal-implementation-common:system-user": { + "title": "System User", + "description": "A type of user that interacts with the system based on an associated role.", + "$id": "#assembly_oscal-implementation-common_system-user", + "type": "object", + "properties": { + "uuid": { + "title": "User Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this user class elsewhere in this or other OSCAL instances. The locally defined UUID of the system user can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "User Title", + "description": "A name given to the user, which may be used by a tool for display and navigation.", + "type": "string" + }, + "short-name": { + "title": "User Short Name", + "description": "A short common name, abbreviation, or acronym for the user.", + "$ref": "#/definitions/StringDatatype" + }, + "description": { + "title": "User Description", + "description": "A summary of the user's purpose within the system.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "role-ids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_role-id" } + }, + "authorized-privileges": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_authorized-privilege" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid"], + "additionalProperties": false + }, + "oscal-ar-oscal-implementation-common:authorized-privilege": { + "title": "Privilege", + "description": "Identifies a specific system privilege held by the user, along with an associated description and/or rationale for the privilege.", + "$id": "#assembly_oscal-implementation-common_authorized-privilege", + "type": "object", + "properties": { + "title": { + "title": "Privilege Title", + "description": "A human readable name for the privilege.", + "type": "string" + }, + "description": { + "title": "Privilege Description", + "description": "A summary of the privilege's purpose within the system.", + "type": "string" + }, + "functions-performed": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#field_oscal-implementation-common_function-performed" + } + } + }, + "required": ["title", "functions-performed"], + "additionalProperties": false + }, + "oscal-ar-oscal-implementation-common:function-performed": { + "title": "Functions Performed", + "description": "Describes a function performed for a given authorized privilege by this user class.", + "$id": "#field_oscal-implementation-common_function-performed", + "$ref": "#/definitions/StringDatatype" + }, + "oscal-ar-oscal-implementation-common:inventory-item": { + "title": "Inventory Item", + "description": "A single managed inventory item within the system.", + "$id": "#assembly_oscal-implementation-common_inventory-item", + "type": "object", + "properties": { + "uuid": { + "title": "Inventory Item Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this inventory item elsewhere in this or other OSCAL instances. The locally defined UUID of the inventory item can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "description": { + "title": "Inventory Item Description", + "description": "A summary of the inventory item stating its purpose within the system.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-party" } + }, + "implemented-components": { + "type": "array", + "minItems": 1, + "items": { + "title": "Implemented Component", + "description": "The set of components that are implemented in a given system inventory item.", + "type": "object", + "properties": { + "component-uuid": { + "title": "Component Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to a component that is implemented as part of an inventory item.", + "$ref": "#/definitions/UUIDDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-metadata_responsible-party" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["component-uuid"], + "additionalProperties": false + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "description"], + "additionalProperties": false + }, + "oscal-ar-oscal-implementation-common:set-parameter": { + "title": "Set Parameter Value", + "description": "Identifies the parameter that will be set by the enclosed value.", + "$id": "#assembly_oscal-implementation-common_set-parameter", + "type": "object", + "properties": { + "param-id": { + "title": "Parameter ID", + "description": "A human-oriented reference to a parameter within a control, who's catalog has been imported into the current implementation context.", + "$ref": "#/definitions/TokenDatatype" + }, + "values": { + "type": "array", + "minItems": 1, + "items": { + "title": "Parameter Value", + "description": "A parameter value or set of values.", + "$ref": "#/definitions/StringDatatype" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["param-id", "values"], + "additionalProperties": false + }, + "oscal-ar-oscal-implementation-common:system-id": { + "title": "System Identification", + "description": "A human-oriented, globally unique identifier with cross-instance scope that can be used to reference this system identification property elsewhere in this or other OSCAL instances. When referencing an externally defined system identification, the system identification must be used in the context of the external / imported OSCAL instance (e.g., uri-reference). This string should be assigned per-subject, which means it should be consistently used to identify the same system across revisions of the document.", + "$id": "#field_oscal-implementation-common_system-id", + "type": "object", + "properties": { + "identifier-type": { + "title": "Identification System Type", + "description": "Identifies the identification system from which the provided identifier was assigned.", + "anyOf": [ + { "$ref": "#/definitions/URIDatatype" }, + + { + "enum": [ + "https://fedramp.gov", + "http://fedramp.gov/ns/oscal", + "https://ietf.org/rfc/rfc4122", + "http://ietf.org/rfc/rfc4122" + ] + } + ] + }, + "id": { "$ref": "#/definitions/StringDatatype" } + }, + "required": ["id"], + "additionalProperties": false + }, + "Base64Datatype": { + "description": "Binary data encoded using the Base 64 encoding algorithm as defined by RFC4648.", + "type": "string", + "pattern": "^[0-9A-Za-z+/]+={0,2}$", + "contentEncoding": "base64" + }, + "DateTimeWithTimezoneDatatype": { + "description": "A string representing a point in time with a required timezone.", + "type": "string", + "format": "date-time", + "pattern": "^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|(-((0[0-9]|1[0-2]):00|0[39]:30)|\\+((0[0-9]|1[0-4]):00|(0[34569]|10):30|(0[58]|12):45)))$" + }, + "EmailAddressDatatype": { + "description": "An email address string formatted according to RFC 6531.", + "allOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { "type": "string", "format": "email", "pattern": "^.+@.+$" } + ] + }, + "IntegerDatatype": { + "description": "A whole number value.", + "type": "integer" + }, + "NonNegativeIntegerDatatype": { + "description": "An integer value that is equal to or greater than 0.", + "allOf": [ + { "$ref": "#/definitions/IntegerDatatype" }, + + { "type": "number", "minimum": 0 } + ] + }, + "PositiveIntegerDatatype": { + "description": "An integer value that is greater than 0.", + "allOf": [ + { "$ref": "#/definitions/IntegerDatatype" }, + + { "type": "number", "minimum": 1 } + ] + }, + "StringDatatype": { + "description": "A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, U+10, U+32 or [ \n\t]+", + "type": "string", + "pattern": "^\\S(.*\\S)?$" + }, + "TokenDatatype": { + "description": "A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. https://www.w3.org/TR/xmlschema11-2/#NCName.", + "type": "string", + "pattern": "^(\\p{L}|_)(\\p{L}|\\p{N}|[.\\-_])*$" + }, + "URIDatatype": { + "description": "A universal resource identifier (URI) formatted according to RFC3986.", + "type": "string", + "format": "uri", + "pattern": "^[a-zA-Z][a-zA-Z0-9+\\-.]+:.+$" + }, + "URIReferenceDatatype": { + "description": "A URI Reference, either a URI or a relative-reference, formatted according to section 4.1 of RFC3986.", + "type": "string", + "format": "uri-reference" + }, + "UUIDDatatype": { + "description": "A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + } + }, + "properties": { + "$schema": { "$ref": "#json-schema-directive" }, + "assessment-results": { "$ref": "#assembly_oscal-ar_assessment-results" } + }, + "required": ["assessment-results"], + "additionalProperties": false +} diff --git a/roscal_lib/jsonschema/tracking_latest_models/oscal_catalog_schema.json b/roscal_lib/jsonschema/tracking_latest_models/oscal_catalog_schema.json new file mode 100644 index 0000000..b37bdd4 --- /dev/null +++ b/roscal_lib/jsonschema/tracking_latest_models/oscal_catalog_schema.json @@ -0,0 +1,1176 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "http://csrc.nist.gov/ns/oscal/1.1.2/oscal-catalog-schema.json", + "$comment": "OSCAL Control Catalog Model: JSON Schema", + "type": "object", + "definitions": { + "json-schema-directive": { + "title": "Schema Directive", + "description": "A JSON Schema directive to bind a specific schema to its document instance.", + "$id": "#json-schema-directive", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "oscal-catalog-oscal-catalog:catalog": { + "title": "Catalog", + "description": "A structured, organized collection of control information.", + "$id": "#assembly_oscal-catalog_catalog", + "type": "object", + "properties": { + "uuid": { + "title": "Catalog Universally Unique Identifier", + "description": "Provides a globally unique means to identify a given catalog instance.", + "$ref": "#/definitions/UUIDDatatype" + }, + "metadata": { "$ref": "#assembly_oscal-metadata_metadata" }, + "params": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-control-common_parameter" } + }, + "controls": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-catalog_control" } + }, + "groups": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-catalog_group" } + }, + "back-matter": { "$ref": "#assembly_oscal-metadata_back-matter" } + }, + "required": ["uuid", "metadata"], + "additionalProperties": false + }, + "oscal-catalog-oscal-catalog:group": { + "title": "Control Group", + "description": "A group of controls, or of groups of controls.", + "$id": "#assembly_oscal-catalog_group", + "type": "object", + "properties": { + "id": { + "title": "Group Identifier", + "description": "Identifies the group for the purpose of cross-linking within the defining instance or from other instances that reference the catalog.", + "$ref": "#/definitions/TokenDatatype" + }, + "class": { + "title": "Group Class", + "description": "A textual label that provides a sub-type or characterization of the group.", + "$ref": "#/definitions/TokenDatatype" + }, + "title": { + "title": "Group Title", + "description": "A name given to the group, which may be used by a tool for display and navigation.", + "type": "string" + }, + "params": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-control-common_parameter" } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "parts": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-control-common_part" } + }, + "groups": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-catalog_group" } + }, + "controls": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-catalog_control" } + } + }, + "required": ["title"], + "additionalProperties": false + }, + "oscal-catalog-oscal-catalog:control": { + "title": "Control", + "description": "A structured object representing a requirement or guideline, which when implemented will reduce an aspect of risk related to an information system and its information.", + "$id": "#assembly_oscal-catalog_control", + "type": "object", + "properties": { + "id": { + "title": "Control Identifier", + "description": "Identifies a control such that it can be referenced in the defining catalog and other OSCAL instances (e.g., profiles).", + "$ref": "#/definitions/TokenDatatype" + }, + "class": { + "title": "Control Class", + "description": "A textual label that provides a sub-type or characterization of the control.", + "$ref": "#/definitions/TokenDatatype" + }, + "title": { + "title": "Control Title", + "description": "A name given to the control, which may be used by a tool for display and navigation.", + "type": "string" + }, + "params": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-control-common_parameter" } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "parts": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-control-common_part" } + }, + "controls": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-catalog_control" } + } + }, + "required": ["id", "title"], + "additionalProperties": false + }, + "oscal-catalog-oscal-control-common:part": { + "title": "Part", + "description": "An annotated, markup-based textual element of a control's or catalog group's definition, or a child of another part.", + "$id": "#assembly_oscal-control-common_part", + "type": "object", + "properties": { + "id": { + "title": "Part Identifier", + "description": "A unique identifier for the part.", + "$ref": "#/definitions/TokenDatatype" + }, + "name": { + "title": "Part Name", + "description": "A textual label that uniquely identifies the part's semantic type, which exists in a value space qualified by the ns.", + "$ref": "#/definitions/TokenDatatype" + }, + "ns": { + "title": "Part Namespace", + "description": "An optional namespace qualifying the part's name. This allows different organizations to associate distinct semantics with the same name.", + "$ref": "#/definitions/URIDatatype" + }, + "class": { + "title": "Part Class", + "description": "An optional textual providing a sub-type or characterization of the part's name, or a category to which the part belongs.", + "$ref": "#/definitions/TokenDatatype" + }, + "title": { + "title": "Part Title", + "description": "An optional name given to the part, which may be used by a tool for display and navigation.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "prose": { + "title": "Part Text", + "description": "Permits multiple paragraphs, lists, tables etc.", + "type": "string" + }, + "parts": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-control-common_part" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + } + }, + "required": ["name"], + "additionalProperties": false + }, + "oscal-catalog-oscal-control-common:parameter": { + "title": "Parameter", + "description": "Parameters provide a mechanism for the dynamic assignment of value(s) in a control.", + "$id": "#assembly_oscal-control-common_parameter", + "type": "object", + "properties": { + "id": { + "title": "Parameter Identifier", + "description": "A unique identifier for the parameter.", + "$ref": "#/definitions/TokenDatatype" + }, + "class": { + "title": "Parameter Class", + "description": "A textual label that provides a characterization of the type, purpose, use or scope of the parameter.", + "$ref": "#/definitions/TokenDatatype" + }, + "depends-on": { + "title": "Depends on", + "description": "(deprecated) Another parameter invoking this one. This construct has been deprecated and should not be used.", + "$ref": "#/definitions/TokenDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "label": { + "title": "Parameter Label", + "description": "A short, placeholder name for the parameter, which can be used as a substitute for a value if no value is assigned.", + "type": "string" + }, + "usage": { + "title": "Parameter Usage Description", + "description": "Describes the purpose and use of a parameter.", + "type": "string" + }, + "constraints": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-control-common_parameter-constraint" + } + }, + "guidelines": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-control-common_parameter-guideline" + } + }, + "values": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-control-common_parameter-value" } + }, + "select": { + "$ref": "#assembly_oscal-control-common_parameter-selection" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["id"], + "additionalProperties": false + }, + "oscal-catalog-oscal-control-common:parameter-constraint": { + "title": "Constraint", + "description": "A formal or informal expression of a constraint or test.", + "$id": "#assembly_oscal-control-common_parameter-constraint", + "type": "object", + "properties": { + "description": { + "title": "Constraint Description", + "description": "A textual summary of the constraint to be applied.", + "type": "string" + }, + "tests": { + "type": "array", + "minItems": 1, + "items": { + "title": "Constraint Test", + "description": "A test expression which is expected to be evaluated by a tool.", + "type": "object", + "properties": { + "expression": { + "title": "Constraint test", + "description": "A formal (executable) expression of a constraint.", + "$ref": "#/definitions/StringDatatype" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["expression"], + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "oscal-catalog-oscal-control-common:parameter-guideline": { + "title": "Guideline", + "description": "A prose statement that provides a recommendation for the use of a parameter.", + "$id": "#assembly_oscal-control-common_parameter-guideline", + "type": "object", + "properties": { + "prose": { + "title": "Guideline Text", + "description": "Prose permits multiple paragraphs, lists, tables etc.", + "type": "string" + } + }, + "required": ["prose"], + "additionalProperties": false + }, + "oscal-catalog-oscal-control-common:parameter-value": { + "title": "Parameter Value", + "description": "A parameter value or set of values.", + "$id": "#field_oscal-control-common_parameter-value", + "$ref": "#/definitions/StringDatatype" + }, + "oscal-catalog-oscal-control-common:parameter-selection": { + "title": "Selection", + "description": "Presenting a choice among alternatives.", + "$id": "#assembly_oscal-control-common_parameter-selection", + "type": "object", + "properties": { + "how-many": { + "title": "Parameter Cardinality", + "description": "Describes the number of selections that must occur. Without this setting, only one value should be assumed to be permitted.", + "allOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["one", "one-or-more"] } + ] + }, + "choice": { + "type": "array", + "minItems": 1, + "items": { + "title": "Choice", + "description": "A value selection among several such options.", + "type": "string" + } + } + }, + "additionalProperties": false + }, + "oscal-catalog-oscal-control-common:include-all": { + "title": "Include All", + "description": "Include all controls from the imported catalog or profile resources.", + "$id": "#assembly_oscal-control-common_include-all", + "type": "object", + "additionalProperties": false + }, + "oscal-catalog-oscal-metadata:metadata": { + "title": "Document Metadata", + "description": "Provides information about the containing document, and defines concepts that are shared across the document.", + "$id": "#assembly_oscal-metadata_metadata", + "type": "object", + "properties": { + "title": { + "title": "Document Title", + "description": "A name given to the document, which may be used by a tool for display and navigation.", + "type": "string" + }, + "published": { "$ref": "#field_oscal-metadata_published" }, + "last-modified": { "$ref": "#field_oscal-metadata_last-modified" }, + "version": { "$ref": "#field_oscal-metadata_version" }, + "oscal-version": { "$ref": "#field_oscal-metadata_oscal-version" }, + "revisions": { + "type": "array", + "minItems": 1, + "items": { + "title": "Revision History Entry", + "description": "An entry in a sequential list of revisions to the containing document, expected to be in reverse chronological order (i.e. latest first).", + "type": "object", + "properties": { + "title": { + "title": "Document Title", + "description": "A name given to the document revision, which may be used by a tool for display and navigation.", + "type": "string" + }, + "published": { "$ref": "#field_oscal-metadata_published" }, + "last-modified": { + "$ref": "#field_oscal-metadata_last-modified" + }, + "version": { "$ref": "#field_oscal-metadata_version" }, + "oscal-version": { + "$ref": "#field_oscal-metadata_oscal-version" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["version"], + "additionalProperties": false + } + }, + "document-ids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_document-id" } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "roles": { + "type": "array", + "minItems": 1, + "items": { + "title": "Role", + "description": "Defines a function, which might be assigned to a party in a specific situation.", + "type": "object", + "properties": { + "id": { + "title": "Role Identifier", + "description": "A unique identifier for the role.", + "$ref": "#/definitions/TokenDatatype" + }, + "title": { + "title": "Role Title", + "description": "A name given to the role, which may be used by a tool for display and navigation.", + "type": "string" + }, + "short-name": { + "title": "Role Short Name", + "description": "A short common name, abbreviation, or acronym for the role.", + "$ref": "#/definitions/StringDatatype" + }, + "description": { + "title": "Role Description", + "description": "A summary of the role's purpose and associated responsibilities.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["id", "title"], + "additionalProperties": false + } + }, + "locations": { + "type": "array", + "minItems": 1, + "items": { + "title": "Location", + "description": "A physical point of presence, which may be associated with people, organizations, or other concepts within the current or linked OSCAL document.", + "type": "object", + "properties": { + "uuid": { + "title": "Location Universally Unique Identifier", + "description": "A unique ID for the location, for reference.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Location Title", + "description": "A name given to the location, which may be used by a tool for display and navigation.", + "type": "string" + }, + "address": { "$ref": "#assembly_oscal-metadata_address" }, + "email-addresses": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_email-address" } + }, + "telephone-numbers": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_telephone-number" } + }, + "urls": { + "type": "array", + "minItems": 1, + "items": { + "title": "Location URL", + "description": "The uniform resource locator (URL) for a web site or other resource associated with the location.", + "$ref": "#/definitions/URIDatatype" + } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid"], + "additionalProperties": false + } + }, + "parties": { + "type": "array", + "minItems": 1, + "items": { + "title": "Party", + "description": "An organization or person, which may be associated with roles or other concepts within the current or linked OSCAL document.", + "type": "object", + "properties": { + "uuid": { + "title": "Party Universally Unique Identifier", + "description": "A unique identifier for the party.", + "$ref": "#/definitions/UUIDDatatype" + }, + "type": { + "title": "Party Type", + "description": "A category describing the kind of party the object describes.", + "allOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { "enum": ["person", "organization"] } + ] + }, + "name": { + "title": "Party Name", + "description": "The full name of the party. This is typically the legal name associated with the party.", + "$ref": "#/definitions/StringDatatype" + }, + "short-name": { + "title": "Party Short Name", + "description": "A short common name, abbreviation, or acronym for the party.", + "$ref": "#/definitions/StringDatatype" + }, + "external-ids": { + "type": "array", + "minItems": 1, + "items": { + "title": "Party External Identifier", + "description": "An identifier for a person or organization using a designated scheme. e.g. an Open Researcher and Contributor ID (ORCID).", + "type": "object", + "properties": { + "scheme": { + "title": "External Identifier Schema", + "description": "Indicates the type of external identifier.", + "anyOf": [ + { "$ref": "#/definitions/URIDatatype" }, + + { "enum": ["http://orcid.org/"] } + ] + }, + "id": { "$ref": "#/definitions/StringDatatype" } + }, + "required": ["id", "scheme"], + "additionalProperties": false + } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "email-addresses": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_email-address" } + }, + "telephone-numbers": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_telephone-number" } + }, + "addresses": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_address" } + }, + "location-uuids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_location-uuid" } + }, + "member-of-organizations": { + "type": "array", + "minItems": 1, + "items": { + "title": "Organizational Affiliation", + "description": "A reference to another party by UUID, typically an organization, that this subject is associated with.", + "$ref": "#/definitions/UUIDDatatype" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "type"], + "additionalProperties": false + } + }, + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-party" } + }, + "actions": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_action" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["title", "last-modified", "version", "oscal-version"], + "additionalProperties": false + }, + "oscal-catalog-oscal-metadata:location-uuid": { + "title": "Location Universally Unique Identifier Reference", + "description": "Reference to a location by UUID.", + "$id": "#field_oscal-metadata_location-uuid", + "$ref": "#/definitions/UUIDDatatype" + }, + "oscal-catalog-oscal-metadata:party-uuid": { + "title": "Party Universally Unique Identifier Reference", + "description": "Reference to a party by UUID.", + "$id": "#field_oscal-metadata_party-uuid", + "$ref": "#/definitions/UUIDDatatype" + }, + "oscal-catalog-oscal-metadata:role-id": { + "title": "Role Identifier Reference", + "description": "Reference to a role by UUID.", + "$id": "#field_oscal-metadata_role-id", + "$ref": "#/definitions/TokenDatatype" + }, + "oscal-catalog-oscal-metadata:back-matter": { + "title": "Back matter", + "description": "A collection of resources that may be referenced from within the OSCAL document instance.", + "$id": "#assembly_oscal-metadata_back-matter", + "type": "object", + "properties": { + "resources": { + "type": "array", + "minItems": 1, + "items": { + "title": "Resource", + "description": "A resource associated with content in the containing document instance. A resource may be directly included in the document using base64 encoding or may point to one or more equivalent internet resources.", + "type": "object", + "properties": { + "uuid": { + "title": "Resource Universally Unique Identifier", + "description": "A unique identifier for a resource.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Resource Title", + "description": "An optional name given to the resource, which may be used by a tool for display and navigation.", + "type": "string" + }, + "description": { + "title": "Resource Description", + "description": "An optional short summary of the resource used to indicate the purpose of the resource.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "document-ids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_document-id" } + }, + "citation": { + "title": "Citation", + "description": "An optional citation consisting of end note text using structured markup.", + "type": "object", + "properties": { + "text": { + "title": "Citation Text", + "description": "A line of citation text.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + } + }, + "required": ["text"], + "additionalProperties": false + }, + "rlinks": { + "type": "array", + "minItems": 1, + "items": { + "title": "Resource link", + "description": "A URL-based pointer to an external resource with an optional hash for verification and change detection.", + "type": "object", + "properties": { + "href": { + "title": "Hypertext Reference", + "description": "A resolvable URL pointing to the referenced resource.", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "media-type": { + "title": "Media Type", + "description": "A label that indicates the nature of a resource, as a data serialization or format.", + "$ref": "#/definitions/StringDatatype" + }, + "hashes": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_hash" } + } + }, + "required": ["href"], + "additionalProperties": false + } + }, + "base64": { + "title": "Base64", + "description": "A resource encoded using the Base64 alphabet defined by RFC 2045.", + "type": "object", + "properties": { + "filename": { + "title": "File Name", + "description": "Name of the file before it was encoded as Base64 to be embedded in a resource. This is the name that will be assigned to the file when the file is decoded.", + "$ref": "#/definitions/TokenDatatype" + }, + "media-type": { + "title": "Media Type", + "description": "A label that indicates the nature of a resource, as a data serialization or format.", + "$ref": "#/definitions/StringDatatype" + }, + "value": { "$ref": "#/definitions/Base64Datatype" } + }, + "required": ["value"], + "additionalProperties": false + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid"], + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "oscal-catalog-oscal-metadata:property": { + "title": "Property", + "description": "An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.", + "$id": "#assembly_oscal-metadata_property", + "type": "object", + "properties": { + "name": { + "title": "Property Name", + "description": "A textual label, within a namespace, that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.", + "$ref": "#/definitions/TokenDatatype" + }, + "uuid": { + "title": "Property Universally Unique Identifier", + "description": "A unique identifier for a property.", + "$ref": "#/definitions/UUIDDatatype" + }, + "ns": { + "title": "Property Namespace", + "description": "A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.", + "$ref": "#/definitions/URIDatatype" + }, + "value": { + "title": "Property Value", + "description": "Indicates the value of the attribute, characteristic, or quality.", + "$ref": "#/definitions/StringDatatype" + }, + "class": { + "title": "Property Class", + "description": "A textual label that provides a sub-type or characterization of the property's name.", + "$ref": "#/definitions/TokenDatatype" + }, + "group": { + "title": "Property Group", + "description": "An identifier for relating distinct sets of properties.", + "$ref": "#/definitions/TokenDatatype" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["name", "value"], + "additionalProperties": false + }, + "oscal-catalog-oscal-metadata:link": { + "title": "Link", + "description": "A reference to a local or remote resource, that has a specific relation to the containing object.", + "$id": "#assembly_oscal-metadata_link", + "type": "object", + "properties": { + "href": { + "title": "Hypertext Reference", + "description": "A resolvable URL reference to a resource.", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "rel": { + "title": "Link Relation Type", + "description": "Describes the type of relationship provided by the link's hypertext reference. This can be an indicator of the link's purpose.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["reference"] } + ] + }, + "media-type": { + "title": "Media Type", + "description": "A label that indicates the nature of a resource, as a data serialization or format.", + "$ref": "#/definitions/StringDatatype" + }, + "resource-fragment": { + "title": "Resource Fragment", + "description": "In case where the href points to a back-matter/resource, this value will indicate the URI fragment to append to any rlink associated with the resource. This value MUST be URI encoded.", + "$ref": "#/definitions/StringDatatype" + }, + "text": { + "title": "Link Text", + "description": "A textual label to associate with the link, which may be used for presentation in a tool.", + "type": "string" + } + }, + "required": ["href"], + "additionalProperties": false + }, + "oscal-catalog-oscal-metadata:responsible-party": { + "title": "Responsible Party", + "description": "A reference to a set of persons and/or organizations that have responsibility for performing the referenced role in the context of the containing object.", + "$id": "#assembly_oscal-metadata_responsible-party", + "type": "object", + "properties": { + "role-id": { + "title": "Responsible Role", + "description": "A reference to a role performed by a party.", + "$ref": "#/definitions/TokenDatatype" + }, + "party-uuids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_party-uuid" } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["role-id", "party-uuids"], + "additionalProperties": false + }, + "oscal-catalog-oscal-metadata:action": { + "title": "Action", + "description": "An action applied by a role within a given party to the content.", + "$id": "#assembly_oscal-metadata_action", + "type": "object", + "properties": { + "uuid": { + "title": "Action Universally Unique Identifier", + "description": "A unique identifier that can be used to reference this defined action elsewhere in an OSCAL document. A UUID should be consistently used for a given location across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "date": { + "title": "Action Occurrence Date", + "description": "The date and time when the action occurred.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "type": { + "title": "Action Type", + "description": "The type of action documented by the assembly, such as an approval.", + "$ref": "#/definitions/TokenDatatype" + }, + "system": { + "title": "Action Type System", + "description": "Specifies the action type system used.", + "$ref": "#/definitions/URIDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-party" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "type", "system"], + "additionalProperties": false + }, + "oscal-catalog-oscal-metadata:responsible-role": { + "title": "Responsible Role", + "description": "A reference to a role with responsibility for performing a function relative to the containing object, optionally associated with a set of persons and/or organizations that perform that role.", + "$id": "#assembly_oscal-metadata_responsible-role", + "type": "object", + "properties": { + "role-id": { + "title": "Responsible Role ID", + "description": "A human-oriented identifier reference to a role performed.", + "$ref": "#/definitions/TokenDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "party-uuids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_party-uuid" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["role-id"], + "additionalProperties": false + }, + "oscal-catalog-oscal-metadata:hash": { + "title": "Hash", + "description": "A representation of a cryptographic digest generated over a resource using a specified hash algorithm.", + "$id": "#field_oscal-metadata_hash", + "type": "object", + "properties": { + "algorithm": { + "title": "Hash algorithm", + "description": "The digest method by which a hash is derived.", + "anyOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { + "enum": [ + "SHA-224", + "SHA-256", + "SHA-384", + "SHA-512", + "SHA3-224", + "SHA3-256", + "SHA3-384", + "SHA3-512" + ] + } + ] + }, + "value": { "$ref": "#/definitions/StringDatatype" } + }, + "required": ["value", "algorithm"], + "additionalProperties": false + }, + "oscal-catalog-oscal-metadata:remarks": { + "title": "Remarks", + "description": "Additional commentary about the containing object.", + "$id": "#field_oscal-metadata_remarks", + "type": "string" + }, + "oscal-catalog-oscal-metadata:published": { + "title": "Publication Timestamp", + "description": "The date and time the document was last made available.", + "$id": "#field_oscal-metadata_published", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "oscal-catalog-oscal-metadata:last-modified": { + "title": "Last Modified Timestamp", + "description": "The date and time the document was last stored for later retrieval.", + "$id": "#field_oscal-metadata_last-modified", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "oscal-catalog-oscal-metadata:version": { + "title": "Document Version", + "description": "Used to distinguish a specific revision of an OSCAL document from other previous and future versions.", + "$id": "#field_oscal-metadata_version", + "$ref": "#/definitions/StringDatatype" + }, + "oscal-catalog-oscal-metadata:oscal-version": { + "title": "OSCAL Version", + "description": "The OSCAL model version the document was authored against and will conform to as valid.", + "$id": "#field_oscal-metadata_oscal-version", + "$ref": "#/definitions/StringDatatype" + }, + "oscal-catalog-oscal-metadata:email-address": { + "title": "Email Address", + "description": "An email address as defined by RFC 5322 Section 3.4.1.", + "$id": "#field_oscal-metadata_email-address", + "$ref": "#/definitions/EmailAddressDatatype" + }, + "oscal-catalog-oscal-metadata:telephone-number": { + "title": "Telephone Number", + "description": "A telephone service number as defined by ITU-T E.164.", + "$id": "#field_oscal-metadata_telephone-number", + "type": "object", + "properties": { + "type": { + "title": "type flag", + "description": "Indicates the type of phone number.", + "anyOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { "enum": ["home", "office", "mobile"] } + ] + }, + "number": { "$ref": "#/definitions/StringDatatype" } + }, + "required": ["number"], + "additionalProperties": false + }, + "oscal-catalog-oscal-metadata:address": { + "title": "Address", + "description": "A postal address for the location.", + "$id": "#assembly_oscal-metadata_address", + "type": "object", + "properties": { + "type": { + "title": "Address Type", + "description": "Indicates the type of address.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["home", "work"] } + ] + }, + "addr-lines": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_addr-line" } + }, + "city": { + "title": "City", + "description": "City, town or geographical region for the mailing address.", + "$ref": "#/definitions/StringDatatype" + }, + "state": { + "title": "State", + "description": "State, province or analogous geographical region for a mailing address.", + "$ref": "#/definitions/StringDatatype" + }, + "postal-code": { + "title": "Postal Code", + "description": "Postal or ZIP code for mailing address.", + "$ref": "#/definitions/StringDatatype" + }, + "country": { + "title": "Country Code", + "description": "The ISO 3166-1 alpha-2 country code for the mailing address.", + "$ref": "#/definitions/StringDatatype" + } + }, + "additionalProperties": false + }, + "oscal-catalog-oscal-metadata:addr-line": { + "title": "Address line", + "description": "A single line of an address.", + "$id": "#field_oscal-metadata_addr-line", + "$ref": "#/definitions/StringDatatype" + }, + "oscal-catalog-oscal-metadata:document-id": { + "title": "Document Identifier", + "description": "A document identifier qualified by an identifier scheme.", + "$id": "#field_oscal-metadata_document-id", + "type": "object", + "properties": { + "scheme": { + "title": "Document Identification Scheme", + "description": "Qualifies the kind of document identifier using a URI. If the scheme is not provided the value of the element will be interpreted as a string of characters.", + "anyOf": [ + { "$ref": "#/definitions/URIDatatype" }, + + { "enum": ["http://www.doi.org/"] } + ] + }, + "identifier": { "$ref": "#/definitions/StringDatatype" } + }, + "required": ["identifier"], + "additionalProperties": false + }, + "Base64Datatype": { + "description": "Binary data encoded using the Base 64 encoding algorithm as defined by RFC4648.", + "type": "string", + "pattern": "^[0-9A-Za-z+/]+={0,2}$", + "contentEncoding": "base64" + }, + "DateTimeWithTimezoneDatatype": { + "description": "A string representing a point in time with a required timezone.", + "type": "string", + "format": "date-time", + "pattern": "^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|(-((0[0-9]|1[0-2]):00|0[39]:30)|\\+((0[0-9]|1[0-4]):00|(0[34569]|10):30|(0[58]|12):45)))$" + }, + "EmailAddressDatatype": { + "description": "An email address string formatted according to RFC 6531.", + "allOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { "type": "string", "format": "email", "pattern": "^.+@.+$" } + ] + }, + "StringDatatype": { + "description": "A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, U+10, U+32 or [ \n\t]+", + "type": "string", + "pattern": "^\\S(.*\\S)?$" + }, + "TokenDatatype": { + "description": "A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. https://www.w3.org/TR/xmlschema11-2/#NCName.", + "type": "string", + "pattern": "^(\\p{L}|_)(\\p{L}|\\p{N}|[.\\-_])*$" + }, + "URIDatatype": { + "description": "A universal resource identifier (URI) formatted according to RFC3986.", + "type": "string", + "format": "uri", + "pattern": "^[a-zA-Z][a-zA-Z0-9+\\-.]+:.+$" + }, + "URIReferenceDatatype": { + "description": "A URI Reference, either a URI or a relative-reference, formatted according to section 4.1 of RFC3986.", + "type": "string", + "format": "uri-reference" + }, + "UUIDDatatype": { + "description": "A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + } + }, + "properties": { + "$schema": { "$ref": "#json-schema-directive" }, + "catalog": { "$ref": "#assembly_oscal-catalog_catalog" } + }, + "required": ["catalog"], + "additionalProperties": false +} diff --git a/roscal_lib/jsonschema/tracking_latest_models/oscal_component_schema.json b/roscal_lib/jsonschema/tracking_latest_models/oscal_component_schema.json new file mode 100644 index 0000000..bcb0a6c --- /dev/null +++ b/roscal_lib/jsonschema/tracking_latest_models/oscal_component_schema.json @@ -0,0 +1,1799 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "http://csrc.nist.gov/ns/oscal/1.1.2/oscal-component-definition-schema.json", + "$comment": "OSCAL Component Definition Model: JSON Schema", + "type": "object", + "definitions": { + "json-schema-directive": { + "title": "Schema Directive", + "description": "A JSON Schema directive to bind a specific schema to its document instance.", + "$id": "#json-schema-directive", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "oscal-component-definition-oscal-component-definition:component-definition": { + "title": "Component Definition", + "description": "A collection of component descriptions, which may optionally be grouped by capability.", + "$id": "#assembly_oscal-component-definition_component-definition", + "type": "object", + "properties": { + "uuid": { + "title": "Component Definition Universally Unique Identifier", + "description": "Provides a globally unique means to identify a given component definition instance.", + "$ref": "#/definitions/UUIDDatatype" + }, + "metadata": { "$ref": "#assembly_oscal-metadata_metadata" }, + "import-component-definitions": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-component-definition_import-component-definition" + } + }, + "components": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-component-definition_defined-component" + } + }, + "capabilities": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-component-definition_capability" } + }, + "back-matter": { "$ref": "#assembly_oscal-metadata_back-matter" } + }, + "required": ["uuid", "metadata"], + "additionalProperties": false + }, + "oscal-component-definition-oscal-component-definition:import-component-definition": { + "title": "Import Component Definition", + "description": "Loads a component definition from another resource.", + "$id": "#assembly_oscal-component-definition_import-component-definition", + "type": "object", + "properties": { + "href": { + "title": "Hyperlink Reference", + "description": "A link to a resource that defines a set of components and/or capabilities to import into this collection.", + "$ref": "#/definitions/URIReferenceDatatype" + } + }, + "required": ["href"], + "additionalProperties": false + }, + "oscal-component-definition-oscal-component-definition:defined-component": { + "title": "Component", + "description": "A defined component that can be part of an implemented system.", + "$id": "#assembly_oscal-component-definition_defined-component", + "type": "object", + "properties": { + "uuid": { + "title": "Component Identifier", + "description": "Provides a globally unique means to identify a given component.", + "$ref": "#/definitions/UUIDDatatype" + }, + "type": { + "title": "Component Type", + "description": "A category describing the purpose of the component.", + "anyOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { + "enum": [ + "interconnection", + "software", + "hardware", + "service", + "policy", + "physical", + "process-procedure", + "plan", + "guidance", + "standard", + "validation" + ] + } + ] + }, + "title": { + "title": "Component Title", + "description": "A human readable name for the component.", + "type": "string" + }, + "description": { + "title": "Component Description", + "description": "A description of the component, including information about its function.", + "type": "string" + }, + "purpose": { + "title": "Purpose", + "description": "A summary of the technological or business purpose of the component.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "protocols": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-implementation-common_protocol" } + }, + "control-implementations": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-component-definition_control-implementation" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "type", "title", "description"], + "additionalProperties": false + }, + "oscal-component-definition-oscal-component-definition:capability": { + "title": "Capability", + "description": "A grouping of other components and/or capabilities.", + "$id": "#assembly_oscal-component-definition_capability", + "type": "object", + "properties": { + "uuid": { + "title": "Capability Identifier", + "description": "Provides a globally unique means to identify a given capability.", + "$ref": "#/definitions/UUIDDatatype" + }, + "name": { + "title": "Capability Name", + "description": "The capability's human-readable name.", + "$ref": "#/definitions/StringDatatype" + }, + "description": { + "title": "Capability Description", + "description": "A summary of the capability.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "incorporates-components": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-component-definition_incorporates-component" + } + }, + "control-implementations": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-component-definition_control-implementation" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "name", "description"], + "additionalProperties": false + }, + "oscal-component-definition-oscal-component-definition:incorporates-component": { + "title": "Incorporates Component", + "description": "The collection of components comprising this capability.", + "$id": "#assembly_oscal-component-definition_incorporates-component", + "type": "object", + "properties": { + "component-uuid": { + "title": "Component Reference", + "description": "A machine-oriented identifier reference to a component.", + "$ref": "#/definitions/UUIDDatatype" + }, + "description": { + "title": "Component Description", + "description": "A description of the component, including information about its function.", + "type": "string" + } + }, + "required": ["component-uuid", "description"], + "additionalProperties": false + }, + "oscal-component-definition-oscal-component-definition:control-implementation": { + "title": "Control Implementation Set", + "description": "Defines how the component or capability supports a set of controls.", + "$id": "#assembly_oscal-component-definition_control-implementation", + "type": "object", + "properties": { + "uuid": { + "title": "Control Implementation Set Identifier", + "description": "Provides a means to identify a set of control implementations that are supported by a given component or capability.", + "$ref": "#/definitions/UUIDDatatype" + }, + "source": { + "title": "Source Resource Reference", + "description": "A reference to an OSCAL catalog or profile providing the referenced control or subcontrol definition.", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "description": { + "title": "Control Implementation Description", + "description": "A description of how the specified set of controls are implemented for the containing component or capability.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "set-parameters": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_set-parameter" + } + }, + "implemented-requirements": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-component-definition_implemented-requirement" + } + } + }, + "required": ["uuid", "source", "description", "implemented-requirements"], + "additionalProperties": false + }, + "oscal-component-definition-oscal-component-definition:implemented-requirement": { + "title": "Control Implementation", + "description": "Describes how the containing component or capability implements an individual control.", + "$id": "#assembly_oscal-component-definition_implemented-requirement", + "type": "object", + "properties": { + "uuid": { + "title": "Control Implementation Identifier", + "description": "Provides a globally unique means to identify a given control implementation by a component.", + "$ref": "#/definitions/UUIDDatatype" + }, + "control-id": { + "title": "Control Identifier Reference", + "description": "A reference to a control with a corresponding id value. When referencing an externally defined control, the Control Identifier Reference must be used in the context of the external / imported OSCAL instance (e.g., uri-reference).", + "$ref": "#/definitions/TokenDatatype" + }, + "description": { + "title": "Control Implementation Description", + "description": "A suggestion from the supplier (e.g., component vendor or author) for how the specified control may be implemented if the containing component or capability is instantiated in a system security plan.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "set-parameters": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_set-parameter" + } + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "statements": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-component-definition_statement" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "control-id", "description"], + "additionalProperties": false + }, + "oscal-component-definition-oscal-component-definition:statement": { + "title": "Control Statement Implementation", + "description": "Identifies which statements within a control are addressed.", + "$id": "#assembly_oscal-component-definition_statement", + "type": "object", + "properties": { + "statement-id": { + "title": "Control Statement Reference", + "description": "A human-oriented identifier reference to a control statement.", + "$ref": "#/definitions/TokenDatatype" + }, + "uuid": { + "title": "Control Statement Reference Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this control statement elsewhere in this or other OSCAL instances. The UUID of the control statement in the source OSCAL instance is sufficient to reference the data item locally or globally (e.g., in an imported OSCAL instance).", + "$ref": "#/definitions/UUIDDatatype" + }, + "description": { + "title": "Statement Implementation Description", + "description": "A summary of how the containing control statement is implemented by the component or capability.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["statement-id", "uuid", "description"], + "additionalProperties": false + }, + "oscal-component-definition-oscal-implementation-common:system-component": { + "title": "Component", + "description": "A defined component that can be part of an implemented system.", + "$id": "#assembly_oscal-implementation-common_system-component", + "type": "object", + "properties": { + "uuid": { + "title": "Component Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this component elsewhere in this or other OSCAL instances. The locally defined UUID of the component can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "type": { + "title": "Component Type", + "description": "A category describing the purpose of the component.", + "anyOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { + "enum": [ + "this-system", + "system", + "interconnection", + "software", + "hardware", + "service", + "policy", + "physical", + "process-procedure", + "plan", + "guidance", + "standard", + "validation", + "network" + ] + } + ] + }, + "title": { + "title": "Component Title", + "description": "A human readable name for the system component.", + "type": "string" + }, + "description": { + "title": "Component Description", + "description": "A description of the component, including information about its function.", + "type": "string" + }, + "purpose": { + "title": "Purpose", + "description": "A summary of the technological or business purpose of the component.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "status": { + "title": "Status", + "description": "Describes the operational status of the system component.", + "type": "object", + "properties": { + "state": { + "title": "State", + "description": "The operational status.", + "allOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { + "enum": [ + "under-development", + "operational", + "disposition", + "other" + ] + } + ] + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["state"], + "additionalProperties": false + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "protocols": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-implementation-common_protocol" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "type", "title", "description", "status"], + "additionalProperties": false + }, + "oscal-component-definition-oscal-implementation-common:protocol": { + "title": "Service Protocol Information", + "description": "Information about the protocol used to provide a service.", + "$id": "#assembly_oscal-implementation-common_protocol", + "type": "object", + "properties": { + "uuid": { + "title": "Service Protocol Information Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this service protocol information elsewhere in this or other OSCAL instances. The locally defined UUID of the service protocol can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "name": { + "title": "Protocol Name", + "description": "The common name of the protocol, which should be the appropriate \"service name\" from the IANA Service Name and Transport Protocol Port Number Registry.", + "$ref": "#/definitions/StringDatatype" + }, + "title": { + "title": "Protocol Title", + "description": "A human readable name for the protocol (e.g., Transport Layer Security).", + "type": "string" + }, + "port-ranges": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_port-range" + } + } + }, + "required": ["name"], + "additionalProperties": false + }, + "oscal-component-definition-oscal-implementation-common:port-range": { + "title": "Port Range", + "description": "Where applicable this is the IPv4 port range on which the service operates.", + "$id": "#assembly_oscal-implementation-common_port-range", + "type": "object", + "properties": { + "start": { + "title": "Start", + "description": "Indicates the starting port number in a port range", + "$ref": "#/definitions/NonNegativeIntegerDatatype" + }, + "end": { + "title": "End", + "description": "Indicates the ending port number in a port range", + "$ref": "#/definitions/NonNegativeIntegerDatatype" + }, + "transport": { + "title": "Transport", + "description": "Indicates the transport type.", + "allOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["TCP", "UDP"] } + ] + } + }, + "additionalProperties": false + }, + "oscal-component-definition-oscal-implementation-common:implementation-status": { + "title": "Implementation Status", + "description": "Indicates the degree to which the a given control is implemented.", + "$id": "#assembly_oscal-implementation-common_implementation-status", + "type": "object", + "properties": { + "state": { + "title": "Implementation State", + "description": "Identifies the implementation status of the control or control objective.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { + "enum": [ + "implemented", + "partial", + "planned", + "alternative", + "not-applicable" + ] + } + ] + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["state"], + "additionalProperties": false + }, + "oscal-component-definition-oscal-implementation-common:system-user": { + "title": "System User", + "description": "A type of user that interacts with the system based on an associated role.", + "$id": "#assembly_oscal-implementation-common_system-user", + "type": "object", + "properties": { + "uuid": { + "title": "User Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this user class elsewhere in this or other OSCAL instances. The locally defined UUID of the system user can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "User Title", + "description": "A name given to the user, which may be used by a tool for display and navigation.", + "type": "string" + }, + "short-name": { + "title": "User Short Name", + "description": "A short common name, abbreviation, or acronym for the user.", + "$ref": "#/definitions/StringDatatype" + }, + "description": { + "title": "User Description", + "description": "A summary of the user's purpose within the system.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "role-ids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_role-id" } + }, + "authorized-privileges": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_authorized-privilege" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid"], + "additionalProperties": false + }, + "oscal-component-definition-oscal-implementation-common:authorized-privilege": { + "title": "Privilege", + "description": "Identifies a specific system privilege held by the user, along with an associated description and/or rationale for the privilege.", + "$id": "#assembly_oscal-implementation-common_authorized-privilege", + "type": "object", + "properties": { + "title": { + "title": "Privilege Title", + "description": "A human readable name for the privilege.", + "type": "string" + }, + "description": { + "title": "Privilege Description", + "description": "A summary of the privilege's purpose within the system.", + "type": "string" + }, + "functions-performed": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#field_oscal-implementation-common_function-performed" + } + } + }, + "required": ["title", "functions-performed"], + "additionalProperties": false + }, + "oscal-component-definition-oscal-implementation-common:function-performed": { + "title": "Functions Performed", + "description": "Describes a function performed for a given authorized privilege by this user class.", + "$id": "#field_oscal-implementation-common_function-performed", + "$ref": "#/definitions/StringDatatype" + }, + "oscal-component-definition-oscal-implementation-common:inventory-item": { + "title": "Inventory Item", + "description": "A single managed inventory item within the system.", + "$id": "#assembly_oscal-implementation-common_inventory-item", + "type": "object", + "properties": { + "uuid": { + "title": "Inventory Item Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this inventory item elsewhere in this or other OSCAL instances. The locally defined UUID of the inventory item can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "description": { + "title": "Inventory Item Description", + "description": "A summary of the inventory item stating its purpose within the system.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-party" } + }, + "implemented-components": { + "type": "array", + "minItems": 1, + "items": { + "title": "Implemented Component", + "description": "The set of components that are implemented in a given system inventory item.", + "type": "object", + "properties": { + "component-uuid": { + "title": "Component Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to a component that is implemented as part of an inventory item.", + "$ref": "#/definitions/UUIDDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-metadata_responsible-party" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["component-uuid"], + "additionalProperties": false + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "description"], + "additionalProperties": false + }, + "oscal-component-definition-oscal-implementation-common:set-parameter": { + "title": "Set Parameter Value", + "description": "Identifies the parameter that will be set by the enclosed value.", + "$id": "#assembly_oscal-implementation-common_set-parameter", + "type": "object", + "properties": { + "param-id": { + "title": "Parameter ID", + "description": "A human-oriented reference to a parameter within a control, who's catalog has been imported into the current implementation context.", + "$ref": "#/definitions/TokenDatatype" + }, + "values": { + "type": "array", + "minItems": 1, + "items": { + "title": "Parameter Value", + "description": "A parameter value or set of values.", + "$ref": "#/definitions/StringDatatype" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["param-id", "values"], + "additionalProperties": false + }, + "oscal-component-definition-oscal-implementation-common:system-id": { + "title": "System Identification", + "description": "A human-oriented, globally unique identifier with cross-instance scope that can be used to reference this system identification property elsewhere in this or other OSCAL instances. When referencing an externally defined system identification, the system identification must be used in the context of the external / imported OSCAL instance (e.g., uri-reference). This string should be assigned per-subject, which means it should be consistently used to identify the same system across revisions of the document.", + "$id": "#field_oscal-implementation-common_system-id", + "type": "object", + "properties": { + "identifier-type": { + "title": "Identification System Type", + "description": "Identifies the identification system from which the provided identifier was assigned.", + "anyOf": [ + { "$ref": "#/definitions/URIDatatype" }, + + { + "enum": [ + "https://fedramp.gov", + "http://fedramp.gov/ns/oscal", + "https://ietf.org/rfc/rfc4122", + "http://ietf.org/rfc/rfc4122" + ] + } + ] + }, + "id": { "$ref": "#/definitions/StringDatatype" } + }, + "required": ["id"], + "additionalProperties": false + }, + "oscal-component-definition-oscal-metadata:metadata": { + "title": "Document Metadata", + "description": "Provides information about the containing document, and defines concepts that are shared across the document.", + "$id": "#assembly_oscal-metadata_metadata", + "type": "object", + "properties": { + "title": { + "title": "Document Title", + "description": "A name given to the document, which may be used by a tool for display and navigation.", + "type": "string" + }, + "published": { "$ref": "#field_oscal-metadata_published" }, + "last-modified": { "$ref": "#field_oscal-metadata_last-modified" }, + "version": { "$ref": "#field_oscal-metadata_version" }, + "oscal-version": { "$ref": "#field_oscal-metadata_oscal-version" }, + "revisions": { + "type": "array", + "minItems": 1, + "items": { + "title": "Revision History Entry", + "description": "An entry in a sequential list of revisions to the containing document, expected to be in reverse chronological order (i.e. latest first).", + "type": "object", + "properties": { + "title": { + "title": "Document Title", + "description": "A name given to the document revision, which may be used by a tool for display and navigation.", + "type": "string" + }, + "published": { "$ref": "#field_oscal-metadata_published" }, + "last-modified": { + "$ref": "#field_oscal-metadata_last-modified" + }, + "version": { "$ref": "#field_oscal-metadata_version" }, + "oscal-version": { + "$ref": "#field_oscal-metadata_oscal-version" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["version"], + "additionalProperties": false + } + }, + "document-ids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_document-id" } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "roles": { + "type": "array", + "minItems": 1, + "items": { + "title": "Role", + "description": "Defines a function, which might be assigned to a party in a specific situation.", + "type": "object", + "properties": { + "id": { + "title": "Role Identifier", + "description": "A unique identifier for the role.", + "$ref": "#/definitions/TokenDatatype" + }, + "title": { + "title": "Role Title", + "description": "A name given to the role, which may be used by a tool for display and navigation.", + "type": "string" + }, + "short-name": { + "title": "Role Short Name", + "description": "A short common name, abbreviation, or acronym for the role.", + "$ref": "#/definitions/StringDatatype" + }, + "description": { + "title": "Role Description", + "description": "A summary of the role's purpose and associated responsibilities.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["id", "title"], + "additionalProperties": false + } + }, + "locations": { + "type": "array", + "minItems": 1, + "items": { + "title": "Location", + "description": "A physical point of presence, which may be associated with people, organizations, or other concepts within the current or linked OSCAL document.", + "type": "object", + "properties": { + "uuid": { + "title": "Location Universally Unique Identifier", + "description": "A unique ID for the location, for reference.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Location Title", + "description": "A name given to the location, which may be used by a tool for display and navigation.", + "type": "string" + }, + "address": { "$ref": "#assembly_oscal-metadata_address" }, + "email-addresses": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_email-address" } + }, + "telephone-numbers": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_telephone-number" } + }, + "urls": { + "type": "array", + "minItems": 1, + "items": { + "title": "Location URL", + "description": "The uniform resource locator (URL) for a web site or other resource associated with the location.", + "$ref": "#/definitions/URIDatatype" + } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid"], + "additionalProperties": false + } + }, + "parties": { + "type": "array", + "minItems": 1, + "items": { + "title": "Party", + "description": "An organization or person, which may be associated with roles or other concepts within the current or linked OSCAL document.", + "type": "object", + "properties": { + "uuid": { + "title": "Party Universally Unique Identifier", + "description": "A unique identifier for the party.", + "$ref": "#/definitions/UUIDDatatype" + }, + "type": { + "title": "Party Type", + "description": "A category describing the kind of party the object describes.", + "allOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { "enum": ["person", "organization"] } + ] + }, + "name": { + "title": "Party Name", + "description": "The full name of the party. This is typically the legal name associated with the party.", + "$ref": "#/definitions/StringDatatype" + }, + "short-name": { + "title": "Party Short Name", + "description": "A short common name, abbreviation, or acronym for the party.", + "$ref": "#/definitions/StringDatatype" + }, + "external-ids": { + "type": "array", + "minItems": 1, + "items": { + "title": "Party External Identifier", + "description": "An identifier for a person or organization using a designated scheme. e.g. an Open Researcher and Contributor ID (ORCID).", + "type": "object", + "properties": { + "scheme": { + "title": "External Identifier Schema", + "description": "Indicates the type of external identifier.", + "anyOf": [ + { "$ref": "#/definitions/URIDatatype" }, + + { "enum": ["http://orcid.org/"] } + ] + }, + "id": { "$ref": "#/definitions/StringDatatype" } + }, + "required": ["id", "scheme"], + "additionalProperties": false + } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "email-addresses": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_email-address" } + }, + "telephone-numbers": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_telephone-number" } + }, + "addresses": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_address" } + }, + "location-uuids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_location-uuid" } + }, + "member-of-organizations": { + "type": "array", + "minItems": 1, + "items": { + "title": "Organizational Affiliation", + "description": "A reference to another party by UUID, typically an organization, that this subject is associated with.", + "$ref": "#/definitions/UUIDDatatype" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "type"], + "additionalProperties": false + } + }, + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-party" } + }, + "actions": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_action" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["title", "last-modified", "version", "oscal-version"], + "additionalProperties": false + }, + "oscal-component-definition-oscal-metadata:location-uuid": { + "title": "Location Universally Unique Identifier Reference", + "description": "Reference to a location by UUID.", + "$id": "#field_oscal-metadata_location-uuid", + "$ref": "#/definitions/UUIDDatatype" + }, + "oscal-component-definition-oscal-metadata:party-uuid": { + "title": "Party Universally Unique Identifier Reference", + "description": "Reference to a party by UUID.", + "$id": "#field_oscal-metadata_party-uuid", + "$ref": "#/definitions/UUIDDatatype" + }, + "oscal-component-definition-oscal-metadata:role-id": { + "title": "Role Identifier Reference", + "description": "Reference to a role by UUID.", + "$id": "#field_oscal-metadata_role-id", + "$ref": "#/definitions/TokenDatatype" + }, + "oscal-component-definition-oscal-metadata:back-matter": { + "title": "Back matter", + "description": "A collection of resources that may be referenced from within the OSCAL document instance.", + "$id": "#assembly_oscal-metadata_back-matter", + "type": "object", + "properties": { + "resources": { + "type": "array", + "minItems": 1, + "items": { + "title": "Resource", + "description": "A resource associated with content in the containing document instance. A resource may be directly included in the document using base64 encoding or may point to one or more equivalent internet resources.", + "type": "object", + "properties": { + "uuid": { + "title": "Resource Universally Unique Identifier", + "description": "A unique identifier for a resource.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Resource Title", + "description": "An optional name given to the resource, which may be used by a tool for display and navigation.", + "type": "string" + }, + "description": { + "title": "Resource Description", + "description": "An optional short summary of the resource used to indicate the purpose of the resource.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "document-ids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_document-id" } + }, + "citation": { + "title": "Citation", + "description": "An optional citation consisting of end note text using structured markup.", + "type": "object", + "properties": { + "text": { + "title": "Citation Text", + "description": "A line of citation text.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + } + }, + "required": ["text"], + "additionalProperties": false + }, + "rlinks": { + "type": "array", + "minItems": 1, + "items": { + "title": "Resource link", + "description": "A URL-based pointer to an external resource with an optional hash for verification and change detection.", + "type": "object", + "properties": { + "href": { + "title": "Hypertext Reference", + "description": "A resolvable URL pointing to the referenced resource.", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "media-type": { + "title": "Media Type", + "description": "A label that indicates the nature of a resource, as a data serialization or format.", + "$ref": "#/definitions/StringDatatype" + }, + "hashes": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_hash" } + } + }, + "required": ["href"], + "additionalProperties": false + } + }, + "base64": { + "title": "Base64", + "description": "A resource encoded using the Base64 alphabet defined by RFC 2045.", + "type": "object", + "properties": { + "filename": { + "title": "File Name", + "description": "Name of the file before it was encoded as Base64 to be embedded in a resource. This is the name that will be assigned to the file when the file is decoded.", + "$ref": "#/definitions/TokenDatatype" + }, + "media-type": { + "title": "Media Type", + "description": "A label that indicates the nature of a resource, as a data serialization or format.", + "$ref": "#/definitions/StringDatatype" + }, + "value": { "$ref": "#/definitions/Base64Datatype" } + }, + "required": ["value"], + "additionalProperties": false + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid"], + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "oscal-component-definition-oscal-metadata:property": { + "title": "Property", + "description": "An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.", + "$id": "#assembly_oscal-metadata_property", + "type": "object", + "properties": { + "name": { + "title": "Property Name", + "description": "A textual label, within a namespace, that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.", + "$ref": "#/definitions/TokenDatatype" + }, + "uuid": { + "title": "Property Universally Unique Identifier", + "description": "A unique identifier for a property.", + "$ref": "#/definitions/UUIDDatatype" + }, + "ns": { + "title": "Property Namespace", + "description": "A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.", + "$ref": "#/definitions/URIDatatype" + }, + "value": { + "title": "Property Value", + "description": "Indicates the value of the attribute, characteristic, or quality.", + "$ref": "#/definitions/StringDatatype" + }, + "class": { + "title": "Property Class", + "description": "A textual label that provides a sub-type or characterization of the property's name.", + "$ref": "#/definitions/TokenDatatype" + }, + "group": { + "title": "Property Group", + "description": "An identifier for relating distinct sets of properties.", + "$ref": "#/definitions/TokenDatatype" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["name", "value"], + "additionalProperties": false + }, + "oscal-component-definition-oscal-metadata:link": { + "title": "Link", + "description": "A reference to a local or remote resource, that has a specific relation to the containing object.", + "$id": "#assembly_oscal-metadata_link", + "type": "object", + "properties": { + "href": { + "title": "Hypertext Reference", + "description": "A resolvable URL reference to a resource.", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "rel": { + "title": "Link Relation Type", + "description": "Describes the type of relationship provided by the link's hypertext reference. This can be an indicator of the link's purpose.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["reference"] } + ] + }, + "media-type": { + "title": "Media Type", + "description": "A label that indicates the nature of a resource, as a data serialization or format.", + "$ref": "#/definitions/StringDatatype" + }, + "resource-fragment": { + "title": "Resource Fragment", + "description": "In case where the href points to a back-matter/resource, this value will indicate the URI fragment to append to any rlink associated with the resource. This value MUST be URI encoded.", + "$ref": "#/definitions/StringDatatype" + }, + "text": { + "title": "Link Text", + "description": "A textual label to associate with the link, which may be used for presentation in a tool.", + "type": "string" + } + }, + "required": ["href"], + "additionalProperties": false + }, + "oscal-component-definition-oscal-metadata:responsible-party": { + "title": "Responsible Party", + "description": "A reference to a set of persons and/or organizations that have responsibility for performing the referenced role in the context of the containing object.", + "$id": "#assembly_oscal-metadata_responsible-party", + "type": "object", + "properties": { + "role-id": { + "title": "Responsible Role", + "description": "A reference to a role performed by a party.", + "$ref": "#/definitions/TokenDatatype" + }, + "party-uuids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_party-uuid" } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["role-id", "party-uuids"], + "additionalProperties": false + }, + "oscal-component-definition-oscal-metadata:action": { + "title": "Action", + "description": "An action applied by a role within a given party to the content.", + "$id": "#assembly_oscal-metadata_action", + "type": "object", + "properties": { + "uuid": { + "title": "Action Universally Unique Identifier", + "description": "A unique identifier that can be used to reference this defined action elsewhere in an OSCAL document. A UUID should be consistently used for a given location across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "date": { + "title": "Action Occurrence Date", + "description": "The date and time when the action occurred.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "type": { + "title": "Action Type", + "description": "The type of action documented by the assembly, such as an approval.", + "$ref": "#/definitions/TokenDatatype" + }, + "system": { + "title": "Action Type System", + "description": "Specifies the action type system used.", + "$ref": "#/definitions/URIDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-party" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "type", "system"], + "additionalProperties": false + }, + "oscal-component-definition-oscal-metadata:responsible-role": { + "title": "Responsible Role", + "description": "A reference to a role with responsibility for performing a function relative to the containing object, optionally associated with a set of persons and/or organizations that perform that role.", + "$id": "#assembly_oscal-metadata_responsible-role", + "type": "object", + "properties": { + "role-id": { + "title": "Responsible Role ID", + "description": "A human-oriented identifier reference to a role performed.", + "$ref": "#/definitions/TokenDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "party-uuids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_party-uuid" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["role-id"], + "additionalProperties": false + }, + "oscal-component-definition-oscal-metadata:hash": { + "title": "Hash", + "description": "A representation of a cryptographic digest generated over a resource using a specified hash algorithm.", + "$id": "#field_oscal-metadata_hash", + "type": "object", + "properties": { + "algorithm": { + "title": "Hash algorithm", + "description": "The digest method by which a hash is derived.", + "anyOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { + "enum": [ + "SHA-224", + "SHA-256", + "SHA-384", + "SHA-512", + "SHA3-224", + "SHA3-256", + "SHA3-384", + "SHA3-512" + ] + } + ] + }, + "value": { "$ref": "#/definitions/StringDatatype" } + }, + "required": ["value", "algorithm"], + "additionalProperties": false + }, + "oscal-component-definition-oscal-metadata:remarks": { + "title": "Remarks", + "description": "Additional commentary about the containing object.", + "$id": "#field_oscal-metadata_remarks", + "type": "string" + }, + "oscal-component-definition-oscal-metadata:published": { + "title": "Publication Timestamp", + "description": "The date and time the document was last made available.", + "$id": "#field_oscal-metadata_published", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "oscal-component-definition-oscal-metadata:last-modified": { + "title": "Last Modified Timestamp", + "description": "The date and time the document was last stored for later retrieval.", + "$id": "#field_oscal-metadata_last-modified", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "oscal-component-definition-oscal-metadata:version": { + "title": "Document Version", + "description": "Used to distinguish a specific revision of an OSCAL document from other previous and future versions.", + "$id": "#field_oscal-metadata_version", + "$ref": "#/definitions/StringDatatype" + }, + "oscal-component-definition-oscal-metadata:oscal-version": { + "title": "OSCAL Version", + "description": "The OSCAL model version the document was authored against and will conform to as valid.", + "$id": "#field_oscal-metadata_oscal-version", + "$ref": "#/definitions/StringDatatype" + }, + "oscal-component-definition-oscal-metadata:email-address": { + "title": "Email Address", + "description": "An email address as defined by RFC 5322 Section 3.4.1.", + "$id": "#field_oscal-metadata_email-address", + "$ref": "#/definitions/EmailAddressDatatype" + }, + "oscal-component-definition-oscal-metadata:telephone-number": { + "title": "Telephone Number", + "description": "A telephone service number as defined by ITU-T E.164.", + "$id": "#field_oscal-metadata_telephone-number", + "type": "object", + "properties": { + "type": { + "title": "type flag", + "description": "Indicates the type of phone number.", + "anyOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { "enum": ["home", "office", "mobile"] } + ] + }, + "number": { "$ref": "#/definitions/StringDatatype" } + }, + "required": ["number"], + "additionalProperties": false + }, + "oscal-component-definition-oscal-metadata:address": { + "title": "Address", + "description": "A postal address for the location.", + "$id": "#assembly_oscal-metadata_address", + "type": "object", + "properties": { + "type": { + "title": "Address Type", + "description": "Indicates the type of address.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["home", "work"] } + ] + }, + "addr-lines": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_addr-line" } + }, + "city": { + "title": "City", + "description": "City, town or geographical region for the mailing address.", + "$ref": "#/definitions/StringDatatype" + }, + "state": { + "title": "State", + "description": "State, province or analogous geographical region for a mailing address.", + "$ref": "#/definitions/StringDatatype" + }, + "postal-code": { + "title": "Postal Code", + "description": "Postal or ZIP code for mailing address.", + "$ref": "#/definitions/StringDatatype" + }, + "country": { + "title": "Country Code", + "description": "The ISO 3166-1 alpha-2 country code for the mailing address.", + "$ref": "#/definitions/StringDatatype" + } + }, + "additionalProperties": false + }, + "oscal-component-definition-oscal-metadata:addr-line": { + "title": "Address line", + "description": "A single line of an address.", + "$id": "#field_oscal-metadata_addr-line", + "$ref": "#/definitions/StringDatatype" + }, + "oscal-component-definition-oscal-metadata:document-id": { + "title": "Document Identifier", + "description": "A document identifier qualified by an identifier scheme.", + "$id": "#field_oscal-metadata_document-id", + "type": "object", + "properties": { + "scheme": { + "title": "Document Identification Scheme", + "description": "Qualifies the kind of document identifier using a URI. If the scheme is not provided the value of the element will be interpreted as a string of characters.", + "anyOf": [ + { "$ref": "#/definitions/URIDatatype" }, + + { "enum": ["http://www.doi.org/"] } + ] + }, + "identifier": { "$ref": "#/definitions/StringDatatype" } + }, + "required": ["identifier"], + "additionalProperties": false + }, + "oscal-component-definition-oscal-control-common:part": { + "title": "Part", + "description": "An annotated, markup-based textual element of a control's or catalog group's definition, or a child of another part.", + "$id": "#assembly_oscal-control-common_part", + "type": "object", + "properties": { + "id": { + "title": "Part Identifier", + "description": "A unique identifier for the part.", + "$ref": "#/definitions/TokenDatatype" + }, + "name": { + "title": "Part Name", + "description": "A textual label that uniquely identifies the part's semantic type, which exists in a value space qualified by the ns.", + "$ref": "#/definitions/TokenDatatype" + }, + "ns": { + "title": "Part Namespace", + "description": "An optional namespace qualifying the part's name. This allows different organizations to associate distinct semantics with the same name.", + "$ref": "#/definitions/URIDatatype" + }, + "class": { + "title": "Part Class", + "description": "An optional textual providing a sub-type or characterization of the part's name, or a category to which the part belongs.", + "$ref": "#/definitions/TokenDatatype" + }, + "title": { + "title": "Part Title", + "description": "An optional name given to the part, which may be used by a tool for display and navigation.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "prose": { + "title": "Part Text", + "description": "Permits multiple paragraphs, lists, tables etc.", + "type": "string" + }, + "parts": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-control-common_part" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + } + }, + "required": ["name"], + "additionalProperties": false + }, + "oscal-component-definition-oscal-control-common:parameter": { + "title": "Parameter", + "description": "Parameters provide a mechanism for the dynamic assignment of value(s) in a control.", + "$id": "#assembly_oscal-control-common_parameter", + "type": "object", + "properties": { + "id": { + "title": "Parameter Identifier", + "description": "A unique identifier for the parameter.", + "$ref": "#/definitions/TokenDatatype" + }, + "class": { + "title": "Parameter Class", + "description": "A textual label that provides a characterization of the type, purpose, use or scope of the parameter.", + "$ref": "#/definitions/TokenDatatype" + }, + "depends-on": { + "title": "Depends on", + "description": "(deprecated) Another parameter invoking this one. This construct has been deprecated and should not be used.", + "$ref": "#/definitions/TokenDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "label": { + "title": "Parameter Label", + "description": "A short, placeholder name for the parameter, which can be used as a substitute for a value if no value is assigned.", + "type": "string" + }, + "usage": { + "title": "Parameter Usage Description", + "description": "Describes the purpose and use of a parameter.", + "type": "string" + }, + "constraints": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-control-common_parameter-constraint" + } + }, + "guidelines": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-control-common_parameter-guideline" + } + }, + "values": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-control-common_parameter-value" } + }, + "select": { + "$ref": "#assembly_oscal-control-common_parameter-selection" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["id"], + "additionalProperties": false + }, + "oscal-component-definition-oscal-control-common:parameter-constraint": { + "title": "Constraint", + "description": "A formal or informal expression of a constraint or test.", + "$id": "#assembly_oscal-control-common_parameter-constraint", + "type": "object", + "properties": { + "description": { + "title": "Constraint Description", + "description": "A textual summary of the constraint to be applied.", + "type": "string" + }, + "tests": { + "type": "array", + "minItems": 1, + "items": { + "title": "Constraint Test", + "description": "A test expression which is expected to be evaluated by a tool.", + "type": "object", + "properties": { + "expression": { + "title": "Constraint test", + "description": "A formal (executable) expression of a constraint.", + "$ref": "#/definitions/StringDatatype" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["expression"], + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "oscal-component-definition-oscal-control-common:parameter-guideline": { + "title": "Guideline", + "description": "A prose statement that provides a recommendation for the use of a parameter.", + "$id": "#assembly_oscal-control-common_parameter-guideline", + "type": "object", + "properties": { + "prose": { + "title": "Guideline Text", + "description": "Prose permits multiple paragraphs, lists, tables etc.", + "type": "string" + } + }, + "required": ["prose"], + "additionalProperties": false + }, + "oscal-component-definition-oscal-control-common:parameter-value": { + "title": "Parameter Value", + "description": "A parameter value or set of values.", + "$id": "#field_oscal-control-common_parameter-value", + "$ref": "#/definitions/StringDatatype" + }, + "oscal-component-definition-oscal-control-common:parameter-selection": { + "title": "Selection", + "description": "Presenting a choice among alternatives.", + "$id": "#assembly_oscal-control-common_parameter-selection", + "type": "object", + "properties": { + "how-many": { + "title": "Parameter Cardinality", + "description": "Describes the number of selections that must occur. Without this setting, only one value should be assumed to be permitted.", + "allOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["one", "one-or-more"] } + ] + }, + "choice": { + "type": "array", + "minItems": 1, + "items": { + "title": "Choice", + "description": "A value selection among several such options.", + "type": "string" + } + } + }, + "additionalProperties": false + }, + "oscal-component-definition-oscal-control-common:include-all": { + "title": "Include All", + "description": "Include all controls from the imported catalog or profile resources.", + "$id": "#assembly_oscal-control-common_include-all", + "type": "object", + "additionalProperties": false + }, + "Base64Datatype": { + "description": "Binary data encoded using the Base 64 encoding algorithm as defined by RFC4648.", + "type": "string", + "pattern": "^[0-9A-Za-z+/]+={0,2}$", + "contentEncoding": "base64" + }, + "DateTimeWithTimezoneDatatype": { + "description": "A string representing a point in time with a required timezone.", + "type": "string", + "format": "date-time", + "pattern": "^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|(-((0[0-9]|1[0-2]):00|0[39]:30)|\\+((0[0-9]|1[0-4]):00|(0[34569]|10):30|(0[58]|12):45)))$" + }, + "EmailAddressDatatype": { + "description": "An email address string formatted according to RFC 6531.", + "allOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { "type": "string", "format": "email", "pattern": "^.+@.+$" } + ] + }, + "IntegerDatatype": { + "description": "A whole number value.", + "type": "integer" + }, + "NonNegativeIntegerDatatype": { + "description": "An integer value that is equal to or greater than 0.", + "allOf": [ + { "$ref": "#/definitions/IntegerDatatype" }, + + { "type": "number", "minimum": 0 } + ] + }, + "StringDatatype": { + "description": "A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, U+10, U+32 or [ \n\t]+", + "type": "string", + "pattern": "^\\S(.*\\S)?$" + }, + "TokenDatatype": { + "description": "A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. https://www.w3.org/TR/xmlschema11-2/#NCName.", + "type": "string", + "pattern": "^(\\p{L}|_)(\\p{L}|\\p{N}|[.\\-_])*$" + }, + "URIDatatype": { + "description": "A universal resource identifier (URI) formatted according to RFC3986.", + "type": "string", + "format": "uri", + "pattern": "^[a-zA-Z][a-zA-Z0-9+\\-.]+:.+$" + }, + "URIReferenceDatatype": { + "description": "A URI Reference, either a URI or a relative-reference, formatted according to section 4.1 of RFC3986.", + "type": "string", + "format": "uri-reference" + }, + "UUIDDatatype": { + "description": "A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + } + }, + "properties": { + "$schema": { "$ref": "#json-schema-directive" }, + "component-definition": { + "$ref": "#assembly_oscal-component-definition_component-definition" + } + }, + "required": ["component-definition"], + "additionalProperties": false +} diff --git a/roscal_lib/jsonschema/tracking_latest_models/oscal_poam_schema.json b/roscal_lib/jsonschema/tracking_latest_models/oscal_poam_schema.json new file mode 100644 index 0000000..cd0336d --- /dev/null +++ b/roscal_lib/jsonschema/tracking_latest_models/oscal_poam_schema.json @@ -0,0 +1,3398 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "http://csrc.nist.gov/ns/oscal/1.1.2/oscal-poam-schema.json", + "$comment": "OSCAL Plan of Action and Milestones (POA&M) Model: JSON Schema", + "type": "object", + "definitions": { + "json-schema-directive": { + "title": "Schema Directive", + "description": "A JSON Schema directive to bind a specific schema to its document instance.", + "$id": "#json-schema-directive", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "oscal-poam-oscal-poam:plan-of-action-and-milestones": { + "title": "Plan of Action and Milestones (POA&M)", + "description": "A plan of action and milestones which identifies initial and residual risks, deviations, and disposition, such as those required by FedRAMP.", + "$id": "#assembly_oscal-poam_plan-of-action-and-milestones", + "type": "object", + "properties": { + "uuid": { + "title": "POA&M Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with instancescope that can be used to reference this POA&M instance in this OSCAL instance. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "metadata": { "$ref": "#assembly_oscal-metadata_metadata" }, + "import-ssp": { + "$ref": "#assembly_oscal-assessment-common_import-ssp" + }, + "system-id": { "$ref": "#field_oscal-implementation-common_system-id" }, + "local-definitions": { + "$ref": "#assembly_oscal-poam_local-definitions" + }, + "observations": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_observation" } + }, + "risks": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_risk" } + }, + "findings": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_finding" } + }, + "poam-items": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-poam_poam-item" } + }, + "back-matter": { "$ref": "#assembly_oscal-metadata_back-matter" } + }, + "required": ["uuid", "metadata", "poam-items"], + "additionalProperties": false + }, + "oscal-poam-oscal-poam:local-definitions": { + "title": "Local Definitions", + "description": "Allows components, and inventory-items to be defined within the POA&M for circumstances where no OSCAL-based SSP exists, or is not delivered with the POA&M.", + "$id": "#assembly_oscal-poam_local-definitions", + "type": "object", + "properties": { + "components": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_system-component" + } + }, + "inventory-items": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_inventory-item" + } + }, + "assessment-assets": { + "$ref": "#assembly_oscal-assessment-common_assessment-assets" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "additionalProperties": false + }, + "oscal-poam-oscal-poam:poam-item": { + "title": "POA&M Item", + "description": "Describes an individual POA&M item.", + "$id": "#assembly_oscal-poam_poam-item", + "type": "object", + "properties": { + "uuid": { + "title": "POA&M Item Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with instance scope that can be used to reference this POA&M item entry in this OSCAL instance. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "POA&M Item Title", + "description": "The title or name for this POA&M item .", + "type": "string" + }, + "description": { + "title": "POA&M Item Description", + "description": "A human-readable description of POA&M item.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "origins": { + "type": "array", + "minItems": 1, + "items": { + "title": "Origin", + "description": "Identifies the source of the finding, such as a tool or person.", + "type": "object", + "properties": { + "actors": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_origin-actor" + } + } + }, + "required": ["actors"], + "additionalProperties": false + } + }, + "related-findings": { + "type": "array", + "minItems": 1, + "items": { + "title": "Related Finding", + "description": "Relates the poam-item to referenced finding(s).", + "type": "object", + "properties": { + "finding-uuid": { + "title": "Finding Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to a finding defined in the list of findings.", + "$ref": "#/definitions/UUIDDatatype" + } + }, + "required": ["finding-uuid"], + "additionalProperties": false + } + }, + "related-observations": { + "type": "array", + "minItems": 1, + "items": { + "title": "Related Observation", + "description": "Relates the poam-item to a set of referenced observations that were used to determine the finding.", + "type": "object", + "properties": { + "observation-uuid": { + "title": "Observation Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to an observation defined in the list of observations.", + "$ref": "#/definitions/UUIDDatatype" + } + }, + "required": ["observation-uuid"], + "additionalProperties": false + } + }, + "related-risks": { + "type": "array", + "minItems": 1, + "items": { + "title": "Associated Risk", + "description": "Relates the finding to a set of referenced risks that were used to determine the finding.", + "type": "object", + "properties": { + "risk-uuid": { + "title": "Risk Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to a risk defined in the list of risks.", + "$ref": "#/definitions/UUIDDatatype" + } + }, + "required": ["risk-uuid"], + "additionalProperties": false + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["title", "description"], + "additionalProperties": false + }, + "oscal-poam-oscal-metadata:metadata": { + "title": "Document Metadata", + "description": "Provides information about the containing document, and defines concepts that are shared across the document.", + "$id": "#assembly_oscal-metadata_metadata", + "type": "object", + "properties": { + "title": { + "title": "Document Title", + "description": "A name given to the document, which may be used by a tool for display and navigation.", + "type": "string" + }, + "published": { "$ref": "#field_oscal-metadata_published" }, + "last-modified": { "$ref": "#field_oscal-metadata_last-modified" }, + "version": { "$ref": "#field_oscal-metadata_version" }, + "oscal-version": { "$ref": "#field_oscal-metadata_oscal-version" }, + "revisions": { + "type": "array", + "minItems": 1, + "items": { + "title": "Revision History Entry", + "description": "An entry in a sequential list of revisions to the containing document, expected to be in reverse chronological order (i.e. latest first).", + "type": "object", + "properties": { + "title": { + "title": "Document Title", + "description": "A name given to the document revision, which may be used by a tool for display and navigation.", + "type": "string" + }, + "published": { "$ref": "#field_oscal-metadata_published" }, + "last-modified": { + "$ref": "#field_oscal-metadata_last-modified" + }, + "version": { "$ref": "#field_oscal-metadata_version" }, + "oscal-version": { + "$ref": "#field_oscal-metadata_oscal-version" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["version"], + "additionalProperties": false + } + }, + "document-ids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_document-id" } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "roles": { + "type": "array", + "minItems": 1, + "items": { + "title": "Role", + "description": "Defines a function, which might be assigned to a party in a specific situation.", + "type": "object", + "properties": { + "id": { + "title": "Role Identifier", + "description": "A unique identifier for the role.", + "$ref": "#/definitions/TokenDatatype" + }, + "title": { + "title": "Role Title", + "description": "A name given to the role, which may be used by a tool for display and navigation.", + "type": "string" + }, + "short-name": { + "title": "Role Short Name", + "description": "A short common name, abbreviation, or acronym for the role.", + "$ref": "#/definitions/StringDatatype" + }, + "description": { + "title": "Role Description", + "description": "A summary of the role's purpose and associated responsibilities.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["id", "title"], + "additionalProperties": false + } + }, + "locations": { + "type": "array", + "minItems": 1, + "items": { + "title": "Location", + "description": "A physical point of presence, which may be associated with people, organizations, or other concepts within the current or linked OSCAL document.", + "type": "object", + "properties": { + "uuid": { + "title": "Location Universally Unique Identifier", + "description": "A unique ID for the location, for reference.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Location Title", + "description": "A name given to the location, which may be used by a tool for display and navigation.", + "type": "string" + }, + "address": { "$ref": "#assembly_oscal-metadata_address" }, + "email-addresses": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_email-address" } + }, + "telephone-numbers": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_telephone-number" } + }, + "urls": { + "type": "array", + "minItems": 1, + "items": { + "title": "Location URL", + "description": "The uniform resource locator (URL) for a web site or other resource associated with the location.", + "$ref": "#/definitions/URIDatatype" + } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid"], + "additionalProperties": false + } + }, + "parties": { + "type": "array", + "minItems": 1, + "items": { + "title": "Party", + "description": "An organization or person, which may be associated with roles or other concepts within the current or linked OSCAL document.", + "type": "object", + "properties": { + "uuid": { + "title": "Party Universally Unique Identifier", + "description": "A unique identifier for the party.", + "$ref": "#/definitions/UUIDDatatype" + }, + "type": { + "title": "Party Type", + "description": "A category describing the kind of party the object describes.", + "allOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { "enum": ["person", "organization"] } + ] + }, + "name": { + "title": "Party Name", + "description": "The full name of the party. This is typically the legal name associated with the party.", + "$ref": "#/definitions/StringDatatype" + }, + "short-name": { + "title": "Party Short Name", + "description": "A short common name, abbreviation, or acronym for the party.", + "$ref": "#/definitions/StringDatatype" + }, + "external-ids": { + "type": "array", + "minItems": 1, + "items": { + "title": "Party External Identifier", + "description": "An identifier for a person or organization using a designated scheme. e.g. an Open Researcher and Contributor ID (ORCID).", + "type": "object", + "properties": { + "scheme": { + "title": "External Identifier Schema", + "description": "Indicates the type of external identifier.", + "anyOf": [ + { "$ref": "#/definitions/URIDatatype" }, + + { "enum": ["http://orcid.org/"] } + ] + }, + "id": { "$ref": "#/definitions/StringDatatype" } + }, + "required": ["id", "scheme"], + "additionalProperties": false + } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "email-addresses": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_email-address" } + }, + "telephone-numbers": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_telephone-number" } + }, + "addresses": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_address" } + }, + "location-uuids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_location-uuid" } + }, + "member-of-organizations": { + "type": "array", + "minItems": 1, + "items": { + "title": "Organizational Affiliation", + "description": "A reference to another party by UUID, typically an organization, that this subject is associated with.", + "$ref": "#/definitions/UUIDDatatype" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "type"], + "additionalProperties": false + } + }, + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-party" } + }, + "actions": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_action" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["title", "last-modified", "version", "oscal-version"], + "additionalProperties": false + }, + "oscal-poam-oscal-metadata:location-uuid": { + "title": "Location Universally Unique Identifier Reference", + "description": "Reference to a location by UUID.", + "$id": "#field_oscal-metadata_location-uuid", + "$ref": "#/definitions/UUIDDatatype" + }, + "oscal-poam-oscal-metadata:party-uuid": { + "title": "Party Universally Unique Identifier Reference", + "description": "Reference to a party by UUID.", + "$id": "#field_oscal-metadata_party-uuid", + "$ref": "#/definitions/UUIDDatatype" + }, + "oscal-poam-oscal-metadata:role-id": { + "title": "Role Identifier Reference", + "description": "Reference to a role by UUID.", + "$id": "#field_oscal-metadata_role-id", + "$ref": "#/definitions/TokenDatatype" + }, + "oscal-poam-oscal-metadata:back-matter": { + "title": "Back matter", + "description": "A collection of resources that may be referenced from within the OSCAL document instance.", + "$id": "#assembly_oscal-metadata_back-matter", + "type": "object", + "properties": { + "resources": { + "type": "array", + "minItems": 1, + "items": { + "title": "Resource", + "description": "A resource associated with content in the containing document instance. A resource may be directly included in the document using base64 encoding or may point to one or more equivalent internet resources.", + "type": "object", + "properties": { + "uuid": { + "title": "Resource Universally Unique Identifier", + "description": "A unique identifier for a resource.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Resource Title", + "description": "An optional name given to the resource, which may be used by a tool for display and navigation.", + "type": "string" + }, + "description": { + "title": "Resource Description", + "description": "An optional short summary of the resource used to indicate the purpose of the resource.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "document-ids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_document-id" } + }, + "citation": { + "title": "Citation", + "description": "An optional citation consisting of end note text using structured markup.", + "type": "object", + "properties": { + "text": { + "title": "Citation Text", + "description": "A line of citation text.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + } + }, + "required": ["text"], + "additionalProperties": false + }, + "rlinks": { + "type": "array", + "minItems": 1, + "items": { + "title": "Resource link", + "description": "A URL-based pointer to an external resource with an optional hash for verification and change detection.", + "type": "object", + "properties": { + "href": { + "title": "Hypertext Reference", + "description": "A resolvable URL pointing to the referenced resource.", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "media-type": { + "title": "Media Type", + "description": "A label that indicates the nature of a resource, as a data serialization or format.", + "$ref": "#/definitions/StringDatatype" + }, + "hashes": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_hash" } + } + }, + "required": ["href"], + "additionalProperties": false + } + }, + "base64": { + "title": "Base64", + "description": "A resource encoded using the Base64 alphabet defined by RFC 2045.", + "type": "object", + "properties": { + "filename": { + "title": "File Name", + "description": "Name of the file before it was encoded as Base64 to be embedded in a resource. This is the name that will be assigned to the file when the file is decoded.", + "$ref": "#/definitions/TokenDatatype" + }, + "media-type": { + "title": "Media Type", + "description": "A label that indicates the nature of a resource, as a data serialization or format.", + "$ref": "#/definitions/StringDatatype" + }, + "value": { "$ref": "#/definitions/Base64Datatype" } + }, + "required": ["value"], + "additionalProperties": false + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid"], + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "oscal-poam-oscal-metadata:property": { + "title": "Property", + "description": "An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.", + "$id": "#assembly_oscal-metadata_property", + "type": "object", + "properties": { + "name": { + "title": "Property Name", + "description": "A textual label, within a namespace, that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.", + "$ref": "#/definitions/TokenDatatype" + }, + "uuid": { + "title": "Property Universally Unique Identifier", + "description": "A unique identifier for a property.", + "$ref": "#/definitions/UUIDDatatype" + }, + "ns": { + "title": "Property Namespace", + "description": "A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.", + "$ref": "#/definitions/URIDatatype" + }, + "value": { + "title": "Property Value", + "description": "Indicates the value of the attribute, characteristic, or quality.", + "$ref": "#/definitions/StringDatatype" + }, + "class": { + "title": "Property Class", + "description": "A textual label that provides a sub-type or characterization of the property's name.", + "$ref": "#/definitions/TokenDatatype" + }, + "group": { + "title": "Property Group", + "description": "An identifier for relating distinct sets of properties.", + "$ref": "#/definitions/TokenDatatype" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["name", "value"], + "additionalProperties": false + }, + "oscal-poam-oscal-metadata:link": { + "title": "Link", + "description": "A reference to a local or remote resource, that has a specific relation to the containing object.", + "$id": "#assembly_oscal-metadata_link", + "type": "object", + "properties": { + "href": { + "title": "Hypertext Reference", + "description": "A resolvable URL reference to a resource.", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "rel": { + "title": "Link Relation Type", + "description": "Describes the type of relationship provided by the link's hypertext reference. This can be an indicator of the link's purpose.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["reference"] } + ] + }, + "media-type": { + "title": "Media Type", + "description": "A label that indicates the nature of a resource, as a data serialization or format.", + "$ref": "#/definitions/StringDatatype" + }, + "resource-fragment": { + "title": "Resource Fragment", + "description": "In case where the href points to a back-matter/resource, this value will indicate the URI fragment to append to any rlink associated with the resource. This value MUST be URI encoded.", + "$ref": "#/definitions/StringDatatype" + }, + "text": { + "title": "Link Text", + "description": "A textual label to associate with the link, which may be used for presentation in a tool.", + "type": "string" + } + }, + "required": ["href"], + "additionalProperties": false + }, + "oscal-poam-oscal-metadata:responsible-party": { + "title": "Responsible Party", + "description": "A reference to a set of persons and/or organizations that have responsibility for performing the referenced role in the context of the containing object.", + "$id": "#assembly_oscal-metadata_responsible-party", + "type": "object", + "properties": { + "role-id": { + "title": "Responsible Role", + "description": "A reference to a role performed by a party.", + "$ref": "#/definitions/TokenDatatype" + }, + "party-uuids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_party-uuid" } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["role-id", "party-uuids"], + "additionalProperties": false + }, + "oscal-poam-oscal-metadata:action": { + "title": "Action", + "description": "An action applied by a role within a given party to the content.", + "$id": "#assembly_oscal-metadata_action", + "type": "object", + "properties": { + "uuid": { + "title": "Action Universally Unique Identifier", + "description": "A unique identifier that can be used to reference this defined action elsewhere in an OSCAL document. A UUID should be consistently used for a given location across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "date": { + "title": "Action Occurrence Date", + "description": "The date and time when the action occurred.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "type": { + "title": "Action Type", + "description": "The type of action documented by the assembly, such as an approval.", + "$ref": "#/definitions/TokenDatatype" + }, + "system": { + "title": "Action Type System", + "description": "Specifies the action type system used.", + "$ref": "#/definitions/URIDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-party" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "type", "system"], + "additionalProperties": false + }, + "oscal-poam-oscal-metadata:responsible-role": { + "title": "Responsible Role", + "description": "A reference to a role with responsibility for performing a function relative to the containing object, optionally associated with a set of persons and/or organizations that perform that role.", + "$id": "#assembly_oscal-metadata_responsible-role", + "type": "object", + "properties": { + "role-id": { + "title": "Responsible Role ID", + "description": "A human-oriented identifier reference to a role performed.", + "$ref": "#/definitions/TokenDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "party-uuids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_party-uuid" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["role-id"], + "additionalProperties": false + }, + "oscal-poam-oscal-metadata:hash": { + "title": "Hash", + "description": "A representation of a cryptographic digest generated over a resource using a specified hash algorithm.", + "$id": "#field_oscal-metadata_hash", + "type": "object", + "properties": { + "algorithm": { + "title": "Hash algorithm", + "description": "The digest method by which a hash is derived.", + "anyOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { + "enum": [ + "SHA-224", + "SHA-256", + "SHA-384", + "SHA-512", + "SHA3-224", + "SHA3-256", + "SHA3-384", + "SHA3-512" + ] + } + ] + }, + "value": { "$ref": "#/definitions/StringDatatype" } + }, + "required": ["value", "algorithm"], + "additionalProperties": false + }, + "oscal-poam-oscal-metadata:remarks": { + "title": "Remarks", + "description": "Additional commentary about the containing object.", + "$id": "#field_oscal-metadata_remarks", + "type": "string" + }, + "oscal-poam-oscal-metadata:published": { + "title": "Publication Timestamp", + "description": "The date and time the document was last made available.", + "$id": "#field_oscal-metadata_published", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "oscal-poam-oscal-metadata:last-modified": { + "title": "Last Modified Timestamp", + "description": "The date and time the document was last stored for later retrieval.", + "$id": "#field_oscal-metadata_last-modified", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "oscal-poam-oscal-metadata:version": { + "title": "Document Version", + "description": "Used to distinguish a specific revision of an OSCAL document from other previous and future versions.", + "$id": "#field_oscal-metadata_version", + "$ref": "#/definitions/StringDatatype" + }, + "oscal-poam-oscal-metadata:oscal-version": { + "title": "OSCAL Version", + "description": "The OSCAL model version the document was authored against and will conform to as valid.", + "$id": "#field_oscal-metadata_oscal-version", + "$ref": "#/definitions/StringDatatype" + }, + "oscal-poam-oscal-metadata:email-address": { + "title": "Email Address", + "description": "An email address as defined by RFC 5322 Section 3.4.1.", + "$id": "#field_oscal-metadata_email-address", + "$ref": "#/definitions/EmailAddressDatatype" + }, + "oscal-poam-oscal-metadata:telephone-number": { + "title": "Telephone Number", + "description": "A telephone service number as defined by ITU-T E.164.", + "$id": "#field_oscal-metadata_telephone-number", + "type": "object", + "properties": { + "type": { + "title": "type flag", + "description": "Indicates the type of phone number.", + "anyOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { "enum": ["home", "office", "mobile"] } + ] + }, + "number": { "$ref": "#/definitions/StringDatatype" } + }, + "required": ["number"], + "additionalProperties": false + }, + "oscal-poam-oscal-metadata:address": { + "title": "Address", + "description": "A postal address for the location.", + "$id": "#assembly_oscal-metadata_address", + "type": "object", + "properties": { + "type": { + "title": "Address Type", + "description": "Indicates the type of address.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["home", "work"] } + ] + }, + "addr-lines": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_addr-line" } + }, + "city": { + "title": "City", + "description": "City, town or geographical region for the mailing address.", + "$ref": "#/definitions/StringDatatype" + }, + "state": { + "title": "State", + "description": "State, province or analogous geographical region for a mailing address.", + "$ref": "#/definitions/StringDatatype" + }, + "postal-code": { + "title": "Postal Code", + "description": "Postal or ZIP code for mailing address.", + "$ref": "#/definitions/StringDatatype" + }, + "country": { + "title": "Country Code", + "description": "The ISO 3166-1 alpha-2 country code for the mailing address.", + "$ref": "#/definitions/StringDatatype" + } + }, + "additionalProperties": false + }, + "oscal-poam-oscal-metadata:addr-line": { + "title": "Address line", + "description": "A single line of an address.", + "$id": "#field_oscal-metadata_addr-line", + "$ref": "#/definitions/StringDatatype" + }, + "oscal-poam-oscal-metadata:document-id": { + "title": "Document Identifier", + "description": "A document identifier qualified by an identifier scheme.", + "$id": "#field_oscal-metadata_document-id", + "type": "object", + "properties": { + "scheme": { + "title": "Document Identification Scheme", + "description": "Qualifies the kind of document identifier using a URI. If the scheme is not provided the value of the element will be interpreted as a string of characters.", + "anyOf": [ + { "$ref": "#/definitions/URIDatatype" }, + + { "enum": ["http://www.doi.org/"] } + ] + }, + "identifier": { "$ref": "#/definitions/StringDatatype" } + }, + "required": ["identifier"], + "additionalProperties": false + }, + "oscal-poam-oscal-implementation-common:system-component": { + "title": "Component", + "description": "A defined component that can be part of an implemented system.", + "$id": "#assembly_oscal-implementation-common_system-component", + "type": "object", + "properties": { + "uuid": { + "title": "Component Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this component elsewhere in this or other OSCAL instances. The locally defined UUID of the component can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "type": { + "title": "Component Type", + "description": "A category describing the purpose of the component.", + "anyOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { + "enum": [ + "this-system", + "system", + "interconnection", + "software", + "hardware", + "service", + "policy", + "physical", + "process-procedure", + "plan", + "guidance", + "standard", + "validation", + "network" + ] + } + ] + }, + "title": { + "title": "Component Title", + "description": "A human readable name for the system component.", + "type": "string" + }, + "description": { + "title": "Component Description", + "description": "A description of the component, including information about its function.", + "type": "string" + }, + "purpose": { + "title": "Purpose", + "description": "A summary of the technological or business purpose of the component.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "status": { + "title": "Status", + "description": "Describes the operational status of the system component.", + "type": "object", + "properties": { + "state": { + "title": "State", + "description": "The operational status.", + "allOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { + "enum": [ + "under-development", + "operational", + "disposition", + "other" + ] + } + ] + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["state"], + "additionalProperties": false + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "protocols": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-implementation-common_protocol" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "type", "title", "description", "status"], + "additionalProperties": false + }, + "oscal-poam-oscal-implementation-common:protocol": { + "title": "Service Protocol Information", + "description": "Information about the protocol used to provide a service.", + "$id": "#assembly_oscal-implementation-common_protocol", + "type": "object", + "properties": { + "uuid": { + "title": "Service Protocol Information Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this service protocol information elsewhere in this or other OSCAL instances. The locally defined UUID of the service protocol can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "name": { + "title": "Protocol Name", + "description": "The common name of the protocol, which should be the appropriate \"service name\" from the IANA Service Name and Transport Protocol Port Number Registry.", + "$ref": "#/definitions/StringDatatype" + }, + "title": { + "title": "Protocol Title", + "description": "A human readable name for the protocol (e.g., Transport Layer Security).", + "type": "string" + }, + "port-ranges": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_port-range" + } + } + }, + "required": ["name"], + "additionalProperties": false + }, + "oscal-poam-oscal-implementation-common:port-range": { + "title": "Port Range", + "description": "Where applicable this is the IPv4 port range on which the service operates.", + "$id": "#assembly_oscal-implementation-common_port-range", + "type": "object", + "properties": { + "start": { + "title": "Start", + "description": "Indicates the starting port number in a port range", + "$ref": "#/definitions/NonNegativeIntegerDatatype" + }, + "end": { + "title": "End", + "description": "Indicates the ending port number in a port range", + "$ref": "#/definitions/NonNegativeIntegerDatatype" + }, + "transport": { + "title": "Transport", + "description": "Indicates the transport type.", + "allOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["TCP", "UDP"] } + ] + } + }, + "additionalProperties": false + }, + "oscal-poam-oscal-implementation-common:implementation-status": { + "title": "Implementation Status", + "description": "Indicates the degree to which the a given control is implemented.", + "$id": "#assembly_oscal-implementation-common_implementation-status", + "type": "object", + "properties": { + "state": { + "title": "Implementation State", + "description": "Identifies the implementation status of the control or control objective.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { + "enum": [ + "implemented", + "partial", + "planned", + "alternative", + "not-applicable" + ] + } + ] + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["state"], + "additionalProperties": false + }, + "oscal-poam-oscal-implementation-common:system-user": { + "title": "System User", + "description": "A type of user that interacts with the system based on an associated role.", + "$id": "#assembly_oscal-implementation-common_system-user", + "type": "object", + "properties": { + "uuid": { + "title": "User Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this user class elsewhere in this or other OSCAL instances. The locally defined UUID of the system user can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "User Title", + "description": "A name given to the user, which may be used by a tool for display and navigation.", + "type": "string" + }, + "short-name": { + "title": "User Short Name", + "description": "A short common name, abbreviation, or acronym for the user.", + "$ref": "#/definitions/StringDatatype" + }, + "description": { + "title": "User Description", + "description": "A summary of the user's purpose within the system.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "role-ids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_role-id" } + }, + "authorized-privileges": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_authorized-privilege" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid"], + "additionalProperties": false + }, + "oscal-poam-oscal-implementation-common:authorized-privilege": { + "title": "Privilege", + "description": "Identifies a specific system privilege held by the user, along with an associated description and/or rationale for the privilege.", + "$id": "#assembly_oscal-implementation-common_authorized-privilege", + "type": "object", + "properties": { + "title": { + "title": "Privilege Title", + "description": "A human readable name for the privilege.", + "type": "string" + }, + "description": { + "title": "Privilege Description", + "description": "A summary of the privilege's purpose within the system.", + "type": "string" + }, + "functions-performed": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#field_oscal-implementation-common_function-performed" + } + } + }, + "required": ["title", "functions-performed"], + "additionalProperties": false + }, + "oscal-poam-oscal-implementation-common:function-performed": { + "title": "Functions Performed", + "description": "Describes a function performed for a given authorized privilege by this user class.", + "$id": "#field_oscal-implementation-common_function-performed", + "$ref": "#/definitions/StringDatatype" + }, + "oscal-poam-oscal-implementation-common:inventory-item": { + "title": "Inventory Item", + "description": "A single managed inventory item within the system.", + "$id": "#assembly_oscal-implementation-common_inventory-item", + "type": "object", + "properties": { + "uuid": { + "title": "Inventory Item Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this inventory item elsewhere in this or other OSCAL instances. The locally defined UUID of the inventory item can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "description": { + "title": "Inventory Item Description", + "description": "A summary of the inventory item stating its purpose within the system.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-party" } + }, + "implemented-components": { + "type": "array", + "minItems": 1, + "items": { + "title": "Implemented Component", + "description": "The set of components that are implemented in a given system inventory item.", + "type": "object", + "properties": { + "component-uuid": { + "title": "Component Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to a component that is implemented as part of an inventory item.", + "$ref": "#/definitions/UUIDDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-metadata_responsible-party" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["component-uuid"], + "additionalProperties": false + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "description"], + "additionalProperties": false + }, + "oscal-poam-oscal-implementation-common:set-parameter": { + "title": "Set Parameter Value", + "description": "Identifies the parameter that will be set by the enclosed value.", + "$id": "#assembly_oscal-implementation-common_set-parameter", + "type": "object", + "properties": { + "param-id": { + "title": "Parameter ID", + "description": "A human-oriented reference to a parameter within a control, who's catalog has been imported into the current implementation context.", + "$ref": "#/definitions/TokenDatatype" + }, + "values": { + "type": "array", + "minItems": 1, + "items": { + "title": "Parameter Value", + "description": "A parameter value or set of values.", + "$ref": "#/definitions/StringDatatype" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["param-id", "values"], + "additionalProperties": false + }, + "oscal-poam-oscal-implementation-common:system-id": { + "title": "System Identification", + "description": "A human-oriented, globally unique identifier with cross-instance scope that can be used to reference this system identification property elsewhere in this or other OSCAL instances. When referencing an externally defined system identification, the system identification must be used in the context of the external / imported OSCAL instance (e.g., uri-reference). This string should be assigned per-subject, which means it should be consistently used to identify the same system across revisions of the document.", + "$id": "#field_oscal-implementation-common_system-id", + "type": "object", + "properties": { + "identifier-type": { + "title": "Identification System Type", + "description": "Identifies the identification system from which the provided identifier was assigned.", + "anyOf": [ + { "$ref": "#/definitions/URIDatatype" }, + + { + "enum": [ + "https://fedramp.gov", + "http://fedramp.gov/ns/oscal", + "https://ietf.org/rfc/rfc4122", + "http://ietf.org/rfc/rfc4122" + ] + } + ] + }, + "id": { "$ref": "#/definitions/StringDatatype" } + }, + "required": ["id"], + "additionalProperties": false + }, + "oscal-poam-oscal-control-common:part": { + "title": "Part", + "description": "An annotated, markup-based textual element of a control's or catalog group's definition, or a child of another part.", + "$id": "#assembly_oscal-control-common_part", + "type": "object", + "properties": { + "id": { + "title": "Part Identifier", + "description": "A unique identifier for the part.", + "$ref": "#/definitions/TokenDatatype" + }, + "name": { + "title": "Part Name", + "description": "A textual label that uniquely identifies the part's semantic type, which exists in a value space qualified by the ns.", + "$ref": "#/definitions/TokenDatatype" + }, + "ns": { + "title": "Part Namespace", + "description": "An optional namespace qualifying the part's name. This allows different organizations to associate distinct semantics with the same name.", + "$ref": "#/definitions/URIDatatype" + }, + "class": { + "title": "Part Class", + "description": "An optional textual providing a sub-type or characterization of the part's name, or a category to which the part belongs.", + "$ref": "#/definitions/TokenDatatype" + }, + "title": { + "title": "Part Title", + "description": "An optional name given to the part, which may be used by a tool for display and navigation.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "prose": { + "title": "Part Text", + "description": "Permits multiple paragraphs, lists, tables etc.", + "type": "string" + }, + "parts": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-control-common_part" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + } + }, + "required": ["name"], + "additionalProperties": false + }, + "oscal-poam-oscal-control-common:parameter": { + "title": "Parameter", + "description": "Parameters provide a mechanism for the dynamic assignment of value(s) in a control.", + "$id": "#assembly_oscal-control-common_parameter", + "type": "object", + "properties": { + "id": { + "title": "Parameter Identifier", + "description": "A unique identifier for the parameter.", + "$ref": "#/definitions/TokenDatatype" + }, + "class": { + "title": "Parameter Class", + "description": "A textual label that provides a characterization of the type, purpose, use or scope of the parameter.", + "$ref": "#/definitions/TokenDatatype" + }, + "depends-on": { + "title": "Depends on", + "description": "(deprecated) Another parameter invoking this one. This construct has been deprecated and should not be used.", + "$ref": "#/definitions/TokenDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "label": { + "title": "Parameter Label", + "description": "A short, placeholder name for the parameter, which can be used as a substitute for a value if no value is assigned.", + "type": "string" + }, + "usage": { + "title": "Parameter Usage Description", + "description": "Describes the purpose and use of a parameter.", + "type": "string" + }, + "constraints": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-control-common_parameter-constraint" + } + }, + "guidelines": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-control-common_parameter-guideline" + } + }, + "values": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-control-common_parameter-value" } + }, + "select": { + "$ref": "#assembly_oscal-control-common_parameter-selection" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["id"], + "additionalProperties": false + }, + "oscal-poam-oscal-control-common:parameter-constraint": { + "title": "Constraint", + "description": "A formal or informal expression of a constraint or test.", + "$id": "#assembly_oscal-control-common_parameter-constraint", + "type": "object", + "properties": { + "description": { + "title": "Constraint Description", + "description": "A textual summary of the constraint to be applied.", + "type": "string" + }, + "tests": { + "type": "array", + "minItems": 1, + "items": { + "title": "Constraint Test", + "description": "A test expression which is expected to be evaluated by a tool.", + "type": "object", + "properties": { + "expression": { + "title": "Constraint test", + "description": "A formal (executable) expression of a constraint.", + "$ref": "#/definitions/StringDatatype" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["expression"], + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "oscal-poam-oscal-control-common:parameter-guideline": { + "title": "Guideline", + "description": "A prose statement that provides a recommendation for the use of a parameter.", + "$id": "#assembly_oscal-control-common_parameter-guideline", + "type": "object", + "properties": { + "prose": { + "title": "Guideline Text", + "description": "Prose permits multiple paragraphs, lists, tables etc.", + "type": "string" + } + }, + "required": ["prose"], + "additionalProperties": false + }, + "oscal-poam-oscal-control-common:parameter-value": { + "title": "Parameter Value", + "description": "A parameter value or set of values.", + "$id": "#field_oscal-control-common_parameter-value", + "$ref": "#/definitions/StringDatatype" + }, + "oscal-poam-oscal-control-common:parameter-selection": { + "title": "Selection", + "description": "Presenting a choice among alternatives.", + "$id": "#assembly_oscal-control-common_parameter-selection", + "type": "object", + "properties": { + "how-many": { + "title": "Parameter Cardinality", + "description": "Describes the number of selections that must occur. Without this setting, only one value should be assumed to be permitted.", + "allOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["one", "one-or-more"] } + ] + }, + "choice": { + "type": "array", + "minItems": 1, + "items": { + "title": "Choice", + "description": "A value selection among several such options.", + "type": "string" + } + } + }, + "additionalProperties": false + }, + "oscal-poam-oscal-control-common:include-all": { + "title": "Include All", + "description": "Include all controls from the imported catalog or profile resources.", + "$id": "#assembly_oscal-control-common_include-all", + "type": "object", + "additionalProperties": false + }, + "oscal-poam-oscal-assessment-common:import-ssp": { + "title": "Import System Security Plan", + "description": "Used by the assessment plan and POA&M to import information about the system.", + "$id": "#assembly_oscal-assessment-common_import-ssp", + "type": "object", + "properties": { + "href": { + "title": "System Security Plan Reference", + "description": "A resolvable URL reference to the system security plan for the system being assessed.", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["href"], + "additionalProperties": false + }, + "oscal-poam-oscal-assessment-common:local-objective": { + "title": "Assessment-Specific Control Objective", + "description": "A local definition of a control objective for this assessment. Uses catalog syntax for control objective and assessment actions.", + "$id": "#assembly_oscal-assessment-common_local-objective", + "type": "object", + "properties": { + "control-id": { + "title": "Control Identifier Reference", + "description": "A reference to a control with a corresponding id value. When referencing an externally defined control, the Control Identifier Reference must be used in the context of the external / imported OSCAL instance (e.g., uri-reference).", + "$ref": "#/definitions/TokenDatatype" + }, + "description": { + "title": "Objective Description", + "description": "A human-readable description of this control objective.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "parts": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-control-common_part" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["control-id", "parts"], + "additionalProperties": false + }, + "oscal-poam-oscal-assessment-common:assessment-method": { + "title": "Assessment Method", + "description": "A local definition of a control objective. Uses catalog syntax for control objective and assessment activities.", + "$id": "#assembly_oscal-assessment-common_assessment-method", + "type": "object", + "properties": { + "uuid": { + "title": "Assessment Method Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment method elsewhere in this or other OSCAL instances. The locally defined UUID of the assessment method can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "description": { + "title": "Assessment Method Description", + "description": "A human-readable description of this assessment method.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "part": { "$ref": "#assembly_oscal-assessment-common_assessment-part" }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "part"], + "additionalProperties": false + }, + "oscal-poam-oscal-assessment-common:activity": { + "title": "Activity", + "description": "Identifies an assessment or related process that can be performed. In the assessment plan, this is an intended activity which may be associated with an assessment task. In the assessment results, this an activity that was actually performed as part of an assessment.", + "$id": "#assembly_oscal-assessment-common_activity", + "type": "object", + "properties": { + "uuid": { + "title": "Assessment Activity Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment activity elsewhere in this or other OSCAL instances. The locally defined UUID of the activity can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Included Activity Title", + "description": "The title for this included activity.", + "type": "string" + }, + "description": { + "title": "Included Activity Description", + "description": "A human-readable description of this included activity.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "steps": { + "type": "array", + "minItems": 1, + "items": { + "title": "Step", + "description": "Identifies an individual step in a series of steps related to an activity, such as an assessment test or examination procedure.", + "type": "object", + "properties": { + "uuid": { + "title": "Step Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this step elsewhere in this or other OSCAL instances. The locally defined UUID of the step (in a series of steps) can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Step Title", + "description": "The title for this step.", + "type": "string" + }, + "description": { + "title": "Step Description", + "description": "A human-readable description of this step.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "reviewed-controls": { + "$ref": "#assembly_oscal-assessment-common_reviewed-controls" + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "description"], + "additionalProperties": false + } + }, + "related-controls": { + "$ref": "#assembly_oscal-assessment-common_reviewed-controls" + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "description"], + "additionalProperties": false + }, + "oscal-poam-oscal-assessment-common:task": { + "title": "Task", + "description": "Represents a scheduled event or milestone, which may be associated with a series of assessment actions.", + "$id": "#assembly_oscal-assessment-common_task", + "type": "object", + "properties": { + "uuid": { + "title": "Task Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this task elsewhere in this or other OSCAL instances. The locally defined UUID of the task can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "type": { + "title": "Task Type", + "description": "The type of task.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["milestone", "action"] } + ] + }, + "title": { + "title": "Task Title", + "description": "The title for this task.", + "type": "string" + }, + "description": { + "title": "Task Description", + "description": "A human-readable description of this task.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "timing": { + "title": "Event Timing", + "description": "The timing under which the task is intended to occur.", + "type": "object", + "properties": { + "on-date": { + "title": "On Date Condition", + "description": "The task is intended to occur on the specified date.", + "type": "object", + "properties": { + "date": { + "title": "On Date Condition", + "description": "The task must occur on the specified date.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + } + }, + "required": ["date"], + "additionalProperties": false + }, + "within-date-range": { + "title": "On Date Range Condition", + "description": "The task is intended to occur within the specified date range.", + "type": "object", + "properties": { + "start": { + "title": "Start Date Condition", + "description": "The task must occur on or after the specified date.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "end": { + "title": "End Date Condition", + "description": "The task must occur on or before the specified date.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + } + }, + "required": ["start", "end"], + "additionalProperties": false + }, + "at-frequency": { + "title": "Frequency Condition", + "description": "The task is intended to occur at the specified frequency.", + "type": "object", + "properties": { + "period": { + "title": "Period", + "description": "The task must occur after the specified period has elapsed.", + "$ref": "#/definitions/PositiveIntegerDatatype" + }, + "unit": { + "title": "Time Unit", + "description": "The unit of time for the period.", + "allOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { + "enum": [ + "seconds", + "minutes", + "hours", + "days", + "months", + "years" + ] + } + ] + } + }, + "required": ["period", "unit"], + "additionalProperties": false + } + }, + "additionalProperties": false + }, + "dependencies": { + "type": "array", + "minItems": 1, + "items": { + "title": "Task Dependency", + "description": "Used to indicate that a task is dependent on another task.", + "type": "object", + "properties": { + "task-uuid": { + "title": "Task Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to a unique task.", + "$ref": "#/definitions/UUIDDatatype" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["task-uuid"], + "additionalProperties": false + } + }, + "tasks": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_task" } + }, + "associated-activities": { + "type": "array", + "minItems": 1, + "items": { + "title": "Associated Activity", + "description": "Identifies an individual activity to be performed as part of a task.", + "type": "object", + "properties": { + "activity-uuid": { + "title": "Activity Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to an activity defined in the list of activities.", + "$ref": "#/definitions/UUIDDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_assessment-subject" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["activity-uuid", "subjects"], + "additionalProperties": false + } + }, + "subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_assessment-subject" + } + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "type", "title"], + "additionalProperties": false + }, + "oscal-poam-oscal-assessment-common:reviewed-controls": { + "title": "Reviewed Controls and Control Objectives", + "description": "Identifies the controls being assessed and their control objectives.", + "$id": "#assembly_oscal-assessment-common_reviewed-controls", + "type": "object", + "properties": { + "description": { + "title": "Control Objective Description", + "description": "A human-readable description of control objectives.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "control-selections": { + "type": "array", + "minItems": 1, + "items": { + "title": "Assessed Controls", + "description": "Identifies the controls being assessed. In the assessment plan, these are the planned controls. In the assessment results, these are the actual controls, and reflects any changes from the plan.", + "type": "object", + "properties": { + "description": { + "title": "Assessed Controls Description", + "description": "A human-readable description of in-scope controls specified for assessment.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "include-all": { + "$ref": "#assembly_oscal-control-common_include-all" + }, + "include-controls": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_select-control-by-id" + } + }, + "exclude-controls": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_select-control-by-id" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "additionalProperties": false + } + }, + "control-objective-selections": { + "type": "array", + "minItems": 1, + "items": { + "title": "Referenced Control Objectives", + "description": "Identifies the control objectives of the assessment. In the assessment plan, these are the planned objectives. In the assessment results, these are the assessed objectives, and reflects any changes from the plan.", + "type": "object", + "properties": { + "description": { + "title": "Control Objectives Description", + "description": "A human-readable description of this collection of control objectives.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "include-all": { + "$ref": "#assembly_oscal-control-common_include-all" + }, + "include-objectives": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_select-objective-by-id" + } + }, + "exclude-objectives": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_select-objective-by-id" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "additionalProperties": false + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["control-selections"], + "additionalProperties": false + }, + "oscal-poam-oscal-assessment-common:select-control-by-id": { + "title": "Select Control", + "description": "Used to select a control for inclusion/exclusion based on one or more control identifiers. A set of statement identifiers can be used to target the inclusion/exclusion to only specific control statements providing more granularity over the specific statements that are within the asessment scope.", + "$id": "#assembly_oscal-assessment-common_select-control-by-id", + "type": "object", + "properties": { + "control-id": { + "title": "Control Identifier Reference", + "description": "A reference to a control with a corresponding id value. When referencing an externally defined control, the Control Identifier Reference must be used in the context of the external / imported OSCAL instance (e.g., uri-reference).", + "$ref": "#/definitions/TokenDatatype" + }, + "statement-ids": { + "type": "array", + "minItems": 1, + "items": { + "title": "Include Specific Statements", + "description": "Used to constrain the selection to only specificity identified statements.", + "$ref": "#/definitions/TokenDatatype" + } + } + }, + "required": ["control-id"], + "additionalProperties": false + }, + "oscal-poam-oscal-assessment-common:select-objective-by-id": { + "title": "Select Objective", + "description": "Used to select a control objective for inclusion/exclusion based on the control objective's identifier.", + "$id": "#assembly_oscal-assessment-common_select-objective-by-id", + "type": "object", + "properties": { + "objective-id": { + "title": "Objective ID", + "description": "Points to an assessment objective.", + "$ref": "#/definitions/TokenDatatype" + } + }, + "required": ["objective-id"], + "additionalProperties": false + }, + "oscal-poam-oscal-assessment-common:assessment-subject-placeholder": { + "title": "Assessment Subject Placeholder", + "description": "Used when the assessment subjects will be determined as part of one or more other assessment activities. These assessment subjects will be recorded in the assessment results in the assessment log.", + "$id": "#assembly_oscal-assessment-common_assessment-subject-placeholder", + "type": "object", + "properties": { + "uuid": { + "title": "Assessment Subject Placeholder Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier for a set of assessment subjects that will be identified by a task or an activity that is part of a task. The locally defined UUID of the assessment subject placeholder can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "description": { + "title": "Assessment Subject Placeholder Description", + "description": "A human-readable description of intent of this assessment subject placeholder.", + "type": "string" + }, + "sources": { + "type": "array", + "minItems": 1, + "items": { + "title": "Assessment Subject Source", + "description": "Assessment subjects will be identified while conducting the referenced activity-instance.", + "type": "object", + "properties": { + "task-uuid": { + "title": "Task Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference (in this or other OSCAL instances) an assessment activity to be performed as part of the event. The locally defined UUID of the task can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + } + }, + "required": ["task-uuid"], + "additionalProperties": false + } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "sources"], + "additionalProperties": false + }, + "oscal-poam-oscal-assessment-common:assessment-subject": { + "title": "Subject of Assessment", + "description": "Identifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies a planned assessment subject. In the assessment results this is an actual assessment subject, and reflects any changes from the plan. exactly what will be the focus of this assessment. Any subjects not identified in this way are out-of-scope.", + "$id": "#assembly_oscal-assessment-common_assessment-subject", + "type": "object", + "properties": { + "type": { + "title": "Subject Type", + "description": "Indicates the type of assessment subject, such as a component, inventory, item, location, or party represented by this selection statement.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { + "enum": [ + "component", + "inventory-item", + "location", + "party", + "user" + ] + } + ] + }, + "description": { + "title": "Include Subjects Description", + "description": "A human-readable description of the collection of subjects being included in this assessment.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "include-all": { "$ref": "#assembly_oscal-control-common_include-all" }, + "include-subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_select-subject-by-id" + } + }, + "exclude-subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_select-subject-by-id" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["type"], + "additionalProperties": false + }, + "oscal-poam-oscal-assessment-common:select-subject-by-id": { + "title": "Select Assessment Subject", + "description": "Identifies a set of assessment subjects to include/exclude by UUID.", + "$id": "#assembly_oscal-assessment-common_select-subject-by-id", + "type": "object", + "properties": { + "subject-uuid": { + "title": "Subject Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to a component, inventory-item, location, party, user, or resource using it's UUID.", + "$ref": "#/definitions/UUIDDatatype" + }, + "type": { + "title": "Subject Universally Unique Identifier Reference Type", + "description": "Used to indicate the type of object pointed to by the uuid-ref within a subject.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { + "enum": [ + "component", + "inventory-item", + "location", + "party", + "user", + "resource" + ] + } + ] + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["subject-uuid", "type"], + "additionalProperties": false + }, + "oscal-poam-oscal-assessment-common:subject-reference": { + "title": "Identifies the Subject", + "description": "A human-oriented identifier reference to a resource. Use type to indicate whether the identified resource is a component, inventory item, location, user, or something else.", + "$id": "#assembly_oscal-assessment-common_subject-reference", + "type": "object", + "properties": { + "subject-uuid": { + "title": "Subject Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to a component, inventory-item, location, party, user, or resource using it's UUID.", + "$ref": "#/definitions/UUIDDatatype" + }, + "type": { + "title": "Subject Universally Unique Identifier Reference Type", + "description": "Used to indicate the type of object pointed to by the uuid-ref within a subject.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { + "enum": [ + "component", + "inventory-item", + "location", + "party", + "user", + "resource" + ] + } + ] + }, + "title": { + "title": "Subject Reference Title", + "description": "The title or name for the referenced subject.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["subject-uuid", "type"], + "additionalProperties": false + }, + "oscal-poam-oscal-assessment-common:assessment-assets": { + "title": "Assessment Assets", + "description": "Identifies the assets used to perform this assessment, such as the assessment team, scanning tools, and assumptions.", + "$id": "#assembly_oscal-assessment-common_assessment-assets", + "type": "object", + "properties": { + "components": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_system-component" + } + }, + "assessment-platforms": { + "type": "array", + "minItems": 1, + "items": { + "title": "Assessment Platform", + "description": "Used to represent the toolset used to perform aspects of the assessment.", + "type": "object", + "properties": { + "uuid": { + "title": "Assessment Platform Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment platform elsewhere in this or other OSCAL instances. The locally defined UUID of the assessment platform can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Assessment Platform Title", + "description": "The title or name for the assessment platform.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "uses-components": { + "type": "array", + "minItems": 1, + "items": { + "title": "Uses Component", + "description": "The set of components that are used by the assessment platform.", + "type": "object", + "properties": { + "component-uuid": { + "title": "Component Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to a component that is implemented as part of an inventory item.", + "$ref": "#/definitions/UUIDDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-metadata_responsible-party" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["component-uuid"], + "additionalProperties": false + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid"], + "additionalProperties": false + } + } + }, + "required": ["assessment-platforms"], + "additionalProperties": false + }, + "oscal-poam-oscal-assessment-common:finding-target": { + "title": "Objective Status", + "description": "Captures an assessor's conclusions regarding the degree to which an objective is satisfied.", + "$id": "#assembly_oscal-assessment-common_finding-target", + "type": "object", + "properties": { + "type": { + "title": "Finding Target Type", + "description": "Identifies the type of the target.", + "allOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { "enum": ["statement-id", "objective-id"] } + ] + }, + "target-id": { + "title": "Finding Target Identifier Reference", + "description": "A machine-oriented identifier reference for a specific target qualified by the type.", + "$ref": "#/definitions/TokenDatatype" + }, + "title": { + "title": "Objective Status Title", + "description": "The title for this objective status.", + "type": "string" + }, + "description": { + "title": "Objective Status Description", + "description": "A human-readable description of the assessor's conclusions regarding the degree to which an objective is satisfied.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "status": { + "title": "Objective Status", + "description": "A determination of if the objective is satisfied or not within a given system.", + "type": "object", + "properties": { + "state": { + "title": "Objective Status State", + "description": "An indication as to whether the objective is satisfied or not.", + "allOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["satisfied", "not-satisfied"] } + ] + }, + "reason": { + "title": "Objective Status Reason", + "description": "The reason the objective was given it's status.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["pass", "fail", "other"] } + ] + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["state"], + "additionalProperties": false + }, + "implementation-status": { + "$ref": "#assembly_oscal-implementation-common_implementation-status" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["type", "target-id", "status"], + "additionalProperties": false + }, + "oscal-poam-oscal-assessment-common:finding": { + "title": "Finding", + "description": "Describes an individual finding.", + "$id": "#assembly_oscal-assessment-common_finding", + "type": "object", + "properties": { + "uuid": { + "title": "Finding Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this finding in this or other OSCAL instances. The locally defined UUID of the finding can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Finding Title", + "description": "The title for this finding.", + "type": "string" + }, + "description": { + "title": "Finding Description", + "description": "A human-readable description of this finding.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "origins": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_origin" } + }, + "target": { + "$ref": "#assembly_oscal-assessment-common_finding-target" + }, + "implementation-statement-uuid": { + "title": "Implementation Statement UUID", + "description": "A machine-oriented identifier reference to the implementation statement in the SSP to which this finding is related.", + "$ref": "#/definitions/UUIDDatatype" + }, + "related-observations": { + "type": "array", + "minItems": 1, + "items": { + "title": "Related Observation", + "description": "Relates the finding to a set of referenced observations that were used to determine the finding.", + "type": "object", + "properties": { + "observation-uuid": { + "title": "Observation Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to an observation defined in the list of observations.", + "$ref": "#/definitions/UUIDDatatype" + } + }, + "required": ["observation-uuid"], + "additionalProperties": false + } + }, + "related-risks": { + "type": "array", + "minItems": 1, + "items": { + "title": "Associated Risk", + "description": "Relates the finding to a set of referenced risks that were used to determine the finding.", + "type": "object", + "properties": { + "risk-uuid": { + "title": "Risk Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to a risk defined in the list of risks.", + "$ref": "#/definitions/UUIDDatatype" + } + }, + "required": ["risk-uuid"], + "additionalProperties": false + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "title", "description", "target"], + "additionalProperties": false + }, + "oscal-poam-oscal-assessment-common:observation": { + "title": "Observation", + "description": "Describes an individual observation.", + "$id": "#assembly_oscal-assessment-common_observation", + "type": "object", + "properties": { + "uuid": { + "title": "Observation Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this observation elsewhere in this or other OSCAL instances. The locally defined UUID of the observation can be used to reference the data item locally or globally (e.g., in an imorted OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Observation Title", + "description": "The title for this observation.", + "type": "string" + }, + "description": { + "title": "Observation Description", + "description": "A human-readable description of this assessment observation.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "methods": { + "type": "array", + "minItems": 1, + "items": { + "title": "Observation Method", + "description": "Identifies how the observation was made.", + "anyOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { "enum": ["EXAMINE", "INTERVIEW", "TEST", "UNKNOWN"] } + ] + } + }, + "types": { + "type": "array", + "minItems": 1, + "items": { + "title": "Observation Type", + "description": "Identifies the nature of the observation. More than one may be used to further qualify and enable filtering.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { + "enum": [ + "ssp-statement-issue", + "control-objective", + "mitigation", + "finding", + "historic" + ] + } + ] + } + }, + "origins": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_origin" } + }, + "subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_subject-reference" + } + }, + "relevant-evidence": { + "type": "array", + "minItems": 1, + "items": { + "title": "Relevant Evidence", + "description": "Links this observation to relevant evidence.", + "type": "object", + "properties": { + "href": { + "title": "Relevant Evidence Reference", + "description": "A resolvable URL reference to relevant evidence.", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "description": { + "title": "Relevant Evidence Description", + "description": "A human-readable description of this evidence.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["description"], + "additionalProperties": false + } + }, + "collected": { + "title": "Collected Field", + "description": "Date/time stamp identifying when the finding information was collected.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "expires": { + "title": "Expires Field", + "description": "Date/time identifying when the finding information is out-of-date and no longer valid. Typically used with continuous assessment scenarios.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "description", "methods", "collected"], + "additionalProperties": false + }, + "oscal-poam-oscal-assessment-common:origin": { + "title": "Origin", + "description": "Identifies the source of the finding, such as a tool, interviewed person, or activity.", + "$id": "#assembly_oscal-assessment-common_origin", + "type": "object", + "properties": { + "actors": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_origin-actor" } + }, + "related-tasks": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_related-task" } + } + }, + "required": ["actors"], + "additionalProperties": false + }, + "oscal-poam-oscal-assessment-common:origin-actor": { + "title": "Originating Actor", + "description": "The actor that produces an observation, a finding, or a risk. One or more actor type can be used to specify a person that is using a tool.", + "$id": "#assembly_oscal-assessment-common_origin-actor", + "type": "object", + "properties": { + "type": { + "title": "Actor Type", + "description": "The kind of actor.", + "allOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["tool", "assessment-platform", "party"] } + ] + }, + "actor-uuid": { + "title": "Actor Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to the tool or person based on the associated type.", + "$ref": "#/definitions/UUIDDatatype" + }, + "role-id": { + "title": "Actor Role", + "description": "For a party, this can optionally be used to specify the role the actor was performing.", + "$ref": "#/definitions/TokenDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + } + }, + "required": ["type", "actor-uuid"], + "additionalProperties": false + }, + "oscal-poam-oscal-assessment-common:related-task": { + "title": "Task Reference", + "description": "Identifies an individual task for which the containing object is a consequence of.", + "$id": "#assembly_oscal-assessment-common_related-task", + "type": "object", + "properties": { + "task-uuid": { + "title": "Task Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to a unique task.", + "$ref": "#/definitions/UUIDDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-party" } + }, + "subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_assessment-subject" + } + }, + "identified-subject": { + "title": "Identified Subject", + "description": "Used to detail assessment subjects that were identfied by this task.", + "type": "object", + "properties": { + "subject-placeholder-uuid": { + "title": "Assessment Subject Placeholder Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to a unique assessment subject placeholder defined by this task.", + "$ref": "#/definitions/UUIDDatatype" + }, + "subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_assessment-subject" + } + } + }, + "required": ["subject-placeholder-uuid", "subjects"], + "additionalProperties": false + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["task-uuid"], + "additionalProperties": false + }, + "oscal-poam-oscal-assessment-common:threat-id": { + "title": "Threat ID", + "description": "A pointer, by ID, to an externally-defined threat.", + "$id": "#field_oscal-assessment-common_threat-id", + "type": "object", + "properties": { + "system": { + "title": "Threat Type Identification System", + "description": "Specifies the source of the threat information.", + "anyOf": [ + { "$ref": "#/definitions/URIDatatype" }, + + { "enum": ["http://fedramp.gov", "http://fedramp.gov/ns/oscal"] } + ] + }, + "href": { + "title": "Threat Information Resource Reference", + "description": "An optional location for the threat data, from which this ID originates.", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "id": { "$ref": "#/definitions/URIDatatype" } + }, + "required": ["id", "system"], + "additionalProperties": false + }, + "oscal-poam-oscal-assessment-common:risk": { + "title": "Identified Risk", + "description": "An identified risk.", + "$id": "#assembly_oscal-assessment-common_risk", + "type": "object", + "properties": { + "uuid": { + "title": "Risk Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this risk elsewhere in this or other OSCAL instances. The locally defined UUID of the risk can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Risk Title", + "description": "The title for this risk.", + "type": "string" + }, + "description": { + "title": "Risk Description", + "description": "A human-readable summary of the identified risk, to include a statement of how the risk impacts the system.", + "type": "string" + }, + "statement": { + "title": "Risk Statement", + "description": "An summary of impact for how the risk affects the system.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "status": { "$ref": "#field_oscal-assessment-common_risk-status" }, + "origins": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_origin" } + }, + "threat-ids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-assessment-common_threat-id" } + }, + "characterizations": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_characterization" + } + }, + "mitigating-factors": { + "type": "array", + "minItems": 1, + "items": { + "title": "Mitigating Factor", + "description": "Describes an existing mitigating factor that may affect the overall determination of the risk, with an optional link to an implementation statement in the SSP.", + "type": "object", + "properties": { + "uuid": { + "title": "Mitigating Factor Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this mitigating factor elsewhere in this or other OSCAL instances. The locally defined UUID of the mitigating factor can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "implementation-uuid": { + "title": "Implementation UUID", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this implementation statement elsewhere in this or other OSCAL instancess. The locally defined UUID of the implementation statement can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "description": { + "title": "Mitigating Factor Description", + "description": "A human-readable description of this mitigating factor.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_subject-reference" + } + } + }, + "required": ["uuid", "description"], + "additionalProperties": false + } + }, + "deadline": { + "title": "Risk Resolution Deadline", + "description": "The date/time by which the risk must be resolved.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "remediations": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_response" } + }, + "risk-log": { + "title": "Risk Log", + "description": "A log of all risk-related tasks taken.", + "type": "object", + "properties": { + "entries": { + "type": "array", + "minItems": 1, + "items": { + "title": "Risk Log Entry", + "description": "Identifies an individual risk response that occurred as part of managing an identified risk.", + "type": "object", + "properties": { + "uuid": { + "title": "Risk Log Entry Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this risk log entry elsewhere in this or other OSCAL instances. The locally defined UUID of the risk log entry can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Title", + "description": "The title for this risk log entry.", + "type": "string" + }, + "description": { + "title": "Risk Task Description", + "description": "A human-readable description of what was done regarding the risk.", + "type": "string" + }, + "start": { + "title": "Start", + "description": "Identifies the start date and time of the event.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "end": { + "title": "End", + "description": "Identifies the end date and time of the event. If the event is a point in time, the start and end will be the same date and time.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "logged-by": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_logged-by" + } + }, + "status-change": { + "$ref": "#field_oscal-assessment-common_risk-status" + }, + "related-responses": { + "type": "array", + "minItems": 1, + "items": { + "title": "Risk Response Reference", + "description": "Identifies an individual risk response that this log entry is for.", + "type": "object", + "properties": { + "response-uuid": { + "title": "Response Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to a unique risk response.", + "$ref": "#/definitions/UUIDDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-metadata_property" + } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "related-tasks": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_related-task" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["response-uuid"], + "additionalProperties": false + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "start"], + "additionalProperties": false + } + } + }, + "required": ["entries"], + "additionalProperties": false + }, + "related-observations": { + "type": "array", + "minItems": 1, + "items": { + "title": "Related Observation", + "description": "Relates the finding to a set of referenced observations that were used to determine the finding.", + "type": "object", + "properties": { + "observation-uuid": { + "title": "Observation Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to an observation defined in the list of observations.", + "$ref": "#/definitions/UUIDDatatype" + } + }, + "required": ["observation-uuid"], + "additionalProperties": false + } + } + }, + "required": ["uuid", "title", "description", "statement", "status"], + "additionalProperties": false + }, + "oscal-poam-oscal-assessment-common:logged-by": { + "title": "Logged By", + "description": "Used to indicate who created a log entry in what role.", + "$id": "#assembly_oscal-assessment-common_logged-by", + "type": "object", + "properties": { + "party-uuid": { + "title": "Party UUID Reference", + "description": "A machine-oriented identifier reference to the party who is making the log entry.", + "$ref": "#/definitions/UUIDDatatype" + }, + "role-id": { + "title": "Actor Role", + "description": "A point to the role-id of the role in which the party is making the log entry.", + "$ref": "#/definitions/TokenDatatype" + } + }, + "required": ["party-uuid"], + "additionalProperties": false + }, + "oscal-poam-oscal-assessment-common:risk-status": { + "title": "Risk Status", + "description": "Describes the status of the associated risk.", + "$id": "#field_oscal-assessment-common_risk-status", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { + "enum": [ + "open", + "investigating", + "remediating", + "deviation-requested", + "deviation-approved", + "closed" + ] + } + ] + }, + "oscal-poam-oscal-assessment-common:characterization": { + "title": "Characterization", + "description": "A collection of descriptive data about the containing object from a specific origin.", + "$id": "#assembly_oscal-assessment-common_characterization", + "type": "object", + "properties": { + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "origin": { "$ref": "#assembly_oscal-assessment-common_origin" }, + "facets": { + "type": "array", + "minItems": 1, + "items": { + "title": "Facet", + "description": "An individual characteristic that is part of a larger set produced by the same actor.", + "type": "object", + "properties": { + "name": { + "title": "Facet Name", + "description": "The name of the risk metric within the specified system.", + "$ref": "#/definitions/TokenDatatype" + }, + "system": { + "title": "Naming System", + "description": "Specifies the naming system under which this risk metric is organized, which allows for the same names to be used in different systems controlled by different parties. This avoids the potential of a name clash.", + "anyOf": [ + { "$ref": "#/definitions/URIDatatype" }, + + { + "enum": [ + "http://fedramp.gov", + "http://fedramp.gov/ns/oscal", + "http://csrc.nist.gov/ns/oscal", + "http://csrc.nist.gov/ns/oscal/unknown", + "http://cve.mitre.org", + "http://www.first.org/cvss/v2.0", + "http://www.first.org/cvss/v3.0", + "http://www.first.org/cvss/v3.1" + ] + } + ] + }, + "value": { + "title": "Facet Value", + "description": "Indicates the value of the facet.", + "$ref": "#/definitions/StringDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["name", "system", "value"], + "additionalProperties": false + } + } + }, + "required": ["origin", "facets"], + "additionalProperties": false + }, + "oscal-poam-oscal-assessment-common:response": { + "title": "Risk Response", + "description": "Describes either recommended or an actual plan for addressing the risk.", + "$id": "#assembly_oscal-assessment-common_response", + "type": "object", + "properties": { + "uuid": { + "title": "Remediation Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this remediation elsewhere in this or other OSCAL instances. The locally defined UUID of the risk response can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "lifecycle": { + "title": "Remediation Intent", + "description": "Identifies whether this is a recommendation, such as from an assessor or tool, or an actual plan accepted by the system owner.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["recommendation", "planned", "completed"] } + ] + }, + "title": { + "title": "Response Title", + "description": "The title for this response activity.", + "type": "string" + }, + "description": { + "title": "Response Description", + "description": "A human-readable description of this response plan.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "origins": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_origin" } + }, + "required-assets": { + "type": "array", + "minItems": 1, + "items": { + "title": "Required Asset", + "description": "Identifies an asset required to achieve remediation.", + "type": "object", + "properties": { + "uuid": { + "title": "Required Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this required asset elsewhere in this or other OSCAL instances. The locally defined UUID of the asset can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_subject-reference" + } + }, + "title": { + "title": "Title for Required Asset", + "description": "The title for this required asset.", + "type": "string" + }, + "description": { + "title": "Description of Required Asset", + "description": "A human-readable description of this required asset.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "description"], + "additionalProperties": false + } + }, + "tasks": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_task" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "lifecycle", "title", "description"], + "additionalProperties": false + }, + "oscal-poam-oscal-assessment-common:assessment-part": { + "title": "Assessment Part", + "description": "A partition of an assessment plan or results or a child of another part.", + "$id": "#assembly_oscal-assessment-common_assessment-part", + "type": "object", + "properties": { + "uuid": { + "title": "Part Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this part elsewhere in this or other OSCAL instances. The locally defined UUID of the part can be used to reference the data item locally or globally (e.g., in an ported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "name": { + "title": "Part Name", + "description": "A textual label that uniquely identifies the part's semantic type.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["asset", "method", "objective"] } + ] + }, + "ns": { + "title": "Part Namespace", + "description": "A namespace qualifying the part's name. This allows different organizations to associate distinct semantics with the same name.", + "$ref": "#/definitions/URIDatatype" + }, + "class": { + "title": "Part Class", + "description": "A textual label that provides a sub-type or characterization of the part's name. This can be used to further distinguish or discriminate between the semantics of multiple parts of the same control with the same name and ns.", + "$ref": "#/definitions/TokenDatatype" + }, + "title": { + "title": "Part Title", + "description": "A name given to the part, which may be used by a tool for display and navigation.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "prose": { + "title": "Part Text", + "description": "Permits multiple paragraphs, lists, tables etc.", + "type": "string" + }, + "parts": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_assessment-part" + } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + } + }, + "required": ["name"], + "additionalProperties": false + }, + "Base64Datatype": { + "description": "Binary data encoded using the Base 64 encoding algorithm as defined by RFC4648.", + "type": "string", + "pattern": "^[0-9A-Za-z+/]+={0,2}$", + "contentEncoding": "base64" + }, + "DateTimeWithTimezoneDatatype": { + "description": "A string representing a point in time with a required timezone.", + "type": "string", + "format": "date-time", + "pattern": "^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|(-((0[0-9]|1[0-2]):00|0[39]:30)|\\+((0[0-9]|1[0-4]):00|(0[34569]|10):30|(0[58]|12):45)))$" + }, + "EmailAddressDatatype": { + "description": "An email address string formatted according to RFC 6531.", + "allOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { "type": "string", "format": "email", "pattern": "^.+@.+$" } + ] + }, + "IntegerDatatype": { + "description": "A whole number value.", + "type": "integer" + }, + "NonNegativeIntegerDatatype": { + "description": "An integer value that is equal to or greater than 0.", + "allOf": [ + { "$ref": "#/definitions/IntegerDatatype" }, + + { "type": "number", "minimum": 0 } + ] + }, + "PositiveIntegerDatatype": { + "description": "An integer value that is greater than 0.", + "allOf": [ + { "$ref": "#/definitions/IntegerDatatype" }, + + { "type": "number", "minimum": 1 } + ] + }, + "StringDatatype": { + "description": "A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, U+10, U+32 or [ \n\t]+", + "type": "string", + "pattern": "^\\S(.*\\S)?$" + }, + "TokenDatatype": { + "description": "A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. https://www.w3.org/TR/xmlschema11-2/#NCName.", + "type": "string", + "pattern": "^(\\p{L}|_)(\\p{L}|\\p{N}|[.\\-_])*$" + }, + "URIDatatype": { + "description": "A universal resource identifier (URI) formatted according to RFC3986.", + "type": "string", + "format": "uri", + "pattern": "^[a-zA-Z][a-zA-Z0-9+\\-.]+:.+$" + }, + "URIReferenceDatatype": { + "description": "A URI Reference, either a URI or a relative-reference, formatted according to section 4.1 of RFC3986.", + "type": "string", + "format": "uri-reference" + }, + "UUIDDatatype": { + "description": "A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + } + }, + "properties": { + "$schema": { "$ref": "#json-schema-directive" }, + "plan-of-action-and-milestones": { + "$ref": "#assembly_oscal-poam_plan-of-action-and-milestones" + } + }, + "required": ["plan-of-action-and-milestones"], + "additionalProperties": false +} diff --git a/roscal_lib/jsonschema/tracking_latest_models/oscal_profile_schema.json b/roscal_lib/jsonschema/tracking_latest_models/oscal_profile_schema.json new file mode 100644 index 0000000..defc773 --- /dev/null +++ b/roscal_lib/jsonschema/tracking_latest_models/oscal_profile_schema.json @@ -0,0 +1,1482 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "http://csrc.nist.gov/ns/oscal/1.1.2/oscal-profile-schema.json", + "$comment": "OSCAL Profile Model: JSON Schema", + "type": "object", + "definitions": { + "json-schema-directive": { + "title": "Schema Directive", + "description": "A JSON Schema directive to bind a specific schema to its document instance.", + "$id": "#json-schema-directive", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "oscal-profile-oscal-profile:profile": { + "title": "Profile", + "description": "Each OSCAL profile is defined by a profile element.", + "$id": "#assembly_oscal-profile_profile", + "type": "object", + "properties": { + "uuid": { + "title": "Profile Universally Unique Identifier", + "description": "Provides a globally unique means to identify a given profile instance.", + "$ref": "#/definitions/UUIDDatatype" + }, + "metadata": { "$ref": "#assembly_oscal-metadata_metadata" }, + "imports": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-profile_import" } + }, + "merge": { "$ref": "#assembly_oscal-profile_merge" }, + "modify": { "$ref": "#assembly_oscal-profile_modify" }, + "back-matter": { "$ref": "#assembly_oscal-metadata_back-matter" } + }, + "required": ["uuid", "metadata", "imports"], + "additionalProperties": false + }, + "oscal-profile-oscal-profile:import": { + "title": "Import Resource", + "description": "Designates a referenced source catalog or profile that provides a source of control information for use in creating a new overlay or baseline.", + "$id": "#assembly_oscal-profile_import", + "type": "object", + "properties": { + "href": { + "title": "Catalog or Profile Reference", + "description": "A resolvable URL reference to the base catalog or profile that this profile is tailoring.", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "include-all": { "$ref": "#assembly_oscal-control-common_include-all" }, + "include-controls": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-profile_select-control-by-id" } + }, + "exclude-controls": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-profile_select-control-by-id" } + } + }, + "required": ["href"], + "additionalProperties": false + }, + "oscal-profile-oscal-profile:merge": { + "title": "Merge Controls", + "description": "Provides structuring directives that instruct how controls are organized after profile resolution.", + "$id": "#assembly_oscal-profile_merge", + "type": "object", + "properties": { + "combine": { + "title": "Combination Rule", + "description": "A Combine element defines how to resolve duplicate instances of the same control (e.g., controls with the same ID).", + "type": "object", + "properties": { + "method": { + "title": "Combination Method", + "description": "Declare how clashing controls should be handled.", + "allOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { "enum": ["use-first", "merge", "keep"] } + ] + } + }, + "additionalProperties": false + }, + "flat": { + "title": "Flat Without Grouping", + "description": "Directs that controls appear without any grouping structure.", + "type": "object", + "additionalProperties": false + }, + "as-is": { + "title": "Group As-Is", + "description": "Indicates that the controls selected should retain their original grouping as defined in the import source.", + "$ref": "#/definitions/BooleanDatatype" + }, + "custom": { + "title": "Custom Grouping", + "description": "Provides an alternate grouping structure that selected controls will be placed in.", + "type": "object", + "properties": { + "groups": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-profile_group" } + }, + "insert-controls": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-profile_insert-controls" } + } + }, + "additionalProperties": false + } + }, + "additionalProperties": false + }, + "oscal-profile-oscal-profile:group": { + "title": "Control Group", + "description": "A group of (selected) controls or of groups of controls.", + "$id": "#assembly_oscal-profile_group", + "type": "object", + "properties": { + "id": { + "title": "Group Identifier", + "description": "Identifies the group.", + "$ref": "#/definitions/TokenDatatype" + }, + "class": { + "title": "Group Class", + "description": "A textual label that provides a sub-type or characterization of the group.", + "$ref": "#/definitions/TokenDatatype" + }, + "title": { + "title": "Group Title", + "description": "A name to be given to the group for use in display.", + "type": "string" + }, + "params": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-control-common_parameter" } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "parts": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-control-common_part" } + }, + "groups": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-profile_group" } + }, + "insert-controls": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-profile_insert-controls" } + } + }, + "required": ["title"], + "additionalProperties": false + }, + "oscal-profile-oscal-profile:modify": { + "title": "Modify Controls", + "description": "Set parameters or amend controls in resolution.", + "$id": "#assembly_oscal-profile_modify", + "type": "object", + "properties": { + "set-parameters": { + "type": "array", + "minItems": 1, + "items": { + "title": "Parameter Setting", + "description": "A parameter setting, to be propagated to points of insertion.", + "type": "object", + "properties": { + "param-id": { + "title": "Parameter ID", + "description": "An identifier for the parameter.", + "$ref": "#/definitions/TokenDatatype" + }, + "class": { + "title": "Parameter Class", + "description": "A textual label that provides a characterization of the parameter.", + "$ref": "#/definitions/TokenDatatype" + }, + "depends-on": { + "title": "Depends On", + "description": "**(deprecated)** Another parameter invoking this one. This construct has been deprecated and should not be used.", + "$ref": "#/definitions/TokenDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "label": { + "title": "Parameter Label", + "description": "A short, placeholder name for the parameter, which can be used as a substitute for a value if no value is assigned.", + "type": "string" + }, + "usage": { + "title": "Parameter Usage Description", + "description": "Describes the purpose and use of a parameter.", + "type": "string" + }, + "constraints": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-control-common_parameter-constraint" + } + }, + "guidelines": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-control-common_parameter-guideline" + } + }, + "values": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#field_oscal-control-common_parameter-value" + } + }, + "select": { + "$ref": "#assembly_oscal-control-common_parameter-selection" + } + }, + "required": ["param-id"], + "additionalProperties": false + } + }, + "alters": { + "type": "array", + "minItems": 1, + "items": { + "title": "Alteration", + "description": "Specifies changes to be made to an included control when a profile is resolved.", + "type": "object", + "properties": { + "control-id": { + "title": "Control Identifier Reference", + "description": "A reference to a control with a corresponding id value. When referencing an externally defined control, the Control Identifier Reference must be used in the context of the external / imported OSCAL instance (e.g., uri-reference).", + "$ref": "#/definitions/TokenDatatype" + }, + "removes": { + "type": "array", + "minItems": 1, + "items": { + "title": "Removal", + "description": "Specifies objects to be removed from a control based on specific aspects of the object that must all match.", + "type": "object", + "properties": { + "by-name": { + "title": "Reference by (assigned) name", + "description": "Identify items remove by matching their assigned name.", + "$ref": "#/definitions/TokenDatatype" + }, + "by-class": { + "title": "Reference by class", + "description": "Identify items to remove by matching their class.", + "$ref": "#/definitions/TokenDatatype" + }, + "by-id": { + "title": "Reference by ID", + "description": "Identify items to remove indicated by their id.", + "$ref": "#/definitions/TokenDatatype" + }, + "by-item-name": { + "title": "Item Name Reference", + "description": "Identify items to remove by the name of the item's information object name, e.g. title or prop.", + "allOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { + "enum": [ + "param", + "prop", + "link", + "part", + "mapping", + "map" + ] + } + ] + }, + "by-ns": { + "title": "Item Namespace Reference", + "description": "Identify items to remove by the item's ns, which is the namespace associated with a part, or prop.", + "$ref": "#/definitions/TokenDatatype" + } + }, + "additionalProperties": false + } + }, + "adds": { + "type": "array", + "minItems": 1, + "items": { + "title": "Addition", + "description": "Specifies contents to be added into controls, in resolution.", + "type": "object", + "properties": { + "position": { + "title": "Position", + "description": "Where to add the new content with respect to the targeted element (beside it or inside it).", + "allOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["before", "after", "starting", "ending"] } + ] + }, + "by-id": { + "title": "Reference by ID", + "description": "Target location of the addition.", + "$ref": "#/definitions/TokenDatatype" + }, + "title": { + "title": "Title Change", + "description": "A name given to the control, which may be used by a tool for display and navigation.", + "type": "string" + }, + "params": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-control-common_parameter" + } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "parts": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-control-common_part" } + } + }, + "additionalProperties": false + } + } + }, + "required": ["control-id"], + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "oscal-profile-oscal-profile:insert-controls": { + "title": "Insert Controls", + "description": "Specifies which controls to use in the containing context.", + "$id": "#assembly_oscal-profile_insert-controls", + "type": "object", + "properties": { + "order": { + "title": "Order", + "description": "A designation of how a selection of controls in a profile is to be ordered.", + "allOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["keep", "ascending", "descending"] } + ] + }, + "include-all": { "$ref": "#assembly_oscal-control-common_include-all" }, + "include-controls": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-profile_select-control-by-id" } + }, + "exclude-controls": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-profile_select-control-by-id" } + } + }, + "additionalProperties": false + }, + "oscal-profile-oscal-profile:select-control-by-id": { + "title": "Select Control", + "description": "Select a control or controls from an imported control set.", + "$id": "#assembly_oscal-profile_select-control-by-id", + "type": "object", + "properties": { + "with-child-controls": { + "title": "Include Contained Controls with Control", + "description": "When a control is included, whether its child (dependent) controls are also included.", + "allOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["yes", "no"] } + ] + }, + "with-ids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-profile_with-id" } + }, + "matching": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-profile_matching" } + } + }, + "additionalProperties": false + }, + "oscal-profile-oscal-profile:with-id": { + "title": "Match Controls by Identifier", + "description": "Selecting a control by its ID given as a literal.", + "$id": "#field_oscal-profile_with-id", + "$ref": "#/definitions/TokenDatatype" + }, + "oscal-profile-oscal-profile:matching": { + "title": "Match Controls by Pattern", + "description": "Selecting a set of controls by matching their IDs with a wildcard pattern.", + "$id": "#assembly_oscal-profile_matching", + "type": "object", + "properties": { + "pattern": { + "title": "Pattern", + "description": "A glob expression matching the IDs of one or more controls to be selected.", + "$ref": "#/definitions/StringDatatype" + } + }, + "additionalProperties": false + }, + "oscal-profile-oscal-metadata:metadata": { + "title": "Document Metadata", + "description": "Provides information about the containing document, and defines concepts that are shared across the document.", + "$id": "#assembly_oscal-metadata_metadata", + "type": "object", + "properties": { + "title": { + "title": "Document Title", + "description": "A name given to the document, which may be used by a tool for display and navigation.", + "type": "string" + }, + "published": { "$ref": "#field_oscal-metadata_published" }, + "last-modified": { "$ref": "#field_oscal-metadata_last-modified" }, + "version": { "$ref": "#field_oscal-metadata_version" }, + "oscal-version": { "$ref": "#field_oscal-metadata_oscal-version" }, + "revisions": { + "type": "array", + "minItems": 1, + "items": { + "title": "Revision History Entry", + "description": "An entry in a sequential list of revisions to the containing document, expected to be in reverse chronological order (i.e. latest first).", + "type": "object", + "properties": { + "title": { + "title": "Document Title", + "description": "A name given to the document revision, which may be used by a tool for display and navigation.", + "type": "string" + }, + "published": { "$ref": "#field_oscal-metadata_published" }, + "last-modified": { + "$ref": "#field_oscal-metadata_last-modified" + }, + "version": { "$ref": "#field_oscal-metadata_version" }, + "oscal-version": { + "$ref": "#field_oscal-metadata_oscal-version" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["version"], + "additionalProperties": false + } + }, + "document-ids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_document-id" } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "roles": { + "type": "array", + "minItems": 1, + "items": { + "title": "Role", + "description": "Defines a function, which might be assigned to a party in a specific situation.", + "type": "object", + "properties": { + "id": { + "title": "Role Identifier", + "description": "A unique identifier for the role.", + "$ref": "#/definitions/TokenDatatype" + }, + "title": { + "title": "Role Title", + "description": "A name given to the role, which may be used by a tool for display and navigation.", + "type": "string" + }, + "short-name": { + "title": "Role Short Name", + "description": "A short common name, abbreviation, or acronym for the role.", + "$ref": "#/definitions/StringDatatype" + }, + "description": { + "title": "Role Description", + "description": "A summary of the role's purpose and associated responsibilities.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["id", "title"], + "additionalProperties": false + } + }, + "locations": { + "type": "array", + "minItems": 1, + "items": { + "title": "Location", + "description": "A physical point of presence, which may be associated with people, organizations, or other concepts within the current or linked OSCAL document.", + "type": "object", + "properties": { + "uuid": { + "title": "Location Universally Unique Identifier", + "description": "A unique ID for the location, for reference.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Location Title", + "description": "A name given to the location, which may be used by a tool for display and navigation.", + "type": "string" + }, + "address": { "$ref": "#assembly_oscal-metadata_address" }, + "email-addresses": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_email-address" } + }, + "telephone-numbers": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_telephone-number" } + }, + "urls": { + "type": "array", + "minItems": 1, + "items": { + "title": "Location URL", + "description": "The uniform resource locator (URL) for a web site or other resource associated with the location.", + "$ref": "#/definitions/URIDatatype" + } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid"], + "additionalProperties": false + } + }, + "parties": { + "type": "array", + "minItems": 1, + "items": { + "title": "Party", + "description": "An organization or person, which may be associated with roles or other concepts within the current or linked OSCAL document.", + "type": "object", + "properties": { + "uuid": { + "title": "Party Universally Unique Identifier", + "description": "A unique identifier for the party.", + "$ref": "#/definitions/UUIDDatatype" + }, + "type": { + "title": "Party Type", + "description": "A category describing the kind of party the object describes.", + "allOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { "enum": ["person", "organization"] } + ] + }, + "name": { + "title": "Party Name", + "description": "The full name of the party. This is typically the legal name associated with the party.", + "$ref": "#/definitions/StringDatatype" + }, + "short-name": { + "title": "Party Short Name", + "description": "A short common name, abbreviation, or acronym for the party.", + "$ref": "#/definitions/StringDatatype" + }, + "external-ids": { + "type": "array", + "minItems": 1, + "items": { + "title": "Party External Identifier", + "description": "An identifier for a person or organization using a designated scheme. e.g. an Open Researcher and Contributor ID (ORCID).", + "type": "object", + "properties": { + "scheme": { + "title": "External Identifier Schema", + "description": "Indicates the type of external identifier.", + "anyOf": [ + { "$ref": "#/definitions/URIDatatype" }, + + { "enum": ["http://orcid.org/"] } + ] + }, + "id": { "$ref": "#/definitions/StringDatatype" } + }, + "required": ["id", "scheme"], + "additionalProperties": false + } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "email-addresses": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_email-address" } + }, + "telephone-numbers": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_telephone-number" } + }, + "addresses": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_address" } + }, + "location-uuids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_location-uuid" } + }, + "member-of-organizations": { + "type": "array", + "minItems": 1, + "items": { + "title": "Organizational Affiliation", + "description": "A reference to another party by UUID, typically an organization, that this subject is associated with.", + "$ref": "#/definitions/UUIDDatatype" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "type"], + "additionalProperties": false + } + }, + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-party" } + }, + "actions": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_action" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["title", "last-modified", "version", "oscal-version"], + "additionalProperties": false + }, + "oscal-profile-oscal-metadata:location-uuid": { + "title": "Location Universally Unique Identifier Reference", + "description": "Reference to a location by UUID.", + "$id": "#field_oscal-metadata_location-uuid", + "$ref": "#/definitions/UUIDDatatype" + }, + "oscal-profile-oscal-metadata:party-uuid": { + "title": "Party Universally Unique Identifier Reference", + "description": "Reference to a party by UUID.", + "$id": "#field_oscal-metadata_party-uuid", + "$ref": "#/definitions/UUIDDatatype" + }, + "oscal-profile-oscal-metadata:role-id": { + "title": "Role Identifier Reference", + "description": "Reference to a role by UUID.", + "$id": "#field_oscal-metadata_role-id", + "$ref": "#/definitions/TokenDatatype" + }, + "oscal-profile-oscal-metadata:back-matter": { + "title": "Back matter", + "description": "A collection of resources that may be referenced from within the OSCAL document instance.", + "$id": "#assembly_oscal-metadata_back-matter", + "type": "object", + "properties": { + "resources": { + "type": "array", + "minItems": 1, + "items": { + "title": "Resource", + "description": "A resource associated with content in the containing document instance. A resource may be directly included in the document using base64 encoding or may point to one or more equivalent internet resources.", + "type": "object", + "properties": { + "uuid": { + "title": "Resource Universally Unique Identifier", + "description": "A unique identifier for a resource.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Resource Title", + "description": "An optional name given to the resource, which may be used by a tool for display and navigation.", + "type": "string" + }, + "description": { + "title": "Resource Description", + "description": "An optional short summary of the resource used to indicate the purpose of the resource.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "document-ids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_document-id" } + }, + "citation": { + "title": "Citation", + "description": "An optional citation consisting of end note text using structured markup.", + "type": "object", + "properties": { + "text": { + "title": "Citation Text", + "description": "A line of citation text.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + } + }, + "required": ["text"], + "additionalProperties": false + }, + "rlinks": { + "type": "array", + "minItems": 1, + "items": { + "title": "Resource link", + "description": "A URL-based pointer to an external resource with an optional hash for verification and change detection.", + "type": "object", + "properties": { + "href": { + "title": "Hypertext Reference", + "description": "A resolvable URL pointing to the referenced resource.", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "media-type": { + "title": "Media Type", + "description": "A label that indicates the nature of a resource, as a data serialization or format.", + "$ref": "#/definitions/StringDatatype" + }, + "hashes": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_hash" } + } + }, + "required": ["href"], + "additionalProperties": false + } + }, + "base64": { + "title": "Base64", + "description": "A resource encoded using the Base64 alphabet defined by RFC 2045.", + "type": "object", + "properties": { + "filename": { + "title": "File Name", + "description": "Name of the file before it was encoded as Base64 to be embedded in a resource. This is the name that will be assigned to the file when the file is decoded.", + "$ref": "#/definitions/TokenDatatype" + }, + "media-type": { + "title": "Media Type", + "description": "A label that indicates the nature of a resource, as a data serialization or format.", + "$ref": "#/definitions/StringDatatype" + }, + "value": { "$ref": "#/definitions/Base64Datatype" } + }, + "required": ["value"], + "additionalProperties": false + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid"], + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "oscal-profile-oscal-metadata:property": { + "title": "Property", + "description": "An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.", + "$id": "#assembly_oscal-metadata_property", + "type": "object", + "properties": { + "name": { + "title": "Property Name", + "description": "A textual label, within a namespace, that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.", + "$ref": "#/definitions/TokenDatatype" + }, + "uuid": { + "title": "Property Universally Unique Identifier", + "description": "A unique identifier for a property.", + "$ref": "#/definitions/UUIDDatatype" + }, + "ns": { + "title": "Property Namespace", + "description": "A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.", + "$ref": "#/definitions/URIDatatype" + }, + "value": { + "title": "Property Value", + "description": "Indicates the value of the attribute, characteristic, or quality.", + "$ref": "#/definitions/StringDatatype" + }, + "class": { + "title": "Property Class", + "description": "A textual label that provides a sub-type or characterization of the property's name.", + "$ref": "#/definitions/TokenDatatype" + }, + "group": { + "title": "Property Group", + "description": "An identifier for relating distinct sets of properties.", + "$ref": "#/definitions/TokenDatatype" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["name", "value"], + "additionalProperties": false + }, + "oscal-profile-oscal-metadata:link": { + "title": "Link", + "description": "A reference to a local or remote resource, that has a specific relation to the containing object.", + "$id": "#assembly_oscal-metadata_link", + "type": "object", + "properties": { + "href": { + "title": "Hypertext Reference", + "description": "A resolvable URL reference to a resource.", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "rel": { + "title": "Link Relation Type", + "description": "Describes the type of relationship provided by the link's hypertext reference. This can be an indicator of the link's purpose.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["reference"] } + ] + }, + "media-type": { + "title": "Media Type", + "description": "A label that indicates the nature of a resource, as a data serialization or format.", + "$ref": "#/definitions/StringDatatype" + }, + "resource-fragment": { + "title": "Resource Fragment", + "description": "In case where the href points to a back-matter/resource, this value will indicate the URI fragment to append to any rlink associated with the resource. This value MUST be URI encoded.", + "$ref": "#/definitions/StringDatatype" + }, + "text": { + "title": "Link Text", + "description": "A textual label to associate with the link, which may be used for presentation in a tool.", + "type": "string" + } + }, + "required": ["href"], + "additionalProperties": false + }, + "oscal-profile-oscal-metadata:responsible-party": { + "title": "Responsible Party", + "description": "A reference to a set of persons and/or organizations that have responsibility for performing the referenced role in the context of the containing object.", + "$id": "#assembly_oscal-metadata_responsible-party", + "type": "object", + "properties": { + "role-id": { + "title": "Responsible Role", + "description": "A reference to a role performed by a party.", + "$ref": "#/definitions/TokenDatatype" + }, + "party-uuids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_party-uuid" } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["role-id", "party-uuids"], + "additionalProperties": false + }, + "oscal-profile-oscal-metadata:action": { + "title": "Action", + "description": "An action applied by a role within a given party to the content.", + "$id": "#assembly_oscal-metadata_action", + "type": "object", + "properties": { + "uuid": { + "title": "Action Universally Unique Identifier", + "description": "A unique identifier that can be used to reference this defined action elsewhere in an OSCAL document. A UUID should be consistently used for a given location across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "date": { + "title": "Action Occurrence Date", + "description": "The date and time when the action occurred.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "type": { + "title": "Action Type", + "description": "The type of action documented by the assembly, such as an approval.", + "$ref": "#/definitions/TokenDatatype" + }, + "system": { + "title": "Action Type System", + "description": "Specifies the action type system used.", + "$ref": "#/definitions/URIDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-party" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "type", "system"], + "additionalProperties": false + }, + "oscal-profile-oscal-metadata:responsible-role": { + "title": "Responsible Role", + "description": "A reference to a role with responsibility for performing a function relative to the containing object, optionally associated with a set of persons and/or organizations that perform that role.", + "$id": "#assembly_oscal-metadata_responsible-role", + "type": "object", + "properties": { + "role-id": { + "title": "Responsible Role ID", + "description": "A human-oriented identifier reference to a role performed.", + "$ref": "#/definitions/TokenDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "party-uuids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_party-uuid" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["role-id"], + "additionalProperties": false + }, + "oscal-profile-oscal-metadata:hash": { + "title": "Hash", + "description": "A representation of a cryptographic digest generated over a resource using a specified hash algorithm.", + "$id": "#field_oscal-metadata_hash", + "type": "object", + "properties": { + "algorithm": { + "title": "Hash algorithm", + "description": "The digest method by which a hash is derived.", + "anyOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { + "enum": [ + "SHA-224", + "SHA-256", + "SHA-384", + "SHA-512", + "SHA3-224", + "SHA3-256", + "SHA3-384", + "SHA3-512" + ] + } + ] + }, + "value": { "$ref": "#/definitions/StringDatatype" } + }, + "required": ["value", "algorithm"], + "additionalProperties": false + }, + "oscal-profile-oscal-metadata:remarks": { + "title": "Remarks", + "description": "Additional commentary about the containing object.", + "$id": "#field_oscal-metadata_remarks", + "type": "string" + }, + "oscal-profile-oscal-metadata:published": { + "title": "Publication Timestamp", + "description": "The date and time the document was last made available.", + "$id": "#field_oscal-metadata_published", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "oscal-profile-oscal-metadata:last-modified": { + "title": "Last Modified Timestamp", + "description": "The date and time the document was last stored for later retrieval.", + "$id": "#field_oscal-metadata_last-modified", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "oscal-profile-oscal-metadata:version": { + "title": "Document Version", + "description": "Used to distinguish a specific revision of an OSCAL document from other previous and future versions.", + "$id": "#field_oscal-metadata_version", + "$ref": "#/definitions/StringDatatype" + }, + "oscal-profile-oscal-metadata:oscal-version": { + "title": "OSCAL Version", + "description": "The OSCAL model version the document was authored against and will conform to as valid.", + "$id": "#field_oscal-metadata_oscal-version", + "$ref": "#/definitions/StringDatatype" + }, + "oscal-profile-oscal-metadata:email-address": { + "title": "Email Address", + "description": "An email address as defined by RFC 5322 Section 3.4.1.", + "$id": "#field_oscal-metadata_email-address", + "$ref": "#/definitions/EmailAddressDatatype" + }, + "oscal-profile-oscal-metadata:telephone-number": { + "title": "Telephone Number", + "description": "A telephone service number as defined by ITU-T E.164.", + "$id": "#field_oscal-metadata_telephone-number", + "type": "object", + "properties": { + "type": { + "title": "type flag", + "description": "Indicates the type of phone number.", + "anyOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { "enum": ["home", "office", "mobile"] } + ] + }, + "number": { "$ref": "#/definitions/StringDatatype" } + }, + "required": ["number"], + "additionalProperties": false + }, + "oscal-profile-oscal-metadata:address": { + "title": "Address", + "description": "A postal address for the location.", + "$id": "#assembly_oscal-metadata_address", + "type": "object", + "properties": { + "type": { + "title": "Address Type", + "description": "Indicates the type of address.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["home", "work"] } + ] + }, + "addr-lines": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_addr-line" } + }, + "city": { + "title": "City", + "description": "City, town or geographical region for the mailing address.", + "$ref": "#/definitions/StringDatatype" + }, + "state": { + "title": "State", + "description": "State, province or analogous geographical region for a mailing address.", + "$ref": "#/definitions/StringDatatype" + }, + "postal-code": { + "title": "Postal Code", + "description": "Postal or ZIP code for mailing address.", + "$ref": "#/definitions/StringDatatype" + }, + "country": { + "title": "Country Code", + "description": "The ISO 3166-1 alpha-2 country code for the mailing address.", + "$ref": "#/definitions/StringDatatype" + } + }, + "additionalProperties": false + }, + "oscal-profile-oscal-metadata:addr-line": { + "title": "Address line", + "description": "A single line of an address.", + "$id": "#field_oscal-metadata_addr-line", + "$ref": "#/definitions/StringDatatype" + }, + "oscal-profile-oscal-metadata:document-id": { + "title": "Document Identifier", + "description": "A document identifier qualified by an identifier scheme.", + "$id": "#field_oscal-metadata_document-id", + "type": "object", + "properties": { + "scheme": { + "title": "Document Identification Scheme", + "description": "Qualifies the kind of document identifier using a URI. If the scheme is not provided the value of the element will be interpreted as a string of characters.", + "anyOf": [ + { "$ref": "#/definitions/URIDatatype" }, + + { "enum": ["http://www.doi.org/"] } + ] + }, + "identifier": { "$ref": "#/definitions/StringDatatype" } + }, + "required": ["identifier"], + "additionalProperties": false + }, + "oscal-profile-oscal-control-common:part": { + "title": "Part", + "description": "An annotated, markup-based textual element of a control's or catalog group's definition, or a child of another part.", + "$id": "#assembly_oscal-control-common_part", + "type": "object", + "properties": { + "id": { + "title": "Part Identifier", + "description": "A unique identifier for the part.", + "$ref": "#/definitions/TokenDatatype" + }, + "name": { + "title": "Part Name", + "description": "A textual label that uniquely identifies the part's semantic type, which exists in a value space qualified by the ns.", + "$ref": "#/definitions/TokenDatatype" + }, + "ns": { + "title": "Part Namespace", + "description": "An optional namespace qualifying the part's name. This allows different organizations to associate distinct semantics with the same name.", + "$ref": "#/definitions/URIDatatype" + }, + "class": { + "title": "Part Class", + "description": "An optional textual providing a sub-type or characterization of the part's name, or a category to which the part belongs.", + "$ref": "#/definitions/TokenDatatype" + }, + "title": { + "title": "Part Title", + "description": "An optional name given to the part, which may be used by a tool for display and navigation.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "prose": { + "title": "Part Text", + "description": "Permits multiple paragraphs, lists, tables etc.", + "type": "string" + }, + "parts": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-control-common_part" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + } + }, + "required": ["name"], + "additionalProperties": false + }, + "oscal-profile-oscal-control-common:parameter": { + "title": "Parameter", + "description": "Parameters provide a mechanism for the dynamic assignment of value(s) in a control.", + "$id": "#assembly_oscal-control-common_parameter", + "type": "object", + "properties": { + "id": { + "title": "Parameter Identifier", + "description": "A unique identifier for the parameter.", + "$ref": "#/definitions/TokenDatatype" + }, + "class": { + "title": "Parameter Class", + "description": "A textual label that provides a characterization of the type, purpose, use or scope of the parameter.", + "$ref": "#/definitions/TokenDatatype" + }, + "depends-on": { + "title": "Depends on", + "description": "(deprecated) Another parameter invoking this one. This construct has been deprecated and should not be used.", + "$ref": "#/definitions/TokenDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "label": { + "title": "Parameter Label", + "description": "A short, placeholder name for the parameter, which can be used as a substitute for a value if no value is assigned.", + "type": "string" + }, + "usage": { + "title": "Parameter Usage Description", + "description": "Describes the purpose and use of a parameter.", + "type": "string" + }, + "constraints": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-control-common_parameter-constraint" + } + }, + "guidelines": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-control-common_parameter-guideline" + } + }, + "values": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-control-common_parameter-value" } + }, + "select": { + "$ref": "#assembly_oscal-control-common_parameter-selection" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["id"], + "additionalProperties": false + }, + "oscal-profile-oscal-control-common:parameter-constraint": { + "title": "Constraint", + "description": "A formal or informal expression of a constraint or test.", + "$id": "#assembly_oscal-control-common_parameter-constraint", + "type": "object", + "properties": { + "description": { + "title": "Constraint Description", + "description": "A textual summary of the constraint to be applied.", + "type": "string" + }, + "tests": { + "type": "array", + "minItems": 1, + "items": { + "title": "Constraint Test", + "description": "A test expression which is expected to be evaluated by a tool.", + "type": "object", + "properties": { + "expression": { + "title": "Constraint test", + "description": "A formal (executable) expression of a constraint.", + "$ref": "#/definitions/StringDatatype" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["expression"], + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "oscal-profile-oscal-control-common:parameter-guideline": { + "title": "Guideline", + "description": "A prose statement that provides a recommendation for the use of a parameter.", + "$id": "#assembly_oscal-control-common_parameter-guideline", + "type": "object", + "properties": { + "prose": { + "title": "Guideline Text", + "description": "Prose permits multiple paragraphs, lists, tables etc.", + "type": "string" + } + }, + "required": ["prose"], + "additionalProperties": false + }, + "oscal-profile-oscal-control-common:parameter-value": { + "title": "Parameter Value", + "description": "A parameter value or set of values.", + "$id": "#field_oscal-control-common_parameter-value", + "$ref": "#/definitions/StringDatatype" + }, + "oscal-profile-oscal-control-common:parameter-selection": { + "title": "Selection", + "description": "Presenting a choice among alternatives.", + "$id": "#assembly_oscal-control-common_parameter-selection", + "type": "object", + "properties": { + "how-many": { + "title": "Parameter Cardinality", + "description": "Describes the number of selections that must occur. Without this setting, only one value should be assumed to be permitted.", + "allOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["one", "one-or-more"] } + ] + }, + "choice": { + "type": "array", + "minItems": 1, + "items": { + "title": "Choice", + "description": "A value selection among several such options.", + "type": "string" + } + } + }, + "additionalProperties": false + }, + "oscal-profile-oscal-control-common:include-all": { + "title": "Include All", + "description": "Include all controls from the imported catalog or profile resources.", + "$id": "#assembly_oscal-control-common_include-all", + "type": "object", + "additionalProperties": false + }, + "Base64Datatype": { + "description": "Binary data encoded using the Base 64 encoding algorithm as defined by RFC4648.", + "type": "string", + "pattern": "^[0-9A-Za-z+/]+={0,2}$", + "contentEncoding": "base64" + }, + "BooleanDatatype": { + "description": "A binary value that is either: true or false.", + "type": "boolean" + }, + "DateTimeWithTimezoneDatatype": { + "description": "A string representing a point in time with a required timezone.", + "type": "string", + "format": "date-time", + "pattern": "^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|(-((0[0-9]|1[0-2]):00|0[39]:30)|\\+((0[0-9]|1[0-4]):00|(0[34569]|10):30|(0[58]|12):45)))$" + }, + "EmailAddressDatatype": { + "description": "An email address string formatted according to RFC 6531.", + "allOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { "type": "string", "format": "email", "pattern": "^.+@.+$" } + ] + }, + "StringDatatype": { + "description": "A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, U+10, U+32 or [ \n\t]+", + "type": "string", + "pattern": "^\\S(.*\\S)?$" + }, + "TokenDatatype": { + "description": "A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. https://www.w3.org/TR/xmlschema11-2/#NCName.", + "type": "string", + "pattern": "^(\\p{L}|_)(\\p{L}|\\p{N}|[.\\-_])*$" + }, + "URIDatatype": { + "description": "A universal resource identifier (URI) formatted according to RFC3986.", + "type": "string", + "format": "uri", + "pattern": "^[a-zA-Z][a-zA-Z0-9+\\-.]+:.+$" + }, + "URIReferenceDatatype": { + "description": "A URI Reference, either a URI or a relative-reference, formatted according to section 4.1 of RFC3986.", + "type": "string", + "format": "uri-reference" + }, + "UUIDDatatype": { + "description": "A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + } + }, + "properties": { + "$schema": { "$ref": "#json-schema-directive" }, + "profile": { "$ref": "#assembly_oscal-profile_profile" } + }, + "required": ["profile"], + "additionalProperties": false +} diff --git a/roscal_lib/jsonschema/tracking_latest_models/oscal_ssp_schema.json b/roscal_lib/jsonschema/tracking_latest_models/oscal_ssp_schema.json new file mode 100644 index 0000000..174db45 --- /dev/null +++ b/roscal_lib/jsonschema/tracking_latest_models/oscal_ssp_schema.json @@ -0,0 +1,2365 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "http://csrc.nist.gov/ns/oscal/1.1.2/oscal-ssp-schema.json", + "$comment": "OSCAL System Security Plan (SSP) Model: JSON Schema", + "type": "object", + "definitions": { + "json-schema-directive": { + "title": "Schema Directive", + "description": "A JSON Schema directive to bind a specific schema to its document instance.", + "$id": "#json-schema-directive", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "oscal-ssp-oscal-ssp:system-security-plan": { + "title": "System Security Plan (SSP)", + "description": "A system security plan, such as those described in NIST SP 800-18.", + "$id": "#assembly_oscal-ssp_system-security-plan", + "type": "object", + "properties": { + "uuid": { + "title": "System Security Plan Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this system security plan (SSP) elsewhere in this or other OSCAL instances. The locally defined UUID of the SSP can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance).This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "metadata": { "$ref": "#assembly_oscal-metadata_metadata" }, + "import-profile": { "$ref": "#assembly_oscal-ssp_import-profile" }, + "system-characteristics": { + "$ref": "#assembly_oscal-ssp_system-characteristics" + }, + "system-implementation": { + "$ref": "#assembly_oscal-ssp_system-implementation" + }, + "control-implementation": { + "$ref": "#assembly_oscal-ssp_control-implementation" + }, + "back-matter": { "$ref": "#assembly_oscal-metadata_back-matter" } + }, + "required": [ + "uuid", + "metadata", + "import-profile", + "system-characteristics", + "system-implementation", + "control-implementation" + ], + "additionalProperties": false + }, + "oscal-ssp-oscal-ssp:import-profile": { + "title": "Import Profile", + "description": "Used to import the OSCAL profile representing the system's control baseline.", + "$id": "#assembly_oscal-ssp_import-profile", + "type": "object", + "properties": { + "href": { + "title": "Profile Reference", + "description": "A resolvable URL reference to the profile or catalog to use as the system's control baseline.", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["href"], + "additionalProperties": false + }, + "oscal-ssp-oscal-ssp:system-characteristics": { + "title": "System Characteristics", + "description": "Contains the characteristics of the system, such as its name, purpose, and security impact level.", + "$id": "#assembly_oscal-ssp_system-characteristics", + "type": "object", + "properties": { + "system-ids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-implementation-common_system-id" } + }, + "system-name": { + "title": "System Name - Full", + "description": "The full name of the system.", + "$ref": "#/definitions/StringDatatype" + }, + "system-name-short": { + "title": "System Name - Short", + "description": "A short name for the system, such as an acronym, that is suitable for display in a data table or summary list.", + "$ref": "#/definitions/StringDatatype" + }, + "description": { + "title": "System Description", + "description": "A summary of the system.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "date-authorized": { "$ref": "#field_oscal-ssp_date-authorized" }, + "security-sensitivity-level": { + "title": "Security Sensitivity Level", + "description": "The overall information system sensitivity categorization, such as defined by FIPS-199.", + "$ref": "#/definitions/StringDatatype" + }, + "system-information": { + "$ref": "#assembly_oscal-ssp_system-information" + }, + "security-impact-level": { + "$ref": "#assembly_oscal-ssp_security-impact-level" + }, + "status": { "$ref": "#assembly_oscal-ssp_status" }, + "authorization-boundary": { + "$ref": "#assembly_oscal-ssp_authorization-boundary" + }, + "network-architecture": { + "$ref": "#assembly_oscal-ssp_network-architecture" + }, + "data-flow": { "$ref": "#assembly_oscal-ssp_data-flow" }, + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-party" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": [ + "system-ids", + "system-name", + "description", + "system-information", + "status", + "authorization-boundary" + ], + "additionalProperties": false + }, + "oscal-ssp-oscal-ssp:system-information": { + "title": "System Information", + "description": "Contains details about all information types that are stored, processed, or transmitted by the system, such as privacy information, and those defined in NIST SP 800-60.", + "$id": "#assembly_oscal-ssp_system-information", + "type": "object", + "properties": { + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "information-types": { + "type": "array", + "minItems": 1, + "items": { + "title": "Information Type", + "description": "Contains details about one information type that is stored, processed, or transmitted by the system, such as privacy information, and those defined in NIST SP 800-60.", + "type": "object", + "properties": { + "uuid": { + "title": "Information Type Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this information type elsewhere in this or other OSCAL instances. The locally defined UUID of the information type can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "title field", + "description": "A human readable name for the information type. This title should be meaningful within the context of the system.", + "type": "string" + }, + "description": { + "title": "Information Type Description", + "description": "A summary of how this information type is used within the system.", + "type": "string" + }, + "categorizations": { + "type": "array", + "minItems": 1, + "items": { + "title": "Information Type Categorization", + "description": "A set of information type identifiers qualified by the given identification system used, such as NIST SP 800-60.", + "type": "object", + "properties": { + "system": { + "title": "Information Type Identification System", + "description": "Specifies the information type identification system used.", + "anyOf": [ + { "$ref": "#/definitions/URIDatatype" }, + + { + "enum": ["http://doi.org/10.6028/NIST.SP.800-60v2r1"] + } + ] + }, + "information-type-ids": { + "type": "array", + "minItems": 1, + "items": { + "title": "Information Type Systematized Identifier", + "description": "A human-oriented, globally unique identifier qualified by the given identification system used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to reference this system elsewhere in this or other OSCAL instances. This id should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/StringDatatype" + } + } + }, + "required": ["system"], + "additionalProperties": false + } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "confidentiality-impact": { + "$ref": "#assembly_oscal-ssp_impact" + }, + "integrity-impact": { "$ref": "#assembly_oscal-ssp_impact" }, + "availability-impact": { "$ref": "#assembly_oscal-ssp_impact" } + }, + "required": ["title", "description"], + "additionalProperties": false + } + } + }, + "required": ["information-types"], + "additionalProperties": false + }, + "oscal-ssp-oscal-ssp:impact": { + "title": "Impact Level", + "description": "The expected level of impact resulting from the described information.", + "$id": "#assembly_oscal-ssp_impact", + "type": "object", + "properties": { + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "base": { "$ref": "#field_oscal-ssp_base" }, + "selected": { "$ref": "#field_oscal-ssp_selected" }, + "adjustment-justification": { + "$ref": "#field_oscal-ssp_adjustment-justification" + } + }, + "required": ["base"], + "additionalProperties": false + }, + "oscal-ssp-oscal-ssp:base": { + "title": "Base Level (Confidentiality, Integrity, or Availability)", + "description": "The prescribed base (Confidentiality, Integrity, or Availability) security impact level.", + "$id": "#field_oscal-ssp_base", + "$ref": "#/definitions/StringDatatype" + }, + "oscal-ssp-oscal-ssp:selected": { + "title": "Selected Level (Confidentiality, Integrity, or Availability)", + "description": "The selected (Confidentiality, Integrity, or Availability) security impact level.", + "$id": "#field_oscal-ssp_selected", + "$ref": "#/definitions/StringDatatype" + }, + "oscal-ssp-oscal-ssp:adjustment-justification": { + "title": "Adjustment Justification", + "description": "If the selected security level is different from the base security level, this contains the justification for the change.", + "$id": "#field_oscal-ssp_adjustment-justification", + "type": "string" + }, + "oscal-ssp-oscal-ssp:security-impact-level": { + "title": "Security Impact Level", + "description": "The overall level of expected impact resulting from unauthorized disclosure, modification, or loss of access to information.", + "$id": "#assembly_oscal-ssp_security-impact-level", + "type": "object", + "properties": { + "security-objective-confidentiality": { + "title": "Security Objective: Confidentiality", + "description": "A target-level of confidentiality for the system, based on the sensitivity of information within the system.", + "$ref": "#/definitions/StringDatatype" + }, + "security-objective-integrity": { + "title": "Security Objective: Integrity", + "description": "A target-level of integrity for the system, based on the sensitivity of information within the system.", + "$ref": "#/definitions/StringDatatype" + }, + "security-objective-availability": { + "title": "Security Objective: Availability", + "description": "A target-level of availability for the system, based on the sensitivity of information within the system.", + "$ref": "#/definitions/StringDatatype" + } + }, + "required": [ + "security-objective-confidentiality", + "security-objective-integrity", + "security-objective-availability" + ], + "additionalProperties": false + }, + "oscal-ssp-oscal-ssp:status": { + "title": "Status", + "description": "Describes the operational status of the system.", + "$id": "#assembly_oscal-ssp_status", + "type": "object", + "properties": { + "state": { + "title": "State", + "description": "The current operating status.", + "allOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { + "enum": [ + "operational", + "under-development", + "under-major-modification", + "disposition", + "other" + ] + } + ] + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["state"], + "additionalProperties": false + }, + "oscal-ssp-oscal-ssp:date-authorized": { + "title": "System Authorization Date", + "description": "The date the system received its authorization.", + "$id": "#field_oscal-ssp_date-authorized", + "$ref": "#/definitions/DateDatatype" + }, + "oscal-ssp-oscal-ssp:authorization-boundary": { + "title": "Authorization Boundary", + "description": "A description of this system's authorization boundary, optionally supplemented by diagrams that illustrate the authorization boundary.", + "$id": "#assembly_oscal-ssp_authorization-boundary", + "type": "object", + "properties": { + "description": { + "title": "Authorization Boundary Description", + "description": "A summary of the system's authorization boundary.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "diagrams": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-ssp_diagram" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["description"], + "additionalProperties": false + }, + "oscal-ssp-oscal-ssp:diagram": { + "title": "Diagram", + "description": "A graphic that provides a visual representation the system, or some aspect of it.", + "$id": "#assembly_oscal-ssp_diagram", + "type": "object", + "properties": { + "uuid": { + "title": "Diagram ID", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this diagram elsewhere in this or other OSCAL instances. The locally defined UUID of the diagram can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "description": { + "title": "Diagram Description", + "description": "A summary of the diagram.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "caption": { + "title": "Caption", + "description": "A brief caption to annotate the diagram.", + "type": "string" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid"], + "additionalProperties": false + }, + "oscal-ssp-oscal-ssp:network-architecture": { + "title": "Network Architecture", + "description": "A description of the system's network architecture, optionally supplemented by diagrams that illustrate the network architecture.", + "$id": "#assembly_oscal-ssp_network-architecture", + "type": "object", + "properties": { + "description": { + "title": "Network Architecture Description", + "description": "A summary of the system's network architecture.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "diagrams": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-ssp_diagram" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["description"], + "additionalProperties": false + }, + "oscal-ssp-oscal-ssp:data-flow": { + "title": "Data Flow", + "description": "A description of the logical flow of information within the system and across its boundaries, optionally supplemented by diagrams that illustrate these flows.", + "$id": "#assembly_oscal-ssp_data-flow", + "type": "object", + "properties": { + "description": { + "title": "Data Flow Description", + "description": "A summary of the system's data flow.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "diagrams": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-ssp_diagram" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["description"], + "additionalProperties": false + }, + "oscal-ssp-oscal-ssp:system-implementation": { + "title": "System Implementation", + "description": "Provides information as to how the system is implemented.", + "$id": "#assembly_oscal-ssp_system-implementation", + "type": "object", + "properties": { + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "leveraged-authorizations": { + "type": "array", + "minItems": 1, + "items": { + "title": "Leveraged Authorization", + "description": "A description of another authorized system from which this system inherits capabilities that satisfy security requirements. Another term for this concept is a common control provider.", + "type": "object", + "properties": { + "uuid": { + "title": "Leveraged Authorization Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope and can be used to reference this leveraged authorization elsewhere in this or other OSCAL instances. The locally defined UUID of the leveraged authorization can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "title field", + "description": "A human readable name for the leveraged authorization in the context of the system.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "party-uuid": { + "title": "party-uuid field", + "description": "A machine-oriented identifier reference to the party that manages the leveraged system.", + "$ref": "#/definitions/UUIDDatatype" + }, + "date-authorized": { "$ref": "#field_oscal-ssp_date-authorized" }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "title", "party-uuid", "date-authorized"], + "additionalProperties": false + } + }, + "users": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_system-user" + } + }, + "components": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_system-component" + } + }, + "inventory-items": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_inventory-item" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["users", "components"], + "additionalProperties": false + }, + "oscal-ssp-oscal-ssp:control-implementation": { + "title": "Control Implementation", + "description": "Describes how the system satisfies a set of controls.", + "$id": "#assembly_oscal-ssp_control-implementation", + "type": "object", + "properties": { + "description": { + "title": "Control Implementation Description", + "description": "A statement describing important things to know about how this set of control satisfaction documentation is approached.", + "type": "string" + }, + "set-parameters": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_set-parameter" + } + }, + "implemented-requirements": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-ssp_implemented-requirement" } + } + }, + "required": ["description", "implemented-requirements"], + "additionalProperties": false + }, + "oscal-ssp-oscal-ssp:implemented-requirement": { + "title": "Control-based Requirement", + "description": "Describes how the system satisfies the requirements of an individual control.", + "$id": "#assembly_oscal-ssp_implemented-requirement", + "type": "object", + "properties": { + "uuid": { + "title": "Control Requirement Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this control requirement elsewhere in this or other OSCAL instances. The locally defined UUID of the control requirement can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "control-id": { + "title": "Control Identifier Reference", + "description": "A reference to a control with a corresponding id value. When referencing an externally defined control, the Control Identifier Reference must be used in the context of the external / imported OSCAL instance (e.g., uri-reference).", + "$ref": "#/definitions/TokenDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "set-parameters": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_set-parameter" + } + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "statements": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-ssp_statement" } + }, + "by-components": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-ssp_by-component" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "control-id"], + "additionalProperties": false + }, + "oscal-ssp-oscal-ssp:statement": { + "title": "Specific Control Statement", + "description": "Identifies which statements within a control are addressed.", + "$id": "#assembly_oscal-ssp_statement", + "type": "object", + "properties": { + "statement-id": { + "title": "Control Statement Reference", + "description": "A human-oriented identifier reference to a control statement.", + "$ref": "#/definitions/TokenDatatype" + }, + "uuid": { + "title": "Control Statement Reference Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this control statement elsewhere in this or other OSCAL instances. The UUID of the control statement in the source OSCAL instance is sufficient to reference the data item locally or globally (e.g., in an imported OSCAL instance).", + "$ref": "#/definitions/UUIDDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "by-components": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-ssp_by-component" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["statement-id", "uuid"], + "additionalProperties": false + }, + "oscal-ssp-oscal-ssp:by-component": { + "title": "Component Control Implementation", + "description": "Defines how the referenced component implements a set of controls.", + "$id": "#assembly_oscal-ssp_by-component", + "type": "object", + "properties": { + "component-uuid": { + "title": "Component Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to the component that is implemeting a given control.", + "$ref": "#/definitions/UUIDDatatype" + }, + "uuid": { + "title": "By-Component Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this by-component entry elsewhere in this or other OSCAL instances. The locally defined UUID of the by-component entry can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "description": { + "title": "Control Implementation Description", + "description": "An implementation statement that describes how a control or a control statement is implemented within the referenced system component.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "set-parameters": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_set-parameter" + } + }, + "implementation-status": { + "$ref": "#assembly_oscal-implementation-common_implementation-status" + }, + "export": { + "title": "Export", + "description": "Identifies content intended for external consumption, such as with leveraged organizations.", + "type": "object", + "properties": { + "description": { + "title": "Control Implementation Export Description", + "description": "An implementation statement that describes the aspects of the control or control statement implementation that can be available to another system leveraging this system.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "provided": { + "type": "array", + "minItems": 1, + "items": { + "title": "Provided Control Implementation", + "description": "Describes a capability which may be inherited by a leveraging system.", + "type": "object", + "properties": { + "uuid": { + "title": "Provided Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this provided entry elsewhere in this or other OSCAL instances. The locally defined UUID of the provided entry can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "description": { + "title": "Provided Control Implementation Description", + "description": "An implementation statement that describes the aspects of the control or control statement implementation that can be provided to another system leveraging this system.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-metadata_responsible-role" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "description"], + "additionalProperties": false + } + }, + "responsibilities": { + "type": "array", + "minItems": 1, + "items": { + "title": "Control Implementation Responsibility", + "description": "Describes a control implementation responsibility imposed on a leveraging system.", + "type": "object", + "properties": { + "uuid": { + "title": "Responsibility Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this responsibility elsewhere in this or other OSCAL instances. The locally defined UUID of the responsibility can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "provided-uuid": { + "title": "Provided UUID", + "description": "A machine-oriented identifier reference to an inherited control implementation that a leveraging system is inheriting from a leveraged system.", + "$ref": "#/definitions/UUIDDatatype" + }, + "description": { + "title": "Control Implementation Responsibility Description", + "description": "An implementation statement that describes the aspects of the control or control statement implementation that a leveraging system must implement to satisfy the control provided by a leveraged system.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-metadata_responsible-role" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "description"], + "additionalProperties": false + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "additionalProperties": false + }, + "inherited": { + "type": "array", + "minItems": 1, + "items": { + "title": "Inherited Control Implementation", + "description": "Describes a control implementation inherited by a leveraging system.", + "type": "object", + "properties": { + "uuid": { + "title": "Inherited Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this inherited entry elsewhere in this or other OSCAL instances. The locally defined UUID of the inherited control implementation can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "provided-uuid": { + "title": "Provided UUID", + "description": "A machine-oriented identifier reference to an inherited control implementation that a leveraging system is inheriting from a leveraged system.", + "$ref": "#/definitions/UUIDDatatype" + }, + "description": { + "title": "Inherited Control Implementation Description", + "description": "An implementation statement that describes the aspects of a control or control statement implementation that a leveraging system is inheriting from a leveraged system.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + } + }, + "required": ["uuid", "description"], + "additionalProperties": false + } + }, + "satisfied": { + "type": "array", + "minItems": 1, + "items": { + "title": "Satisfied Control Implementation Responsibility", + "description": "Describes how this system satisfies a responsibility imposed by a leveraged system.", + "type": "object", + "properties": { + "uuid": { + "title": "Satisfied Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this satisfied control implementation entry elsewhere in this or other OSCAL instances. The locally defined UUID of the control implementation can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "responsibility-uuid": { + "title": "Responsibility UUID", + "description": "A machine-oriented identifier reference to a control implementation that satisfies a responsibility imposed by a leveraged system.", + "$ref": "#/definitions/UUIDDatatype" + }, + "description": { + "title": "Satisfied Control Implementation Responsibility Description", + "description": "An implementation statement that describes the aspects of a control or control statement implementation that a leveraging system is implementing based on a requirement from a leveraged system.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "description"], + "additionalProperties": false + } + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["component-uuid", "uuid", "description"], + "additionalProperties": false + }, + "oscal-ssp-oscal-metadata:metadata": { + "title": "Document Metadata", + "description": "Provides information about the containing document, and defines concepts that are shared across the document.", + "$id": "#assembly_oscal-metadata_metadata", + "type": "object", + "properties": { + "title": { + "title": "Document Title", + "description": "A name given to the document, which may be used by a tool for display and navigation.", + "type": "string" + }, + "published": { "$ref": "#field_oscal-metadata_published" }, + "last-modified": { "$ref": "#field_oscal-metadata_last-modified" }, + "version": { "$ref": "#field_oscal-metadata_version" }, + "oscal-version": { "$ref": "#field_oscal-metadata_oscal-version" }, + "revisions": { + "type": "array", + "minItems": 1, + "items": { + "title": "Revision History Entry", + "description": "An entry in a sequential list of revisions to the containing document, expected to be in reverse chronological order (i.e. latest first).", + "type": "object", + "properties": { + "title": { + "title": "Document Title", + "description": "A name given to the document revision, which may be used by a tool for display and navigation.", + "type": "string" + }, + "published": { "$ref": "#field_oscal-metadata_published" }, + "last-modified": { + "$ref": "#field_oscal-metadata_last-modified" + }, + "version": { "$ref": "#field_oscal-metadata_version" }, + "oscal-version": { + "$ref": "#field_oscal-metadata_oscal-version" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["version"], + "additionalProperties": false + } + }, + "document-ids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_document-id" } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "roles": { + "type": "array", + "minItems": 1, + "items": { + "title": "Role", + "description": "Defines a function, which might be assigned to a party in a specific situation.", + "type": "object", + "properties": { + "id": { + "title": "Role Identifier", + "description": "A unique identifier for the role.", + "$ref": "#/definitions/TokenDatatype" + }, + "title": { + "title": "Role Title", + "description": "A name given to the role, which may be used by a tool for display and navigation.", + "type": "string" + }, + "short-name": { + "title": "Role Short Name", + "description": "A short common name, abbreviation, or acronym for the role.", + "$ref": "#/definitions/StringDatatype" + }, + "description": { + "title": "Role Description", + "description": "A summary of the role's purpose and associated responsibilities.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["id", "title"], + "additionalProperties": false + } + }, + "locations": { + "type": "array", + "minItems": 1, + "items": { + "title": "Location", + "description": "A physical point of presence, which may be associated with people, organizations, or other concepts within the current or linked OSCAL document.", + "type": "object", + "properties": { + "uuid": { + "title": "Location Universally Unique Identifier", + "description": "A unique ID for the location, for reference.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Location Title", + "description": "A name given to the location, which may be used by a tool for display and navigation.", + "type": "string" + }, + "address": { "$ref": "#assembly_oscal-metadata_address" }, + "email-addresses": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_email-address" } + }, + "telephone-numbers": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_telephone-number" } + }, + "urls": { + "type": "array", + "minItems": 1, + "items": { + "title": "Location URL", + "description": "The uniform resource locator (URL) for a web site or other resource associated with the location.", + "$ref": "#/definitions/URIDatatype" + } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid"], + "additionalProperties": false + } + }, + "parties": { + "type": "array", + "minItems": 1, + "items": { + "title": "Party", + "description": "An organization or person, which may be associated with roles or other concepts within the current or linked OSCAL document.", + "type": "object", + "properties": { + "uuid": { + "title": "Party Universally Unique Identifier", + "description": "A unique identifier for the party.", + "$ref": "#/definitions/UUIDDatatype" + }, + "type": { + "title": "Party Type", + "description": "A category describing the kind of party the object describes.", + "allOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { "enum": ["person", "organization"] } + ] + }, + "name": { + "title": "Party Name", + "description": "The full name of the party. This is typically the legal name associated with the party.", + "$ref": "#/definitions/StringDatatype" + }, + "short-name": { + "title": "Party Short Name", + "description": "A short common name, abbreviation, or acronym for the party.", + "$ref": "#/definitions/StringDatatype" + }, + "external-ids": { + "type": "array", + "minItems": 1, + "items": { + "title": "Party External Identifier", + "description": "An identifier for a person or organization using a designated scheme. e.g. an Open Researcher and Contributor ID (ORCID).", + "type": "object", + "properties": { + "scheme": { + "title": "External Identifier Schema", + "description": "Indicates the type of external identifier.", + "anyOf": [ + { "$ref": "#/definitions/URIDatatype" }, + + { "enum": ["http://orcid.org/"] } + ] + }, + "id": { "$ref": "#/definitions/StringDatatype" } + }, + "required": ["id", "scheme"], + "additionalProperties": false + } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "email-addresses": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_email-address" } + }, + "telephone-numbers": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_telephone-number" } + }, + "addresses": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_address" } + }, + "location-uuids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_location-uuid" } + }, + "member-of-organizations": { + "type": "array", + "minItems": 1, + "items": { + "title": "Organizational Affiliation", + "description": "A reference to another party by UUID, typically an organization, that this subject is associated with.", + "$ref": "#/definitions/UUIDDatatype" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "type"], + "additionalProperties": false + } + }, + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-party" } + }, + "actions": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_action" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["title", "last-modified", "version", "oscal-version"], + "additionalProperties": false + }, + "oscal-ssp-oscal-metadata:location-uuid": { + "title": "Location Universally Unique Identifier Reference", + "description": "Reference to a location by UUID.", + "$id": "#field_oscal-metadata_location-uuid", + "$ref": "#/definitions/UUIDDatatype" + }, + "oscal-ssp-oscal-metadata:party-uuid": { + "title": "Party Universally Unique Identifier Reference", + "description": "Reference to a party by UUID.", + "$id": "#field_oscal-metadata_party-uuid", + "$ref": "#/definitions/UUIDDatatype" + }, + "oscal-ssp-oscal-metadata:role-id": { + "title": "Role Identifier Reference", + "description": "Reference to a role by UUID.", + "$id": "#field_oscal-metadata_role-id", + "$ref": "#/definitions/TokenDatatype" + }, + "oscal-ssp-oscal-metadata:back-matter": { + "title": "Back matter", + "description": "A collection of resources that may be referenced from within the OSCAL document instance.", + "$id": "#assembly_oscal-metadata_back-matter", + "type": "object", + "properties": { + "resources": { + "type": "array", + "minItems": 1, + "items": { + "title": "Resource", + "description": "A resource associated with content in the containing document instance. A resource may be directly included in the document using base64 encoding or may point to one or more equivalent internet resources.", + "type": "object", + "properties": { + "uuid": { + "title": "Resource Universally Unique Identifier", + "description": "A unique identifier for a resource.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Resource Title", + "description": "An optional name given to the resource, which may be used by a tool for display and navigation.", + "type": "string" + }, + "description": { + "title": "Resource Description", + "description": "An optional short summary of the resource used to indicate the purpose of the resource.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "document-ids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_document-id" } + }, + "citation": { + "title": "Citation", + "description": "An optional citation consisting of end note text using structured markup.", + "type": "object", + "properties": { + "text": { + "title": "Citation Text", + "description": "A line of citation text.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + } + }, + "required": ["text"], + "additionalProperties": false + }, + "rlinks": { + "type": "array", + "minItems": 1, + "items": { + "title": "Resource link", + "description": "A URL-based pointer to an external resource with an optional hash for verification and change detection.", + "type": "object", + "properties": { + "href": { + "title": "Hypertext Reference", + "description": "A resolvable URL pointing to the referenced resource.", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "media-type": { + "title": "Media Type", + "description": "A label that indicates the nature of a resource, as a data serialization or format.", + "$ref": "#/definitions/StringDatatype" + }, + "hashes": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_hash" } + } + }, + "required": ["href"], + "additionalProperties": false + } + }, + "base64": { + "title": "Base64", + "description": "A resource encoded using the Base64 alphabet defined by RFC 2045.", + "type": "object", + "properties": { + "filename": { + "title": "File Name", + "description": "Name of the file before it was encoded as Base64 to be embedded in a resource. This is the name that will be assigned to the file when the file is decoded.", + "$ref": "#/definitions/TokenDatatype" + }, + "media-type": { + "title": "Media Type", + "description": "A label that indicates the nature of a resource, as a data serialization or format.", + "$ref": "#/definitions/StringDatatype" + }, + "value": { "$ref": "#/definitions/Base64Datatype" } + }, + "required": ["value"], + "additionalProperties": false + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid"], + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "oscal-ssp-oscal-metadata:property": { + "title": "Property", + "description": "An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.", + "$id": "#assembly_oscal-metadata_property", + "type": "object", + "properties": { + "name": { + "title": "Property Name", + "description": "A textual label, within a namespace, that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.", + "$ref": "#/definitions/TokenDatatype" + }, + "uuid": { + "title": "Property Universally Unique Identifier", + "description": "A unique identifier for a property.", + "$ref": "#/definitions/UUIDDatatype" + }, + "ns": { + "title": "Property Namespace", + "description": "A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.", + "$ref": "#/definitions/URIDatatype" + }, + "value": { + "title": "Property Value", + "description": "Indicates the value of the attribute, characteristic, or quality.", + "$ref": "#/definitions/StringDatatype" + }, + "class": { + "title": "Property Class", + "description": "A textual label that provides a sub-type or characterization of the property's name.", + "$ref": "#/definitions/TokenDatatype" + }, + "group": { + "title": "Property Group", + "description": "An identifier for relating distinct sets of properties.", + "$ref": "#/definitions/TokenDatatype" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["name", "value"], + "additionalProperties": false + }, + "oscal-ssp-oscal-metadata:link": { + "title": "Link", + "description": "A reference to a local or remote resource, that has a specific relation to the containing object.", + "$id": "#assembly_oscal-metadata_link", + "type": "object", + "properties": { + "href": { + "title": "Hypertext Reference", + "description": "A resolvable URL reference to a resource.", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "rel": { + "title": "Link Relation Type", + "description": "Describes the type of relationship provided by the link's hypertext reference. This can be an indicator of the link's purpose.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["reference"] } + ] + }, + "media-type": { + "title": "Media Type", + "description": "A label that indicates the nature of a resource, as a data serialization or format.", + "$ref": "#/definitions/StringDatatype" + }, + "resource-fragment": { + "title": "Resource Fragment", + "description": "In case where the href points to a back-matter/resource, this value will indicate the URI fragment to append to any rlink associated with the resource. This value MUST be URI encoded.", + "$ref": "#/definitions/StringDatatype" + }, + "text": { + "title": "Link Text", + "description": "A textual label to associate with the link, which may be used for presentation in a tool.", + "type": "string" + } + }, + "required": ["href"], + "additionalProperties": false + }, + "oscal-ssp-oscal-metadata:responsible-party": { + "title": "Responsible Party", + "description": "A reference to a set of persons and/or organizations that have responsibility for performing the referenced role in the context of the containing object.", + "$id": "#assembly_oscal-metadata_responsible-party", + "type": "object", + "properties": { + "role-id": { + "title": "Responsible Role", + "description": "A reference to a role performed by a party.", + "$ref": "#/definitions/TokenDatatype" + }, + "party-uuids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_party-uuid" } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["role-id", "party-uuids"], + "additionalProperties": false + }, + "oscal-ssp-oscal-metadata:action": { + "title": "Action", + "description": "An action applied by a role within a given party to the content.", + "$id": "#assembly_oscal-metadata_action", + "type": "object", + "properties": { + "uuid": { + "title": "Action Universally Unique Identifier", + "description": "A unique identifier that can be used to reference this defined action elsewhere in an OSCAL document. A UUID should be consistently used for a given location across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "date": { + "title": "Action Occurrence Date", + "description": "The date and time when the action occurred.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "type": { + "title": "Action Type", + "description": "The type of action documented by the assembly, such as an approval.", + "$ref": "#/definitions/TokenDatatype" + }, + "system": { + "title": "Action Type System", + "description": "Specifies the action type system used.", + "$ref": "#/definitions/URIDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-party" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "type", "system"], + "additionalProperties": false + }, + "oscal-ssp-oscal-metadata:responsible-role": { + "title": "Responsible Role", + "description": "A reference to a role with responsibility for performing a function relative to the containing object, optionally associated with a set of persons and/or organizations that perform that role.", + "$id": "#assembly_oscal-metadata_responsible-role", + "type": "object", + "properties": { + "role-id": { + "title": "Responsible Role ID", + "description": "A human-oriented identifier reference to a role performed.", + "$ref": "#/definitions/TokenDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "party-uuids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_party-uuid" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["role-id"], + "additionalProperties": false + }, + "oscal-ssp-oscal-metadata:hash": { + "title": "Hash", + "description": "A representation of a cryptographic digest generated over a resource using a specified hash algorithm.", + "$id": "#field_oscal-metadata_hash", + "type": "object", + "properties": { + "algorithm": { + "title": "Hash algorithm", + "description": "The digest method by which a hash is derived.", + "anyOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { + "enum": [ + "SHA-224", + "SHA-256", + "SHA-384", + "SHA-512", + "SHA3-224", + "SHA3-256", + "SHA3-384", + "SHA3-512" + ] + } + ] + }, + "value": { "$ref": "#/definitions/StringDatatype" } + }, + "required": ["value", "algorithm"], + "additionalProperties": false + }, + "oscal-ssp-oscal-metadata:remarks": { + "title": "Remarks", + "description": "Additional commentary about the containing object.", + "$id": "#field_oscal-metadata_remarks", + "type": "string" + }, + "oscal-ssp-oscal-metadata:published": { + "title": "Publication Timestamp", + "description": "The date and time the document was last made available.", + "$id": "#field_oscal-metadata_published", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "oscal-ssp-oscal-metadata:last-modified": { + "title": "Last Modified Timestamp", + "description": "The date and time the document was last stored for later retrieval.", + "$id": "#field_oscal-metadata_last-modified", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "oscal-ssp-oscal-metadata:version": { + "title": "Document Version", + "description": "Used to distinguish a specific revision of an OSCAL document from other previous and future versions.", + "$id": "#field_oscal-metadata_version", + "$ref": "#/definitions/StringDatatype" + }, + "oscal-ssp-oscal-metadata:oscal-version": { + "title": "OSCAL Version", + "description": "The OSCAL model version the document was authored against and will conform to as valid.", + "$id": "#field_oscal-metadata_oscal-version", + "$ref": "#/definitions/StringDatatype" + }, + "oscal-ssp-oscal-metadata:email-address": { + "title": "Email Address", + "description": "An email address as defined by RFC 5322 Section 3.4.1.", + "$id": "#field_oscal-metadata_email-address", + "$ref": "#/definitions/EmailAddressDatatype" + }, + "oscal-ssp-oscal-metadata:telephone-number": { + "title": "Telephone Number", + "description": "A telephone service number as defined by ITU-T E.164.", + "$id": "#field_oscal-metadata_telephone-number", + "type": "object", + "properties": { + "type": { + "title": "type flag", + "description": "Indicates the type of phone number.", + "anyOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { "enum": ["home", "office", "mobile"] } + ] + }, + "number": { "$ref": "#/definitions/StringDatatype" } + }, + "required": ["number"], + "additionalProperties": false + }, + "oscal-ssp-oscal-metadata:address": { + "title": "Address", + "description": "A postal address for the location.", + "$id": "#assembly_oscal-metadata_address", + "type": "object", + "properties": { + "type": { + "title": "Address Type", + "description": "Indicates the type of address.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["home", "work"] } + ] + }, + "addr-lines": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_addr-line" } + }, + "city": { + "title": "City", + "description": "City, town or geographical region for the mailing address.", + "$ref": "#/definitions/StringDatatype" + }, + "state": { + "title": "State", + "description": "State, province or analogous geographical region for a mailing address.", + "$ref": "#/definitions/StringDatatype" + }, + "postal-code": { + "title": "Postal Code", + "description": "Postal or ZIP code for mailing address.", + "$ref": "#/definitions/StringDatatype" + }, + "country": { + "title": "Country Code", + "description": "The ISO 3166-1 alpha-2 country code for the mailing address.", + "$ref": "#/definitions/StringDatatype" + } + }, + "additionalProperties": false + }, + "oscal-ssp-oscal-metadata:addr-line": { + "title": "Address line", + "description": "A single line of an address.", + "$id": "#field_oscal-metadata_addr-line", + "$ref": "#/definitions/StringDatatype" + }, + "oscal-ssp-oscal-metadata:document-id": { + "title": "Document Identifier", + "description": "A document identifier qualified by an identifier scheme.", + "$id": "#field_oscal-metadata_document-id", + "type": "object", + "properties": { + "scheme": { + "title": "Document Identification Scheme", + "description": "Qualifies the kind of document identifier using a URI. If the scheme is not provided the value of the element will be interpreted as a string of characters.", + "anyOf": [ + { "$ref": "#/definitions/URIDatatype" }, + + { "enum": ["http://www.doi.org/"] } + ] + }, + "identifier": { "$ref": "#/definitions/StringDatatype" } + }, + "required": ["identifier"], + "additionalProperties": false + }, + "oscal-ssp-oscal-implementation-common:system-component": { + "title": "Component", + "description": "A defined component that can be part of an implemented system.", + "$id": "#assembly_oscal-implementation-common_system-component", + "type": "object", + "properties": { + "uuid": { + "title": "Component Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this component elsewhere in this or other OSCAL instances. The locally defined UUID of the component can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "type": { + "title": "Component Type", + "description": "A category describing the purpose of the component.", + "anyOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { + "enum": [ + "this-system", + "system", + "interconnection", + "software", + "hardware", + "service", + "policy", + "physical", + "process-procedure", + "plan", + "guidance", + "standard", + "validation", + "network" + ] + } + ] + }, + "title": { + "title": "Component Title", + "description": "A human readable name for the system component.", + "type": "string" + }, + "description": { + "title": "Component Description", + "description": "A description of the component, including information about its function.", + "type": "string" + }, + "purpose": { + "title": "Purpose", + "description": "A summary of the technological or business purpose of the component.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "status": { + "title": "Status", + "description": "Describes the operational status of the system component.", + "type": "object", + "properties": { + "state": { + "title": "State", + "description": "The operational status.", + "allOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { + "enum": [ + "under-development", + "operational", + "disposition", + "other" + ] + } + ] + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["state"], + "additionalProperties": false + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "protocols": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-implementation-common_protocol" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "type", "title", "description", "status"], + "additionalProperties": false + }, + "oscal-ssp-oscal-implementation-common:protocol": { + "title": "Service Protocol Information", + "description": "Information about the protocol used to provide a service.", + "$id": "#assembly_oscal-implementation-common_protocol", + "type": "object", + "properties": { + "uuid": { + "title": "Service Protocol Information Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this service protocol information elsewhere in this or other OSCAL instances. The locally defined UUID of the service protocol can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "name": { + "title": "Protocol Name", + "description": "The common name of the protocol, which should be the appropriate \"service name\" from the IANA Service Name and Transport Protocol Port Number Registry.", + "$ref": "#/definitions/StringDatatype" + }, + "title": { + "title": "Protocol Title", + "description": "A human readable name for the protocol (e.g., Transport Layer Security).", + "type": "string" + }, + "port-ranges": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_port-range" + } + } + }, + "required": ["name"], + "additionalProperties": false + }, + "oscal-ssp-oscal-implementation-common:port-range": { + "title": "Port Range", + "description": "Where applicable this is the IPv4 port range on which the service operates.", + "$id": "#assembly_oscal-implementation-common_port-range", + "type": "object", + "properties": { + "start": { + "title": "Start", + "description": "Indicates the starting port number in a port range", + "$ref": "#/definitions/NonNegativeIntegerDatatype" + }, + "end": { + "title": "End", + "description": "Indicates the ending port number in a port range", + "$ref": "#/definitions/NonNegativeIntegerDatatype" + }, + "transport": { + "title": "Transport", + "description": "Indicates the transport type.", + "allOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["TCP", "UDP"] } + ] + } + }, + "additionalProperties": false + }, + "oscal-ssp-oscal-implementation-common:implementation-status": { + "title": "Implementation Status", + "description": "Indicates the degree to which the a given control is implemented.", + "$id": "#assembly_oscal-implementation-common_implementation-status", + "type": "object", + "properties": { + "state": { + "title": "Implementation State", + "description": "Identifies the implementation status of the control or control objective.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { + "enum": [ + "implemented", + "partial", + "planned", + "alternative", + "not-applicable" + ] + } + ] + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["state"], + "additionalProperties": false + }, + "oscal-ssp-oscal-implementation-common:system-user": { + "title": "System User", + "description": "A type of user that interacts with the system based on an associated role.", + "$id": "#assembly_oscal-implementation-common_system-user", + "type": "object", + "properties": { + "uuid": { + "title": "User Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this user class elsewhere in this or other OSCAL instances. The locally defined UUID of the system user can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "User Title", + "description": "A name given to the user, which may be used by a tool for display and navigation.", + "type": "string" + }, + "short-name": { + "title": "User Short Name", + "description": "A short common name, abbreviation, or acronym for the user.", + "$ref": "#/definitions/StringDatatype" + }, + "description": { + "title": "User Description", + "description": "A summary of the user's purpose within the system.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "role-ids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_role-id" } + }, + "authorized-privileges": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_authorized-privilege" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid"], + "additionalProperties": false + }, + "oscal-ssp-oscal-implementation-common:authorized-privilege": { + "title": "Privilege", + "description": "Identifies a specific system privilege held by the user, along with an associated description and/or rationale for the privilege.", + "$id": "#assembly_oscal-implementation-common_authorized-privilege", + "type": "object", + "properties": { + "title": { + "title": "Privilege Title", + "description": "A human readable name for the privilege.", + "type": "string" + }, + "description": { + "title": "Privilege Description", + "description": "A summary of the privilege's purpose within the system.", + "type": "string" + }, + "functions-performed": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#field_oscal-implementation-common_function-performed" + } + } + }, + "required": ["title", "functions-performed"], + "additionalProperties": false + }, + "oscal-ssp-oscal-implementation-common:function-performed": { + "title": "Functions Performed", + "description": "Describes a function performed for a given authorized privilege by this user class.", + "$id": "#field_oscal-implementation-common_function-performed", + "$ref": "#/definitions/StringDatatype" + }, + "oscal-ssp-oscal-implementation-common:inventory-item": { + "title": "Inventory Item", + "description": "A single managed inventory item within the system.", + "$id": "#assembly_oscal-implementation-common_inventory-item", + "type": "object", + "properties": { + "uuid": { + "title": "Inventory Item Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this inventory item elsewhere in this or other OSCAL instances. The locally defined UUID of the inventory item can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "description": { + "title": "Inventory Item Description", + "description": "A summary of the inventory item stating its purpose within the system.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-party" } + }, + "implemented-components": { + "type": "array", + "minItems": 1, + "items": { + "title": "Implemented Component", + "description": "The set of components that are implemented in a given system inventory item.", + "type": "object", + "properties": { + "component-uuid": { + "title": "Component Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to a component that is implemented as part of an inventory item.", + "$ref": "#/definitions/UUIDDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-metadata_responsible-party" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["component-uuid"], + "additionalProperties": false + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "description"], + "additionalProperties": false + }, + "oscal-ssp-oscal-implementation-common:set-parameter": { + "title": "Set Parameter Value", + "description": "Identifies the parameter that will be set by the enclosed value.", + "$id": "#assembly_oscal-implementation-common_set-parameter", + "type": "object", + "properties": { + "param-id": { + "title": "Parameter ID", + "description": "A human-oriented reference to a parameter within a control, who's catalog has been imported into the current implementation context.", + "$ref": "#/definitions/TokenDatatype" + }, + "values": { + "type": "array", + "minItems": 1, + "items": { + "title": "Parameter Value", + "description": "A parameter value or set of values.", + "$ref": "#/definitions/StringDatatype" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["param-id", "values"], + "additionalProperties": false + }, + "oscal-ssp-oscal-implementation-common:system-id": { + "title": "System Identification", + "description": "A human-oriented, globally unique identifier with cross-instance scope that can be used to reference this system identification property elsewhere in this or other OSCAL instances. When referencing an externally defined system identification, the system identification must be used in the context of the external / imported OSCAL instance (e.g., uri-reference). This string should be assigned per-subject, which means it should be consistently used to identify the same system across revisions of the document.", + "$id": "#field_oscal-implementation-common_system-id", + "type": "object", + "properties": { + "identifier-type": { + "title": "Identification System Type", + "description": "Identifies the identification system from which the provided identifier was assigned.", + "anyOf": [ + { "$ref": "#/definitions/URIDatatype" }, + + { + "enum": [ + "https://fedramp.gov", + "http://fedramp.gov/ns/oscal", + "https://ietf.org/rfc/rfc4122", + "http://ietf.org/rfc/rfc4122" + ] + } + ] + }, + "id": { "$ref": "#/definitions/StringDatatype" } + }, + "required": ["id"], + "additionalProperties": false + }, + "oscal-ssp-oscal-control-common:part": { + "title": "Part", + "description": "An annotated, markup-based textual element of a control's or catalog group's definition, or a child of another part.", + "$id": "#assembly_oscal-control-common_part", + "type": "object", + "properties": { + "id": { + "title": "Part Identifier", + "description": "A unique identifier for the part.", + "$ref": "#/definitions/TokenDatatype" + }, + "name": { + "title": "Part Name", + "description": "A textual label that uniquely identifies the part's semantic type, which exists in a value space qualified by the ns.", + "$ref": "#/definitions/TokenDatatype" + }, + "ns": { + "title": "Part Namespace", + "description": "An optional namespace qualifying the part's name. This allows different organizations to associate distinct semantics with the same name.", + "$ref": "#/definitions/URIDatatype" + }, + "class": { + "title": "Part Class", + "description": "An optional textual providing a sub-type or characterization of the part's name, or a category to which the part belongs.", + "$ref": "#/definitions/TokenDatatype" + }, + "title": { + "title": "Part Title", + "description": "An optional name given to the part, which may be used by a tool for display and navigation.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "prose": { + "title": "Part Text", + "description": "Permits multiple paragraphs, lists, tables etc.", + "type": "string" + }, + "parts": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-control-common_part" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + } + }, + "required": ["name"], + "additionalProperties": false + }, + "oscal-ssp-oscal-control-common:parameter": { + "title": "Parameter", + "description": "Parameters provide a mechanism for the dynamic assignment of value(s) in a control.", + "$id": "#assembly_oscal-control-common_parameter", + "type": "object", + "properties": { + "id": { + "title": "Parameter Identifier", + "description": "A unique identifier for the parameter.", + "$ref": "#/definitions/TokenDatatype" + }, + "class": { + "title": "Parameter Class", + "description": "A textual label that provides a characterization of the type, purpose, use or scope of the parameter.", + "$ref": "#/definitions/TokenDatatype" + }, + "depends-on": { + "title": "Depends on", + "description": "(deprecated) Another parameter invoking this one. This construct has been deprecated and should not be used.", + "$ref": "#/definitions/TokenDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "label": { + "title": "Parameter Label", + "description": "A short, placeholder name for the parameter, which can be used as a substitute for a value if no value is assigned.", + "type": "string" + }, + "usage": { + "title": "Parameter Usage Description", + "description": "Describes the purpose and use of a parameter.", + "type": "string" + }, + "constraints": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-control-common_parameter-constraint" + } + }, + "guidelines": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-control-common_parameter-guideline" + } + }, + "values": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-control-common_parameter-value" } + }, + "select": { + "$ref": "#assembly_oscal-control-common_parameter-selection" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["id"], + "additionalProperties": false + }, + "oscal-ssp-oscal-control-common:parameter-constraint": { + "title": "Constraint", + "description": "A formal or informal expression of a constraint or test.", + "$id": "#assembly_oscal-control-common_parameter-constraint", + "type": "object", + "properties": { + "description": { + "title": "Constraint Description", + "description": "A textual summary of the constraint to be applied.", + "type": "string" + }, + "tests": { + "type": "array", + "minItems": 1, + "items": { + "title": "Constraint Test", + "description": "A test expression which is expected to be evaluated by a tool.", + "type": "object", + "properties": { + "expression": { + "title": "Constraint test", + "description": "A formal (executable) expression of a constraint.", + "$ref": "#/definitions/StringDatatype" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["expression"], + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "oscal-ssp-oscal-control-common:parameter-guideline": { + "title": "Guideline", + "description": "A prose statement that provides a recommendation for the use of a parameter.", + "$id": "#assembly_oscal-control-common_parameter-guideline", + "type": "object", + "properties": { + "prose": { + "title": "Guideline Text", + "description": "Prose permits multiple paragraphs, lists, tables etc.", + "type": "string" + } + }, + "required": ["prose"], + "additionalProperties": false + }, + "oscal-ssp-oscal-control-common:parameter-value": { + "title": "Parameter Value", + "description": "A parameter value or set of values.", + "$id": "#field_oscal-control-common_parameter-value", + "$ref": "#/definitions/StringDatatype" + }, + "oscal-ssp-oscal-control-common:parameter-selection": { + "title": "Selection", + "description": "Presenting a choice among alternatives.", + "$id": "#assembly_oscal-control-common_parameter-selection", + "type": "object", + "properties": { + "how-many": { + "title": "Parameter Cardinality", + "description": "Describes the number of selections that must occur. Without this setting, only one value should be assumed to be permitted.", + "allOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["one", "one-or-more"] } + ] + }, + "choice": { + "type": "array", + "minItems": 1, + "items": { + "title": "Choice", + "description": "A value selection among several such options.", + "type": "string" + } + } + }, + "additionalProperties": false + }, + "oscal-ssp-oscal-control-common:include-all": { + "title": "Include All", + "description": "Include all controls from the imported catalog or profile resources.", + "$id": "#assembly_oscal-control-common_include-all", + "type": "object", + "additionalProperties": false + }, + "Base64Datatype": { + "description": "Binary data encoded using the Base 64 encoding algorithm as defined by RFC4648.", + "type": "string", + "pattern": "^[0-9A-Za-z+/]+={0,2}$", + "contentEncoding": "base64" + }, + "DateDatatype": { + "description": "A string representing a 24-hour period with an optional timezone.", + "type": "string", + "pattern": "^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))(Z|(-((0[0-9]|1[0-2]):00|0[39]:30)|\\+((0[0-9]|1[0-4]):00|(0[34569]|10):30|(0[58]|12):45)))?$" + }, + "DateTimeWithTimezoneDatatype": { + "description": "A string representing a point in time with a required timezone.", + "type": "string", + "format": "date-time", + "pattern": "^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|(-((0[0-9]|1[0-2]):00|0[39]:30)|\\+((0[0-9]|1[0-4]):00|(0[34569]|10):30|(0[58]|12):45)))$" + }, + "EmailAddressDatatype": { + "description": "An email address string formatted according to RFC 6531.", + "allOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { "type": "string", "format": "email", "pattern": "^.+@.+$" } + ] + }, + "IntegerDatatype": { + "description": "A whole number value.", + "type": "integer" + }, + "NonNegativeIntegerDatatype": { + "description": "An integer value that is equal to or greater than 0.", + "allOf": [ + { "$ref": "#/definitions/IntegerDatatype" }, + + { "type": "number", "minimum": 0 } + ] + }, + "StringDatatype": { + "description": "A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, U+10, U+32 or [ \n\t]+", + "type": "string", + "pattern": "^\\S(.*\\S)?$" + }, + "TokenDatatype": { + "description": "A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. https://www.w3.org/TR/xmlschema11-2/#NCName.", + "type": "string", + "pattern": "^(\\p{L}|_)(\\p{L}|\\p{N}|[.\\-_])*$" + }, + "URIDatatype": { + "description": "A universal resource identifier (URI) formatted according to RFC3986.", + "type": "string", + "format": "uri", + "pattern": "^[a-zA-Z][a-zA-Z0-9+\\-.]+:.+$" + }, + "URIReferenceDatatype": { + "description": "A URI Reference, either a URI or a relative-reference, formatted according to section 4.1 of RFC3986.", + "type": "string", + "format": "uri-reference" + }, + "UUIDDatatype": { + "description": "A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + } + }, + "properties": { + "$schema": { "$ref": "#json-schema-directive" }, + "system-security-plan": { + "$ref": "#assembly_oscal-ssp_system-security-plan" + } + }, + "required": ["system-security-plan"], + "additionalProperties": false +} diff --git a/roscal_lib/jsonschema/tracking_latest_unified/1.1.2.json b/roscal_lib/jsonschema/tracking_latest_unified/1.1.2.json new file mode 100644 index 0000000..4d1624b --- /dev/null +++ b/roscal_lib/jsonschema/tracking_latest_unified/1.1.2.json @@ -0,0 +1,5659 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "http://csrc.nist.gov/ns/oscal/1.0/1.1.2/oscal-complete-schema.json", + "$comment": "OSCAL Unified Model of Models: JSON Schema", + "type": "object", + "definitions": { + "json-schema-directive": { + "title": "Schema Directive", + "description": "A JSON Schema directive to bind a specific schema to its document instance.", + "$id": "#json-schema-directive", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "oscal-complete-oscal-catalog:catalog": { + "title": "Catalog", + "description": "A structured, organized collection of control information.", + "$id": "#assembly_oscal-catalog_catalog", + "type": "object", + "properties": { + "uuid": { + "title": "Catalog Universally Unique Identifier", + "description": "Provides a globally unique means to identify a given catalog instance.", + "$ref": "#/definitions/UUIDDatatype" + }, + "metadata": { "$ref": "#assembly_oscal-metadata_metadata" }, + "params": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-control-common_parameter" } + }, + "controls": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-catalog_control" } + }, + "groups": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-catalog_group" } + }, + "back-matter": { "$ref": "#assembly_oscal-metadata_back-matter" } + }, + "required": ["uuid", "metadata"], + "additionalProperties": false + }, + "oscal-complete-oscal-catalog:group": { + "title": "Control Group", + "description": "A group of controls, or of groups of controls.", + "$id": "#assembly_oscal-catalog_group", + "type": "object", + "properties": { + "id": { + "title": "Group Identifier", + "description": "Identifies the group for the purpose of cross-linking within the defining instance or from other instances that reference the catalog.", + "$ref": "#/definitions/TokenDatatype" + }, + "class": { + "title": "Group Class", + "description": "A textual label that provides a sub-type or characterization of the group.", + "$ref": "#/definitions/TokenDatatype" + }, + "title": { + "title": "Group Title", + "description": "A name given to the group, which may be used by a tool for display and navigation.", + "type": "string" + }, + "params": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-control-common_parameter" } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "parts": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-control-common_part" } + }, + "groups": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-catalog_group" } + }, + "controls": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-catalog_control" } + } + }, + "required": ["title"], + "additionalProperties": false + }, + "oscal-complete-oscal-catalog:control": { + "title": "Control", + "description": "A structured object representing a requirement or guideline, which when implemented will reduce an aspect of risk related to an information system and its information.", + "$id": "#assembly_oscal-catalog_control", + "type": "object", + "properties": { + "id": { + "title": "Control Identifier", + "description": "Identifies a control such that it can be referenced in the defining catalog and other OSCAL instances (e.g., profiles).", + "$ref": "#/definitions/TokenDatatype" + }, + "class": { + "title": "Control Class", + "description": "A textual label that provides a sub-type or characterization of the control.", + "$ref": "#/definitions/TokenDatatype" + }, + "title": { + "title": "Control Title", + "description": "A name given to the control, which may be used by a tool for display and navigation.", + "type": "string" + }, + "params": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-control-common_parameter" } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "parts": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-control-common_part" } + }, + "controls": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-catalog_control" } + } + }, + "required": ["id", "title"], + "additionalProperties": false + }, + "oscal-complete-oscal-control-common:part": { + "title": "Part", + "description": "An annotated, markup-based textual element of a control's or catalog group's definition, or a child of another part.", + "$id": "#assembly_oscal-control-common_part", + "type": "object", + "properties": { + "id": { + "title": "Part Identifier", + "description": "A unique identifier for the part.", + "$ref": "#/definitions/TokenDatatype" + }, + "name": { + "title": "Part Name", + "description": "A textual label that uniquely identifies the part's semantic type, which exists in a value space qualified by the ns.", + "$ref": "#/definitions/TokenDatatype" + }, + "ns": { + "title": "Part Namespace", + "description": "An optional namespace qualifying the part's name. This allows different organizations to associate distinct semantics with the same name.", + "$ref": "#/definitions/URIDatatype" + }, + "class": { + "title": "Part Class", + "description": "An optional textual providing a sub-type or characterization of the part's name, or a category to which the part belongs.", + "$ref": "#/definitions/TokenDatatype" + }, + "title": { + "title": "Part Title", + "description": "An optional name given to the part, which may be used by a tool for display and navigation.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "prose": { + "title": "Part Text", + "description": "Permits multiple paragraphs, lists, tables etc.", + "type": "string" + }, + "parts": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-control-common_part" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + } + }, + "required": ["name"], + "additionalProperties": false + }, + "oscal-complete-oscal-control-common:parameter": { + "title": "Parameter", + "description": "Parameters provide a mechanism for the dynamic assignment of value(s) in a control.", + "$id": "#assembly_oscal-control-common_parameter", + "type": "object", + "properties": { + "id": { + "title": "Parameter Identifier", + "description": "A unique identifier for the parameter.", + "$ref": "#/definitions/TokenDatatype" + }, + "class": { + "title": "Parameter Class", + "description": "A textual label that provides a characterization of the type, purpose, use or scope of the parameter.", + "$ref": "#/definitions/TokenDatatype" + }, + "depends-on": { + "title": "Depends on", + "description": "(deprecated) Another parameter invoking this one. This construct has been deprecated and should not be used.", + "$ref": "#/definitions/TokenDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "label": { + "title": "Parameter Label", + "description": "A short, placeholder name for the parameter, which can be used as a substitute for a value if no value is assigned.", + "type": "string" + }, + "usage": { + "title": "Parameter Usage Description", + "description": "Describes the purpose and use of a parameter.", + "type": "string" + }, + "constraints": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-control-common_parameter-constraint" + } + }, + "guidelines": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-control-common_parameter-guideline" + } + }, + "values": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-control-common_parameter-value" } + }, + "select": { + "$ref": "#assembly_oscal-control-common_parameter-selection" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["id"], + "additionalProperties": false + }, + "oscal-complete-oscal-control-common:parameter-constraint": { + "title": "Constraint", + "description": "A formal or informal expression of a constraint or test.", + "$id": "#assembly_oscal-control-common_parameter-constraint", + "type": "object", + "properties": { + "description": { + "title": "Constraint Description", + "description": "A textual summary of the constraint to be applied.", + "type": "string" + }, + "tests": { + "type": "array", + "minItems": 1, + "items": { + "title": "Constraint Test", + "description": "A test expression which is expected to be evaluated by a tool.", + "type": "object", + "properties": { + "expression": { + "title": "Constraint test", + "description": "A formal (executable) expression of a constraint.", + "$ref": "#/definitions/StringDatatype" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["expression"], + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "oscal-complete-oscal-control-common:parameter-guideline": { + "title": "Guideline", + "description": "A prose statement that provides a recommendation for the use of a parameter.", + "$id": "#assembly_oscal-control-common_parameter-guideline", + "type": "object", + "properties": { + "prose": { + "title": "Guideline Text", + "description": "Prose permits multiple paragraphs, lists, tables etc.", + "type": "string" + } + }, + "required": ["prose"], + "additionalProperties": false + }, + "oscal-complete-oscal-control-common:parameter-value": { + "title": "Parameter Value", + "description": "A parameter value or set of values.", + "$id": "#field_oscal-control-common_parameter-value", + "$ref": "#/definitions/StringDatatype" + }, + "oscal-complete-oscal-control-common:parameter-selection": { + "title": "Selection", + "description": "Presenting a choice among alternatives.", + "$id": "#assembly_oscal-control-common_parameter-selection", + "type": "object", + "properties": { + "how-many": { + "title": "Parameter Cardinality", + "description": "Describes the number of selections that must occur. Without this setting, only one value should be assumed to be permitted.", + "allOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["one", "one-or-more"] } + ] + }, + "choice": { + "type": "array", + "minItems": 1, + "items": { + "title": "Choice", + "description": "A value selection among several such options.", + "type": "string" + } + } + }, + "additionalProperties": false + }, + "oscal-complete-oscal-control-common:include-all": { + "title": "Include All", + "description": "Include all controls from the imported catalog or profile resources.", + "$id": "#assembly_oscal-control-common_include-all", + "type": "object", + "additionalProperties": false + }, + "oscal-complete-oscal-metadata:metadata": { + "title": "Document Metadata", + "description": "Provides information about the containing document, and defines concepts that are shared across the document.", + "$id": "#assembly_oscal-metadata_metadata", + "type": "object", + "properties": { + "title": { + "title": "Document Title", + "description": "A name given to the document, which may be used by a tool for display and navigation.", + "type": "string" + }, + "published": { "$ref": "#field_oscal-metadata_published" }, + "last-modified": { "$ref": "#field_oscal-metadata_last-modified" }, + "version": { "$ref": "#field_oscal-metadata_version" }, + "oscal-version": { "$ref": "#field_oscal-metadata_oscal-version" }, + "revisions": { + "type": "array", + "minItems": 1, + "items": { + "title": "Revision History Entry", + "description": "An entry in a sequential list of revisions to the containing document, expected to be in reverse chronological order (i.e. latest first).", + "type": "object", + "properties": { + "title": { + "title": "Document Title", + "description": "A name given to the document revision, which may be used by a tool for display and navigation.", + "type": "string" + }, + "published": { "$ref": "#field_oscal-metadata_published" }, + "last-modified": { + "$ref": "#field_oscal-metadata_last-modified" + }, + "version": { "$ref": "#field_oscal-metadata_version" }, + "oscal-version": { + "$ref": "#field_oscal-metadata_oscal-version" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["version"], + "additionalProperties": false + } + }, + "document-ids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_document-id" } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "roles": { + "type": "array", + "minItems": 1, + "items": { + "title": "Role", + "description": "Defines a function, which might be assigned to a party in a specific situation.", + "type": "object", + "properties": { + "id": { + "title": "Role Identifier", + "description": "A unique identifier for the role.", + "$ref": "#/definitions/TokenDatatype" + }, + "title": { + "title": "Role Title", + "description": "A name given to the role, which may be used by a tool for display and navigation.", + "type": "string" + }, + "short-name": { + "title": "Role Short Name", + "description": "A short common name, abbreviation, or acronym for the role.", + "$ref": "#/definitions/StringDatatype" + }, + "description": { + "title": "Role Description", + "description": "A summary of the role's purpose and associated responsibilities.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["id", "title"], + "additionalProperties": false + } + }, + "locations": { + "type": "array", + "minItems": 1, + "items": { + "title": "Location", + "description": "A physical point of presence, which may be associated with people, organizations, or other concepts within the current or linked OSCAL document.", + "type": "object", + "properties": { + "uuid": { + "title": "Location Universally Unique Identifier", + "description": "A unique ID for the location, for reference.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Location Title", + "description": "A name given to the location, which may be used by a tool for display and navigation.", + "type": "string" + }, + "address": { "$ref": "#assembly_oscal-metadata_address" }, + "email-addresses": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_email-address" } + }, + "telephone-numbers": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_telephone-number" } + }, + "urls": { + "type": "array", + "minItems": 1, + "items": { + "title": "Location URL", + "description": "The uniform resource locator (URL) for a web site or other resource associated with the location.", + "$ref": "#/definitions/URIDatatype" + } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid"], + "additionalProperties": false + } + }, + "parties": { + "type": "array", + "minItems": 1, + "items": { + "title": "Party", + "description": "An organization or person, which may be associated with roles or other concepts within the current or linked OSCAL document.", + "type": "object", + "properties": { + "uuid": { + "title": "Party Universally Unique Identifier", + "description": "A unique identifier for the party.", + "$ref": "#/definitions/UUIDDatatype" + }, + "type": { + "title": "Party Type", + "description": "A category describing the kind of party the object describes.", + "allOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { "enum": ["person", "organization"] } + ] + }, + "name": { + "title": "Party Name", + "description": "The full name of the party. This is typically the legal name associated with the party.", + "$ref": "#/definitions/StringDatatype" + }, + "short-name": { + "title": "Party Short Name", + "description": "A short common name, abbreviation, or acronym for the party.", + "$ref": "#/definitions/StringDatatype" + }, + "external-ids": { + "type": "array", + "minItems": 1, + "items": { + "title": "Party External Identifier", + "description": "An identifier for a person or organization using a designated scheme. e.g. an Open Researcher and Contributor ID (ORCID).", + "type": "object", + "properties": { + "scheme": { + "title": "External Identifier Schema", + "description": "Indicates the type of external identifier.", + "anyOf": [ + { "$ref": "#/definitions/URIDatatype" }, + + { "enum": ["http://orcid.org/"] } + ] + }, + "id": { "$ref": "#/definitions/StringDatatype" } + }, + "required": ["id", "scheme"], + "additionalProperties": false + } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "email-addresses": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_email-address" } + }, + "telephone-numbers": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_telephone-number" } + }, + "addresses": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_address" } + }, + "location-uuids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_location-uuid" } + }, + "member-of-organizations": { + "type": "array", + "minItems": 1, + "items": { + "title": "Organizational Affiliation", + "description": "A reference to another party by UUID, typically an organization, that this subject is associated with.", + "$ref": "#/definitions/UUIDDatatype" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "type"], + "additionalProperties": false + } + }, + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-party" } + }, + "actions": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_action" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["title", "last-modified", "version", "oscal-version"], + "additionalProperties": false + }, + "oscal-complete-oscal-metadata:location-uuid": { + "title": "Location Universally Unique Identifier Reference", + "description": "Reference to a location by UUID.", + "$id": "#field_oscal-metadata_location-uuid", + "$ref": "#/definitions/UUIDDatatype" + }, + "oscal-complete-oscal-metadata:party-uuid": { + "title": "Party Universally Unique Identifier Reference", + "description": "Reference to a party by UUID.", + "$id": "#field_oscal-metadata_party-uuid", + "$ref": "#/definitions/UUIDDatatype" + }, + "oscal-complete-oscal-metadata:role-id": { + "title": "Role Identifier Reference", + "description": "Reference to a role by UUID.", + "$id": "#field_oscal-metadata_role-id", + "$ref": "#/definitions/TokenDatatype" + }, + "oscal-complete-oscal-metadata:back-matter": { + "title": "Back matter", + "description": "A collection of resources that may be referenced from within the OSCAL document instance.", + "$id": "#assembly_oscal-metadata_back-matter", + "type": "object", + "properties": { + "resources": { + "type": "array", + "minItems": 1, + "items": { + "title": "Resource", + "description": "A resource associated with content in the containing document instance. A resource may be directly included in the document using base64 encoding or may point to one or more equivalent internet resources.", + "type": "object", + "properties": { + "uuid": { + "title": "Resource Universally Unique Identifier", + "description": "A unique identifier for a resource.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Resource Title", + "description": "An optional name given to the resource, which may be used by a tool for display and navigation.", + "type": "string" + }, + "description": { + "title": "Resource Description", + "description": "An optional short summary of the resource used to indicate the purpose of the resource.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "document-ids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_document-id" } + }, + "citation": { + "title": "Citation", + "description": "An optional citation consisting of end note text using structured markup.", + "type": "object", + "properties": { + "text": { + "title": "Citation Text", + "description": "A line of citation text.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + } + }, + "required": ["text"], + "additionalProperties": false + }, + "rlinks": { + "type": "array", + "minItems": 1, + "items": { + "title": "Resource link", + "description": "A URL-based pointer to an external resource with an optional hash for verification and change detection.", + "type": "object", + "properties": { + "href": { + "title": "Hypertext Reference", + "description": "A resolvable URL pointing to the referenced resource.", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "media-type": { + "title": "Media Type", + "description": "A label that indicates the nature of a resource, as a data serialization or format.", + "$ref": "#/definitions/StringDatatype" + }, + "hashes": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_hash" } + } + }, + "required": ["href"], + "additionalProperties": false + } + }, + "base64": { + "title": "Base64", + "description": "A resource encoded using the Base64 alphabet defined by RFC 2045.", + "type": "object", + "properties": { + "filename": { + "title": "File Name", + "description": "Name of the file before it was encoded as Base64 to be embedded in a resource. This is the name that will be assigned to the file when the file is decoded.", + "$ref": "#/definitions/TokenDatatype" + }, + "media-type": { + "title": "Media Type", + "description": "A label that indicates the nature of a resource, as a data serialization or format.", + "$ref": "#/definitions/StringDatatype" + }, + "value": { "$ref": "#/definitions/Base64Datatype" } + }, + "required": ["value"], + "additionalProperties": false + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid"], + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "oscal-complete-oscal-metadata:property": { + "title": "Property", + "description": "An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.", + "$id": "#assembly_oscal-metadata_property", + "type": "object", + "properties": { + "name": { + "title": "Property Name", + "description": "A textual label, within a namespace, that uniquely identifies a specific attribute, characteristic, or quality of the property's containing object.", + "$ref": "#/definitions/TokenDatatype" + }, + "uuid": { + "title": "Property Universally Unique Identifier", + "description": "A unique identifier for a property.", + "$ref": "#/definitions/UUIDDatatype" + }, + "ns": { + "title": "Property Namespace", + "description": "A namespace qualifying the property's name. This allows different organizations to associate distinct semantics with the same name.", + "$ref": "#/definitions/URIDatatype" + }, + "value": { + "title": "Property Value", + "description": "Indicates the value of the attribute, characteristic, or quality.", + "$ref": "#/definitions/StringDatatype" + }, + "class": { + "title": "Property Class", + "description": "A textual label that provides a sub-type or characterization of the property's name.", + "$ref": "#/definitions/TokenDatatype" + }, + "group": { + "title": "Property Group", + "description": "An identifier for relating distinct sets of properties.", + "$ref": "#/definitions/TokenDatatype" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["name", "value"], + "additionalProperties": false + }, + "oscal-complete-oscal-metadata:link": { + "title": "Link", + "description": "A reference to a local or remote resource, that has a specific relation to the containing object.", + "$id": "#assembly_oscal-metadata_link", + "type": "object", + "properties": { + "href": { + "title": "Hypertext Reference", + "description": "A resolvable URL reference to a resource.", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "rel": { + "title": "Link Relation Type", + "description": "Describes the type of relationship provided by the link's hypertext reference. This can be an indicator of the link's purpose.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["reference"] } + ] + }, + "media-type": { + "title": "Media Type", + "description": "A label that indicates the nature of a resource, as a data serialization or format.", + "$ref": "#/definitions/StringDatatype" + }, + "resource-fragment": { + "title": "Resource Fragment", + "description": "In case where the href points to a back-matter/resource, this value will indicate the URI fragment to append to any rlink associated with the resource. This value MUST be URI encoded.", + "$ref": "#/definitions/StringDatatype" + }, + "text": { + "title": "Link Text", + "description": "A textual label to associate with the link, which may be used for presentation in a tool.", + "type": "string" + } + }, + "required": ["href"], + "additionalProperties": false + }, + "oscal-complete-oscal-metadata:responsible-party": { + "title": "Responsible Party", + "description": "A reference to a set of persons and/or organizations that have responsibility for performing the referenced role in the context of the containing object.", + "$id": "#assembly_oscal-metadata_responsible-party", + "type": "object", + "properties": { + "role-id": { + "title": "Responsible Role", + "description": "A reference to a role performed by a party.", + "$ref": "#/definitions/TokenDatatype" + }, + "party-uuids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_party-uuid" } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["role-id", "party-uuids"], + "additionalProperties": false + }, + "oscal-complete-oscal-metadata:action": { + "title": "Action", + "description": "An action applied by a role within a given party to the content.", + "$id": "#assembly_oscal-metadata_action", + "type": "object", + "properties": { + "uuid": { + "title": "Action Universally Unique Identifier", + "description": "A unique identifier that can be used to reference this defined action elsewhere in an OSCAL document. A UUID should be consistently used for a given location across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "date": { + "title": "Action Occurrence Date", + "description": "The date and time when the action occurred.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "type": { + "title": "Action Type", + "description": "The type of action documented by the assembly, such as an approval.", + "$ref": "#/definitions/TokenDatatype" + }, + "system": { + "title": "Action Type System", + "description": "Specifies the action type system used.", + "$ref": "#/definitions/URIDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-party" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "type", "system"], + "additionalProperties": false + }, + "oscal-complete-oscal-metadata:responsible-role": { + "title": "Responsible Role", + "description": "A reference to a role with responsibility for performing a function relative to the containing object, optionally associated with a set of persons and/or organizations that perform that role.", + "$id": "#assembly_oscal-metadata_responsible-role", + "type": "object", + "properties": { + "role-id": { + "title": "Responsible Role ID", + "description": "A human-oriented identifier reference to a role performed.", + "$ref": "#/definitions/TokenDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "party-uuids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_party-uuid" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["role-id"], + "additionalProperties": false + }, + "oscal-complete-oscal-metadata:hash": { + "title": "Hash", + "description": "A representation of a cryptographic digest generated over a resource using a specified hash algorithm.", + "$id": "#field_oscal-metadata_hash", + "type": "object", + "properties": { + "algorithm": { + "title": "Hash algorithm", + "description": "The digest method by which a hash is derived.", + "anyOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { + "enum": [ + "SHA-224", + "SHA-256", + "SHA-384", + "SHA-512", + "SHA3-224", + "SHA3-256", + "SHA3-384", + "SHA3-512" + ] + } + ] + }, + "value": { "$ref": "#/definitions/StringDatatype" } + }, + "required": ["value", "algorithm"], + "additionalProperties": false + }, + "oscal-complete-oscal-metadata:remarks": { + "title": "Remarks", + "description": "Additional commentary about the containing object.", + "$id": "#field_oscal-metadata_remarks", + "type": "string" + }, + "oscal-complete-oscal-metadata:published": { + "title": "Publication Timestamp", + "description": "The date and time the document was last made available.", + "$id": "#field_oscal-metadata_published", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "oscal-complete-oscal-metadata:last-modified": { + "title": "Last Modified Timestamp", + "description": "The date and time the document was last stored for later retrieval.", + "$id": "#field_oscal-metadata_last-modified", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "oscal-complete-oscal-metadata:version": { + "title": "Document Version", + "description": "Used to distinguish a specific revision of an OSCAL document from other previous and future versions.", + "$id": "#field_oscal-metadata_version", + "$ref": "#/definitions/StringDatatype" + }, + "oscal-complete-oscal-metadata:oscal-version": { + "title": "OSCAL Version", + "description": "The OSCAL model version the document was authored against and will conform to as valid.", + "$id": "#field_oscal-metadata_oscal-version", + "$ref": "#/definitions/StringDatatype" + }, + "oscal-complete-oscal-metadata:email-address": { + "title": "Email Address", + "description": "An email address as defined by RFC 5322 Section 3.4.1.", + "$id": "#field_oscal-metadata_email-address", + "$ref": "#/definitions/EmailAddressDatatype" + }, + "oscal-complete-oscal-metadata:telephone-number": { + "title": "Telephone Number", + "description": "A telephone service number as defined by ITU-T E.164.", + "$id": "#field_oscal-metadata_telephone-number", + "type": "object", + "properties": { + "type": { + "title": "type flag", + "description": "Indicates the type of phone number.", + "anyOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { "enum": ["home", "office", "mobile"] } + ] + }, + "number": { "$ref": "#/definitions/StringDatatype" } + }, + "required": ["number"], + "additionalProperties": false + }, + "oscal-complete-oscal-metadata:address": { + "title": "Address", + "description": "A postal address for the location.", + "$id": "#assembly_oscal-metadata_address", + "type": "object", + "properties": { + "type": { + "title": "Address Type", + "description": "Indicates the type of address.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["home", "work"] } + ] + }, + "addr-lines": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_addr-line" } + }, + "city": { + "title": "City", + "description": "City, town or geographical region for the mailing address.", + "$ref": "#/definitions/StringDatatype" + }, + "state": { + "title": "State", + "description": "State, province or analogous geographical region for a mailing address.", + "$ref": "#/definitions/StringDatatype" + }, + "postal-code": { + "title": "Postal Code", + "description": "Postal or ZIP code for mailing address.", + "$ref": "#/definitions/StringDatatype" + }, + "country": { + "title": "Country Code", + "description": "The ISO 3166-1 alpha-2 country code for the mailing address.", + "$ref": "#/definitions/StringDatatype" + } + }, + "additionalProperties": false + }, + "oscal-complete-oscal-metadata:addr-line": { + "title": "Address line", + "description": "A single line of an address.", + "$id": "#field_oscal-metadata_addr-line", + "$ref": "#/definitions/StringDatatype" + }, + "oscal-complete-oscal-metadata:document-id": { + "title": "Document Identifier", + "description": "A document identifier qualified by an identifier scheme.", + "$id": "#field_oscal-metadata_document-id", + "type": "object", + "properties": { + "scheme": { + "title": "Document Identification Scheme", + "description": "Qualifies the kind of document identifier using a URI. If the scheme is not provided the value of the element will be interpreted as a string of characters.", + "anyOf": [ + { "$ref": "#/definitions/URIDatatype" }, + + { "enum": ["http://www.doi.org/"] } + ] + }, + "identifier": { "$ref": "#/definitions/StringDatatype" } + }, + "required": ["identifier"], + "additionalProperties": false + }, + "oscal-complete-oscal-profile:profile": { + "title": "Profile", + "description": "Each OSCAL profile is defined by a profile element.", + "$id": "#assembly_oscal-profile_profile", + "type": "object", + "properties": { + "uuid": { + "title": "Profile Universally Unique Identifier", + "description": "Provides a globally unique means to identify a given profile instance.", + "$ref": "#/definitions/UUIDDatatype" + }, + "metadata": { "$ref": "#assembly_oscal-metadata_metadata" }, + "imports": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-profile_import" } + }, + "merge": { "$ref": "#assembly_oscal-profile_merge" }, + "modify": { "$ref": "#assembly_oscal-profile_modify" }, + "back-matter": { "$ref": "#assembly_oscal-metadata_back-matter" } + }, + "required": ["uuid", "metadata", "imports"], + "additionalProperties": false + }, + "oscal-complete-oscal-profile:import": { + "title": "Import Resource", + "description": "Designates a referenced source catalog or profile that provides a source of control information for use in creating a new overlay or baseline.", + "$id": "#assembly_oscal-profile_import", + "type": "object", + "properties": { + "href": { + "title": "Catalog or Profile Reference", + "description": "A resolvable URL reference to the base catalog or profile that this profile is tailoring.", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "include-all": { "$ref": "#assembly_oscal-control-common_include-all" }, + "include-controls": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-profile_select-control-by-id" } + }, + "exclude-controls": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-profile_select-control-by-id" } + } + }, + "required": ["href"], + "additionalProperties": false + }, + "oscal-complete-oscal-profile:merge": { + "title": "Merge Controls", + "description": "Provides structuring directives that instruct how controls are organized after profile resolution.", + "$id": "#assembly_oscal-profile_merge", + "type": "object", + "properties": { + "combine": { + "title": "Combination Rule", + "description": "A Combine element defines how to resolve duplicate instances of the same control (e.g., controls with the same ID).", + "type": "object", + "properties": { + "method": { + "title": "Combination Method", + "description": "Declare how clashing controls should be handled.", + "allOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { "enum": ["use-first", "merge", "keep"] } + ] + } + }, + "additionalProperties": false + }, + "flat": { + "title": "Flat Without Grouping", + "description": "Directs that controls appear without any grouping structure.", + "type": "object", + "additionalProperties": false + }, + "as-is": { + "title": "Group As-Is", + "description": "Indicates that the controls selected should retain their original grouping as defined in the import source.", + "$ref": "#/definitions/BooleanDatatype" + }, + "custom": { + "title": "Custom Grouping", + "description": "Provides an alternate grouping structure that selected controls will be placed in.", + "type": "object", + "properties": { + "groups": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-profile_group" } + }, + "insert-controls": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-profile_insert-controls" } + } + }, + "additionalProperties": false + } + }, + "additionalProperties": false + }, + "oscal-complete-oscal-profile:group": { + "title": "Control Group", + "description": "A group of (selected) controls or of groups of controls.", + "$id": "#assembly_oscal-profile_group", + "type": "object", + "properties": { + "id": { + "title": "Group Identifier", + "description": "Identifies the group.", + "$ref": "#/definitions/TokenDatatype" + }, + "class": { + "title": "Group Class", + "description": "A textual label that provides a sub-type or characterization of the group.", + "$ref": "#/definitions/TokenDatatype" + }, + "title": { + "title": "Group Title", + "description": "A name to be given to the group for use in display.", + "type": "string" + }, + "params": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-control-common_parameter" } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "parts": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-control-common_part" } + }, + "groups": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-profile_group" } + }, + "insert-controls": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-profile_insert-controls" } + } + }, + "required": ["title"], + "additionalProperties": false + }, + "oscal-complete-oscal-profile:modify": { + "title": "Modify Controls", + "description": "Set parameters or amend controls in resolution.", + "$id": "#assembly_oscal-profile_modify", + "type": "object", + "properties": { + "set-parameters": { + "type": "array", + "minItems": 1, + "items": { + "title": "Parameter Setting", + "description": "A parameter setting, to be propagated to points of insertion.", + "type": "object", + "properties": { + "param-id": { + "title": "Parameter ID", + "description": "An identifier for the parameter.", + "$ref": "#/definitions/TokenDatatype" + }, + "class": { + "title": "Parameter Class", + "description": "A textual label that provides a characterization of the parameter.", + "$ref": "#/definitions/TokenDatatype" + }, + "depends-on": { + "title": "Depends On", + "description": "**(deprecated)** Another parameter invoking this one. This construct has been deprecated and should not be used.", + "$ref": "#/definitions/TokenDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "label": { + "title": "Parameter Label", + "description": "A short, placeholder name for the parameter, which can be used as a substitute for a value if no value is assigned.", + "type": "string" + }, + "usage": { + "title": "Parameter Usage Description", + "description": "Describes the purpose and use of a parameter.", + "type": "string" + }, + "constraints": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-control-common_parameter-constraint" + } + }, + "guidelines": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-control-common_parameter-guideline" + } + }, + "values": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#field_oscal-control-common_parameter-value" + } + }, + "select": { + "$ref": "#assembly_oscal-control-common_parameter-selection" + } + }, + "required": ["param-id"], + "additionalProperties": false + } + }, + "alters": { + "type": "array", + "minItems": 1, + "items": { + "title": "Alteration", + "description": "Specifies changes to be made to an included control when a profile is resolved.", + "type": "object", + "properties": { + "control-id": { + "title": "Control Identifier Reference", + "description": "A reference to a control with a corresponding id value. When referencing an externally defined control, the Control Identifier Reference must be used in the context of the external / imported OSCAL instance (e.g., uri-reference).", + "$ref": "#/definitions/TokenDatatype" + }, + "removes": { + "type": "array", + "minItems": 1, + "items": { + "title": "Removal", + "description": "Specifies objects to be removed from a control based on specific aspects of the object that must all match.", + "type": "object", + "properties": { + "by-name": { + "title": "Reference by (assigned) name", + "description": "Identify items remove by matching their assigned name.", + "$ref": "#/definitions/TokenDatatype" + }, + "by-class": { + "title": "Reference by class", + "description": "Identify items to remove by matching their class.", + "$ref": "#/definitions/TokenDatatype" + }, + "by-id": { + "title": "Reference by ID", + "description": "Identify items to remove indicated by their id.", + "$ref": "#/definitions/TokenDatatype" + }, + "by-item-name": { + "title": "Item Name Reference", + "description": "Identify items to remove by the name of the item's information object name, e.g. title or prop.", + "allOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { + "enum": [ + "param", + "prop", + "link", + "part", + "mapping", + "map" + ] + } + ] + }, + "by-ns": { + "title": "Item Namespace Reference", + "description": "Identify items to remove by the item's ns, which is the namespace associated with a part, or prop.", + "$ref": "#/definitions/TokenDatatype" + } + }, + "additionalProperties": false + } + }, + "adds": { + "type": "array", + "minItems": 1, + "items": { + "title": "Addition", + "description": "Specifies contents to be added into controls, in resolution.", + "type": "object", + "properties": { + "position": { + "title": "Position", + "description": "Where to add the new content with respect to the targeted element (beside it or inside it).", + "allOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["before", "after", "starting", "ending"] } + ] + }, + "by-id": { + "title": "Reference by ID", + "description": "Target location of the addition.", + "$ref": "#/definitions/TokenDatatype" + }, + "title": { + "title": "Title Change", + "description": "A name given to the control, which may be used by a tool for display and navigation.", + "type": "string" + }, + "params": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-control-common_parameter" + } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "parts": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-control-common_part" } + } + }, + "additionalProperties": false + } + } + }, + "required": ["control-id"], + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, + "oscal-complete-oscal-profile:insert-controls": { + "title": "Insert Controls", + "description": "Specifies which controls to use in the containing context.", + "$id": "#assembly_oscal-profile_insert-controls", + "type": "object", + "properties": { + "order": { + "title": "Order", + "description": "A designation of how a selection of controls in a profile is to be ordered.", + "allOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["keep", "ascending", "descending"] } + ] + }, + "include-all": { "$ref": "#assembly_oscal-control-common_include-all" }, + "include-controls": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-profile_select-control-by-id" } + }, + "exclude-controls": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-profile_select-control-by-id" } + } + }, + "additionalProperties": false + }, + "oscal-complete-oscal-profile:select-control-by-id": { + "title": "Select Control", + "description": "Select a control or controls from an imported control set.", + "$id": "#assembly_oscal-profile_select-control-by-id", + "type": "object", + "properties": { + "with-child-controls": { + "title": "Include Contained Controls with Control", + "description": "When a control is included, whether its child (dependent) controls are also included.", + "allOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["yes", "no"] } + ] + }, + "with-ids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-profile_with-id" } + }, + "matching": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-profile_matching" } + } + }, + "additionalProperties": false + }, + "oscal-complete-oscal-profile:with-id": { + "title": "Match Controls by Identifier", + "description": "Selecting a control by its ID given as a literal.", + "$id": "#field_oscal-profile_with-id", + "$ref": "#/definitions/TokenDatatype" + }, + "oscal-complete-oscal-profile:matching": { + "title": "Match Controls by Pattern", + "description": "Selecting a set of controls by matching their IDs with a wildcard pattern.", + "$id": "#assembly_oscal-profile_matching", + "type": "object", + "properties": { + "pattern": { + "title": "Pattern", + "description": "A glob expression matching the IDs of one or more controls to be selected.", + "$ref": "#/definitions/StringDatatype" + } + }, + "additionalProperties": false + }, + "oscal-complete-oscal-component-definition:component-definition": { + "title": "Component Definition", + "description": "A collection of component descriptions, which may optionally be grouped by capability.", + "$id": "#assembly_oscal-component-definition_component-definition", + "type": "object", + "properties": { + "uuid": { + "title": "Component Definition Universally Unique Identifier", + "description": "Provides a globally unique means to identify a given component definition instance.", + "$ref": "#/definitions/UUIDDatatype" + }, + "metadata": { "$ref": "#assembly_oscal-metadata_metadata" }, + "import-component-definitions": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-component-definition_import-component-definition" + } + }, + "components": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-component-definition_defined-component" + } + }, + "capabilities": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-component-definition_capability" } + }, + "back-matter": { "$ref": "#assembly_oscal-metadata_back-matter" } + }, + "required": ["uuid", "metadata"], + "additionalProperties": false + }, + "oscal-complete-oscal-component-definition:import-component-definition": { + "title": "Import Component Definition", + "description": "Loads a component definition from another resource.", + "$id": "#assembly_oscal-component-definition_import-component-definition", + "type": "object", + "properties": { + "href": { + "title": "Hyperlink Reference", + "description": "A link to a resource that defines a set of components and/or capabilities to import into this collection.", + "$ref": "#/definitions/URIReferenceDatatype" + } + }, + "required": ["href"], + "additionalProperties": false + }, + "oscal-complete-oscal-component-definition:defined-component": { + "title": "Component", + "description": "A defined component that can be part of an implemented system.", + "$id": "#assembly_oscal-component-definition_defined-component", + "type": "object", + "properties": { + "uuid": { + "title": "Component Identifier", + "description": "Provides a globally unique means to identify a given component.", + "$ref": "#/definitions/UUIDDatatype" + }, + "type": { + "title": "Component Type", + "description": "A category describing the purpose of the component.", + "anyOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { + "enum": [ + "interconnection", + "software", + "hardware", + "service", + "policy", + "physical", + "process-procedure", + "plan", + "guidance", + "standard", + "validation" + ] + } + ] + }, + "title": { + "title": "Component Title", + "description": "A human readable name for the component.", + "type": "string" + }, + "description": { + "title": "Component Description", + "description": "A description of the component, including information about its function.", + "type": "string" + }, + "purpose": { + "title": "Purpose", + "description": "A summary of the technological or business purpose of the component.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "protocols": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-implementation-common_protocol" } + }, + "control-implementations": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-component-definition_control-implementation" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "type", "title", "description"], + "additionalProperties": false + }, + "oscal-complete-oscal-component-definition:capability": { + "title": "Capability", + "description": "A grouping of other components and/or capabilities.", + "$id": "#assembly_oscal-component-definition_capability", + "type": "object", + "properties": { + "uuid": { + "title": "Capability Identifier", + "description": "Provides a globally unique means to identify a given capability.", + "$ref": "#/definitions/UUIDDatatype" + }, + "name": { + "title": "Capability Name", + "description": "The capability's human-readable name.", + "$ref": "#/definitions/StringDatatype" + }, + "description": { + "title": "Capability Description", + "description": "A summary of the capability.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "incorporates-components": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-component-definition_incorporates-component" + } + }, + "control-implementations": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-component-definition_control-implementation" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "name", "description"], + "additionalProperties": false + }, + "oscal-complete-oscal-component-definition:incorporates-component": { + "title": "Incorporates Component", + "description": "The collection of components comprising this capability.", + "$id": "#assembly_oscal-component-definition_incorporates-component", + "type": "object", + "properties": { + "component-uuid": { + "title": "Component Reference", + "description": "A machine-oriented identifier reference to a component.", + "$ref": "#/definitions/UUIDDatatype" + }, + "description": { + "title": "Component Description", + "description": "A description of the component, including information about its function.", + "type": "string" + } + }, + "required": ["component-uuid", "description"], + "additionalProperties": false + }, + "oscal-complete-oscal-component-definition:control-implementation": { + "title": "Control Implementation Set", + "description": "Defines how the component or capability supports a set of controls.", + "$id": "#assembly_oscal-component-definition_control-implementation", + "type": "object", + "properties": { + "uuid": { + "title": "Control Implementation Set Identifier", + "description": "Provides a means to identify a set of control implementations that are supported by a given component or capability.", + "$ref": "#/definitions/UUIDDatatype" + }, + "source": { + "title": "Source Resource Reference", + "description": "A reference to an OSCAL catalog or profile providing the referenced control or subcontrol definition.", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "description": { + "title": "Control Implementation Description", + "description": "A description of how the specified set of controls are implemented for the containing component or capability.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "set-parameters": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_set-parameter" + } + }, + "implemented-requirements": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-component-definition_implemented-requirement" + } + } + }, + "required": ["uuid", "source", "description", "implemented-requirements"], + "additionalProperties": false + }, + "oscal-complete-oscal-component-definition:implemented-requirement": { + "title": "Control Implementation", + "description": "Describes how the containing component or capability implements an individual control.", + "$id": "#assembly_oscal-component-definition_implemented-requirement", + "type": "object", + "properties": { + "uuid": { + "title": "Control Implementation Identifier", + "description": "Provides a globally unique means to identify a given control implementation by a component.", + "$ref": "#/definitions/UUIDDatatype" + }, + "control-id": { + "title": "Control Identifier Reference", + "description": "A reference to a control with a corresponding id value. When referencing an externally defined control, the Control Identifier Reference must be used in the context of the external / imported OSCAL instance (e.g., uri-reference).", + "$ref": "#/definitions/TokenDatatype" + }, + "description": { + "title": "Control Implementation Description", + "description": "A suggestion from the supplier (e.g., component vendor or author) for how the specified control may be implemented if the containing component or capability is instantiated in a system security plan.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "set-parameters": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_set-parameter" + } + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "statements": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-component-definition_statement" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "control-id", "description"], + "additionalProperties": false + }, + "oscal-complete-oscal-component-definition:statement": { + "title": "Control Statement Implementation", + "description": "Identifies which statements within a control are addressed.", + "$id": "#assembly_oscal-component-definition_statement", + "type": "object", + "properties": { + "statement-id": { + "title": "Control Statement Reference", + "description": "A human-oriented identifier reference to a control statement.", + "$ref": "#/definitions/TokenDatatype" + }, + "uuid": { + "title": "Control Statement Reference Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this control statement elsewhere in this or other OSCAL instances. The UUID of the control statement in the source OSCAL instance is sufficient to reference the data item locally or globally (e.g., in an imported OSCAL instance).", + "$ref": "#/definitions/UUIDDatatype" + }, + "description": { + "title": "Statement Implementation Description", + "description": "A summary of how the containing control statement is implemented by the component or capability.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["statement-id", "uuid", "description"], + "additionalProperties": false + }, + "oscal-complete-oscal-implementation-common:system-component": { + "title": "Component", + "description": "A defined component that can be part of an implemented system.", + "$id": "#assembly_oscal-implementation-common_system-component", + "type": "object", + "properties": { + "uuid": { + "title": "Component Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this component elsewhere in this or other OSCAL instances. The locally defined UUID of the component can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "type": { + "title": "Component Type", + "description": "A category describing the purpose of the component.", + "anyOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { + "enum": [ + "this-system", + "system", + "interconnection", + "software", + "hardware", + "service", + "policy", + "physical", + "process-procedure", + "plan", + "guidance", + "standard", + "validation", + "network" + ] + } + ] + }, + "title": { + "title": "Component Title", + "description": "A human readable name for the system component.", + "type": "string" + }, + "description": { + "title": "Component Description", + "description": "A description of the component, including information about its function.", + "type": "string" + }, + "purpose": { + "title": "Purpose", + "description": "A summary of the technological or business purpose of the component.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "status": { + "title": "Status", + "description": "Describes the operational status of the system component.", + "type": "object", + "properties": { + "state": { + "title": "State", + "description": "The operational status.", + "allOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { + "enum": [ + "under-development", + "operational", + "disposition", + "other" + ] + } + ] + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["state"], + "additionalProperties": false + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "protocols": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-implementation-common_protocol" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "type", "title", "description", "status"], + "additionalProperties": false + }, + "oscal-complete-oscal-implementation-common:protocol": { + "title": "Service Protocol Information", + "description": "Information about the protocol used to provide a service.", + "$id": "#assembly_oscal-implementation-common_protocol", + "type": "object", + "properties": { + "uuid": { + "title": "Service Protocol Information Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this service protocol information elsewhere in this or other OSCAL instances. The locally defined UUID of the service protocol can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "name": { + "title": "Protocol Name", + "description": "The common name of the protocol, which should be the appropriate \"service name\" from the IANA Service Name and Transport Protocol Port Number Registry.", + "$ref": "#/definitions/StringDatatype" + }, + "title": { + "title": "Protocol Title", + "description": "A human readable name for the protocol (e.g., Transport Layer Security).", + "type": "string" + }, + "port-ranges": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_port-range" + } + } + }, + "required": ["name"], + "additionalProperties": false + }, + "oscal-complete-oscal-implementation-common:port-range": { + "title": "Port Range", + "description": "Where applicable this is the IPv4 port range on which the service operates.", + "$id": "#assembly_oscal-implementation-common_port-range", + "type": "object", + "properties": { + "start": { + "title": "Start", + "description": "Indicates the starting port number in a port range", + "$ref": "#/definitions/NonNegativeIntegerDatatype" + }, + "end": { + "title": "End", + "description": "Indicates the ending port number in a port range", + "$ref": "#/definitions/NonNegativeIntegerDatatype" + }, + "transport": { + "title": "Transport", + "description": "Indicates the transport type.", + "allOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["TCP", "UDP"] } + ] + } + }, + "additionalProperties": false + }, + "oscal-complete-oscal-implementation-common:implementation-status": { + "title": "Implementation Status", + "description": "Indicates the degree to which the a given control is implemented.", + "$id": "#assembly_oscal-implementation-common_implementation-status", + "type": "object", + "properties": { + "state": { + "title": "Implementation State", + "description": "Identifies the implementation status of the control or control objective.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { + "enum": [ + "implemented", + "partial", + "planned", + "alternative", + "not-applicable" + ] + } + ] + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["state"], + "additionalProperties": false + }, + "oscal-complete-oscal-implementation-common:system-user": { + "title": "System User", + "description": "A type of user that interacts with the system based on an associated role.", + "$id": "#assembly_oscal-implementation-common_system-user", + "type": "object", + "properties": { + "uuid": { + "title": "User Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this user class elsewhere in this or other OSCAL instances. The locally defined UUID of the system user can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "User Title", + "description": "A name given to the user, which may be used by a tool for display and navigation.", + "type": "string" + }, + "short-name": { + "title": "User Short Name", + "description": "A short common name, abbreviation, or acronym for the user.", + "$ref": "#/definitions/StringDatatype" + }, + "description": { + "title": "User Description", + "description": "A summary of the user's purpose within the system.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "role-ids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-metadata_role-id" } + }, + "authorized-privileges": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_authorized-privilege" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid"], + "additionalProperties": false + }, + "oscal-complete-oscal-implementation-common:authorized-privilege": { + "title": "Privilege", + "description": "Identifies a specific system privilege held by the user, along with an associated description and/or rationale for the privilege.", + "$id": "#assembly_oscal-implementation-common_authorized-privilege", + "type": "object", + "properties": { + "title": { + "title": "Privilege Title", + "description": "A human readable name for the privilege.", + "type": "string" + }, + "description": { + "title": "Privilege Description", + "description": "A summary of the privilege's purpose within the system.", + "type": "string" + }, + "functions-performed": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#field_oscal-implementation-common_function-performed" + } + } + }, + "required": ["title", "functions-performed"], + "additionalProperties": false + }, + "oscal-complete-oscal-implementation-common:function-performed": { + "title": "Functions Performed", + "description": "Describes a function performed for a given authorized privilege by this user class.", + "$id": "#field_oscal-implementation-common_function-performed", + "$ref": "#/definitions/StringDatatype" + }, + "oscal-complete-oscal-implementation-common:inventory-item": { + "title": "Inventory Item", + "description": "A single managed inventory item within the system.", + "$id": "#assembly_oscal-implementation-common_inventory-item", + "type": "object", + "properties": { + "uuid": { + "title": "Inventory Item Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this inventory item elsewhere in this or other OSCAL instances. The locally defined UUID of the inventory item can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "description": { + "title": "Inventory Item Description", + "description": "A summary of the inventory item stating its purpose within the system.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-party" } + }, + "implemented-components": { + "type": "array", + "minItems": 1, + "items": { + "title": "Implemented Component", + "description": "The set of components that are implemented in a given system inventory item.", + "type": "object", + "properties": { + "component-uuid": { + "title": "Component Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to a component that is implemented as part of an inventory item.", + "$ref": "#/definitions/UUIDDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-metadata_responsible-party" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["component-uuid"], + "additionalProperties": false + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "description"], + "additionalProperties": false + }, + "oscal-complete-oscal-implementation-common:set-parameter": { + "title": "Set Parameter Value", + "description": "Identifies the parameter that will be set by the enclosed value.", + "$id": "#assembly_oscal-implementation-common_set-parameter", + "type": "object", + "properties": { + "param-id": { + "title": "Parameter ID", + "description": "A human-oriented reference to a parameter within a control, who's catalog has been imported into the current implementation context.", + "$ref": "#/definitions/TokenDatatype" + }, + "values": { + "type": "array", + "minItems": 1, + "items": { + "title": "Parameter Value", + "description": "A parameter value or set of values.", + "$ref": "#/definitions/StringDatatype" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["param-id", "values"], + "additionalProperties": false + }, + "oscal-complete-oscal-implementation-common:system-id": { + "title": "System Identification", + "description": "A human-oriented, globally unique identifier with cross-instance scope that can be used to reference this system identification property elsewhere in this or other OSCAL instances. When referencing an externally defined system identification, the system identification must be used in the context of the external / imported OSCAL instance (e.g., uri-reference). This string should be assigned per-subject, which means it should be consistently used to identify the same system across revisions of the document.", + "$id": "#field_oscal-implementation-common_system-id", + "type": "object", + "properties": { + "identifier-type": { + "title": "Identification System Type", + "description": "Identifies the identification system from which the provided identifier was assigned.", + "anyOf": [ + { "$ref": "#/definitions/URIDatatype" }, + + { + "enum": [ + "https://fedramp.gov", + "http://fedramp.gov/ns/oscal", + "https://ietf.org/rfc/rfc4122", + "http://ietf.org/rfc/rfc4122" + ] + } + ] + }, + "id": { "$ref": "#/definitions/StringDatatype" } + }, + "required": ["id"], + "additionalProperties": false + }, + "oscal-complete-oscal-ssp:system-security-plan": { + "title": "System Security Plan (SSP)", + "description": "A system security plan, such as those described in NIST SP 800-18.", + "$id": "#assembly_oscal-ssp_system-security-plan", + "type": "object", + "properties": { + "uuid": { + "title": "System Security Plan Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this system security plan (SSP) elsewhere in this or other OSCAL instances. The locally defined UUID of the SSP can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance).This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "metadata": { "$ref": "#assembly_oscal-metadata_metadata" }, + "import-profile": { "$ref": "#assembly_oscal-ssp_import-profile" }, + "system-characteristics": { + "$ref": "#assembly_oscal-ssp_system-characteristics" + }, + "system-implementation": { + "$ref": "#assembly_oscal-ssp_system-implementation" + }, + "control-implementation": { + "$ref": "#assembly_oscal-ssp_control-implementation" + }, + "back-matter": { "$ref": "#assembly_oscal-metadata_back-matter" } + }, + "required": [ + "uuid", + "metadata", + "import-profile", + "system-characteristics", + "system-implementation", + "control-implementation" + ], + "additionalProperties": false + }, + "oscal-complete-oscal-ssp:import-profile": { + "title": "Import Profile", + "description": "Used to import the OSCAL profile representing the system's control baseline.", + "$id": "#assembly_oscal-ssp_import-profile", + "type": "object", + "properties": { + "href": { + "title": "Profile Reference", + "description": "A resolvable URL reference to the profile or catalog to use as the system's control baseline.", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["href"], + "additionalProperties": false + }, + "oscal-complete-oscal-ssp:system-characteristics": { + "title": "System Characteristics", + "description": "Contains the characteristics of the system, such as its name, purpose, and security impact level.", + "$id": "#assembly_oscal-ssp_system-characteristics", + "type": "object", + "properties": { + "system-ids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-implementation-common_system-id" } + }, + "system-name": { + "title": "System Name - Full", + "description": "The full name of the system.", + "$ref": "#/definitions/StringDatatype" + }, + "system-name-short": { + "title": "System Name - Short", + "description": "A short name for the system, such as an acronym, that is suitable for display in a data table or summary list.", + "$ref": "#/definitions/StringDatatype" + }, + "description": { + "title": "System Description", + "description": "A summary of the system.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "date-authorized": { "$ref": "#field_oscal-ssp_date-authorized" }, + "security-sensitivity-level": { + "title": "Security Sensitivity Level", + "description": "The overall information system sensitivity categorization, such as defined by FIPS-199.", + "$ref": "#/definitions/StringDatatype" + }, + "system-information": { + "$ref": "#assembly_oscal-ssp_system-information" + }, + "security-impact-level": { + "$ref": "#assembly_oscal-ssp_security-impact-level" + }, + "status": { "$ref": "#assembly_oscal-ssp_status" }, + "authorization-boundary": { + "$ref": "#assembly_oscal-ssp_authorization-boundary" + }, + "network-architecture": { + "$ref": "#assembly_oscal-ssp_network-architecture" + }, + "data-flow": { "$ref": "#assembly_oscal-ssp_data-flow" }, + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-party" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": [ + "system-ids", + "system-name", + "description", + "system-information", + "status", + "authorization-boundary" + ], + "additionalProperties": false + }, + "oscal-complete-oscal-ssp:system-information": { + "title": "System Information", + "description": "Contains details about all information types that are stored, processed, or transmitted by the system, such as privacy information, and those defined in NIST SP 800-60.", + "$id": "#assembly_oscal-ssp_system-information", + "type": "object", + "properties": { + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "information-types": { + "type": "array", + "minItems": 1, + "items": { + "title": "Information Type", + "description": "Contains details about one information type that is stored, processed, or transmitted by the system, such as privacy information, and those defined in NIST SP 800-60.", + "type": "object", + "properties": { + "uuid": { + "title": "Information Type Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this information type elsewhere in this or other OSCAL instances. The locally defined UUID of the information type can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "title field", + "description": "A human readable name for the information type. This title should be meaningful within the context of the system.", + "type": "string" + }, + "description": { + "title": "Information Type Description", + "description": "A summary of how this information type is used within the system.", + "type": "string" + }, + "categorizations": { + "type": "array", + "minItems": 1, + "items": { + "title": "Information Type Categorization", + "description": "A set of information type identifiers qualified by the given identification system used, such as NIST SP 800-60.", + "type": "object", + "properties": { + "system": { + "title": "Information Type Identification System", + "description": "Specifies the information type identification system used.", + "anyOf": [ + { "$ref": "#/definitions/URIDatatype" }, + + { + "enum": ["http://doi.org/10.6028/NIST.SP.800-60v2r1"] + } + ] + }, + "information-type-ids": { + "type": "array", + "minItems": 1, + "items": { + "title": "Information Type Systematized Identifier", + "description": "A human-oriented, globally unique identifier qualified by the given identification system used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to reference this system elsewhere in this or other OSCAL instances. This id should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/StringDatatype" + } + } + }, + "required": ["system"], + "additionalProperties": false + } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "confidentiality-impact": { + "$ref": "#assembly_oscal-ssp_impact" + }, + "integrity-impact": { "$ref": "#assembly_oscal-ssp_impact" }, + "availability-impact": { "$ref": "#assembly_oscal-ssp_impact" } + }, + "required": ["title", "description"], + "additionalProperties": false + } + } + }, + "required": ["information-types"], + "additionalProperties": false + }, + "oscal-complete-oscal-ssp:impact": { + "title": "Impact Level", + "description": "The expected level of impact resulting from the described information.", + "$id": "#assembly_oscal-ssp_impact", + "type": "object", + "properties": { + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "base": { "$ref": "#field_oscal-ssp_base" }, + "selected": { "$ref": "#field_oscal-ssp_selected" }, + "adjustment-justification": { + "$ref": "#field_oscal-ssp_adjustment-justification" + } + }, + "required": ["base"], + "additionalProperties": false + }, + "oscal-complete-oscal-ssp:base": { + "title": "Base Level (Confidentiality, Integrity, or Availability)", + "description": "The prescribed base (Confidentiality, Integrity, or Availability) security impact level.", + "$id": "#field_oscal-ssp_base", + "$ref": "#/definitions/StringDatatype" + }, + "oscal-complete-oscal-ssp:selected": { + "title": "Selected Level (Confidentiality, Integrity, or Availability)", + "description": "The selected (Confidentiality, Integrity, or Availability) security impact level.", + "$id": "#field_oscal-ssp_selected", + "$ref": "#/definitions/StringDatatype" + }, + "oscal-complete-oscal-ssp:adjustment-justification": { + "title": "Adjustment Justification", + "description": "If the selected security level is different from the base security level, this contains the justification for the change.", + "$id": "#field_oscal-ssp_adjustment-justification", + "type": "string" + }, + "oscal-complete-oscal-ssp:security-impact-level": { + "title": "Security Impact Level", + "description": "The overall level of expected impact resulting from unauthorized disclosure, modification, or loss of access to information.", + "$id": "#assembly_oscal-ssp_security-impact-level", + "type": "object", + "properties": { + "security-objective-confidentiality": { + "title": "Security Objective: Confidentiality", + "description": "A target-level of confidentiality for the system, based on the sensitivity of information within the system.", + "$ref": "#/definitions/StringDatatype" + }, + "security-objective-integrity": { + "title": "Security Objective: Integrity", + "description": "A target-level of integrity for the system, based on the sensitivity of information within the system.", + "$ref": "#/definitions/StringDatatype" + }, + "security-objective-availability": { + "title": "Security Objective: Availability", + "description": "A target-level of availability for the system, based on the sensitivity of information within the system.", + "$ref": "#/definitions/StringDatatype" + } + }, + "required": [ + "security-objective-confidentiality", + "security-objective-integrity", + "security-objective-availability" + ], + "additionalProperties": false + }, + "oscal-complete-oscal-ssp:status": { + "title": "Status", + "description": "Describes the operational status of the system.", + "$id": "#assembly_oscal-ssp_status", + "type": "object", + "properties": { + "state": { + "title": "State", + "description": "The current operating status.", + "allOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { + "enum": [ + "operational", + "under-development", + "under-major-modification", + "disposition", + "other" + ] + } + ] + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["state"], + "additionalProperties": false + }, + "oscal-complete-oscal-ssp:date-authorized": { + "title": "System Authorization Date", + "description": "The date the system received its authorization.", + "$id": "#field_oscal-ssp_date-authorized", + "$ref": "#/definitions/DateDatatype" + }, + "oscal-complete-oscal-ssp:authorization-boundary": { + "title": "Authorization Boundary", + "description": "A description of this system's authorization boundary, optionally supplemented by diagrams that illustrate the authorization boundary.", + "$id": "#assembly_oscal-ssp_authorization-boundary", + "type": "object", + "properties": { + "description": { + "title": "Authorization Boundary Description", + "description": "A summary of the system's authorization boundary.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "diagrams": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-ssp_diagram" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["description"], + "additionalProperties": false + }, + "oscal-complete-oscal-ssp:diagram": { + "title": "Diagram", + "description": "A graphic that provides a visual representation the system, or some aspect of it.", + "$id": "#assembly_oscal-ssp_diagram", + "type": "object", + "properties": { + "uuid": { + "title": "Diagram ID", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this diagram elsewhere in this or other OSCAL instances. The locally defined UUID of the diagram can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "description": { + "title": "Diagram Description", + "description": "A summary of the diagram.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "caption": { + "title": "Caption", + "description": "A brief caption to annotate the diagram.", + "type": "string" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid"], + "additionalProperties": false + }, + "oscal-complete-oscal-ssp:network-architecture": { + "title": "Network Architecture", + "description": "A description of the system's network architecture, optionally supplemented by diagrams that illustrate the network architecture.", + "$id": "#assembly_oscal-ssp_network-architecture", + "type": "object", + "properties": { + "description": { + "title": "Network Architecture Description", + "description": "A summary of the system's network architecture.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "diagrams": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-ssp_diagram" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["description"], + "additionalProperties": false + }, + "oscal-complete-oscal-ssp:data-flow": { + "title": "Data Flow", + "description": "A description of the logical flow of information within the system and across its boundaries, optionally supplemented by diagrams that illustrate these flows.", + "$id": "#assembly_oscal-ssp_data-flow", + "type": "object", + "properties": { + "description": { + "title": "Data Flow Description", + "description": "A summary of the system's data flow.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "diagrams": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-ssp_diagram" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["description"], + "additionalProperties": false + }, + "oscal-complete-oscal-ssp:system-implementation": { + "title": "System Implementation", + "description": "Provides information as to how the system is implemented.", + "$id": "#assembly_oscal-ssp_system-implementation", + "type": "object", + "properties": { + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "leveraged-authorizations": { + "type": "array", + "minItems": 1, + "items": { + "title": "Leveraged Authorization", + "description": "A description of another authorized system from which this system inherits capabilities that satisfy security requirements. Another term for this concept is a common control provider.", + "type": "object", + "properties": { + "uuid": { + "title": "Leveraged Authorization Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope and can be used to reference this leveraged authorization elsewhere in this or other OSCAL instances. The locally defined UUID of the leveraged authorization can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "title field", + "description": "A human readable name for the leveraged authorization in the context of the system.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "party-uuid": { + "title": "party-uuid field", + "description": "A machine-oriented identifier reference to the party that manages the leveraged system.", + "$ref": "#/definitions/UUIDDatatype" + }, + "date-authorized": { "$ref": "#field_oscal-ssp_date-authorized" }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "title", "party-uuid", "date-authorized"], + "additionalProperties": false + } + }, + "users": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_system-user" + } + }, + "components": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_system-component" + } + }, + "inventory-items": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_inventory-item" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["users", "components"], + "additionalProperties": false + }, + "oscal-complete-oscal-ssp:control-implementation": { + "title": "Control Implementation", + "description": "Describes how the system satisfies a set of controls.", + "$id": "#assembly_oscal-ssp_control-implementation", + "type": "object", + "properties": { + "description": { + "title": "Control Implementation Description", + "description": "A statement describing important things to know about how this set of control satisfaction documentation is approached.", + "type": "string" + }, + "set-parameters": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_set-parameter" + } + }, + "implemented-requirements": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-ssp_implemented-requirement" } + } + }, + "required": ["description", "implemented-requirements"], + "additionalProperties": false + }, + "oscal-complete-oscal-ssp:implemented-requirement": { + "title": "Control-based Requirement", + "description": "Describes how the system satisfies the requirements of an individual control.", + "$id": "#assembly_oscal-ssp_implemented-requirement", + "type": "object", + "properties": { + "uuid": { + "title": "Control Requirement Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this control requirement elsewhere in this or other OSCAL instances. The locally defined UUID of the control requirement can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "control-id": { + "title": "Control Identifier Reference", + "description": "A reference to a control with a corresponding id value. When referencing an externally defined control, the Control Identifier Reference must be used in the context of the external / imported OSCAL instance (e.g., uri-reference).", + "$ref": "#/definitions/TokenDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "set-parameters": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_set-parameter" + } + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "statements": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-ssp_statement" } + }, + "by-components": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-ssp_by-component" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "control-id"], + "additionalProperties": false + }, + "oscal-complete-oscal-ssp:statement": { + "title": "Specific Control Statement", + "description": "Identifies which statements within a control are addressed.", + "$id": "#assembly_oscal-ssp_statement", + "type": "object", + "properties": { + "statement-id": { + "title": "Control Statement Reference", + "description": "A human-oriented identifier reference to a control statement.", + "$ref": "#/definitions/TokenDatatype" + }, + "uuid": { + "title": "Control Statement Reference Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this control statement elsewhere in this or other OSCAL instances. The UUID of the control statement in the source OSCAL instance is sufficient to reference the data item locally or globally (e.g., in an imported OSCAL instance).", + "$ref": "#/definitions/UUIDDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "by-components": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-ssp_by-component" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["statement-id", "uuid"], + "additionalProperties": false + }, + "oscal-complete-oscal-ssp:by-component": { + "title": "Component Control Implementation", + "description": "Defines how the referenced component implements a set of controls.", + "$id": "#assembly_oscal-ssp_by-component", + "type": "object", + "properties": { + "component-uuid": { + "title": "Component Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to the component that is implemeting a given control.", + "$ref": "#/definitions/UUIDDatatype" + }, + "uuid": { + "title": "By-Component Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this by-component entry elsewhere in this or other OSCAL instances. The locally defined UUID of the by-component entry can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "description": { + "title": "Control Implementation Description", + "description": "An implementation statement that describes how a control or a control statement is implemented within the referenced system component.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "set-parameters": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_set-parameter" + } + }, + "implementation-status": { + "$ref": "#assembly_oscal-implementation-common_implementation-status" + }, + "export": { + "title": "Export", + "description": "Identifies content intended for external consumption, such as with leveraged organizations.", + "type": "object", + "properties": { + "description": { + "title": "Control Implementation Export Description", + "description": "An implementation statement that describes the aspects of the control or control statement implementation that can be available to another system leveraging this system.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "provided": { + "type": "array", + "minItems": 1, + "items": { + "title": "Provided Control Implementation", + "description": "Describes a capability which may be inherited by a leveraging system.", + "type": "object", + "properties": { + "uuid": { + "title": "Provided Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this provided entry elsewhere in this or other OSCAL instances. The locally defined UUID of the provided entry can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "description": { + "title": "Provided Control Implementation Description", + "description": "An implementation statement that describes the aspects of the control or control statement implementation that can be provided to another system leveraging this system.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-metadata_responsible-role" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "description"], + "additionalProperties": false + } + }, + "responsibilities": { + "type": "array", + "minItems": 1, + "items": { + "title": "Control Implementation Responsibility", + "description": "Describes a control implementation responsibility imposed on a leveraging system.", + "type": "object", + "properties": { + "uuid": { + "title": "Responsibility Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this responsibility elsewhere in this or other OSCAL instances. The locally defined UUID of the responsibility can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "provided-uuid": { + "title": "Provided UUID", + "description": "A machine-oriented identifier reference to an inherited control implementation that a leveraging system is inheriting from a leveraged system.", + "$ref": "#/definitions/UUIDDatatype" + }, + "description": { + "title": "Control Implementation Responsibility Description", + "description": "An implementation statement that describes the aspects of the control or control statement implementation that a leveraging system must implement to satisfy the control provided by a leveraged system.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-metadata_responsible-role" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "description"], + "additionalProperties": false + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "additionalProperties": false + }, + "inherited": { + "type": "array", + "minItems": 1, + "items": { + "title": "Inherited Control Implementation", + "description": "Describes a control implementation inherited by a leveraging system.", + "type": "object", + "properties": { + "uuid": { + "title": "Inherited Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this inherited entry elsewhere in this or other OSCAL instances. The locally defined UUID of the inherited control implementation can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "provided-uuid": { + "title": "Provided UUID", + "description": "A machine-oriented identifier reference to an inherited control implementation that a leveraging system is inheriting from a leveraged system.", + "$ref": "#/definitions/UUIDDatatype" + }, + "description": { + "title": "Inherited Control Implementation Description", + "description": "An implementation statement that describes the aspects of a control or control statement implementation that a leveraging system is inheriting from a leveraged system.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + } + }, + "required": ["uuid", "description"], + "additionalProperties": false + } + }, + "satisfied": { + "type": "array", + "minItems": 1, + "items": { + "title": "Satisfied Control Implementation Responsibility", + "description": "Describes how this system satisfies a responsibility imposed by a leveraged system.", + "type": "object", + "properties": { + "uuid": { + "title": "Satisfied Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this satisfied control implementation entry elsewhere in this or other OSCAL instances. The locally defined UUID of the control implementation can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "responsibility-uuid": { + "title": "Responsibility UUID", + "description": "A machine-oriented identifier reference to a control implementation that satisfies a responsibility imposed by a leveraged system.", + "$ref": "#/definitions/UUIDDatatype" + }, + "description": { + "title": "Satisfied Control Implementation Responsibility Description", + "description": "An implementation statement that describes the aspects of a control or control statement implementation that a leveraging system is implementing based on a requirement from a leveraged system.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "description"], + "additionalProperties": false + } + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["component-uuid", "uuid", "description"], + "additionalProperties": false + }, + "oscal-complete-oscal-ap:assessment-plan": { + "title": "Security Assessment Plan (SAP)", + "description": "An assessment plan, such as those provided by a FedRAMP assessor.", + "$id": "#assembly_oscal-ap_assessment-plan", + "type": "object", + "properties": { + "uuid": { + "title": "Assessment Plan Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment plan in this or other OSCAL instances. The locally defined UUID of the assessment plan can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "metadata": { "$ref": "#assembly_oscal-metadata_metadata" }, + "import-ssp": { + "$ref": "#assembly_oscal-assessment-common_import-ssp" + }, + "local-definitions": { + "title": "Local Definitions", + "description": "Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP.", + "type": "object", + "properties": { + "components": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_system-component" + } + }, + "inventory-items": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_inventory-item" + } + }, + "users": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_system-user" + } + }, + "objectives-and-methods": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_local-objective" + } + }, + "activities": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_activity" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "additionalProperties": false + }, + "terms-and-conditions": { + "title": "Assessment Plan Terms and Conditions", + "description": "Used to define various terms and conditions under which an assessment, described by the plan, can be performed. Each child part defines a different type of term or condition.", + "type": "object", + "properties": { + "parts": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_assessment-part" + } + } + }, + "additionalProperties": false + }, + "reviewed-controls": { + "$ref": "#assembly_oscal-assessment-common_reviewed-controls" + }, + "assessment-subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_assessment-subject" + } + }, + "assessment-assets": { + "$ref": "#assembly_oscal-assessment-common_assessment-assets" + }, + "tasks": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_task" } + }, + "back-matter": { "$ref": "#assembly_oscal-metadata_back-matter" } + }, + "required": ["uuid", "metadata", "import-ssp", "reviewed-controls"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:import-ssp": { + "title": "Import System Security Plan", + "description": "Used by the assessment plan and POA&M to import information about the system.", + "$id": "#assembly_oscal-assessment-common_import-ssp", + "type": "object", + "properties": { + "href": { + "title": "System Security Plan Reference", + "description": "A resolvable URL reference to the system security plan for the system being assessed.", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["href"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:local-objective": { + "title": "Assessment-Specific Control Objective", + "description": "A local definition of a control objective for this assessment. Uses catalog syntax for control objective and assessment actions.", + "$id": "#assembly_oscal-assessment-common_local-objective", + "type": "object", + "properties": { + "control-id": { + "title": "Control Identifier Reference", + "description": "A reference to a control with a corresponding id value. When referencing an externally defined control, the Control Identifier Reference must be used in the context of the external / imported OSCAL instance (e.g., uri-reference).", + "$ref": "#/definitions/TokenDatatype" + }, + "description": { + "title": "Objective Description", + "description": "A human-readable description of this control objective.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "parts": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-control-common_part" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["control-id", "parts"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:assessment-method": { + "title": "Assessment Method", + "description": "A local definition of a control objective. Uses catalog syntax for control objective and assessment activities.", + "$id": "#assembly_oscal-assessment-common_assessment-method", + "type": "object", + "properties": { + "uuid": { + "title": "Assessment Method Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment method elsewhere in this or other OSCAL instances. The locally defined UUID of the assessment method can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "description": { + "title": "Assessment Method Description", + "description": "A human-readable description of this assessment method.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "part": { "$ref": "#assembly_oscal-assessment-common_assessment-part" }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "part"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:activity": { + "title": "Activity", + "description": "Identifies an assessment or related process that can be performed. In the assessment plan, this is an intended activity which may be associated with an assessment task. In the assessment results, this an activity that was actually performed as part of an assessment.", + "$id": "#assembly_oscal-assessment-common_activity", + "type": "object", + "properties": { + "uuid": { + "title": "Assessment Activity Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment activity elsewhere in this or other OSCAL instances. The locally defined UUID of the activity can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Included Activity Title", + "description": "The title for this included activity.", + "type": "string" + }, + "description": { + "title": "Included Activity Description", + "description": "A human-readable description of this included activity.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "steps": { + "type": "array", + "minItems": 1, + "items": { + "title": "Step", + "description": "Identifies an individual step in a series of steps related to an activity, such as an assessment test or examination procedure.", + "type": "object", + "properties": { + "uuid": { + "title": "Step Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this step elsewhere in this or other OSCAL instances. The locally defined UUID of the step (in a series of steps) can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Step Title", + "description": "The title for this step.", + "type": "string" + }, + "description": { + "title": "Step Description", + "description": "A human-readable description of this step.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "reviewed-controls": { + "$ref": "#assembly_oscal-assessment-common_reviewed-controls" + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "description"], + "additionalProperties": false + } + }, + "related-controls": { + "$ref": "#assembly_oscal-assessment-common_reviewed-controls" + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "description"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:task": { + "title": "Task", + "description": "Represents a scheduled event or milestone, which may be associated with a series of assessment actions.", + "$id": "#assembly_oscal-assessment-common_task", + "type": "object", + "properties": { + "uuid": { + "title": "Task Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this task elsewhere in this or other OSCAL instances. The locally defined UUID of the task can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "type": { + "title": "Task Type", + "description": "The type of task.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["milestone", "action"] } + ] + }, + "title": { + "title": "Task Title", + "description": "The title for this task.", + "type": "string" + }, + "description": { + "title": "Task Description", + "description": "A human-readable description of this task.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "timing": { + "title": "Event Timing", + "description": "The timing under which the task is intended to occur.", + "type": "object", + "properties": { + "on-date": { + "title": "On Date Condition", + "description": "The task is intended to occur on the specified date.", + "type": "object", + "properties": { + "date": { + "title": "On Date Condition", + "description": "The task must occur on the specified date.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + } + }, + "required": ["date"], + "additionalProperties": false + }, + "within-date-range": { + "title": "On Date Range Condition", + "description": "The task is intended to occur within the specified date range.", + "type": "object", + "properties": { + "start": { + "title": "Start Date Condition", + "description": "The task must occur on or after the specified date.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "end": { + "title": "End Date Condition", + "description": "The task must occur on or before the specified date.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + } + }, + "required": ["start", "end"], + "additionalProperties": false + }, + "at-frequency": { + "title": "Frequency Condition", + "description": "The task is intended to occur at the specified frequency.", + "type": "object", + "properties": { + "period": { + "title": "Period", + "description": "The task must occur after the specified period has elapsed.", + "$ref": "#/definitions/PositiveIntegerDatatype" + }, + "unit": { + "title": "Time Unit", + "description": "The unit of time for the period.", + "allOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { + "enum": [ + "seconds", + "minutes", + "hours", + "days", + "months", + "years" + ] + } + ] + } + }, + "required": ["period", "unit"], + "additionalProperties": false + } + }, + "additionalProperties": false + }, + "dependencies": { + "type": "array", + "minItems": 1, + "items": { + "title": "Task Dependency", + "description": "Used to indicate that a task is dependent on another task.", + "type": "object", + "properties": { + "task-uuid": { + "title": "Task Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to a unique task.", + "$ref": "#/definitions/UUIDDatatype" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["task-uuid"], + "additionalProperties": false + } + }, + "tasks": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_task" } + }, + "associated-activities": { + "type": "array", + "minItems": 1, + "items": { + "title": "Associated Activity", + "description": "Identifies an individual activity to be performed as part of a task.", + "type": "object", + "properties": { + "activity-uuid": { + "title": "Activity Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to an activity defined in the list of activities.", + "$ref": "#/definitions/UUIDDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_assessment-subject" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["activity-uuid", "subjects"], + "additionalProperties": false + } + }, + "subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_assessment-subject" + } + }, + "responsible-roles": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-role" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "type", "title"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:reviewed-controls": { + "title": "Reviewed Controls and Control Objectives", + "description": "Identifies the controls being assessed and their control objectives.", + "$id": "#assembly_oscal-assessment-common_reviewed-controls", + "type": "object", + "properties": { + "description": { + "title": "Control Objective Description", + "description": "A human-readable description of control objectives.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "control-selections": { + "type": "array", + "minItems": 1, + "items": { + "title": "Assessed Controls", + "description": "Identifies the controls being assessed. In the assessment plan, these are the planned controls. In the assessment results, these are the actual controls, and reflects any changes from the plan.", + "type": "object", + "properties": { + "description": { + "title": "Assessed Controls Description", + "description": "A human-readable description of in-scope controls specified for assessment.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "include-all": { + "$ref": "#assembly_oscal-control-common_include-all" + }, + "include-controls": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_select-control-by-id" + } + }, + "exclude-controls": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_select-control-by-id" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "additionalProperties": false + } + }, + "control-objective-selections": { + "type": "array", + "minItems": 1, + "items": { + "title": "Referenced Control Objectives", + "description": "Identifies the control objectives of the assessment. In the assessment plan, these are the planned objectives. In the assessment results, these are the assessed objectives, and reflects any changes from the plan.", + "type": "object", + "properties": { + "description": { + "title": "Control Objectives Description", + "description": "A human-readable description of this collection of control objectives.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "include-all": { + "$ref": "#assembly_oscal-control-common_include-all" + }, + "include-objectives": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_select-objective-by-id" + } + }, + "exclude-objectives": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_select-objective-by-id" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "additionalProperties": false + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["control-selections"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:select-control-by-id": { + "title": "Select Control", + "description": "Used to select a control for inclusion/exclusion based on one or more control identifiers. A set of statement identifiers can be used to target the inclusion/exclusion to only specific control statements providing more granularity over the specific statements that are within the asessment scope.", + "$id": "#assembly_oscal-assessment-common_select-control-by-id", + "type": "object", + "properties": { + "control-id": { + "title": "Control Identifier Reference", + "description": "A reference to a control with a corresponding id value. When referencing an externally defined control, the Control Identifier Reference must be used in the context of the external / imported OSCAL instance (e.g., uri-reference).", + "$ref": "#/definitions/TokenDatatype" + }, + "statement-ids": { + "type": "array", + "minItems": 1, + "items": { + "title": "Include Specific Statements", + "description": "Used to constrain the selection to only specificity identified statements.", + "$ref": "#/definitions/TokenDatatype" + } + } + }, + "required": ["control-id"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:select-objective-by-id": { + "title": "Select Objective", + "description": "Used to select a control objective for inclusion/exclusion based on the control objective's identifier.", + "$id": "#assembly_oscal-assessment-common_select-objective-by-id", + "type": "object", + "properties": { + "objective-id": { + "title": "Objective ID", + "description": "Points to an assessment objective.", + "$ref": "#/definitions/TokenDatatype" + } + }, + "required": ["objective-id"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:assessment-subject-placeholder": { + "title": "Assessment Subject Placeholder", + "description": "Used when the assessment subjects will be determined as part of one or more other assessment activities. These assessment subjects will be recorded in the assessment results in the assessment log.", + "$id": "#assembly_oscal-assessment-common_assessment-subject-placeholder", + "type": "object", + "properties": { + "uuid": { + "title": "Assessment Subject Placeholder Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier for a set of assessment subjects that will be identified by a task or an activity that is part of a task. The locally defined UUID of the assessment subject placeholder can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "description": { + "title": "Assessment Subject Placeholder Description", + "description": "A human-readable description of intent of this assessment subject placeholder.", + "type": "string" + }, + "sources": { + "type": "array", + "minItems": 1, + "items": { + "title": "Assessment Subject Source", + "description": "Assessment subjects will be identified while conducting the referenced activity-instance.", + "type": "object", + "properties": { + "task-uuid": { + "title": "Task Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference (in this or other OSCAL instances) an assessment activity to be performed as part of the event. The locally defined UUID of the task can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + } + }, + "required": ["task-uuid"], + "additionalProperties": false + } + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "sources"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:assessment-subject": { + "title": "Subject of Assessment", + "description": "Identifies system elements being assessed, such as components, inventory items, and locations. In the assessment plan, this identifies a planned assessment subject. In the assessment results this is an actual assessment subject, and reflects any changes from the plan. exactly what will be the focus of this assessment. Any subjects not identified in this way are out-of-scope.", + "$id": "#assembly_oscal-assessment-common_assessment-subject", + "type": "object", + "properties": { + "type": { + "title": "Subject Type", + "description": "Indicates the type of assessment subject, such as a component, inventory, item, location, or party represented by this selection statement.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { + "enum": [ + "component", + "inventory-item", + "location", + "party", + "user" + ] + } + ] + }, + "description": { + "title": "Include Subjects Description", + "description": "A human-readable description of the collection of subjects being included in this assessment.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "include-all": { "$ref": "#assembly_oscal-control-common_include-all" }, + "include-subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_select-subject-by-id" + } + }, + "exclude-subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_select-subject-by-id" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["type"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:select-subject-by-id": { + "title": "Select Assessment Subject", + "description": "Identifies a set of assessment subjects to include/exclude by UUID.", + "$id": "#assembly_oscal-assessment-common_select-subject-by-id", + "type": "object", + "properties": { + "subject-uuid": { + "title": "Subject Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to a component, inventory-item, location, party, user, or resource using it's UUID.", + "$ref": "#/definitions/UUIDDatatype" + }, + "type": { + "title": "Subject Universally Unique Identifier Reference Type", + "description": "Used to indicate the type of object pointed to by the uuid-ref within a subject.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { + "enum": [ + "component", + "inventory-item", + "location", + "party", + "user", + "resource" + ] + } + ] + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["subject-uuid", "type"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:subject-reference": { + "title": "Identifies the Subject", + "description": "A human-oriented identifier reference to a resource. Use type to indicate whether the identified resource is a component, inventory item, location, user, or something else.", + "$id": "#assembly_oscal-assessment-common_subject-reference", + "type": "object", + "properties": { + "subject-uuid": { + "title": "Subject Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to a component, inventory-item, location, party, user, or resource using it's UUID.", + "$ref": "#/definitions/UUIDDatatype" + }, + "type": { + "title": "Subject Universally Unique Identifier Reference Type", + "description": "Used to indicate the type of object pointed to by the uuid-ref within a subject.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { + "enum": [ + "component", + "inventory-item", + "location", + "party", + "user", + "resource" + ] + } + ] + }, + "title": { + "title": "Subject Reference Title", + "description": "The title or name for the referenced subject.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["subject-uuid", "type"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:assessment-assets": { + "title": "Assessment Assets", + "description": "Identifies the assets used to perform this assessment, such as the assessment team, scanning tools, and assumptions.", + "$id": "#assembly_oscal-assessment-common_assessment-assets", + "type": "object", + "properties": { + "components": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_system-component" + } + }, + "assessment-platforms": { + "type": "array", + "minItems": 1, + "items": { + "title": "Assessment Platform", + "description": "Used to represent the toolset used to perform aspects of the assessment.", + "type": "object", + "properties": { + "uuid": { + "title": "Assessment Platform Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment platform elsewhere in this or other OSCAL instances. The locally defined UUID of the assessment platform can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Assessment Platform Title", + "description": "The title or name for the assessment platform.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "uses-components": { + "type": "array", + "minItems": 1, + "items": { + "title": "Uses Component", + "description": "The set of components that are used by the assessment platform.", + "type": "object", + "properties": { + "component-uuid": { + "title": "Component Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to a component that is implemented as part of an inventory item.", + "$ref": "#/definitions/UUIDDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-metadata_responsible-party" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["component-uuid"], + "additionalProperties": false + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid"], + "additionalProperties": false + } + } + }, + "required": ["assessment-platforms"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:finding-target": { + "title": "Objective Status", + "description": "Captures an assessor's conclusions regarding the degree to which an objective is satisfied.", + "$id": "#assembly_oscal-assessment-common_finding-target", + "type": "object", + "properties": { + "type": { + "title": "Finding Target Type", + "description": "Identifies the type of the target.", + "allOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { "enum": ["statement-id", "objective-id"] } + ] + }, + "target-id": { + "title": "Finding Target Identifier Reference", + "description": "A machine-oriented identifier reference for a specific target qualified by the type.", + "$ref": "#/definitions/TokenDatatype" + }, + "title": { + "title": "Objective Status Title", + "description": "The title for this objective status.", + "type": "string" + }, + "description": { + "title": "Objective Status Description", + "description": "A human-readable description of the assessor's conclusions regarding the degree to which an objective is satisfied.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "status": { + "title": "Objective Status", + "description": "A determination of if the objective is satisfied or not within a given system.", + "type": "object", + "properties": { + "state": { + "title": "Objective Status State", + "description": "An indication as to whether the objective is satisfied or not.", + "allOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["satisfied", "not-satisfied"] } + ] + }, + "reason": { + "title": "Objective Status Reason", + "description": "The reason the objective was given it's status.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["pass", "fail", "other"] } + ] + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["state"], + "additionalProperties": false + }, + "implementation-status": { + "$ref": "#assembly_oscal-implementation-common_implementation-status" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["type", "target-id", "status"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:finding": { + "title": "Finding", + "description": "Describes an individual finding.", + "$id": "#assembly_oscal-assessment-common_finding", + "type": "object", + "properties": { + "uuid": { + "title": "Finding Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this finding in this or other OSCAL instances. The locally defined UUID of the finding can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Finding Title", + "description": "The title for this finding.", + "type": "string" + }, + "description": { + "title": "Finding Description", + "description": "A human-readable description of this finding.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "origins": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_origin" } + }, + "target": { + "$ref": "#assembly_oscal-assessment-common_finding-target" + }, + "implementation-statement-uuid": { + "title": "Implementation Statement UUID", + "description": "A machine-oriented identifier reference to the implementation statement in the SSP to which this finding is related.", + "$ref": "#/definitions/UUIDDatatype" + }, + "related-observations": { + "type": "array", + "minItems": 1, + "items": { + "title": "Related Observation", + "description": "Relates the finding to a set of referenced observations that were used to determine the finding.", + "type": "object", + "properties": { + "observation-uuid": { + "title": "Observation Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to an observation defined in the list of observations.", + "$ref": "#/definitions/UUIDDatatype" + } + }, + "required": ["observation-uuid"], + "additionalProperties": false + } + }, + "related-risks": { + "type": "array", + "minItems": 1, + "items": { + "title": "Associated Risk", + "description": "Relates the finding to a set of referenced risks that were used to determine the finding.", + "type": "object", + "properties": { + "risk-uuid": { + "title": "Risk Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to a risk defined in the list of risks.", + "$ref": "#/definitions/UUIDDatatype" + } + }, + "required": ["risk-uuid"], + "additionalProperties": false + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "title", "description", "target"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:observation": { + "title": "Observation", + "description": "Describes an individual observation.", + "$id": "#assembly_oscal-assessment-common_observation", + "type": "object", + "properties": { + "uuid": { + "title": "Observation Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this observation elsewhere in this or other OSCAL instances. The locally defined UUID of the observation can be used to reference the data item locally or globally (e.g., in an imorted OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Observation Title", + "description": "The title for this observation.", + "type": "string" + }, + "description": { + "title": "Observation Description", + "description": "A human-readable description of this assessment observation.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "methods": { + "type": "array", + "minItems": 1, + "items": { + "title": "Observation Method", + "description": "Identifies how the observation was made.", + "anyOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { "enum": ["EXAMINE", "INTERVIEW", "TEST", "UNKNOWN"] } + ] + } + }, + "types": { + "type": "array", + "minItems": 1, + "items": { + "title": "Observation Type", + "description": "Identifies the nature of the observation. More than one may be used to further qualify and enable filtering.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { + "enum": [ + "ssp-statement-issue", + "control-objective", + "mitigation", + "finding", + "historic" + ] + } + ] + } + }, + "origins": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_origin" } + }, + "subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_subject-reference" + } + }, + "relevant-evidence": { + "type": "array", + "minItems": 1, + "items": { + "title": "Relevant Evidence", + "description": "Links this observation to relevant evidence.", + "type": "object", + "properties": { + "href": { + "title": "Relevant Evidence Reference", + "description": "A resolvable URL reference to relevant evidence.", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "description": { + "title": "Relevant Evidence Description", + "description": "A human-readable description of this evidence.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["description"], + "additionalProperties": false + } + }, + "collected": { + "title": "Collected Field", + "description": "Date/time stamp identifying when the finding information was collected.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "expires": { + "title": "Expires Field", + "description": "Date/time identifying when the finding information is out-of-date and no longer valid. Typically used with continuous assessment scenarios.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "description", "methods", "collected"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:origin": { + "title": "Origin", + "description": "Identifies the source of the finding, such as a tool, interviewed person, or activity.", + "$id": "#assembly_oscal-assessment-common_origin", + "type": "object", + "properties": { + "actors": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_origin-actor" } + }, + "related-tasks": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_related-task" } + } + }, + "required": ["actors"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:origin-actor": { + "title": "Originating Actor", + "description": "The actor that produces an observation, a finding, or a risk. One or more actor type can be used to specify a person that is using a tool.", + "$id": "#assembly_oscal-assessment-common_origin-actor", + "type": "object", + "properties": { + "type": { + "title": "Actor Type", + "description": "The kind of actor.", + "allOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["tool", "assessment-platform", "party"] } + ] + }, + "actor-uuid": { + "title": "Actor Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to the tool or person based on the associated type.", + "$ref": "#/definitions/UUIDDatatype" + }, + "role-id": { + "title": "Actor Role", + "description": "For a party, this can optionally be used to specify the role the actor was performing.", + "$ref": "#/definitions/TokenDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + } + }, + "required": ["type", "actor-uuid"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:related-task": { + "title": "Task Reference", + "description": "Identifies an individual task for which the containing object is a consequence of.", + "$id": "#assembly_oscal-assessment-common_related-task", + "type": "object", + "properties": { + "task-uuid": { + "title": "Task Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to a unique task.", + "$ref": "#/definitions/UUIDDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_responsible-party" } + }, + "subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_assessment-subject" + } + }, + "identified-subject": { + "title": "Identified Subject", + "description": "Used to detail assessment subjects that were identfied by this task.", + "type": "object", + "properties": { + "subject-placeholder-uuid": { + "title": "Assessment Subject Placeholder Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to a unique assessment subject placeholder defined by this task.", + "$ref": "#/definitions/UUIDDatatype" + }, + "subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_assessment-subject" + } + } + }, + "required": ["subject-placeholder-uuid", "subjects"], + "additionalProperties": false + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["task-uuid"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:threat-id": { + "title": "Threat ID", + "description": "A pointer, by ID, to an externally-defined threat.", + "$id": "#field_oscal-assessment-common_threat-id", + "type": "object", + "properties": { + "system": { + "title": "Threat Type Identification System", + "description": "Specifies the source of the threat information.", + "anyOf": [ + { "$ref": "#/definitions/URIDatatype" }, + + { "enum": ["http://fedramp.gov", "http://fedramp.gov/ns/oscal"] } + ] + }, + "href": { + "title": "Threat Information Resource Reference", + "description": "An optional location for the threat data, from which this ID originates.", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "id": { "$ref": "#/definitions/URIDatatype" } + }, + "required": ["id", "system"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:risk": { + "title": "Identified Risk", + "description": "An identified risk.", + "$id": "#assembly_oscal-assessment-common_risk", + "type": "object", + "properties": { + "uuid": { + "title": "Risk Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this risk elsewhere in this or other OSCAL instances. The locally defined UUID of the risk can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Risk Title", + "description": "The title for this risk.", + "type": "string" + }, + "description": { + "title": "Risk Description", + "description": "A human-readable summary of the identified risk, to include a statement of how the risk impacts the system.", + "type": "string" + }, + "statement": { + "title": "Risk Statement", + "description": "An summary of impact for how the risk affects the system.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "status": { "$ref": "#field_oscal-assessment-common_risk-status" }, + "origins": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_origin" } + }, + "threat-ids": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#field_oscal-assessment-common_threat-id" } + }, + "characterizations": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_characterization" + } + }, + "mitigating-factors": { + "type": "array", + "minItems": 1, + "items": { + "title": "Mitigating Factor", + "description": "Describes an existing mitigating factor that may affect the overall determination of the risk, with an optional link to an implementation statement in the SSP.", + "type": "object", + "properties": { + "uuid": { + "title": "Mitigating Factor Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this mitigating factor elsewhere in this or other OSCAL instances. The locally defined UUID of the mitigating factor can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "implementation-uuid": { + "title": "Implementation UUID", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this implementation statement elsewhere in this or other OSCAL instancess. The locally defined UUID of the implementation statement can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "description": { + "title": "Mitigating Factor Description", + "description": "A human-readable description of this mitigating factor.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_subject-reference" + } + } + }, + "required": ["uuid", "description"], + "additionalProperties": false + } + }, + "deadline": { + "title": "Risk Resolution Deadline", + "description": "The date/time by which the risk must be resolved.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "remediations": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_response" } + }, + "risk-log": { + "title": "Risk Log", + "description": "A log of all risk-related tasks taken.", + "type": "object", + "properties": { + "entries": { + "type": "array", + "minItems": 1, + "items": { + "title": "Risk Log Entry", + "description": "Identifies an individual risk response that occurred as part of managing an identified risk.", + "type": "object", + "properties": { + "uuid": { + "title": "Risk Log Entry Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this risk log entry elsewhere in this or other OSCAL instances. The locally defined UUID of the risk log entry can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Title", + "description": "The title for this risk log entry.", + "type": "string" + }, + "description": { + "title": "Risk Task Description", + "description": "A human-readable description of what was done regarding the risk.", + "type": "string" + }, + "start": { + "title": "Start", + "description": "Identifies the start date and time of the event.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "end": { + "title": "End", + "description": "Identifies the end date and time of the event. If the event is a point in time, the start and end will be the same date and time.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "logged-by": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_logged-by" + } + }, + "status-change": { + "$ref": "#field_oscal-assessment-common_risk-status" + }, + "related-responses": { + "type": "array", + "minItems": 1, + "items": { + "title": "Risk Response Reference", + "description": "Identifies an individual risk response that this log entry is for.", + "type": "object", + "properties": { + "response-uuid": { + "title": "Response Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to a unique risk response.", + "$ref": "#/definitions/UUIDDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-metadata_property" + } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "related-tasks": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_related-task" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["response-uuid"], + "additionalProperties": false + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "start"], + "additionalProperties": false + } + } + }, + "required": ["entries"], + "additionalProperties": false + }, + "related-observations": { + "type": "array", + "minItems": 1, + "items": { + "title": "Related Observation", + "description": "Relates the finding to a set of referenced observations that were used to determine the finding.", + "type": "object", + "properties": { + "observation-uuid": { + "title": "Observation Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to an observation defined in the list of observations.", + "$ref": "#/definitions/UUIDDatatype" + } + }, + "required": ["observation-uuid"], + "additionalProperties": false + } + } + }, + "required": ["uuid", "title", "description", "statement", "status"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:logged-by": { + "title": "Logged By", + "description": "Used to indicate who created a log entry in what role.", + "$id": "#assembly_oscal-assessment-common_logged-by", + "type": "object", + "properties": { + "party-uuid": { + "title": "Party UUID Reference", + "description": "A machine-oriented identifier reference to the party who is making the log entry.", + "$ref": "#/definitions/UUIDDatatype" + }, + "role-id": { + "title": "Actor Role", + "description": "A point to the role-id of the role in which the party is making the log entry.", + "$ref": "#/definitions/TokenDatatype" + } + }, + "required": ["party-uuid"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:risk-status": { + "title": "Risk Status", + "description": "Describes the status of the associated risk.", + "$id": "#field_oscal-assessment-common_risk-status", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { + "enum": [ + "open", + "investigating", + "remediating", + "deviation-requested", + "deviation-approved", + "closed" + ] + } + ] + }, + "oscal-complete-oscal-assessment-common:characterization": { + "title": "Characterization", + "description": "A collection of descriptive data about the containing object from a specific origin.", + "$id": "#assembly_oscal-assessment-common_characterization", + "type": "object", + "properties": { + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "origin": { "$ref": "#assembly_oscal-assessment-common_origin" }, + "facets": { + "type": "array", + "minItems": 1, + "items": { + "title": "Facet", + "description": "An individual characteristic that is part of a larger set produced by the same actor.", + "type": "object", + "properties": { + "name": { + "title": "Facet Name", + "description": "The name of the risk metric within the specified system.", + "$ref": "#/definitions/TokenDatatype" + }, + "system": { + "title": "Naming System", + "description": "Specifies the naming system under which this risk metric is organized, which allows for the same names to be used in different systems controlled by different parties. This avoids the potential of a name clash.", + "anyOf": [ + { "$ref": "#/definitions/URIDatatype" }, + + { + "enum": [ + "http://fedramp.gov", + "http://fedramp.gov/ns/oscal", + "http://csrc.nist.gov/ns/oscal", + "http://csrc.nist.gov/ns/oscal/unknown", + "http://cve.mitre.org", + "http://www.first.org/cvss/v2.0", + "http://www.first.org/cvss/v3.0", + "http://www.first.org/cvss/v3.1" + ] + } + ] + }, + "value": { + "title": "Facet Value", + "description": "Indicates the value of the facet.", + "$ref": "#/definitions/StringDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["name", "system", "value"], + "additionalProperties": false + } + } + }, + "required": ["origin", "facets"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:response": { + "title": "Risk Response", + "description": "Describes either recommended or an actual plan for addressing the risk.", + "$id": "#assembly_oscal-assessment-common_response", + "type": "object", + "properties": { + "uuid": { + "title": "Remediation Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this remediation elsewhere in this or other OSCAL instances. The locally defined UUID of the risk response can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "lifecycle": { + "title": "Remediation Intent", + "description": "Identifies whether this is a recommendation, such as from an assessor or tool, or an actual plan accepted by the system owner.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["recommendation", "planned", "completed"] } + ] + }, + "title": { + "title": "Response Title", + "description": "The title for this response activity.", + "type": "string" + }, + "description": { + "title": "Response Description", + "description": "A human-readable description of this response plan.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "origins": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_origin" } + }, + "required-assets": { + "type": "array", + "minItems": 1, + "items": { + "title": "Required Asset", + "description": "Identifies an asset required to achieve remediation.", + "type": "object", + "properties": { + "uuid": { + "title": "Required Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this required asset elsewhere in this or other OSCAL instances. The locally defined UUID of the asset can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "subjects": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_subject-reference" + } + }, + "title": { + "title": "Title for Required Asset", + "description": "The title for this required asset.", + "type": "string" + }, + "description": { + "title": "Description of Required Asset", + "description": "A human-readable description of this required asset.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "description"], + "additionalProperties": false + } + }, + "tasks": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_task" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "lifecycle", "title", "description"], + "additionalProperties": false + }, + "oscal-complete-oscal-assessment-common:assessment-part": { + "title": "Assessment Part", + "description": "A partition of an assessment plan or results or a child of another part.", + "$id": "#assembly_oscal-assessment-common_assessment-part", + "type": "object", + "properties": { + "uuid": { + "title": "Part Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this part elsewhere in this or other OSCAL instances. The locally defined UUID of the part can be used to reference the data item locally or globally (e.g., in an ported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "name": { + "title": "Part Name", + "description": "A textual label that uniquely identifies the part's semantic type.", + "anyOf": [ + { "$ref": "#/definitions/TokenDatatype" }, + + { "enum": ["asset", "method", "objective"] } + ] + }, + "ns": { + "title": "Part Namespace", + "description": "A namespace qualifying the part's name. This allows different organizations to associate distinct semantics with the same name.", + "$ref": "#/definitions/URIDatatype" + }, + "class": { + "title": "Part Class", + "description": "A textual label that provides a sub-type or characterization of the part's name. This can be used to further distinguish or discriminate between the semantics of multiple parts of the same control with the same name and ns.", + "$ref": "#/definitions/TokenDatatype" + }, + "title": { + "title": "Part Title", + "description": "A name given to the part, which may be used by a tool for display and navigation.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "prose": { + "title": "Part Text", + "description": "Permits multiple paragraphs, lists, tables etc.", + "type": "string" + }, + "parts": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_assessment-part" + } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + } + }, + "required": ["name"], + "additionalProperties": false + }, + "oscal-complete-oscal-ar:assessment-results": { + "title": "Security Assessment Results (SAR)", + "description": "Security assessment results, such as those provided by a FedRAMP assessor in the FedRAMP Security Assessment Report.", + "$id": "#assembly_oscal-ar_assessment-results", + "type": "object", + "properties": { + "uuid": { + "title": "Assessment Results Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this assessment results instance in this or other OSCAL instances. The locally defined UUID of the assessment result can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "metadata": { "$ref": "#assembly_oscal-metadata_metadata" }, + "import-ap": { "$ref": "#assembly_oscal-ar_import-ap" }, + "local-definitions": { + "title": "Local Definitions", + "description": "Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP.", + "type": "object", + "properties": { + "objectives-and-methods": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_local-objective" + } + }, + "activities": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_activity" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "additionalProperties": false + }, + "results": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-ar_result" } + }, + "back-matter": { "$ref": "#assembly_oscal-metadata_back-matter" } + }, + "required": ["uuid", "metadata", "import-ap", "results"], + "additionalProperties": false + }, + "oscal-complete-oscal-ar:result": { + "title": "Assessment Result", + "description": "Used by the assessment results and POA&M. In the assessment results, this identifies all of the assessment observations and findings, initial and residual risks, deviations, and disposition. In the POA&M, this identifies initial and residual risks, deviations, and disposition.", + "$id": "#assembly_oscal-ar_result", + "type": "object", + "properties": { + "uuid": { + "title": "Results Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference this set of results in this or other OSCAL instances. The locally defined UUID of the assessment result can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Results Title", + "description": "The title for this set of results.", + "type": "string" + }, + "description": { + "title": "Results Description", + "description": "A human-readable description of this set of test results.", + "type": "string" + }, + "start": { + "title": "start field", + "description": "Date/time stamp identifying the start of the evidence collection reflected in these results.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "end": { + "title": "end field", + "description": "Date/time stamp identifying the end of the evidence collection reflected in these results. In a continuous motoring scenario, this may contain the same value as start if appropriate.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "local-definitions": { + "title": "Local Definitions", + "description": "Used to define data objects that are used in the assessment plan, that do not appear in the referenced SSP.", + "type": "object", + "properties": { + "components": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_system-component" + } + }, + "inventory-items": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_inventory-item" + } + }, + "users": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_system-user" + } + }, + "assessment-assets": { + "$ref": "#assembly_oscal-assessment-common_assessment-assets" + }, + "tasks": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_task" } + } + }, + "additionalProperties": false + }, + "reviewed-controls": { + "$ref": "#assembly_oscal-assessment-common_reviewed-controls" + }, + "attestations": { + "type": "array", + "minItems": 1, + "items": { + "title": "Attestation Statements", + "description": "A set of textual statements, typically written by the assessor.", + "type": "object", + "properties": { + "responsible-parties": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-metadata_responsible-party" + } + }, + "parts": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_assessment-part" + } + } + }, + "required": ["parts"], + "additionalProperties": false + } + }, + "assessment-log": { + "title": "Assessment Log", + "description": "A log of all assessment-related actions taken.", + "type": "object", + "properties": { + "entries": { + "type": "array", + "minItems": 1, + "items": { + "title": "Assessment Log Entry", + "description": "Identifies the result of an action and/or task that occurred as part of executing an assessment plan or an assessment event that occurred in producing the assessment results.", + "type": "object", + "properties": { + "uuid": { + "title": "Assessment Log Entry Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with cross-instance scope that can be used to reference an assessment event in this or other OSCAL instances. The locally defined UUID of the assessment log entry can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "Action Title", + "description": "The title for this event.", + "type": "string" + }, + "description": { + "title": "Action Description", + "description": "A human-readable description of this event.", + "type": "string" + }, + "start": { + "title": "Start", + "description": "Identifies the start date and time of an event.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "end": { + "title": "End", + "description": "Identifies the end date and time of an event. If the event is a point in time, the start and end will be the same date and time.", + "$ref": "#/definitions/DateTimeWithTimezoneDatatype" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "logged-by": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_logged-by" + } + }, + "related-tasks": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_related-task" + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["uuid", "start"], + "additionalProperties": false + } + } + }, + "required": ["entries"], + "additionalProperties": false + }, + "observations": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_observation" } + }, + "risks": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_risk" } + }, + "findings": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_finding" } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": [ + "uuid", + "title", + "description", + "start", + "reviewed-controls" + ], + "additionalProperties": false + }, + "oscal-complete-oscal-ar:import-ap": { + "title": "Import Assessment Plan", + "description": "Used by assessment-results to import information about the original plan for assessing the system.", + "$id": "#assembly_oscal-ar_import-ap", + "type": "object", + "properties": { + "href": { + "title": "Assessment Plan Reference", + "description": "A resolvable URL reference to the assessment plan governing the assessment activities.", + "$ref": "#/definitions/URIReferenceDatatype" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["href"], + "additionalProperties": false + }, + "oscal-complete-oscal-poam:plan-of-action-and-milestones": { + "title": "Plan of Action and Milestones (POA&M)", + "description": "A plan of action and milestones which identifies initial and residual risks, deviations, and disposition, such as those required by FedRAMP.", + "$id": "#assembly_oscal-poam_plan-of-action-and-milestones", + "type": "object", + "properties": { + "uuid": { + "title": "POA&M Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with instancescope that can be used to reference this POA&M instance in this OSCAL instance. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "metadata": { "$ref": "#assembly_oscal-metadata_metadata" }, + "import-ssp": { + "$ref": "#assembly_oscal-assessment-common_import-ssp" + }, + "system-id": { "$ref": "#field_oscal-implementation-common_system-id" }, + "local-definitions": { + "$ref": "#assembly_oscal-poam_local-definitions" + }, + "observations": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_observation" } + }, + "risks": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_risk" } + }, + "findings": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-assessment-common_finding" } + }, + "poam-items": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-poam_poam-item" } + }, + "back-matter": { "$ref": "#assembly_oscal-metadata_back-matter" } + }, + "required": ["uuid", "metadata", "poam-items"], + "additionalProperties": false + }, + "oscal-complete-oscal-poam:local-definitions": { + "title": "Local Definitions", + "description": "Allows components, and inventory-items to be defined within the POA&M for circumstances where no OSCAL-based SSP exists, or is not delivered with the POA&M.", + "$id": "#assembly_oscal-poam_local-definitions", + "type": "object", + "properties": { + "components": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_system-component" + } + }, + "inventory-items": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-implementation-common_inventory-item" + } + }, + "assessment-assets": { + "$ref": "#assembly_oscal-assessment-common_assessment-assets" + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "additionalProperties": false + }, + "oscal-complete-oscal-poam:poam-item": { + "title": "POA&M Item", + "description": "Describes an individual POA&M item.", + "$id": "#assembly_oscal-poam_poam-item", + "type": "object", + "properties": { + "uuid": { + "title": "POA&M Item Universally Unique Identifier", + "description": "A machine-oriented, globally unique identifier with instance scope that can be used to reference this POA&M item entry in this OSCAL instance. This UUID should be assigned per-subject, which means it should be consistently used to identify the same subject across revisions of the document.", + "$ref": "#/definitions/UUIDDatatype" + }, + "title": { + "title": "POA&M Item Title", + "description": "The title or name for this POA&M item .", + "type": "string" + }, + "description": { + "title": "POA&M Item Description", + "description": "A human-readable description of POA&M item.", + "type": "string" + }, + "props": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_property" } + }, + "links": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#assembly_oscal-metadata_link" } + }, + "origins": { + "type": "array", + "minItems": 1, + "items": { + "title": "Origin", + "description": "Identifies the source of the finding, such as a tool or person.", + "type": "object", + "properties": { + "actors": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#assembly_oscal-assessment-common_origin-actor" + } + } + }, + "required": ["actors"], + "additionalProperties": false + } + }, + "related-findings": { + "type": "array", + "minItems": 1, + "items": { + "title": "Related Finding", + "description": "Relates the poam-item to referenced finding(s).", + "type": "object", + "properties": { + "finding-uuid": { + "title": "Finding Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to a finding defined in the list of findings.", + "$ref": "#/definitions/UUIDDatatype" + } + }, + "required": ["finding-uuid"], + "additionalProperties": false + } + }, + "related-observations": { + "type": "array", + "minItems": 1, + "items": { + "title": "Related Observation", + "description": "Relates the poam-item to a set of referenced observations that were used to determine the finding.", + "type": "object", + "properties": { + "observation-uuid": { + "title": "Observation Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to an observation defined in the list of observations.", + "$ref": "#/definitions/UUIDDatatype" + } + }, + "required": ["observation-uuid"], + "additionalProperties": false + } + }, + "related-risks": { + "type": "array", + "minItems": 1, + "items": { + "title": "Associated Risk", + "description": "Relates the finding to a set of referenced risks that were used to determine the finding.", + "type": "object", + "properties": { + "risk-uuid": { + "title": "Risk Universally Unique Identifier Reference", + "description": "A machine-oriented identifier reference to a risk defined in the list of risks.", + "$ref": "#/definitions/UUIDDatatype" + } + }, + "required": ["risk-uuid"], + "additionalProperties": false + } + }, + "remarks": { "$ref": "#field_oscal-metadata_remarks" } + }, + "required": ["title", "description"], + "additionalProperties": false + }, + "Base64Datatype": { + "description": "Binary data encoded using the Base 64 encoding algorithm as defined by RFC4648.", + "type": "string", + "pattern": "^[0-9A-Za-z+/]+={0,2}$", + "contentEncoding": "base64" + }, + "BooleanDatatype": { + "description": "A binary value that is either: true or false.", + "type": "boolean" + }, + "DateDatatype": { + "description": "A string representing a 24-hour period with an optional timezone.", + "type": "string", + "pattern": "^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))(Z|(-((0[0-9]|1[0-2]):00|0[39]:30)|\\+((0[0-9]|1[0-4]):00|(0[34569]|10):30|(0[58]|12):45)))?$" + }, + "DateTimeWithTimezoneDatatype": { + "description": "A string representing a point in time with a required timezone.", + "type": "string", + "format": "date-time", + "pattern": "^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|(-((0[0-9]|1[0-2]):00|0[39]:30)|\\+((0[0-9]|1[0-4]):00|(0[34569]|10):30|(0[58]|12):45)))$" + }, + "EmailAddressDatatype": { + "description": "An email address string formatted according to RFC 6531.", + "allOf": [ + { "$ref": "#/definitions/StringDatatype" }, + + { "type": "string", "format": "email", "pattern": "^.+@.+$" } + ] + }, + "IntegerDatatype": { + "description": "A whole number value.", + "type": "integer" + }, + "NonNegativeIntegerDatatype": { + "description": "An integer value that is equal to or greater than 0.", + "allOf": [ + { "$ref": "#/definitions/IntegerDatatype" }, + + { "type": "number", "minimum": 0 } + ] + }, + "PositiveIntegerDatatype": { + "description": "An integer value that is greater than 0.", + "allOf": [ + { "$ref": "#/definitions/IntegerDatatype" }, + + { "type": "number", "minimum": 1 } + ] + }, + "StringDatatype": { + "description": "A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, U+10, U+32 or [ \n\t]+", + "type": "string", + "pattern": "^\\S(.*\\S)?$" + }, + "TokenDatatype": { + "description": "A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. https://www.w3.org/TR/xmlschema11-2/#NCName.", + "type": "string", + "pattern": "^(\\p{L}|_)(\\p{L}|\\p{N}|[.\\-_])*$" + }, + "URIDatatype": { + "description": "A universal resource identifier (URI) formatted according to RFC3986.", + "type": "string", + "format": "uri", + "pattern": "^[a-zA-Z][a-zA-Z0-9+\\-.]+:.+$" + }, + "URIReferenceDatatype": { + "description": "A URI Reference, either a URI or a relative-reference, formatted according to section 4.1 of RFC3986.", + "type": "string", + "format": "uri-reference" + }, + "UUIDDatatype": { + "description": "A type 4 ('random' or 'pseudorandom') or type 5 UUID per RFC 4122.", + "type": "string", + "pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$" + } + }, + "oneOf": [ + { + "properties": { + "$schema": { "$ref": "#json-schema-directive" }, + "catalog": { "$ref": "#assembly_oscal-catalog_catalog" } + }, + "required": ["catalog"], + "additionalProperties": false + }, + + { + "properties": { + "$schema": { "$ref": "#json-schema-directive" }, + "profile": { "$ref": "#assembly_oscal-profile_profile" } + }, + "required": ["profile"], + "additionalProperties": false + }, + + { + "properties": { + "$schema": { "$ref": "#json-schema-directive" }, + "component-definition": { + "$ref": "#assembly_oscal-component-definition_component-definition" + } + }, + "required": ["component-definition"], + "additionalProperties": false + }, + + { + "properties": { + "$schema": { "$ref": "#json-schema-directive" }, + "system-security-plan": { + "$ref": "#assembly_oscal-ssp_system-security-plan" + } + }, + "required": ["system-security-plan"], + "additionalProperties": false + }, + + { + "properties": { + "$schema": { "$ref": "#json-schema-directive" }, + "assessment-plan": { "$ref": "#assembly_oscal-ap_assessment-plan" } + }, + "required": ["assessment-plan"], + "additionalProperties": false + }, + + { + "properties": { + "$schema": { "$ref": "#json-schema-directive" }, + "assessment-results": { + "$ref": "#assembly_oscal-ar_assessment-results" + } + }, + "required": ["assessment-results"], + "additionalProperties": false + }, + + { + "properties": { + "$schema": { "$ref": "#json-schema-directive" }, + "plan-of-action-and-milestones": { + "$ref": "#assembly_oscal-poam_plan-of-action-and-milestones" + } + }, + "required": ["plan-of-action-and-milestones"], + "additionalProperties": false + } + ] +} diff --git a/roscal_lib/jsonschema/tracking_latest_unified/loc b/roscal_lib/jsonschema/tracking_latest_unified/loc new file mode 100644 index 0000000..66d4048 --- /dev/null +++ b/roscal_lib/jsonschema/tracking_latest_unified/loc @@ -0,0 +1 @@ +https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_complete_schema.json \ No newline at end of file diff --git a/roscal_lib/src/assessment/assessment_plan.rs b/roscal_lib/src/assessment/assessment_plan.rs new file mode 100644 index 0000000..8c29786 --- /dev/null +++ b/roscal_lib/src/assessment/assessment_plan.rs @@ -0,0 +1,2136 @@ +use derivative::Derivative; +use strum::EnumString; +use derive_builder::Builder; +use serde::{Serialize, Deserialize}; +use crate::validation; + +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct AssessmentPlan { + #[serde(rename = "$schema")] + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub schema: Option, + pub assessment_plan: SecurityAssessmentPlanSap, +} + +/// An assessment plan, such as those provided by a FedRAMP assessor. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct SecurityAssessmentPlanSap { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub assessment_assets: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub assessment_subjects: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub back_matter: Option, + pub import_ssp: ImportSystemSecurityPlan, + /// Used to define data objects that are used in the assessment plan, that do not appear in + /// the referenced SSP. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub local_definitions: Option, + pub metadata: DocumentMetadata, + pub reviewed_controls: ReviewedControlsAndControlObjectives, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub tasks: Option>, + /// Used to define various terms and conditions under which an assessment, described by the + /// plan, can be performed. Each child part defines a different type of term or condition. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub terms_and_conditions: Option, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this assessment plan in this or other OSCAL instances. The locally defined + /// UUID of the assessment plan can be used to reference the data item locally or globally + /// (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + /// means it should be consistently used to identify the same subject across revisions of the + /// document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// Identifies the assets used to perform this assessment, such as the assessment team, +/// scanning tools, and assumptions. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct AssessmentAssets { + pub assessment_platforms: Vec, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub components: Option>, +} + +/// Used to represent the toolset used to perform aspects of the assessment. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct AssessmentPlatform { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// The title or name for the assessment platform. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub title: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub uses_components: Option>, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this assessment platform elsewhere in this or other OSCAL instances. The + /// locally defined UUID of the assessment platform can be used to reference the data item + /// locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + /// per-subject, which means it should be consistently used to identify the same subject + /// across revisions of the document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// A reference to a local or remote resource, that has a specific relation to the containing +/// object. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Link { + /// A resolvable URL reference to a resource. + #[serde( + serialize_with = "validation::ser_uri_ref", + deserialize_with = "validation::deser_uri_ref" + )] + pub href: String, + /// A label that indicates the nature of a resource, as a data serialization or format. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub media_type: Option, + /// Describes the type of relationship provided by the link's hypertext reference. This can + /// be an indicator of the link's purpose. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub rel: Option, + /// In case where the href points to a back-matter/resource, this value will indicate the URI + /// fragment to append to any rlink associated with the resource. This value MUST be URI + /// encoded. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub resource_fragment: Option, + /// A textual label to associate with the link, which may be used for presentation in a tool. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub text: Option, +} + +/// An attribute, characteristic, or quality of the containing object expressed as a +/// namespace qualified name/value pair. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Property { + /// A textual label that provides a sub-type or characterization of the property's name. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub class: Option, + /// An identifier for relating distinct sets of properties. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub group: Option, + /// A textual label, within a namespace, that uniquely identifies a specific attribute, + /// characteristic, or quality of the property's containing object. + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub name: String, + /// A namespace qualifying the property's name. This allows different organizations to + /// associate distinct semantics with the same name. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uri_opt", + deserialize_with = "validation::deser_uri_opt" + )] + pub ns: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A unique identifier for a property. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uuid_opt", + deserialize_with = "validation::deser_uuid_opt" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: Option, + /// Indicates the value of the attribute, characteristic, or quality. + pub value: String, +} + +/// The set of components that are used by the assessment platform. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct UsesComponent { + /// A machine-oriented identifier reference to a component that is implemented as part of an + /// inventory item. + #[derivative(PartialEq = "ignore")] + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + pub component_uuid: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsible_parties: Option>, +} + +/// A reference to a set of persons and/or organizations that have responsibility for +/// performing the referenced role in the context of the containing object. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ResponsibleParty { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[serde( + serialize_with = "validation::ser_uuid_vec", + deserialize_with = "validation::deser_uuid_vec" + )] + pub party_uuids: Vec, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A reference to a role performed by a party. + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub role_id: String, +} + +/// A defined component that can be part of an implemented system. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Component { + /// A description of the component, including information about its function. + #[serde(deserialize_with = "validation::deser_markup")] + pub description: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub protocols: Option>, + /// A summary of the technological or business purpose of the component. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub purpose: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsible_roles: Option>, + /// Describes the operational status of the system component. + pub status: Status, + /// A human readable name for the system component. + #[serde(deserialize_with = "validation::deser_markup")] + pub title: String, + /// A category describing the purpose of the component. + #[serde(rename = "type")] + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub component_type: String, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this component elsewhere in this or other OSCAL instances. The locally + /// defined UUID of the component can be used to reference the data item locally or globally + /// (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + /// means it should be consistently used to identify the same subject across revisions of the + /// document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// Information about the protocol used to provide a service. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ServiceProtocolInformation { + /// The common name of the protocol, which should be the appropriate "service name" from the + /// IANA Service Name and Transport Protocol Port Number Registry. + pub name: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub port_ranges: Option>, + /// A human readable name for the protocol (e.g., Transport Layer Security). + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub title: Option, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this service protocol information elsewhere in this or other OSCAL + /// instances. The locally defined UUID of the service protocol can be used to reference the + /// data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + /// assigned per-subject, which means it should be consistently used to identify the same + /// subject across revisions of the document. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uuid_opt", + deserialize_with = "validation::deser_uuid_opt" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: Option, +} + +/// Where applicable this is the IPv4 port range on which the service operates. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct PortRange { + /// Indicates the ending port number in a port range + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_non_neg_int_opt", + deserialize_with = "validation::deser_non_neg_int_opt" + )] + pub end: Option, + /// Indicates the starting port number in a port range + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_non_neg_int_opt", + deserialize_with = "validation::deser_non_neg_int_opt" + )] + pub start: Option, + /// Indicates the transport type. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub transport: Option, +} +/// Indicates the transport type. +/// +/// Describes the type of relationship provided by the link's hypertext reference. This can +/// be an indicator of the link's purpose. +/// +/// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +/// https://www.w3.org/TR/xmlschema11-2/#NCName. +/// +/// A textual label that provides a sub-type or characterization of the property's name. +/// +/// An identifier for relating distinct sets of properties. +/// +/// A textual label, within a namespace, that uniquely identifies a specific attribute, +/// characteristic, or quality of the property's containing object. +/// +/// A reference to a role performed by a party. +/// +/// A human-oriented identifier reference to a role performed. +/// +/// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +/// the name that will be assigned to the file when the file is decoded. +/// +/// Points to an assessment objective. +/// +/// A reference to a control with a corresponding id value. When referencing an externally +/// defined control, the Control Identifier Reference must be used in the context of the +/// external / imported OSCAL instance (e.g., uri-reference). +/// +/// Used to constrain the selection to only specificity identified statements. +/// +/// An optional textual providing a sub-type or characterization of the part's name, or a +/// category to which the part belongs. +/// +/// A unique identifier for the part. +/// +/// A textual label that uniquely identifies the part's semantic type, which exists in a +/// value space qualified by the ns. +/// +/// Reference to a role by UUID. +/// +/// The type of action documented by the assembly, such as an approval. +/// +/// A unique identifier for the role. +/// +/// A textual label that provides a sub-type or characterization of the part's name. This can +/// be used to further distinguish or discriminate between the semantics of multiple parts of +/// the same control with the same name and ns. +/// +/// Used to indicate the type of object pointed to by the uuid-ref within a subject. +/// +/// Indicates the type of assessment subject, such as a component, inventory, item, location, +/// or party represented by this selection statement. +/// +/// Indicates the type of address. +/// +/// The type of task. +/// +/// A textual label that uniquely identifies the part's semantic type. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[non_exhaustive] +#[derive(EnumString, Derivative)] +#[derivative(PartialEq)] +pub enum Transport { + #[serde(rename = "TCP")] + Tcp, + #[serde(rename = "UDP")] + Udp, +} + +/// A reference to a role with responsibility for performing a function relative to the +/// containing object, optionally associated with a set of persons and/or organizations that +/// perform that role. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ResponsibleRole { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uuid_vec_opt", + deserialize_with = "validation::deser_uuid_vec_opt" + )] + pub party_uuids: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A human-oriented identifier reference to a role performed. + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub role_id: String, +} + +/// Describes the operational status of the system component. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Status { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// The operational status. + pub state: State, +} +/// The operational status. +/// +/// Describes the type of relationship provided by the link's hypertext reference. This can +/// be an indicator of the link's purpose. +/// +/// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +/// https://www.w3.org/TR/xmlschema11-2/#NCName. +/// +/// A textual label that provides a sub-type or characterization of the property's name. +/// +/// An identifier for relating distinct sets of properties. +/// +/// A textual label, within a namespace, that uniquely identifies a specific attribute, +/// characteristic, or quality of the property's containing object. +/// +/// A reference to a role performed by a party. +/// +/// A human-oriented identifier reference to a role performed. +/// +/// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +/// the name that will be assigned to the file when the file is decoded. +/// +/// Points to an assessment objective. +/// +/// A reference to a control with a corresponding id value. When referencing an externally +/// defined control, the Control Identifier Reference must be used in the context of the +/// external / imported OSCAL instance (e.g., uri-reference). +/// +/// Used to constrain the selection to only specificity identified statements. +/// +/// An optional textual providing a sub-type or characterization of the part's name, or a +/// category to which the part belongs. +/// +/// A unique identifier for the part. +/// +/// A textual label that uniquely identifies the part's semantic type, which exists in a +/// value space qualified by the ns. +/// +/// Reference to a role by UUID. +/// +/// The type of action documented by the assembly, such as an approval. +/// +/// A unique identifier for the role. +/// +/// A textual label that provides a sub-type or characterization of the part's name. This can +/// be used to further distinguish or discriminate between the semantics of multiple parts of +/// the same control with the same name and ns. +/// +/// Used to indicate the type of object pointed to by the uuid-ref within a subject. +/// +/// Indicates the type of assessment subject, such as a component, inventory, item, location, +/// or party represented by this selection statement. +/// +/// Indicates the type of address. +/// +/// The type of task. +/// +/// A textual label that uniquely identifies the part's semantic type. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[non_exhaustive] +#[derive(EnumString, Derivative)] +#[derivative(PartialEq)] +pub enum State { + Disposition, + Operational, + Other, + #[serde(rename = "under-development")] + UnderDevelopment, +} + +/// Identifies system elements being assessed, such as components, inventory items, and +/// locations. In the assessment plan, this identifies a planned assessment subject. In the +/// assessment results this is an actual assessment subject, and reflects any changes from +/// the plan. exactly what will be the focus of this assessment. Any subjects not identified +/// in this way are out-of-scope. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct SubjectOfAssessment { + /// A human-readable description of the collection of subjects being included in this + /// assessment. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub description: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub exclude_subjects: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub include_all: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub include_subjects: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// Indicates the type of assessment subject, such as a component, inventory, item, location, + /// or party represented by this selection statement. + #[serde(rename = "type")] + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub subject_of_assessment_type: String, +} + +/// Identifies a set of assessment subjects to include/exclude by UUID. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct SelectAssessmentSubject { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A machine-oriented identifier reference to a component, inventory-item, location, party, + /// user, or resource using it's UUID. + #[derivative(PartialEq = "ignore")] + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + pub subject_uuid: String, + /// Used to indicate the type of object pointed to by the uuid-ref within a subject. + #[serde(rename = "type")] + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub select_assessment_subject_type: String, +} + +/// Include all controls from the imported catalog or profile resources. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct IncludeAll {} + +/// A collection of resources that may be referenced from within the OSCAL document instance. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct BackMatter { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub resources: Option>, +} + +/// A resource associated with content in the containing document instance. A resource may be +/// directly included in the document using base64 encoding or may point to one or more +/// equivalent internet resources. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Resource { + /// A resource encoded using the Base64 alphabet defined by RFC 2045. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub base64: Option, + /// An optional citation consisting of end note text using structured markup. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub citation: Option, + /// An optional short summary of the resource used to indicate the purpose of the resource. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub description: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub document_ids: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub rlinks: Option>, + /// An optional name given to the resource, which may be used by a tool for display and + /// navigation. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub title: Option, + /// A unique identifier for a resource. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// A resource encoded using the Base64 alphabet defined by RFC 2045. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Base64 { + /// Name of the file before it was encoded as Base64 to be embedded in a resource. This is + /// the name that will be assigned to the file when the file is decoded. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub filename: Option, + /// A label that indicates the nature of a resource, as a data serialization or format. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub media_type: Option, + #[serde( + serialize_with = "validation::ser_base64", + deserialize_with = "validation::deser_base64" + )] + pub value: String, +} + +/// An optional citation consisting of end note text using structured markup. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Citation { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + /// A line of citation text. + #[serde(deserialize_with = "validation::deser_markup")] + pub text: String, +} + +/// A document identifier qualified by an identifier scheme. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct DocumentIdentifier { + pub identifier: String, + /// Qualifies the kind of document identifier using a URI. If the scheme is not provided the + /// value of the element will be interpreted as a string of characters. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uri_opt", + deserialize_with = "validation::deser_uri_opt" + )] + pub scheme: Option, +} + +/// A URL-based pointer to an external resource with an optional hash for verification and +/// change detection. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ResourceLink { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub hashes: Option>, + /// A resolvable URL pointing to the referenced resource. + #[serde( + serialize_with = "validation::ser_uri_ref", + deserialize_with = "validation::deser_uri_ref" + )] + pub href: String, + /// A label that indicates the nature of a resource, as a data serialization or format. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub media_type: Option, +} + +/// A representation of a cryptographic digest generated over a resource using a specified +/// hash algorithm. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Hash { + /// The digest method by which a hash is derived. + pub algorithm: String, + #[serde( + serialize_with = "validation::ser_hash", + deserialize_with = "validation::deser_hash" + )] + pub value: String, +} + +/// Used by the assessment plan and POA&M to import information about the system. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ImportSystemSecurityPlan { + /// A resolvable URL reference to the system security plan for the system being assessed. + #[serde( + serialize_with = "validation::ser_uri_ref", + deserialize_with = "validation::deser_uri_ref" + )] + pub href: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, +} + +/// Used to define data objects that are used in the assessment plan, that do not appear in +/// the referenced SSP. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct LocalDefinitions { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub activities: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub components: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub inventory_items: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub objectives_and_methods: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub users: Option>, +} + +/// Identifies an assessment or related process that can be performed. In the assessment +/// plan, this is an intended activity which may be associated with an assessment task. In +/// the assessment results, this an activity that was actually performed as part of an +/// assessment. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Activity { + /// A human-readable description of this included activity. + #[serde(deserialize_with = "validation::deser_markup")] + pub description: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub related_controls: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsible_roles: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub steps: Option>, + /// The title for this included activity. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub title: Option, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this assessment activity elsewhere in this or other OSCAL instances. The + /// locally defined UUID of the activity can be used to reference the data item locally or + /// globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + /// which means it should be consistently used to identify the same subject across revisions + /// of the document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// Identifies the controls being assessed and their control objectives. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ReviewedControlsAndControlObjectives { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub control_objective_selections: Option>, + pub control_selections: Vec, + /// A human-readable description of control objectives. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub description: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, +} + +/// Identifies the control objectives of the assessment. In the assessment plan, these are +/// the planned objectives. In the assessment results, these are the assessed objectives, and +/// reflects any changes from the plan. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ReferencedControlObjectives { + /// A human-readable description of this collection of control objectives. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub description: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub exclude_objectives: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub include_all: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub include_objectives: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, +} + +/// Used to select a control objective for inclusion/exclusion based on the control +/// objective's identifier. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct SelectObjective { + /// Points to an assessment objective. + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub objective_id: String, +} + +/// Identifies the controls being assessed. In the assessment plan, these are the planned +/// controls. In the assessment results, these are the actual controls, and reflects any +/// changes from the plan. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct AssessedControls { + /// A human-readable description of in-scope controls specified for assessment. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub description: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub exclude_controls: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub include_all: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub include_controls: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, +} + +/// Used to select a control for inclusion/exclusion based on one or more control +/// identifiers. A set of statement identifiers can be used to target the inclusion/exclusion +/// to only specific control statements providing more granularity over the specific +/// statements that are within the asessment scope. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct SelectControl { + /// A reference to a control with a corresponding id value. When referencing an externally + /// defined control, the Control Identifier Reference must be used in the context of the + /// external / imported OSCAL instance (e.g., uri-reference). + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub control_id: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_vec_opt", + deserialize_with = "validation::deser_token_vec_opt" + )] + pub statement_ids: Option>, +} + +/// Identifies an individual step in a series of steps related to an activity, such as an +/// assessment test or examination procedure. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Step { + /// A human-readable description of this step. + #[serde(deserialize_with = "validation::deser_markup")] + pub description: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsible_roles: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub reviewed_controls: Option, + /// The title for this step. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub title: Option, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this step elsewhere in this or other OSCAL instances. The locally defined + /// UUID of the step (in a series of steps) can be used to reference the data item locally or + /// globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + /// which means it should be consistently used to identify the same subject across revisions + /// of the document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// A single managed inventory item within the system. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct InventoryItem { + /// A summary of the inventory item stating its purpose within the system. + #[serde(deserialize_with = "validation::deser_markup")] + pub description: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub implemented_components: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsible_parties: Option>, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this inventory item elsewhere in this or other OSCAL instances. The locally + /// defined UUID of the inventory item can be used to reference the data item locally or + /// globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + /// which means it should be consistently used to identify the same subject across revisions + /// of the document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// The set of components that are implemented in a given system inventory item. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ImplementedComponent { + /// A machine-oriented identifier reference to a component that is implemented as part of an + /// inventory item. + #[derivative(PartialEq = "ignore")] + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + pub component_uuid: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsible_parties: Option>, +} + +/// A local definition of a control objective for this assessment. Uses catalog syntax for +/// control objective and assessment actions. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct AssessmentSpecificControlObjective { + /// A reference to a control with a corresponding id value. When referencing an externally + /// defined control, the Control Identifier Reference must be used in the context of the + /// external / imported OSCAL instance (e.g., uri-reference). + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub control_id: String, + /// A human-readable description of this control objective. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub description: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + pub parts: Vec, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, +} + +/// An annotated, markup-based textual element of a control's or catalog group's definition, +/// or a child of another part. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Part { + /// An optional textual providing a sub-type or characterization of the part's name, or a + /// category to which the part belongs. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub class: Option, + /// A unique identifier for the part. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub id: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + /// A textual label that uniquely identifies the part's semantic type, which exists in a + /// value space qualified by the ns. + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub name: String, + /// An optional namespace qualifying the part's name. This allows different organizations to + /// associate distinct semantics with the same name. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uri_opt", + deserialize_with = "validation::deser_uri_opt" + )] + pub ns: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub parts: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + /// Permits multiple paragraphs, lists, tables etc. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub prose: Option, + /// An optional name given to the part, which may be used by a tool for display and + /// navigation. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub title: Option, +} + +/// A type of user that interacts with the system based on an associated role. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct SystemUser { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub authorized_privileges: Option>, + /// A summary of the user's purpose within the system. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub description: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_token_vec_opt")] + pub role_ids: Option>, + /// A short common name, abbreviation, or acronym for the user. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub short_name: Option, + /// A name given to the user, which may be used by a tool for display and navigation. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub title: Option, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this user class elsewhere in this or other OSCAL instances. The locally + /// defined UUID of the system user can be used to reference the data item locally or + /// globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + /// which means it should be consistently used to identify the same subject across revisions + /// of the document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// Identifies a specific system privilege held by the user, along with an associated +/// description and/or rationale for the privilege. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Privilege { + /// A summary of the privilege's purpose within the system. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub description: Option, + pub functions_performed: Vec, + /// A human readable name for the privilege. + pub title: String, +} + +/// Provides information about the containing document, and defines concepts that are shared +/// across the document. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct DocumentMetadata { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub actions: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub document_ids: Option>, + #[serde( + serialize_with = "validation::ser_dttz", + deserialize_with = "validation::deser_dttz" + )] + pub last_modified: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub locations: Option>, + pub oscal_version: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub parties: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub published: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsible_parties: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub revisions: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub roles: Option>, + /// A name given to the document, which may be used by a tool for display and navigation. + #[serde(deserialize_with = "validation::deser_markup")] + pub title: String, + pub version: String, +} + +/// An action applied by a role within a given party to the content. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Action { + /// The date and time when the action occurred. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_dttz_opt", + deserialize_with = "validation::deser_dttz_opt" + )] + pub date: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsible_parties: Option>, + /// Specifies the action type system used. + pub system: String, + /// The type of action documented by the assembly, such as an approval. + #[serde(rename = "type")] + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub action_type: String, + /// A unique identifier that can be used to reference this defined action elsewhere in an + /// OSCAL document. A UUID should be consistently used for a given location across revisions + /// of the document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// A physical point of presence, which may be associated with people, organizations, or +/// other concepts within the current or linked OSCAL document. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Location { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub address: Option
, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_email_vec_opt", + deserialize_with = "validation::deser_email_vec_opt" + )] + pub email_addresses: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub telephone_numbers: Option>, + /// A name given to the location, which may be used by a tool for display and navigation. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub title: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uri_vec_opt", + deserialize_with = "validation::deser_uri_vec_opt" + )] + pub urls: Option>, + /// A unique ID for the location, for reference. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// A postal address for the location. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Address { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub addr_lines: Option>, + /// City, town or geographical region for the mailing address. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub city: Option, + /// The ISO 3166-1 alpha-2 country code for the mailing address. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub country: Option, + /// Postal or ZIP code for mailing address. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub postal_code: Option, + /// State, province or analogous geographical region for a mailing address. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub state: Option, + /// Indicates the type of address. + #[serde(rename = "type")] + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub address_type: Option, +} + +/// A telephone service number as defined by ITU-T E.164. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct TelephoneNumber { + pub number: String, + /// Indicates the type of phone number. + #[serde(rename = "type")] + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub telephone_number_type: Option, +} + +/// An organization or person, which may be associated with roles or other concepts within +/// the current or linked OSCAL document. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Party { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub addresses: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_email_vec_opt", + deserialize_with = "validation::deser_email_vec_opt" + )] + pub email_addresses: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub external_ids: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub location_uuids: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uuid_vec_opt", + deserialize_with = "validation::deser_uuid_vec_opt" + )] + pub member_of_organizations: Option>, + /// The full name of the party. This is typically the legal name associated with the party. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub name: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A short common name, abbreviation, or acronym for the party. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub short_name: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub telephone_numbers: Option>, + /// A category describing the kind of party the object describes. + #[serde(rename = "type")] + pub party_type: PartyType, + /// A unique identifier for the party. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// An identifier for a person or organization using a designated scheme. e.g. an Open +/// Researcher and Contributor ID (ORCID). +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct PartyExternalIdentifier { + pub id: String, + /// Indicates the type of external identifier. + #[serde( + serialize_with = "validation::ser_uri", + deserialize_with = "validation::deser_uri" + )] + pub scheme: String, +} +/// A category describing the kind of party the object describes. +/// +/// A label that indicates the nature of a resource, as a data serialization or format. +/// +/// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, +/// U+10, U+32 or [ +/// ]+ +/// +/// In case where the href points to a back-matter/resource, this value will indicate the URI +/// fragment to append to any rlink associated with the resource. This value MUST be URI +/// encoded. +/// +/// Indicates the value of the attribute, characteristic, or quality. +/// +/// The common name of the protocol, which should be the appropriate "service name" from the +/// IANA Service Name and Transport Protocol Port Number Registry. +/// +/// Describes a function performed for a given authorized privilege by this user class. +/// +/// A short common name, abbreviation, or acronym for the user. +/// +/// A single line of an address. +/// +/// City, town or geographical region for the mailing address. +/// +/// The ISO 3166-1 alpha-2 country code for the mailing address. +/// +/// Postal or ZIP code for mailing address. +/// +/// State, province or analogous geographical region for a mailing address. +/// +/// The OSCAL model version the document was authored against and will conform to as valid. +/// +/// The full name of the party. This is typically the legal name associated with the party. +/// +/// A short common name, abbreviation, or acronym for the party. +/// +/// Used to distinguish a specific revision of an OSCAL document from other previous and +/// future versions. +/// +/// A short common name, abbreviation, or acronym for the role. +/// +/// A category describing the purpose of the component. +/// +/// The digest method by which a hash is derived. +/// +/// Indicates the type of phone number. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "snake_case")] +#[non_exhaustive] +#[derive(EnumString, Derivative)] +#[derivative(PartialEq)] +pub enum PartyType { + Organization, + Person, +} + +/// An entry in a sequential list of revisions to the containing document, expected to be in +/// reverse chronological order (i.e. latest first). +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct RevisionHistoryEntry { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_dttz_opt", + deserialize_with = "validation::deser_dttz_opt" + )] + pub last_modified: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub oscal_version: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_dttz_opt", + deserialize_with = "validation::deser_dttz_opt" + )] + pub published: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A name given to the document revision, which may be used by a tool for display and + /// navigation. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub title: Option, + pub version: String, +} + +/// Defines a function, which might be assigned to a party in a specific situation. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Role { + /// A summary of the role's purpose and associated responsibilities. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub description: Option, + /// A unique identifier for the role. + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub id: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A short common name, abbreviation, or acronym for the role. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub short_name: Option, + /// A name given to the role, which may be used by a tool for display and navigation. + pub title: String, +} + +/// Represents a scheduled event or milestone, which may be associated with a series of +/// assessment actions. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Task { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub associated_activities: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub dependencies: Option>, + /// A human-readable description of this task. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub description: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsible_roles: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub subjects: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub tasks: Option>, + /// The timing under which the task is intended to occur. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub timing: Option, + /// The title for this task. + #[serde(deserialize_with = "validation::deser_markup")] + pub title: String, + /// The type of task. + #[serde(rename = "type")] + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub task_type: String, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this task elsewhere in this or other OSCAL instances. The locally defined + /// UUID of the task can be used to reference the data item locally or globally (e.g., in an + /// imported OSCAL instance). This UUID should be assigned per-subject, which means it should + /// be consistently used to identify the same subject across revisions of the document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// Identifies an individual activity to be performed as part of a task. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct AssociatedActivity { + /// A machine-oriented identifier reference to an activity defined in the list of activities. + #[derivative(PartialEq = "ignore")] + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + pub activity_uuid: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsible_roles: Option>, + pub subjects: Vec, +} + +/// Used to indicate that a task is dependent on another task. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct TaskDependency { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A machine-oriented identifier reference to a unique task. + #[derivative(PartialEq = "ignore")] + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + pub task_uuid: String, +} + +/// The timing under which the task is intended to occur. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct EventTiming { + /// The task is intended to occur at the specified frequency. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub at_frequency: Option, + /// The task is intended to occur on the specified date. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub on_date: Option, + /// The task is intended to occur within the specified date range. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub within_date_range: Option, +} + +/// The task is intended to occur at the specified frequency. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct FrequencyCondition { + /// The task must occur after the specified period has elapsed. + #[serde( + serialize_with = "validation::ser_positive_int", + deserialize_with = "validation::deser_positive_int" + )] + pub period: i64, + /// The unit of time for the period. + pub unit: TimeUnit, +} +/// The unit of time for the period. +/// +/// A label that indicates the nature of a resource, as a data serialization or format. +/// +/// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, +/// U+10, U+32 or [ +/// ]+ +/// +/// In case where the href points to a back-matter/resource, this value will indicate the URI +/// fragment to append to any rlink associated with the resource. This value MUST be URI +/// encoded. +/// +/// Indicates the value of the attribute, characteristic, or quality. +/// +/// The common name of the protocol, which should be the appropriate "service name" from the +/// IANA Service Name and Transport Protocol Port Number Registry. +/// +/// Describes a function performed for a given authorized privilege by this user class. +/// +/// A short common name, abbreviation, or acronym for the user. +/// +/// A single line of an address. +/// +/// City, town or geographical region for the mailing address. +/// +/// The ISO 3166-1 alpha-2 country code for the mailing address. +/// +/// Postal or ZIP code for mailing address. +/// +/// State, province or analogous geographical region for a mailing address. +/// +/// The OSCAL model version the document was authored against and will conform to as valid. +/// +/// The full name of the party. This is typically the legal name associated with the party. +/// +/// A short common name, abbreviation, or acronym for the party. +/// +/// Used to distinguish a specific revision of an OSCAL document from other previous and +/// future versions. +/// +/// A short common name, abbreviation, or acronym for the role. +/// +/// A category describing the purpose of the component. +/// +/// The digest method by which a hash is derived. +/// +/// Indicates the type of phone number. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "snake_case")] +#[non_exhaustive] +#[derive(EnumString, Derivative)] +#[derivative(PartialEq)] +pub enum TimeUnit { + Days, + Hours, + Minutes, + Months, + Seconds, + Years, +} + +/// The task is intended to occur on the specified date. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct OnDateCondition { + /// The task must occur on the specified date. + pub date: String, +} + +/// The task is intended to occur within the specified date range. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct OnDateRangeCondition { + /// The task must occur on or before the specified date. + pub end: String, + /// The task must occur on or after the specified date. + pub start: String, +} + +/// Used to define various terms and conditions under which an assessment, described by the +/// plan, can be performed. Each child part defines a different type of term or condition. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct AssessmentPlanTermsAndConditions { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub parts: Option>, +} + +/// A partition of an assessment plan or results or a child of another part. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct AssessmentPart { + /// A textual label that provides a sub-type or characterization of the part's name. This can + /// be used to further distinguish or discriminate between the semantics of multiple parts of + /// the same control with the same name and ns. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub class: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + /// A textual label that uniquely identifies the part's semantic type. + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub name: String, + /// A namespace qualifying the part's name. This allows different organizations to associate + /// distinct semantics with the same name. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uri_opt", + deserialize_with = "validation::deser_uri_opt" + )] + pub ns: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub parts: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + /// Permits multiple paragraphs, lists, tables etc. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub prose: Option, + /// A name given to the part, which may be used by a tool for display and navigation. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub title: Option, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this part elsewhere in this or other OSCAL instances. The locally defined + /// UUID of the part can be used to reference the data item locally or globally (e.g., in an + /// ported OSCAL instance). This UUID should be assigned per-subject, which means it should + /// be consistently used to identify the same subject across revisions of the document. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uuid_opt", + deserialize_with = "validation::deser_uuid_opt" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: Option, +} diff --git a/roscal_lib/src/assessment/assessment_results.rs b/roscal_lib/src/assessment/assessment_results.rs new file mode 100644 index 0000000..521786c --- /dev/null +++ b/roscal_lib/src/assessment/assessment_results.rs @@ -0,0 +1,3431 @@ +use derivative::Derivative; +use strum::EnumString; +use derive_builder::Builder; +use serde::{Serialize, Deserialize}; +use crate::validation; + +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct AssessmentResults { + #[serde(rename = "$schema")] + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub schema: Option, + pub assessment_results: SecurityAssessmentResultsSar, +} + +/// Security assessment results, such as those provided by a FedRAMP assessor in the FedRAMP +/// Security Assessment Report. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct SecurityAssessmentResultsSar { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub back_matter: Option, + pub import_ap: ImportAssessmentPlan, + /// Used to define data objects that are used in the assessment plan, that do not appear in + /// the referenced SSP. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub local_definitions: Option, + pub metadata: DocumentMetadata, + pub results: Vec, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this assessment results instance in this or other OSCAL instances. The + /// locally defined UUID of the assessment result can be used to reference the data item + /// locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + /// per-subject, which means it should be consistently used to identify the same subject + /// across revisions of the document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// A collection of resources that may be referenced from within the OSCAL document instance. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct BackMatter { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub resources: Option>, +} + +/// A resource associated with content in the containing document instance. A resource may be +/// directly included in the document using base64 encoding or may point to one or more +/// equivalent internet resources. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Resource { + /// A resource encoded using the Base64 alphabet defined by RFC 2045. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub base64: Option, + /// An optional citation consisting of end note text using structured markup. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub citation: Option, + /// An optional short summary of the resource used to indicate the purpose of the resource. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub description: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub document_ids: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub rlinks: Option>, + /// An optional name given to the resource, which may be used by a tool for display and + /// navigation. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub title: Option, + /// A unique identifier for a resource. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// A resource encoded using the Base64 alphabet defined by RFC 2045. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Base64 { + /// Name of the file before it was encoded as Base64 to be embedded in a resource. This is + /// the name that will be assigned to the file when the file is decoded. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub filename: Option, + /// A label that indicates the nature of a resource, as a data serialization or format. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub media_type: Option, + #[serde( + serialize_with = "validation::ser_base64", + deserialize_with = "validation::deser_base64" + )] + pub value: String, +} + +/// An optional citation consisting of end note text using structured markup. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Citation { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + /// A line of citation text. + #[serde(deserialize_with = "validation::deser_markup")] + pub text: String, +} + +/// A reference to a local or remote resource, that has a specific relation to the containing +/// object. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Link { + /// A resolvable URL reference to a resource. + #[serde( + serialize_with = "validation::ser_uri_ref", + deserialize_with = "validation::deser_uri_ref" + )] + pub href: String, + /// A label that indicates the nature of a resource, as a data serialization or format. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub media_type: Option, + /// Describes the type of relationship provided by the link's hypertext reference. This can + /// be an indicator of the link's purpose. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub rel: Option, + /// In case where the href points to a back-matter/resource, this value will indicate the URI + /// fragment to append to any rlink associated with the resource. This value MUST be URI + /// encoded. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub resource_fragment: Option, + /// A textual label to associate with the link, which may be used for presentation in a tool. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub text: Option, +} + +/// An attribute, characteristic, or quality of the containing object expressed as a +/// namespace qualified name/value pair. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Property { + /// A textual label that provides a sub-type or characterization of the property's name. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub class: Option, + /// An identifier for relating distinct sets of properties. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub group: Option, + /// A textual label, within a namespace, that uniquely identifies a specific attribute, + /// characteristic, or quality of the property's containing object. + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub name: String, + /// A namespace qualifying the property's name. This allows different organizations to + /// associate distinct semantics with the same name. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uri_opt", + deserialize_with = "validation::deser_uri_opt" + )] + pub ns: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A unique identifier for a property. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uuid_opt", + deserialize_with = "validation::deser_uuid_opt" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: Option, + /// Indicates the value of the attribute, characteristic, or quality. + pub value: String, +} + +/// A document identifier qualified by an identifier scheme. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct DocumentIdentifier { + pub identifier: String, + /// Qualifies the kind of document identifier using a URI. If the scheme is not provided the + /// value of the element will be interpreted as a string of characters. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uri_opt", + deserialize_with = "validation::deser_uri_opt" + )] + pub scheme: Option, +} + +/// A URL-based pointer to an external resource with an optional hash for verification and +/// change detection. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ResourceLink { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub hashes: Option>, + /// A resolvable URL pointing to the referenced resource. + #[serde( + serialize_with = "validation::ser_uri_ref", + deserialize_with = "validation::deser_uri_ref" + )] + pub href: String, + /// A label that indicates the nature of a resource, as a data serialization or format. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub media_type: Option, +} + +/// A representation of a cryptographic digest generated over a resource using a specified +/// hash algorithm. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Hash { + /// The digest method by which a hash is derived. + pub algorithm: String, + #[serde( + serialize_with = "validation::ser_hash", + deserialize_with = "validation::deser_hash" + )] + pub value: String, +} + +/// Used by assessment-results to import information about the original plan for assessing +/// the system. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ImportAssessmentPlan { + /// A resolvable URL reference to the assessment plan governing the assessment activities. + #[serde( + serialize_with = "validation::ser_uri_ref", + deserialize_with = "validation::deser_uri_ref" + )] + pub href: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, +} + +/// Used to define data objects that are used in the assessment plan, that do not appear in +/// the referenced SSP. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct AssessmentResultsLocalDefinitions { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub activities: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub objectives_and_methods: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, +} + +/// Identifies an assessment or related process that can be performed. In the assessment +/// plan, this is an intended activity which may be associated with an assessment task. In +/// the assessment results, this an activity that was actually performed as part of an +/// assessment. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Activity { + /// A human-readable description of this included activity. + #[serde(deserialize_with = "validation::deser_markup")] + pub description: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub related_controls: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsible_roles: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub steps: Option>, + /// The title for this included activity. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub title: Option, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this assessment activity elsewhere in this or other OSCAL instances. The + /// locally defined UUID of the activity can be used to reference the data item locally or + /// globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + /// which means it should be consistently used to identify the same subject across revisions + /// of the document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// Identifies the controls being assessed and their control objectives. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ReviewedControlsAndControlObjectives { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub control_objective_selections: Option>, + pub control_selections: Vec, + /// A human-readable description of control objectives. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub description: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, +} + +/// Identifies the control objectives of the assessment. In the assessment plan, these are +/// the planned objectives. In the assessment results, these are the assessed objectives, and +/// reflects any changes from the plan. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ReferencedControlObjectives { + /// A human-readable description of this collection of control objectives. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub description: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub exclude_objectives: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub include_all: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub include_objectives: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, +} + +/// Used to select a control objective for inclusion/exclusion based on the control +/// objective's identifier. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct SelectObjective { + /// Points to an assessment objective. + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub objective_id: String, +} + +/// Include all controls from the imported catalog or profile resources. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct IncludeAll {} + +/// Identifies the controls being assessed. In the assessment plan, these are the planned +/// controls. In the assessment results, these are the actual controls, and reflects any +/// changes from the plan. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct AssessedControls { + /// A human-readable description of in-scope controls specified for assessment. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub description: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub exclude_controls: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub include_all: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub include_controls: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, +} + +/// Used to select a control for inclusion/exclusion based on one or more control +/// identifiers. A set of statement identifiers can be used to target the inclusion/exclusion +/// to only specific control statements providing more granularity over the specific +/// statements that are within the asessment scope. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct SelectControl { + /// A reference to a control with a corresponding id value. When referencing an externally + /// defined control, the Control Identifier Reference must be used in the context of the + /// external / imported OSCAL instance (e.g., uri-reference). + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub control_id: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_vec_opt", + deserialize_with = "validation::deser_token_vec_opt" + )] + pub statement_ids: Option>, +} + +/// A reference to a role with responsibility for performing a function relative to the +/// containing object, optionally associated with a set of persons and/or organizations that +/// perform that role. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ResponsibleRole { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uuid_vec_opt", + deserialize_with = "validation::deser_uuid_vec_opt" + )] + pub party_uuids: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A human-oriented identifier reference to a role performed. + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub role_id: String, +} + +/// Identifies an individual step in a series of steps related to an activity, such as an +/// assessment test or examination procedure. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Step { + /// A human-readable description of this step. + #[serde(deserialize_with = "validation::deser_markup")] + pub description: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsible_roles: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub reviewed_controls: Option, + /// The title for this step. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub title: Option, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this step elsewhere in this or other OSCAL instances. The locally defined + /// UUID of the step (in a series of steps) can be used to reference the data item locally or + /// globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + /// which means it should be consistently used to identify the same subject across revisions + /// of the document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// A local definition of a control objective for this assessment. Uses catalog syntax for +/// control objective and assessment actions. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct AssessmentSpecificControlObjective { + /// A reference to a control with a corresponding id value. When referencing an externally + /// defined control, the Control Identifier Reference must be used in the context of the + /// external / imported OSCAL instance (e.g., uri-reference). + pub control_id: String, + /// A human-readable description of this control objective. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub description: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + pub parts: Vec, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, +} + +/// An annotated, markup-based textual element of a control's or catalog group's definition, +/// or a child of another part. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Part { + /// An optional textual providing a sub-type or characterization of the part's name, or a + /// category to which the part belongs. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub class: Option, + /// A unique identifier for the part. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub id: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + /// A textual label that uniquely identifies the part's semantic type, which exists in a + /// value space qualified by the ns. + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub name: String, + /// An optional namespace qualifying the part's name. This allows different organizations to + /// associate distinct semantics with the same name. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uri_opt", + deserialize_with = "validation::deser_uri_opt" + )] + pub ns: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub parts: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + /// Permits multiple paragraphs, lists, tables etc. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub prose: Option, + /// An optional name given to the part, which may be used by a tool for display and + /// navigation. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub title: Option, +} + +/// Provides information about the containing document, and defines concepts that are shared +/// across the document. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct DocumentMetadata { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub actions: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub document_ids: Option>, + #[serde( + serialize_with = "validation::ser_dttz", + deserialize_with = "validation::deser_dttz" + )] + pub last_modified: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub locations: Option>, + pub oscal_version: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub parties: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub published: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsible_parties: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub revisions: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub roles: Option>, + /// A name given to the document, which may be used by a tool for display and navigation. + #[serde(deserialize_with = "validation::deser_markup")] + pub title: String, + pub version: String, +} + +/// An action applied by a role within a given party to the content. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Action { + /// The date and time when the action occurred. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_dttz_opt", + deserialize_with = "validation::deser_dttz_opt" + )] + pub date: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsible_parties: Option>, + /// Specifies the action type system used. + pub system: String, + /// The type of action documented by the assembly, such as an approval. + #[serde(rename = "type")] + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub action_type: String, + /// A unique identifier that can be used to reference this defined action elsewhere in an + /// OSCAL document. A UUID should be consistently used for a given location across revisions + /// of the document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// A reference to a set of persons and/or organizations that have responsibility for +/// performing the referenced role in the context of the containing object. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ResponsibleParty { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[serde( + serialize_with = "validation::ser_uuid_vec", + deserialize_with = "validation::deser_uuid_vec" + )] + pub party_uuids: Vec, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A reference to a role performed by a party. + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub role_id: String, +} + +/// A physical point of presence, which may be associated with people, organizations, or +/// other concepts within the current or linked OSCAL document. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Location { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub address: Option
, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_email_vec_opt", + deserialize_with = "validation::deser_email_vec_opt" + )] + pub email_addresses: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub telephone_numbers: Option>, + /// A name given to the location, which may be used by a tool for display and navigation. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub title: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uri_vec_opt", + deserialize_with = "validation::deser_uri_vec_opt" + )] + pub urls: Option>, + /// A unique ID for the location, for reference. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// A postal address for the location. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Address { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub addr_lines: Option>, + /// City, town or geographical region for the mailing address. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub city: Option, + /// The ISO 3166-1 alpha-2 country code for the mailing address. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub country: Option, + /// Postal or ZIP code for mailing address. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub postal_code: Option, + /// State, province or analogous geographical region for a mailing address. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub state: Option, + /// Indicates the type of address. + #[serde(rename = "type")] + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub address_type: Option, +} + +/// A telephone service number as defined by ITU-T E.164. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct TelephoneNumber { + pub number: String, + /// Indicates the type of phone number. + #[serde(rename = "type")] + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub telephone_number_type: Option, +} + +/// An organization or person, which may be associated with roles or other concepts within +/// the current or linked OSCAL document. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Party { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub addresses: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_email_vec_opt", + deserialize_with = "validation::deser_email_vec_opt" + )] + pub email_addresses: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub external_ids: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub location_uuids: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uuid_vec_opt", + deserialize_with = "validation::deser_uuid_vec_opt" + )] + pub member_of_organizations: Option>, + /// The full name of the party. This is typically the legal name associated with the party. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub name: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A short common name, abbreviation, or acronym for the party. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub short_name: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub telephone_numbers: Option>, + /// A category describing the kind of party the object describes. + #[serde(rename = "type")] + pub party_type: PartyType, + /// A unique identifier for the party. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// An identifier for a person or organization using a designated scheme. e.g. an Open +/// Researcher and Contributor ID (ORCID). +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct PartyExternalIdentifier { + pub id: String, + /// Indicates the type of external identifier. + #[serde( + serialize_with = "validation::ser_uri", + deserialize_with = "validation::deser_uri" + )] + pub scheme: String, +} +/// A category describing the kind of party the object describes. +/// +/// A label that indicates the nature of a resource, as a data serialization or format. +/// +/// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, +/// U+10, U+32 or [ +/// ]+ +/// +/// In case where the href points to a back-matter/resource, this value will indicate the URI +/// fragment to append to any rlink associated with the resource. This value MUST be URI +/// encoded. +/// +/// Indicates the value of the attribute, characteristic, or quality. +/// +/// A single line of an address. +/// +/// City, town or geographical region for the mailing address. +/// +/// The ISO 3166-1 alpha-2 country code for the mailing address. +/// +/// Postal or ZIP code for mailing address. +/// +/// State, province or analogous geographical region for a mailing address. +/// +/// The OSCAL model version the document was authored against and will conform to as valid. +/// +/// The full name of the party. This is typically the legal name associated with the party. +/// +/// A short common name, abbreviation, or acronym for the party. +/// +/// Used to distinguish a specific revision of an OSCAL document from other previous and +/// future versions. +/// +/// A short common name, abbreviation, or acronym for the role. +/// +/// The common name of the protocol, which should be the appropriate "service name" from the +/// IANA Service Name and Transport Protocol Port Number Registry. +/// +/// Describes a function performed for a given authorized privilege by this user class. +/// +/// A short common name, abbreviation, or acronym for the user. +/// +/// Indicates the value of the facet. +/// +/// The digest method by which a hash is derived. +/// +/// Indicates the type of phone number. +/// +/// A category describing the purpose of the component. +/// +/// Identifies how the observation was made. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "snake_case")] +#[non_exhaustive] +#[derive(EnumString, Derivative)] +#[derivative(PartialEq)] +pub enum PartyType { + Organization, + Person, +} + +/// An entry in a sequential list of revisions to the containing document, expected to be in +/// reverse chronological order (i.e. latest first). +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct RevisionHistoryEntry { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_dttz_opt", + deserialize_with = "validation::deser_dttz_opt" + )] + pub last_modified: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub oscal_version: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_dttz_opt", + deserialize_with = "validation::deser_dttz_opt" + )] + pub published: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A name given to the document revision, which may be used by a tool for display and + /// navigation. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub title: Option, + pub version: String, +} + +/// Defines a function, which might be assigned to a party in a specific situation. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Role { + /// A summary of the role's purpose and associated responsibilities. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub description: Option, + /// A unique identifier for the role. + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub id: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A short common name, abbreviation, or acronym for the role. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub short_name: Option, + /// A name given to the role, which may be used by a tool for display and navigation. + pub title: String, +} + +/// Used by the assessment results and POA&M. In the assessment results, this identifies all +/// of the assessment observations and findings, initial and residual risks, deviations, and +/// disposition. In the POA&M, this identifies initial and residual risks, deviations, and +/// disposition. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct AssessmentResult { + /// A log of all assessment-related actions taken. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub assessment_log: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub attestations: Option>, + /// A human-readable description of this set of test results. + #[serde(deserialize_with = "validation::deser_markup")] + pub description: String, + /// Date/time stamp identifying the end of the evidence collection reflected in these + /// results. In a continuous motoring scenario, this may contain the same value as start if + /// appropriate. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_dttz_opt", + deserialize_with = "validation::deser_dttz_opt" + )] + pub end: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub findings: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + /// Used to define data objects that are used in the assessment plan, that do not appear in + /// the referenced SSP. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub local_definitions: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub observations: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + pub reviewed_controls: ReviewedControlsAndControlObjectives, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub risks: Option>, + /// Date/time stamp identifying the start of the evidence collection reflected in these + /// results. + #[serde( + serialize_with = "validation::ser_dttz", + deserialize_with = "validation::deser_dttz" + )] + pub start: String, + /// The title for this set of results. + #[serde(deserialize_with = "validation::deser_markup")] + pub title: String, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this set of results in this or other OSCAL instances. The locally defined + /// UUID of the assessment result can be used to reference the data item locally or globally + /// (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + /// means it should be consistently used to identify the same subject across revisions of the + /// document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// A log of all assessment-related actions taken. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct AssessmentLog { + pub entries: Vec, +} + +/// Identifies the result of an action and/or task that occurred as part of executing an +/// assessment plan or an assessment event that occurred in producing the assessment results. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct AssessmentLogEntry { + /// A human-readable description of this event. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub description: Option, + /// Identifies the end date and time of an event. If the event is a point in time, the start + /// and end will be the same date and time. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_dttz_opt", + deserialize_with = "validation::deser_dttz_opt" + )] + pub end: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub logged_by: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub related_tasks: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// Identifies the start date and time of an event. + #[serde( + serialize_with = "validation::ser_dttz", + deserialize_with = "validation::deser_dttz" + )] + pub start: String, + /// The title for this event. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub title: Option, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference an assessment event in this or other OSCAL instances. The locally defined + /// UUID of the assessment log entry can be used to reference the data item locally or + /// globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + /// which means it should be consistently used to identify the same subject across revisions + /// of the document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// Used to indicate who created a log entry in what role. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct LoggedBy { + /// A machine-oriented identifier reference to the party who is making the log entry. + #[derivative(PartialEq = "ignore")] + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + pub party_uuid: String, + /// A point to the role-id of the role in which the party is making the log entry. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub role_id: Option, +} + +/// Identifies an individual task for which the containing object is a consequence of. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct TaskReference { + /// Used to detail assessment subjects that were identfied by this task. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub identified_subject: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsible_parties: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub subjects: Option>, + /// A machine-oriented identifier reference to a unique task. + #[derivative(PartialEq = "ignore")] + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + pub task_uuid: String, +} + +/// Used to detail assessment subjects that were identfied by this task. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct IdentifiedSubject { + /// A machine-oriented identifier reference to a unique assessment subject placeholder + /// defined by this task. + #[derivative(PartialEq = "ignore")] + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + pub subject_placeholder_uuid: String, + pub subjects: Vec, +} + +/// Identifies system elements being assessed, such as components, inventory items, and +/// locations. In the assessment plan, this identifies a planned assessment subject. In the +/// assessment results this is an actual assessment subject, and reflects any changes from +/// the plan. exactly what will be the focus of this assessment. Any subjects not identified +/// in this way are out-of-scope. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct SubjectOfAssessment { + /// A human-readable description of the collection of subjects being included in this + /// assessment. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub description: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub exclude_subjects: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub include_all: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub include_subjects: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// Indicates the type of assessment subject, such as a component, inventory, item, location, + /// or party represented by this selection statement. + #[serde(rename = "type")] + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub subject_of_assessment_type: String, +} + +/// Identifies a set of assessment subjects to include/exclude by UUID. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct SelectAssessmentSubject { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A machine-oriented identifier reference to a component, inventory-item, location, party, + /// user, or resource using it's UUID. + #[derivative(PartialEq = "ignore")] + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + pub subject_uuid: String, + /// Used to indicate the type of object pointed to by the uuid-ref within a subject. + #[serde(rename = "type")] + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub select_assessment_subject_type: String, +} + +/// A set of textual statements, typically written by the assessor. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct AttestationStatements { + pub parts: Vec, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsible_parties: Option>, +} + +/// A partition of an assessment plan or results or a child of another part. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct AssessmentPart { + /// A textual label that provides a sub-type or characterization of the part's name. This can + /// be used to further distinguish or discriminate between the semantics of multiple parts of + /// the same control with the same name and ns. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub class: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + /// A textual label that uniquely identifies the part's semantic type. + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub name: String, + /// A namespace qualifying the part's name. This allows different organizations to associate + /// distinct semantics with the same name. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uri_opt", + deserialize_with = "validation::deser_uri_opt" + )] + pub ns: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub parts: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + /// Permits multiple paragraphs, lists, tables etc. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub prose: Option, + /// A name given to the part, which may be used by a tool for display and navigation. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub title: Option, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this part elsewhere in this or other OSCAL instances. The locally defined + /// UUID of the part can be used to reference the data item locally or globally (e.g., in an + /// ported OSCAL instance). This UUID should be assigned per-subject, which means it should + /// be consistently used to identify the same subject across revisions of the document. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uuid_opt", + deserialize_with = "validation::deser_uuid_opt" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: Option, +} + +/// Describes an individual finding. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Finding { + /// A human-readable description of this finding. + #[serde(deserialize_with = "validation::deser_markup")] + pub description: String, + /// A machine-oriented identifier reference to the implementation statement in the SSP to + /// which this finding is related. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uuid_opt", + deserialize_with = "validation::deser_uuid_opt" + )] + pub implementation_statement_uuid: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub origins: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub related_observations: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub related_risks: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + pub target: TargetClass, + /// The title for this finding. + #[serde(deserialize_with = "validation::deser_markup")] + pub title: String, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this finding in this or other OSCAL instances. The locally defined UUID of + /// the finding can be used to reference the data item locally or globally (e.g., in an + /// imported OSCAL instance). This UUID should be assigned per-subject, which means it should + /// be consistently used to identify the same subject across revisions of the document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// Identifies the source of the finding, such as a tool, interviewed person, or activity. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Origin { + pub actors: Vec, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub related_tasks: Option>, +} + +/// The actor that produces an observation, a finding, or a risk. One or more actor type can +/// be used to specify a person that is using a tool. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct OriginatingActor { + /// A machine-oriented identifier reference to the tool or person based on the associated + /// type. + #[derivative(PartialEq = "ignore")] + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + pub actor_uuid: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + /// For a party, this can optionally be used to specify the role the actor was performing. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub role_id: Option, + /// The kind of actor. + #[serde(rename = "type")] + pub originating_actor_type: ActorType, +} +/// The kind of actor. +/// +/// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +/// the name that will be assigned to the file when the file is decoded. +/// +/// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +/// https://www.w3.org/TR/xmlschema11-2/#NCName. +/// +/// A textual label that provides a sub-type or characterization of the property's name. +/// +/// An identifier for relating distinct sets of properties. +/// +/// A textual label, within a namespace, that uniquely identifies a specific attribute, +/// characteristic, or quality of the property's containing object. +/// +/// Points to an assessment objective. +/// +/// A reference to a control with a corresponding id value. When referencing an externally +/// defined control, the Control Identifier Reference must be used in the context of the +/// external / imported OSCAL instance (e.g., uri-reference). +/// +/// Used to constrain the selection to only specificity identified statements. +/// +/// A human-oriented identifier reference to a role performed. +/// +/// An optional textual providing a sub-type or characterization of the part's name, or a +/// category to which the part belongs. +/// +/// A unique identifier for the part. +/// +/// A textual label that uniquely identifies the part's semantic type, which exists in a +/// value space qualified by the ns. +/// +/// A reference to a role performed by a party. +/// +/// The type of action documented by the assembly, such as an approval. +/// +/// A unique identifier for the role. +/// +/// A point to the role-id of the role in which the party is making the log entry. +/// +/// A textual label that provides a sub-type or characterization of the part's name. This can +/// be used to further distinguish or discriminate between the semantics of multiple parts of +/// the same control with the same name and ns. +/// +/// For a party, this can optionally be used to specify the role the actor was performing. +/// +/// A machine-oriented identifier reference for a specific target qualified by the type. +/// +/// Reference to a role by UUID. +/// +/// The name of the risk metric within the specified system. +/// +/// Describes the type of relationship provided by the link's hypertext reference. This can +/// be an indicator of the link's purpose. +/// +/// Indicates the type of address. +/// +/// Used to indicate the type of object pointed to by the uuid-ref within a subject. +/// +/// Indicates the type of assessment subject, such as a component, inventory, item, location, +/// or party represented by this selection statement. +/// +/// A textual label that uniquely identifies the part's semantic type. +/// +/// Identifies the implementation status of the control or control objective. +/// +/// The reason the objective was given it's status. +/// +/// The type of task. +/// +/// Identifies the nature of the observation. More than one may be used to further qualify +/// and enable filtering. +/// +/// Identifies whether this is a recommendation, such as from an assessor or tool, or an +/// actual plan accepted by the system owner. +/// +/// Describes the status of the associated risk. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[non_exhaustive] +#[derive(EnumString, Derivative)] +#[derivative(PartialEq)] +pub enum ActorType { + #[serde(rename = "assessment-platform")] + AssessmentPlatform, + Party, + Tool, +} + +/// Relates the finding to a set of referenced observations that were used to determine the +/// finding. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct FindingRelatedObservation { + /// A machine-oriented identifier reference to an observation defined in the list of + /// observations. + #[derivative(PartialEq = "ignore")] + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + pub observation_uuid: String, +} + +/// Relates the finding to a set of referenced risks that were used to determine the finding. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct AssociatedRisk { + /// A machine-oriented identifier reference to a risk defined in the list of risks. + #[derivative(PartialEq = "ignore")] + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + pub risk_uuid: String, +} + +/// Captures an assessor's conclusions regarding the degree to which an objective is +/// satisfied. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct TargetClass { + /// A human-readable description of the assessor's conclusions regarding the degree to which + /// an objective is satisfied. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub description: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub implementation_status: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A determination of if the objective is satisfied or not within a given system. + pub status: StatusClass, + /// A machine-oriented identifier reference for a specific target qualified by the type. + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub target_id: String, + /// The title for this objective status. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub title: Option, + /// Identifies the type of the target. + #[serde(rename = "type")] + pub objective_status_type: FindingTargetType, +} + +/// Indicates the degree to which the a given control is implemented. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ImplementationStatus { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// Identifies the implementation status of the control or control objective. + pub state: String, +} +/// Identifies the type of the target. +/// +/// A label that indicates the nature of a resource, as a data serialization or format. +/// +/// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, +/// U+10, U+32 or [ +/// ]+ +/// +/// In case where the href points to a back-matter/resource, this value will indicate the URI +/// fragment to append to any rlink associated with the resource. This value MUST be URI +/// encoded. +/// +/// Indicates the value of the attribute, characteristic, or quality. +/// +/// A single line of an address. +/// +/// City, town or geographical region for the mailing address. +/// +/// The ISO 3166-1 alpha-2 country code for the mailing address. +/// +/// Postal or ZIP code for mailing address. +/// +/// State, province or analogous geographical region for a mailing address. +/// +/// The OSCAL model version the document was authored against and will conform to as valid. +/// +/// The full name of the party. This is typically the legal name associated with the party. +/// +/// A short common name, abbreviation, or acronym for the party. +/// +/// Used to distinguish a specific revision of an OSCAL document from other previous and +/// future versions. +/// +/// A short common name, abbreviation, or acronym for the role. +/// +/// The common name of the protocol, which should be the appropriate "service name" from the +/// IANA Service Name and Transport Protocol Port Number Registry. +/// +/// Describes a function performed for a given authorized privilege by this user class. +/// +/// A short common name, abbreviation, or acronym for the user. +/// +/// Indicates the value of the facet. +/// +/// The digest method by which a hash is derived. +/// +/// Indicates the type of phone number. +/// +/// A category describing the purpose of the component. +/// +/// Identifies how the observation was made. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[non_exhaustive] +#[derive(EnumString, Derivative)] +#[derivative(PartialEq)] +pub enum FindingTargetType { + #[serde(rename = "objective-id")] + ObjectiveId, + #[serde(rename = "statement-id")] + StatementId, +} + +/// A determination of if the objective is satisfied or not within a given system. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct StatusClass { + /// The reason the objective was given it's status. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub reason: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// An indication as to whether the objective is satisfied or not. + pub state: ObjectiveStatusState, +} +/// An indication as to whether the objective is satisfied or not. +/// +/// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +/// the name that will be assigned to the file when the file is decoded. +/// +/// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +/// https://www.w3.org/TR/xmlschema11-2/#NCName. +/// +/// A textual label that provides a sub-type or characterization of the property's name. +/// +/// An identifier for relating distinct sets of properties. +/// +/// A textual label, within a namespace, that uniquely identifies a specific attribute, +/// characteristic, or quality of the property's containing object. +/// +/// Points to an assessment objective. +/// +/// A reference to a control with a corresponding id value. When referencing an externally +/// defined control, the Control Identifier Reference must be used in the context of the +/// external / imported OSCAL instance (e.g., uri-reference). +/// +/// Used to constrain the selection to only specificity identified statements. +/// +/// A human-oriented identifier reference to a role performed. +/// +/// An optional textual providing a sub-type or characterization of the part's name, or a +/// category to which the part belongs. +/// +/// A unique identifier for the part. +/// +/// A textual label that uniquely identifies the part's semantic type, which exists in a +/// value space qualified by the ns. +/// +/// A reference to a role performed by a party. +/// +/// The type of action documented by the assembly, such as an approval. +/// +/// A unique identifier for the role. +/// +/// A point to the role-id of the role in which the party is making the log entry. +/// +/// A textual label that provides a sub-type or characterization of the part's name. This can +/// be used to further distinguish or discriminate between the semantics of multiple parts of +/// the same control with the same name and ns. +/// +/// For a party, this can optionally be used to specify the role the actor was performing. +/// +/// A machine-oriented identifier reference for a specific target qualified by the type. +/// +/// Reference to a role by UUID. +/// +/// The name of the risk metric within the specified system. +/// +/// Describes the type of relationship provided by the link's hypertext reference. This can +/// be an indicator of the link's purpose. +/// +/// Indicates the type of address. +/// +/// Used to indicate the type of object pointed to by the uuid-ref within a subject. +/// +/// Indicates the type of assessment subject, such as a component, inventory, item, location, +/// or party represented by this selection statement. +/// +/// A textual label that uniquely identifies the part's semantic type. +/// +/// Identifies the implementation status of the control or control objective. +/// +/// The reason the objective was given it's status. +/// +/// The type of task. +/// +/// Identifies the nature of the observation. More than one may be used to further qualify +/// and enable filtering. +/// +/// Identifies whether this is a recommendation, such as from an assessor or tool, or an +/// actual plan accepted by the system owner. +/// +/// Describes the status of the associated risk. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[non_exhaustive] +#[derive(EnumString, Derivative)] +#[derivative(PartialEq)] +pub enum ObjectiveStatusState { + #[serde(rename = "not-satisfied")] + NotSatisfied, + Satisfied, +} + +/// Used to define data objects that are used in the assessment plan, that do not appear in +/// the referenced SSP. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ResultLocalDefinitions { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub assessment_assets: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub components: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub inventory_items: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub tasks: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub users: Option>, +} + +/// Identifies the assets used to perform this assessment, such as the assessment team, +/// scanning tools, and assumptions. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct AssessmentAssets { + pub assessment_platforms: Vec, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub components: Option>, +} + +/// Used to represent the toolset used to perform aspects of the assessment. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct AssessmentPlatform { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// The title or name for the assessment platform. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub title: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub uses_components: Option>, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this assessment platform elsewhere in this or other OSCAL instances. The + /// locally defined UUID of the assessment platform can be used to reference the data item + /// locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + /// per-subject, which means it should be consistently used to identify the same subject + /// across revisions of the document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// The set of components that are used by the assessment platform. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct UsesComponent { + /// A machine-oriented identifier reference to a component that is implemented as part of an + /// inventory item. + #[derivative(PartialEq = "ignore")] + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + pub component_uuid: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsible_parties: Option>, +} + +/// A defined component that can be part of an implemented system. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Component { + /// A description of the component, including information about its function. + #[serde(deserialize_with = "validation::deser_markup")] + pub description: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub protocols: Option>, + /// A summary of the technological or business purpose of the component. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub purpose: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsible_roles: Option>, + /// Describes the operational status of the system component. + pub status: Status, + /// A human readable name for the system component. + #[serde(deserialize_with = "validation::deser_markup")] + pub title: String, + /// A category describing the purpose of the component. + #[serde(rename = "type")] + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub component_type: String, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this component elsewhere in this or other OSCAL instances. The locally + /// defined UUID of the component can be used to reference the data item locally or globally + /// (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + /// means it should be consistently used to identify the same subject across revisions of the + /// document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// Information about the protocol used to provide a service. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ServiceProtocolInformation { + /// The common name of the protocol, which should be the appropriate "service name" from the + /// IANA Service Name and Transport Protocol Port Number Registry. + pub name: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub port_ranges: Option>, + /// A human readable name for the protocol (e.g., Transport Layer Security). + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub title: Option, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this service protocol information elsewhere in this or other OSCAL + /// instances. The locally defined UUID of the service protocol can be used to reference the + /// data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + /// assigned per-subject, which means it should be consistently used to identify the same + /// subject across revisions of the document. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uuid_opt", + deserialize_with = "validation::deser_uuid_opt" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: Option, +} + +/// Where applicable this is the IPv4 port range on which the service operates. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct PortRange { + /// Indicates the ending port number in a port range + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_non_neg_int_opt", + deserialize_with = "validation::deser_non_neg_int_opt" + )] + pub end: Option, + /// Indicates the starting port number in a port range + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_non_neg_int_opt", + deserialize_with = "validation::deser_non_neg_int_opt" + )] + pub start: Option, + /// Indicates the transport type. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub transport: Option, +} +/// Indicates the transport type. +/// +/// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +/// the name that will be assigned to the file when the file is decoded. +/// +/// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +/// https://www.w3.org/TR/xmlschema11-2/#NCName. +/// +/// A textual label that provides a sub-type or characterization of the property's name. +/// +/// An identifier for relating distinct sets of properties. +/// +/// A textual label, within a namespace, that uniquely identifies a specific attribute, +/// characteristic, or quality of the property's containing object. +/// +/// Points to an assessment objective. +/// +/// A reference to a control with a corresponding id value. When referencing an externally +/// defined control, the Control Identifier Reference must be used in the context of the +/// external / imported OSCAL instance (e.g., uri-reference). +/// +/// Used to constrain the selection to only specificity identified statements. +/// +/// A human-oriented identifier reference to a role performed. +/// +/// An optional textual providing a sub-type or characterization of the part's name, or a +/// category to which the part belongs. +/// +/// A unique identifier for the part. +/// +/// A textual label that uniquely identifies the part's semantic type, which exists in a +/// value space qualified by the ns. +/// +/// A reference to a role performed by a party. +/// +/// The type of action documented by the assembly, such as an approval. +/// +/// A unique identifier for the role. +/// +/// A point to the role-id of the role in which the party is making the log entry. +/// +/// A textual label that provides a sub-type or characterization of the part's name. This can +/// be used to further distinguish or discriminate between the semantics of multiple parts of +/// the same control with the same name and ns. +/// +/// For a party, this can optionally be used to specify the role the actor was performing. +/// +/// A machine-oriented identifier reference for a specific target qualified by the type. +/// +/// Reference to a role by UUID. +/// +/// The name of the risk metric within the specified system. +/// +/// Describes the type of relationship provided by the link's hypertext reference. This can +/// be an indicator of the link's purpose. +/// +/// Indicates the type of address. +/// +/// Used to indicate the type of object pointed to by the uuid-ref within a subject. +/// +/// Indicates the type of assessment subject, such as a component, inventory, item, location, +/// or party represented by this selection statement. +/// +/// A textual label that uniquely identifies the part's semantic type. +/// +/// Identifies the implementation status of the control or control objective. +/// +/// The reason the objective was given it's status. +/// +/// The type of task. +/// +/// Identifies the nature of the observation. More than one may be used to further qualify +/// and enable filtering. +/// +/// Identifies whether this is a recommendation, such as from an assessor or tool, or an +/// actual plan accepted by the system owner. +/// +/// Describes the status of the associated risk. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[non_exhaustive] +#[derive(EnumString, Derivative)] +#[derivative(PartialEq)] +pub enum Transport { + #[serde(rename = "TCP")] + Tcp, + #[serde(rename = "UDP")] + Udp, +} + +/// Describes the operational status of the system component. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Status { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// The operational status. + pub state: State, +} +/// The operational status. +/// +/// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +/// the name that will be assigned to the file when the file is decoded. +/// +/// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +/// https://www.w3.org/TR/xmlschema11-2/#NCName. +/// +/// A textual label that provides a sub-type or characterization of the property's name. +/// +/// An identifier for relating distinct sets of properties. +/// +/// A textual label, within a namespace, that uniquely identifies a specific attribute, +/// characteristic, or quality of the property's containing object. +/// +/// Points to an assessment objective. +/// +/// A reference to a control with a corresponding id value. When referencing an externally +/// defined control, the Control Identifier Reference must be used in the context of the +/// external / imported OSCAL instance (e.g., uri-reference). +/// +/// Used to constrain the selection to only specificity identified statements. +/// +/// A human-oriented identifier reference to a role performed. +/// +/// An optional textual providing a sub-type or characterization of the part's name, or a +/// category to which the part belongs. +/// +/// A unique identifier for the part. +/// +/// A textual label that uniquely identifies the part's semantic type, which exists in a +/// value space qualified by the ns. +/// +/// A reference to a role performed by a party. +/// +/// The type of action documented by the assembly, such as an approval. +/// +/// A unique identifier for the role. +/// +/// A point to the role-id of the role in which the party is making the log entry. +/// +/// A textual label that provides a sub-type or characterization of the part's name. This can +/// be used to further distinguish or discriminate between the semantics of multiple parts of +/// the same control with the same name and ns. +/// +/// For a party, this can optionally be used to specify the role the actor was performing. +/// +/// A machine-oriented identifier reference for a specific target qualified by the type. +/// +/// Reference to a role by UUID. +/// +/// The name of the risk metric within the specified system. +/// +/// Describes the type of relationship provided by the link's hypertext reference. This can +/// be an indicator of the link's purpose. +/// +/// Indicates the type of address. +/// +/// Used to indicate the type of object pointed to by the uuid-ref within a subject. +/// +/// Indicates the type of assessment subject, such as a component, inventory, item, location, +/// or party represented by this selection statement. +/// +/// A textual label that uniquely identifies the part's semantic type. +/// +/// Identifies the implementation status of the control or control objective. +/// +/// The reason the objective was given it's status. +/// +/// The type of task. +/// +/// Identifies the nature of the observation. More than one may be used to further qualify +/// and enable filtering. +/// +/// Identifies whether this is a recommendation, such as from an assessor or tool, or an +/// actual plan accepted by the system owner. +/// +/// Describes the status of the associated risk. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[non_exhaustive] +#[derive(EnumString, Derivative)] +#[derivative(PartialEq)] +pub enum State { + Disposition, + Operational, + Other, + #[serde(rename = "under-development")] + UnderDevelopment, +} + +/// A single managed inventory item within the system. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct InventoryItem { + /// A summary of the inventory item stating its purpose within the system. + #[serde(deserialize_with = "validation::deser_markup")] + pub description: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub implemented_components: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsible_parties: Option>, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this inventory item elsewhere in this or other OSCAL instances. The locally + /// defined UUID of the inventory item can be used to reference the data item locally or + /// globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + /// which means it should be consistently used to identify the same subject across revisions + /// of the document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// The set of components that are implemented in a given system inventory item. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ImplementedComponent { + /// A machine-oriented identifier reference to a component that is implemented as part of an + /// inventory item. + #[derivative(PartialEq = "ignore")] + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + pub component_uuid: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsible_parties: Option>, +} + +/// Represents a scheduled event or milestone, which may be associated with a series of +/// assessment actions. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Task { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub associated_activities: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub dependencies: Option>, + /// A human-readable description of this task. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub description: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsible_roles: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub subjects: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub tasks: Option>, + /// The timing under which the task is intended to occur. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub timing: Option, + /// The title for this task. + #[serde(deserialize_with = "validation::deser_markup")] + pub title: String, + /// The type of task. + #[serde(rename = "type")] + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub task_type: String, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this task elsewhere in this or other OSCAL instances. The locally defined + /// UUID of the task can be used to reference the data item locally or globally (e.g., in an + /// imported OSCAL instance). This UUID should be assigned per-subject, which means it should + /// be consistently used to identify the same subject across revisions of the document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// Identifies an individual activity to be performed as part of a task. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct AssociatedActivity { + /// A machine-oriented identifier reference to an activity defined in the list of activities. + #[derivative(PartialEq = "ignore")] + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + pub activity_uuid: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsible_roles: Option>, + pub subjects: Vec, +} + +/// Used to indicate that a task is dependent on another task. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct TaskDependency { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A machine-oriented identifier reference to a unique task. + #[derivative(PartialEq = "ignore")] + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + pub task_uuid: String, +} + +/// The timing under which the task is intended to occur. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct EventTiming { + /// The task is intended to occur at the specified frequency. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub at_frequency: Option, + /// The task is intended to occur on the specified date. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub on_date: Option, + /// The task is intended to occur within the specified date range. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub within_date_range: Option, +} + +/// The task is intended to occur at the specified frequency. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct FrequencyCondition { + /// The task must occur after the specified period has elapsed. + #[serde( + serialize_with = "validation::ser_positive_int", + deserialize_with = "validation::deser_positive_int" + )] + pub period: i64, + /// The unit of time for the period. + pub unit: TimeUnit, +} +/// The unit of time for the period. +/// +/// A label that indicates the nature of a resource, as a data serialization or format. +/// +/// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, +/// U+10, U+32 or [ +/// ]+ +/// +/// In case where the href points to a back-matter/resource, this value will indicate the URI +/// fragment to append to any rlink associated with the resource. This value MUST be URI +/// encoded. +/// +/// Indicates the value of the attribute, characteristic, or quality. +/// +/// A single line of an address. +/// +/// City, town or geographical region for the mailing address. +/// +/// The ISO 3166-1 alpha-2 country code for the mailing address. +/// +/// Postal or ZIP code for mailing address. +/// +/// State, province or analogous geographical region for a mailing address. +/// +/// The OSCAL model version the document was authored against and will conform to as valid. +/// +/// The full name of the party. This is typically the legal name associated with the party. +/// +/// A short common name, abbreviation, or acronym for the party. +/// +/// Used to distinguish a specific revision of an OSCAL document from other previous and +/// future versions. +/// +/// A short common name, abbreviation, or acronym for the role. +/// +/// The common name of the protocol, which should be the appropriate "service name" from the +/// IANA Service Name and Transport Protocol Port Number Registry. +/// +/// Describes a function performed for a given authorized privilege by this user class. +/// +/// A short common name, abbreviation, or acronym for the user. +/// +/// Indicates the value of the facet. +/// +/// The digest method by which a hash is derived. +/// +/// Indicates the type of phone number. +/// +/// A category describing the purpose of the component. +/// +/// Identifies how the observation was made. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "snake_case")] +#[non_exhaustive] +#[derive(EnumString, Derivative)] +#[derivative(PartialEq)] +pub enum TimeUnit { + Days, + Hours, + Minutes, + Months, + Seconds, + Years, +} + +/// The task is intended to occur on the specified date. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct OnDateCondition { + /// The task must occur on the specified date. + pub date: String, +} + +/// The task is intended to occur within the specified date range. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct OnDateRangeCondition { + /// The task must occur on or before the specified date. + pub end: String, + /// The task must occur on or after the specified date. + pub start: String, +} + +/// A type of user that interacts with the system based on an associated role. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct SystemUser { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub authorized_privileges: Option>, + /// A summary of the user's purpose within the system. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub description: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_token_vec_opt")] + pub role_ids: Option>, + /// A short common name, abbreviation, or acronym for the user. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub short_name: Option, + /// A name given to the user, which may be used by a tool for display and navigation. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub title: Option, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this user class elsewhere in this or other OSCAL instances. The locally + /// defined UUID of the system user can be used to reference the data item locally or + /// globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + /// which means it should be consistently used to identify the same subject across revisions + /// of the document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// Identifies a specific system privilege held by the user, along with an associated +/// description and/or rationale for the privilege. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Privilege { + /// A summary of the privilege's purpose within the system. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub description: Option, + pub functions_performed: Vec, + /// A human readable name for the privilege. + pub title: String, +} + +/// Describes an individual observation. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Observation { + /// Date/time stamp identifying when the finding information was collected. + #[serde( + serialize_with = "validation::ser_dttz", + deserialize_with = "validation::deser_dttz" + )] + pub collected: String, + /// A human-readable description of this assessment observation. + pub description: String, + /// Date/time identifying when the finding information is out-of-date and no longer valid. + /// Typically used with continuous assessment scenarios. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_dttz_opt", + deserialize_with = "validation::deser_dttz_opt" + )] + pub expires: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + pub methods: Vec, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub origins: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub relevant_evidence: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub subjects: Option>, + /// The title for this observation. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub title: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub types: Option>, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this observation elsewhere in this or other OSCAL instances. The locally + /// defined UUID of the observation can be used to reference the data item locally or + /// globally (e.g., in an imorted OSCAL instance). This UUID should be assigned per-subject, + /// which means it should be consistently used to identify the same subject across revisions + /// of the document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// Links this observation to relevant evidence. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct RelevantEvidence { + /// A human-readable description of this evidence. + pub description: String, + /// A resolvable URL reference to relevant evidence. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uri_ref_opt", + deserialize_with = "validation::deser_uri_ref_opt" + )] + pub href: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, +} + +/// A human-oriented identifier reference to a resource. Use type to indicate whether the +/// identified resource is a component, inventory item, location, user, or something else. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct IdentifiesTheSubject { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A machine-oriented identifier reference to a component, inventory-item, location, party, + /// user, or resource using it's UUID. + #[derivative(PartialEq = "ignore")] + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + pub subject_uuid: String, + /// The title or name for the referenced subject. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub title: Option, + /// Used to indicate the type of object pointed to by the uuid-ref within a subject. + #[serde(rename = "type")] + pub identifies_the_subject_type: String, +} + +/// An identified risk. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct IdentifiedRisk { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub characterizations: Option>, + /// The date/time by which the risk must be resolved. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_dttz_opt", + deserialize_with = "validation::deser_dttz_opt" + )] + pub deadline: Option, + /// A human-readable summary of the identified risk, to include a statement of how the risk + /// impacts the system. + #[serde(deserialize_with = "validation::deser_markup")] + pub description: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub mitigating_factors: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub origins: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub related_observations: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub remediations: Option>, + /// A log of all risk-related tasks taken. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub risk_log: Option, + /// An summary of impact for how the risk affects the system. + #[serde(deserialize_with = "validation::deser_markup")] + pub statement: String, + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub status: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub threat_ids: Option>, + /// The title for this risk. + #[serde(deserialize_with = "validation::deser_markup")] + pub title: String, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this risk elsewhere in this or other OSCAL instances. The locally defined + /// UUID of the risk can be used to reference the data item locally or globally (e.g., in an + /// imported OSCAL instance). This UUID should be assigned per-subject, which means it should + /// be consistently used to identify the same subject across revisions of the document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// A collection of descriptive data about the containing object from a specific origin. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Characterization { + pub facets: Vec, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + pub origin: Origin, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, +} + +/// An individual characteristic that is part of a larger set produced by the same actor. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Facet { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + /// The name of the risk metric within the specified system. + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub name: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// Specifies the naming system under which this risk metric is organized, which allows for + /// the same names to be used in different systems controlled by different parties. This + /// avoids the potential of a name clash. + #[serde( + serialize_with = "validation::ser_uri", + deserialize_with = "validation::deser_uri" + )] + pub system: String, + /// Indicates the value of the facet. + pub value: String, +} + +/// Describes an existing mitigating factor that may affect the overall determination of the +/// risk, with an optional link to an implementation statement in the SSP. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct MitigatingFactor { + /// A human-readable description of this mitigating factor. + #[serde(deserialize_with = "validation::deser_markup")] + pub description: String, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this implementation statement elsewhere in this or other OSCAL instancess. + /// The locally defined UUID of the implementation statement can be used to reference the + /// data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + /// assigned per-subject, which means it should be consistently used to identify the same + /// subject across revisions of the document. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uuid_opt", + deserialize_with = "validation::deser_uuid_opt" + )] + pub implementation_uuid: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub subjects: Option>, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this mitigating factor elsewhere in this or other OSCAL instances. The + /// locally defined UUID of the mitigating factor can be used to reference the data item + /// locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + /// per-subject, which means it should be consistently used to identify the same subject + /// across revisions of the document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// Relates the finding to a set of referenced observations that were used to determine the +/// finding. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct RiskRelatedObservation { + /// A machine-oriented identifier reference to an observation defined in the list of + /// observations. + #[derivative(PartialEq = "ignore")] + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + pub observation_uuid: String, +} + +/// Describes either recommended or an actual plan for addressing the risk. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct RiskResponse { + /// A human-readable description of this response plan. + #[serde(deserialize_with = "validation::deser_markup")] + pub description: String, + /// Identifies whether this is a recommendation, such as from an assessor or tool, or an + /// actual plan accepted by the system owner. + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub lifecycle: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub origins: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub required_assets: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub tasks: Option>, + /// The title for this response activity. + #[serde(deserialize_with = "validation::deser_markup")] + pub title: String, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this remediation elsewhere in this or other OSCAL instances. The locally + /// defined UUID of the risk response can be used to reference the data item locally or + /// globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + /// which means it should be consistently used to identify the same subject across revisions + /// of the document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// Identifies an asset required to achieve remediation. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct RequiredAsset { + /// A human-readable description of this required asset. + #[serde(deserialize_with = "validation::deser_markup")] + pub description: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub subjects: Option>, + /// The title for this required asset. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub title: Option, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this required asset elsewhere in this or other OSCAL instances. The locally + /// defined UUID of the asset can be used to reference the data item locally or globally + /// (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + /// means it should be consistently used to identify the same subject across revisions of the + /// document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// A log of all risk-related tasks taken. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct RiskLog { + pub entries: Vec, +} + +/// Identifies an individual risk response that occurred as part of managing an identified +/// risk. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct RiskLogEntry { + /// A human-readable description of what was done regarding the risk. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub description: Option, + /// Identifies the end date and time of the event. If the event is a point in time, the start + /// and end will be the same date and time. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_dttz_opt", + deserialize_with = "validation::deser_dttz_opt" + )] + pub end: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub logged_by: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub related_responses: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// Identifies the start date and time of the event. + #[serde( + serialize_with = "validation::ser_dttz", + deserialize_with = "validation::deser_dttz" + )] + pub start: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub status_change: Option, + /// The title for this risk log entry. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub title: Option, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this risk log entry elsewhere in this or other OSCAL instances. The locally + /// defined UUID of the risk log entry can be used to reference the data item locally or + /// globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + /// which means it should be consistently used to identify the same subject across revisions + /// of the document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// Identifies an individual risk response that this log entry is for. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct RiskResponseReference { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub related_tasks: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A machine-oriented identifier reference to a unique risk response. + #[derivative(PartialEq = "ignore")] + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + pub response_uuid: String, +} + +/// A pointer, by ID, to an externally-defined threat. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ThreatId { + /// An optional location for the threat data, from which this ID originates. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uri_ref_opt", + deserialize_with = "validation::deser_uri_ref_opt" + )] + pub href: Option, + pub id: String, + /// Specifies the source of the threat information. + pub system: String, +} diff --git a/roscal_lib/src/assessment/mod.rs b/roscal_lib/src/assessment/mod.rs new file mode 100644 index 0000000..06b7c38 --- /dev/null +++ b/roscal_lib/src/assessment/mod.rs @@ -0,0 +1,8 @@ +//! OSCAL Assessment Layer. + +/// Assessment Plan Model +pub mod assessment_plan; +/// Assessment Results Model +pub mod assessment_results; +/// Plan of Action and Milestones Model +pub mod poam; diff --git a/roscal_lib/src/assessment/poam.rs b/roscal_lib/src/assessment/poam.rs new file mode 100644 index 0000000..609ffea --- /dev/null +++ b/roscal_lib/src/assessment/poam.rs @@ -0,0 +1,2803 @@ +use derivative::Derivative; +use strum::EnumString; +use derive_builder::Builder; +use serde::{Serialize, Deserialize}; +use crate::validation; + +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct PlanOfActionAndMilestones { + #[serde(rename = "$schema")] + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub schema: Option, + pub plan_of_action_and_milestones: PlanOfActionAndMilestonesPoaM, +} + +/// A plan of action and milestones which identifies initial and residual risks, deviations, +/// and disposition, such as those required by FedRAMP. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct PlanOfActionAndMilestonesPoaM { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub back_matter: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub findings: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub import_ssp: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub local_definitions: Option, + pub metadata: DocumentMetadata, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub observations: Option>, + pub poam_items: Vec, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub risks: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub system_id: Option, + /// A machine-oriented, globally unique identifier with instancescope that can be used to + /// reference this POA&M instance in this OSCAL instance. This UUID should be assigned + /// per-subject, which means it should be consistently used to identify the same subject + /// across revisions of the document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// A collection of resources that may be referenced from within the OSCAL document instance. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct BackMatter { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub resources: Option>, +} + +/// A resource associated with content in the containing document instance. A resource may be +/// directly included in the document using base64 encoding or may point to one or more +/// equivalent internet resources. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Resource { + /// A resource encoded using the Base64 alphabet defined by RFC 2045. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub base64: Option, + /// An optional citation consisting of end note text using structured markup. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub citation: Option, + /// An optional short summary of the resource used to indicate the purpose of the resource. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub description: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub document_ids: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub rlinks: Option>, + /// An optional name given to the resource, which may be used by a tool for display and + /// navigation. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub title: Option, + /// A unique identifier for a resource. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// A resource encoded using the Base64 alphabet defined by RFC 2045. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Base64 { + /// Name of the file before it was encoded as Base64 to be embedded in a resource. This is + /// the name that will be assigned to the file when the file is decoded. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub filename: Option, + /// A label that indicates the nature of a resource, as a data serialization or format. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub media_type: Option, + #[serde( + serialize_with = "validation::ser_base64", + deserialize_with = "validation::deser_base64" + )] + pub value: String, +} + +/// An optional citation consisting of end note text using structured markup. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Citation { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + /// A line of citation text. + #[serde(deserialize_with = "validation::deser_markup")] + pub text: String, +} + +/// A reference to a local or remote resource, that has a specific relation to the containing +/// object. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Link { + /// A resolvable URL reference to a resource. + #[serde( + serialize_with = "validation::ser_uri_ref", + deserialize_with = "validation::deser_uri_ref" + )] + pub href: String, + /// A label that indicates the nature of a resource, as a data serialization or format. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub media_type: Option, + /// Describes the type of relationship provided by the link's hypertext reference. This can + /// be an indicator of the link's purpose. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub rel: Option, + /// In case where the href points to a back-matter/resource, this value will indicate the URI + /// fragment to append to any rlink associated with the resource. This value MUST be URI + /// encoded. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub resource_fragment: Option, + /// A textual label to associate with the link, which may be used for presentation in a tool. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub text: Option, +} + +/// An attribute, characteristic, or quality of the containing object expressed as a +/// namespace qualified name/value pair. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Property { + /// A textual label that provides a sub-type or characterization of the property's name. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub class: Option, + /// An identifier for relating distinct sets of properties. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub group: Option, + /// A textual label, within a namespace, that uniquely identifies a specific attribute, + /// characteristic, or quality of the property's containing object. + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub name: String, + /// A namespace qualifying the property's name. This allows different organizations to + /// associate distinct semantics with the same name. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uri_opt", + deserialize_with = "validation::deser_uri_opt" + )] + pub ns: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A unique identifier for a property. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uuid_opt", + deserialize_with = "validation::deser_uuid_opt" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: Option, + /// Indicates the value of the attribute, characteristic, or quality. + pub value: String, +} + +/// A document identifier qualified by an identifier scheme. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct DocumentIdentifier { + pub identifier: String, + /// Qualifies the kind of document identifier using a URI. If the scheme is not provided the + /// value of the element will be interpreted as a string of characters. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uri_opt", + deserialize_with = "validation::deser_uri_opt" + )] + pub scheme: Option, +} + +/// A URL-based pointer to an external resource with an optional hash for verification and +/// change detection. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ResourceLink { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub hashes: Option>, + /// A resolvable URL pointing to the referenced resource. + #[serde( + serialize_with = "validation::ser_uri_ref", + deserialize_with = "validation::deser_uri_ref" + )] + pub href: String, + /// A label that indicates the nature of a resource, as a data serialization or format. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub media_type: Option, +} + +/// A representation of a cryptographic digest generated over a resource using a specified +/// hash algorithm. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Hash { + /// The digest method by which a hash is derived. + pub algorithm: String, + #[serde( + serialize_with = "validation::ser_hash", + deserialize_with = "validation::deser_hash" + )] + pub value: String, +} + +/// Describes an individual finding. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Finding { + /// A human-readable description of this finding. + #[serde(deserialize_with = "validation::deser_markup")] + pub description: String, + /// A machine-oriented identifier reference to the implementation statement in the SSP to + /// which this finding is related. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uuid_opt", + deserialize_with = "validation::deser_uuid_opt" + )] + pub implementation_statement_uuid: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub origins: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub related_observations: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub related_risks: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + pub target: TargetClass, + /// The title for this finding. + #[serde(deserialize_with = "validation::deser_markup")] + pub title: String, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this finding in this or other OSCAL instances. The locally defined UUID of + /// the finding can be used to reference the data item locally or globally (e.g., in an + /// imported OSCAL instance). This UUID should be assigned per-subject, which means it should + /// be consistently used to identify the same subject across revisions of the document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// Identifies the source of the finding, such as a tool, interviewed person, or activity. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct FindingOrigin { + pub actors: Vec, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub related_tasks: Option>, +} + +/// The actor that produces an observation, a finding, or a risk. One or more actor type can +/// be used to specify a person that is using a tool. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct OriginatingActor { + /// A machine-oriented identifier reference to the tool or person based on the associated + /// type. + #[derivative(PartialEq = "ignore")] + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + pub actor_uuid: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + /// For a party, this can optionally be used to specify the role the actor was performing. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub role_id: Option, + /// The kind of actor. + #[serde(rename = "type")] + pub originating_actor_type: ActorType, +} +/// The kind of actor. +/// +/// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +/// the name that will be assigned to the file when the file is decoded. +/// +/// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +/// https://www.w3.org/TR/xmlschema11-2/#NCName. +/// +/// A textual label that provides a sub-type or characterization of the property's name. +/// +/// An identifier for relating distinct sets of properties. +/// +/// A textual label, within a namespace, that uniquely identifies a specific attribute, +/// characteristic, or quality of the property's containing object. +/// +/// For a party, this can optionally be used to specify the role the actor was performing. +/// +/// A reference to a role performed by a party. +/// +/// A machine-oriented identifier reference for a specific target qualified by the type. +/// +/// A human-oriented identifier reference to a role performed. +/// +/// The type of action documented by the assembly, such as an approval. +/// +/// A unique identifier for the role. +/// +/// The name of the risk metric within the specified system. +/// +/// A point to the role-id of the role in which the party is making the log entry. +/// +/// Describes the type of relationship provided by the link's hypertext reference. This can +/// be an indicator of the link's purpose. +/// +/// Used to indicate the type of object pointed to by the uuid-ref within a subject. +/// +/// Indicates the type of assessment subject, such as a component, inventory, item, location, +/// or party represented by this selection statement. +/// +/// Identifies the implementation status of the control or control objective. +/// +/// The reason the objective was given it's status. +/// +/// Indicates the type of address. +/// +/// Identifies the nature of the observation. More than one may be used to further qualify +/// and enable filtering. +/// +/// Identifies whether this is a recommendation, such as from an assessor or tool, or an +/// actual plan accepted by the system owner. +/// +/// The type of task. +/// +/// Describes the status of the associated risk. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[non_exhaustive] +#[derive(EnumString, Derivative)] +#[derivative(PartialEq)] +pub enum ActorType { + #[serde(rename = "assessment-platform")] + AssessmentPlatform, + Party, + Tool, +} + +/// Identifies an individual task for which the containing object is a consequence of. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct TaskReference { + /// Used to detail assessment subjects that were identfied by this task. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub identified_subject: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsible_parties: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub subjects: Option>, + /// A machine-oriented identifier reference to a unique task. + #[derivative(PartialEq = "ignore")] + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + pub task_uuid: String, +} + +/// Used to detail assessment subjects that were identfied by this task. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct IdentifiedSubject { + /// A machine-oriented identifier reference to a unique assessment subject placeholder + /// defined by this task. + #[derivative(PartialEq = "ignore")] + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + pub subject_placeholder_uuid: String, + pub subjects: Vec, +} + +/// Identifies system elements being assessed, such as components, inventory items, and +/// locations. In the assessment plan, this identifies a planned assessment subject. In the +/// assessment results this is an actual assessment subject, and reflects any changes from +/// the plan. exactly what will be the focus of this assessment. Any subjects not identified +/// in this way are out-of-scope. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct SubjectOfAssessment { + /// A human-readable description of the collection of subjects being included in this + /// assessment. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub description: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub exclude_subjects: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub include_all: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub include_subjects: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// Indicates the type of assessment subject, such as a component, inventory, item, location, + /// or party represented by this selection statement. + #[serde(rename = "type")] + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub subject_of_assessment_type: String, +} + +/// Identifies a set of assessment subjects to include/exclude by UUID. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct SelectAssessmentSubject { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A machine-oriented identifier reference to a component, inventory-item, location, party, + /// user, or resource using it's UUID. + #[derivative(PartialEq = "ignore")] + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + pub subject_uuid: String, + /// Used to indicate the type of object pointed to by the uuid-ref within a subject. + #[serde(rename = "type")] + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub select_assessment_subject_type: String, +} + +/// Include all controls from the imported catalog or profile resources. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct IncludeAll {} + +/// A reference to a set of persons and/or organizations that have responsibility for +/// performing the referenced role in the context of the containing object. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ResponsibleParty { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[serde( + serialize_with = "validation::ser_uuid_vec", + deserialize_with = "validation::deser_uuid_vec" + )] + pub party_uuids: Vec, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A reference to a role performed by a party. + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub role_id: String, +} + +/// Relates the finding to a set of referenced observations that were used to determine the +/// finding. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct FindingRelatedObservation { + /// A machine-oriented identifier reference to an observation defined in the list of + /// observations. + #[derivative(PartialEq = "ignore")] + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + pub observation_uuid: String, +} + +/// Relates the finding to a set of referenced risks that were used to determine the finding. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct FindingRelatedRisk { + /// A machine-oriented identifier reference to a risk defined in the list of risks. + #[derivative(PartialEq = "ignore")] + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + pub risk_uuid: String, +} + +/// Captures an assessor's conclusions regarding the degree to which an objective is +/// satisfied. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct TargetClass { + /// A human-readable description of the assessor's conclusions regarding the degree to which + /// an objective is satisfied. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub description: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub implementation_status: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A determination of if the objective is satisfied or not within a given system. + pub status: StatusClass, + /// A machine-oriented identifier reference for a specific target qualified by the type. + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub target_id: String, + /// The title for this objective status. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub title: Option, + /// Identifies the type of the target. + #[serde(rename = "type")] + pub objective_status_type: FindingTargetType, +} + +/// Indicates the degree to which the a given control is implemented. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ImplementationStatus { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// Identifies the implementation status of the control or control objective. + pub state: String, +} +/// Identifies the type of the target. +/// +/// A label that indicates the nature of a resource, as a data serialization or format. +/// +/// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, +/// U+10, U+32 or [ +/// ]+ +/// +/// In case where the href points to a back-matter/resource, this value will indicate the URI +/// fragment to append to any rlink associated with the resource. This value MUST be URI +/// encoded. +/// +/// Indicates the value of the attribute, characteristic, or quality. +/// +/// The common name of the protocol, which should be the appropriate "service name" from the +/// IANA Service Name and Transport Protocol Port Number Registry. +/// +/// A single line of an address. +/// +/// City, town or geographical region for the mailing address. +/// +/// The ISO 3166-1 alpha-2 country code for the mailing address. +/// +/// Postal or ZIP code for mailing address. +/// +/// State, province or analogous geographical region for a mailing address. +/// +/// The OSCAL model version the document was authored against and will conform to as valid. +/// +/// The full name of the party. This is typically the legal name associated with the party. +/// +/// A short common name, abbreviation, or acronym for the party. +/// +/// Used to distinguish a specific revision of an OSCAL document from other previous and +/// future versions. +/// +/// A short common name, abbreviation, or acronym for the role. +/// +/// Indicates the value of the facet. +/// +/// The digest method by which a hash is derived. +/// +/// A category describing the purpose of the component. +/// +/// Indicates the type of phone number. +/// +/// Identifies how the observation was made. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[non_exhaustive] +#[derive(EnumString, Derivative)] +#[derivative(PartialEq)] +pub enum FindingTargetType { + #[serde(rename = "objective-id")] + ObjectiveId, + #[serde(rename = "statement-id")] + StatementId, +} + +/// A determination of if the objective is satisfied or not within a given system. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct StatusClass { + /// The reason the objective was given it's status. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub reason: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// An indication as to whether the objective is satisfied or not. + pub state: ObjectiveStatusState, +} +/// An indication as to whether the objective is satisfied or not. +/// +/// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +/// the name that will be assigned to the file when the file is decoded. +/// +/// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +/// https://www.w3.org/TR/xmlschema11-2/#NCName. +/// +/// A textual label that provides a sub-type or characterization of the property's name. +/// +/// An identifier for relating distinct sets of properties. +/// +/// A textual label, within a namespace, that uniquely identifies a specific attribute, +/// characteristic, or quality of the property's containing object. +/// +/// For a party, this can optionally be used to specify the role the actor was performing. +/// +/// A reference to a role performed by a party. +/// +/// A machine-oriented identifier reference for a specific target qualified by the type. +/// +/// A human-oriented identifier reference to a role performed. +/// +/// The type of action documented by the assembly, such as an approval. +/// +/// A unique identifier for the role. +/// +/// The name of the risk metric within the specified system. +/// +/// A point to the role-id of the role in which the party is making the log entry. +/// +/// Describes the type of relationship provided by the link's hypertext reference. This can +/// be an indicator of the link's purpose. +/// +/// Used to indicate the type of object pointed to by the uuid-ref within a subject. +/// +/// Indicates the type of assessment subject, such as a component, inventory, item, location, +/// or party represented by this selection statement. +/// +/// Identifies the implementation status of the control or control objective. +/// +/// The reason the objective was given it's status. +/// +/// Indicates the type of address. +/// +/// Identifies the nature of the observation. More than one may be used to further qualify +/// and enable filtering. +/// +/// Identifies whether this is a recommendation, such as from an assessor or tool, or an +/// actual plan accepted by the system owner. +/// +/// The type of task. +/// +/// Describes the status of the associated risk. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[non_exhaustive] +#[derive(EnumString, Derivative)] +#[derivative(PartialEq)] +pub enum ObjectiveStatusState { + #[serde(rename = "not-satisfied")] + NotSatisfied, + Satisfied, +} + +/// Used by the assessment plan and POA&M to import information about the system. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ImportSystemSecurityPlan { + /// A resolvable URL reference to the system security plan for the system being assessed. + #[serde( + serialize_with = "validation::ser_uri_ref", + deserialize_with = "validation::deser_uri_ref" + )] + pub href: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, +} + +/// Allows components, and inventory-items to be defined within the POA&M for circumstances +/// where no OSCAL-based SSP exists, or is not delivered with the POA&M. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct LocalDefinitions { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub assessment_assets: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub components: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub inventory_items: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, +} + +/// Identifies the assets used to perform this assessment, such as the assessment team, +/// scanning tools, and assumptions. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct AssessmentAssets { + pub assessment_platforms: Vec, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub components: Option>, +} + +/// Used to represent the toolset used to perform aspects of the assessment. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct AssessmentPlatform { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// The title or name for the assessment platform. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub title: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub uses_components: Option>, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this assessment platform elsewhere in this or other OSCAL instances. The + /// locally defined UUID of the assessment platform can be used to reference the data item + /// locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + /// per-subject, which means it should be consistently used to identify the same subject + /// across revisions of the document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// The set of components that are used by the assessment platform. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct UsesComponent { + /// A machine-oriented identifier reference to a component that is implemented as part of an + /// inventory item. + #[derivative(PartialEq = "ignore")] + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + pub component_uuid: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsible_parties: Option>, +} + +/// A defined component that can be part of an implemented system. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Component { + /// A description of the component, including information about its function. + #[serde(deserialize_with = "validation::deser_markup")] + pub description: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub protocols: Option>, + /// A summary of the technological or business purpose of the component. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub purpose: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsible_roles: Option>, + /// Describes the operational status of the system component. + pub status: Status, + /// A human readable name for the system component. + #[serde(deserialize_with = "validation::deser_markup")] + pub title: String, + /// A category describing the purpose of the component. + #[serde(rename = "type")] + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub component_type: String, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this component elsewhere in this or other OSCAL instances. The locally + /// defined UUID of the component can be used to reference the data item locally or globally + /// (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + /// means it should be consistently used to identify the same subject across revisions of the + /// document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// Information about the protocol used to provide a service. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ServiceProtocolInformation { + /// The common name of the protocol, which should be the appropriate "service name" from the + /// IANA Service Name and Transport Protocol Port Number Registry. + pub name: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub port_ranges: Option>, + /// A human readable name for the protocol (e.g., Transport Layer Security). + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub title: Option, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this service protocol information elsewhere in this or other OSCAL + /// instances. The locally defined UUID of the service protocol can be used to reference the + /// data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + /// assigned per-subject, which means it should be consistently used to identify the same + /// subject across revisions of the document. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uuid_opt", + deserialize_with = "validation::deser_uuid_opt" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: Option, +} + +/// Where applicable this is the IPv4 port range on which the service operates. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct PortRange { + /// Indicates the ending port number in a port range + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_non_neg_int_opt", + deserialize_with = "validation::deser_non_neg_int_opt" + )] + pub end: Option, + /// Indicates the starting port number in a port range + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_non_neg_int_opt", + deserialize_with = "validation::deser_non_neg_int_opt" + )] + pub start: Option, + /// Indicates the transport type. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub transport: Option, +} +/// Indicates the transport type. +/// +/// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +/// the name that will be assigned to the file when the file is decoded. +/// +/// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +/// https://www.w3.org/TR/xmlschema11-2/#NCName. +/// +/// A textual label that provides a sub-type or characterization of the property's name. +/// +/// An identifier for relating distinct sets of properties. +/// +/// A textual label, within a namespace, that uniquely identifies a specific attribute, +/// characteristic, or quality of the property's containing object. +/// +/// For a party, this can optionally be used to specify the role the actor was performing. +/// +/// A reference to a role performed by a party. +/// +/// A machine-oriented identifier reference for a specific target qualified by the type. +/// +/// A human-oriented identifier reference to a role performed. +/// +/// The type of action documented by the assembly, such as an approval. +/// +/// A unique identifier for the role. +/// +/// The name of the risk metric within the specified system. +/// +/// A point to the role-id of the role in which the party is making the log entry. +/// +/// Describes the type of relationship provided by the link's hypertext reference. This can +/// be an indicator of the link's purpose. +/// +/// Used to indicate the type of object pointed to by the uuid-ref within a subject. +/// +/// Indicates the type of assessment subject, such as a component, inventory, item, location, +/// or party represented by this selection statement. +/// +/// Identifies the implementation status of the control or control objective. +/// +/// The reason the objective was given it's status. +/// +/// Indicates the type of address. +/// +/// Identifies the nature of the observation. More than one may be used to further qualify +/// and enable filtering. +/// +/// Identifies whether this is a recommendation, such as from an assessor or tool, or an +/// actual plan accepted by the system owner. +/// +/// The type of task. +/// +/// Describes the status of the associated risk. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[non_exhaustive] +#[derive(EnumString, Derivative)] +#[derivative(PartialEq)] +pub enum Transport { + #[serde(rename = "TCP")] + Tcp, + #[serde(rename = "UDP")] + Udp, +} + +/// A reference to a role with responsibility for performing a function relative to the +/// containing object, optionally associated with a set of persons and/or organizations that +/// perform that role. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ResponsibleRole { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uuid_vec_opt", + deserialize_with = "validation::deser_uuid_vec_opt" + )] + pub party_uuids: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A human-oriented identifier reference to a role performed. + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub role_id: String, +} + +/// Describes the operational status of the system component. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Status { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// The operational status. + pub state: State, +} +/// The operational status. +/// +/// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +/// the name that will be assigned to the file when the file is decoded. +/// +/// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +/// https://www.w3.org/TR/xmlschema11-2/#NCName. +/// +/// A textual label that provides a sub-type or characterization of the property's name. +/// +/// An identifier for relating distinct sets of properties. +/// +/// A textual label, within a namespace, that uniquely identifies a specific attribute, +/// characteristic, or quality of the property's containing object. +/// +/// For a party, this can optionally be used to specify the role the actor was performing. +/// +/// A reference to a role performed by a party. +/// +/// A machine-oriented identifier reference for a specific target qualified by the type. +/// +/// A human-oriented identifier reference to a role performed. +/// +/// The type of action documented by the assembly, such as an approval. +/// +/// A unique identifier for the role. +/// +/// The name of the risk metric within the specified system. +/// +/// A point to the role-id of the role in which the party is making the log entry. +/// +/// Describes the type of relationship provided by the link's hypertext reference. This can +/// be an indicator of the link's purpose. +/// +/// Used to indicate the type of object pointed to by the uuid-ref within a subject. +/// +/// Indicates the type of assessment subject, such as a component, inventory, item, location, +/// or party represented by this selection statement. +/// +/// Identifies the implementation status of the control or control objective. +/// +/// The reason the objective was given it's status. +/// +/// Indicates the type of address. +/// +/// Identifies the nature of the observation. More than one may be used to further qualify +/// and enable filtering. +/// +/// Identifies whether this is a recommendation, such as from an assessor or tool, or an +/// actual plan accepted by the system owner. +/// +/// The type of task. +/// +/// Describes the status of the associated risk. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[non_exhaustive] +#[derive(EnumString, Derivative)] +#[derivative(PartialEq)] +pub enum State { + Disposition, + Operational, + Other, + #[serde(rename = "under-development")] + UnderDevelopment, +} + +/// A single managed inventory item within the system. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct InventoryItem { + /// A summary of the inventory item stating its purpose within the system. + #[serde(deserialize_with = "validation::deser_markup")] + pub description: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub implemented_components: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsible_parties: Option>, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this inventory item elsewhere in this or other OSCAL instances. The locally + /// defined UUID of the inventory item can be used to reference the data item locally or + /// globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + /// which means it should be consistently used to identify the same subject across revisions + /// of the document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// The set of components that are implemented in a given system inventory item. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ImplementedComponent { + /// A machine-oriented identifier reference to a component that is implemented as part of an + /// inventory item. + #[derivative(PartialEq = "ignore")] + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + pub component_uuid: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsible_parties: Option>, +} + +/// Provides information about the containing document, and defines concepts that are shared +/// across the document. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct DocumentMetadata { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub actions: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub document_ids: Option>, + #[serde( + serialize_with = "validation::ser_dttz", + deserialize_with = "validation::deser_dttz" + )] + pub last_modified: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub locations: Option>, + pub oscal_version: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub parties: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub published: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsible_parties: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub revisions: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub roles: Option>, + /// A name given to the document, which may be used by a tool for display and navigation. + #[serde(deserialize_with = "validation::deser_markup")] + pub title: String, + pub version: String, +} + +/// An action applied by a role within a given party to the content. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Action { + /// The date and time when the action occurred. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_dttz_opt", + deserialize_with = "validation::deser_dttz_opt" + )] + pub date: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsible_parties: Option>, + /// Specifies the action type system used. + pub system: String, + /// The type of action documented by the assembly, such as an approval. + #[serde(rename = "type")] + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub action_type: String, + /// A unique identifier that can be used to reference this defined action elsewhere in an + /// OSCAL document. A UUID should be consistently used for a given location across revisions + /// of the document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// A physical point of presence, which may be associated with people, organizations, or +/// other concepts within the current or linked OSCAL document. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Location { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub address: Option
, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_email_vec_opt", + deserialize_with = "validation::deser_email_vec_opt" + )] + pub email_addresses: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub telephone_numbers: Option>, + /// A name given to the location, which may be used by a tool for display and navigation. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub title: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uri_vec_opt", + deserialize_with = "validation::deser_uri_vec_opt" + )] + pub urls: Option>, + /// A unique ID for the location, for reference. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// A postal address for the location. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Address { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub addr_lines: Option>, + /// City, town or geographical region for the mailing address. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub city: Option, + /// The ISO 3166-1 alpha-2 country code for the mailing address. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub country: Option, + /// Postal or ZIP code for mailing address. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub postal_code: Option, + /// State, province or analogous geographical region for a mailing address. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub state: Option, + /// Indicates the type of address. + #[serde(rename = "type")] + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub address_type: Option, +} + +/// A telephone service number as defined by ITU-T E.164. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct TelephoneNumber { + pub number: String, + /// Indicates the type of phone number. + #[serde(rename = "type")] + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub telephone_number_type: Option, +} + +/// An organization or person, which may be associated with roles or other concepts within +/// the current or linked OSCAL document. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Party { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub addresses: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_email_vec_opt", + deserialize_with = "validation::deser_email_vec_opt" + )] + pub email_addresses: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub external_ids: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub location_uuids: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uuid_vec_opt", + deserialize_with = "validation::deser_uuid_vec_opt" + )] + pub member_of_organizations: Option>, + /// The full name of the party. This is typically the legal name associated with the party. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub name: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A short common name, abbreviation, or acronym for the party. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub short_name: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub telephone_numbers: Option>, + /// A category describing the kind of party the object describes. + #[serde(rename = "type")] + pub party_type: PartyType, + /// A unique identifier for the party. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// An identifier for a person or organization using a designated scheme. e.g. an Open +/// Researcher and Contributor ID (ORCID). +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct PartyExternalIdentifier { + pub id: String, + /// Indicates the type of external identifier. + #[serde( + serialize_with = "validation::ser_uri", + deserialize_with = "validation::deser_uri" + )] + pub scheme: String, +} +/// A category describing the kind of party the object describes. +/// +/// A label that indicates the nature of a resource, as a data serialization or format. +/// +/// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, +/// U+10, U+32 or [ +/// ]+ +/// +/// In case where the href points to a back-matter/resource, this value will indicate the URI +/// fragment to append to any rlink associated with the resource. This value MUST be URI +/// encoded. +/// +/// Indicates the value of the attribute, characteristic, or quality. +/// +/// The common name of the protocol, which should be the appropriate "service name" from the +/// IANA Service Name and Transport Protocol Port Number Registry. +/// +/// A single line of an address. +/// +/// City, town or geographical region for the mailing address. +/// +/// The ISO 3166-1 alpha-2 country code for the mailing address. +/// +/// Postal or ZIP code for mailing address. +/// +/// State, province or analogous geographical region for a mailing address. +/// +/// The OSCAL model version the document was authored against and will conform to as valid. +/// +/// The full name of the party. This is typically the legal name associated with the party. +/// +/// A short common name, abbreviation, or acronym for the party. +/// +/// Used to distinguish a specific revision of an OSCAL document from other previous and +/// future versions. +/// +/// A short common name, abbreviation, or acronym for the role. +/// +/// Indicates the value of the facet. +/// +/// The digest method by which a hash is derived. +/// +/// A category describing the purpose of the component. +/// +/// Indicates the type of phone number. +/// +/// Identifies how the observation was made. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "snake_case")] +#[non_exhaustive] +#[derive(EnumString, Derivative)] +#[derivative(PartialEq)] +pub enum PartyType { + Organization, + Person, +} + +/// An entry in a sequential list of revisions to the containing document, expected to be in +/// reverse chronological order (i.e. latest first). +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct RevisionHistoryEntry { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_dttz_opt", + deserialize_with = "validation::deser_dttz_opt" + )] + pub last_modified: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub oscal_version: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_dttz_opt", + deserialize_with = "validation::deser_dttz_opt" + )] + pub published: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A name given to the document revision, which may be used by a tool for display and + /// navigation. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub title: Option, + pub version: String, +} + +/// Defines a function, which might be assigned to a party in a specific situation. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Role { + /// A summary of the role's purpose and associated responsibilities. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub description: Option, + /// A unique identifier for the role. + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub id: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A short common name, abbreviation, or acronym for the role. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub short_name: Option, + /// A name given to the role, which may be used by a tool for display and navigation. + pub title: String, +} + +/// Describes an individual observation. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Observation { + /// Date/time stamp identifying when the finding information was collected. + #[serde( + serialize_with = "validation::ser_dttz", + deserialize_with = "validation::deser_dttz" + )] + pub collected: String, + /// A human-readable description of this assessment observation. + pub description: String, + /// Date/time identifying when the finding information is out-of-date and no longer valid. + /// Typically used with continuous assessment scenarios. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_dttz_opt", + deserialize_with = "validation::deser_dttz_opt" + )] + pub expires: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + pub methods: Vec, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub origins: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub relevant_evidence: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub subjects: Option>, + /// The title for this observation. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub title: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub types: Option>, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this observation elsewhere in this or other OSCAL instances. The locally + /// defined UUID of the observation can be used to reference the data item locally or + /// globally (e.g., in an imorted OSCAL instance). This UUID should be assigned per-subject, + /// which means it should be consistently used to identify the same subject across revisions + /// of the document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// Links this observation to relevant evidence. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct RelevantEvidence { + /// A human-readable description of this evidence. + pub description: String, + /// A resolvable URL reference to relevant evidence. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uri_ref_opt", + deserialize_with = "validation::deser_uri_ref_opt" + )] + pub href: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, +} + +/// A human-oriented identifier reference to a resource. Use type to indicate whether the +/// identified resource is a component, inventory item, location, user, or something else. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct IdentifiesTheSubject { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A machine-oriented identifier reference to a component, inventory-item, location, party, + /// user, or resource using it's UUID. + #[derivative(PartialEq = "ignore")] + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + pub subject_uuid: String, + /// The title or name for the referenced subject. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub title: Option, + /// Used to indicate the type of object pointed to by the uuid-ref within a subject. + #[serde(rename = "type")] + pub identifies_the_subject_type: String, +} + +/// Describes an individual POA&M item. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct PoaMItem { + /// A human-readable description of POA&M item. + #[serde(deserialize_with = "validation::deser_markup")] + pub description: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub origins: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub related_findings: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub related_observations: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub related_risks: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// The title or name for this POA&M item . + #[serde(deserialize_with = "validation::deser_markup")] + pub title: String, + /// A machine-oriented, globally unique identifier with instance scope that can be used to + /// reference this POA&M item entry in this OSCAL instance. This UUID should be assigned + /// per-subject, which means it should be consistently used to identify the same subject + /// across revisions of the document. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uuid_opt", + deserialize_with = "validation::deser_uuid_opt" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: Option, +} + +/// Identifies the source of the finding, such as a tool or person. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct PoamItemOrigin { + pub actors: Vec, +} + +/// Relates the poam-item to referenced finding(s). +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct RelatedFinding { + /// A machine-oriented identifier reference to a finding defined in the list of findings. + #[derivative(PartialEq = "ignore")] + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + pub finding_uuid: String, +} + +/// Relates the poam-item to a set of referenced observations that were used to determine the +/// finding. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct PoamItemRelatedObservation { + /// A machine-oriented identifier reference to an observation defined in the list of + /// observations. + #[derivative(PartialEq = "ignore")] + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + pub observation_uuid: String, +} + +/// Relates the finding to a set of referenced risks that were used to determine the finding. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct PoamItemRelatedRisk { + /// A machine-oriented identifier reference to a risk defined in the list of risks. + #[derivative(PartialEq = "ignore")] + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + pub risk_uuid: String, +} + +/// An identified risk. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct IdentifiedRisk { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub characterizations: Option>, + /// The date/time by which the risk must be resolved. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_dttz_opt", + deserialize_with = "validation::deser_dttz_opt" + )] + pub deadline: Option, + /// A human-readable summary of the identified risk, to include a statement of how the risk + /// impacts the system. + #[serde(deserialize_with = "validation::deser_markup")] + pub description: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub mitigating_factors: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub origins: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub related_observations: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub remediations: Option>, + /// A log of all risk-related tasks taken. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub risk_log: Option, + /// An summary of impact for how the risk affects the system. + #[serde(deserialize_with = "validation::deser_markup")] + pub statement: String, + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub status: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub threat_ids: Option>, + /// The title for this risk. + #[serde(deserialize_with = "validation::deser_markup")] + pub title: String, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this risk elsewhere in this or other OSCAL instances. The locally defined + /// UUID of the risk can be used to reference the data item locally or globally (e.g., in an + /// imported OSCAL instance). This UUID should be assigned per-subject, which means it should + /// be consistently used to identify the same subject across revisions of the document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// A collection of descriptive data about the containing object from a specific origin. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Characterization { + pub facets: Vec, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + pub origin: FindingOrigin, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, +} + +/// An individual characteristic that is part of a larger set produced by the same actor. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Facet { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + /// The name of the risk metric within the specified system. + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub name: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// Specifies the naming system under which this risk metric is organized, which allows for + /// the same names to be used in different systems controlled by different parties. This + /// avoids the potential of a name clash. + #[serde( + serialize_with = "validation::ser_uri", + deserialize_with = "validation::deser_uri" + )] + pub system: String, + /// Indicates the value of the facet. + pub value: String, +} + +/// Describes an existing mitigating factor that may affect the overall determination of the +/// risk, with an optional link to an implementation statement in the SSP. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct MitigatingFactor { + /// A human-readable description of this mitigating factor. + #[serde(deserialize_with = "validation::deser_markup")] + pub description: String, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this implementation statement elsewhere in this or other OSCAL instancess. + /// The locally defined UUID of the implementation statement can be used to reference the + /// data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + /// assigned per-subject, which means it should be consistently used to identify the same + /// subject across revisions of the document. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uuid_opt", + deserialize_with = "validation::deser_uuid_opt" + )] + pub implementation_uuid: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub subjects: Option>, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this mitigating factor elsewhere in this or other OSCAL instances. The + /// locally defined UUID of the mitigating factor can be used to reference the data item + /// locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + /// per-subject, which means it should be consistently used to identify the same subject + /// across revisions of the document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// Relates the finding to a set of referenced observations that were used to determine the +/// finding. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct RiskRelatedObservation { + /// A machine-oriented identifier reference to an observation defined in the list of + /// observations. + #[derivative(PartialEq = "ignore")] + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + pub observation_uuid: String, +} + +/// Describes either recommended or an actual plan for addressing the risk. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct RiskResponse { + /// A human-readable description of this response plan. + #[serde(deserialize_with = "validation::deser_markup")] + pub description: String, + /// Identifies whether this is a recommendation, such as from an assessor or tool, or an + /// actual plan accepted by the system owner. + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub lifecycle: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub origins: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub required_assets: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub tasks: Option>, + /// The title for this response activity. + #[serde(deserialize_with = "validation::deser_markup")] + pub title: String, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this remediation elsewhere in this or other OSCAL instances. The locally + /// defined UUID of the risk response can be used to reference the data item locally or + /// globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + /// which means it should be consistently used to identify the same subject across revisions + /// of the document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// Identifies an asset required to achieve remediation. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct RequiredAsset { + /// A human-readable description of this required asset. + #[serde(deserialize_with = "validation::deser_markup")] + pub description: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub subjects: Option>, + /// The title for this required asset. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub title: Option, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this required asset elsewhere in this or other OSCAL instances. The locally + /// defined UUID of the asset can be used to reference the data item locally or globally + /// (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + /// means it should be consistently used to identify the same subject across revisions of the + /// document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// Represents a scheduled event or milestone, which may be associated with a series of +/// assessment actions. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Task { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub associated_activities: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub dependencies: Option>, + /// A human-readable description of this task. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub description: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsible_roles: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub subjects: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub tasks: Option>, + /// The timing under which the task is intended to occur. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub timing: Option, + /// The title for this task. + #[serde(deserialize_with = "validation::deser_markup")] + pub title: String, + /// The type of task. + #[serde(rename = "type")] + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub task_type: String, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this task elsewhere in this or other OSCAL instances. The locally defined + /// UUID of the task can be used to reference the data item locally or globally (e.g., in an + /// imported OSCAL instance). This UUID should be assigned per-subject, which means it should + /// be consistently used to identify the same subject across revisions of the document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// Identifies an individual activity to be performed as part of a task. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct AssociatedActivity { + /// A machine-oriented identifier reference to an activity defined in the list of activities. + #[derivative(PartialEq = "ignore")] + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + pub activity_uuid: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsible_roles: Option>, + pub subjects: Vec, +} + +/// Used to indicate that a task is dependent on another task. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct TaskDependency { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A machine-oriented identifier reference to a unique task. + #[derivative(PartialEq = "ignore")] + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + pub task_uuid: String, +} + +/// The timing under which the task is intended to occur. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct EventTiming { + /// The task is intended to occur at the specified frequency. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub at_frequency: Option, + /// The task is intended to occur on the specified date. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub on_date: Option, + /// The task is intended to occur within the specified date range. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub within_date_range: Option, +} + +/// The task is intended to occur at the specified frequency. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct FrequencyCondition { + /// The task must occur after the specified period has elapsed. + #[serde( + serialize_with = "validation::ser_positive_int", + deserialize_with = "validation::deser_positive_int" + )] + pub period: i64, + /// The unit of time for the period. + pub unit: TimeUnit, +} +/// The unit of time for the period. +/// +/// A label that indicates the nature of a resource, as a data serialization or format. +/// +/// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, +/// U+10, U+32 or [ +/// ]+ +/// +/// In case where the href points to a back-matter/resource, this value will indicate the URI +/// fragment to append to any rlink associated with the resource. This value MUST be URI +/// encoded. +/// +/// Indicates the value of the attribute, characteristic, or quality. +/// +/// The common name of the protocol, which should be the appropriate "service name" from the +/// IANA Service Name and Transport Protocol Port Number Registry. +/// +/// A single line of an address. +/// +/// City, town or geographical region for the mailing address. +/// +/// The ISO 3166-1 alpha-2 country code for the mailing address. +/// +/// Postal or ZIP code for mailing address. +/// +/// State, province or analogous geographical region for a mailing address. +/// +/// The OSCAL model version the document was authored against and will conform to as valid. +/// +/// The full name of the party. This is typically the legal name associated with the party. +/// +/// A short common name, abbreviation, or acronym for the party. +/// +/// Used to distinguish a specific revision of an OSCAL document from other previous and +/// future versions. +/// +/// A short common name, abbreviation, or acronym for the role. +/// +/// Indicates the value of the facet. +/// +/// The digest method by which a hash is derived. +/// +/// A category describing the purpose of the component. +/// +/// Indicates the type of phone number. +/// +/// Identifies how the observation was made. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "snake_case")] +#[non_exhaustive] +#[derive(EnumString, Derivative)] +#[derivative(PartialEq)] +pub enum TimeUnit { + Days, + Hours, + Minutes, + Months, + Seconds, + Years, +} + +/// The task is intended to occur on the specified date. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct OnDateCondition { + /// The task must occur on the specified date. + pub date: String, +} + +/// The task is intended to occur within the specified date range. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct OnDateRangeCondition { + /// The task must occur on or before the specified date. + pub end: String, + /// The task must occur on or after the specified date. + pub start: String, +} + +/// A log of all risk-related tasks taken. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct RiskLog { + pub entries: Vec, +} + +/// Identifies an individual risk response that occurred as part of managing an identified +/// risk. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct RiskLogEntry { + /// A human-readable description of what was done regarding the risk. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub description: Option, + /// Identifies the end date and time of the event. If the event is a point in time, the start + /// and end will be the same date and time. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_dttz_opt", + deserialize_with = "validation::deser_dttz_opt" + )] + pub end: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub logged_by: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub related_responses: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// Identifies the start date and time of the event. + #[serde( + serialize_with = "validation::ser_dttz", + deserialize_with = "validation::deser_dttz" + )] + pub start: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub status_change: Option, + /// The title for this risk log entry. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub title: Option, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this risk log entry elsewhere in this or other OSCAL instances. The locally + /// defined UUID of the risk log entry can be used to reference the data item locally or + /// globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + /// which means it should be consistently used to identify the same subject across revisions + /// of the document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// Used to indicate who created a log entry in what role. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct LoggedBy { + /// A machine-oriented identifier reference to the party who is making the log entry. + #[derivative(PartialEq = "ignore")] + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + pub party_uuid: String, + /// A point to the role-id of the role in which the party is making the log entry. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub role_id: Option, +} + +/// Identifies an individual risk response that this log entry is for. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct RiskResponseReference { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub related_tasks: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A machine-oriented identifier reference to a unique risk response. + #[derivative(PartialEq = "ignore")] + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + pub response_uuid: String, +} + +/// A pointer, by ID, to an externally-defined threat. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ThreatId { + /// An optional location for the threat data, from which this ID originates. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uri_ref_opt", + deserialize_with = "validation::deser_uri_ref_opt" + )] + pub href: Option, + pub id: String, + /// Specifies the source of the threat information. + pub system: String, +} + +/// A human-oriented, globally unique identifier with cross-instance scope that can be used +/// to reference this system identification property elsewhere in this or other OSCAL +/// instances. When referencing an externally defined system identification, the system +/// identification must be used in the context of the external / imported OSCAL instance +/// (e.g., uri-reference). This string should be assigned per-subject, which means it should +/// be consistently used to identify the same system across revisions of the document. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct SystemIdentification { + pub id: String, + /// Identifies the identification system from which the provided identifier was assigned. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uri_opt", + deserialize_with = "validation::deser_uri_opt" + )] + pub identifier_type: Option, +} diff --git a/roscal_lib/src/common_impl.rs b/roscal_lib/src/common_impl.rs new file mode 100644 index 0000000..c02c92d --- /dev/null +++ b/roscal_lib/src/common_impl.rs @@ -0,0 +1,408 @@ +use crate::{assessment::*, control::*, implementation::*}; + +macro_rules! impl_conversion { + ( $( $t:ty ),* ) => { + $( + impl AsRef<$t> for $t { + fn as_ref(&self) -> &Self { + self + } + } + + impl AsMut<$t> for $t { + fn as_mut(&mut self) -> &mut Self { + self + } + } + + impl From<&$t> for $t { + fn from(value: &$t) -> Self { + value.clone() + } + } + + impl std::fmt::Display for $t { + fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { + write!(f, "{self:?}") + } + } + )* + }; +} + +impl_conversion!( + assessment_plan::Action, + assessment_plan::Activity, + assessment_plan::Address, + assessment_plan::AssessedControls, + assessment_plan::AssessmentAssets, + assessment_plan::AssessmentPart, + assessment_plan::AssessmentPlan, + assessment_plan::AssessmentPlanTermsAndConditions, + assessment_plan::AssessmentPlatform, + assessment_plan::AssessmentSpecificControlObjective, + assessment_plan::AssociatedActivity, + assessment_plan::BackMatter, + assessment_plan::Base64, + assessment_plan::Citation, + assessment_plan::Component, + assessment_plan::DocumentIdentifier, + assessment_plan::DocumentMetadata, + assessment_plan::EventTiming, + assessment_plan::FrequencyCondition, + assessment_plan::Hash, + assessment_plan::ImplementedComponent, + assessment_plan::ImportSystemSecurityPlan, + assessment_plan::IncludeAll, + assessment_plan::InventoryItem, + assessment_plan::Link, + assessment_plan::LocalDefinitions, + assessment_plan::Location, + assessment_plan::OnDateCondition, + assessment_plan::OnDateRangeCondition, + assessment_plan::Part, + assessment_plan::Party, + assessment_plan::PartyExternalIdentifier, + assessment_plan::PortRange, + assessment_plan::Privilege, + assessment_plan::Property, + assessment_plan::ReferencedControlObjectives, + assessment_plan::Resource, + assessment_plan::ResourceLink, + assessment_plan::ResponsibleParty, + assessment_plan::ResponsibleRole, + assessment_plan::ReviewedControlsAndControlObjectives, + assessment_plan::RevisionHistoryEntry, + assessment_plan::Role, + assessment_plan::SecurityAssessmentPlanSap, + assessment_plan::SelectAssessmentSubject, + assessment_plan::SelectControl, + assessment_plan::SelectObjective, + assessment_plan::ServiceProtocolInformation, + assessment_plan::Status, + assessment_plan::Step, + assessment_plan::SubjectOfAssessment, + assessment_plan::SystemUser, + assessment_plan::Task, + assessment_plan::TaskDependency, + assessment_plan::TelephoneNumber, + assessment_plan::UsesComponent, + assessment_results::Action, + assessment_results::Activity, + assessment_results::Address, + assessment_results::AssessedControls, + assessment_results::AssessmentAssets, + assessment_results::AssessmentLog, + assessment_results::AssessmentLogEntry, + assessment_results::AssessmentPart, + assessment_results::AssessmentPlatform, + assessment_results::AssessmentResult, + assessment_results::AssessmentResults, + assessment_results::AssessmentResultsLocalDefinitions, + assessment_results::AssessmentSpecificControlObjective, + assessment_results::AssociatedActivity, + assessment_results::AssociatedRisk, + assessment_results::AttestationStatements, + assessment_results::BackMatter, + assessment_results::Base64, + assessment_results::Characterization, + assessment_results::Citation, + assessment_results::Component, + assessment_results::DocumentIdentifier, + assessment_results::DocumentMetadata, + assessment_results::EventTiming, + assessment_results::Facet, + assessment_results::Finding, + assessment_results::FindingRelatedObservation, + assessment_results::FrequencyCondition, + assessment_results::Hash, + assessment_results::IdentifiedRisk, + assessment_results::IdentifiedSubject, + assessment_results::IdentifiesTheSubject, + assessment_results::ImplementationStatus, + assessment_results::ImplementedComponent, + assessment_results::ImportAssessmentPlan, + assessment_results::IncludeAll, + assessment_results::InventoryItem, + assessment_results::Link, + assessment_results::Location, + assessment_results::LoggedBy, + assessment_results::MitigatingFactor, + assessment_results::Observation, + assessment_results::OnDateCondition, + assessment_results::OnDateRangeCondition, + assessment_results::Origin, + assessment_results::OriginatingActor, + assessment_results::Part, + assessment_results::Party, + assessment_results::PartyExternalIdentifier, + assessment_results::PortRange, + assessment_results::Privilege, + assessment_results::Property, + assessment_results::ReferencedControlObjectives, + assessment_results::RelevantEvidence, + assessment_results::RequiredAsset, + assessment_results::Resource, + assessment_results::ResourceLink, + assessment_results::ResponsibleParty, + assessment_results::ResponsibleRole, + assessment_results::ResultLocalDefinitions, + assessment_results::ReviewedControlsAndControlObjectives, + assessment_results::RevisionHistoryEntry, + assessment_results::RiskLog, + assessment_results::RiskLogEntry, + assessment_results::RiskRelatedObservation, + assessment_results::RiskResponse, + assessment_results::RiskResponseReference, + assessment_results::Role, + assessment_results::SecurityAssessmentResultsSar, + assessment_results::SelectAssessmentSubject, + assessment_results::SelectControl, + assessment_results::SelectObjective, + assessment_results::ServiceProtocolInformation, + assessment_results::Status, + assessment_results::StatusClass, + assessment_results::Step, + assessment_results::SubjectOfAssessment, + assessment_results::SystemUser, + assessment_results::TargetClass, + assessment_results::Task, + assessment_results::TaskDependency, + assessment_results::TaskReference, + assessment_results::TelephoneNumber, + assessment_results::ThreatId, + assessment_results::UsesComponent, + poam::Action, + poam::Address, + poam::AssessmentAssets, + poam::AssessmentPlatform, + poam::AssociatedActivity, + poam::BackMatter, + poam::Base64, + poam::Characterization, + poam::Citation, + poam::Component, + poam::DocumentIdentifier, + poam::DocumentMetadata, + poam::EventTiming, + poam::Facet, + poam::Finding, + poam::FindingOrigin, + poam::FindingRelatedObservation, + poam::FindingRelatedRisk, + poam::FrequencyCondition, + poam::Hash, + poam::IdentifiedRisk, + poam::IdentifiedSubject, + poam::IdentifiesTheSubject, + poam::ImplementationStatus, + poam::ImplementedComponent, + poam::ImportSystemSecurityPlan, + poam::IncludeAll, + poam::InventoryItem, + poam::Link, + poam::LocalDefinitions, + poam::Location, + poam::LoggedBy, + poam::MitigatingFactor, + poam::Observation, + poam::OnDateCondition, + poam::OnDateRangeCondition, + poam::OriginatingActor, + poam::Party, + poam::PartyExternalIdentifier, + poam::PlanOfActionAndMilestones, + poam::PlanOfActionAndMilestonesPoaM, + poam::PoaMItem, + poam::PoamItemOrigin, + poam::PoamItemRelatedObservation, + poam::PoamItemRelatedRisk, + poam::PortRange, + poam::Property, + poam::RelatedFinding, + poam::RelevantEvidence, + poam::RequiredAsset, + poam::Resource, + poam::ResourceLink, + poam::ResponsibleParty, + poam::ResponsibleRole, + poam::RevisionHistoryEntry, + poam::RiskLog, + poam::RiskLogEntry, + poam::RiskRelatedObservation, + poam::RiskResponse, + poam::RiskResponseReference, + poam::Role, + poam::SelectAssessmentSubject, + poam::ServiceProtocolInformation, + poam::Status, + poam::StatusClass, + poam::SubjectOfAssessment, + poam::SystemIdentification, + poam::TargetClass, + poam::Task, + poam::TaskDependency, + poam::TaskReference, + poam::TelephoneNumber, + poam::ThreatId, + poam::UsesComponent, + catalog::Action, + catalog::Address, + catalog::BackMatter, + catalog::Base64, + catalog::Catalog, + catalog::CatalogClass, + catalog::Citation, + catalog::Constraint, + catalog::ConstraintTest, + catalog::Control, + catalog::ControlGroup, + catalog::DocumentIdentifier, + catalog::DocumentMetadata, + catalog::Guideline, + catalog::Hash, + catalog::Link, + catalog::Location, + catalog::Parameter, + catalog::Part, + catalog::Party, + catalog::PartyExternalIdentifier, + catalog::Property, + catalog::Resource, + catalog::ResourceLink, + catalog::ResponsibleParty, + catalog::RevisionHistoryEntry, + catalog::Role, + catalog::Selection, + catalog::TelephoneNumber, + profile::Action, + profile::Addition, + profile::Address, + profile::Alteration, + profile::BackMatter, + profile::Base64, + profile::Citation, + profile::CombinationRule, + profile::Constraint, + profile::ConstraintTest, + profile::ControlGroup, + profile::CustomGrouping, + profile::DocumentIdentifier, + profile::DocumentMetadata, + profile::FlatWithoutGrouping, + profile::Guideline, + profile::Hash, + profile::ImportResource, + profile::IncludeAll, + profile::InsertControls, + profile::Link, + profile::Location, + profile::MatchControlsByPattern, + profile::MergeControls, + profile::ModifyControls, + profile::Parameter, + profile::ParameterSetting, + profile::Part, + profile::Party, + profile::PartyExternalIdentifier, + profile::Profile, + profile::ProfileClass, + profile::Property, + profile::Removal, + profile::Resource, + profile::ResourceLink, + profile::ResponsibleParty, + profile::RevisionHistoryEntry, + profile::Role, + profile::SelectControl, + profile::Selection, + profile::TelephoneNumber, + component_definition::Action, + component_definition::Address, + component_definition::BackMatter, + component_definition::Base64, + component_definition::Capability, + component_definition::Citation, + component_definition::Component, + component_definition::ComponentDefinition, + component_definition::ComponentDefinitionClass, + component_definition::ControlImplementation, + component_definition::ControlImplementationSet, + component_definition::ControlStatementImplementation, + component_definition::DocumentIdentifier, + component_definition::DocumentMetadata, + component_definition::Hash, + component_definition::ImportComponentDefinition, + component_definition::IncorporatesComponent, + component_definition::Link, + component_definition::Location, + component_definition::Party, + component_definition::PartyExternalIdentifier, + component_definition::PortRange, + component_definition::Property, + component_definition::Resource, + component_definition::ResourceLink, + component_definition::ResponsibleParty, + component_definition::ResponsibleRole, + component_definition::RevisionHistoryEntry, + component_definition::Role, + component_definition::ServiceProtocolInformation, + component_definition::SetParameterValue, + component_definition::TelephoneNumber, + ssp::Action, + ssp::Address, + ssp::AuthorizationBoundary, + ssp::BackMatter, + ssp::Base64, + ssp::Citation, + ssp::Component, + ssp::ComponentControlImplementation, + ssp::ComponentStatus, + ssp::ControlBasedRequirement, + ssp::ControlImplementation, + ssp::ControlImplementationResponsibility, + ssp::DataFlow, + ssp::Diagram, + ssp::DocumentIdentifier, + ssp::DocumentMetadata, + ssp::Export, + ssp::Hash, + ssp::ImpactLevel, + ssp::ImplementationStatus, + ssp::ImplementedComponent, + ssp::ImportProfile, + ssp::InformationType, + ssp::InformationTypeCategorization, + ssp::InheritedControlImplementation, + ssp::InventoryItem, + ssp::LeveragedAuthorization, + ssp::Link, + ssp::Location, + ssp::NetworkArchitecture, + ssp::Party, + ssp::PartyExternalIdentifier, + ssp::PortRange, + ssp::Privilege, + ssp::Property, + ssp::ProvidedControlImplementation, + ssp::Resource, + ssp::ResourceLink, + ssp::ResponsibleParty, + ssp::ResponsibleRole, + ssp::RevisionHistoryEntry, + ssp::Role, + ssp::SatisfiedControlImplementationResponsibility, + ssp::SecurityImpactLevel, + ssp::ServiceProtocolInformation, + ssp::SetParameterValue, + ssp::SpecificControlStatement, + ssp::SystemCharacteristics, + ssp::SystemCharacteristicsStatus, + ssp::SystemIdentification, + ssp::SystemImplementation, + ssp::SystemInformation, + ssp::SystemSecurityPlan, + ssp::SystemSecurityPlanSsp, + ssp::SystemUser, + ssp::TelephoneNumber +); diff --git a/roscal_lib/src/control/catalog.rs b/roscal_lib/src/control/catalog.rs new file mode 100644 index 0000000..86fabfd --- /dev/null +++ b/roscal_lib/src/control/catalog.rs @@ -0,0 +1,1116 @@ +use derivative::Derivative; +use strum::EnumString; +use derive_builder::Builder; +use serde::{Serialize, Deserialize}; +use crate::validation; + +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Catalog { + #[serde(rename = "$schema")] + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub schema: Option, + pub catalog: CatalogClass, +} + +/// A structured, organized collection of control information. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct CatalogClass { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub back_matter: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub controls: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub groups: Option>, + pub metadata: DocumentMetadata, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub params: Option>, + /// Provides a globally unique means to identify a given catalog instance. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// A collection of resources that may be referenced from within the OSCAL document instance. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct BackMatter { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub resources: Option>, +} + +/// A resource associated with content in the containing document instance. A resource may be +/// directly included in the document using base64 encoding or may point to one or more +/// equivalent internet resources. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Resource { + /// A resource encoded using the Base64 alphabet defined by RFC 2045. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub base64: Option, + /// An optional citation consisting of end note text using structured markup. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub citation: Option, + /// An optional short summary of the resource used to indicate the purpose of the resource. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub description: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub document_ids: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub rlinks: Option>, + /// An optional name given to the resource, which may be used by a tool for display and + /// navigation. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub title: Option, + /// A unique identifier for a resource. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// A resource encoded using the Base64 alphabet defined by RFC 2045. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Base64 { + /// Name of the file before it was encoded as Base64 to be embedded in a resource. This is + /// the name that will be assigned to the file when the file is decoded. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub filename: Option, + /// A label that indicates the nature of a resource, as a data serialization or format. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub media_type: Option, + #[serde( + serialize_with = "validation::ser_base64", + deserialize_with = "validation::deser_base64" + )] + pub value: String, +} + +/// An optional citation consisting of end note text using structured markup. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Citation { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + /// A line of citation text. + #[serde(deserialize_with = "validation::deser_markup")] + pub text: String, +} + +/// A reference to a local or remote resource, that has a specific relation to the containing +/// object. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Link { + /// A resolvable URL reference to a resource. + #[serde( + serialize_with = "validation::ser_uri_ref", + deserialize_with = "validation::deser_uri_ref" + )] + pub href: String, + /// A label that indicates the nature of a resource, as a data serialization or format. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub media_type: Option, + /// Describes the type of relationship provided by the link's hypertext reference. This can + /// be an indicator of the link's purpose. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub rel: Option, + /// In case where the href points to a back-matter/resource, this value will indicate the URI + /// fragment to append to any rlink associated with the resource. This value MUST be URI + /// encoded. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub resource_fragment: Option, + /// A textual label to associate with the link, which may be used for presentation in a tool. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub text: Option, +} + +/// An attribute, characteristic, or quality of the containing object expressed as a +/// namespace qualified name/value pair. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Property { + /// A textual label that provides a sub-type or characterization of the property's name. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub class: Option, + /// An identifier for relating distinct sets of properties. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub group: Option, + /// A textual label, within a namespace, that uniquely identifies a specific attribute, + /// characteristic, or quality of the property's containing object. + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub name: String, + /// A namespace qualifying the property's name. This allows different organizations to + /// associate distinct semantics with the same name. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uri_opt", + deserialize_with = "validation::deser_uri_opt" + )] + pub ns: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A unique identifier for a property. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uuid_opt", + deserialize_with = "validation::deser_uuid_opt" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: Option, + /// Indicates the value of the attribute, characteristic, or quality. + pub value: String, +} + +/// A document identifier qualified by an identifier scheme. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct DocumentIdentifier { + pub identifier: String, + /// Qualifies the kind of document identifier using a URI. If the scheme is not provided the + /// value of the element will be interpreted as a string of characters. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uri_opt", + deserialize_with = "validation::deser_uri_opt" + )] + pub scheme: Option, +} + +/// A URL-based pointer to an external resource with an optional hash for verification and +/// change detection. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ResourceLink { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub hashes: Option>, + /// A resolvable URL pointing to the referenced resource. + #[serde( + serialize_with = "validation::ser_uri_ref", + deserialize_with = "validation::deser_uri_ref" + )] + pub href: String, + /// A label that indicates the nature of a resource, as a data serialization or format. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub media_type: Option, +} + +/// A representation of a cryptographic digest generated over a resource using a specified +/// hash algorithm. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Hash { + /// The digest method by which a hash is derived. + pub algorithm: String, + #[serde( + serialize_with = "validation::ser_hash", + deserialize_with = "validation::deser_hash" + )] + pub value: String, +} + +/// A structured object representing a requirement or guideline, which when implemented will +/// reduce an aspect of risk related to an information system and its information. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Control { + /// A textual label that provides a sub-type or characterization of the control. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub class: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub controls: Option>, + /// Identifies a control such that it can be referenced in the defining catalog and other + /// OSCAL instances (e.g., profiles). + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub id: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub params: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub parts: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + /// A name given to the control, which may be used by a tool for display and navigation. + #[serde(deserialize_with = "validation::deser_markup")] + pub title: String, +} + +/// Parameters provide a mechanism for the dynamic assignment of value(s) in a control. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Parameter { + /// A textual label that provides a characterization of the type, purpose, use or scope of + /// the parameter. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub class: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub constraints: Option>, + /// (deprecated) Another parameter invoking this one. This construct has been deprecated and + /// should not be used. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub depends_on: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub guidelines: Option>, + /// A unique identifier for the parameter. + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub id: String, + /// A short, placeholder name for the parameter, which can be used as a substitute for a + /// value if no value is assigned. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub label: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub select: Option, + /// Describes the purpose and use of a parameter. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub usage: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub values: Option>, +} + +/// A formal or informal expression of a constraint or test. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Constraint { + /// A textual summary of the constraint to be applied. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub description: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub tests: Option>, +} + +/// A test expression which is expected to be evaluated by a tool. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ConstraintTest { + /// A formal (executable) expression of a constraint. + pub expression: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, +} + +/// A prose statement that provides a recommendation for the use of a parameter. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Guideline { + /// Prose permits multiple paragraphs, lists, tables etc. + #[serde(deserialize_with = "validation::deser_markup")] + pub prose: String, +} + +/// Presenting a choice among alternatives. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Selection { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub choice: Option>, + /// Describes the number of selections that must occur. Without this setting, only one value + /// should be assumed to be permitted. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub how_many: Option, +} +/// Describes the number of selections that must occur. Without this setting, only one value +/// should be assumed to be permitted. +/// +/// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +/// the name that will be assigned to the file when the file is decoded. +/// +/// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +/// https://www.w3.org/TR/xmlschema11-2/#NCName. +/// +/// A textual label that provides a sub-type or characterization of the property's name. +/// +/// An identifier for relating distinct sets of properties. +/// +/// A textual label, within a namespace, that uniquely identifies a specific attribute, +/// characteristic, or quality of the property's containing object. +/// +/// A textual label that provides a sub-type or characterization of the control. +/// +/// Identifies a control such that it can be referenced in the defining catalog and other +/// OSCAL instances (e.g., profiles). +/// +/// A textual label that provides a characterization of the type, purpose, use or scope of +/// the parameter. +/// +/// (deprecated) Another parameter invoking this one. This construct has been deprecated and +/// should not be used. +/// +/// A unique identifier for the parameter. +/// +/// An optional textual providing a sub-type or characterization of the part's name, or a +/// category to which the part belongs. +/// +/// A unique identifier for the part. +/// +/// A textual label that uniquely identifies the part's semantic type, which exists in a +/// value space qualified by the ns. +/// +/// A textual label that provides a sub-type or characterization of the group. +/// +/// Identifies the group for the purpose of cross-linking within the defining instance or +/// from other instances that reference the catalog. +/// +/// A reference to a role performed by a party. +/// +/// The type of action documented by the assembly, such as an approval. +/// +/// A unique identifier for the role. +/// +/// Describes the type of relationship provided by the link's hypertext reference. This can +/// be an indicator of the link's purpose. +/// +/// Indicates the type of address. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[non_exhaustive] +#[derive(EnumString, Derivative)] +#[derivative(PartialEq)] +pub enum ParameterCardinality { + One, + #[serde(rename = "one-or-more")] + OneOrMore, +} + +/// An annotated, markup-based textual element of a control's or catalog group's definition, +/// or a child of another part. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Part { + /// An optional textual providing a sub-type or characterization of the part's name, or a + /// category to which the part belongs. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub class: Option, + /// A unique identifier for the part. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub id: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + /// A textual label that uniquely identifies the part's semantic type, which exists in a + /// value space qualified by the ns. + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub name: String, + /// An optional namespace qualifying the part's name. This allows different organizations to + /// associate distinct semantics with the same name. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uri_opt", + deserialize_with = "validation::deser_uri_opt" + )] + pub ns: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub parts: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + /// Permits multiple paragraphs, lists, tables etc. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub prose: Option, + /// An optional name given to the part, which may be used by a tool for display and + /// navigation. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub title: Option, +} + +/// A group of controls, or of groups of controls. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ControlGroup { + /// A textual label that provides a sub-type or characterization of the group. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub class: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub controls: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub groups: Option>, + /// Identifies the group for the purpose of cross-linking within the defining instance or + /// from other instances that reference the catalog. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub id: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub params: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub parts: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + /// A name given to the group, which may be used by a tool for display and navigation. + #[serde(deserialize_with = "validation::deser_markup")] + pub title: String, +} + +/// Provides information about the containing document, and defines concepts that are shared +/// across the document. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct DocumentMetadata { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub actions: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub document_ids: Option>, + #[serde( + serialize_with = "validation::ser_dttz", + deserialize_with = "validation::deser_dttz" + )] + pub last_modified: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub locations: Option>, + pub oscal_version: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub parties: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub published: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsible_parties: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub revisions: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub roles: Option>, + /// A name given to the document, which may be used by a tool for display and navigation. + #[serde(deserialize_with = "validation::deser_markup")] + pub title: String, + pub version: String, +} + +/// An action applied by a role within a given party to the content. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Action { + /// The date and time when the action occurred. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_dttz_opt", + deserialize_with = "validation::deser_dttz_opt" + )] + pub date: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsible_parties: Option>, + /// Specifies the action type system used. + pub system: String, + /// The type of action documented by the assembly, such as an approval. + #[serde(rename = "type")] + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub action_type: String, + /// A unique identifier that can be used to reference this defined action elsewhere in an + /// OSCAL document. A UUID should be consistently used for a given location across revisions + /// of the document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// A reference to a set of persons and/or organizations that have responsibility for +/// performing the referenced role in the context of the containing object. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ResponsibleParty { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[serde( + serialize_with = "validation::ser_uuid_vec", + deserialize_with = "validation::deser_uuid_vec" + )] + pub party_uuids: Vec, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A reference to a role performed by a party. + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub role_id: String, +} + +/// A physical point of presence, which may be associated with people, organizations, or +/// other concepts within the current or linked OSCAL document. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Location { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub address: Option
, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_email_vec_opt", + deserialize_with = "validation::deser_email_vec_opt" + )] + pub email_addresses: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub telephone_numbers: Option>, + /// A name given to the location, which may be used by a tool for display and navigation. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub title: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uri_vec_opt", + deserialize_with = "validation::deser_uri_vec_opt" + )] + pub urls: Option>, + /// A unique ID for the location, for reference. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// A postal address for the location. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Address { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub addr_lines: Option>, + /// City, town or geographical region for the mailing address. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub city: Option, + /// The ISO 3166-1 alpha-2 country code for the mailing address. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub country: Option, + /// Postal or ZIP code for mailing address. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub postal_code: Option, + /// State, province or analogous geographical region for a mailing address. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub state: Option, + /// Indicates the type of address. + #[serde(rename = "type")] + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub address_type: Option, +} + +/// A telephone service number as defined by ITU-T E.164. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct TelephoneNumber { + pub number: String, + /// Indicates the type of phone number. + #[serde(rename = "type")] + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub telephone_number_type: Option, +} + +/// An organization or person, which may be associated with roles or other concepts within +/// the current or linked OSCAL document. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Party { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub addresses: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_email_vec_opt", + deserialize_with = "validation::deser_email_vec_opt" + )] + pub email_addresses: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub external_ids: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub location_uuids: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uuid_vec_opt", + deserialize_with = "validation::deser_uuid_vec_opt" + )] + pub member_of_organizations: Option>, + /// The full name of the party. This is typically the legal name associated with the party. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub name: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A short common name, abbreviation, or acronym for the party. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub short_name: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub telephone_numbers: Option>, + /// A category describing the kind of party the object describes. + #[serde(rename = "type")] + pub party_type: PartyType, + /// A unique identifier for the party. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// An identifier for a person or organization using a designated scheme. e.g. an Open +/// Researcher and Contributor ID (ORCID). +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct PartyExternalIdentifier { + pub id: String, + /// Indicates the type of external identifier. + #[serde( + serialize_with = "validation::ser_uri", + deserialize_with = "validation::deser_uri" + )] + pub scheme: String, +} +/// A category describing the kind of party the object describes. +/// +/// A label that indicates the nature of a resource, as a data serialization or format. +/// +/// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, +/// U+10, U+32 or [ +/// ]+ +/// +/// In case where the href points to a back-matter/resource, this value will indicate the URI +/// fragment to append to any rlink associated with the resource. This value MUST be URI +/// encoded. +/// +/// Indicates the value of the attribute, characteristic, or quality. +/// +/// A formal (executable) expression of a constraint. +/// +/// A parameter value or set of values. +/// +/// A single line of an address. +/// +/// City, town or geographical region for the mailing address. +/// +/// The ISO 3166-1 alpha-2 country code for the mailing address. +/// +/// Postal or ZIP code for mailing address. +/// +/// State, province or analogous geographical region for a mailing address. +/// +/// The OSCAL model version the document was authored against and will conform to as valid. +/// +/// The full name of the party. This is typically the legal name associated with the party. +/// +/// A short common name, abbreviation, or acronym for the party. +/// +/// Used to distinguish a specific revision of an OSCAL document from other previous and +/// future versions. +/// +/// A short common name, abbreviation, or acronym for the role. +/// +/// The digest method by which a hash is derived. +/// +/// Indicates the type of phone number. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "snake_case")] +#[non_exhaustive] +#[derive(EnumString, Derivative)] +#[derivative(PartialEq)] +pub enum PartyType { + Organization, + Person, +} + +/// An entry in a sequential list of revisions to the containing document, expected to be in +/// reverse chronological order (i.e. latest first). +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct RevisionHistoryEntry { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_dttz_opt", + deserialize_with = "validation::deser_dttz_opt" + )] + pub last_modified: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub oscal_version: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_dttz_opt", + deserialize_with = "validation::deser_dttz_opt" + )] + pub published: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A name given to the document revision, which may be used by a tool for display and + /// navigation. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub title: Option, + pub version: String, +} + +/// Defines a function, which might be assigned to a party in a specific situation. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Role { + /// A summary of the role's purpose and associated responsibilities. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub description: Option, + /// A unique identifier for the role. + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub id: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A short common name, abbreviation, or acronym for the role. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub short_name: Option, + /// A name given to the role, which may be used by a tool for display and navigation. + pub title: String, +} diff --git a/roscal_lib/src/control/mod.rs b/roscal_lib/src/control/mod.rs new file mode 100644 index 0000000..82bb9cd --- /dev/null +++ b/roscal_lib/src/control/mod.rs @@ -0,0 +1,6 @@ +//! OSCAL Control Layer. + +/// Catalog Model +pub mod catalog; +/// Profile Model +pub mod profile; diff --git a/roscal_lib/src/control/profile.rs b/roscal_lib/src/control/profile.rs new file mode 100644 index 0000000..3ed9270 --- /dev/null +++ b/roscal_lib/src/control/profile.rs @@ -0,0 +1,1801 @@ +use derivative::Derivative; +use strum::EnumString; +use derive_builder::Builder; +use serde::{Serialize, Deserialize}; +use crate::validation; + +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Profile { + #[serde(rename = "$schema")] + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub schema: Option, + pub profile: ProfileClass, +} + +/// Each OSCAL profile is defined by a profile element. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ProfileClass { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub back_matter: Option, + pub imports: Vec, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub merge: Option, + pub metadata: DocumentMetadata, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub modify: Option, + /// Provides a globally unique means to identify a given profile instance. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// A collection of resources that may be referenced from within the OSCAL document instance. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct BackMatter { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub resources: Option>, +} + +/// A resource associated with content in the containing document instance. A resource may be +/// directly included in the document using base64 encoding or may point to one or more +/// equivalent internet resources. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Resource { + /// A resource encoded using the Base64 alphabet defined by RFC 2045. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub base64: Option, + /// An optional citation consisting of end note text using structured markup. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub citation: Option, + /// An optional short summary of the resource used to indicate the purpose of the resource. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub description: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub document_ids: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub rlinks: Option>, + /// An optional name given to the resource, which may be used by a tool for display and + /// navigation. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub title: Option, + /// A unique identifier for a resource. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// A resource encoded using the Base64 alphabet defined by RFC 2045. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Base64 { + /// Name of the file before it was encoded as Base64 to be embedded in a resource. This is + /// the name that will be assigned to the file when the file is decoded. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub filename: Option, + /// A label that indicates the nature of a resource, as a data serialization or format. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub media_type: Option, + #[serde( + serialize_with = "validation::ser_base64", + deserialize_with = "validation::deser_base64" + )] + pub value: String, +} + +/// An optional citation consisting of end note text using structured markup. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Citation { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + /// A line of citation text. + #[serde(deserialize_with = "validation::deser_markup")] + pub text: String, +} + +/// A reference to a local or remote resource, that has a specific relation to the containing +/// object. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Link { + /// A resolvable URL reference to a resource. + #[serde( + serialize_with = "validation::ser_uri_ref", + deserialize_with = "validation::deser_uri_ref" + )] + pub href: String, + /// A label that indicates the nature of a resource, as a data serialization or format. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub media_type: Option, + /// Describes the type of relationship provided by the link's hypertext reference. This can + /// be an indicator of the link's purpose. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub rel: Option, + /// In case where the href points to a back-matter/resource, this value will indicate the URI + /// fragment to append to any rlink associated with the resource. This value MUST be URI + /// encoded. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub resource_fragment: Option, + /// A textual label to associate with the link, which may be used for presentation in a tool. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub text: Option, +} + +/// An attribute, characteristic, or quality of the containing object expressed as a +/// namespace qualified name/value pair. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Property { + /// A textual label that provides a sub-type or characterization of the property's name. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub class: Option, + /// An identifier for relating distinct sets of properties. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub group: Option, + /// A textual label, within a namespace, that uniquely identifies a specific attribute, + /// characteristic, or quality of the property's containing object. + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub name: String, + /// A namespace qualifying the property's name. This allows different organizations to + /// associate distinct semantics with the same name. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uri_opt", + deserialize_with = "validation::deser_uri_opt" + )] + pub ns: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A unique identifier for a property. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uuid_opt", + deserialize_with = "validation::deser_uuid_opt" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: Option, + /// Indicates the value of the attribute, characteristic, or quality. + pub value: String, +} + +/// A document identifier qualified by an identifier scheme. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct DocumentIdentifier { + pub identifier: String, + /// Qualifies the kind of document identifier using a URI. If the scheme is not provided the + /// value of the element will be interpreted as a string of characters. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uri_opt", + deserialize_with = "validation::deser_uri_opt" + )] + pub scheme: Option, +} + +/// A URL-based pointer to an external resource with an optional hash for verification and +/// change detection. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ResourceLink { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub hashes: Option>, + /// A resolvable URL pointing to the referenced resource. + #[serde( + serialize_with = "validation::ser_uri_ref", + deserialize_with = "validation::deser_uri_ref" + )] + pub href: String, + /// A label that indicates the nature of a resource, as a data serialization or format. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub media_type: Option, +} + +/// A representation of a cryptographic digest generated over a resource using a specified +/// hash algorithm. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Hash { + /// The digest method by which a hash is derived. + pub algorithm: String, + #[serde( + serialize_with = "validation::ser_hash", + deserialize_with = "validation::deser_hash" + )] + pub value: String, +} + +/// Designates a referenced source catalog or profile that provides a source of control +/// information for use in creating a new overlay or baseline. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ImportResource { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub exclude_controls: Option>, + /// A resolvable URL reference to the base catalog or profile that this profile is tailoring. + #[serde( + serialize_with = "validation::ser_uri_ref", + deserialize_with = "validation::deser_uri_ref" + )] + pub href: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub include_all: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub include_controls: Option>, +} + +/// Select a control or controls from an imported control set. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct SelectControl { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub matching: Option>, + /// When a control is included, whether its child (dependent) controls are also included. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub with_child_controls: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_vec_opt", + deserialize_with = "validation::deser_token_vec_opt" + )] + pub with_ids: Option>, +} + +/// Selecting a set of controls by matching their IDs with a wildcard pattern. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct MatchControlsByPattern { + /// A glob expression matching the IDs of one or more controls to be selected. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub pattern: Option, +} +/// When a control is included, whether its child (dependent) controls are also included. +/// +/// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +/// the name that will be assigned to the file when the file is decoded. +/// +/// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +/// https://www.w3.org/TR/xmlschema11-2/#NCName. +/// +/// A textual label that provides a sub-type or characterization of the property's name. +/// +/// An identifier for relating distinct sets of properties. +/// +/// A textual label, within a namespace, that uniquely identifies a specific attribute, +/// characteristic, or quality of the property's containing object. +/// +/// Selecting a control by its ID given as a literal. +/// +/// A textual label that provides a sub-type or characterization of the group. +/// +/// Identifies the group. +/// +/// A textual label that provides a characterization of the type, purpose, use or scope of +/// the parameter. +/// +/// (deprecated) Another parameter invoking this one. This construct has been deprecated and +/// should not be used. +/// +/// A unique identifier for the parameter. +/// +/// An optional textual providing a sub-type or characterization of the part's name, or a +/// category to which the part belongs. +/// +/// A unique identifier for the part. +/// +/// A textual label that uniquely identifies the part's semantic type, which exists in a +/// value space qualified by the ns. +/// +/// A reference to a role performed by a party. +/// +/// The type of action documented by the assembly, such as an approval. +/// +/// A unique identifier for the role. +/// +/// Target location of the addition. +/// +/// A reference to a control with a corresponding id value. When referencing an externally +/// defined control, the Control Identifier Reference must be used in the context of the +/// external / imported OSCAL instance (e.g., uri-reference). +/// +/// Identify items to remove by matching their class. +/// +/// Identify items to remove indicated by their id. +/// +/// Identify items remove by matching their assigned name. +/// +/// Identify items to remove by the item's ns, which is the namespace associated with a part, +/// or prop. +/// +/// A textual label that provides a characterization of the parameter. +/// +/// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +/// and should not be used. +/// +/// An identifier for the parameter. +/// +/// Describes the type of relationship provided by the link's hypertext reference. This can +/// be an indicator of the link's purpose. +/// +/// Indicates the type of address. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "snake_case")] +#[non_exhaustive] +#[derive(EnumString, Derivative)] +#[derivative(PartialEq)] +pub enum IncludeContainedControlsWithControl { + No, + Yes, +} + +/// Include all controls from the imported catalog or profile resources. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct IncludeAll {} + +/// Provides structuring directives that instruct how controls are organized after profile +/// resolution. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct MergeControls { + /// Indicates that the controls selected should retain their original grouping as defined in + /// the import source. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub as_is: Option, + /// A Combine element defines how to resolve duplicate instances of the same control (e.g., + /// controls with the same ID). + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub combine: Option, + /// Provides an alternate grouping structure that selected controls will be placed in. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub custom: Option, + /// Directs that controls appear without any grouping structure. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub flat: Option, +} + +/// A Combine element defines how to resolve duplicate instances of the same control (e.g., +/// controls with the same ID). +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct CombinationRule { + /// Declare how clashing controls should be handled. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub method: Option, +} +/// Declare how clashing controls should be handled. +/// +/// A label that indicates the nature of a resource, as a data serialization or format. +/// +/// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, +/// U+10, U+32 or [ +/// ]+ +/// +/// In case where the href points to a back-matter/resource, this value will indicate the URI +/// fragment to append to any rlink associated with the resource. This value MUST be URI +/// encoded. +/// +/// Indicates the value of the attribute, characteristic, or quality. +/// +/// A glob expression matching the IDs of one or more controls to be selected. +/// +/// A formal (executable) expression of a constraint. +/// +/// A parameter value or set of values. +/// +/// A single line of an address. +/// +/// City, town or geographical region for the mailing address. +/// +/// The ISO 3166-1 alpha-2 country code for the mailing address. +/// +/// Postal or ZIP code for mailing address. +/// +/// State, province or analogous geographical region for a mailing address. +/// +/// The OSCAL model version the document was authored against and will conform to as valid. +/// +/// The full name of the party. This is typically the legal name associated with the party. +/// +/// A short common name, abbreviation, or acronym for the party. +/// +/// Used to distinguish a specific revision of an OSCAL document from other previous and +/// future versions. +/// +/// A short common name, abbreviation, or acronym for the role. +/// +/// The digest method by which a hash is derived. +/// +/// Indicates the type of phone number. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[non_exhaustive] +#[derive(EnumString, Derivative)] +#[derivative(PartialEq)] +pub enum CombinationMethod { + Keep, + Merge, + #[serde(rename = "use-first")] + UseFirst, +} + +/// Provides an alternate grouping structure that selected controls will be placed in. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct CustomGrouping { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub groups: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub insert_controls: Option>, +} + +/// A group of (selected) controls or of groups of controls. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ControlGroup { + /// A textual label that provides a sub-type or characterization of the group. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub class: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub groups: Option>, + /// Identifies the group. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub id: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub insert_controls: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub params: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub parts: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + /// A name to be given to the group for use in display. + #[serde(deserialize_with = "validation::deser_markup")] + pub title: String, +} + +/// Specifies which controls to use in the containing context. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct InsertControls { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub exclude_controls: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub include_all: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub include_controls: Option>, + /// A designation of how a selection of controls in a profile is to be ordered. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub order: Option, +} +/// A designation of how a selection of controls in a profile is to be ordered. +/// +/// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +/// the name that will be assigned to the file when the file is decoded. +/// +/// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +/// https://www.w3.org/TR/xmlschema11-2/#NCName. +/// +/// A textual label that provides a sub-type or characterization of the property's name. +/// +/// An identifier for relating distinct sets of properties. +/// +/// A textual label, within a namespace, that uniquely identifies a specific attribute, +/// characteristic, or quality of the property's containing object. +/// +/// Selecting a control by its ID given as a literal. +/// +/// A textual label that provides a sub-type or characterization of the group. +/// +/// Identifies the group. +/// +/// A textual label that provides a characterization of the type, purpose, use or scope of +/// the parameter. +/// +/// (deprecated) Another parameter invoking this one. This construct has been deprecated and +/// should not be used. +/// +/// A unique identifier for the parameter. +/// +/// An optional textual providing a sub-type or characterization of the part's name, or a +/// category to which the part belongs. +/// +/// A unique identifier for the part. +/// +/// A textual label that uniquely identifies the part's semantic type, which exists in a +/// value space qualified by the ns. +/// +/// A reference to a role performed by a party. +/// +/// The type of action documented by the assembly, such as an approval. +/// +/// A unique identifier for the role. +/// +/// Target location of the addition. +/// +/// A reference to a control with a corresponding id value. When referencing an externally +/// defined control, the Control Identifier Reference must be used in the context of the +/// external / imported OSCAL instance (e.g., uri-reference). +/// +/// Identify items to remove by matching their class. +/// +/// Identify items to remove indicated by their id. +/// +/// Identify items remove by matching their assigned name. +/// +/// Identify items to remove by the item's ns, which is the namespace associated with a part, +/// or prop. +/// +/// A textual label that provides a characterization of the parameter. +/// +/// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +/// and should not be used. +/// +/// An identifier for the parameter. +/// +/// Describes the type of relationship provided by the link's hypertext reference. This can +/// be an indicator of the link's purpose. +/// +/// Indicates the type of address. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "snake_case")] +#[non_exhaustive] +#[derive(EnumString, Derivative)] +#[derivative(PartialEq)] +pub enum Order { + Ascending, + Descending, + Keep, +} + +/// Parameters provide a mechanism for the dynamic assignment of value(s) in a control. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Parameter { + /// A textual label that provides a characterization of the type, purpose, use or scope of + /// the parameter. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub class: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub constraints: Option>, + /// (deprecated) Another parameter invoking this one. This construct has been deprecated and + /// should not be used. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub depends_on: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub guidelines: Option>, + /// A unique identifier for the parameter. + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub id: String, + /// A short, placeholder name for the parameter, which can be used as a substitute for a + /// value if no value is assigned. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub label: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub select: Option, + /// Describes the purpose and use of a parameter. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub usage: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub values: Option>, +} + +/// A formal or informal expression of a constraint or test. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Constraint { + /// A textual summary of the constraint to be applied. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub description: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub tests: Option>, +} + +/// A test expression which is expected to be evaluated by a tool. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ConstraintTest { + /// A formal (executable) expression of a constraint. + pub expression: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, +} + +/// A prose statement that provides a recommendation for the use of a parameter. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Guideline { + /// Prose permits multiple paragraphs, lists, tables etc. + #[serde(deserialize_with = "validation::deser_markup")] + pub prose: String, +} + +/// Presenting a choice among alternatives. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Selection { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub choice: Option>, + /// Describes the number of selections that must occur. Without this setting, only one value + /// should be assumed to be permitted. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub how_many: Option, +} +/// Describes the number of selections that must occur. Without this setting, only one value +/// should be assumed to be permitted. +/// +/// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +/// the name that will be assigned to the file when the file is decoded. +/// +/// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +/// https://www.w3.org/TR/xmlschema11-2/#NCName. +/// +/// A textual label that provides a sub-type or characterization of the property's name. +/// +/// An identifier for relating distinct sets of properties. +/// +/// A textual label, within a namespace, that uniquely identifies a specific attribute, +/// characteristic, or quality of the property's containing object. +/// +/// Selecting a control by its ID given as a literal. +/// +/// A textual label that provides a sub-type or characterization of the group. +/// +/// Identifies the group. +/// +/// A textual label that provides a characterization of the type, purpose, use or scope of +/// the parameter. +/// +/// (deprecated) Another parameter invoking this one. This construct has been deprecated and +/// should not be used. +/// +/// A unique identifier for the parameter. +/// +/// An optional textual providing a sub-type or characterization of the part's name, or a +/// category to which the part belongs. +/// +/// A unique identifier for the part. +/// +/// A textual label that uniquely identifies the part's semantic type, which exists in a +/// value space qualified by the ns. +/// +/// A reference to a role performed by a party. +/// +/// The type of action documented by the assembly, such as an approval. +/// +/// A unique identifier for the role. +/// +/// Target location of the addition. +/// +/// A reference to a control with a corresponding id value. When referencing an externally +/// defined control, the Control Identifier Reference must be used in the context of the +/// external / imported OSCAL instance (e.g., uri-reference). +/// +/// Identify items to remove by matching their class. +/// +/// Identify items to remove indicated by their id. +/// +/// Identify items remove by matching their assigned name. +/// +/// Identify items to remove by the item's ns, which is the namespace associated with a part, +/// or prop. +/// +/// A textual label that provides a characterization of the parameter. +/// +/// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +/// and should not be used. +/// +/// An identifier for the parameter. +/// +/// Describes the type of relationship provided by the link's hypertext reference. This can +/// be an indicator of the link's purpose. +/// +/// Indicates the type of address. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[non_exhaustive] +#[derive(EnumString, Derivative)] +#[derivative(PartialEq)] +pub enum ParameterCardinality { + One, + #[serde(rename = "one-or-more")] + OneOrMore, +} + +/// An annotated, markup-based textual element of a control's or catalog group's definition, +/// or a child of another part. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Part { + /// An optional textual providing a sub-type or characterization of the part's name, or a + /// category to which the part belongs. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub class: Option, + /// A unique identifier for the part. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub id: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + /// A textual label that uniquely identifies the part's semantic type, which exists in a + /// value space qualified by the ns. + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub name: String, + /// An optional namespace qualifying the part's name. This allows different organizations to + /// associate distinct semantics with the same name. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uri_opt", + deserialize_with = "validation::deser_uri_opt" + )] + pub ns: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub parts: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + /// Permits multiple paragraphs, lists, tables etc. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub prose: Option, + /// An optional name given to the part, which may be used by a tool for display and + /// navigation. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub title: Option, +} + +/// Directs that controls appear without any grouping structure. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct FlatWithoutGrouping {} + +/// Provides information about the containing document, and defines concepts that are shared +/// across the document. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct DocumentMetadata { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub actions: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub document_ids: Option>, + #[serde( + serialize_with = "validation::ser_dttz", + deserialize_with = "validation::deser_dttz" + )] + pub last_modified: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub locations: Option>, + pub oscal_version: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub parties: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub published: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsible_parties: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub revisions: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub roles: Option>, + /// A name given to the document, which may be used by a tool for display and navigation. + #[serde(deserialize_with = "validation::deser_markup")] + pub title: String, + pub version: String, +} + +/// An action applied by a role within a given party to the content. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Action { + /// The date and time when the action occurred. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_dttz_opt", + deserialize_with = "validation::deser_dttz_opt" + )] + pub date: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsible_parties: Option>, + /// Specifies the action type system used. + pub system: String, + /// The type of action documented by the assembly, such as an approval. + #[serde(rename = "type")] + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub action_type: String, + /// A unique identifier that can be used to reference this defined action elsewhere in an + /// OSCAL document. A UUID should be consistently used for a given location across revisions + /// of the document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// A reference to a set of persons and/or organizations that have responsibility for +/// performing the referenced role in the context of the containing object. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ResponsibleParty { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[serde( + serialize_with = "validation::ser_uuid_vec", + deserialize_with = "validation::deser_uuid_vec" + )] + pub party_uuids: Vec, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A reference to a role performed by a party. + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub role_id: String, +} + +/// A physical point of presence, which may be associated with people, organizations, or +/// other concepts within the current or linked OSCAL document. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Location { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub address: Option
, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_email_vec_opt", + deserialize_with = "validation::deser_email_vec_opt" + )] + pub email_addresses: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub telephone_numbers: Option>, + /// A name given to the location, which may be used by a tool for display and navigation. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub title: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uri_vec_opt", + deserialize_with = "validation::deser_uri_vec_opt" + )] + pub urls: Option>, + /// A unique ID for the location, for reference. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// A postal address for the location. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Address { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub addr_lines: Option>, + /// City, town or geographical region for the mailing address. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub city: Option, + /// The ISO 3166-1 alpha-2 country code for the mailing address. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub country: Option, + /// Postal or ZIP code for mailing address. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub postal_code: Option, + /// State, province or analogous geographical region for a mailing address. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub state: Option, + /// Indicates the type of address. + #[serde(rename = "type")] + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub address_type: Option, +} + +/// A telephone service number as defined by ITU-T E.164. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct TelephoneNumber { + pub number: String, + /// Indicates the type of phone number. + #[serde(rename = "type")] + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub telephone_number_type: Option, +} + +/// An organization or person, which may be associated with roles or other concepts within +/// the current or linked OSCAL document. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Party { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub addresses: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_email_vec_opt", + deserialize_with = "validation::deser_email_vec_opt" + )] + pub email_addresses: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub external_ids: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub location_uuids: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uuid_vec_opt", + deserialize_with = "validation::deser_uuid_vec_opt" + )] + pub member_of_organizations: Option>, + /// The full name of the party. This is typically the legal name associated with the party. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub name: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A short common name, abbreviation, or acronym for the party. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub short_name: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub telephone_numbers: Option>, + /// A category describing the kind of party the object describes. + #[serde(rename = "type")] + pub party_type: PartyType, + /// A unique identifier for the party. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// An identifier for a person or organization using a designated scheme. e.g. an Open +/// Researcher and Contributor ID (ORCID). +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct PartyExternalIdentifier { + pub id: String, + /// Indicates the type of external identifier. + #[serde( + serialize_with = "validation::ser_uri", + deserialize_with = "validation::deser_uri" + )] + pub scheme: String, +} +/// A category describing the kind of party the object describes. +/// +/// A label that indicates the nature of a resource, as a data serialization or format. +/// +/// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, +/// U+10, U+32 or [ +/// ]+ +/// +/// In case where the href points to a back-matter/resource, this value will indicate the URI +/// fragment to append to any rlink associated with the resource. This value MUST be URI +/// encoded. +/// +/// Indicates the value of the attribute, characteristic, or quality. +/// +/// A glob expression matching the IDs of one or more controls to be selected. +/// +/// A formal (executable) expression of a constraint. +/// +/// A parameter value or set of values. +/// +/// A single line of an address. +/// +/// City, town or geographical region for the mailing address. +/// +/// The ISO 3166-1 alpha-2 country code for the mailing address. +/// +/// Postal or ZIP code for mailing address. +/// +/// State, province or analogous geographical region for a mailing address. +/// +/// The OSCAL model version the document was authored against and will conform to as valid. +/// +/// The full name of the party. This is typically the legal name associated with the party. +/// +/// A short common name, abbreviation, or acronym for the party. +/// +/// Used to distinguish a specific revision of an OSCAL document from other previous and +/// future versions. +/// +/// A short common name, abbreviation, or acronym for the role. +/// +/// The digest method by which a hash is derived. +/// +/// Indicates the type of phone number. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "snake_case")] +#[non_exhaustive] +#[derive(EnumString, Derivative)] +#[derivative(PartialEq)] +pub enum PartyType { + Organization, + Person, +} + +/// An entry in a sequential list of revisions to the containing document, expected to be in +/// reverse chronological order (i.e. latest first). +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct RevisionHistoryEntry { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_dttz_opt", + deserialize_with = "validation::deser_dttz_opt" + )] + pub last_modified: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub oscal_version: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_dttz_opt", + deserialize_with = "validation::deser_dttz_opt" + )] + pub published: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A name given to the document revision, which may be used by a tool for display and + /// navigation. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub title: Option, + pub version: String, +} + +/// Defines a function, which might be assigned to a party in a specific situation. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Role { + /// A summary of the role's purpose and associated responsibilities. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub description: Option, + /// A unique identifier for the role. + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub id: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A short common name, abbreviation, or acronym for the role. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub short_name: Option, + /// A name given to the role, which may be used by a tool for display and navigation. + pub title: String, +} + +/// Set parameters or amend controls in resolution. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ModifyControls { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub alters: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub set_parameters: Option>, +} + +/// Specifies changes to be made to an included control when a profile is resolved. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Alteration { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub adds: Option>, + /// A reference to a control with a corresponding id value. When referencing an externally + /// defined control, the Control Identifier Reference must be used in the context of the + /// external / imported OSCAL instance (e.g., uri-reference). + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub control_id: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub removes: Option>, +} + +/// Specifies contents to be added into controls, in resolution. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Addition { + /// Target location of the addition. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub by_id: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub params: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub parts: Option>, + /// Where to add the new content with respect to the targeted element (beside it or inside + /// it). + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub position: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + /// A name given to the control, which may be used by a tool for display and navigation. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub title: Option, +} +/// Where to add the new content with respect to the targeted element (beside it or inside +/// it). +/// +/// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +/// the name that will be assigned to the file when the file is decoded. +/// +/// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +/// https://www.w3.org/TR/xmlschema11-2/#NCName. +/// +/// A textual label that provides a sub-type or characterization of the property's name. +/// +/// An identifier for relating distinct sets of properties. +/// +/// A textual label, within a namespace, that uniquely identifies a specific attribute, +/// characteristic, or quality of the property's containing object. +/// +/// Selecting a control by its ID given as a literal. +/// +/// A textual label that provides a sub-type or characterization of the group. +/// +/// Identifies the group. +/// +/// A textual label that provides a characterization of the type, purpose, use or scope of +/// the parameter. +/// +/// (deprecated) Another parameter invoking this one. This construct has been deprecated and +/// should not be used. +/// +/// A unique identifier for the parameter. +/// +/// An optional textual providing a sub-type or characterization of the part's name, or a +/// category to which the part belongs. +/// +/// A unique identifier for the part. +/// +/// A textual label that uniquely identifies the part's semantic type, which exists in a +/// value space qualified by the ns. +/// +/// A reference to a role performed by a party. +/// +/// The type of action documented by the assembly, such as an approval. +/// +/// A unique identifier for the role. +/// +/// Target location of the addition. +/// +/// A reference to a control with a corresponding id value. When referencing an externally +/// defined control, the Control Identifier Reference must be used in the context of the +/// external / imported OSCAL instance (e.g., uri-reference). +/// +/// Identify items to remove by matching their class. +/// +/// Identify items to remove indicated by their id. +/// +/// Identify items remove by matching their assigned name. +/// +/// Identify items to remove by the item's ns, which is the namespace associated with a part, +/// or prop. +/// +/// A textual label that provides a characterization of the parameter. +/// +/// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +/// and should not be used. +/// +/// An identifier for the parameter. +/// +/// Describes the type of relationship provided by the link's hypertext reference. This can +/// be an indicator of the link's purpose. +/// +/// Indicates the type of address. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "snake_case")] +#[non_exhaustive] +#[derive(EnumString, Derivative)] +#[derivative(PartialEq)] +pub enum Position { + After, + Before, + Ending, + Starting, +} + +/// Specifies objects to be removed from a control based on specific aspects of the object +/// that must all match. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Removal { + /// Identify items to remove by matching their class. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub by_class: Option, + /// Identify items to remove indicated by their id. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub by_id: Option, + /// Identify items to remove by the name of the item's information object name, e.g. title or + /// prop. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub by_item_name: Option, + /// Identify items remove by matching their assigned name. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub by_name: Option, + /// Identify items to remove by the item's ns, which is the namespace associated with a part, + /// or prop. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub by_ns: Option, +} +/// Identify items to remove by the name of the item's information object name, e.g. title or +/// prop. +/// +/// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +/// the name that will be assigned to the file when the file is decoded. +/// +/// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +/// https://www.w3.org/TR/xmlschema11-2/#NCName. +/// +/// A textual label that provides a sub-type or characterization of the property's name. +/// +/// An identifier for relating distinct sets of properties. +/// +/// A textual label, within a namespace, that uniquely identifies a specific attribute, +/// characteristic, or quality of the property's containing object. +/// +/// Selecting a control by its ID given as a literal. +/// +/// A textual label that provides a sub-type or characterization of the group. +/// +/// Identifies the group. +/// +/// A textual label that provides a characterization of the type, purpose, use or scope of +/// the parameter. +/// +/// (deprecated) Another parameter invoking this one. This construct has been deprecated and +/// should not be used. +/// +/// A unique identifier for the parameter. +/// +/// An optional textual providing a sub-type or characterization of the part's name, or a +/// category to which the part belongs. +/// +/// A unique identifier for the part. +/// +/// A textual label that uniquely identifies the part's semantic type, which exists in a +/// value space qualified by the ns. +/// +/// A reference to a role performed by a party. +/// +/// The type of action documented by the assembly, such as an approval. +/// +/// A unique identifier for the role. +/// +/// Target location of the addition. +/// +/// A reference to a control with a corresponding id value. When referencing an externally +/// defined control, the Control Identifier Reference must be used in the context of the +/// external / imported OSCAL instance (e.g., uri-reference). +/// +/// Identify items to remove by matching their class. +/// +/// Identify items to remove indicated by their id. +/// +/// Identify items remove by matching their assigned name. +/// +/// Identify items to remove by the item's ns, which is the namespace associated with a part, +/// or prop. +/// +/// A textual label that provides a characterization of the parameter. +/// +/// **(deprecated)** Another parameter invoking this one. This construct has been deprecated +/// and should not be used. +/// +/// An identifier for the parameter. +/// +/// Describes the type of relationship provided by the link's hypertext reference. This can +/// be an indicator of the link's purpose. +/// +/// Indicates the type of address. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "snake_case")] +#[non_exhaustive] +#[derive(EnumString, Derivative)] +#[derivative(PartialEq)] +pub enum ItemNameReference { + Link, + Map, + Mapping, + Param, + Part, + Prop, +} + +/// A parameter setting, to be propagated to points of insertion. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ParameterSetting { + /// A textual label that provides a characterization of the parameter. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub class: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub constraints: Option>, + /// **(deprecated)** Another parameter invoking this one. This construct has been deprecated + /// and should not be used. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub depends_on: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub guidelines: Option>, + /// A short, placeholder name for the parameter, which can be used as a substitute for a + /// value if no value is assigned. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub label: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + /// An identifier for the parameter. + pub param_id: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub select: Option, + /// Describes the purpose and use of a parameter. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub usage: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub values: Option>, +} diff --git a/roscal_lib/src/implementation/component_definition.rs b/roscal_lib/src/implementation/component_definition.rs new file mode 100644 index 0000000..e65e9cb --- /dev/null +++ b/roscal_lib/src/implementation/component_definition.rs @@ -0,0 +1,1199 @@ +use derivative::Derivative; +use strum::EnumString; +use derive_builder::Builder; +use serde::{Serialize, Deserialize}; +use crate::validation; + +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ComponentDefinition { + #[serde(rename = "$schema")] + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub schema: Option, + pub component_definition: ComponentDefinitionClass, +} + +/// A collection of component descriptions, which may optionally be grouped by capability. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ComponentDefinitionClass { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub back_matter: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub capabilities: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub components: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub import_component_definitions: Option>, + pub metadata: DocumentMetadata, + /// Provides a globally unique means to identify a given component definition instance. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// A collection of resources that may be referenced from within the OSCAL document instance. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct BackMatter { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub resources: Option>, +} + +/// A resource associated with content in the containing document instance. A resource may be +/// directly included in the document using base64 encoding or may point to one or more +/// equivalent internet resources. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Resource { + /// A resource encoded using the Base64 alphabet defined by RFC 2045. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub base64: Option, + /// An optional citation consisting of end note text using structured markup. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub citation: Option, + /// An optional short summary of the resource used to indicate the purpose of the resource. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub description: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub document_ids: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub rlinks: Option>, + /// An optional name given to the resource, which may be used by a tool for display and + /// navigation. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub title: Option, + /// A unique identifier for a resource. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// A resource encoded using the Base64 alphabet defined by RFC 2045. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Base64 { + /// Name of the file before it was encoded as Base64 to be embedded in a resource. This is + /// the name that will be assigned to the file when the file is decoded. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub filename: Option, + /// A label that indicates the nature of a resource, as a data serialization or format. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub media_type: Option, + #[serde( + serialize_with = "validation::ser_base64", + deserialize_with = "validation::deser_base64" + )] + pub value: String, +} + +/// An optional citation consisting of end note text using structured markup. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Citation { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + /// A line of citation text. + #[serde(deserialize_with = "validation::deser_markup")] + pub text: String, +} + +/// A reference to a local or remote resource, that has a specific relation to the containing +/// object. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Link { + /// A resolvable URL reference to a resource. + #[serde( + serialize_with = "validation::ser_uri_ref", + deserialize_with = "validation::deser_uri_ref" + )] + pub href: String, + /// A label that indicates the nature of a resource, as a data serialization or format. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub media_type: Option, + /// Describes the type of relationship provided by the link's hypertext reference. This can + /// be an indicator of the link's purpose. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub rel: Option, + /// In case where the href points to a back-matter/resource, this value will indicate the URI + /// fragment to append to any rlink associated with the resource. This value MUST be URI + /// encoded. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub resource_fragment: Option, + /// A textual label to associate with the link, which may be used for presentation in a tool. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub text: Option, +} + +/// An attribute, characteristic, or quality of the containing object expressed as a +/// namespace qualified name/value pair. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Property { + /// A textual label that provides a sub-type or characterization of the property's name. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub class: Option, + /// An identifier for relating distinct sets of properties. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub group: Option, + /// A textual label, within a namespace, that uniquely identifies a specific attribute, + /// characteristic, or quality of the property's containing object. + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub name: String, + /// A namespace qualifying the property's name. This allows different organizations to + /// associate distinct semantics with the same name. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uri_opt", + deserialize_with = "validation::deser_uri_opt" + )] + pub ns: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A unique identifier for a property. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uuid_opt", + deserialize_with = "validation::deser_uuid_opt" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: Option, + /// Indicates the value of the attribute, characteristic, or quality. + pub value: String, +} + +/// A document identifier qualified by an identifier scheme. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct DocumentIdentifier { + pub identifier: String, + /// Qualifies the kind of document identifier using a URI. If the scheme is not provided the + /// value of the element will be interpreted as a string of characters. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uri_opt", + deserialize_with = "validation::deser_uri_opt" + )] + pub scheme: Option, +} + +/// A URL-based pointer to an external resource with an optional hash for verification and +/// change detection. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ResourceLink { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub hashes: Option>, + /// A resolvable URL pointing to the referenced resource. + #[serde( + serialize_with = "validation::ser_uri_ref", + deserialize_with = "validation::deser_uri_ref" + )] + pub href: String, + /// A label that indicates the nature of a resource, as a data serialization or format. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub media_type: Option, +} + +/// A representation of a cryptographic digest generated over a resource using a specified +/// hash algorithm. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Hash { + /// The digest method by which a hash is derived. + pub algorithm: String, + #[serde( + serialize_with = "validation::ser_hash", + deserialize_with = "validation::deser_hash" + )] + pub value: String, +} + +/// A grouping of other components and/or capabilities. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Capability { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub control_implementations: Option>, + /// A summary of the capability. + #[serde(deserialize_with = "validation::deser_markup")] + pub description: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub incorporates_components: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + /// The capability's human-readable name. + pub name: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// Provides a globally unique means to identify a given capability. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// Defines how the component or capability supports a set of controls. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ControlImplementationSet { + /// A description of how the specified set of controls are implemented for the containing + /// component or capability. + #[serde(deserialize_with = "validation::deser_markup")] + pub description: String, + pub implemented_requirements: Vec, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub set_parameters: Option>, + /// A reference to an OSCAL catalog or profile providing the referenced control or subcontrol + /// definition. + pub source: String, + /// Provides a means to identify a set of control implementations that are supported by a + /// given component or capability. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// Describes how the containing component or capability implements an individual control. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ControlImplementation { + /// A reference to a control with a corresponding id value. When referencing an externally + /// defined control, the Control Identifier Reference must be used in the context of the + /// external / imported OSCAL instance (e.g., uri-reference). + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub control_id: String, + /// A suggestion from the supplier (e.g., component vendor or author) for how the specified + /// control may be implemented if the containing component or capability is instantiated in a + /// system security plan. + pub description: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsible_roles: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub set_parameters: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub statements: Option>, + /// Provides a globally unique means to identify a given control implementation by a + /// component. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// A reference to a role with responsibility for performing a function relative to the +/// containing object, optionally associated with a set of persons and/or organizations that +/// perform that role. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ResponsibleRole { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uuid_vec_opt", + deserialize_with = "validation::deser_uuid_vec_opt" + )] + pub party_uuids: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A human-oriented identifier reference to a role performed. + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub role_id: String, +} + +/// Identifies the parameter that will be set by the enclosed value. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct SetParameterValue { + /// A human-oriented reference to a parameter within a control, who's catalog has been + /// imported into the current implementation context. + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub param_id: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + pub values: Vec, +} + +/// Identifies which statements within a control are addressed. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ControlStatementImplementation { + /// A summary of how the containing control statement is implemented by the component or + /// capability. + #[serde(deserialize_with = "validation::deser_markup")] + pub description: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsible_roles: Option>, + /// A human-oriented identifier reference to a control statement. + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub statement_id: String, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this control statement elsewhere in this or other OSCAL instances. The UUID + /// of the control statement in the source OSCAL instance is sufficient to reference the data + /// item locally or globally (e.g., in an imported OSCAL instance). + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// The collection of components comprising this capability. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct IncorporatesComponent { + /// A machine-oriented identifier reference to a component. + #[derivative(PartialEq = "ignore")] + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + pub component_uuid: String, + /// A description of the component, including information about its function. + pub description: String, +} + +/// A defined component that can be part of an implemented system. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Component { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub control_implementations: Option>, + /// A description of the component, including information about its function. + #[serde(deserialize_with = "validation::deser_markup")] + pub description: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub protocols: Option>, + /// A summary of the technological or business purpose of the component. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub purpose: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsible_roles: Option>, + /// A human readable name for the component. + #[serde(deserialize_with = "validation::deser_markup")] + pub title: String, + /// A category describing the purpose of the component. + #[serde(rename = "type")] + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub component_type: String, + /// Provides a globally unique means to identify a given component. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// Information about the protocol used to provide a service. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ServiceProtocolInformation { + /// The common name of the protocol, which should be the appropriate "service name" from the + /// IANA Service Name and Transport Protocol Port Number Registry. + pub name: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub port_ranges: Option>, + /// A human readable name for the protocol (e.g., Transport Layer Security). + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub title: Option, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this service protocol information elsewhere in this or other OSCAL + /// instances. The locally defined UUID of the service protocol can be used to reference the + /// data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + /// assigned per-subject, which means it should be consistently used to identify the same + /// subject across revisions of the document. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uuid_opt", + deserialize_with = "validation::deser_uuid_opt" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: Option, +} + +/// Where applicable this is the IPv4 port range on which the service operates. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct PortRange { + /// Indicates the ending port number in a port range + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_non_neg_int_opt", + deserialize_with = "validation::deser_non_neg_int_opt" + )] + pub end: Option, + /// Indicates the starting port number in a port range + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_non_neg_int_opt", + deserialize_with = "validation::deser_non_neg_int_opt" + )] + pub start: Option, + /// Indicates the transport type. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub transport: Option, +} +/// Indicates the transport type. +/// +/// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +/// the name that will be assigned to the file when the file is decoded. +/// +/// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +/// https://www.w3.org/TR/xmlschema11-2/#NCName. +/// +/// A textual label that provides a sub-type or characterization of the property's name. +/// +/// An identifier for relating distinct sets of properties. +/// +/// A textual label, within a namespace, that uniquely identifies a specific attribute, +/// characteristic, or quality of the property's containing object. +/// +/// A reference to a control with a corresponding id value. When referencing an externally +/// defined control, the Control Identifier Reference must be used in the context of the +/// external / imported OSCAL instance (e.g., uri-reference). +/// +/// A human-oriented identifier reference to a role performed. +/// +/// A human-oriented reference to a parameter within a control, who's catalog has been +/// imported into the current implementation context. +/// +/// A human-oriented identifier reference to a control statement. +/// +/// A reference to a role performed by a party. +/// +/// The type of action documented by the assembly, such as an approval. +/// +/// A unique identifier for the role. +/// +/// Describes the type of relationship provided by the link's hypertext reference. This can +/// be an indicator of the link's purpose. +/// +/// Indicates the type of address. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[non_exhaustive] +#[derive(EnumString, Derivative)] +#[derivative(PartialEq)] +pub enum Transport { + #[serde(rename = "TCP")] + Tcp, + #[serde(rename = "UDP")] + Udp, +} + +/// Loads a component definition from another resource. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ImportComponentDefinition { + /// A link to a resource that defines a set of components and/or capabilities to import into + /// this collection. + #[serde( + serialize_with = "validation::ser_uri_ref", + deserialize_with = "validation::deser_uri_ref" + )] + pub href: String, +} + +/// Provides information about the containing document, and defines concepts that are shared +/// across the document. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct DocumentMetadata { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub actions: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub document_ids: Option>, + #[serde( + serialize_with = "validation::ser_dttz", + deserialize_with = "validation::deser_dttz" + )] + pub last_modified: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub locations: Option>, + pub oscal_version: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub parties: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub published: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsible_parties: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub revisions: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub roles: Option>, + /// A name given to the document, which may be used by a tool for display and navigation. + #[serde(deserialize_with = "validation::deser_markup")] + pub title: String, + pub version: String, +} + +/// An action applied by a role within a given party to the content. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Action { + /// The date and time when the action occurred. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_dttz_opt", + deserialize_with = "validation::deser_dttz_opt" + )] + pub date: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsible_parties: Option>, + /// Specifies the action type system used. + pub system: String, + /// The type of action documented by the assembly, such as an approval. + #[serde(rename = "type")] + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub action_type: String, + /// A unique identifier that can be used to reference this defined action elsewhere in an + /// OSCAL document. A UUID should be consistently used for a given location across revisions + /// of the document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// A reference to a set of persons and/or organizations that have responsibility for +/// performing the referenced role in the context of the containing object. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ResponsibleParty { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[serde( + serialize_with = "validation::ser_uuid_vec", + deserialize_with = "validation::deser_uuid_vec" + )] + pub party_uuids: Vec, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A reference to a role performed by a party. + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub role_id: String, +} + +/// A physical point of presence, which may be associated with people, organizations, or +/// other concepts within the current or linked OSCAL document. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Location { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub address: Option
, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_email_vec_opt", + deserialize_with = "validation::deser_email_vec_opt" + )] + pub email_addresses: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub telephone_numbers: Option>, + /// A name given to the location, which may be used by a tool for display and navigation. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub title: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uri_vec_opt", + deserialize_with = "validation::deser_uri_vec_opt" + )] + pub urls: Option>, + /// A unique ID for the location, for reference. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// A postal address for the location. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Address { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub addr_lines: Option>, + /// City, town or geographical region for the mailing address. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub city: Option, + /// The ISO 3166-1 alpha-2 country code for the mailing address. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub country: Option, + /// Postal or ZIP code for mailing address. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub postal_code: Option, + /// State, province or analogous geographical region for a mailing address. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub state: Option, + /// Indicates the type of address. + #[serde(rename = "type")] + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub address_type: Option, +} + +/// A telephone service number as defined by ITU-T E.164. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct TelephoneNumber { + pub number: String, + /// Indicates the type of phone number. + #[serde(rename = "type")] + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub telephone_number_type: Option, +} + +/// An organization or person, which may be associated with roles or other concepts within +/// the current or linked OSCAL document. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Party { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub addresses: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_email_vec_opt", + deserialize_with = "validation::deser_email_vec_opt" + )] + pub email_addresses: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub external_ids: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub location_uuids: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uuid_vec_opt", + deserialize_with = "validation::deser_uuid_vec_opt" + )] + pub member_of_organizations: Option>, + /// The full name of the party. This is typically the legal name associated with the party. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub name: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A short common name, abbreviation, or acronym for the party. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub short_name: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub telephone_numbers: Option>, + /// A category describing the kind of party the object describes. + #[serde(rename = "type")] + pub party_type: PartyType, + /// A unique identifier for the party. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// An identifier for a person or organization using a designated scheme. e.g. an Open +/// Researcher and Contributor ID (ORCID). +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct PartyExternalIdentifier { + pub id: String, + /// Indicates the type of external identifier. + #[serde( + serialize_with = "validation::ser_uri", + deserialize_with = "validation::deser_uri" + )] + pub scheme: String, +} +/// A category describing the kind of party the object describes. +/// +/// A label that indicates the nature of a resource, as a data serialization or format. +/// +/// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, +/// U+10, U+32 or [ +/// ]+ +/// +/// In case where the href points to a back-matter/resource, this value will indicate the URI +/// fragment to append to any rlink associated with the resource. This value MUST be URI +/// encoded. +/// +/// Indicates the value of the attribute, characteristic, or quality. +/// +/// A parameter value or set of values. +/// +/// The capability's human-readable name. +/// +/// The common name of the protocol, which should be the appropriate "service name" from the +/// IANA Service Name and Transport Protocol Port Number Registry. +/// +/// A single line of an address. +/// +/// City, town or geographical region for the mailing address. +/// +/// The ISO 3166-1 alpha-2 country code for the mailing address. +/// +/// Postal or ZIP code for mailing address. +/// +/// State, province or analogous geographical region for a mailing address. +/// +/// The OSCAL model version the document was authored against and will conform to as valid. +/// +/// The full name of the party. This is typically the legal name associated with the party. +/// +/// A short common name, abbreviation, or acronym for the party. +/// +/// Used to distinguish a specific revision of an OSCAL document from other previous and +/// future versions. +/// +/// A short common name, abbreviation, or acronym for the role. +/// +/// The digest method by which a hash is derived. +/// +/// A category describing the purpose of the component. +/// +/// Indicates the type of phone number. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "snake_case")] +#[non_exhaustive] +#[derive(EnumString, Derivative)] +#[derivative(PartialEq)] +pub enum PartyType { + Organization, + Person, +} + +/// An entry in a sequential list of revisions to the containing document, expected to be in +/// reverse chronological order (i.e. latest first). +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct RevisionHistoryEntry { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_dttz_opt", + deserialize_with = "validation::deser_dttz_opt" + )] + pub last_modified: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub oscal_version: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_dttz_opt", + deserialize_with = "validation::deser_dttz_opt" + )] + pub published: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A name given to the document revision, which may be used by a tool for display and + /// navigation. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub title: Option, + pub version: String, +} + +/// Defines a function, which might be assigned to a party in a specific situation. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Role { + /// A summary of the role's purpose and associated responsibilities. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub description: Option, + /// A unique identifier for the role. + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub id: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A short common name, abbreviation, or acronym for the role. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub short_name: Option, + /// A name given to the role, which may be used by a tool for display and navigation. + pub title: String, +} diff --git a/roscal_lib/src/implementation/mod.rs b/roscal_lib/src/implementation/mod.rs new file mode 100644 index 0000000..4c3c6e3 --- /dev/null +++ b/roscal_lib/src/implementation/mod.rs @@ -0,0 +1,6 @@ +//! OSCAL Implementation Layer. + +/// Component Definition Model +pub mod component_definition; +/// System Security Plan Model +pub mod ssp; diff --git a/roscal_lib/src/implementation/ssp.rs b/roscal_lib/src/implementation/ssp.rs new file mode 100644 index 0000000..39fc94b --- /dev/null +++ b/roscal_lib/src/implementation/ssp.rs @@ -0,0 +1,2165 @@ +use derivative::Derivative; +use strum::EnumString; +use derive_builder::Builder; +use serde::{Serialize, Deserialize}; +use crate::validation; + +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct SystemSecurityPlan { + #[serde(rename = "$schema")] + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub schema: Option, + pub system_security_plan: SystemSecurityPlanSsp, +} + +/// A system security plan, such as those described in NIST SP 800-18. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct SystemSecurityPlanSsp { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub back_matter: Option, + pub control_implementation: ControlImplementation, + pub import_profile: ImportProfile, + pub metadata: DocumentMetadata, + pub system_characteristics: SystemCharacteristics, + pub system_implementation: SystemImplementation, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this system security plan (SSP) elsewhere in this or other OSCAL instances. + /// The locally defined UUID of the SSP can be used to reference the data item locally or + /// globally (e.g., in an imported OSCAL instance).This UUID should be assigned per-subject, + /// which means it should be consistently used to identify the same subject across revisions + /// of the document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// A collection of resources that may be referenced from within the OSCAL document instance. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct BackMatter { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub resources: Option>, +} + +/// A resource associated with content in the containing document instance. A resource may be +/// directly included in the document using base64 encoding or may point to one or more +/// equivalent internet resources. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Resource { + /// A resource encoded using the Base64 alphabet defined by RFC 2045. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub base64: Option, + /// An optional citation consisting of end note text using structured markup. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub citation: Option, + /// An optional short summary of the resource used to indicate the purpose of the resource. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub description: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub document_ids: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub rlinks: Option>, + /// An optional name given to the resource, which may be used by a tool for display and + /// navigation. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub title: Option, + /// A unique identifier for a resource. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// A resource encoded using the Base64 alphabet defined by RFC 2045. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Base64 { + /// Name of the file before it was encoded as Base64 to be embedded in a resource. This is + /// the name that will be assigned to the file when the file is decoded. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub filename: Option, + /// A label that indicates the nature of a resource, as a data serialization or format. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub media_type: Option, + #[serde( + serialize_with = "validation::ser_base64", + deserialize_with = "validation::deser_base64" + )] + pub value: String, +} + +/// An optional citation consisting of end note text using structured markup. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Citation { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + /// A line of citation text. + #[serde(deserialize_with = "validation::deser_markup")] + pub text: String, +} + +/// A reference to a local or remote resource, that has a specific relation to the containing +/// object. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Link { + /// A resolvable URL reference to a resource. + #[serde( + serialize_with = "validation::ser_uri_ref", + deserialize_with = "validation::deser_uri_ref" + )] + pub href: String, + /// A label that indicates the nature of a resource, as a data serialization or format. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub media_type: Option, + /// Describes the type of relationship provided by the link's hypertext reference. This can + /// be an indicator of the link's purpose. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub rel: Option, + /// In case where the href points to a back-matter/resource, this value will indicate the URI + /// fragment to append to any rlink associated with the resource. This value MUST be URI + /// encoded. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub resource_fragment: Option, + /// A textual label to associate with the link, which may be used for presentation in a tool. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub text: Option, +} + +/// An attribute, characteristic, or quality of the containing object expressed as a +/// namespace qualified name/value pair. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Property { + /// A textual label that provides a sub-type or characterization of the property's name. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub class: Option, + /// An identifier for relating distinct sets of properties. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub group: Option, + /// A textual label, within a namespace, that uniquely identifies a specific attribute, + /// characteristic, or quality of the property's containing object. + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub name: String, + /// A namespace qualifying the property's name. This allows different organizations to + /// associate distinct semantics with the same name. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uri_opt", + deserialize_with = "validation::deser_uri_opt" + )] + pub ns: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A unique identifier for a property. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uuid_opt", + deserialize_with = "validation::deser_uuid_opt" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: Option, + /// Indicates the value of the attribute, characteristic, or quality. + pub value: String, +} + +/// A document identifier qualified by an identifier scheme. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct DocumentIdentifier { + pub identifier: String, + /// Qualifies the kind of document identifier using a URI. If the scheme is not provided the + /// value of the element will be interpreted as a string of characters. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uri_opt", + deserialize_with = "validation::deser_uri_opt" + )] + pub scheme: Option, +} + +/// A URL-based pointer to an external resource with an optional hash for verification and +/// change detection. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ResourceLink { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub hashes: Option>, + /// A resolvable URL pointing to the referenced resource. + #[serde( + serialize_with = "validation::ser_uri_ref", + deserialize_with = "validation::deser_uri_ref" + )] + pub href: String, + /// A label that indicates the nature of a resource, as a data serialization or format. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub media_type: Option, +} + +/// A representation of a cryptographic digest generated over a resource using a specified +/// hash algorithm. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Hash { + /// The digest method by which a hash is derived. + pub algorithm: String, + #[serde( + serialize_with = "validation::ser_hash", + deserialize_with = "validation::deser_hash" + )] + pub value: String, +} + +/// Describes how the system satisfies a set of controls. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ControlImplementation { + /// A statement describing important things to know about how this set of control + /// satisfaction documentation is approached. + #[serde(deserialize_with = "validation::deser_markup")] + pub description: String, + pub implemented_requirements: Vec, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub set_parameters: Option>, +} + +/// Describes how the system satisfies the requirements of an individual control. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ControlBasedRequirement { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub by_components: Option>, + /// A reference to a control with a corresponding id value. When referencing an externally + /// defined control, the Control Identifier Reference must be used in the context of the + /// external / imported OSCAL instance (e.g., uri-reference). + pub control_id: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsible_roles: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub set_parameters: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub statements: Option>, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this control requirement elsewhere in this or other OSCAL instances. The + /// locally defined UUID of the control requirement can be used to reference the data item + /// locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + /// per-subject, which means it should be consistently used to identify the same subject + /// across revisions of the document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// Defines how the referenced component implements a set of controls. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ComponentControlImplementation { + /// A machine-oriented identifier reference to the component that is implemeting a given + /// control. + #[derivative(PartialEq = "ignore")] + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + pub component_uuid: String, + /// An implementation statement that describes how a control or a control statement is + /// implemented within the referenced system component. + pub description: String, + /// Identifies content intended for external consumption, such as with leveraged + /// organizations. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub export: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub implementation_status: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub inherited: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsible_roles: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub satisfied: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub set_parameters: Option>, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this by-component entry elsewhere in this or other OSCAL instances. The + /// locally defined UUID of the by-component entry can be used to reference the data item + /// locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + /// per-subject, which means it should be consistently used to identify the same subject + /// across revisions of the document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// Identifies content intended for external consumption, such as with leveraged +/// organizations. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Export { + /// An implementation statement that describes the aspects of the control or control + /// statement implementation that can be available to another system leveraging this system. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub description: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub provided: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsibilities: Option>, +} + +/// Describes a capability which may be inherited by a leveraging system. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ProvidedControlImplementation { + /// An implementation statement that describes the aspects of the control or control + /// statement implementation that can be provided to another system leveraging this system. + #[serde(deserialize_with = "validation::deser_markup")] + pub description: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsible_roles: Option>, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this provided entry elsewhere in this or other OSCAL instances. The locally + /// defined UUID of the provided entry can be used to reference the data item locally or + /// globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + /// which means it should be consistently used to identify the same subject across revisions + /// of the document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// A reference to a role with responsibility for performing a function relative to the +/// containing object, optionally associated with a set of persons and/or organizations that +/// perform that role. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ResponsibleRole { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uuid_vec_opt", + deserialize_with = "validation::deser_uuid_vec_opt" + )] + pub party_uuids: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A human-oriented identifier reference to a role performed. + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub role_id: String, +} + +/// Describes a control implementation responsibility imposed on a leveraging system. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ControlImplementationResponsibility { + /// An implementation statement that describes the aspects of the control or control + /// statement implementation that a leveraging system must implement to satisfy the control + /// provided by a leveraged system. + pub description: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + /// A machine-oriented identifier reference to an inherited control implementation that a + /// leveraging system is inheriting from a leveraged system. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uuid_opt", + deserialize_with = "validation::deser_uuid_opt" + )] + pub provided_uuid: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsible_roles: Option>, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this responsibility elsewhere in this or other OSCAL instances. The locally + /// defined UUID of the responsibility can be used to reference the data item locally or + /// globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + /// which means it should be consistently used to identify the same subject across revisions + /// of the document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// Indicates the degree to which the a given control is implemented. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ImplementationStatus { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// Identifies the implementation status of the control or control objective. + pub state: String, +} + +/// Describes a control implementation inherited by a leveraging system. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct InheritedControlImplementation { + /// An implementation statement that describes the aspects of a control or control statement + /// implementation that a leveraging system is inheriting from a leveraged system. + pub description: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + /// A machine-oriented identifier reference to an inherited control implementation that a + /// leveraging system is inheriting from a leveraged system. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uuid_opt", + deserialize_with = "validation::deser_uuid_opt" + )] + pub provided_uuid: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsible_roles: Option>, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this inherited entry elsewhere in this or other OSCAL instances. The locally + /// defined UUID of the inherited control implementation can be used to reference the data + /// item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + /// assigned per-subject, which means it should be consistently used to identify the same + /// subject across revisions of the document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// Describes how this system satisfies a responsibility imposed by a leveraged system. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct SatisfiedControlImplementationResponsibility { + /// An implementation statement that describes the aspects of a control or control statement + /// implementation that a leveraging system is implementing based on a requirement from a + /// leveraged system. + pub description: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A machine-oriented identifier reference to a control implementation that satisfies a + /// responsibility imposed by a leveraged system. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uuid_opt", + deserialize_with = "validation::deser_uuid_opt" + )] + pub responsibility_uuid: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsible_roles: Option>, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this satisfied control implementation entry elsewhere in this or other OSCAL + /// instances. The locally defined UUID of the control implementation can be used to + /// reference the data item locally or globally (e.g., in an imported OSCAL instance). This + /// UUID should be assigned per-subject, which means it should be consistently used to + /// identify the same subject across revisions of the document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// Identifies the parameter that will be set by the enclosed value. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct SetParameterValue { + /// A human-oriented reference to a parameter within a control, who's catalog has been + /// imported into the current implementation context. + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub param_id: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + pub values: Vec, +} + +/// Identifies which statements within a control are addressed. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct SpecificControlStatement { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub by_components: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsible_roles: Option>, + /// A human-oriented identifier reference to a control statement. + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub statement_id: String, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this control statement elsewhere in this or other OSCAL instances. The UUID + /// of the control statement in the source OSCAL instance is sufficient to reference the data + /// item locally or globally (e.g., in an imported OSCAL instance). + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// Used to import the OSCAL profile representing the system's control baseline. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ImportProfile { + /// A resolvable URL reference to the profile or catalog to use as the system's control + /// baseline. + #[serde( + serialize_with = "validation::ser_uri_ref", + deserialize_with = "validation::deser_uri_ref" + )] + pub href: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, +} + +/// Provides information about the containing document, and defines concepts that are shared +/// across the document. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct DocumentMetadata { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub actions: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub document_ids: Option>, + #[serde( + serialize_with = "validation::ser_dttz", + deserialize_with = "validation::deser_dttz" + )] + pub last_modified: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub locations: Option>, + pub oscal_version: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub parties: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub published: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsible_parties: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub revisions: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub roles: Option>, + /// A name given to the document, which may be used by a tool for display and navigation. + #[serde(deserialize_with = "validation::deser_markup")] + pub title: String, + pub version: String, +} + +/// An action applied by a role within a given party to the content. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Action { + /// The date and time when the action occurred. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_dttz_opt", + deserialize_with = "validation::deser_dttz_opt" + )] + pub date: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsible_parties: Option>, + /// Specifies the action type system used. + pub system: String, + /// The type of action documented by the assembly, such as an approval. + #[serde(rename = "type")] + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub action_type: String, + /// A unique identifier that can be used to reference this defined action elsewhere in an + /// OSCAL document. A UUID should be consistently used for a given location across revisions + /// of the document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// A reference to a set of persons and/or organizations that have responsibility for +/// performing the referenced role in the context of the containing object. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ResponsibleParty { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[serde( + serialize_with = "validation::ser_uuid_vec", + deserialize_with = "validation::deser_uuid_vec" + )] + pub party_uuids: Vec, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A reference to a role performed by a party. + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub role_id: String, +} + +/// A physical point of presence, which may be associated with people, organizations, or +/// other concepts within the current or linked OSCAL document. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Location { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub address: Option
, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_email_vec_opt", + deserialize_with = "validation::deser_email_vec_opt" + )] + pub email_addresses: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub telephone_numbers: Option>, + /// A name given to the location, which may be used by a tool for display and navigation. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub title: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uri_vec_opt", + deserialize_with = "validation::deser_uri_vec_opt" + )] + pub urls: Option>, + /// A unique ID for the location, for reference. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// A postal address for the location. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Address { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub addr_lines: Option>, + /// City, town or geographical region for the mailing address. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub city: Option, + /// The ISO 3166-1 alpha-2 country code for the mailing address. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub country: Option, + /// Postal or ZIP code for mailing address. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub postal_code: Option, + /// State, province or analogous geographical region for a mailing address. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub state: Option, + /// Indicates the type of address. + #[serde(rename = "type")] + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_token_opt", + deserialize_with = "validation::deser_token_opt" + )] + pub address_type: Option, +} + +/// A telephone service number as defined by ITU-T E.164. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct TelephoneNumber { + pub number: String, + /// Indicates the type of phone number. + #[serde(rename = "type")] + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub telephone_number_type: Option, +} + +/// An organization or person, which may be associated with roles or other concepts within +/// the current or linked OSCAL document. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Party { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub addresses: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_email_vec_opt", + deserialize_with = "validation::deser_email_vec_opt" + )] + pub email_addresses: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub external_ids: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub location_uuids: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uuid_vec_opt", + deserialize_with = "validation::deser_uuid_vec_opt" + )] + pub member_of_organizations: Option>, + /// The full name of the party. This is typically the legal name associated with the party. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub name: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A short common name, abbreviation, or acronym for the party. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub short_name: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub telephone_numbers: Option>, + /// A category describing the kind of party the object describes. + #[serde(rename = "type")] + pub party_type: PartyType, + /// A unique identifier for the party. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// An identifier for a person or organization using a designated scheme. e.g. an Open +/// Researcher and Contributor ID (ORCID). +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct PartyExternalIdentifier { + pub id: String, + /// Indicates the type of external identifier. + #[serde( + serialize_with = "validation::ser_uri", + deserialize_with = "validation::deser_uri" + )] + pub scheme: String, +} +/// A category describing the kind of party the object describes. +/// +/// A label that indicates the nature of a resource, as a data serialization or format. +/// +/// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, +/// U+10, U+32 or [ +/// ]+ +/// +/// In case where the href points to a back-matter/resource, this value will indicate the URI +/// fragment to append to any rlink associated with the resource. This value MUST be URI +/// encoded. +/// +/// Indicates the value of the attribute, characteristic, or quality. +/// +/// A parameter value or set of values. +/// +/// A single line of an address. +/// +/// City, town or geographical region for the mailing address. +/// +/// The ISO 3166-1 alpha-2 country code for the mailing address. +/// +/// Postal or ZIP code for mailing address. +/// +/// State, province or analogous geographical region for a mailing address. +/// +/// The OSCAL model version the document was authored against and will conform to as valid. +/// +/// The full name of the party. This is typically the legal name associated with the party. +/// +/// A short common name, abbreviation, or acronym for the party. +/// +/// Used to distinguish a specific revision of an OSCAL document from other previous and +/// future versions. +/// +/// A short common name, abbreviation, or acronym for the role. +/// +/// A target-level of availability for the system, based on the sensitivity of information +/// within the system. +/// +/// A target-level of confidentiality for the system, based on the sensitivity of information +/// within the system. +/// +/// A target-level of integrity for the system, based on the sensitivity of information +/// within the system. +/// +/// The overall information system sensitivity categorization, such as defined by FIPS-199. +/// +/// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +/// +/// The selected (Confidentiality, Integrity, or Availability) security impact level. +/// +/// A human-oriented, globally unique identifier qualified by the given identification system +/// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +/// reference this system elsewhere in this or other OSCAL instances. This id should be +/// assigned per-subject, which means it should be consistently used to identify the same +/// subject across revisions of the document. +/// +/// The full name of the system. +/// +/// A short name for the system, such as an acronym, that is suitable for display in a data +/// table or summary list. +/// +/// The common name of the protocol, which should be the appropriate "service name" from the +/// IANA Service Name and Transport Protocol Port Number Registry. +/// +/// Describes a function performed for a given authorized privilege by this user class. +/// +/// A short common name, abbreviation, or acronym for the user. +/// +/// The digest method by which a hash is derived. +/// +/// Indicates the type of phone number. +/// +/// A category describing the purpose of the component. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "snake_case")] +#[non_exhaustive] +#[derive(EnumString, Derivative)] +#[derivative(PartialEq)] +pub enum PartyType { + Organization, + Person, +} + +/// An entry in a sequential list of revisions to the containing document, expected to be in +/// reverse chronological order (i.e. latest first). +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct RevisionHistoryEntry { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_dttz_opt", + deserialize_with = "validation::deser_dttz_opt" + )] + pub last_modified: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub oscal_version: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_dttz_opt", + deserialize_with = "validation::deser_dttz_opt" + )] + pub published: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A name given to the document revision, which may be used by a tool for display and + /// navigation. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub title: Option, + pub version: String, +} + +/// Defines a function, which might be assigned to a party in a specific situation. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Role { + /// A summary of the role's purpose and associated responsibilities. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub description: Option, + /// A unique identifier for the role. + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub id: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A short common name, abbreviation, or acronym for the role. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub short_name: Option, + /// A name given to the role, which may be used by a tool for display and navigation. + pub title: String, +} + +/// Contains the characteristics of the system, such as its name, purpose, and security +/// impact level. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct SystemCharacteristics { + pub authorization_boundary: AuthorizationBoundary, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub data_flow: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_date_opt", + deserialize_with = "validation::deser_date_opt" + )] + pub date_authorized: Option, + /// A summary of the system. + #[serde(deserialize_with = "validation::deser_markup")] + pub description: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub network_architecture: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsible_parties: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub security_impact_level: Option, + /// The overall information system sensitivity categorization, such as defined by FIPS-199. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub security_sensitivity_level: Option, + pub status: SystemCharacteristicsStatus, + pub system_ids: Vec, + pub system_information: SystemInformation, + /// The full name of the system. + pub system_name: String, + /// A short name for the system, such as an acronym, that is suitable for display in a data + /// table or summary list. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub system_name_short: Option, +} + +/// A description of this system's authorization boundary, optionally supplemented by +/// diagrams that illustrate the authorization boundary. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct AuthorizationBoundary { + /// A summary of the system's authorization boundary. + pub description: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub diagrams: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, +} + +/// A graphic that provides a visual representation the system, or some aspect of it. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Diagram { + /// A brief caption to annotate the diagram. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub caption: Option, + /// A summary of the diagram. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub description: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this diagram elsewhere in this or other OSCAL instances. The locally defined + /// UUID of the diagram can be used to reference the data item locally or globally (e.g., in + /// an imported OSCAL instance). This UUID should be assigned per-subject, which means it + /// should be consistently used to identify the same subject across revisions of the document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// A description of the logical flow of information within the system and across its +/// boundaries, optionally supplemented by diagrams that illustrate these flows. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct DataFlow { + /// A summary of the system's data flow. + pub description: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub diagrams: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, +} + +/// A description of the system's network architecture, optionally supplemented by diagrams +/// that illustrate the network architecture. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct NetworkArchitecture { + /// A summary of the system's network architecture. + pub description: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub diagrams: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, +} + +/// The overall level of expected impact resulting from unauthorized disclosure, +/// modification, or loss of access to information. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct SecurityImpactLevel { + /// A target-level of availability for the system, based on the sensitivity of information + /// within the system. + pub security_objective_availability: String, + /// A target-level of confidentiality for the system, based on the sensitivity of information + /// within the system. + pub security_objective_confidentiality: String, + /// A target-level of integrity for the system, based on the sensitivity of information + /// within the system. + pub security_objective_integrity: String, +} + +/// Describes the operational status of the system. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct SystemCharacteristicsStatus { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// The current operating status. + pub state: PurpleState, +} +/// The current operating status. +/// +/// A label that indicates the nature of a resource, as a data serialization or format. +/// +/// A non-empty string with leading and trailing whitespace disallowed. Whitespace is: U+9, +/// U+10, U+32 or [ +/// ]+ +/// +/// In case where the href points to a back-matter/resource, this value will indicate the URI +/// fragment to append to any rlink associated with the resource. This value MUST be URI +/// encoded. +/// +/// Indicates the value of the attribute, characteristic, or quality. +/// +/// A parameter value or set of values. +/// +/// A single line of an address. +/// +/// City, town or geographical region for the mailing address. +/// +/// The ISO 3166-1 alpha-2 country code for the mailing address. +/// +/// Postal or ZIP code for mailing address. +/// +/// State, province or analogous geographical region for a mailing address. +/// +/// The OSCAL model version the document was authored against and will conform to as valid. +/// +/// The full name of the party. This is typically the legal name associated with the party. +/// +/// A short common name, abbreviation, or acronym for the party. +/// +/// Used to distinguish a specific revision of an OSCAL document from other previous and +/// future versions. +/// +/// A short common name, abbreviation, or acronym for the role. +/// +/// A target-level of availability for the system, based on the sensitivity of information +/// within the system. +/// +/// A target-level of confidentiality for the system, based on the sensitivity of information +/// within the system. +/// +/// A target-level of integrity for the system, based on the sensitivity of information +/// within the system. +/// +/// The overall information system sensitivity categorization, such as defined by FIPS-199. +/// +/// The prescribed base (Confidentiality, Integrity, or Availability) security impact level. +/// +/// The selected (Confidentiality, Integrity, or Availability) security impact level. +/// +/// A human-oriented, globally unique identifier qualified by the given identification system +/// used, such as NIST SP 800-60. This identifier has cross-instance scope and can be used to +/// reference this system elsewhere in this or other OSCAL instances. This id should be +/// assigned per-subject, which means it should be consistently used to identify the same +/// subject across revisions of the document. +/// +/// The full name of the system. +/// +/// A short name for the system, such as an acronym, that is suitable for display in a data +/// table or summary list. +/// +/// The common name of the protocol, which should be the appropriate "service name" from the +/// IANA Service Name and Transport Protocol Port Number Registry. +/// +/// Describes a function performed for a given authorized privilege by this user class. +/// +/// A short common name, abbreviation, or acronym for the user. +/// +/// The digest method by which a hash is derived. +/// +/// Indicates the type of phone number. +/// +/// A category describing the purpose of the component. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[non_exhaustive] +#[derive(EnumString, Derivative)] +#[derivative(PartialEq)] +pub enum PurpleState { + Disposition, + Operational, + Other, + #[serde(rename = "under-development")] + UnderDevelopment, + #[serde(rename = "under-major-modification")] + UnderMajorModification, +} + +/// A human-oriented, globally unique identifier with cross-instance scope that can be used +/// to reference this system identification property elsewhere in this or other OSCAL +/// instances. When referencing an externally defined system identification, the system +/// identification must be used in the context of the external / imported OSCAL instance +/// (e.g., uri-reference). This string should be assigned per-subject, which means it should +/// be consistently used to identify the same system across revisions of the document. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct SystemIdentification { + pub id: String, + /// Identifies the identification system from which the provided identifier was assigned. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uri_opt", + deserialize_with = "validation::deser_uri_opt" + )] + pub identifier_type: Option, +} + +/// Contains details about all information types that are stored, processed, or transmitted +/// by the system, such as privacy information, and those defined in NIST SP 800-60. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct SystemInformation { + pub information_types: Vec, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, +} + +/// Contains details about one information type that is stored, processed, or transmitted by +/// the system, such as privacy information, and those defined in NIST SP 800-60. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct InformationType { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub availability_impact: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub categorizations: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub confidentiality_impact: Option, + /// A summary of how this information type is used within the system. + pub description: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub integrity_impact: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + /// A human readable name for the information type. This title should be meaningful within + /// the context of the system. + pub title: String, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this information type elsewhere in this or other OSCAL instances. The + /// locally defined UUID of the information type can be used to reference the data item + /// locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned + /// per-subject, which means it should be consistently used to identify the same subject + /// across revisions of the document. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uuid_opt", + deserialize_with = "validation::deser_uuid_opt" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: Option, +} + +/// The expected level of impact resulting from the described information. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ImpactLevel { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub adjustment_justification: Option, + pub base: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub selected: Option, +} + +/// A set of information type identifiers qualified by the given identification system used, +/// such as NIST SP 800-60. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct InformationTypeCategorization { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub information_type_ids: Option>, + /// Specifies the information type identification system used. + pub system: String, +} + +/// Provides information as to how the system is implemented. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct SystemImplementation { + pub components: Vec, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub inventory_items: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub leveraged_authorizations: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + pub users: Vec, +} + +/// A defined component that can be part of an implemented system. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Component { + /// A description of the component, including information about its function. + #[serde(deserialize_with = "validation::deser_markup")] + pub description: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub protocols: Option>, + /// A summary of the technological or business purpose of the component. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub purpose: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsible_roles: Option>, + /// Describes the operational status of the system component. + pub status: ComponentStatus, + /// A human readable name for the system component. + #[serde(deserialize_with = "validation::deser_markup")] + pub title: String, + /// A category describing the purpose of the component. + #[serde(rename = "type")] + #[serde( + serialize_with = "validation::ser_token", + deserialize_with = "validation::deser_token" + )] + pub component_type: String, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this component elsewhere in this or other OSCAL instances. The locally + /// defined UUID of the component can be used to reference the data item locally or globally + /// (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, which + /// means it should be consistently used to identify the same subject across revisions of the + /// document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// Information about the protocol used to provide a service. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ServiceProtocolInformation { + /// The common name of the protocol, which should be the appropriate "service name" from the + /// IANA Service Name and Transport Protocol Port Number Registry. + pub name: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub port_ranges: Option>, + /// A human readable name for the protocol (e.g., Transport Layer Security). + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub title: Option, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this service protocol information elsewhere in this or other OSCAL + /// instances. The locally defined UUID of the service protocol can be used to reference the + /// data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + /// assigned per-subject, which means it should be consistently used to identify the same + /// subject across revisions of the document. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_uuid_opt", + deserialize_with = "validation::deser_uuid_opt" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: Option, +} + +/// Where applicable this is the IPv4 port range on which the service operates. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct PortRange { + /// Indicates the ending port number in a port range + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_non_neg_int_opt", + deserialize_with = "validation::deser_non_neg_int_opt" + )] + pub end: Option, + /// Indicates the starting port number in a port range + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde( + serialize_with = "validation::ser_non_neg_int_opt", + deserialize_with = "validation::deser_non_neg_int_opt" + )] + pub start: Option, + /// Indicates the transport type. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub transport: Option, +} +/// Indicates the transport type. +/// +/// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +/// the name that will be assigned to the file when the file is decoded. +/// +/// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +/// https://www.w3.org/TR/xmlschema11-2/#NCName. +/// +/// A textual label that provides a sub-type or characterization of the property's name. +/// +/// An identifier for relating distinct sets of properties. +/// +/// A textual label, within a namespace, that uniquely identifies a specific attribute, +/// characteristic, or quality of the property's containing object. +/// +/// A human-oriented identifier reference to a role performed. +/// +/// A human-oriented reference to a parameter within a control, who's catalog has been +/// imported into the current implementation context. +/// +/// A reference to a control with a corresponding id value. When referencing an externally +/// defined control, the Control Identifier Reference must be used in the context of the +/// external / imported OSCAL instance (e.g., uri-reference). +/// +/// A human-oriented identifier reference to a control statement. +/// +/// A reference to a role performed by a party. +/// +/// The type of action documented by the assembly, such as an approval. +/// +/// A unique identifier for the role. +/// +/// Reference to a role by UUID. +/// +/// Describes the type of relationship provided by the link's hypertext reference. This can +/// be an indicator of the link's purpose. +/// +/// Identifies the implementation status of the control or control objective. +/// +/// Indicates the type of address. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[non_exhaustive] +#[derive(EnumString, Derivative)] +#[derivative(PartialEq)] +pub enum Transport { + #[serde(rename = "TCP")] + Tcp, + #[serde(rename = "UDP")] + Udp, +} + +/// Describes the operational status of the system component. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ComponentStatus { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// The operational status. + pub state: FluffyState, +} +/// The operational status. +/// +/// Name of the file before it was encoded as Base64 to be embedded in a resource. This is +/// the name that will be assigned to the file when the file is decoded. +/// +/// A non-colonized name as defined by XML Schema Part 2: Datatypes Second Edition. +/// https://www.w3.org/TR/xmlschema11-2/#NCName. +/// +/// A textual label that provides a sub-type or characterization of the property's name. +/// +/// An identifier for relating distinct sets of properties. +/// +/// A textual label, within a namespace, that uniquely identifies a specific attribute, +/// characteristic, or quality of the property's containing object. +/// +/// A human-oriented identifier reference to a role performed. +/// +/// A human-oriented reference to a parameter within a control, who's catalog has been +/// imported into the current implementation context. +/// +/// A reference to a control with a corresponding id value. When referencing an externally +/// defined control, the Control Identifier Reference must be used in the context of the +/// external / imported OSCAL instance (e.g., uri-reference). +/// +/// A human-oriented identifier reference to a control statement. +/// +/// A reference to a role performed by a party. +/// +/// The type of action documented by the assembly, such as an approval. +/// +/// A unique identifier for the role. +/// +/// Reference to a role by UUID. +/// +/// Describes the type of relationship provided by the link's hypertext reference. This can +/// be an indicator of the link's purpose. +/// +/// Identifies the implementation status of the control or control objective. +/// +/// Indicates the type of address. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[non_exhaustive] +#[derive(EnumString, Derivative)] +#[derivative(PartialEq)] +pub enum FluffyState { + Disposition, + Operational, + Other, + #[serde(rename = "under-development")] + UnderDevelopment, +} + +/// A single managed inventory item within the system. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct InventoryItem { + /// A summary of the inventory item stating its purpose within the system. + #[serde(deserialize_with = "validation::deser_markup")] + pub description: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub implemented_components: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsible_parties: Option>, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this inventory item elsewhere in this or other OSCAL instances. The locally + /// defined UUID of the inventory item can be used to reference the data item locally or + /// globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + /// which means it should be consistently used to identify the same subject across revisions + /// of the document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// The set of components that are implemented in a given system inventory item. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct ImplementedComponent { + /// A machine-oriented identifier reference to a component that is implemented as part of an + /// inventory item. + #[derivative(PartialEq = "ignore")] + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + pub component_uuid: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub responsible_parties: Option>, +} + +/// A description of another authorized system from which this system inherits capabilities +/// that satisfy security requirements. Another term for this concept is a common control +/// provider. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct LeveragedAuthorization { + #[serde( + serialize_with = "validation::ser_date", + deserialize_with = "validation::deser_date" + )] + pub date_authorized: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + /// A machine-oriented identifier reference to the party that manages the leveraged system. + #[derivative(PartialEq = "ignore")] + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + pub party_uuid: String, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + /// A human readable name for the leveraged authorization in the context of the system. + #[serde(deserialize_with = "validation::deser_markup")] + pub title: String, + /// A machine-oriented, globally unique identifier with cross-instance scope and can be used + /// to reference this leveraged authorization elsewhere in this or other OSCAL instances. The + /// locally defined UUID of the leveraged authorization can be used to reference the data + /// item locally or globally (e.g., in an imported OSCAL instance). This UUID should be + /// assigned per-subject, which means it should be consistently used to identify the same + /// subject across revisions of the document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// A type of user that interacts with the system based on an associated role. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct SystemUser { + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub authorized_privileges: Option>, + /// A summary of the user's purpose within the system. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub description: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub links: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub props: Option>, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub remarks: Option, + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_token_vec_opt")] + pub role_ids: Option>, + /// A short common name, abbreviation, or acronym for the user. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + pub short_name: Option, + /// A name given to the user, which may be used by a tool for display and navigation. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub title: Option, + /// A machine-oriented, globally unique identifier with cross-instance scope that can be used + /// to reference this user class elsewhere in this or other OSCAL instances. The locally + /// defined UUID of the system user can be used to reference the data item locally or + /// globally (e.g., in an imported OSCAL instance). This UUID should be assigned per-subject, + /// which means it should be consistently used to identify the same subject across revisions + /// of the document. + #[serde( + serialize_with = "validation::ser_uuid", + deserialize_with = "validation::deser_uuid" + )] + #[derivative(PartialEq = "ignore")] + pub uuid: String, +} + +/// Identifies a specific system privilege held by the user, along with an associated +/// description and/or rationale for the privilege. +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +#[derive(Builder, Derivative)] +#[builder(setter(into, strip_option))] +#[derivative(PartialEq)] +#[serde(deny_unknown_fields)] +pub struct Privilege { + /// A summary of the privilege's purpose within the system. + #[builder(setter(into, strip_option), default)] + #[serde(default, skip_serializing_if = "Option::is_none")] + #[serde(deserialize_with = "validation::deser_markup_opt")] + pub description: Option, + pub functions_performed: Vec, + /// A human readable name for the privilege. + pub title: String, +} diff --git a/roscal_lib/src/lib.rs b/roscal_lib/src/lib.rs new file mode 100644 index 0000000..1cbac54 --- /dev/null +++ b/roscal_lib/src/lib.rs @@ -0,0 +1,71 @@ +//! # OSCAL: Referential implementation of Open Security Controls Assessment Language(OSCAL) +//! This library enables users to programmatically parse and build various OSCAL +//! models using the builder pattern, with bi-directional validation enabled on key +//! fields during serialisation/deserialisation. +//! +//! All textual fields are represented as `String` type such as uuid, datetime etc. +//! This library strives to be unopinionated about which library is being used by +//! the user to build certain data field, therefore it does not re-export some of +//! the libraries used internally for validation. The libraries for building these types +//! are specified Cargo.toml such as `chrono`, `uriparse`, `uuid` etc, although you +//! can follow the OSCAL specification and choose whichever that conforms to the requirement. +//! See +//! +//! Currently the latest v1.x is being tracked by this library and primarily supports +//! the roscal_cli tool. +//! +//! +//! # Example of a building a minimum Catalog model +//! +//! ```toml +//! [dependencies] +//! roscal_lib = "0.1.0" +//! uuid = { version = "1.6.1", features = ["v4"] } +//! chrono = { version = "0.4.31", features = ["serde"] } +//! ``` +//! +//! ``` +//! use roscal_lib::control::catalog::{self, CatalogBuilder, CatalogClassBuilder}; +//! +//! fn builder() { +//! let mut catalog_builder = CatalogBuilder::default(); +//! let mut catalog_class_builder = CatalogClassBuilder::default(); +//! +//! let uuid = uuid::Uuid::new_v4().to_string(); +//! let last_modified = chrono::DateTime::parse_from_rfc3339("2023-12-31T23:59:59Z") +//! .unwrap().to_string(); +//! let metadata = catalog::DocumentMetadataBuilder::default() +//! .version("1") +//! .title("catalog") +//! .oscal_version("1.0.0") +//! .last_modified(last_modified) +//! .build() +//! .expect("unable to build metadata"); +//! +//! let catalog_class = catalog_class_builder +//! .uuid(uuid) +//! .metadata(metadata) +//! .build() +//! .expect("unable to build catalog class"); +//! let catalog = catalog_builder +//! .catalog(catalog_class) +//! .build() +//! .expect("unable to build catalog"); +//! +//! assert_eq!(true, serde_json::to_string(&catalog).is_ok()) +//! } +//! ``` +#![forbid(unsafe_code)] + +pub mod assessment; +mod common_impl; +pub mod control; +pub mod implementation; +mod uuid_impl; +mod validation; + +/// Update UUID v4/v5 if model content has changed +pub trait UpdateUuid: Sized { + fn update_uuid_v4(&mut self, rhs: &Self) -> &mut Self; + fn update_uuid_v5(&mut self, rhs: &Self) -> &mut Self; +} diff --git a/roscal_lib/src/uuid_impl.rs b/roscal_lib/src/uuid_impl.rs new file mode 100644 index 0000000..89e986c --- /dev/null +++ b/roscal_lib/src/uuid_impl.rs @@ -0,0 +1,42 @@ +use crate::{assessment::*, control::*, implementation::*, UpdateUuid}; + +macro_rules! impl_update_uuid { + ( $( $t:ty ),* ) => { + $( + impl UpdateUuid for $t { + fn update_uuid_v4(&mut self, rhs: &Self) -> &mut Self { + if self != rhs { + self.uuid = String::from(uuid::Uuid::new_v4()); + + return self + } + + self + } + + fn update_uuid_v5(&mut self, rhs: &Self) -> &mut Self { + if self != rhs { + self.uuid = String::from(uuid::Uuid::new_v5( + &uuid::Uuid::NAMESPACE_URL, + b"http://csrc.nist.gov/ns/oscal", + )); + + return self + } + + self + } + } + )* + }; +} + +impl_update_uuid!( + assessment_plan::SecurityAssessmentPlanSap, + assessment_results::SecurityAssessmentResultsSar, + poam::PlanOfActionAndMilestonesPoaM, + catalog::CatalogClass, + profile::ProfileClass, + component_definition::ComponentDefinitionClass, + ssp::SystemSecurityPlanSsp +); diff --git a/roscal_lib/src/validation.rs b/roscal_lib/src/validation.rs new file mode 100644 index 0000000..e14e87c --- /dev/null +++ b/roscal_lib/src/validation.rs @@ -0,0 +1,796 @@ +use std::env; + +use chrono::prelude::*; +use lazy_static::lazy_static; +use pulldown_cmark::{Options, Parser}; +use regex::Regex; +use serde::{de, ser::SerializeSeq, Deserialize, Serializer}; +use uriparse::{uri::URI, uri_reference::URIReference}; + +lazy_static! { + static ref BASE64: Regex = Regex::new(r"^[0-9A-Za-z+/]+={0,2}$").unwrap(); + static ref DATE: Regex = Regex::new(r"^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))(Z|[+-][0-9]{2}:[0-9]{2})?$").unwrap(); + static ref EMAIL: Regex = Regex::new(r"^.+@.+$").unwrap(); + static ref TOKEN: Regex = + Regex::new(r"^(\p{L}|_)(\p{L}|\p{N}|[.\-_])*$").unwrap(); + static ref SHA_SHA3_224: Regex = Regex::new(r"^[0-9a-fA-F]{28}$").unwrap(); + static ref SHA_SHA3_256: Regex = Regex::new(r"^[0-9a-fA-F]{32}$").unwrap(); + static ref SHA_SHA3_384: Regex = Regex::new(r"^[0-9a-fA-F]{48}$").unwrap(); + static ref SHA_SHA3_512: Regex = Regex::new(r"^[0-9a-fA-F]{64}$").unwrap(); +} + +fn is_valid_based64(pat: &str) -> bool { + BASE64.is_match(pat) +} + +fn is_valid_date(pat: &str) -> bool { + DATE.is_match(pat) +} + +fn is_valid_dttz(pat: &str) -> bool { + DateTime::parse_from_rfc3339(pat).is_ok() +} + +fn is_valid_email(pat: &str) -> bool { + EMAIL.is_match(pat) +} + +fn is_valid_hash(pat: &str) -> bool { + SHA_SHA3_224.is_match(pat) + || SHA_SHA3_256.is_match(pat) + || SHA_SHA3_384.is_match(pat) + || SHA_SHA3_512.is_match(pat) +} + +fn is_valid_token(pat: &str) -> bool { + TOKEN.is_match(pat) +} + +fn is_valid_uri(pat: &str) -> bool { + URI::try_from(pat).is_ok() +} + +fn is_valid_uri_ref(pat: &str) -> bool { + URIReference::try_from(pat).is_ok() +} + +fn is_valid_uuid(pat: &str) -> bool { + let res = uuid::Uuid::try_parse(pat); + if let Ok(res) = res { + if let Some(version) = res.clone().get_version() { + version == uuid::Version::Random || version == uuid::Version::Sha1 + } else { + false + } + } else { + false + } +} + +pub(crate) fn ser_base64( + s: &str, + serializer: S, +) -> Result { + if is_valid_based64(s) { + serializer.serialize_str(s) + } else { + Err(serde::ser::Error::custom("invalid base64 pattern")) + } +} + +pub(crate) fn deser_base64<'de, D>(deserializer: D) -> Result +where + D: serde::de::Deserializer<'de>, +{ + match String::deserialize(deserializer) { + Ok(v) => { + if is_valid_based64(&v) { + Ok(v) + } else { + Err(de::Error::custom("invalid base64 pattern".to_owned())) + } + } + Err(e) => Err(de::Error::custom(e.to_string())), + } +} + +pub(crate) fn ser_date( + s: &str, + serializer: S, +) -> Result { + if is_valid_date(s) { + serializer.serialize_str(s) + } else { + Err(serde::ser::Error::custom("invalid date pattern")) + } +} + +pub(crate) fn ser_date_opt( + s: &Option, + serializer: S, +) -> Result { + if let Some(s) = s { + if is_valid_date(s) { + serializer.serialize_str(s) + } else { + Err(serde::ser::Error::custom("invalid date pattern")) + } + } else { + serializer.serialize_none() + } +} + +pub(crate) fn deser_date<'de, D>(deserializer: D) -> Result +where + D: serde::de::Deserializer<'de>, +{ + match String::deserialize(deserializer) { + Ok(v) => { + if is_valid_date(&v) { + Ok(v) + } else { + Err(de::Error::custom("invalid date pattern".to_owned())) + } + } + Err(e) => Err(de::Error::custom(e.to_string())), + } +} + +pub(crate) fn deser_date_opt<'de, D>( + deserializer: D, +) -> Result, D::Error> +where + D: serde::de::Deserializer<'de>, +{ + match Option::::deserialize(deserializer) { + Ok(Some(v)) => { + if is_valid_date(&v) { + Ok(Some(v)) + } else { + Err(de::Error::custom("invalid date pattern".to_owned())) + } + } + Ok(None) => Ok(None), + Err(e) => Err(de::Error::custom(e.to_string())), + } +} + +pub(crate) fn ser_dttz( + s: &str, + serializer: S, +) -> Result { + if is_valid_dttz(s) { + serializer.serialize_str(s) + } else { + Err(serde::ser::Error::custom("invalid datetime pattern")) + } +} + +pub(crate) fn ser_dttz_opt( + s: &Option, + serializer: S, +) -> Result { + if let Some(s) = s { + if is_valid_dttz(s) { + serializer.serialize_str(s) + } else { + Err(serde::ser::Error::custom("invalid datetime pattern")) + } + } else { + serializer.serialize_none() + } +} + +pub(crate) fn deser_dttz<'de, D>(deserializer: D) -> Result +where + D: serde::de::Deserializer<'de>, +{ + match String::deserialize(deserializer) { + Ok(v) => { + if is_valid_dttz(&v) { + Ok(v) + } else { + Err(de::Error::custom("invalid datetime pattern".to_owned())) + } + } + Err(e) => Err(de::Error::custom(e.to_string())), + } +} + +pub(crate) fn deser_dttz_opt<'de, D>( + deserializer: D, +) -> Result, D::Error> +where + D: serde::de::Deserializer<'de>, +{ + match Option::::deserialize(deserializer) { + Ok(Some(v)) => { + if is_valid_dttz(&v) { + Ok(Some(v)) + } else { + Err(de::Error::custom("invalid datetime pattern".to_owned())) + } + } + Ok(None) => Ok(None), + Err(e) => Err(de::Error::custom(e.to_string())), + } +} + +pub(crate) fn ser_email_vec_opt( + s: &Option>, + serializer: S, +) -> Result { + if let Some(s) = s { + if s.iter().all(|s| is_valid_email(s)) { + let mut seq = serializer.serialize_seq(Some(s.len()))?; + for elt in s { + seq.serialize_element(elt)?; + } + seq.end() + } else { + Err(serde::ser::Error::custom("invalid email pattern")) + } + } else { + serializer.serialize_none() + } +} + +pub(crate) fn deser_email_vec_opt<'de, D>( + deserializer: D, +) -> Result>, D::Error> +where + D: serde::de::Deserializer<'de>, +{ + match Option::>::deserialize(deserializer) { + Ok(Some(v)) => { + if v.iter().all(|s| is_valid_email(s)) { + Ok(Some(v)) + } else { + Err(de::Error::custom("invalid email pattern".to_owned())) + } + } + Ok(None) => Ok(None), + Err(e) => Err(de::Error::custom(e.to_string())), + } +} + +pub(crate) fn ser_hash( + s: &str, + serializer: S, +) -> Result { + if is_valid_hash(s) { + serializer.serialize_str(s) + } else { + Err(serde::ser::Error::custom("invalid rlink hash pattern")) + } +} + +pub(crate) fn deser_hash<'de, D>(deserializer: D) -> Result +where + D: serde::de::Deserializer<'de>, +{ + match String::deserialize(deserializer) { + Ok(v) => { + if is_valid_hash(&v) { + Ok(v) + } else { + Err(de::Error::custom("invalid rlink hash pattern".to_owned())) + } + } + Err(e) => Err(de::Error::custom(e.to_string())), + } +} + +pub(crate) fn ser_positive_int( + s: &i64, + serializer: S, +) -> Result { + if *s >= 1 { + serializer.serialize_i64(*s) + } else { + Err(serde::ser::Error::custom( + "invalid positive integer pattern", + )) + } +} + +pub(crate) fn deser_positive_int<'de, D>( + deserializer: D, +) -> Result +where + D: serde::de::Deserializer<'de>, +{ + match i64::deserialize(deserializer) { + Ok(v) => { + if v >= 1 { + Ok(v) + } else { + Err(de::Error::custom( + "invalid positive integer pattern".to_owned(), + )) + } + } + Err(e) => Err(de::Error::custom(e.to_string())), + } +} + +pub(crate) fn ser_non_neg_int_opt( + s: &Option, + serializer: S, +) -> Result { + if let Some(s) = s { + if *s >= 0 { + serializer.serialize_i64(*s) + } else { + Err(serde::ser::Error::custom( + "invalid non negative integer pattern", + )) + } + } else { + serializer.serialize_none() + } +} + +pub(crate) fn deser_non_neg_int_opt<'de, D>( + deserializer: D, +) -> Result, D::Error> +where + D: serde::de::Deserializer<'de>, +{ + match Option::::deserialize(deserializer) { + Ok(Some(v)) => { + if v >= 0 { + Ok(Some(v)) + } else { + Err(de::Error::custom( + "invalid non negative integer pattern".to_owned(), + )) + } + } + Ok(None) => Ok(None), + Err(e) => Err(de::Error::custom(e.to_string())), + } +} + +pub(crate) fn ser_token( + s: &str, + serializer: S, +) -> Result { + if is_valid_token(s) { + serializer.serialize_str(s) + } else { + Err(serde::ser::Error::custom("invalid token pattern")) + } +} + +pub(crate) fn ser_token_opt( + s: &Option, + serializer: S, +) -> Result { + if let Some(s) = s { + if is_valid_token(s) { + serializer.serialize_str(s) + } else { + Err(serde::ser::Error::custom("invalid token pattern")) + } + } else { + serializer.serialize_none() + } +} + +pub(crate) fn ser_token_vec_opt( + s: &Option>, + serializer: S, +) -> Result { + if let Some(s) = s { + if s.iter().all(|s| is_valid_token(s)) { + let mut seq = serializer.serialize_seq(Some(s.len()))?; + for elt in s { + seq.serialize_element(elt)?; + } + seq.end() + } else { + Err(serde::ser::Error::custom("invalid token pattern")) + } + } else { + serializer.serialize_none() + } +} + +pub(crate) fn deser_token<'de, D>(deserializer: D) -> Result +where + D: serde::de::Deserializer<'de>, +{ + match String::deserialize(deserializer) { + Ok(v) => { + if is_valid_token(&v) { + Ok(v) + } else { + Err(de::Error::custom("invalid token pattern".to_owned())) + } + } + Err(e) => Err(de::Error::custom(e.to_string())), + } +} + +pub(crate) fn deser_token_opt<'de, D>( + deserializer: D, +) -> Result, D::Error> +where + D: serde::de::Deserializer<'de>, +{ + match Option::::deserialize(deserializer) { + Ok(Some(v)) => { + if is_valid_token(&v) { + Ok(Some(v)) + } else { + Err(de::Error::custom("invalid token pattern".to_owned())) + } + } + Ok(None) => Ok(None), + Err(e) => Err(de::Error::custom(e.to_string())), + } +} + +pub(crate) fn deser_token_vec_opt<'de, D>( + deserializer: D, +) -> Result>, D::Error> +where + D: serde::de::Deserializer<'de>, +{ + match Option::>::deserialize(deserializer) { + Ok(Some(v)) => { + if v.iter().all(|s| is_valid_token(s)) { + Ok(Some(v)) + } else { + Err(de::Error::custom("invalid token pattern".to_owned())) + } + } + Ok(None) => Ok(None), + Err(e) => Err(de::Error::custom(e.to_string())), + } +} + +pub(crate) fn ser_uri( + s: &str, + serializer: S, +) -> Result { + if is_valid_uri(s) { + serializer.serialize_str(s) + } else { + Err(serde::ser::Error::custom("invalid uri pattern")) + } +} + +pub(crate) fn ser_uri_opt( + s: &Option, + serializer: S, +) -> Result { + if let Some(s) = s { + if is_valid_uri(s) { + serializer.serialize_str(s) + } else { + Err(serde::ser::Error::custom("invalid uri pattern")) + } + } else { + serializer.serialize_none() + } +} + +pub(crate) fn ser_uri_vec_opt( + s: &Option>, + serializer: S, +) -> Result { + if let Some(s) = s { + if s.iter().all(|s| is_valid_uri(s)) { + let mut seq = serializer.serialize_seq(Some(s.len()))?; + for elt in s { + seq.serialize_element(elt)?; + } + seq.end() + } else { + Err(serde::ser::Error::custom("invalid uri pattern")) + } + } else { + serializer.serialize_none() + } +} + +pub(crate) fn deser_uri<'de, D>(deserializer: D) -> Result +where + D: serde::de::Deserializer<'de>, +{ + match String::deserialize(deserializer) { + Ok(v) => { + if is_valid_uri(&v) { + Ok(v) + } else { + Err(de::Error::custom("invalid uri pattern".to_owned())) + } + } + Err(e) => Err(de::Error::custom(e.to_string())), + } +} + +pub(crate) fn deser_uri_opt<'de, D>( + deserializer: D, +) -> Result, D::Error> +where + D: serde::de::Deserializer<'de>, +{ + match Option::::deserialize(deserializer) { + Ok(Some(v)) => { + if is_valid_uri(&v) { + Ok(Some(v)) + } else { + Err(de::Error::custom("invalid uri pattern".to_owned())) + } + } + Ok(None) => Ok(None), + Err(e) => Err(de::Error::custom(e.to_string())), + } +} + +pub(crate) fn deser_uri_vec_opt<'de, D>( + deserializer: D, +) -> Result>, D::Error> +where + D: serde::de::Deserializer<'de>, +{ + match Option::>::deserialize(deserializer) { + Ok(Some(v)) => { + if v.iter().all(|s| is_valid_uri(s)) { + Ok(Some(v)) + } else { + Err(de::Error::custom("invalid uri pattern".to_owned())) + } + } + Ok(None) => Ok(None), + Err(e) => Err(de::Error::custom(e.to_string())), + } +} + +pub(crate) fn ser_uri_ref( + s: &str, + serializer: S, +) -> Result { + if is_valid_uri_ref(s) { + serializer.serialize_str(s) + } else { + Err(serde::ser::Error::custom("invalid uri reference pattern")) + } +} + +pub(crate) fn ser_uri_ref_opt( + s: &Option, + serializer: S, +) -> Result { + if let Some(s) = s { + if is_valid_uri_ref(s) { + serializer.serialize_str(s) + } else { + Err(serde::ser::Error::custom("invalid uri reference pattern")) + } + } else { + serializer.serialize_none() + } +} + +pub(crate) fn deser_uri_ref<'de, D>(deserializer: D) -> Result +where + D: serde::de::Deserializer<'de>, +{ + match String::deserialize(deserializer) { + Ok(v) => { + if is_valid_uri(&v) || is_valid_uri_ref(&v) { + Ok(v) + } else { + Err(de::Error::custom( + "invalid uri reference pattern".to_owned(), + )) + } + } + Err(e) => Err(de::Error::custom(e.to_string())), + } +} + +pub(crate) fn deser_uri_ref_opt<'de, D>( + deserializer: D, +) -> Result, D::Error> +where + D: serde::de::Deserializer<'de>, +{ + match Option::::deserialize(deserializer) { + Ok(Some(v)) => { + if is_valid_uri(&v) || is_valid_uri_ref(&v) { + Ok(Some(v)) + } else { + Err(de::Error::custom( + "invalid uri reference pattern".to_owned(), + )) + } + } + Ok(None) => Ok(None), + Err(e) => Err(de::Error::custom(e.to_string())), + } +} + +pub(crate) fn ser_uuid( + s: &str, + serializer: S, +) -> Result { + if is_valid_uuid(s) { + serializer.serialize_str(s) + } else { + Err(serde::ser::Error::custom("invalid uuid pattern")) + } +} + +pub(crate) fn ser_uuid_vec( + s: &Vec, + serializer: S, +) -> Result { + if s.iter().all(|s| is_valid_uuid(s)) { + let mut seq = serializer.serialize_seq(Some(s.len()))?; + for elt in s { + seq.serialize_element(elt)?; + } + seq.end() + } else { + Err(serde::ser::Error::custom("invalid uuid pattern")) + } +} + +pub(crate) fn ser_uuid_opt( + s: &Option, + serializer: S, +) -> Result { + if let Some(s) = s { + if is_valid_uuid(s) { + serializer.serialize_str(s) + } else { + Err(serde::ser::Error::custom("invalid uuid pattern")) + } + } else { + serializer.serialize_none() + } +} + +pub(crate) fn ser_uuid_vec_opt( + s: &Option>, + serializer: S, +) -> Result { + if let Some(s) = s { + if s.iter().all(|s| is_valid_uuid(s)) { + let mut seq = serializer.serialize_seq(Some(s.len()))?; + for elt in s { + seq.serialize_element(elt)?; + } + seq.end() + } else { + Err(serde::ser::Error::custom("invalid uuid pattern")) + } + } else { + serializer.serialize_none() + } +} + +pub(crate) fn deser_uuid<'de, D>(deserializer: D) -> Result +where + D: serde::de::Deserializer<'de>, +{ + match String::deserialize(deserializer) { + Ok(v) => { + if is_valid_uuid(&v) { + Ok(v) + } else { + Err(de::Error::custom("invalid uuid pattern".to_owned())) + } + } + Err(e) => Err(de::Error::custom(e.to_string())), + } +} + +pub(crate) fn deser_uuid_opt<'de, D>( + deserializer: D, +) -> Result, D::Error> +where + D: serde::de::Deserializer<'de>, +{ + match Option::::deserialize(deserializer) { + Ok(Some(v)) => { + if is_valid_uuid(&v) { + Ok(Some(v)) + } else { + Err(de::Error::custom("invalid uuid pattern".to_owned())) + } + } + Ok(None) => Ok(None), + Err(e) => Err(de::Error::custom(e.to_string())), + } +} + +pub(crate) fn deser_uuid_vec<'de, D>( + deserializer: D, +) -> Result, D::Error> +where + D: serde::de::Deserializer<'de>, +{ + match Vec::::deserialize(deserializer) { + Ok(v) => { + if v.iter().all(|s| is_valid_uuid(s)) { + Ok(v) + } else { + Err(de::Error::custom("invalid uuid pattern".to_owned())) + } + } + Err(e) => Err(de::Error::custom(e.to_string())), + } +} + +pub(crate) fn deser_uuid_vec_opt<'de, D>( + deserializer: D, +) -> Result>, D::Error> +where + D: serde::de::Deserializer<'de>, +{ + match Option::>::deserialize(deserializer) { + Ok(Some(v)) => { + if v.iter().all(|s| is_valid_uuid(s)) { + Ok(Some(v)) + } else { + Err(de::Error::custom("invalid uuid pattern".to_owned())) + } + } + Ok(None) => Ok(None), + Err(e) => Err(de::Error::custom(e.to_string())), + } +} + +fn parse_markup(input: String) -> String { + let parser = Parser::new_ext(&input, Options::all()); + + let mut output = String::new(); + pulldown_cmark::html::push_html(&mut output, parser); + + output +} + +pub(crate) fn deser_markup<'de, D>(deserializer: D) -> Result +where + D: serde::de::Deserializer<'de>, +{ + let mode = env::var("OSCAL_MARKUP_RENDER_MODE").unwrap_or_default(); + + match String::deserialize(deserializer) { + Ok(v) => { + if mode.eq("ENABLED") { + Ok(parse_markup(v)) + } else { + Ok(v) + } + } + Err(e) => Err(de::Error::custom(e.to_string())), + } +} + +pub(crate) fn deser_markup_opt<'de, D>( + deserializer: D, +) -> Result, D::Error> +where + D: serde::de::Deserializer<'de>, +{ + let mode = env::var("OSCAL_MARKUP_RENDER_MODE").unwrap_or_default(); + + match Option::::deserialize(deserializer) { + Ok(Some(v)) => { + if mode.eq("ENABLED") { + Ok(Some(parse_markup(v))) + } else { + Ok(Some(v)) + } + } + Ok(None) => Ok(None), + Err(e) => Err(de::Error::custom(e.to_string())), + } +} diff --git a/roscal_lib/tests/ap/json/ifa_assessment-plan-example-min.json b/roscal_lib/tests/ap/json/ifa_assessment-plan-example-min.json new file mode 100644 index 0000000..0f006d7 --- /dev/null +++ b/roscal_lib/tests/ap/json/ifa_assessment-plan-example-min.json @@ -0,0 +1,115 @@ +{ + "assessment-plan": { + "uuid": "60077e84-e62f-4375-8c6c-b0e0d4560c5f", + "metadata": { + "title": "IFA GoodRead Assessment Plan", + "last-modified": "2024-02-01T13:57:28.355446-04:00", + "version": "1.0", + "oscal-version": "1.1.2", + "roles": [{ "id": "assessor", "title": "IFA Security Control Assessor" }], + "parties": [ + { + "uuid": "e7730080-71ce-4b20-bec4-84f33136fd58", + "type": "person", + "name": "Amy Assessor", + "member-of-organizations": ["3a675986-b4ff-4030-b178-e953c2e55d64"] + }, + { + "uuid": "3a675986-b4ff-4030-b178-e953c2e55d64", + "type": "organization", + "name": "Important Federal Agency", + "short-name": "IFA", + "links": [{ "href": "https://www.ifa.gov", "rel": "website" }] + } + ], + "responsible-parties": [ + { + "role-id": "assessor", + "party-uuids": ["e7730080-71ce-4b20-bec4-84f33136fd58"] + } + ] + }, + "import-ssp": { "href": "../3-implementation/ssp.oscal.xml" }, + "local-definitions": { + "activities": [ + { + "uuid": "52277182-1ba3-4cb6-8d96-b1b97aaf9d6b", + "title": "Examine System Elements for Least Privilege Design and Implementation", + "description": "The activity and it steps will be performed by the assessor and facilitated by owner, ISSO, and product team for the IFA GoodRead system with necessary information and access about least privilege design and implementation of the system's elements: the application, web framework, server, and cloud account infrastructure.", + "props": [{ "name": "method", "value": "EXAMINE" }], + "steps": [ + { + "uuid": "733e3cbf-e398-46b6-9c02-a2cb534c341e", + "title": "Obtain Network Access via VPN to IFA GoodRead Environment", + "description": "The assessor will obtain network access with appropriately configured VPN account to see admin frontend to the application for PAO staff, which is only accessible via VPN with an appropriately configured role for PAO staff accounts." + }, + { + "uuid": "4ce7e0b4-d69e-4b80-a700-8600b4d4d933", + "title": "Obtain Credentials and Access to AwesomeCloud Account for IFA GoodRead System", + "description": "The assessor will obtain access to the GoodRead Product Team's AwesomeCloud account with their single sign-on credentials to a read-only assessor role." + }, + { + "uuid": "3d0297de-e47b-4360-b9c3-cf5c425f86cd", + "title": "Obtain Applcation Access Provided by Product Team", + "description": "The assessor will obtain non-privileged account credentials with the PAO staff role to test this role in the application does not permit excessive administrative operations." + }, + { + "uuid": "64ca1ef6-3ad4-4747-97c6-40890222463f", + "title": "Confirm Load Balancer Blocks Access to Admin Frontend from Internet", + "description": "The assessor will confirm that the load balancer for public access does not allow access to Admin Frontend of the application from the Internet." + }, + { + "uuid": "715f0592-166f-44f6-bb66-d99623e035dc", + "title": "Confirm GoodRead's PAO Role Cannot Manage Users", + "description": "The assessor will confirm that user's logged into the GoodRead Application with the PAO staff role cannot add, modify, or disable users from the system." + }, + { + "uuid": "4641957b-a0fa-4c61-af1a-d3e9101efe40", + "title": "Confirm Django Admin Panel Not Available", + "description": "The assessor will confirm with web-based interface and API methods users with the PAO Staff role cannot access the Django admin panel functions and interactively change application's database records." + } + ], + "related-controls": { + "control-selections": [ + { "include-controls": [{ "control-id": "ac-6.1" }] } + ] + }, + "responsible-roles": [ + { + "role-id": "assessor", + "party-uuids": ["e7730080-71ce-4b20-bec4-84f33136fd58"] + } + ] + } + ] + }, + "reviewed-controls": { + "control-selections": [ + { "include-controls": [{ "control-id": "ac-6.1" }] } + ], + "control-objective-selections": [{ "include-all": {} }] + }, + "assessment-subjects": [ + { + "type": "component", + "description": "The assessor for the IFA GoodRead Project, including the application and infrastructure for this information system, are within scope of this assessment.", + "include-all": {} + } + ], + "tasks": [ + { + "uuid": "b3504d22-0e75-4dd7-9247-618661beba4e", + "type": "action", + "title": "Examine Least Privilege Design and Implementation", + "associated-activities": [ + { + "activity-uuid": "0d243b23-a889-478f-9716-6d4870e56209", + "subjects": [{ "type": "component", "include-all": {} }] + } + ], + "responsible-roles": [{ "role-id": "assessor" }], + "remarks": "Per IFA's use of NIST SP-800 53A, the assessor, with the support of the owner, information system security officer, and product team for the IFA GoodRead project, will examine least privilege design and implementation with the following:\n\n* list of security functions (deployed in hardware, software, and firmware) and security-relevant information for which access must be explicitly authorized;\n* system configuration settings and associated documentation;\n" + } + ] + } +} diff --git a/roscal_lib/tests/ap/json/ifa_assessment-plan-example.json b/roscal_lib/tests/ap/json/ifa_assessment-plan-example.json new file mode 100644 index 0000000..0b46637 --- /dev/null +++ b/roscal_lib/tests/ap/json/ifa_assessment-plan-example.json @@ -0,0 +1,157 @@ +{ + "assessment-plan": { + "uuid": "60077e84-e62f-4375-8c6c-b0e0d4560c5f", + "metadata": { + "title": "IFA GoodRead Assessment Plan", + "last-modified": "2024-02-01T13:57:28.355446-04:00", + "version": "1.0", + "oscal-version": "1.1.2", + "roles": [ + { + "id": "assessor", + "title": "IFA Security Control Assessor" + } + ], + "parties": [ + { + "uuid": "e7730080-71ce-4b20-bec4-84f33136fd58", + "type": "person", + "name": "Amy Assessor", + "member-of-organizations": ["3a675986-b4ff-4030-b178-e953c2e55d64"] + }, + { + "uuid": "3a675986-b4ff-4030-b178-e953c2e55d64", + "type": "organization", + "name": "Important Federal Agency", + "short-name": "IFA", + "links": [ + { + "href": "https://www.ifa.gov", + "rel": "website" + } + ] + } + ], + "responsible-parties": [ + { + "role-id": "assessor", + "party-uuids": ["e7730080-71ce-4b20-bec4-84f33136fd58"] + } + ] + }, + "import-ssp": { + "href": "../3-implementation/ssp.oscal.xml" + }, + "local-definitions": { + "activities": [ + { + "uuid": "52277182-1ba3-4cb6-8d96-b1b97aaf9d6b", + "title": "Examine System Elements for Least Privilege Design and Implementation", + "description": "The activity and it steps will be performed by the assessor and facilitated by owner, ISSO, and product team for the IFA GoodRead system with necessary information and access about least privilege design and implementation of the system's elements: the application, web framework, server, and cloud account infrastructure.", + "props": [ + { + "name": "method", + "value": "EXAMINE" + } + ], + "steps": [ + { + "uuid": "733e3cbf-e398-46b6-9c02-a2cb534c341e", + "title": "Obtain Network Access via VPN to IFA GoodRead Environment", + "description": "The assessor will obtain network access with appropriately configured VPN account to see admin frontend to the application for PAO staff, which is only accessible via VPN with an appropriately configured role for PAO staff accounts." + }, + { + "uuid": "4ce7e0b4-d69e-4b80-a700-8600b4d4d933", + "title": "Obtain Credentials and Access to AwesomeCloud Account for IFA GoodRead System", + "description": "The assessor will obtain access to the GoodRead Product Team's AwesomeCloud account with their single sign-on credentials to a read-only assessor role." + }, + { + "uuid": "3d0297de-e47b-4360-b9c3-cf5c425f86cd", + "title": "Obtain Applcation Access Provided by Product Team", + "description": "The assessor will obtain non-privileged account credentials with the PAO staff role to test this role in the application does not permit excessive administrative operations." + }, + { + "uuid": "64ca1ef6-3ad4-4747-97c6-40890222463f", + "title": "Confirm Load Balancer Blocks Access to Admin Frontend from Internet", + "description": "The assessor will confirm that the load balancer for public access does not allow access to Admin Frontend of the application from the Internet." + }, + { + "uuid": "715f0592-166f-44f6-bb66-d99623e035dc", + "title": "Confirm GoodRead's PAO Role Cannot Manage Users", + "description": "The assessor will confirm that user's logged into the GoodRead Application with the PAO staff role cannot add, modify, or disable users from the system." + }, + { + "uuid": "4641957b-a0fa-4c61-af1a-d3e9101efe40", + "title": "Confirm Django Admin Panel Not Available", + "description": "The assessor will confirm with web-based interface and API methods users with the PAO Staff role cannot access the Django admin panel functions and interactively change application's database records." + } + ], + "related-controls": { + "control-selections": [ + { + "include-controls": [ + { + "control-id": "ac-6.1" + } + ] + } + ] + }, + "responsible-roles": [ + { + "role-id": "assessor", + "party-uuids": ["e7730080-71ce-4b20-bec4-84f33136fd58"] + } + ] + } + ] + }, + "reviewed-controls": { + "control-selections": [ + { + "include-controls": [ + { + "control-id": "ac-6.1" + } + ] + } + ], + "control-objective-selections": [ + { + "include-all": {} + } + ] + }, + "assessment-subjects": [ + { + "type": "component", + "description": "The assessor for the IFA GoodRead Project, including the application and infrastructure for this information system, are within scope of this assessment.", + "include-all": {} + } + ], + "tasks": [ + { + "uuid": "b3504d22-0e75-4dd7-9247-618661beba4e", + "type": "action", + "title": "Examine Least Privilege Design and Implementation", + "associated-activities": [ + { + "activity-uuid": "0d243b23-a889-478f-9716-6d4870e56209", + "subjects": [ + { + "type": "component", + "include-all": {} + } + ] + } + ], + "responsible-roles": [ + { + "role-id": "assessor" + } + ], + "remarks": "Per IFA's use of NIST SP-800 53A, the assessor, with the support of the owner, information system security officer, and product team for the IFA GoodRead project, will examine least privilege design and implementation with the following:\n\n* list of security functions (deployed in hardware, software, and firmware) and security-relevant information for which access must be explicitly authorized;\n* system configuration settings and associated documentation;\n" + } + ] + } +} diff --git a/roscal_lib/tests/ap/yaml/ifa_assessment-plan-example.yaml b/roscal_lib/tests/ap/yaml/ifa_assessment-plan-example.yaml new file mode 100644 index 0000000..30cd433 --- /dev/null +++ b/roscal_lib/tests/ap/yaml/ifa_assessment-plan-example.yaml @@ -0,0 +1,90 @@ +assessment-plan: + uuid: 60077e84-e62f-4375-8c6c-b0e0d4560c5f + metadata: + title: IFA GoodRead Assessment Plan + last-modified: "2024-02-01T13:57:28.355446-04:00" + version: "1.0" + oscal-version: 1.1.2 + roles: + - id: assessor + title: IFA Security Control Assessor + parties: + - uuid: e7730080-71ce-4b20-bec4-84f33136fd58 + type: person + name: Amy Assessor + member-of-organizations: + - 3a675986-b4ff-4030-b178-e953c2e55d64 + - uuid: 3a675986-b4ff-4030-b178-e953c2e55d64 + type: organization + name: Important Federal Agency + short-name: IFA + links: + - href: https://www.ifa.gov + rel: website + responsible-parties: + - role-id: assessor + party-uuids: + - e7730080-71ce-4b20-bec4-84f33136fd58 + import-ssp: + href: ../3-implementation/ssp.oscal.xml + local-definitions: + activities: + - uuid: 52277182-1ba3-4cb6-8d96-b1b97aaf9d6b + title: Examine System Elements for Least Privilege Design and Implementation + description: 'The activity and it steps will be performed by the assessor and facilitated by owner, ISSO, and product team for the IFA GoodRead system with necessary information and access about least privilege design and implementation of the system''s elements: the application, web framework, server, and cloud account infrastructure.' + props: + - name: method + value: EXAMINE + steps: + - uuid: 733e3cbf-e398-46b6-9c02-a2cb534c341e + title: Obtain Network Access via VPN to IFA GoodRead Environment + description: The assessor will obtain network access with appropriately configured VPN account to see admin frontend to the application for PAO staff, which is only accessible via VPN with an appropriately configured role for PAO staff accounts. + - uuid: 4ce7e0b4-d69e-4b80-a700-8600b4d4d933 + title: Obtain Credentials and Access to AwesomeCloud Account for IFA GoodRead System + description: The assessor will obtain access to the GoodRead Product Team's AwesomeCloud account with their single sign-on credentials to a read-only assessor role. + - uuid: 3d0297de-e47b-4360-b9c3-cf5c425f86cd + title: Obtain Applcation Access Provided by Product Team + description: The assessor will obtain non-privileged account credentials with the PAO staff role to test this role in the application does not permit excessive administrative operations. + - uuid: 64ca1ef6-3ad4-4747-97c6-40890222463f + title: Confirm Load Balancer Blocks Access to Admin Frontend from Internet + description: The assessor will confirm that the load balancer for public access does not allow access to Admin Frontend of the application from the Internet. + - uuid: 715f0592-166f-44f6-bb66-d99623e035dc + title: Confirm GoodRead's PAO Role Cannot Manage Users + description: The assessor will confirm that user's logged into the GoodRead Application with the PAO staff role cannot add, modify, or disable users from the system. + - uuid: 4641957b-a0fa-4c61-af1a-d3e9101efe40 + title: Confirm Django Admin Panel Not Available + description: The assessor will confirm with web-based interface and API methods users with the PAO Staff role cannot access the Django admin panel functions and interactively change application's database records. + related-controls: + control-selections: + - include-controls: + - control-id: ac-6.1 + responsible-roles: + - role-id: assessor + party-uuids: + - e7730080-71ce-4b20-bec4-84f33136fd58 + reviewed-controls: + control-selections: + - include-controls: + - control-id: ac-6.1 + control-objective-selections: + - include-all: {} + assessment-subjects: + - type: component + description: The assessor for the IFA GoodRead Project, including the application and infrastructure for this information system, are within scope of this assessment. + include-all: {} + tasks: + - uuid: b3504d22-0e75-4dd7-9247-618661beba4e + type: action + title: Examine Least Privilege Design and Implementation + associated-activities: + - activity-uuid: 0d243b23-a889-478f-9716-6d4870e56209 + subjects: + - type: component + include-all: {} + responsible-roles: + - role-id: assessor + remarks: | + Per IFA's use of NIST SP-800 53A, the assessor, with the support of the owner, information system security officer, and product team for the IFA GoodRead project, will examine least privilege design and implementation with the following: + + * list of security functions (deployed in hardware, software, and firmware) and security-relevant information for which access must be explicitly authorized; + * system configuration settings and associated documentation; diff --git a/roscal_lib/tests/ar/json/ifa_assessment-results-example-min.json b/roscal_lib/tests/ar/json/ifa_assessment-results-example-min.json new file mode 100644 index 0000000..77b8ddb --- /dev/null +++ b/roscal_lib/tests/ar/json/ifa_assessment-results-example-min.json @@ -0,0 +1,169 @@ +{ + "assessment-results": { + "uuid": "ec0dad37-54e0-40fd-a925-6d0bdea94c0d", + "metadata": { + "title": "IFA GoodRead Continuous Monitoring Assessment Results June 2023", + "last-modified": "2024-02-01T13:57:28.355446-04:00", + "version": "202306-002", + "oscal-version": "1.1.2", + "roles": [ + { "id": "assessor", "title": "IFA Security Controls Assessor" } + ], + "parties": [ + { + "uuid": "e7730080-71ce-4b20-bec4-84f33136fd58", + "type": "person", + "name": "Amy Assessor", + "member-of-organizations": ["3a675986-b4ff-4030-b178-e953c2e55d64"] + }, + { + "uuid": "3a675986-b4ff-4030-b178-e953c2e55d64", + "type": "organization", + "name": "Important Federal Agency", + "short-name": "IFA", + "links": [{ "href": "https://www.ifa.gov", "rel": "website" }] + } + ], + "responsible-parties": [ + { + "role-id": "assessor", + "party-uuids": ["e7730080-71ce-4b20-bec4-84f33136fd58"] + } + ] + }, + "import-ap": { "href": "./ap.oscal.xml" }, + "local-definitions": { + "activities": [ + { + "uuid": "cf5d53fe-6043-4c68-9ed6-6b258909febf", + "title": "Test System Elements for Least Privilege Design and Implementation", + "description": "The activity and it steps will be performed by the assessor via their security automation platform to test least privilege design and implementation of the system's elements, specifically the cloud account infrastructure, as part of continuous monitoring.", + "props": [{ "name": "method", "value": "TEST" }], + "steps": [ + { + "uuid": "57f8cfb8-fc3f-41d3-b938-6ab421c92574", + "title": "Configure Cross-Account IAM Role Trust for GoodRead and Assessor AwesomeCloud Accounts", + "description": "The GoodRead system engineer will coordinate with the assessor's engineering support staff to configure an IAM role trust. A service account for automation with its own role with the assessor's AwesomeCloud account can assume the role for read-only assessor operations within the GoodRead Product Team's AwesomeCloud account for continuous monitoring of least privilege.", + "remarks": "This step is complete.\n\nGoodRead Product Team and SCA Engineering Support configured the latter's cross-account role trust and authentication and authorization in to the former's account on May 29, 2023." + }, + { + "uuid": "976aadad-b1ce-475b-aa6c-e082537e7902", + "title": "Automate Cross-Account Login to GoodRead AwesomeCloud Account", + "description": "The assessor's security automation platform will create a session from their dedicated will obtain access to the GoodRead Product Team's AwesomeCloud account with their single sign-on credentials to a read-only assessor role.", + "remarks": "This step is complete.\n\nGoodRead Product Team and SCA Engineering Support tested scripts from the security automation platform interactively on May 30, 2023, to confirm they work ahead of June 2023 continuous monitoring cycle." + }, + { + "uuid": "18ce4e19-7432-4484-8e75-2dd8f05668cf", + "title": "Analyze GoodRead Developer and System Engineer Roles for Least Privilege", + "description": "Once authenticated and authorized with a cross-account session, the security automation pipeline will execute scripts developed and maintained by the assessor's engineering support staff. It will analyze the permitted actions for the developer and system engineer roles in the GoodRead Product Team's AwesomeCloud account to confirm they are designed and implement to facilitate only least privilege operation. Examples are included below.\n\n* For the GoodRead developer role in their AwesomeCloud account, the developer role may only permit the user with this role to check the IP addresses and status of the Awesome Compute Service server instances. This role will not permit the user to create, change, or delete the instances. Similarly, the developer will permit a user to perform actions to see IP addresses of an Awesome Load Balancer instance, but not add, change, or delete the instances.\n* For the GoodRead system engineer role in their AwesomeCloud account, the system engineer role may only permit actions where the user can add, change, or delete instances for approved services (i.e. Awesome Compute Service, Awesome Load Balancer, et cetera). The role may not permit actions by the user for any other service.\n" + } + ], + "related-controls": { + "control-selections": [ + { "include-controls": [{ "control-id": "ac-6.1" }] } + ] + }, + "responsible-roles": [ + { + "role-id": "assessor", + "party-uuids": ["e7730080-71ce-4b20-bec4-84f33136fd58"] + } + ] + } + ] + }, + "results": [ + { + "uuid": "a1d20136-37e0-42aa-9834-4e9d8c36d798", + "title": "IFA GoodRead Continous Monitoring Results June 2023", + "description": "Automated monthly continuous monitoring of the GoodRead information system's cloud infrastructure recorded observations below. Additionally, contingent upon the confidence level of the observations and possible risks, confirmed findings may be opened.", + "start": "2023-06-02T08:31:20-04:00", + "end": "2023-06-02T08:46:51-04:00", + "local-definitions": { + "tasks": [ + { + "uuid": "35876484-aa4b-494d-95a2-0d1cc04eb47e", + "type": "action", + "title": "Test System Elements for Least Privilege Design and Implementation", + "description": "The activity and it steps will be performed by the assessor via their security automation platform to test least privilege design and implementation of the system's elements, specifically the cloud account infrastructure, as part of continuous monitoring.", + "associated-activities": [ + { + "activity-uuid": "cf5d53fe-6043-4c68-9ed6-6b258909febf", + "subjects": [{ "type": "component", "include-all": {} }] + } + ] + } + ] + }, + "reviewed-controls": { + "control-selections": [ + { "include-controls": [{ "control-id": "ac-6.1" }] } + ] + }, + "observations": [ + { + "uuid": "8807eb6e-0c05-43bc-8438-799739615e34", + "title": "AwesomeCloud IAM Roles Test - GoodRead System Engineer Role", + "description": "Test AwesomeCloud IAM Roles for least privilege design and implementation.", + "methods": ["TEST"], + "types": ["finding"], + "subjects": [ + { + "subject-uuid": "551b9706-d6a4-4d25-8207-f2ccec548b89", + "type": "component" + } + ], + "collected": "2023-06-02T08:31:20-04:00", + "expires": "2023-07-01T00:00:00-04:00", + "remarks": "The assessor's security automation platform analyzed all roles specific to the GoodRead Product Team, not those managed by the Office of Information Technology. The `IFA-GoodRead-SystemEnginer` role in their respective AwesomeCloud account permitted use of the following high-risk actions.\n\n* awesomecloud:auditlog:DeleteAccountAuditLog\n* awesomecloud:secmon:AdministerConfigurations\n\n\nBoth of these actions are overly permissive and not appropriate for the business function of the staff member assigned this role." + }, + { + "uuid": "4a2fb32e-9be9-43cf-b717-e9e47de061bd", + "title": "AwesomeCloud IAM Roles Test - GoodRead Developer Role", + "description": "Test AwesomeCloud IAM Roles for least privilege design and implementation.", + "methods": ["TEST"], + "types": ["finding"], + "subjects": [ + { + "subject-uuid": "551b9706-d6a4-4d25-8207-f2ccec548b89", + "type": "component" + } + ], + "collected": "2023-06-02T08:31:20-04:00", + "expires": "2023-07-01T00:00:00-04:00", + "remarks": "The assessor's security automation platform detected that the developer's role is permitted to perform only permissible actions in the GoodRead AwesomeCloud account in accordance with the agency's least privilege policy and procedures." + } + ], + "risks": [ + { + "uuid": "0cfa750e-3553-47ba-a7ba-cf84a884d261", + "title": "GoodRead System Engineers Have Over-Privileged Access to Cloud Infrastructure Account", + "description": "A user in the GoodRead cloud environment with the privileges of a system engineer can exceed the intended privileges for their related business function. They can delete all historical audit records and remove important security monitoring functions for the IFA Security Operations Center staff.", + "statement": "An account without proper least privilege design and implementation can be used to surreptitiously add, change, or delete cloud infrastructure to the too managing all links to IFA's communication to public citizens, potentially causing significant harm with no forensic evidence to recover the system. Regardless of the extent and duration of a potential incident, such a configuration greatly increases the risk of an insider threat if there were likely to a potential insider threat in the GoodRead Product Team.\n\nIf such an insider threat existed and acted with this misconfigruatio, the resulting event could cause significant financial and reputational risk to IFA's Administrator, executive staff, and the agency overall.", + "status": "investigating" + } + ], + "findings": [ + { + "uuid": "45d8a6c2-1368-4bad-9ba0-7141f0a32889", + "title": "GoodRead AwesomeCloud Account's System Engineer Role Permits High Risk Actions", + "description": "The assessor's security automation platform detected that the system engineer's role is permitted to perform the following actions in the GoodRead AwesomeCloud account.\n\n* Delete and reset account audit logs.\n* Add, change, or delete security monitoring configurations in the Awesome Security Monitor service used by the IFA Security Operations Center.\n\n\nThe system engineer is not permitted to modify these services and their role was incorrectly configured.", + "target": { + "type": "objective-id", + "target-id": "ac-6.1_obj", + "description": "This is a finding.", + "status": { "state": "not-satisfied" } + }, + "implementation-statement-uuid": "d5f9b263-965d-440b-99e7-77f5df670a11", + "related-observations": [ + { "observation-uuid": "8807eb6e-0c05-43bc-8438-799739615e34" } + ], + "related-risks": [ + { "risk-uuid": "0cfa750e-3553-47ba-a7ba-cf84a884d261" } + ] + } + ] + } + ] + } +} diff --git a/roscal_lib/tests/ar/json/ifa_assessment-results-example.json b/roscal_lib/tests/ar/json/ifa_assessment-results-example.json new file mode 100644 index 0000000..1862401 --- /dev/null +++ b/roscal_lib/tests/ar/json/ifa_assessment-results-example.json @@ -0,0 +1,207 @@ +{ + "assessment-results": { + "uuid": "ec0dad37-54e0-40fd-a925-6d0bdea94c0d", + "metadata": { + "title": "IFA GoodRead Continuous Monitoring Assessment Results June 2023", + "last-modified": "2024-02-01T13:57:28.355446-04:00", + "version": "202306-002", + "oscal-version": "1.1.2", + "roles": [ + { + "id": "assessor", + "title": "IFA Security Controls Assessor" + } + ], + "parties": [ + { + "uuid": "e7730080-71ce-4b20-bec4-84f33136fd58", + "type": "person", + "name": "Amy Assessor", + "member-of-organizations": ["3a675986-b4ff-4030-b178-e953c2e55d64"] + }, + { + "uuid": "3a675986-b4ff-4030-b178-e953c2e55d64", + "type": "organization", + "name": "Important Federal Agency", + "short-name": "IFA", + "links": [ + { + "href": "https://www.ifa.gov", + "rel": "website" + } + ] + } + ], + "responsible-parties": [ + { + "role-id": "assessor", + "party-uuids": ["e7730080-71ce-4b20-bec4-84f33136fd58"] + } + ] + }, + "import-ap": { + "href": "./ap.oscal.xml" + }, + "local-definitions": { + "activities": [ + { + "uuid": "cf5d53fe-6043-4c68-9ed6-6b258909febf", + "title": "Test System Elements for Least Privilege Design and Implementation", + "description": "The activity and it steps will be performed by the assessor via their security automation platform to test least privilege design and implementation of the system's elements, specifically the cloud account infrastructure, as part of continuous monitoring.", + "props": [ + { + "name": "method", + "value": "TEST" + } + ], + "steps": [ + { + "uuid": "57f8cfb8-fc3f-41d3-b938-6ab421c92574", + "title": "Configure Cross-Account IAM Role Trust for GoodRead and Assessor AwesomeCloud Accounts", + "description": "The GoodRead system engineer will coordinate with the assessor's engineering support staff to configure an IAM role trust. A service account for automation with its own role with the assessor's AwesomeCloud account can assume the role for read-only assessor operations within the GoodRead Product Team's AwesomeCloud account for continuous monitoring of least privilege.", + "remarks": "This step is complete.\n\nGoodRead Product Team and SCA Engineering Support configured the latter's cross-account role trust and authentication and authorization in to the former's account on May 29, 2023." + }, + { + "uuid": "976aadad-b1ce-475b-aa6c-e082537e7902", + "title": "Automate Cross-Account Login to GoodRead AwesomeCloud Account", + "description": "The assessor's security automation platform will create a session from their dedicated will obtain access to the GoodRead Product Team's AwesomeCloud account with their single sign-on credentials to a read-only assessor role.", + "remarks": "This step is complete.\n\nGoodRead Product Team and SCA Engineering Support tested scripts from the security automation platform interactively on May 30, 2023, to confirm they work ahead of June 2023 continuous monitoring cycle." + }, + { + "uuid": "18ce4e19-7432-4484-8e75-2dd8f05668cf", + "title": "Analyze GoodRead Developer and System Engineer Roles for Least Privilege", + "description": "Once authenticated and authorized with a cross-account session, the security automation pipeline will execute scripts developed and maintained by the assessor's engineering support staff. It will analyze the permitted actions for the developer and system engineer roles in the GoodRead Product Team's AwesomeCloud account to confirm they are designed and implement to facilitate only least privilege operation. Examples are included below.\n\n* For the GoodRead developer role in their AwesomeCloud account, the developer role may only permit the user with this role to check the IP addresses and status of the Awesome Compute Service server instances. This role will not permit the user to create, change, or delete the instances. Similarly, the developer will permit a user to perform actions to see IP addresses of an Awesome Load Balancer instance, but not add, change, or delete the instances.\n* For the GoodRead system engineer role in their AwesomeCloud account, the system engineer role may only permit actions where the user can add, change, or delete instances for approved services (i.e. Awesome Compute Service, Awesome Load Balancer, et cetera). The role may not permit actions by the user for any other service.\n" + } + ], + "related-controls": { + "control-selections": [ + { + "include-controls": [ + { + "control-id": "ac-6.1" + } + ] + } + ] + }, + "responsible-roles": [ + { + "role-id": "assessor", + "party-uuids": ["e7730080-71ce-4b20-bec4-84f33136fd58"] + } + ] + } + ] + }, + "results": [ + { + "uuid": "a1d20136-37e0-42aa-9834-4e9d8c36d798", + "title": "IFA GoodRead Continous Monitoring Results June 2023", + "description": "Automated monthly continuous monitoring of the GoodRead information system's cloud infrastructure recorded observations below. Additionally, contingent upon the confidence level of the observations and possible risks, confirmed findings may be opened.", + "start": "2023-06-02T08:31:20-04:00", + "end": "2023-06-02T08:46:51-04:00", + "local-definitions": { + "tasks": [ + { + "uuid": "35876484-aa4b-494d-95a2-0d1cc04eb47e", + "type": "action", + "title": "Test System Elements for Least Privilege Design and Implementation", + "description": "The activity and it steps will be performed by the assessor via their security automation platform to test least privilege design and implementation of the system's elements, specifically the cloud account infrastructure, as part of continuous monitoring.", + "associated-activities": [ + { + "activity-uuid": "cf5d53fe-6043-4c68-9ed6-6b258909febf", + "subjects": [ + { + "type": "component", + "include-all": {} + } + ] + } + ] + } + ] + }, + "reviewed-controls": { + "control-selections": [ + { + "include-controls": [ + { + "control-id": "ac-6.1" + } + ] + } + ] + }, + "observations": [ + { + "uuid": "8807eb6e-0c05-43bc-8438-799739615e34", + "title": "AwesomeCloud IAM Roles Test - GoodRead System Engineer Role", + "description": "Test AwesomeCloud IAM Roles for least privilege design and implementation.", + "methods": ["TEST"], + "types": ["finding"], + "subjects": [ + { + "subject-uuid": "551b9706-d6a4-4d25-8207-f2ccec548b89", + "type": "component" + } + ], + "collected": "2023-06-02T08:31:20-04:00", + "expires": "2023-07-01T00:00:00-04:00", + "remarks": "The assessor's security automation platform analyzed all roles specific to the GoodRead Product Team, not those managed by the Office of Information Technology. The `IFA-GoodRead-SystemEnginer` role in their respective AwesomeCloud account permitted use of the following high-risk actions.\n\n* awesomecloud:auditlog:DeleteAccountAuditLog\n* awesomecloud:secmon:AdministerConfigurations\n\n\nBoth of these actions are overly permissive and not appropriate for the business function of the staff member assigned this role." + }, + { + "uuid": "4a2fb32e-9be9-43cf-b717-e9e47de061bd", + "title": "AwesomeCloud IAM Roles Test - GoodRead Developer Role", + "description": "Test AwesomeCloud IAM Roles for least privilege design and implementation.", + "methods": ["TEST"], + "types": ["finding"], + "subjects": [ + { + "subject-uuid": "551b9706-d6a4-4d25-8207-f2ccec548b89", + "type": "component" + } + ], + "collected": "2023-06-02T08:31:20-04:00", + "expires": "2023-07-01T00:00:00-04:00", + "remarks": "The assessor's security automation platform detected that the developer's role is permitted to perform only permissible actions in the GoodRead AwesomeCloud account in accordance with the agency's least privilege policy and procedures." + } + ], + "risks": [ + { + "uuid": "0cfa750e-3553-47ba-a7ba-cf84a884d261", + "title": "GoodRead System Engineers Have Over-Privileged Access to Cloud Infrastructure Account", + "description": "A user in the GoodRead cloud environment with the privileges of a system engineer can exceed the intended privileges for their related business function. They can delete all historical audit records and remove important security monitoring functions for the IFA Security Operations Center staff.", + "statement": "An account without proper least privilege design and implementation can be used to surreptitiously add, change, or delete cloud infrastructure to the too managing all links to IFA's communication to public citizens, potentially causing significant harm with no forensic evidence to recover the system. Regardless of the extent and duration of a potential incident, such a configuration greatly increases the risk of an insider threat if there were likely to a potential insider threat in the GoodRead Product Team.\n\nIf such an insider threat existed and acted with this misconfigruatio, the resulting event could cause significant financial and reputational risk to IFA's Administrator, executive staff, and the agency overall.", + "status": "investigating" + } + ], + "findings": [ + { + "uuid": "45d8a6c2-1368-4bad-9ba0-7141f0a32889", + "title": "GoodRead AwesomeCloud Account's System Engineer Role Permits High Risk Actions", + "description": "The assessor's security automation platform detected that the system engineer's role is permitted to perform the following actions in the GoodRead AwesomeCloud account.\n\n* Delete and reset account audit logs.\n* Add, change, or delete security monitoring configurations in the Awesome Security Monitor service used by the IFA Security Operations Center.\n\n\nThe system engineer is not permitted to modify these services and their role was incorrectly configured.", + "target": { + "type": "objective-id", + "target-id": "ac-6.1_obj", + "description": "This is a finding.", + "status": { + "state": "not-satisfied" + } + }, + "implementation-statement-uuid": "d5f9b263-965d-440b-99e7-77f5df670a11", + "related-observations": [ + { + "observation-uuid": "8807eb6e-0c05-43bc-8438-799739615e34" + } + ], + "related-risks": [ + { + "risk-uuid": "0cfa750e-3553-47ba-a7ba-cf84a884d261" + } + ] + } + ] + } + ] + } +} diff --git a/roscal_lib/tests/ar/yaml/ifa_assessment-results-example.yaml b/roscal_lib/tests/ar/yaml/ifa_assessment-results-example.yaml new file mode 100644 index 0000000..ff2eb72 --- /dev/null +++ b/roscal_lib/tests/ar/yaml/ifa_assessment-results-example.yaml @@ -0,0 +1,153 @@ +assessment-results: + uuid: ec0dad37-54e0-40fd-a925-6d0bdea94c0d + metadata: + title: IFA GoodRead Continuous Monitoring Assessment Results June 2023 + last-modified: "2024-02-01T13:57:28.355446-04:00" + version: 202306-002 + oscal-version: 1.1.2 + roles: + - id: assessor + title: IFA Security Controls Assessor + parties: + - uuid: e7730080-71ce-4b20-bec4-84f33136fd58 + type: person + name: Amy Assessor + member-of-organizations: + - 3a675986-b4ff-4030-b178-e953c2e55d64 + - uuid: 3a675986-b4ff-4030-b178-e953c2e55d64 + type: organization + name: Important Federal Agency + short-name: IFA + links: + - href: https://www.ifa.gov + rel: website + responsible-parties: + - role-id: assessor + party-uuids: + - e7730080-71ce-4b20-bec4-84f33136fd58 + import-ap: + href: ./ap.oscal.xml + local-definitions: + activities: + - uuid: cf5d53fe-6043-4c68-9ed6-6b258909febf + title: Test System Elements for Least Privilege Design and Implementation + description: The activity and it steps will be performed by the assessor via their security automation platform to test least privilege design and implementation of the system's elements, specifically the cloud account infrastructure, as part of continuous monitoring. + props: + - name: method + value: TEST + steps: + - uuid: 57f8cfb8-fc3f-41d3-b938-6ab421c92574 + title: Configure Cross-Account IAM Role Trust for GoodRead and Assessor AwesomeCloud Accounts + description: The GoodRead system engineer will coordinate with the assessor's engineering support staff to configure an IAM role trust. A service account for automation with its own role with the assessor's AwesomeCloud account can assume the role for read-only assessor operations within the GoodRead Product Team's AwesomeCloud account for continuous monitoring of least privilege. + remarks: |- + This step is complete. + + GoodRead Product Team and SCA Engineering Support configured the latter's cross-account role trust and authentication and authorization in to the former's account on May 29, 2023. + - uuid: 976aadad-b1ce-475b-aa6c-e082537e7902 + title: Automate Cross-Account Login to GoodRead AwesomeCloud Account + description: The assessor's security automation platform will create a session from their dedicated will obtain access to the GoodRead Product Team's AwesomeCloud account with their single sign-on credentials to a read-only assessor role. + remarks: |- + This step is complete. + + GoodRead Product Team and SCA Engineering Support tested scripts from the security automation platform interactively on May 30, 2023, to confirm they work ahead of June 2023 continuous monitoring cycle. + - uuid: 18ce4e19-7432-4484-8e75-2dd8f05668cf + title: Analyze GoodRead Developer and System Engineer Roles for Least Privilege + description: | + Once authenticated and authorized with a cross-account session, the security automation pipeline will execute scripts developed and maintained by the assessor's engineering support staff. It will analyze the permitted actions for the developer and system engineer roles in the GoodRead Product Team's AwesomeCloud account to confirm they are designed and implement to facilitate only least privilege operation. Examples are included below. + + * For the GoodRead developer role in their AwesomeCloud account, the developer role may only permit the user with this role to check the IP addresses and status of the Awesome Compute Service server instances. This role will not permit the user to create, change, or delete the instances. Similarly, the developer will permit a user to perform actions to see IP addresses of an Awesome Load Balancer instance, but not add, change, or delete the instances. + * For the GoodRead system engineer role in their AwesomeCloud account, the system engineer role may only permit actions where the user can add, change, or delete instances for approved services (i.e. Awesome Compute Service, Awesome Load Balancer, et cetera). The role may not permit actions by the user for any other service. + related-controls: + control-selections: + - include-controls: + - control-id: ac-6.1 + responsible-roles: + - role-id: assessor + party-uuids: + - e7730080-71ce-4b20-bec4-84f33136fd58 + results: + - uuid: a1d20136-37e0-42aa-9834-4e9d8c36d798 + title: IFA GoodRead Continous Monitoring Results June 2023 + description: Automated monthly continuous monitoring of the GoodRead information system's cloud infrastructure recorded observations below. Additionally, contingent upon the confidence level of the observations and possible risks, confirmed findings may be opened. + start: "2023-06-02T08:31:20-04:00" + end: "2023-06-02T08:46:51-04:00" + local-definitions: + tasks: + - uuid: 35876484-aa4b-494d-95a2-0d1cc04eb47e + type: action + title: Test System Elements for Least Privilege Design and Implementation + description: The activity and it steps will be performed by the assessor via their security automation platform to test least privilege design and implementation of the system's elements, specifically the cloud account infrastructure, as part of continuous monitoring. + associated-activities: + - activity-uuid: cf5d53fe-6043-4c68-9ed6-6b258909febf + subjects: + - type: component + include-all: {} + reviewed-controls: + control-selections: + - include-controls: + - control-id: ac-6.1 + observations: + - uuid: 8807eb6e-0c05-43bc-8438-799739615e34 + title: AwesomeCloud IAM Roles Test - GoodRead System Engineer Role + description: Test AwesomeCloud IAM Roles for least privilege design and implementation. + methods: + - TEST + types: + - finding + subjects: + - subject-uuid: 551b9706-d6a4-4d25-8207-f2ccec548b89 + type: component + collected: "2023-06-02T08:31:20-04:00" + expires: "2023-07-01T00:00:00-04:00" + remarks: |- + The assessor's security automation platform analyzed all roles specific to the GoodRead Product Team, not those managed by the Office of Information Technology. The `IFA-GoodRead-SystemEnginer` role in their respective AwesomeCloud account permitted use of the following high-risk actions. + + * awesomecloud:auditlog:DeleteAccountAuditLog + * awesomecloud:secmon:AdministerConfigurations + + + Both of these actions are overly permissive and not appropriate for the business function of the staff member assigned this role. + - uuid: 4a2fb32e-9be9-43cf-b717-e9e47de061bd + title: AwesomeCloud IAM Roles Test - GoodRead Developer Role + description: Test AwesomeCloud IAM Roles for least privilege design and implementation. + methods: + - TEST + types: + - finding + subjects: + - subject-uuid: 551b9706-d6a4-4d25-8207-f2ccec548b89 + type: component + collected: "2023-06-02T08:31:20-04:00" + expires: "2023-07-01T00:00:00-04:00" + remarks: The assessor's security automation platform detected that the developer's role is permitted to perform only permissible actions in the GoodRead AwesomeCloud account in accordance with the agency's least privilege policy and procedures. + risks: + - uuid: 0cfa750e-3553-47ba-a7ba-cf84a884d261 + title: GoodRead System Engineers Have Over-Privileged Access to Cloud Infrastructure Account + description: A user in the GoodRead cloud environment with the privileges of a system engineer can exceed the intended privileges for their related business function. They can delete all historical audit records and remove important security monitoring functions for the IFA Security Operations Center staff. + statement: |- + An account without proper least privilege design and implementation can be used to surreptitiously add, change, or delete cloud infrastructure to the too managing all links to IFA's communication to public citizens, potentially causing significant harm with no forensic evidence to recover the system. Regardless of the extent and duration of a potential incident, such a configuration greatly increases the risk of an insider threat if there were likely to a potential insider threat in the GoodRead Product Team. + + If such an insider threat existed and acted with this misconfigruatio, the resulting event could cause significant financial and reputational risk to IFA's Administrator, executive staff, and the agency overall. + status: investigating + findings: + - uuid: 45d8a6c2-1368-4bad-9ba0-7141f0a32889 + title: GoodRead AwesomeCloud Account's System Engineer Role Permits High Risk Actions + description: |- + The assessor's security automation platform detected that the system engineer's role is permitted to perform the following actions in the GoodRead AwesomeCloud account. + + * Delete and reset account audit logs. + * Add, change, or delete security monitoring configurations in the Awesome Security Monitor service used by the IFA Security Operations Center. + + + The system engineer is not permitted to modify these services and their role was incorrectly configured. + target: + type: objective-id + target-id: ac-6.1_obj + description: This is a finding. + status: + state: not-satisfied + implementation-statement-uuid: d5f9b263-965d-440b-99e7-77f5df670a11 + related-observations: + - observation-uuid: 8807eb6e-0c05-43bc-8438-799739615e34 + related-risks: + - risk-uuid: 0cfa750e-3553-47ba-a7ba-cf84a884d261 diff --git a/roscal_lib/tests/catalog/json/basic-catalog-min.json b/roscal_lib/tests/catalog/json/basic-catalog-min.json new file mode 100644 index 0000000..e337a0f --- /dev/null +++ b/roscal_lib/tests/catalog/json/basic-catalog-min.json @@ -0,0 +1,234 @@ +{ + "catalog": { + "uuid": "74c8ba1e-5cd4-4ad1-bbfd-d888e2f6c724", + "metadata": { + "title": "Sample Security Catalog *for Demonstration* and Testing", + "published": "2023-10-12T00:00:00.000000-04:00", + "last-modified": "2024-02-01T13:57:28.355446-04:00", + "version": "1.1", + "oscal-version": "1.1.2", + "remarks": "The following is a short excerpt from [ISO/IEC 27002:2013](https://www.iso.org/standard/54533.html), *Information technology — Security techniques — Code of practice for information security controls*. This work is provided here under copyright \"fair use\" for non-profit, educational purposes only. Copyrights for this work are held by the publisher, the International Organization for Standardization (ISO)." + }, + "groups": [ + { + "id": "s1", + "title": "Organization of Information Security", + "props": [{ "name": "label", "value": "1" }], + "groups": [ + { + "id": "s1.1", + "title": "Internal Organization", + "controls": [ + { + "id": "s1.1.1", + "title": "Information security roles and responsibilities", + "params": [ + { + "id": "s1.1.1-prm1", + "label": "a choice from a selection", + "select": { + "how-many": "one-or-more", + "choice": [ + "initiating a device lock after {{ insert: param, s1.1.1-prm_2 }} of inactivity", + "requiring the user to initiate a device lock before leaving the system unattended" + ] + } + }, + { "id": "s1.1.1-prm_2", "label": "a duration" } + ], + "props": [{ "name": "label", "value": "1.1.1" }], + "parts": [ + { + "id": "s1.1_smt", + "name": "overview", + "prose": "To establish a management framework to initiate and control the implementation and operation of information security within the organization." + }, + { + "id": "s1.1.1_stm", + "name": "statement", + "prose": "All information security responsibilities should be defined and allocated.\n\nA value has been assigned to {{ insert: param, s1.1.1-prm1 }}.\n\nA cross link has been established with a choppy syntax: [(choppy)](#s1.2)." + }, + { + "id": "s1.1.1_gdn", + "name": "guidance", + "parts": [ + { + "id": "s1.1.1_gdn.1", + "name": "objective", + "prose": "Allocation of information security responsibilities should be done in accordance with the information security policies. Responsibilities for the protection of individual assets and for carrying out specific information security processes should be identified. Responsibilities for information security risk management activities and in particular for acceptance of residual risks should be defined. These responsibilities should be supplemented, where necessary, with more detailed guidance for specific sites and information processing facilities. Local responsibilities for the protection of assets and for carrying out specific security processes should be defined." + }, + { + "id": "s1.1.1_gdn.2", + "name": "objective", + "prose": "Individuals with allocated information security responsibilities may delegate security tasks to others. Nevertheless they remain accountable and should determine that any delegated tasks have been correctly performed." + }, + { + "id": "s1.1.1_gdn.3", + "name": "objective", + "prose": "Areas for which individuals are responsible should be stated. In particular the following should take place:\n\n1. the assets and information security processes should be identified and defined;\n1. the entity responsible for each asset or information security process should be assigned and the details of this responsibility should be documented;\n1. authorization levels should be defined and documented;\n1. to be able to fulfil responsibilities in the information security area the appointed individuals should be competent in the area and be given opportunities to keep up to date with developments;\n1. coordination and oversight of information security aspects of supplier relationships should be identified and documented.\n" + } + ] + }, + { + "id": "s1.1.1_inf", + "name": "overview", + "props": [ + { "name": "label", "value": "Other information" } + ], + "prose": "Many organizations appoint an information security manager to take overall responsibility for the development and implementation of information security and to support the identification of controls.\n\nHowever, responsibility for resourcing and implementing the controls will often remain with individual managers. One common practice is to appoint an owner for each asset who then becomes responsible for its day-to-day protection." + } + ] + }, + { + "id": "s1.1.2", + "title": "Segregation of duties", + "props": [{ "name": "label", "value": "1.1.2" }], + "parts": [ + { + "id": "s1.1.2_stm", + "name": "statement", + "prose": "Conflicting duties and areas of responsibility should be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets." + }, + { + "id": "s1.1.2_gdn", + "name": "guidance", + "parts": [ + { + "id": "s1.1.2_gdn.1", + "name": "objective", + "prose": "Care should be taken that no single person can access, modify or use assets without authorization or detection. The initiation of an event should be separated from its authorization. The possibility of collusion should be considered in designing the controls." + }, + { + "id": "s1.1.2_gdn.2", + "name": "objective", + "prose": "Small organizations may find segregation of duties difficult to achieve, but the principle should be applied as far as is possible and practicable. Whenever it is difficult to segregate, other controls such as monitoring of activities, audit trails and management supervision should be considered." + } + ] + }, + { + "id": "s1.1.2_inf", + "name": "overview", + "prose": "Segregation of duties is a method for reducing the risk of accidental or deliberate misuse of an organization’s assets." + } + ] + } + ] + } + ] + }, + { + "id": "s2", + "title": "Access control", + "props": [{ "name": "label", "value": "2" }], + "groups": [ + { + "id": "s2.1", + "title": "Business requirements of access control", + "props": [{ "name": "label", "value": "2.1" }], + "parts": [ + { + "id": "s2.1_smt", + "name": "overview", + "prose": "To limit access to information and information processing facilities." + } + ], + "controls": [ + { + "id": "s2.1.1", + "title": "Access control policy", + "props": [{ "name": "label", "value": "2.1.1" }], + "parts": [ + { + "id": "s2.1.1_stm", + "name": "statement", + "prose": "An access control policy should be established, documented and reviewed based on business and information security requirements." + }, + { + "id": "s2.1.1_gdn", + "name": "guidance", + "parts": [ + { + "id": "s2.1.1_gdn.1", + "name": "objective", + "prose": "Asset owners should determine appropriate access control rules, access rights and restrictions for specific user roles towards their assets, with the amount of detail and the strictness of the controls reflecting the associated information security risks." + }, + { + "id": "s2.1.1_gdn.2", + "name": "objective", + "prose": "Access controls are both logical and physical and these should be considered together." + }, + { + "id": "s2.1.1_gdn.3", + "name": "objective", + "prose": "Users and service providers should be given a clear statement of the business requirements to be met by access controls." + }, + { + "id": "s2.1.1_gdn.4", + "name": "objective", + "prose": "The policy should take account of the following:\n\n1. security requirements of business applications;\n1. policies for information dissemination and authorization, e.g. the need-to-know principle and information security levels and classification of information;\n1. consistency between the access rights and information classification policies of systems and networks;\n1. relevant legislation and any contractual obligations regarding limitation of access to data or services;\n1. management of access rights in a distributed and networked environment which recognizes all types of connections available;\n1. segregation of access control roles, e.g. access request, access authorization, access administration;\n1. requirements for formal authorization of access requests;\n1. requirements for periodic review of access rights;\n1. removal of access rights;\n1. archiving of records of all significant events concerning the use and management of user identities and secret authentication information;,\n1. roles with privileged access.\n" + } + ] + }, + { + "id": "s2.1.1_info", + "name": "overview", + "parts": [ + { + "id": "s2.1.1_info.1", + "name": "objective", + "prose": "Care should be taken when specifying access control rules to consider:\n\n1. establishing rules based on the premise “Everything is generally forbidden unless expressly permitted” rather than the weaker rule “Everything is generally permitted unless expressly forbidden”;\n1. changes in information labels that are initiated automatically by information processing facilities and those initiated at the discretion of a user;\n1. changes in user permissions that are initiated automatically by the information system and those initiated by an administrator;\n1. rules which require specific approval before enactment and those which do not.\n" + }, + { + "id": "s2.1.1_info.2", + "name": "objective", + "prose": "Access control rules should be supported by formal procedures and defined responsibilities." + }, + { + "id": "s2.1.1_stm.3", + "name": "objective", + "prose": "Role based access control is an approach used successfully by many organizations to link access rights with business roles." + }, + { + "id": "s2.1.1_stm.4", + "name": "objective", + "prose": "Two of the frequent principles directing the access control policy are:\n\n1. Need-to-know: you are only granted access to the information you need to perform your tasks (different tasks/roles mean different need-to-know and hence different access profile);\n1. Need-to-use: you are only granted access to the information processing facilities (IT equipment, applications, procedures, rooms) you need to perform your task/job/role.\n" + } + ] + } + ] + }, + { + "id": "s2.1.2", + "title": "Access to networks and network services", + "props": [{ "name": "label", "value": "2.1.2" }], + "parts": [ + { + "id": "s2.1.2_stm", + "name": "statement", + "prose": "Users should only be provided with access to the network and network services that they have been specifically authorized to use." + }, + { + "id": "s2.1.2_gdn", + "name": "guidance", + "parts": [ + { + "id": "s2.1.2_gdn.1", + "name": "objective", + "prose": "A policy should be formulated concerning the use of networks and network services. This policy should cover:\n\n1. the networks and network services which are allowed to be accessed;\n1. authorization procedures for determining who is allowed to access which networks and networked services;\n1. management controls and procedures to protect access to network connections and network services;\n1. the means used to access networks and network services (e.g. use of VPN or wireless network);\n1. user authentication requirements for accessing various network services;\n1. monitoring of the use of network service\n" + }, + { + "id": "s2.1.2_gdn.2", + "name": "objective", + "prose": "The policy on the use of network services should be consistent with the organization’s access control policy" + } + ] + } + ] + } + ] + } + ] + } + ] + } +} diff --git a/roscal_lib/tests/catalog/json/basic-catalog.json b/roscal_lib/tests/catalog/json/basic-catalog.json new file mode 100644 index 0000000..f35f3b8 --- /dev/null +++ b/roscal_lib/tests/catalog/json/basic-catalog.json @@ -0,0 +1,275 @@ +{ + "catalog": { + "uuid": "74c8ba1e-5cd4-4ad1-bbfd-d888e2f6c724", + "metadata": { + "title": "Sample Security Catalog *for Demonstration* and Testing", + "published": "2023-10-12T00:00:00.000000-04:00", + "last-modified": "2024-02-01T13:57:28.355446-04:00", + "version": "1.1", + "oscal-version": "1.1.2", + "remarks": "The following is a short excerpt from [ISO/IEC 27002:2013](https://www.iso.org/standard/54533.html), *Information technology — Security techniques — Code of practice for information security controls*. This work is provided here under copyright \"fair use\" for non-profit, educational purposes only. Copyrights for this work are held by the publisher, the International Organization for Standardization (ISO)." + }, + "groups": [ + { + "id": "s1", + "title": "Organization of Information Security", + "props": [ + { + "name": "label", + "value": "1" + } + ], + "groups": [ + { + "id": "s1.1", + "title": "Internal Organization", + "controls": [ + { + "id": "s1.1.1", + "title": "Information security roles and responsibilities", + "params": [ + { + "id": "s1.1.1-prm1", + "label": "a choice from a selection", + "select": { + "how-many": "one-or-more", + "choice": [ + "initiating a device lock after {{ insert: param, s1.1.1-prm_2 }} of inactivity", + "requiring the user to initiate a device lock before leaving the system unattended" + ] + } + }, + { + "id": "s1.1.1-prm_2", + "label": "a duration" + } + ], + "props": [ + { + "name": "label", + "value": "1.1.1" + } + ], + "parts": [ + { + "id": "s1.1_smt", + "name": "overview", + "prose": "To establish a management framework to initiate and control the implementation and operation of information security within the organization." + }, + { + "id": "s1.1.1_stm", + "name": "statement", + "prose": "All information security responsibilities should be defined and allocated.\n\nA value has been assigned to {{ insert: param, s1.1.1-prm1 }}.\n\nA cross link has been established with a choppy syntax: [(choppy)](#s1.2)." + }, + { + "id": "s1.1.1_gdn", + "name": "guidance", + "parts": [ + { + "id": "s1.1.1_gdn.1", + "name": "objective", + "prose": "Allocation of information security responsibilities should be done in accordance with the information security policies. Responsibilities for the protection of individual assets and for carrying out specific information security processes should be identified. Responsibilities for information security risk management activities and in particular for acceptance of residual risks should be defined. These responsibilities should be supplemented, where necessary, with more detailed guidance for specific sites and information processing facilities. Local responsibilities for the protection of assets and for carrying out specific security processes should be defined." + }, + { + "id": "s1.1.1_gdn.2", + "name": "objective", + "prose": "Individuals with allocated information security responsibilities may delegate security tasks to others. Nevertheless they remain accountable and should determine that any delegated tasks have been correctly performed." + }, + { + "id": "s1.1.1_gdn.3", + "name": "objective", + "prose": "Areas for which individuals are responsible should be stated. In particular the following should take place:\n\n1. the assets and information security processes should be identified and defined;\n1. the entity responsible for each asset or information security process should be assigned and the details of this responsibility should be documented;\n1. authorization levels should be defined and documented;\n1. to be able to fulfil responsibilities in the information security area the appointed individuals should be competent in the area and be given opportunities to keep up to date with developments;\n1. coordination and oversight of information security aspects of supplier relationships should be identified and documented.\n" + } + ] + }, + { + "id": "s1.1.1_inf", + "name": "overview", + "props": [ + { + "name": "label", + "value": "Other information" + } + ], + "prose": "Many organizations appoint an information security manager to take overall responsibility for the development and implementation of information security and to support the identification of controls.\n\nHowever, responsibility for resourcing and implementing the controls will often remain with individual managers. One common practice is to appoint an owner for each asset who then becomes responsible for its day-to-day protection." + } + ] + }, + { + "id": "s1.1.2", + "title": "Segregation of duties", + "props": [ + { + "name": "label", + "value": "1.1.2" + } + ], + "parts": [ + { + "id": "s1.1.2_stm", + "name": "statement", + "prose": "Conflicting duties and areas of responsibility should be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets." + }, + { + "id": "s1.1.2_gdn", + "name": "guidance", + "parts": [ + { + "id": "s1.1.2_gdn.1", + "name": "objective", + "prose": "Care should be taken that no single person can access, modify or use assets without authorization or detection. The initiation of an event should be separated from its authorization. The possibility of collusion should be considered in designing the controls." + }, + { + "id": "s1.1.2_gdn.2", + "name": "objective", + "prose": "Small organizations may find segregation of duties difficult to achieve, but the principle should be applied as far as is possible and practicable. Whenever it is difficult to segregate, other controls such as monitoring of activities, audit trails and management supervision should be considered." + } + ] + }, + { + "id": "s1.1.2_inf", + "name": "overview", + "prose": "Segregation of duties is a method for reducing the risk of accidental or deliberate misuse of an organization’s assets." + } + ] + } + ] + } + ] + }, + { + "id": "s2", + "title": "Access control", + "props": [ + { + "name": "label", + "value": "2" + } + ], + "groups": [ + { + "id": "s2.1", + "title": "Business requirements of access control", + "props": [ + { + "name": "label", + "value": "2.1" + } + ], + "parts": [ + { + "id": "s2.1_smt", + "name": "overview", + "prose": "To limit access to information and information processing facilities." + } + ], + "controls": [ + { + "id": "s2.1.1", + "title": "Access control policy", + "props": [ + { + "name": "label", + "value": "2.1.1" + } + ], + "parts": [ + { + "id": "s2.1.1_stm", + "name": "statement", + "prose": "An access control policy should be established, documented and reviewed based on business and information security requirements." + }, + { + "id": "s2.1.1_gdn", + "name": "guidance", + "parts": [ + { + "id": "s2.1.1_gdn.1", + "name": "objective", + "prose": "Asset owners should determine appropriate access control rules, access rights and restrictions for specific user roles towards their assets, with the amount of detail and the strictness of the controls reflecting the associated information security risks." + }, + { + "id": "s2.1.1_gdn.2", + "name": "objective", + "prose": "Access controls are both logical and physical and these should be considered together." + }, + { + "id": "s2.1.1_gdn.3", + "name": "objective", + "prose": "Users and service providers should be given a clear statement of the business requirements to be met by access controls." + }, + { + "id": "s2.1.1_gdn.4", + "name": "objective", + "prose": "The policy should take account of the following:\n\n1. security requirements of business applications;\n1. policies for information dissemination and authorization, e.g. the need-to-know principle and information security levels and classification of information;\n1. consistency between the access rights and information classification policies of systems and networks;\n1. relevant legislation and any contractual obligations regarding limitation of access to data or services;\n1. management of access rights in a distributed and networked environment which recognizes all types of connections available;\n1. segregation of access control roles, e.g. access request, access authorization, access administration;\n1. requirements for formal authorization of access requests;\n1. requirements for periodic review of access rights;\n1. removal of access rights;\n1. archiving of records of all significant events concerning the use and management of user identities and secret authentication information;,\n1. roles with privileged access.\n" + } + ] + }, + { + "id": "s2.1.1_info", + "name": "overview", + "parts": [ + { + "id": "s2.1.1_info.1", + "name": "objective", + "prose": "Care should be taken when specifying access control rules to consider:\n\n1. establishing rules based on the premise “Everything is generally forbidden unless expressly permitted” rather than the weaker rule “Everything is generally permitted unless expressly forbidden”;\n1. changes in information labels that are initiated automatically by information processing facilities and those initiated at the discretion of a user;\n1. changes in user permissions that are initiated automatically by the information system and those initiated by an administrator;\n1. rules which require specific approval before enactment and those which do not.\n" + }, + { + "id": "s2.1.1_info.2", + "name": "objective", + "prose": "Access control rules should be supported by formal procedures and defined responsibilities." + }, + { + "id": "s2.1.1_stm.3", + "name": "objective", + "prose": "Role based access control is an approach used successfully by many organizations to link access rights with business roles." + }, + { + "id": "s2.1.1_stm.4", + "name": "objective", + "prose": "Two of the frequent principles directing the access control policy are:\n\n1. Need-to-know: you are only granted access to the information you need to perform your tasks (different tasks/roles mean different need-to-know and hence different access profile);\n1. Need-to-use: you are only granted access to the information processing facilities (IT equipment, applications, procedures, rooms) you need to perform your task/job/role.\n" + } + ] + } + ] + }, + { + "id": "s2.1.2", + "title": "Access to networks and network services", + "props": [ + { + "name": "label", + "value": "2.1.2" + } + ], + "parts": [ + { + "id": "s2.1.2_stm", + "name": "statement", + "prose": "Users should only be provided with access to the network and network services that they have been specifically authorized to use." + }, + { + "id": "s2.1.2_gdn", + "name": "guidance", + "parts": [ + { + "id": "s2.1.2_gdn.1", + "name": "objective", + "prose": "A policy should be formulated concerning the use of networks and network services. This policy should cover:\n\n1. the networks and network services which are allowed to be accessed;\n1. authorization procedures for determining who is allowed to access which networks and networked services;\n1. management controls and procedures to protect access to network connections and network services;\n1. the means used to access networks and network services (e.g. use of VPN or wireless network);\n1. user authentication requirements for accessing various network services;\n1. monitoring of the use of network service\n" + }, + { + "id": "s2.1.2_gdn.2", + "name": "objective", + "prose": "The policy on the use of network services should be consistent with the organization’s access control policy" + } + ] + } + ] + } + ] + } + ] + } + ] + } +} diff --git a/roscal_lib/tests/catalog/yaml/basic-catalog.yaml b/roscal_lib/tests/catalog/yaml/basic-catalog.yaml new file mode 100644 index 0000000..db432c4 --- /dev/null +++ b/roscal_lib/tests/catalog/yaml/basic-catalog.yaml @@ -0,0 +1,199 @@ +catalog: + uuid: 74c8ba1e-5cd4-4ad1-bbfd-d888e2f6c724 + metadata: + title: Sample Security Catalog *for Demonstration* and Testing + published: "2023-10-12T00:00:00.000000-04:00" + last-modified: "2024-02-01T13:57:28.355446-04:00" + version: "1.1" + oscal-version: 1.1.2 + remarks: The following is a short excerpt from [ISO/IEC 27002:2013](https://www.iso.org/standard/54533.html), *Information technology — Security techniques — Code of practice for information security controls*. This work is provided here under copyright "fair use" for non-profit, educational purposes only. Copyrights for this work are held by the publisher, the International Organization for Standardization (ISO). + groups: + - id: s1 + title: Organization of Information Security + props: + - name: label + value: "1" + groups: + - id: s1.1 + title: Internal Organization + controls: + - id: s1.1.1 + title: Information security roles and responsibilities + params: + - id: s1.1.1-prm1 + label: a choice from a selection + select: + how-many: one-or-more + choice: + - 'initiating a device lock after {{ insert: param, s1.1.1-prm_2 }} of inactivity' + - requiring the user to initiate a device lock before leaving the system unattended + - id: s1.1.1-prm_2 + label: a duration + props: + - name: label + value: 1.1.1 + parts: + - id: s1.1_smt + name: overview + prose: To establish a management framework to initiate and control the implementation and operation of information security within the organization. + - id: s1.1.1_stm + name: statement + prose: |- + All information security responsibilities should be defined and allocated. + + A value has been assigned to {{ insert: param, s1.1.1-prm1 }}. + + A cross link has been established with a choppy syntax: [(choppy)](#s1.2). + - id: s1.1.1_gdn + name: guidance + parts: + - id: s1.1.1_gdn.1 + name: objective + prose: Allocation of information security responsibilities should be done in accordance with the information security policies. Responsibilities for the protection of individual assets and for carrying out specific information security processes should be identified. Responsibilities for information security risk management activities and in particular for acceptance of residual risks should be defined. These responsibilities should be supplemented, where necessary, with more detailed guidance for specific sites and information processing facilities. Local responsibilities for the protection of assets and for carrying out specific security processes should be defined. + - id: s1.1.1_gdn.2 + name: objective + prose: Individuals with allocated information security responsibilities may delegate security tasks to others. Nevertheless they remain accountable and should determine that any delegated tasks have been correctly performed. + - id: s1.1.1_gdn.3 + name: objective + prose: | + Areas for which individuals are responsible should be stated. In particular the following should take place: + + 1. the assets and information security processes should be identified and defined; + 1. the entity responsible for each asset or information security process should be assigned and the details of this responsibility should be documented; + 1. authorization levels should be defined and documented; + 1. to be able to fulfil responsibilities in the information security area the appointed individuals should be competent in the area and be given opportunities to keep up to date with developments; + 1. coordination and oversight of information security aspects of supplier relationships should be identified and documented. + - id: s1.1.1_inf + name: overview + props: + - name: label + value: Other information + prose: |- + Many organizations appoint an information security manager to take overall responsibility for the development and implementation of information security and to support the identification of controls. + + However, responsibility for resourcing and implementing the controls will often remain with individual managers. One common practice is to appoint an owner for each asset who then becomes responsible for its day-to-day protection. + - id: s1.1.2 + title: Segregation of duties + props: + - name: label + value: 1.1.2 + parts: + - id: s1.1.2_stm + name: statement + prose: Conflicting duties and areas of responsibility should be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets. + - id: s1.1.2_gdn + name: guidance + parts: + - id: s1.1.2_gdn.1 + name: objective + prose: Care should be taken that no single person can access, modify or use assets without authorization or detection. The initiation of an event should be separated from its authorization. The possibility of collusion should be considered in designing the controls. + - id: s1.1.2_gdn.2 + name: objective + prose: Small organizations may find segregation of duties difficult to achieve, but the principle should be applied as far as is possible and practicable. Whenever it is difficult to segregate, other controls such as monitoring of activities, audit trails and management supervision should be considered. + - id: s1.1.2_inf + name: overview + prose: Segregation of duties is a method for reducing the risk of accidental or deliberate misuse of an organization’s assets. + - id: s2 + title: Access control + props: + - name: label + value: "2" + groups: + - id: s2.1 + title: Business requirements of access control + props: + - name: label + value: "2.1" + parts: + - id: s2.1_smt + name: overview + prose: To limit access to information and information processing facilities. + controls: + - id: s2.1.1 + title: Access control policy + props: + - name: label + value: 2.1.1 + parts: + - id: s2.1.1_stm + name: statement + prose: An access control policy should be established, documented and reviewed based on business and information security requirements. + - id: s2.1.1_gdn + name: guidance + parts: + - id: s2.1.1_gdn.1 + name: objective + prose: Asset owners should determine appropriate access control rules, access rights and restrictions for specific user roles towards their assets, with the amount of detail and the strictness of the controls reflecting the associated information security risks. + - id: s2.1.1_gdn.2 + name: objective + prose: Access controls are both logical and physical and these should be considered together. + - id: s2.1.1_gdn.3 + name: objective + prose: Users and service providers should be given a clear statement of the business requirements to be met by access controls. + - id: s2.1.1_gdn.4 + name: objective + prose: | + The policy should take account of the following: + + 1. security requirements of business applications; + 1. policies for information dissemination and authorization, e.g. the need-to-know principle and information security levels and classification of information; + 1. consistency between the access rights and information classification policies of systems and networks; + 1. relevant legislation and any contractual obligations regarding limitation of access to data or services; + 1. management of access rights in a distributed and networked environment which recognizes all types of connections available; + 1. segregation of access control roles, e.g. access request, access authorization, access administration; + 1. requirements for formal authorization of access requests; + 1. requirements for periodic review of access rights; + 1. removal of access rights; + 1. archiving of records of all significant events concerning the use and management of user identities and secret authentication information;, + 1. roles with privileged access. + - id: s2.1.1_info + name: overview + parts: + - id: s2.1.1_info.1 + name: objective + prose: | + Care should be taken when specifying access control rules to consider: + + 1. establishing rules based on the premise “Everything is generally forbidden unless expressly permitted” rather than the weaker rule “Everything is generally permitted unless expressly forbidden”; + 1. changes in information labels that are initiated automatically by information processing facilities and those initiated at the discretion of a user; + 1. changes in user permissions that are initiated automatically by the information system and those initiated by an administrator; + 1. rules which require specific approval before enactment and those which do not. + - id: s2.1.1_info.2 + name: objective + prose: Access control rules should be supported by formal procedures and defined responsibilities. + - id: s2.1.1_stm.3 + name: objective + prose: Role based access control is an approach used successfully by many organizations to link access rights with business roles. + - id: s2.1.1_stm.4 + name: objective + prose: | + Two of the frequent principles directing the access control policy are: + + 1. Need-to-know: you are only granted access to the information you need to perform your tasks (different tasks/roles mean different need-to-know and hence different access profile); + 1. Need-to-use: you are only granted access to the information processing facilities (IT equipment, applications, procedures, rooms) you need to perform your task/job/role. + - id: s2.1.2 + title: Access to networks and network services + props: + - name: label + value: 2.1.2 + parts: + - id: s2.1.2_stm + name: statement + prose: Users should only be provided with access to the network and network services that they have been specifically authorized to use. + - id: s2.1.2_gdn + name: guidance + parts: + - id: s2.1.2_gdn.1 + name: objective + prose: | + A policy should be formulated concerning the use of networks and network services. This policy should cover: + + 1. the networks and network services which are allowed to be accessed; + 1. authorization procedures for determining who is allowed to access which networks and networked services; + 1. management controls and procedures to protect access to network connections and network services; + 1. the means used to access networks and network services (e.g. use of VPN or wireless network); + 1. user authentication requirements for accessing various network services; + 1. monitoring of the use of network service + - id: s2.1.2_gdn.2 + name: objective + prose: The policy on the use of network services should be consistent with the organization’s access control policy diff --git a/roscal_lib/tests/component-definition/json/example-component-definition-min.json b/roscal_lib/tests/component-definition/json/example-component-definition-min.json new file mode 100644 index 0000000..eb0aeac --- /dev/null +++ b/roscal_lib/tests/component-definition/json/example-component-definition-min.json @@ -0,0 +1,132 @@ +{ + "component-definition": { + "uuid": "a7ba800c-a432-44cd-9075-0862cd66da6b", + "metadata": { + "title": "MongoDB Component Definition Example", + "last-modified": "2024-02-01T13:57:28.355446-04:00", + "version": "20231012", + "oscal-version": "1.1.2", + "roles": [{ "id": "provider", "title": "Provider" }], + "parties": [ + { + "uuid": "ef7c799a-c50e-49ab-83e0-515e989e6df1", + "type": "organization", + "name": "MongoDB", + "links": [{ "href": "https://www.mongodb.com", "rel": "website" }] + } + ] + }, + "components": [ + { + "uuid": "91f646c5-b1b6-4786-9ec3-2305a044e217", + "type": "service", + "title": "MongoDB", + "description": "MongoDB is a source-available, cross-platform document-oriented database program. Classified as a NoSQL database program, MongoDB uses JSON-like documents with optional schemas.", + "purpose": "Provides a NoSQL database service", + "responsible-roles": [ + { + "role-id": "provider", + "party-uuids": ["ef7c799a-c50e-49ab-83e0-515e989e6df1"] + }, + { "role-id": "customer" } + ], + "protocols": [ + { + "uuid": "2b4a1b3a-cbc5-4cc8-bde6-7437c28c4e54", + "name": "mongodb", + "title": "Primary daemon process for the MongoDB system.", + "port-ranges": [ + { "start": 27017, "end": 27017, "transport": "TCP" } + ] + }, + { + "uuid": "99d8d4e5-e734-4e05-a2f9-7353097b8b61", + "name": "mongodb-shardsrv", + "title": "MongoDB protocol for sharding with shardsrv option.", + "port-ranges": [ + { "start": 27018, "end": 27018, "transport": "TCP" } + ] + }, + { + "uuid": "6fa762f1-09ca-44d5-a94c-cfceb57debd5", + "name": "mongodb-configsvr", + "title": "MongoDB protocol for configsrv operation.", + "port-ranges": [ + { "start": 27019, "end": 27019, "transport": "TCP" } + ] + } + ], + "control-implementations": [ + { + "uuid": "49f0b690-ed9f-4f32-aae0-625b77aa6d27", + "source": "#ba047e56-faef-430c-bafb-c54e9a87c6e8", + "description": "MongoDB control implementations for NIST SP 800-53 revision 5.", + "implemented-requirements": [ + { + "uuid": "cf8338c5-fb6e-4593-a4a8-b3c4946ee080", + "control-id": "sc-8", + "description": "MongoDB's implementation of SC-8 control. The details of the implementation are provided at the statement level.", + "set-parameters": [ + { "param-id": "sc-8_prm_1", "values": ["confidentiality"] } + ], + "statements": [ + { + "statement-id": "sc-8_smt", + "uuid": "bb9219b1-e51c-4680-abb0-616a43bbfbb1", + "description": "MongoDB implements TLS 1.x to protect the {{ insert: param, sc-8_prm_1 }} of transmitted data by encrypting data in transit, preventing unauthorized disclosure or changes to information during transmission." + } + ] + }, + { + "uuid": "cf8338c5-fb6e-4593-a4a8-b3c4946ee081", + "control-id": "sc-8.1", + "description": "MongoDB implements cryptographic mechanisms (TLS 1.x) to provide cryptographic protection for data in transit.", + "set-parameters": [ + { + "param-id": "sc-8.1_prm_1", + "values": ["prevent unauthorized disclosure of information"] + } + ], + "statements": [ + { + "statement-id": "sc-8.1_smt", + "uuid": "bb9219b1-e51c-4680-abb0-616a43bbfbb1", + "description": "To implement cryptographic mechanisms (aka enable TLS 1.x) to {{ insert: param, sc-8.1_prm_1 }}, customers need to set the `PEMKeyFile` option in the configuration file `/etc/mongod.conf` to the certificate file's path and restart the component.", + "responsible-roles": [{ "role-id": "customer" }] + } + ] + }, + { + "uuid": "5227daf8-7a4b-4fe0-aea9-3547b7de2603", + "control-id": "sa-4.9", + "description": "Must ensure that MongoDB only listens for network connections on authorized interfaces by configuring the MongoDB configuration file to limit the services exposure to only the network interfaces on which MongoDB instances should listen for incoming connections." + } + ] + } + ] + } + ], + "back-matter": { + "resources": [ + { + "uuid": "ba047e56-faef-430c-bafb-c54e9a87c6e8", + "description": "NIST Special Publication 800-53 Revision 5: Moderate Baseline Profile", + "rlinks": [ + { + "href": "../../../nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_MODERATE-baseline_profile.xml", + "media-type": "application/oscal.catalog+xml" + }, + { + "href": "../../../nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_MODERATE-baseline_profile.json", + "media-type": "application/oscal.catalog+json" + }, + { + "href": "../../../nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_MODERATE-baseline_profile.yaml", + "media-type": "application/oscal.catalog+yaml" + } + ] + } + ] + } + } +} diff --git a/roscal_lib/tests/component-definition/json/example-component-definition.json b/roscal_lib/tests/component-definition/json/example-component-definition.json new file mode 100644 index 0000000..3b8825f --- /dev/null +++ b/roscal_lib/tests/component-definition/json/example-component-definition.json @@ -0,0 +1,163 @@ +{ + "component-definition": { + "uuid": "a7ba800c-a432-44cd-9075-0862cd66da6b", + "metadata": { + "title": "MongoDB Component Definition Example", + "last-modified": "2024-02-01T13:57:28.355446-04:00", + "version": "20231012", + "oscal-version": "1.1.2", + "roles": [ + { + "id": "provider", + "title": "Provider" + } + ], + "parties": [ + { + "uuid": "ef7c799a-c50e-49ab-83e0-515e989e6df1", + "type": "organization", + "name": "MongoDB", + "links": [ + { + "href": "https://www.mongodb.com", + "rel": "website" + } + ] + } + ] + }, + "components": [ + { + "uuid": "91f646c5-b1b6-4786-9ec3-2305a044e217", + "type": "service", + "title": "MongoDB", + "description": "MongoDB is a source-available, cross-platform document-oriented database program. Classified as a NoSQL database program, MongoDB uses JSON-like documents with optional schemas.", + "purpose": "Provides a NoSQL database service", + "responsible-roles": [ + { + "role-id": "provider", + "party-uuids": ["ef7c799a-c50e-49ab-83e0-515e989e6df1"] + }, + { + "role-id": "customer" + } + ], + "protocols": [ + { + "uuid": "2b4a1b3a-cbc5-4cc8-bde6-7437c28c4e54", + "name": "mongodb", + "title": "Primary daemon process for the MongoDB system.", + "port-ranges": [ + { + "start": 27017, + "end": 27017, + "transport": "TCP" + } + ] + }, + { + "uuid": "99d8d4e5-e734-4e05-a2f9-7353097b8b61", + "name": "mongodb-shardsrv", + "title": "MongoDB protocol for sharding with shardsrv option.", + "port-ranges": [ + { + "start": 27018, + "end": 27018, + "transport": "TCP" + } + ] + }, + { + "uuid": "6fa762f1-09ca-44d5-a94c-cfceb57debd5", + "name": "mongodb-configsvr", + "title": "MongoDB protocol for configsrv operation.", + "port-ranges": [ + { + "start": 27019, + "end": 27019, + "transport": "TCP" + } + ] + } + ], + "control-implementations": [ + { + "uuid": "49f0b690-ed9f-4f32-aae0-625b77aa6d27", + "source": "#ba047e56-faef-430c-bafb-c54e9a87c6e8", + "description": "MongoDB control implementations for NIST SP 800-53 revision 5.", + "implemented-requirements": [ + { + "uuid": "cf8338c5-fb6e-4593-a4a8-b3c4946ee080", + "control-id": "sc-8", + "description": "MongoDB's implementation of SC-8 control. The details of the implementation are provided at the statement level.", + "set-parameters": [ + { + "param-id": "sc-8_prm_1", + "values": ["confidentiality"] + } + ], + "statements": [ + { + "statement-id": "sc-8_smt", + "uuid": "bb9219b1-e51c-4680-abb0-616a43bbfbb1", + "description": "MongoDB implements TLS 1.x to protect the {{ insert: param, sc-8_prm_1 }} of transmitted data by encrypting data in transit, preventing unauthorized disclosure or changes to information during transmission." + } + ] + }, + { + "uuid": "cf8338c5-fb6e-4593-a4a8-b3c4946ee081", + "control-id": "sc-8.1", + "description": "MongoDB implements cryptographic mechanisms (TLS 1.x) to provide cryptographic protection for data in transit.", + "set-parameters": [ + { + "param-id": "sc-8.1_prm_1", + "values": ["prevent unauthorized disclosure of information"] + } + ], + "statements": [ + { + "statement-id": "sc-8.1_smt", + "uuid": "bb9219b1-e51c-4680-abb0-616a43bbfbb1", + "description": "To implement cryptographic mechanisms (aka enable TLS 1.x) to {{ insert: param, sc-8.1_prm_1 }}, customers need to set the `PEMKeyFile` option in the configuration file `/etc/mongod.conf` to the certificate file's path and restart the component.", + "responsible-roles": [ + { + "role-id": "customer" + } + ] + } + ] + }, + { + "uuid": "5227daf8-7a4b-4fe0-aea9-3547b7de2603", + "control-id": "sa-4.9", + "description": "Must ensure that MongoDB only listens for network connections on authorized interfaces by configuring the MongoDB configuration file to limit the services exposure to only the network interfaces on which MongoDB instances should listen for incoming connections." + } + ] + } + ] + } + ], + "back-matter": { + "resources": [ + { + "uuid": "ba047e56-faef-430c-bafb-c54e9a87c6e8", + "description": "NIST Special Publication 800-53 Revision 5: Moderate Baseline Profile", + "rlinks": [ + { + "href": "../../../nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_MODERATE-baseline_profile.xml", + "media-type": "application/oscal.catalog+xml" + }, + { + "href": "../../../nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_MODERATE-baseline_profile.json", + "media-type": "application/oscal.catalog+json" + }, + { + "href": "../../../nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_MODERATE-baseline_profile.yaml", + "media-type": "application/oscal.catalog+yaml" + } + ] + } + ] + } + } +} diff --git a/roscal_lib/tests/component-definition/json/example-component-min.json b/roscal_lib/tests/component-definition/json/example-component-min.json new file mode 100644 index 0000000..5aeddd9 --- /dev/null +++ b/roscal_lib/tests/component-definition/json/example-component-min.json @@ -0,0 +1,98 @@ +{ + "component-definition": { + "uuid": "8223d65f-57a9-4689-8f06-2a975ae2ad72", + "metadata": { + "title": "Test Component Definition", + "last-modified": "2024-02-01T13:57:28.355446-04:00", + "version": "20231012", + "oscal-version": "1.1.2", + "parties": [ + { + "uuid": "ee47836c-877c-4007-bbf3-c9d9bd805a9a", + "type": "organization", + "name": "Test Vendor" + } + ] + }, + "components": [ + { + "uuid": "b036a6ac-6cff-4066-92bc-74ddfd9ad6fa", + "type": "software", + "title": "test component 1", + "description": "This is a software component that implements basic authentication mechanisms.", + "responsible-roles": [ + { + "role-id": "provider", + "party-uuids": ["ee47836c-877c-4007-bbf3-c9d9bd805a9a"] + } + ], + "control-implementations": [ + { + "uuid": "cfcdd674-8595-4f98-a9d1-3ac70825c49f", + "source": "#f52e1458-7a97-49fd-8189-6af6a4e7051b", + "description": "This is a partial implementation of the SP 800-53 rev4 catalog, focusing on the control enhancement AC-2 (3).", + "implemented-requirements": [ + { + "uuid": "d1016df0-9b5c-4839-86cd-f9c1d113077b", + "control-id": "ac-2.3", + "description": "Inactive accounts are automatically disabled based on the duration specified by the duration parameter. Disabled accounts are expected to be reviewed and removed when appropriate." + } + ] + }, + { + "uuid": "22dbff65-9729-449f-9dfc-4e5fee0906de", + "source": "#ec013e7d-e2a2-4ddb-a174-fbd9da24b0d8", + "description": "This is a partial implementation of the FedRAMP High profile, focusing on the control enhancement AC-2 (3).", + "implemented-requirements": [ + { + "uuid": "65e30b37-0640-4844-9f42-b2a7ae944bb1", + "control-id": "ac-2.3", + "description": "An alternate narrative for FedRAMP.." + } + ] + } + ] + } + ], + "back-matter": { + "resources": [ + { + "uuid": "f52e1458-7a97-49fd-8189-6af6a4e7051b", + "description": "NIST Special Publication 800-53 Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations", + "rlinks": [ + { + "href": "../../../../nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_catalog.xml", + "media-type": "application/oscal.catalog+xml" + }, + { + "href": "../../../../nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_catalog.json", + "media-type": "application/oscal.catalog+json" + }, + { + "href": "../../../../nist.gov/SP800-53/rev4/yaml/NIST_SP-800-53_rev4_catalog.yaml", + "media-type": "application/oscal.catalog+yaml" + } + ] + }, + { + "uuid": "ec013e7d-e2a2-4ddb-a174-fbd9da24b0d8", + "description": "FedRAMP Revision 4 High Baseline Profile", + "rlinks": [ + { + "href": "https://raw.githubusercontent.com/GSA/fedramp-automation/master/dist/content/rev4/baselines/xml/FedRAMP_rev4_HIGH-baseline_profile.xml", + "media-type": "application/oscal.catalog+xml" + }, + { + "href": "https://raw.githubusercontent.com/GSA/fedramp-automation/master/dist/content/rev4/baselines/json/FedRAMP_rev4_HIGH-baseline_profile.json", + "media-type": "application/oscal.catalog+json" + }, + { + "href": "https://raw.githubusercontent.com/GSA/fedramp-automation/master/dist/content/rev4/baselines/yaml/FedRAMP_rev4_HIGH-baseline_profile.yaml", + "media-type": "application/oscal.catalog+yaml" + } + ] + } + ] + } + } +} diff --git a/roscal_lib/tests/component-definition/json/example-component.json b/roscal_lib/tests/component-definition/json/example-component.json new file mode 100644 index 0000000..5aeddd9 --- /dev/null +++ b/roscal_lib/tests/component-definition/json/example-component.json @@ -0,0 +1,98 @@ +{ + "component-definition": { + "uuid": "8223d65f-57a9-4689-8f06-2a975ae2ad72", + "metadata": { + "title": "Test Component Definition", + "last-modified": "2024-02-01T13:57:28.355446-04:00", + "version": "20231012", + "oscal-version": "1.1.2", + "parties": [ + { + "uuid": "ee47836c-877c-4007-bbf3-c9d9bd805a9a", + "type": "organization", + "name": "Test Vendor" + } + ] + }, + "components": [ + { + "uuid": "b036a6ac-6cff-4066-92bc-74ddfd9ad6fa", + "type": "software", + "title": "test component 1", + "description": "This is a software component that implements basic authentication mechanisms.", + "responsible-roles": [ + { + "role-id": "provider", + "party-uuids": ["ee47836c-877c-4007-bbf3-c9d9bd805a9a"] + } + ], + "control-implementations": [ + { + "uuid": "cfcdd674-8595-4f98-a9d1-3ac70825c49f", + "source": "#f52e1458-7a97-49fd-8189-6af6a4e7051b", + "description": "This is a partial implementation of the SP 800-53 rev4 catalog, focusing on the control enhancement AC-2 (3).", + "implemented-requirements": [ + { + "uuid": "d1016df0-9b5c-4839-86cd-f9c1d113077b", + "control-id": "ac-2.3", + "description": "Inactive accounts are automatically disabled based on the duration specified by the duration parameter. Disabled accounts are expected to be reviewed and removed when appropriate." + } + ] + }, + { + "uuid": "22dbff65-9729-449f-9dfc-4e5fee0906de", + "source": "#ec013e7d-e2a2-4ddb-a174-fbd9da24b0d8", + "description": "This is a partial implementation of the FedRAMP High profile, focusing on the control enhancement AC-2 (3).", + "implemented-requirements": [ + { + "uuid": "65e30b37-0640-4844-9f42-b2a7ae944bb1", + "control-id": "ac-2.3", + "description": "An alternate narrative for FedRAMP.." + } + ] + } + ] + } + ], + "back-matter": { + "resources": [ + { + "uuid": "f52e1458-7a97-49fd-8189-6af6a4e7051b", + "description": "NIST Special Publication 800-53 Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations", + "rlinks": [ + { + "href": "../../../../nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_catalog.xml", + "media-type": "application/oscal.catalog+xml" + }, + { + "href": "../../../../nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_catalog.json", + "media-type": "application/oscal.catalog+json" + }, + { + "href": "../../../../nist.gov/SP800-53/rev4/yaml/NIST_SP-800-53_rev4_catalog.yaml", + "media-type": "application/oscal.catalog+yaml" + } + ] + }, + { + "uuid": "ec013e7d-e2a2-4ddb-a174-fbd9da24b0d8", + "description": "FedRAMP Revision 4 High Baseline Profile", + "rlinks": [ + { + "href": "https://raw.githubusercontent.com/GSA/fedramp-automation/master/dist/content/rev4/baselines/xml/FedRAMP_rev4_HIGH-baseline_profile.xml", + "media-type": "application/oscal.catalog+xml" + }, + { + "href": "https://raw.githubusercontent.com/GSA/fedramp-automation/master/dist/content/rev4/baselines/json/FedRAMP_rev4_HIGH-baseline_profile.json", + "media-type": "application/oscal.catalog+json" + }, + { + "href": "https://raw.githubusercontent.com/GSA/fedramp-automation/master/dist/content/rev4/baselines/yaml/FedRAMP_rev4_HIGH-baseline_profile.yaml", + "media-type": "application/oscal.catalog+yaml" + } + ] + } + ] + } + } +} diff --git a/roscal_lib/tests/component-definition/yaml/example-component-definition.yaml b/roscal_lib/tests/component-definition/yaml/example-component-definition.yaml new file mode 100644 index 0000000..a57eb32 --- /dev/null +++ b/roscal_lib/tests/component-definition/yaml/example-component-definition.yaml @@ -0,0 +1,93 @@ +component-definition: + uuid: a7ba800c-a432-44cd-9075-0862cd66da6b + metadata: + title: MongoDB Component Definition Example + last-modified: "2024-02-01T13:57:28.355446-04:00" + version: "20231012" + oscal-version: 1.1.2 + roles: + - id: provider + title: Provider + parties: + - uuid: ef7c799a-c50e-49ab-83e0-515e989e6df1 + type: organization + name: MongoDB + links: + - href: https://www.mongodb.com + rel: website + components: + - uuid: 91f646c5-b1b6-4786-9ec3-2305a044e217 + type: service + title: MongoDB + description: MongoDB is a source-available, cross-platform document-oriented database program. Classified as a NoSQL database program, MongoDB uses JSON-like documents with optional schemas. + purpose: Provides a NoSQL database service + responsible-roles: + - role-id: provider + party-uuids: + - ef7c799a-c50e-49ab-83e0-515e989e6df1 + - role-id: customer + protocols: + - uuid: 2b4a1b3a-cbc5-4cc8-bde6-7437c28c4e54 + name: mongodb + title: Primary daemon process for the MongoDB system. + port-ranges: + - start: 27017 + end: 27017 + transport: TCP + - uuid: 99d8d4e5-e734-4e05-a2f9-7353097b8b61 + name: mongodb-shardsrv + title: MongoDB protocol for sharding with shardsrv option. + port-ranges: + - start: 27018 + end: 27018 + transport: TCP + - uuid: 6fa762f1-09ca-44d5-a94c-cfceb57debd5 + name: mongodb-configsvr + title: MongoDB protocol for configsrv operation. + port-ranges: + - start: 27019 + end: 27019 + transport: TCP + control-implementations: + - uuid: 49f0b690-ed9f-4f32-aae0-625b77aa6d27 + source: '#ba047e56-faef-430c-bafb-c54e9a87c6e8' + description: MongoDB control implementations for NIST SP 800-53 revision 5. + implemented-requirements: + - uuid: cf8338c5-fb6e-4593-a4a8-b3c4946ee080 + control-id: sc-8 + description: MongoDB's implementation of SC-8 control. The details of the implementation are provided at the statement level. + set-parameters: + - param-id: sc-8_prm_1 + values: + - confidentiality + statements: + - statement-id: sc-8_smt + uuid: bb9219b1-e51c-4680-abb0-616a43bbfbb1 + description: 'MongoDB implements TLS 1.x to protect the {{ insert: param, sc-8_prm_1 }} of transmitted data by encrypting data in transit, preventing unauthorized disclosure or changes to information during transmission.' + - uuid: cf8338c5-fb6e-4593-a4a8-b3c4946ee081 + control-id: sc-8.1 + description: MongoDB implements cryptographic mechanisms (TLS 1.x) to provide cryptographic protection for data in transit. + set-parameters: + - param-id: sc-8.1_prm_1 + values: + - prevent unauthorized disclosure of information + statements: + - statement-id: sc-8.1_smt + uuid: bb9219b1-e51c-4680-abb0-616a43bbfbb1 + description: 'To implement cryptographic mechanisms (aka enable TLS 1.x) to {{ insert: param, sc-8.1_prm_1 }}, customers need to set the `PEMKeyFile` option in the configuration file `/etc/mongod.conf` to the certificate file''s path and restart the component.' + responsible-roles: + - role-id: customer + - uuid: 5227daf8-7a4b-4fe0-aea9-3547b7de2603 + control-id: sa-4.9 + description: Must ensure that MongoDB only listens for network connections on authorized interfaces by configuring the MongoDB configuration file to limit the services exposure to only the network interfaces on which MongoDB instances should listen for incoming connections. + back-matter: + resources: + - uuid: ba047e56-faef-430c-bafb-c54e9a87c6e8 + description: 'NIST Special Publication 800-53 Revision 5: Moderate Baseline Profile' + rlinks: + - href: ../../../nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_MODERATE-baseline_profile.xml + media-type: application/oscal.catalog+xml + - href: ../../../nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_MODERATE-baseline_profile.json + media-type: application/oscal.catalog+json + - href: ../../../nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_MODERATE-baseline_profile.yaml + media-type: application/oscal.catalog+yaml diff --git a/roscal_lib/tests/component-definition/yaml/example-component.yaml b/roscal_lib/tests/component-definition/yaml/example-component.yaml new file mode 100644 index 0000000..8c13cbb --- /dev/null +++ b/roscal_lib/tests/component-definition/yaml/example-component.yaml @@ -0,0 +1,55 @@ +component-definition: + uuid: 8223d65f-57a9-4689-8f06-2a975ae2ad72 + metadata: + title: Test Component Definition + last-modified: "2024-02-01T13:57:28.355446-04:00" + version: "20231012" + oscal-version: 1.1.2 + parties: + - uuid: ee47836c-877c-4007-bbf3-c9d9bd805a9a + type: organization + name: Test Vendor + components: + - uuid: b036a6ac-6cff-4066-92bc-74ddfd9ad6fa + type: software + title: test component 1 + description: This is a software component that implements basic authentication mechanisms. + responsible-roles: + - role-id: provider + party-uuids: + - ee47836c-877c-4007-bbf3-c9d9bd805a9a + control-implementations: + - uuid: cfcdd674-8595-4f98-a9d1-3ac70825c49f + source: '#f52e1458-7a97-49fd-8189-6af6a4e7051b' + description: This is a partial implementation of the SP 800-53 rev4 catalog, focusing on the control enhancement AC-2 (3). + implemented-requirements: + - uuid: d1016df0-9b5c-4839-86cd-f9c1d113077b + control-id: ac-2.3 + description: Inactive accounts are automatically disabled based on the duration specified by the duration parameter. Disabled accounts are expected to be reviewed and removed when appropriate. + - uuid: 22dbff65-9729-449f-9dfc-4e5fee0906de + source: '#ec013e7d-e2a2-4ddb-a174-fbd9da24b0d8' + description: This is a partial implementation of the FedRAMP High profile, focusing on the control enhancement AC-2 (3). + implemented-requirements: + - uuid: 65e30b37-0640-4844-9f42-b2a7ae944bb1 + control-id: ac-2.3 + description: An alternate narrative for FedRAMP.. + back-matter: + resources: + - uuid: f52e1458-7a97-49fd-8189-6af6a4e7051b + description: 'NIST Special Publication 800-53 Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations' + rlinks: + - href: ../../../../nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_catalog.xml + media-type: application/oscal.catalog+xml + - href: ../../../../nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_catalog.json + media-type: application/oscal.catalog+json + - href: ../../../../nist.gov/SP800-53/rev4/yaml/NIST_SP-800-53_rev4_catalog.yaml + media-type: application/oscal.catalog+yaml + - uuid: ec013e7d-e2a2-4ddb-a174-fbd9da24b0d8 + description: FedRAMP Revision 4 High Baseline Profile + rlinks: + - href: https://raw.githubusercontent.com/GSA/fedramp-automation/master/dist/content/rev4/baselines/xml/FedRAMP_rev4_HIGH-baseline_profile.xml + media-type: application/oscal.catalog+xml + - href: https://raw.githubusercontent.com/GSA/fedramp-automation/master/dist/content/rev4/baselines/json/FedRAMP_rev4_HIGH-baseline_profile.json + media-type: application/oscal.catalog+json + - href: https://raw.githubusercontent.com/GSA/fedramp-automation/master/dist/content/rev4/baselines/yaml/FedRAMP_rev4_HIGH-baseline_profile.yaml + media-type: application/oscal.catalog+yaml diff --git a/roscal_lib/tests/loc b/roscal_lib/tests/loc new file mode 100644 index 0000000..1f6970e --- /dev/null +++ b/roscal_lib/tests/loc @@ -0,0 +1 @@ +https://github.com/usnistgov/oscal-content/tree/main/examples \ No newline at end of file diff --git a/roscal_lib/tests/malformed.rs b/roscal_lib/tests/malformed.rs new file mode 100644 index 0000000..1d71e8a --- /dev/null +++ b/roscal_lib/tests/malformed.rs @@ -0,0 +1,68 @@ +use std::{fs::File, io::BufReader}; + +use roscal_lib::{ + control::profile::Profile, implementation::ssp::SystemSecurityPlan, +}; + +#[test] +fn wrong_date() { + let file = File::open("tests/malformed/date.yaml").unwrap(); + let reader = BufReader::new(file); + let res: Result = + serde_yaml::from_reader(reader); + + let e = res.err().unwrap().to_string(); + + assert_eq!("system-security-plan.system-characteristics: invalid date pattern at line 54 column 5", e) +} + +#[test] +fn wrong_datetime() { + let file = File::open("tests/malformed/datetime.yaml").unwrap(); + let reader = BufReader::new(file); + let res: Result = + serde_yaml::from_reader(reader); + + let e = res.err().unwrap().to_string(); + + assert_eq!( + "profile.metadata: invalid datetime pattern at line 4 column 5", + e + ) +} + +#[test] +fn wrong_email() { + let file = File::open("tests/malformed/email.yaml").unwrap(); + let reader = BufReader::new(file); + let res: Result = + serde_yaml::from_reader(reader); + + let e = res.err().unwrap().to_string(); + + assert_eq!("profile.metadata.parties[0]: invalid email pattern at line 14 column 9", e) +} + +#[test] +fn wrong_uri() { + let file = File::open("tests/malformed/uri.yaml").unwrap(); + let reader = BufReader::new(file); + let res: Result = + serde_yaml::from_reader(reader); + + let e = res.err().unwrap().to_string(); + + assert_eq!("profile.back-matter.resources[0].rlinks[0]: invalid uri reference pattern at line 416 column 13", e) +} + +#[test] +fn wrong_uuid() { + let file = File::open("tests/malformed/uuid.yaml").unwrap(); + let reader = BufReader::new(file); + let res: Result = + serde_yaml::from_reader(reader); + + let e = res.err().unwrap().to_string(); + + assert_eq!("profile: invalid uuid pattern at line 2 column 3", e) +} diff --git a/roscal_lib/tests/malformed/date.yaml b/roscal_lib/tests/malformed/date.yaml new file mode 100644 index 0000000..a806ca0 --- /dev/null +++ b/roscal_lib/tests/malformed/date.yaml @@ -0,0 +1,286 @@ +system-security-plan: + uuid: 5e139edd-86aa-4b65-8431-1192bd276658 + metadata: + title: IFA GoodRead System Security Plan + published: "2023-05-19T14:46:54-04:00" + last-modified: "2024-03-01T13:57:28.355446-04:00" + version: "1.1" + oscal-version: 1.1.2 + roles: + - id: owner + title: IFA GoodRead Owner + - id: developer + title: IFA GoodRead Developer + - id: system-engineer + title: IFA GoodRead System Engineer + - id: public-affairs-office + title: IFA Public Affairs Office + parties: + - uuid: ba9c12bd-e5ef-46b6-95a2-4d8e7f864c1a + type: person + name: Owen Stilskin + member-of-organizations: + - 3a675986-b4ff-4030-b178-e953c2e55d64 + - uuid: 67c04291-dbf6-495a-a3ba-0011638acc94 + type: person + name: Juno Styles + member-of-organizations: + - 3a675986-b4ff-4030-b178-e953c2e55d64 + - uuid: 4ba3f2b7-e894-48d7-b940-91c68661df55 + type: person + name: Xavier Jones + member-of-organizations: + - 3a675986-b4ff-4030-b178-e953c2e55d64 + - uuid: 3a675986-b4ff-4030-b178-e953c2e55d64 + type: organization + name: Important Federal Agency + short-name: IFA + links: + - href: https://www.ifa.gov + rel: website + responsible-parties: + - role-id: owner + party-uuids: + - ba9c12bd-e5ef-46b6-95a2-4d8e7f864c1a + - role-id: developer + party-uuids: + - 67c04291-dbf6-495a-a3ba-0011638acc94 + - role-id: system-engineer + party-uuids: + - 4ba3f2b7-e894-48d7-b940-91c68661df55 + import-profile: + href: ../select/profile.oscal.json + system-characteristics: + system-ids: + - identifier-type: http://ietf.org/rfc/rfc4122 + id: 8101e04d-8305-4e73-bb95-6b59f645b143 + system-name: IFA GoodRead + description: This system acts as a link shortener for IFA employees + date-authorized: "2023-12-04T14:55:00.000000-04:00" + security-sensitivity-level: moderate + system-information: + information-types: + - uuid: bccfbb65-a7f3-41ac-989f-01d96eddfdc7 + title: User-provided Links + description: This system maintains a set of user-provided links and their associated shortlinks + categorizations: + - system: https://doi.org/10.6028/NIST.SP.800-60v2r1 + information-type-ids: + - C.2.8.12 + confidentiality-impact: + base: fips-199-low + integrity-impact: + base: fips-199-low + selected: fips-199-moderate + adjustment-justification: Maliciously modified links are a concern + availability-impact: + base: fips-199-low + security-impact-level: + security-objective-confidentiality: low + security-objective-integrity: medium + security-objective-availability: low + status: + state: operational + authorization-boundary: + description: This section describes an attached diagram of the authorization boundary for IFA GoodRead Project's information system. + network-architecture: + description: This section describes an attached diagram of the network architecture for IFA GoodRead Project's information system. + data-flow: + description: This section describes an attached diagram of various dataflows for application and related elements of the IFA GoodRead Project's information system. + system-implementation: + users: + - uuid: 00d323d3-dc3f-4d93-900f-f13430e094d3 + title: Application Administrator + description: The developer of the application supports IFA Public Affairs Officers by administering the application and its infrastructure. + role-ids: + - developer + authorized-privileges: + - title: Application Administrator Privilege + functions-performed: + - user-creation + - user-enablement + - user-disablement + - user-role-modification + - popular-shortlink-cache-reset + - database-export + - database-migration + - uuid: 61405ba7-edb4-4243-8461-79aac5805e5c + title: Public Affairs Officers + description: IFA Public Affairs Officers (PAOs) in each division of the agency review public communications to citizens who are customers of the IFA. PAOs review requests from colleagues to generate and publish content that is the target of a shortlink and can unpublish shortlinks. + role-ids: + - public-affairs-office + authorized-privileges: + - title: Public Affairs Officer Privilege + functions-performed: + - shortlink-generation + - shortlink-approval + - shortlink-rejection + - shortlink-publication + - shortlink-unpublication + - uuid: fb36760a-143d-490b-8fc4-6a8c172fba86 + title: General Public + description: The general public is free to click on shortlinks + authorized-privileges: + - title: General Public Privilege + functions-performed: + - shortlink-view + components: + - uuid: 551b9706-d6a4-4d25-8207-f2ccec548b89 + type: this-system + title: IFA GoodRead System + description: 'IFA develops, operates, and maintains the GoodRead link shortener system to ' + status: + state: operational + responsible-roles: + - role-id: developer + party-uuids: + - 67c04291-dbf6-495a-a3ba-0011638acc94 + - role-id: system-engineer + party-uuids: + - 4ba3f2b7-e894-48d7-b940-91c68661df55 + inventory-items: + - uuid: 4392599a-9117-416a-87d1-24c7d1b2dd0b + description: This is the custom GoodRead application within the system. + props: + - name: software-name + value: IFA GoodRead + class: webserver-application + - name: software-version + value: 1.0.0 + class: webserver-application + - name: asset-type + value: web-server + class: webserver-application + implemented-components: + - component-uuid: 551b9706-d6a4-4d25-8207-f2ccec548b89 + props: + - name: asset-id + value: IFAGOV-SYSTEM1234-GOODREAD + - uuid: d911b560-f564-4715-8d2a-76f86127ac73 + description: This is the web application framework upon which the developer writes the custom GoodRead application for the user interface and API of this system. + props: + - name: software-name + value: Django Framework + class: webserver-framework + - name: software-version + value: 4.2.1 + class: webserver-framework + - name: asset-type + value: web-server + class: webserver-framework + implemented-components: + - component-uuid: 551b9706-d6a4-4d25-8207-f2ccec548b89 + props: + - name: asset-id + value: IFAGOV-SYSTEM1234-GOODREAD + - uuid: 3e3a8d9a-e3d6-4c7d-b59b-a8d6514fa4a2 + description: This is the database for the custom GoodRead application within the system. + props: + - name: software-name + value: PostgreSQL + class: database + - name: software-version + value: "15.3" + class: database + - name: asset-type + value: database + class: database + implemented-components: + - component-uuid: 551b9706-d6a4-4d25-8207-f2ccec548b89 + props: + - name: asset-id + value: IFAGOV-SYSTEM1234-GOODREAD + - uuid: 0fb95c4c-ebfd-492e-8145-363eb7947dbe + description: This is the operating system for the web server that runs the custom GoodRead application within the system. + props: + - name: software-name + value: Red Hat Enterprise Linux 9 + class: operating-system + - name: asset-type + value: operating-system + class: operating-system + implemented-components: + - component-uuid: 551b9706-d6a4-4d25-8207-f2ccec548b89 + props: + - name: asset-id + value: IFAGOV-SYSTEM1234-GOODREAD + - uuid: cd39f700-23ab-4574-a17e-c9c8f073cbec + description: This inventory item is an instance from the AwesomeCloud Awesome Compute Service (ACS) Service. It is a Linux server. + props: + - name: asset-id + value: instance-abcd1234 + class: linux-server + - name: ipv4-address + value: 172.1.2.3 + class: linux-server + - name: ipv4-address + value: 1.1.2.3 + class: linux-server + - name: uri + value: instance-abcd1234.acs.awesomecloud.systems + class: linux-server + - name: asset-type + value: appliance + class: linux-server + implemented-components: + - component-uuid: 551b9706-d6a4-4d25-8207-f2ccec548b89 + props: + - name: asset-id + value: IFAGOV-SYSTEM1234-GOODREAD + - uuid: d9550535-40b9-4d8b-861c-07aa8786bf43 + description: This inventory item is an instance from the AwesomeCloud Awesome Load Balancer (ALB) Service. It is a Linux server. + props: + - name: asset-type + value: appliance + class: network-load-balancer + - name: asset-id + value: instance-defg7890 + class: linux-server + - name: uri + value: https://instance-defg7890.alb.awesomecloud.systems + class: network-load-balancer + implemented-components: + - component-uuid: 551b9706-d6a4-4d25-8207-f2ccec548b89 + props: + - name: asset-id + value: IFAGOV-SYSTEM1234-GOODREAD + control-implementation: + description: This is the control implementation for the application and infrastructure that compose to the IFA GoodRead Project's system. + set-parameters: + - param-id: ac-06.01_odp.01 + values: + - individuals and roles with authorized access to security functions and security-relevant information are defined and not available to all users of the system; + - param-id: ac-06.01_odp.02 + values: + - security functions (deployed in hardware) for authorized access are defined; + - param-id: ac-06.01_odp.03 + values: + - security functions (deployed in soware) for authorized access are defined; + - param-id: ac-06.01_odp.04 + values: + - security functions (deployed in firmware) for authorized access are defined; + - param-id: ac-06.01_odp.05 + values: + - security-relevant information for authorized access is defined; + implemented-requirements: + - uuid: d5f9b263-965d-440b-99e7-77f5df670a11 + control-id: ac-6.1 + by-components: + - component-uuid: 551b9706-d6a4-4d25-8207-f2ccec548b89 + uuid: a4c2d318-26a9-49df-9818-ee0acaf066f2 + description: |- + The IFA GoodRead application and infrastructure are composed as designed and implemented with lease privilege for the elements of this system. + + For the IFA GoodRead application, the custom application is designed and implemented on top of the Django Framework to enforce least privilege. The application has a role for IFA Public Affairs Officers and one for the developers for privileged permissions, respectively. Only the latter can access or change administrative and security configurations and related data. + + The Django Framework and Django REST Framework (DRF), by default, allows any user with the `is_staff` role attribute to access administrative functions in an application using the framework. IFA GoodRead developers have disabled this behavior, relying on the custom roles identified in the relevant section. + + For the IFA GoodRead database, the system account and accredentials for the application to read and write to the system datastore has specific read and write authorization for specific tables. This database service account does not have full administrative permissions to add, modify, or delete all respective tables. For the production environment, only the IFA GoodRead developer has a dedicated account with equivalent permissions. Only local network socket access, within in the Linux server, is permitted by host firewall configuration. Remote access, privileged or unprivileged, is not allowed remotely and the system engineer must locally authenticate for access. + + For the RedHat Linux server upon which the IFA GoodRead application is deployed in this system, only the system engineer has a non-privileged user to log in remotely via the SSH protocol to perform ad-hoc inspection, monthly log review as required by policy and procedure, and emergency debugging of the system. Privileged system administration operations may only be performed with the `sudo` subsystem which requires a password, two-factor authentication, and has enhanced logging of all commands executed. The system engineer must log in remotely and then use `sudo` to elevate privileges. Remote access with the privileged account is prohibited by configuration and attempts are logged. + + For this remote SSH access, least privilege is additionally enforced by allowing this access via a specific network zone in the IFA GoodRead AwesomeCloud account accessible to only the system engineer via IFA's VPN solution, which requires the system engineer use a dedicated account with their own password and two-factor authentication token. + + For cloud account and API access to reconfigure the Linux server and its load balancer, administrative access is only allowed for the system engineer via a special AwesomeCloud IAM role. The authentication and authorization for this role is controlled by an integration with the organization's single sign-on solution. This solution will only be accessible and correctly execute for them when they are on the VPN with their account with traffic forwarded to the appropriate network zone in the IFA GoodRead account in AwesomeCloud. It will not work the developer or any staff users of the application. + implementation-status: + state: implemented diff --git a/roscal_lib/tests/malformed/datetime.yaml b/roscal_lib/tests/malformed/datetime.yaml new file mode 100644 index 0000000..e1dd0d7 --- /dev/null +++ b/roscal_lib/tests/malformed/datetime.yaml @@ -0,0 +1,421 @@ +profile: + uuid: cd073316-7c58-4c34-9f5c-9eb5aa722683 + metadata: + title: NIST Special Publication 800-53 Revision 5.1.1 HIGH IMPACT BASELINE + last-modified: "2023-12-04T14:55:00" + version: 5.1.1+u2 + oscal-version: 1.1.1 + roles: + - id: creator + title: Document Creator + - id: contact + title: Contact + parties: + - uuid: c748c806-1d77-4695-bb40-e117b2afa82e + type: organization + name: Joint Task Force, Transformation Initiative + email-addresses: + - sec-cert@nist.gov + addresses: + - addr-lines: + - National Institute of Standards and Technology + - 'Attn: Computer Security Division' + - Information Technology Laboratory + - 100 Bureau Drive (Mail Stop 8930) + city: Gaithersburg + state: MD + postal-code: 20899-8930 + responsible-parties: + - role-id: creator + party-uuids: + - c748c806-1d77-4695-bb40-e117b2afa82e + - role-id: contact + party-uuids: + - c748c806-1d77-4695-bb40-e117b2afa82e + imports: + - href: '#84cbf061-eb87-4ec1-8112-1f529232e907' + include-controls: + - with-ids: + - ac-1 + - ac-2 + - ac-2.1 + - ac-2.2 + - ac-2.3 + - ac-2.4 + - ac-2.5 + - ac-2.11 + - ac-2.12 + - ac-2.13 + - ac-3 + - ac-4 + - ac-4.4 + - ac-5 + - ac-6 + - ac-6.1 + - ac-6.2 + - ac-6.3 + - ac-6.5 + - ac-6.7 + - ac-6.9 + - ac-6.10 + - ac-7 + - ac-8 + - ac-10 + - ac-11 + - ac-11.1 + - ac-12 + - ac-14 + - ac-17 + - ac-17.1 + - ac-17.2 + - ac-17.3 + - ac-17.4 + - ac-18 + - ac-18.1 + - ac-18.3 + - ac-18.4 + - ac-18.5 + - ac-19 + - ac-19.5 + - ac-20 + - ac-20.1 + - ac-20.2 + - ac-21 + - ac-22 + - at-1 + - at-2 + - at-2.2 + - at-2.3 + - at-3 + - at-4 + - au-1 + - au-2 + - au-3 + - au-3.1 + - au-4 + - au-5 + - au-5.1 + - au-5.2 + - au-6 + - au-6.1 + - au-6.3 + - au-6.5 + - au-6.6 + - au-7 + - au-7.1 + - au-8 + - au-9 + - au-9.2 + - au-9.3 + - au-9.4 + - au-10 + - au-11 + - au-12 + - au-12.1 + - au-12.3 + - ca-1 + - ca-2 + - ca-2.1 + - ca-2.2 + - ca-3 + - ca-3.6 + - ca-5 + - ca-6 + - ca-7 + - ca-7.1 + - ca-7.4 + - ca-8 + - ca-8.1 + - ca-9 + - cm-1 + - cm-2 + - cm-2.2 + - cm-2.3 + - cm-2.7 + - cm-3 + - cm-3.1 + - cm-3.2 + - cm-3.4 + - cm-3.6 + - cm-4 + - cm-4.1 + - cm-4.2 + - cm-5 + - cm-5.1 + - cm-6 + - cm-6.1 + - cm-6.2 + - cm-7 + - cm-7.1 + - cm-7.2 + - cm-7.5 + - cm-8 + - cm-8.1 + - cm-8.2 + - cm-8.3 + - cm-8.4 + - cm-9 + - cm-10 + - cm-11 + - cm-12 + - cm-12.1 + - cp-1 + - cp-2 + - cp-2.1 + - cp-2.2 + - cp-2.3 + - cp-2.5 + - cp-2.8 + - cp-3 + - cp-3.1 + - cp-4 + - cp-4.1 + - cp-4.2 + - cp-6 + - cp-6.1 + - cp-6.2 + - cp-6.3 + - cp-7 + - cp-7.1 + - cp-7.2 + - cp-7.3 + - cp-7.4 + - cp-8 + - cp-8.1 + - cp-8.2 + - cp-8.3 + - cp-8.4 + - cp-9 + - cp-9.1 + - cp-9.2 + - cp-9.3 + - cp-9.5 + - cp-9.8 + - cp-10 + - cp-10.2 + - cp-10.4 + - ia-1 + - ia-2 + - ia-2.1 + - ia-2.2 + - ia-2.5 + - ia-2.8 + - ia-2.12 + - ia-3 + - ia-4 + - ia-4.4 + - ia-5 + - ia-5.1 + - ia-5.2 + - ia-5.6 + - ia-6 + - ia-7 + - ia-8 + - ia-8.1 + - ia-8.2 + - ia-8.4 + - ia-11 + - ia-12 + - ia-12.2 + - ia-12.3 + - ia-12.4 + - ia-12.5 + - ir-1 + - ir-2 + - ir-2.1 + - ir-2.2 + - ir-3 + - ir-3.2 + - ir-4 + - ir-4.1 + - ir-4.4 + - ir-4.11 + - ir-5 + - ir-5.1 + - ir-6 + - ir-6.1 + - ir-6.3 + - ir-7 + - ir-7.1 + - ir-8 + - ma-1 + - ma-2 + - ma-2.2 + - ma-3 + - ma-3.1 + - ma-3.2 + - ma-3.3 + - ma-4 + - ma-4.3 + - ma-5 + - ma-5.1 + - ma-6 + - mp-1 + - mp-2 + - mp-3 + - mp-4 + - mp-5 + - mp-6 + - mp-6.1 + - mp-6.2 + - mp-6.3 + - mp-7 + - pe-1 + - pe-2 + - pe-3 + - pe-3.1 + - pe-4 + - pe-5 + - pe-6 + - pe-6.1 + - pe-6.4 + - pe-8 + - pe-8.1 + - pe-9 + - pe-10 + - pe-11 + - pe-11.1 + - pe-12 + - pe-13 + - pe-13.1 + - pe-13.2 + - pe-14 + - pe-15 + - pe-15.1 + - pe-16 + - pe-17 + - pe-18 + - pl-1 + - pl-2 + - pl-4 + - pl-4.1 + - pl-8 + - pl-10 + - pl-11 + - ps-1 + - ps-2 + - ps-3 + - ps-4 + - ps-4.2 + - ps-5 + - ps-6 + - ps-7 + - ps-8 + - ps-9 + - ra-1 + - ra-2 + - ra-3 + - ra-3.1 + - ra-5 + - ra-5.2 + - ra-5.4 + - ra-5.5 + - ra-5.11 + - ra-7 + - ra-9 + - sa-1 + - sa-2 + - sa-3 + - sa-4 + - sa-4.1 + - sa-4.2 + - sa-4.5 + - sa-4.9 + - sa-4.10 + - sa-5 + - sa-8 + - sa-9 + - sa-9.2 + - sa-10 + - sa-11 + - sa-15 + - sa-15.3 + - sa-16 + - sa-17 + - sa-21 + - sa-22 + - sc-1 + - sc-2 + - sc-3 + - sc-4 + - sc-5 + - sc-7 + - sc-7.3 + - sc-7.4 + - sc-7.5 + - sc-7.7 + - sc-7.8 + - sc-7.18 + - sc-7.21 + - sc-8 + - sc-8.1 + - sc-10 + - sc-12 + - sc-12.1 + - sc-13 + - sc-15 + - sc-17 + - sc-18 + - sc-20 + - sc-21 + - sc-22 + - sc-23 + - sc-24 + - sc-28 + - sc-28.1 + - sc-39 + - si-1 + - si-2 + - si-2.2 + - si-3 + - si-4 + - si-4.2 + - si-4.4 + - si-4.5 + - si-4.10 + - si-4.12 + - si-4.14 + - si-4.20 + - si-4.22 + - si-5 + - si-5.1 + - si-6 + - si-7 + - si-7.1 + - si-7.2 + - si-7.5 + - si-7.7 + - si-7.15 + - si-8 + - si-8.2 + - si-10 + - si-11 + - si-12 + - si-16 + - sr-1 + - sr-2 + - sr-2.1 + - sr-3 + - sr-5 + - sr-6 + - sr-8 + - sr-9 + - sr-9.1 + - sr-10 + - sr-11 + - sr-11.1 + - sr-11.2 + - sr-12 + merge: + as-is: true + back-matter: + resources: + - uuid: 84cbf061-eb87-4ec1-8112-1f529232e907 + description: 'NIST Special Publication 800-53 Revision 5: Security and Privacy Controls for Federal Information Systems and Organizations' + rlinks: + - href: ../../../../nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_catalog.xml + media-type: application/oscal.catalog+xml + - href: ../../../../nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json + media-type: application/oscal.catalog+json + - href: ../../../../nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_catalog.yaml + media-type: application/oscal.catalog+yaml \ No newline at end of file diff --git a/roscal_lib/tests/malformed/email.yaml b/roscal_lib/tests/malformed/email.yaml new file mode 100644 index 0000000..4f8d141 --- /dev/null +++ b/roscal_lib/tests/malformed/email.yaml @@ -0,0 +1,421 @@ +profile: + uuid: cd073316-7c58-4c34-9f5c-9eb5aa722683 + metadata: + title: NIST Special Publication 800-53 Revision 5.1.1 HIGH IMPACT BASELINE + last-modified: "2023-12-04T14:55:00.000000-04:00" + version: 5.1.1+u2 + oscal-version: 1.1.1 + roles: + - id: creator + title: Document Creator + - id: contact + title: Contact + parties: + - uuid: c748c806-1d77-4695-bb40-e117b2afa82e + type: organization + name: Joint Task Force, Transformation Initiative + email-addresses: + - sec-cert_at_nist_dot_gov + addresses: + - addr-lines: + - National Institute of Standards and Technology + - 'Attn: Computer Security Division' + - Information Technology Laboratory + - 100 Bureau Drive (Mail Stop 8930) + city: Gaithersburg + state: MD + postal-code: 20899-8930 + responsible-parties: + - role-id: creator + party-uuids: + - c748c806-1d77-4695-bb40-e117b2afa82e + - role-id: contact + party-uuids: + - c748c806-1d77-4695-bb40-e117b2afa82e + imports: + - href: '#84cbf061-eb87-4ec1-8112-1f529232e907' + include-controls: + - with-ids: + - ac-1 + - ac-2 + - ac-2.1 + - ac-2.2 + - ac-2.3 + - ac-2.4 + - ac-2.5 + - ac-2.11 + - ac-2.12 + - ac-2.13 + - ac-3 + - ac-4 + - ac-4.4 + - ac-5 + - ac-6 + - ac-6.1 + - ac-6.2 + - ac-6.3 + - ac-6.5 + - ac-6.7 + - ac-6.9 + - ac-6.10 + - ac-7 + - ac-8 + - ac-10 + - ac-11 + - ac-11.1 + - ac-12 + - ac-14 + - ac-17 + - ac-17.1 + - ac-17.2 + - ac-17.3 + - ac-17.4 + - ac-18 + - ac-18.1 + - ac-18.3 + - ac-18.4 + - ac-18.5 + - ac-19 + - ac-19.5 + - ac-20 + - ac-20.1 + - ac-20.2 + - ac-21 + - ac-22 + - at-1 + - at-2 + - at-2.2 + - at-2.3 + - at-3 + - at-4 + - au-1 + - au-2 + - au-3 + - au-3.1 + - au-4 + - au-5 + - au-5.1 + - au-5.2 + - au-6 + - au-6.1 + - au-6.3 + - au-6.5 + - au-6.6 + - au-7 + - au-7.1 + - au-8 + - au-9 + - au-9.2 + - au-9.3 + - au-9.4 + - au-10 + - au-11 + - au-12 + - au-12.1 + - au-12.3 + - ca-1 + - ca-2 + - ca-2.1 + - ca-2.2 + - ca-3 + - ca-3.6 + - ca-5 + - ca-6 + - ca-7 + - ca-7.1 + - ca-7.4 + - ca-8 + - ca-8.1 + - ca-9 + - cm-1 + - cm-2 + - cm-2.2 + - cm-2.3 + - cm-2.7 + - cm-3 + - cm-3.1 + - cm-3.2 + - cm-3.4 + - cm-3.6 + - cm-4 + - cm-4.1 + - cm-4.2 + - cm-5 + - cm-5.1 + - cm-6 + - cm-6.1 + - cm-6.2 + - cm-7 + - cm-7.1 + - cm-7.2 + - cm-7.5 + - cm-8 + - cm-8.1 + - cm-8.2 + - cm-8.3 + - cm-8.4 + - cm-9 + - cm-10 + - cm-11 + - cm-12 + - cm-12.1 + - cp-1 + - cp-2 + - cp-2.1 + - cp-2.2 + - cp-2.3 + - cp-2.5 + - cp-2.8 + - cp-3 + - cp-3.1 + - cp-4 + - cp-4.1 + - cp-4.2 + - cp-6 + - cp-6.1 + - cp-6.2 + - cp-6.3 + - cp-7 + - cp-7.1 + - cp-7.2 + - cp-7.3 + - cp-7.4 + - cp-8 + - cp-8.1 + - cp-8.2 + - cp-8.3 + - cp-8.4 + - cp-9 + - cp-9.1 + - cp-9.2 + - cp-9.3 + - cp-9.5 + - cp-9.8 + - cp-10 + - cp-10.2 + - cp-10.4 + - ia-1 + - ia-2 + - ia-2.1 + - ia-2.2 + - ia-2.5 + - ia-2.8 + - ia-2.12 + - ia-3 + - ia-4 + - ia-4.4 + - ia-5 + - ia-5.1 + - ia-5.2 + - ia-5.6 + - ia-6 + - ia-7 + - ia-8 + - ia-8.1 + - ia-8.2 + - ia-8.4 + - ia-11 + - ia-12 + - ia-12.2 + - ia-12.3 + - ia-12.4 + - ia-12.5 + - ir-1 + - ir-2 + - ir-2.1 + - ir-2.2 + - ir-3 + - ir-3.2 + - ir-4 + - ir-4.1 + - ir-4.4 + - ir-4.11 + - ir-5 + - ir-5.1 + - ir-6 + - ir-6.1 + - ir-6.3 + - ir-7 + - ir-7.1 + - ir-8 + - ma-1 + - ma-2 + - ma-2.2 + - ma-3 + - ma-3.1 + - ma-3.2 + - ma-3.3 + - ma-4 + - ma-4.3 + - ma-5 + - ma-5.1 + - ma-6 + - mp-1 + - mp-2 + - mp-3 + - mp-4 + - mp-5 + - mp-6 + - mp-6.1 + - mp-6.2 + - mp-6.3 + - mp-7 + - pe-1 + - pe-2 + - pe-3 + - pe-3.1 + - pe-4 + - pe-5 + - pe-6 + - pe-6.1 + - pe-6.4 + - pe-8 + - pe-8.1 + - pe-9 + - pe-10 + - pe-11 + - pe-11.1 + - pe-12 + - pe-13 + - pe-13.1 + - pe-13.2 + - pe-14 + - pe-15 + - pe-15.1 + - pe-16 + - pe-17 + - pe-18 + - pl-1 + - pl-2 + - pl-4 + - pl-4.1 + - pl-8 + - pl-10 + - pl-11 + - ps-1 + - ps-2 + - ps-3 + - ps-4 + - ps-4.2 + - ps-5 + - ps-6 + - ps-7 + - ps-8 + - ps-9 + - ra-1 + - ra-2 + - ra-3 + - ra-3.1 + - ra-5 + - ra-5.2 + - ra-5.4 + - ra-5.5 + - ra-5.11 + - ra-7 + - ra-9 + - sa-1 + - sa-2 + - sa-3 + - sa-4 + - sa-4.1 + - sa-4.2 + - sa-4.5 + - sa-4.9 + - sa-4.10 + - sa-5 + - sa-8 + - sa-9 + - sa-9.2 + - sa-10 + - sa-11 + - sa-15 + - sa-15.3 + - sa-16 + - sa-17 + - sa-21 + - sa-22 + - sc-1 + - sc-2 + - sc-3 + - sc-4 + - sc-5 + - sc-7 + - sc-7.3 + - sc-7.4 + - sc-7.5 + - sc-7.7 + - sc-7.8 + - sc-7.18 + - sc-7.21 + - sc-8 + - sc-8.1 + - sc-10 + - sc-12 + - sc-12.1 + - sc-13 + - sc-15 + - sc-17 + - sc-18 + - sc-20 + - sc-21 + - sc-22 + - sc-23 + - sc-24 + - sc-28 + - sc-28.1 + - sc-39 + - si-1 + - si-2 + - si-2.2 + - si-3 + - si-4 + - si-4.2 + - si-4.4 + - si-4.5 + - si-4.10 + - si-4.12 + - si-4.14 + - si-4.20 + - si-4.22 + - si-5 + - si-5.1 + - si-6 + - si-7 + - si-7.1 + - si-7.2 + - si-7.5 + - si-7.7 + - si-7.15 + - si-8 + - si-8.2 + - si-10 + - si-11 + - si-12 + - si-16 + - sr-1 + - sr-2 + - sr-2.1 + - sr-3 + - sr-5 + - sr-6 + - sr-8 + - sr-9 + - sr-9.1 + - sr-10 + - sr-11 + - sr-11.1 + - sr-11.2 + - sr-12 + merge: + as-is: true + back-matter: + resources: + - uuid: 84cbf061-eb87-4ec1-8112-1f529232e907 + description: 'NIST Special Publication 800-53 Revision 5: Security and Privacy Controls for Federal Information Systems and Organizations' + rlinks: + - href: ../../../../nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_catalog.xml + media-type: application/oscal.catalog+xml + - href: ../../../../nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json + media-type: application/oscal.catalog+json + - href: ../../../../nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_catalog.yaml + media-type: application/oscal.catalog+yaml \ No newline at end of file diff --git a/roscal_lib/tests/malformed/uri.yaml b/roscal_lib/tests/malformed/uri.yaml new file mode 100644 index 0000000..0d03e00 --- /dev/null +++ b/roscal_lib/tests/malformed/uri.yaml @@ -0,0 +1,421 @@ +profile: + uuid: cd073316-7c58-4c34-9f5c-9eb5aa722683 + metadata: + title: NIST Special Publication 800-53 Revision 5.1.1 HIGH IMPACT BASELINE + last-modified: "2023-12-04T14:55:00.000000-04:00" + version: 5.1.1+u2 + oscal-version: 1.1.1 + roles: + - id: creator + title: Document Creator + - id: contact + title: Contact + parties: + - uuid: c748c806-1d77-4695-bb40-e117b2afa82e + type: organization + name: Joint Task Force, Transformation Initiative + email-addresses: + - sec-cert@nist.gov + addresses: + - addr-lines: + - National Institute of Standards and Technology + - 'Attn: Computer Security Division' + - Information Technology Laboratory + - 100 Bureau Drive (Mail Stop 8930) + city: Gaithersburg + state: MD + postal-code: 20899-8930 + responsible-parties: + - role-id: creator + party-uuids: + - c748c806-1d77-4695-bb40-e117b2afa82e + - role-id: contact + party-uuids: + - c748c806-1d77-4695-bb40-e117b2afa82e + imports: + - href: '#84cbf061-eb87-4ec1-8112-1f529232e907' + include-controls: + - with-ids: + - ac-1 + - ac-2 + - ac-2.1 + - ac-2.2 + - ac-2.3 + - ac-2.4 + - ac-2.5 + - ac-2.11 + - ac-2.12 + - ac-2.13 + - ac-3 + - ac-4 + - ac-4.4 + - ac-5 + - ac-6 + - ac-6.1 + - ac-6.2 + - ac-6.3 + - ac-6.5 + - ac-6.7 + - ac-6.9 + - ac-6.10 + - ac-7 + - ac-8 + - ac-10 + - ac-11 + - ac-11.1 + - ac-12 + - ac-14 + - ac-17 + - ac-17.1 + - ac-17.2 + - ac-17.3 + - ac-17.4 + - ac-18 + - ac-18.1 + - ac-18.3 + - ac-18.4 + - ac-18.5 + - ac-19 + - ac-19.5 + - ac-20 + - ac-20.1 + - ac-20.2 + - ac-21 + - ac-22 + - at-1 + - at-2 + - at-2.2 + - at-2.3 + - at-3 + - at-4 + - au-1 + - au-2 + - au-3 + - au-3.1 + - au-4 + - au-5 + - au-5.1 + - au-5.2 + - au-6 + - au-6.1 + - au-6.3 + - au-6.5 + - au-6.6 + - au-7 + - au-7.1 + - au-8 + - au-9 + - au-9.2 + - au-9.3 + - au-9.4 + - au-10 + - au-11 + - au-12 + - au-12.1 + - au-12.3 + - ca-1 + - ca-2 + - ca-2.1 + - ca-2.2 + - ca-3 + - ca-3.6 + - ca-5 + - ca-6 + - ca-7 + - ca-7.1 + - ca-7.4 + - ca-8 + - ca-8.1 + - ca-9 + - cm-1 + - cm-2 + - cm-2.2 + - cm-2.3 + - cm-2.7 + - cm-3 + - cm-3.1 + - cm-3.2 + - cm-3.4 + - cm-3.6 + - cm-4 + - cm-4.1 + - cm-4.2 + - cm-5 + - cm-5.1 + - cm-6 + - cm-6.1 + - cm-6.2 + - cm-7 + - cm-7.1 + - cm-7.2 + - cm-7.5 + - cm-8 + - cm-8.1 + - cm-8.2 + - cm-8.3 + - cm-8.4 + - cm-9 + - cm-10 + - cm-11 + - cm-12 + - cm-12.1 + - cp-1 + - cp-2 + - cp-2.1 + - cp-2.2 + - cp-2.3 + - cp-2.5 + - cp-2.8 + - cp-3 + - cp-3.1 + - cp-4 + - cp-4.1 + - cp-4.2 + - cp-6 + - cp-6.1 + - cp-6.2 + - cp-6.3 + - cp-7 + - cp-7.1 + - cp-7.2 + - cp-7.3 + - cp-7.4 + - cp-8 + - cp-8.1 + - cp-8.2 + - cp-8.3 + - cp-8.4 + - cp-9 + - cp-9.1 + - cp-9.2 + - cp-9.3 + - cp-9.5 + - cp-9.8 + - cp-10 + - cp-10.2 + - cp-10.4 + - ia-1 + - ia-2 + - ia-2.1 + - ia-2.2 + - ia-2.5 + - ia-2.8 + - ia-2.12 + - ia-3 + - ia-4 + - ia-4.4 + - ia-5 + - ia-5.1 + - ia-5.2 + - ia-5.6 + - ia-6 + - ia-7 + - ia-8 + - ia-8.1 + - ia-8.2 + - ia-8.4 + - ia-11 + - ia-12 + - ia-12.2 + - ia-12.3 + - ia-12.4 + - ia-12.5 + - ir-1 + - ir-2 + - ir-2.1 + - ir-2.2 + - ir-3 + - ir-3.2 + - ir-4 + - ir-4.1 + - ir-4.4 + - ir-4.11 + - ir-5 + - ir-5.1 + - ir-6 + - ir-6.1 + - ir-6.3 + - ir-7 + - ir-7.1 + - ir-8 + - ma-1 + - ma-2 + - ma-2.2 + - ma-3 + - ma-3.1 + - ma-3.2 + - ma-3.3 + - ma-4 + - ma-4.3 + - ma-5 + - ma-5.1 + - ma-6 + - mp-1 + - mp-2 + - mp-3 + - mp-4 + - mp-5 + - mp-6 + - mp-6.1 + - mp-6.2 + - mp-6.3 + - mp-7 + - pe-1 + - pe-2 + - pe-3 + - pe-3.1 + - pe-4 + - pe-5 + - pe-6 + - pe-6.1 + - pe-6.4 + - pe-8 + - pe-8.1 + - pe-9 + - pe-10 + - pe-11 + - pe-11.1 + - pe-12 + - pe-13 + - pe-13.1 + - pe-13.2 + - pe-14 + - pe-15 + - pe-15.1 + - pe-16 + - pe-17 + - pe-18 + - pl-1 + - pl-2 + - pl-4 + - pl-4.1 + - pl-8 + - pl-10 + - pl-11 + - ps-1 + - ps-2 + - ps-3 + - ps-4 + - ps-4.2 + - ps-5 + - ps-6 + - ps-7 + - ps-8 + - ps-9 + - ra-1 + - ra-2 + - ra-3 + - ra-3.1 + - ra-5 + - ra-5.2 + - ra-5.4 + - ra-5.5 + - ra-5.11 + - ra-7 + - ra-9 + - sa-1 + - sa-2 + - sa-3 + - sa-4 + - sa-4.1 + - sa-4.2 + - sa-4.5 + - sa-4.9 + - sa-4.10 + - sa-5 + - sa-8 + - sa-9 + - sa-9.2 + - sa-10 + - sa-11 + - sa-15 + - sa-15.3 + - sa-16 + - sa-17 + - sa-21 + - sa-22 + - sc-1 + - sc-2 + - sc-3 + - sc-4 + - sc-5 + - sc-7 + - sc-7.3 + - sc-7.4 + - sc-7.5 + - sc-7.7 + - sc-7.8 + - sc-7.18 + - sc-7.21 + - sc-8 + - sc-8.1 + - sc-10 + - sc-12 + - sc-12.1 + - sc-13 + - sc-15 + - sc-17 + - sc-18 + - sc-20 + - sc-21 + - sc-22 + - sc-23 + - sc-24 + - sc-28 + - sc-28.1 + - sc-39 + - si-1 + - si-2 + - si-2.2 + - si-3 + - si-4 + - si-4.2 + - si-4.4 + - si-4.5 + - si-4.10 + - si-4.12 + - si-4.14 + - si-4.20 + - si-4.22 + - si-5 + - si-5.1 + - si-6 + - si-7 + - si-7.1 + - si-7.2 + - si-7.5 + - si-7.7 + - si-7.15 + - si-8 + - si-8.2 + - si-10 + - si-11 + - si-12 + - si-16 + - sr-1 + - sr-2 + - sr-2.1 + - sr-3 + - sr-5 + - sr-6 + - sr-8 + - sr-9 + - sr-9.1 + - sr-10 + - sr-11 + - sr-11.1 + - sr-11.2 + - sr-12 + merge: + as-is: true + back-matter: + resources: + - uuid: 84cbf061-eb87-4ec1-8112-1f529232e907 + description: 'NIST Special Publication 800-53 Revision 5: Security and Privacy Controls for Federal Information Systems and Organizations' + rlinks: + - href: ~@nist.gov#SP800-53%rev5^xml!NIST_SP-800-53_rev5_catalog.xml + media-type: application/oscal.catalog+xml + - href: ../../../../nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json + media-type: application/oscal.catalog+json + - href: ../../../../nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_catalog.yaml + media-type: application/oscal.catalog+yaml \ No newline at end of file diff --git a/roscal_lib/tests/malformed/uuid.yaml b/roscal_lib/tests/malformed/uuid.yaml new file mode 100644 index 0000000..8079dd8 --- /dev/null +++ b/roscal_lib/tests/malformed/uuid.yaml @@ -0,0 +1,421 @@ +profile: + uuid: wrong + metadata: + title: NIST Special Publication 800-53 Revision 5.1.1 HIGH IMPACT BASELINE + last-modified: "2023-12-04T14:55:00.000000-04:00" + version: 5.1.1+u2 + oscal-version: 1.1.1 + roles: + - id: creator + title: Document Creator + - id: contact + title: Contact + parties: + - uuid: c748c806-1d77-4695-bb40-e117b2afa82e + type: organization + name: Joint Task Force, Transformation Initiative + email-addresses: + - sec-cert@nist.gov + addresses: + - addr-lines: + - National Institute of Standards and Technology + - 'Attn: Computer Security Division' + - Information Technology Laboratory + - 100 Bureau Drive (Mail Stop 8930) + city: Gaithersburg + state: MD + postal-code: 20899-8930 + responsible-parties: + - role-id: creator + party-uuids: + - c748c806-1d77-4695-bb40-e117b2afa82e + - role-id: contact + party-uuids: + - c748c806-1d77-4695-bb40-e117b2afa82e + imports: + - href: '#84cbf061-eb87-4ec1-8112-1f529232e907' + include-controls: + - with-ids: + - ac-1 + - ac-2 + - ac-2.1 + - ac-2.2 + - ac-2.3 + - ac-2.4 + - ac-2.5 + - ac-2.11 + - ac-2.12 + - ac-2.13 + - ac-3 + - ac-4 + - ac-4.4 + - ac-5 + - ac-6 + - ac-6.1 + - ac-6.2 + - ac-6.3 + - ac-6.5 + - ac-6.7 + - ac-6.9 + - ac-6.10 + - ac-7 + - ac-8 + - ac-10 + - ac-11 + - ac-11.1 + - ac-12 + - ac-14 + - ac-17 + - ac-17.1 + - ac-17.2 + - ac-17.3 + - ac-17.4 + - ac-18 + - ac-18.1 + - ac-18.3 + - ac-18.4 + - ac-18.5 + - ac-19 + - ac-19.5 + - ac-20 + - ac-20.1 + - ac-20.2 + - ac-21 + - ac-22 + - at-1 + - at-2 + - at-2.2 + - at-2.3 + - at-3 + - at-4 + - au-1 + - au-2 + - au-3 + - au-3.1 + - au-4 + - au-5 + - au-5.1 + - au-5.2 + - au-6 + - au-6.1 + - au-6.3 + - au-6.5 + - au-6.6 + - au-7 + - au-7.1 + - au-8 + - au-9 + - au-9.2 + - au-9.3 + - au-9.4 + - au-10 + - au-11 + - au-12 + - au-12.1 + - au-12.3 + - ca-1 + - ca-2 + - ca-2.1 + - ca-2.2 + - ca-3 + - ca-3.6 + - ca-5 + - ca-6 + - ca-7 + - ca-7.1 + - ca-7.4 + - ca-8 + - ca-8.1 + - ca-9 + - cm-1 + - cm-2 + - cm-2.2 + - cm-2.3 + - cm-2.7 + - cm-3 + - cm-3.1 + - cm-3.2 + - cm-3.4 + - cm-3.6 + - cm-4 + - cm-4.1 + - cm-4.2 + - cm-5 + - cm-5.1 + - cm-6 + - cm-6.1 + - cm-6.2 + - cm-7 + - cm-7.1 + - cm-7.2 + - cm-7.5 + - cm-8 + - cm-8.1 + - cm-8.2 + - cm-8.3 + - cm-8.4 + - cm-9 + - cm-10 + - cm-11 + - cm-12 + - cm-12.1 + - cp-1 + - cp-2 + - cp-2.1 + - cp-2.2 + - cp-2.3 + - cp-2.5 + - cp-2.8 + - cp-3 + - cp-3.1 + - cp-4 + - cp-4.1 + - cp-4.2 + - cp-6 + - cp-6.1 + - cp-6.2 + - cp-6.3 + - cp-7 + - cp-7.1 + - cp-7.2 + - cp-7.3 + - cp-7.4 + - cp-8 + - cp-8.1 + - cp-8.2 + - cp-8.3 + - cp-8.4 + - cp-9 + - cp-9.1 + - cp-9.2 + - cp-9.3 + - cp-9.5 + - cp-9.8 + - cp-10 + - cp-10.2 + - cp-10.4 + - ia-1 + - ia-2 + - ia-2.1 + - ia-2.2 + - ia-2.5 + - ia-2.8 + - ia-2.12 + - ia-3 + - ia-4 + - ia-4.4 + - ia-5 + - ia-5.1 + - ia-5.2 + - ia-5.6 + - ia-6 + - ia-7 + - ia-8 + - ia-8.1 + - ia-8.2 + - ia-8.4 + - ia-11 + - ia-12 + - ia-12.2 + - ia-12.3 + - ia-12.4 + - ia-12.5 + - ir-1 + - ir-2 + - ir-2.1 + - ir-2.2 + - ir-3 + - ir-3.2 + - ir-4 + - ir-4.1 + - ir-4.4 + - ir-4.11 + - ir-5 + - ir-5.1 + - ir-6 + - ir-6.1 + - ir-6.3 + - ir-7 + - ir-7.1 + - ir-8 + - ma-1 + - ma-2 + - ma-2.2 + - ma-3 + - ma-3.1 + - ma-3.2 + - ma-3.3 + - ma-4 + - ma-4.3 + - ma-5 + - ma-5.1 + - ma-6 + - mp-1 + - mp-2 + - mp-3 + - mp-4 + - mp-5 + - mp-6 + - mp-6.1 + - mp-6.2 + - mp-6.3 + - mp-7 + - pe-1 + - pe-2 + - pe-3 + - pe-3.1 + - pe-4 + - pe-5 + - pe-6 + - pe-6.1 + - pe-6.4 + - pe-8 + - pe-8.1 + - pe-9 + - pe-10 + - pe-11 + - pe-11.1 + - pe-12 + - pe-13 + - pe-13.1 + - pe-13.2 + - pe-14 + - pe-15 + - pe-15.1 + - pe-16 + - pe-17 + - pe-18 + - pl-1 + - pl-2 + - pl-4 + - pl-4.1 + - pl-8 + - pl-10 + - pl-11 + - ps-1 + - ps-2 + - ps-3 + - ps-4 + - ps-4.2 + - ps-5 + - ps-6 + - ps-7 + - ps-8 + - ps-9 + - ra-1 + - ra-2 + - ra-3 + - ra-3.1 + - ra-5 + - ra-5.2 + - ra-5.4 + - ra-5.5 + - ra-5.11 + - ra-7 + - ra-9 + - sa-1 + - sa-2 + - sa-3 + - sa-4 + - sa-4.1 + - sa-4.2 + - sa-4.5 + - sa-4.9 + - sa-4.10 + - sa-5 + - sa-8 + - sa-9 + - sa-9.2 + - sa-10 + - sa-11 + - sa-15 + - sa-15.3 + - sa-16 + - sa-17 + - sa-21 + - sa-22 + - sc-1 + - sc-2 + - sc-3 + - sc-4 + - sc-5 + - sc-7 + - sc-7.3 + - sc-7.4 + - sc-7.5 + - sc-7.7 + - sc-7.8 + - sc-7.18 + - sc-7.21 + - sc-8 + - sc-8.1 + - sc-10 + - sc-12 + - sc-12.1 + - sc-13 + - sc-15 + - sc-17 + - sc-18 + - sc-20 + - sc-21 + - sc-22 + - sc-23 + - sc-24 + - sc-28 + - sc-28.1 + - sc-39 + - si-1 + - si-2 + - si-2.2 + - si-3 + - si-4 + - si-4.2 + - si-4.4 + - si-4.5 + - si-4.10 + - si-4.12 + - si-4.14 + - si-4.20 + - si-4.22 + - si-5 + - si-5.1 + - si-6 + - si-7 + - si-7.1 + - si-7.2 + - si-7.5 + - si-7.7 + - si-7.15 + - si-8 + - si-8.2 + - si-10 + - si-11 + - si-12 + - si-16 + - sr-1 + - sr-2 + - sr-2.1 + - sr-3 + - sr-5 + - sr-6 + - sr-8 + - sr-9 + - sr-9.1 + - sr-10 + - sr-11 + - sr-11.1 + - sr-11.2 + - sr-12 + merge: + as-is: true + back-matter: + resources: + - uuid: 84cbf061-eb87-4ec1-8112-1f529232e907 + description: 'NIST Special Publication 800-53 Revision 5: Security and Privacy Controls for Federal Information Systems and Organizations' + rlinks: + - href: ../../../../nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_catalog.xml + media-type: application/oscal.catalog+xml + - href: ../../../../nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json + media-type: application/oscal.catalog+json + - href: ../../../../nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_catalog.yaml + media-type: application/oscal.catalog+yaml \ No newline at end of file diff --git a/roscal_lib/tests/parse_test.rs b/roscal_lib/tests/parse_test.rs new file mode 100644 index 0000000..627678b --- /dev/null +++ b/roscal_lib/tests/parse_test.rs @@ -0,0 +1,198 @@ +use std::{ + fs::{read_dir, File}, + io::BufReader, +}; + +use roscal_lib::{ + assessment::{ + assessment_plan::AssessmentPlan, assessment_results::AssessmentResults, + poam::PlanOfActionAndMilestones, + }, + control::{catalog::Catalog, profile::Profile}, + implementation::{ + component_definition::ComponentDefinition, ssp::SystemSecurityPlan, + }, +}; + +#[test] +fn parse_json_ap() { + for e in read_dir("tests/ap/json").unwrap() { + let entry = e.unwrap(); + let path = entry.path(); + let file = File::open(path).unwrap(); + let reader = BufReader::new(file); + let res: Result = + serde_json::from_reader(reader); + assert_eq!(true, res.is_ok()) + } +} + +#[test] +fn parse_yaml_ap() { + for e in read_dir("tests/ap/yaml").unwrap() { + let entry = e.unwrap(); + let path = entry.path(); + let file = File::open(path).unwrap(); + let reader = BufReader::new(file); + let res: Result = + serde_yaml::from_reader(reader); + assert_eq!(true, res.is_ok()) + } +} + +#[test] +fn parse_json_ar() { + for e in read_dir("tests/ar/json").unwrap() { + let entry = e.unwrap(); + let path = entry.path(); + let file = File::open(path).unwrap(); + let reader = BufReader::new(file); + let res: Result = + serde_json::from_reader(reader); + assert_eq!(true, res.is_ok()) + } +} + +#[test] +fn parse_yaml_ar() { + for e in read_dir("tests/ar/yaml").unwrap() { + let entry = e.unwrap(); + let path = entry.path(); + let file = File::open(path).unwrap(); + let reader = BufReader::new(file); + let res: Result = + serde_yaml::from_reader(reader); + assert_eq!(true, res.is_ok()) + } +} + +#[test] +fn parse_json_catalog() { + for e in read_dir("tests/catalog/json").unwrap() { + let entry = e.unwrap(); + let path = entry.path(); + let file = File::open(path).unwrap(); + let reader = BufReader::new(file); + let res: Result = + serde_json::from_reader(reader); + assert_eq!(true, res.is_ok()) + } +} + +#[test] +fn parse_yaml_catalog() { + for e in read_dir("tests/catalog/yaml").unwrap() { + let entry = e.unwrap(); + let path = entry.path(); + let file = File::open(path).unwrap(); + let reader = BufReader::new(file); + let res: Result = + serde_yaml::from_reader(reader); + assert_eq!(true, res.is_ok()) + } +} + +#[test] +fn parse_json_component_def() { + for e in read_dir("tests/component-definition/json").unwrap() { + let entry = e.unwrap(); + let path = entry.path(); + let file = File::open(path).unwrap(); + let reader = BufReader::new(file); + let res: Result = + serde_json::from_reader(reader); + assert_eq!(true, res.is_ok()) + } +} + +#[test] +fn parse_yaml_component_def() { + for e in read_dir("tests/component-definition/yaml").unwrap() { + let entry = e.unwrap(); + let path = entry.path(); + let file = File::open(path).unwrap(); + let reader = BufReader::new(file); + let res: Result = + serde_yaml::from_reader(reader); + assert_eq!(true, res.is_ok()) + } +} + +#[test] +fn parse_json_poam() { + for e in read_dir("tests/poam/json").unwrap() { + let entry = e.unwrap(); + let path = entry.path(); + let file = File::open(path).unwrap(); + let reader = BufReader::new(file); + let res: Result = + serde_json::from_reader(reader); + assert_eq!(true, res.is_ok()) + } +} + +#[test] +fn parse_yaml_poam() { + for e in read_dir("tests/poam/yaml").unwrap() { + let entry = e.unwrap(); + let path = entry.path(); + let file = File::open(path).unwrap(); + let reader = BufReader::new(file); + let res: Result = + serde_yaml::from_reader(reader); + assert_eq!(true, res.is_ok()) + } +} + +#[test] +fn parse_json_profile() { + for e in read_dir("tests/profile/json").unwrap() { + let entry = e.unwrap(); + let path = entry.path(); + let file = File::open(path).unwrap(); + let reader = BufReader::new(file); + let res: Result = + serde_json::from_reader(reader); + assert_eq!(true, res.is_ok()) + } +} + +#[test] +fn parse_yaml_profile() { + for e in read_dir("tests/profile/yaml").unwrap() { + let entry = e.unwrap(); + let path = entry.path(); + let file = File::open(path).unwrap(); + let reader = BufReader::new(file); + let res: Result = + serde_yaml::from_reader(reader); + assert_eq!(true, res.is_ok()) + } +} + +#[test] +fn parse_json_ssp() { + for e in read_dir("tests/ssp/json").unwrap() { + let entry = e.unwrap(); + let path = entry.path(); + let file = File::open(path).unwrap(); + let reader = BufReader::new(file); + let res: Result = + serde_json::from_reader(reader); + assert_eq!(true, res.is_ok()) + } +} + +#[test] +fn parse_yaml_ssp() { + for e in read_dir("tests/ssp/yaml").unwrap() { + let entry = e.unwrap(); + let path = entry.path(); + let file = File::open(path.clone()).unwrap(); + let reader = BufReader::new(file); + let res: Result = + serde_yaml::from_reader(reader); + let a = res.map_err(|e| eprintln!("{}:::{}", e, path.display())); + assert_eq!(true, a.is_ok()) + } +} diff --git a/roscal_lib/tests/poam/json/ifa_plan-of-action-and-milestones-min.json b/roscal_lib/tests/poam/json/ifa_plan-of-action-and-milestones-min.json new file mode 100644 index 0000000..94c5cc9 --- /dev/null +++ b/roscal_lib/tests/poam/json/ifa_plan-of-action-and-milestones-min.json @@ -0,0 +1,197 @@ +{ + "plan-of-action-and-milestones": { + "uuid": "714210d2-f8df-448c-be3e-e2213816cf79", + "metadata": { + "title": "IFA GoodRead Plan of Action and Milestones", + "last-modified": "2024-02-01T13:57:28.355446-04:00", + "version": "1.1", + "oscal-version": "1.1.2" + }, + "import-ssp": { "href": "../5-authorize/ssp.oscal.xml" }, + "system-id": { + "identifier-type": "http://ietf.org/rfc/rfc4122", + "id": "8101e04d-8305-4e73-bb95-6b59f645b143" + }, + "observations": [ + { + "uuid": "0c4de4fc-9bde-46af-b6fe-3b5e78194dcf", + "title": "Django Framework Examination", + "description": "Examine Django Framework for least privilege design and implementation.", + "methods": ["EXAMINE"], + "types": ["control-objective"], + "subjects": [ + { + "subject-uuid": "551b9706-d6a4-4d25-8207-f2ccec548b89", + "type": "component" + } + ], + "collected": "2023-05-19T12:14:16-04:00", + "remarks": "The assessor attempted to access the admin panel while logged into the GoodRead application as a PAO staff user. They were able to see the admin panel and directly edit database records for the application using the Django Framework's admin panel." + }, + { + "uuid": "8807eb6e-0c05-43bc-8438-799739615e34", + "title": "AwesomeCloud IAM Roles Test - GoodRead System Engineer Role", + "description": "Test AwesomeCloud IAM Roles for least privilege design and implementation.", + "methods": ["TEST"], + "types": ["finding"], + "subjects": [ + { + "subject-uuid": "551b9706-d6a4-4d25-8207-f2ccec548b89", + "type": "component" + } + ], + "collected": "2023-06-02T08:31:20-04:00", + "expires": "2023-07-01T00:00:00-04:00", + "remarks": "The assessor's security automation platform analyzed all roles specific to the GoodRead Product Team, not those managed by the Office of Information Technology. The `IFA-GoodRead-SystemEnginer` role in their respective AwesomeCloud account permitted use of the following high-risk actions.\n\n* awesomecloud:auditlog:DeleteAccountAuditLog\n* awesomecloud:secmon:AdministerConfigurations\n\n\nBoth of these actions are overly permissive and not appropriate for the business function of the staff member assigned this role." + } + ], + "risks": [ + { + "uuid": "8b8bae66-b28c-4fa5-9a20-b79e7322fc00", + "title": "IFA-GOODREAD-RISK-1: PAO Staff Have Over-Privileged Access to GoodRead System", + "description": "A user with the privileges of a PAO staff user can exceed the intended privileges for their related business function and directly edit the database for the GoodRead application.", + "statement": "An account without proper least privilege design and implementation can be used to significantly damage links created by the tool for use by public citizens, potentially causing a national outage. If an outage were to occur, IFA and Government policy will require the CIO of the agency to notify the Department of Homeland Security and the public.\n\nSuch an event will cause significant financial and reputational risk to IFA's Administrator, executive staff, and the agency overall.", + "status": "deviation-approved", + "characterizations": [ + { + "origin": { + "actors": [ + { + "type": "party", + "actor-uuid": "e7730080-71ce-4b20-bec4-84f33136fd58" + } + ] + }, + "facets": [ + { + "name": "likelihood", + "system": "https://ifa.gov/division/ociso/sca", + "value": "low" + }, + { + "name": "impact", + "system": "https://ifa.gov/division/ociso/sca", + "value": "high" + } + ] + } + ], + "mitigating-factors": [ + { + "uuid": "401c15c9-ad6b-4d4a-a591-7d53a3abb3b6", + "description": "The GoodRead application is designed and implemented to only allow access to the administrative functions for those with PAO staff fole via the VPN via network configuration between the IFA Enterprise Support Systems and the GoodRead AwesomeCloud account. Additionally, the load balanacer configuration only allows access to view shortlinks from the public internet." + } + ], + "deadline": "2024-01-01T05:00:00-04:00", + "remediations": [ + { + "uuid": "d28873f7-0a45-476d-9cd3-1d2ec0b8bca1", + "lifecycle": "planned", + "title": "IFA-GOODREAD-RISK1-RESPONSE: IFA GoodRead Prouct Team Response", + "description": "The GoodRead Product Team does not have sufficient personnel and budget to implement the required changes in their use of the Django Framework and its configuration in this quarter. With the consultation of the ISSO and the assessor, the owner of the GoodRead system has decided to accept this risk until the end of December 2023. From September to December, budget will be available for the Good Read Product Team's developer and system engineer to completely disable the functionality that is the source of the risk and its originating finding.", + "props": [{ "name": "type", "value": "accept" }], + "tasks": [ + { + "uuid": "f8b1d4cb-d1a9-4932-9859-2e93b325f287", + "type": "milestone", + "title": "End of Year Project Management Report of Developed Remediations", + "description": "The owner, ISSO, and product team of the GoodRead Project intend to complete the necessary development between September 2023 and December 2023. Whether or not the necessary development for remedation is complete, the product team's project manager will submit the final annual report. They will identify this work item and whether it has been completed.", + "timing": { + "within-date-range": { + "start": "2023-09-29T09:00:00-04:00", + "end": "2024-01-01T05:00:00-04:00" + } + } + } + ] + } + ], + "related-observations": [ + { "observation-uuid": "0c4de4fc-9bde-46af-b6fe-3b5e78194dcf" } + ] + }, + { + "uuid": "1c65d2d3-7735-47fa-8f68-a236744beab7", + "title": "IFA-GOODREAD-RISK-2: GoodRead System Engineers Have Over-Privileged Access to Cloud Infrastructure Account", + "description": "A user in the GoodRead cloud environment with the privileges of a system engineer can exceed the intended privileges for their related business function. They can delete all historical audit records and remove important security monitoring functions for the IFA Security Operations Center staff.", + "statement": "An account without proper least privilege design and implementation can be used to surreptitiously add, change, or delete cloud infrastructure to the too managing all links to IFA's communication to public citizens, potentially causing significant harm with no forensic evidence to recover the system. Regardless of the extent and duration of a potential incident, such a configuration greatly increases the risk of an insider threat if there were likely to a potential insider threat in the GoodRead Product Team.\n\nIf such an insider threat existed and acted with this misconfigruatio, the resulting event could cause significant financial and reputational risk to IFA's Administrator, executive staff, and the agency overall.", + "status": "open", + "characterizations": [ + { + "origin": { + "actors": [ + { + "type": "party", + "actor-uuid": "e7730080-71ce-4b20-bec4-84f33136fd58" + } + ] + }, + "facets": [ + { + "name": "likelihood", + "system": "https://ifa.gov/division/ociso/sca", + "value": "low" + }, + { + "name": "impact", + "system": "https://ifa.gov/division/ociso/sca", + "value": "high" + } + ] + } + ], + "deadline": "2023-06-23T17:00:00-04:00", + "remediations": [ + { + "uuid": "4676b126-ba6d-40cc-9dc8-f2aa677b03ee", + "lifecycle": "planned", + "title": "IFA-GOODREAD-RISK1-RESPONSE: IFA GoodRead Prouct Team Response", + "description": "The GoodRead Product Team does not have siginficant mitigations or compensating controls to counter this risk, even if likelihood is low. The IFA CISO has cited ongoing guidance that potential insider threat risks be prioritized above alternative categories of risk for this quarter. Additionally, there is sufficient budget and unallocated time for the GoodRead and Office of Information Technology system engineers to modify AwesomeCloud IAM roles on or before the next continuous monitoring cycle beginning in July 2023. The planned completion data is June 23, 2023.", + "props": [{ "name": "type", "value": "mitigate" }], + "tasks": [ + { + "uuid": "a0bb457d-0d14-4a74-801a-ffc9bc4cd636", + "type": "milestone", + "title": "Completion of GoodRead Sprint Ending June 23, 2023", + "description": "The owner, ISSO, and product team of the GoodRead Project intend to complete the necessary development by June 23. 2023, the last day of the coinciding sprint. Whether or not the necessary development for mitigation is complete, the product team's project manager will write a brief at the end of the sprint to thw owner and ISSO of this system with the final status and determination of this work item in this sprint.", + "timing": { + "within-date-range": { + "start": "2023-06-03T00:00:00-04:00", + "end": "2024-06-23T17:00:00-04:00" + } + } + } + ] + } + ], + "related-observations": [ + { "observation-uuid": "8807eb6e-0c05-43bc-8438-799739615e34" } + ] + } + ], + "poam-items": [ + { + "uuid": "e174dfb9-0ae3-4a8f-8e7c-081527b84337", + "title": "Update Django Framework Configuration to Disable Default Admin Panel", + "description": "Budget and technical staff are needed to re-design and re-implement a part of the GoodRead application's use of a web appplication programming framework to mitigate the risk of low privilege users directly modifying the database of this application. This application is a high-visibility service and integral to future operations of the IFA Office of Public Affairs and its staff.", + "related-observations": [ + { "observation-uuid": "0c4de4fc-9bde-46af-b6fe-3b5e78194dcf" } + ], + "related-risks": [ + { "risk-uuid": "401c15c9-ad6b-4d4a-a591-7d53a3abb3b6" } + ] + }, + { + "uuid": "48c8368d-43ff-4736-9b28-64b1b1284c03", + "title": "GoodRead System Engineers Have Over-Privileged Access to Cloud Infrastructure Account", + "description": "Budget and technical staff allocation are available and designated to fix a misconfiguration of the IAM roles for members of the GoodRead Product Team in their AwesomeCloud account to implement least privilege as designed.", + "related-observations": [ + { "observation-uuid": "8807eb6e-0c05-43bc-8438-799739615e34" } + ], + "related-risks": [ + { "risk-uuid": "1c65d2d3-7735-47fa-8f68-a236744beab7" } + ] + } + ] + } +} diff --git a/roscal_lib/tests/poam/json/ifa_plan-of-action-and-milestones.json b/roscal_lib/tests/poam/json/ifa_plan-of-action-and-milestones.json new file mode 100644 index 0000000..70ac170 --- /dev/null +++ b/roscal_lib/tests/poam/json/ifa_plan-of-action-and-milestones.json @@ -0,0 +1,221 @@ +{ + "plan-of-action-and-milestones": { + "uuid": "714210d2-f8df-448c-be3e-e2213816cf79", + "metadata": { + "title": "IFA GoodRead Plan of Action and Milestones", + "last-modified": "2024-02-01T13:57:28.355446-04:00", + "version": "1.1", + "oscal-version": "1.1.2" + }, + "import-ssp": { + "href": "../5-authorize/ssp.oscal.xml" + }, + "system-id": { + "identifier-type": "http://ietf.org/rfc/rfc4122", + "id": "8101e04d-8305-4e73-bb95-6b59f645b143" + }, + "observations": [ + { + "uuid": "0c4de4fc-9bde-46af-b6fe-3b5e78194dcf", + "title": "Django Framework Examination", + "description": "Examine Django Framework for least privilege design and implementation.", + "methods": ["EXAMINE"], + "types": ["control-objective"], + "subjects": [ + { + "subject-uuid": "551b9706-d6a4-4d25-8207-f2ccec548b89", + "type": "component" + } + ], + "collected": "2023-05-19T12:14:16-04:00", + "remarks": "The assessor attempted to access the admin panel while logged into the GoodRead application as a PAO staff user. They were able to see the admin panel and directly edit database records for the application using the Django Framework's admin panel." + }, + { + "uuid": "8807eb6e-0c05-43bc-8438-799739615e34", + "title": "AwesomeCloud IAM Roles Test - GoodRead System Engineer Role", + "description": "Test AwesomeCloud IAM Roles for least privilege design and implementation.", + "methods": ["TEST"], + "types": ["finding"], + "subjects": [ + { + "subject-uuid": "551b9706-d6a4-4d25-8207-f2ccec548b89", + "type": "component" + } + ], + "collected": "2023-06-02T08:31:20-04:00", + "expires": "2023-07-01T00:00:00-04:00", + "remarks": "The assessor's security automation platform analyzed all roles specific to the GoodRead Product Team, not those managed by the Office of Information Technology. The `IFA-GoodRead-SystemEnginer` role in their respective AwesomeCloud account permitted use of the following high-risk actions.\n\n* awesomecloud:auditlog:DeleteAccountAuditLog\n* awesomecloud:secmon:AdministerConfigurations\n\n\nBoth of these actions are overly permissive and not appropriate for the business function of the staff member assigned this role." + } + ], + "risks": [ + { + "uuid": "8b8bae66-b28c-4fa5-9a20-b79e7322fc00", + "title": "IFA-GOODREAD-RISK-1: PAO Staff Have Over-Privileged Access to GoodRead System", + "description": "A user with the privileges of a PAO staff user can exceed the intended privileges for their related business function and directly edit the database for the GoodRead application.", + "statement": "An account without proper least privilege design and implementation can be used to significantly damage links created by the tool for use by public citizens, potentially causing a national outage. If an outage were to occur, IFA and Government policy will require the CIO of the agency to notify the Department of Homeland Security and the public.\n\nSuch an event will cause significant financial and reputational risk to IFA's Administrator, executive staff, and the agency overall.", + "status": "deviation-approved", + "characterizations": [ + { + "origin": { + "actors": [ + { + "type": "party", + "actor-uuid": "e7730080-71ce-4b20-bec4-84f33136fd58" + } + ] + }, + "facets": [ + { + "name": "likelihood", + "system": "https://ifa.gov/division/ociso/sca", + "value": "low" + }, + { + "name": "impact", + "system": "https://ifa.gov/division/ociso/sca", + "value": "high" + } + ] + } + ], + "mitigating-factors": [ + { + "uuid": "401c15c9-ad6b-4d4a-a591-7d53a3abb3b6", + "description": "The GoodRead application is designed and implemented to only allow access to the administrative functions for those with PAO staff fole via the VPN via network configuration between the IFA Enterprise Support Systems and the GoodRead AwesomeCloud account. Additionally, the load balanacer configuration only allows access to view shortlinks from the public internet." + } + ], + "deadline": "2024-01-01T05:00:00-04:00", + "remediations": [ + { + "uuid": "d28873f7-0a45-476d-9cd3-1d2ec0b8bca1", + "lifecycle": "planned", + "title": "IFA-GOODREAD-RISK1-RESPONSE: IFA GoodRead Prouct Team Response", + "description": "The GoodRead Product Team does not have sufficient personnel and budget to implement the required changes in their use of the Django Framework and its configuration in this quarter. With the consultation of the ISSO and the assessor, the owner of the GoodRead system has decided to accept this risk until the end of December 2023. From September to December, budget will be available for the Good Read Product Team's developer and system engineer to completely disable the functionality that is the source of the risk and its originating finding.", + "props": [ + { + "name": "type", + "value": "accept" + } + ], + "tasks": [ + { + "uuid": "f8b1d4cb-d1a9-4932-9859-2e93b325f287", + "type": "milestone", + "title": "End of Year Project Management Report of Developed Remediations", + "description": "The owner, ISSO, and product team of the GoodRead Project intend to complete the necessary development between September 2023 and December 2023. Whether or not the necessary development for remedation is complete, the product team's project manager will submit the final annual report. They will identify this work item and whether it has been completed.", + "timing": { + "within-date-range": { + "start": "2023-09-29T09:00:00-04:00", + "end": "2024-01-01T05:00:00-04:00" + } + } + } + ] + } + ], + "related-observations": [ + { + "observation-uuid": "0c4de4fc-9bde-46af-b6fe-3b5e78194dcf" + } + ] + }, + { + "uuid": "1c65d2d3-7735-47fa-8f68-a236744beab7", + "title": "IFA-GOODREAD-RISK-2: GoodRead System Engineers Have Over-Privileged Access to Cloud Infrastructure Account", + "description": "A user in the GoodRead cloud environment with the privileges of a system engineer can exceed the intended privileges for their related business function. They can delete all historical audit records and remove important security monitoring functions for the IFA Security Operations Center staff.", + "statement": "An account without proper least privilege design and implementation can be used to surreptitiously add, change, or delete cloud infrastructure to the too managing all links to IFA's communication to public citizens, potentially causing significant harm with no forensic evidence to recover the system. Regardless of the extent and duration of a potential incident, such a configuration greatly increases the risk of an insider threat if there were likely to a potential insider threat in the GoodRead Product Team.\n\nIf such an insider threat existed and acted with this misconfigruatio, the resulting event could cause significant financial and reputational risk to IFA's Administrator, executive staff, and the agency overall.", + "status": "open", + "characterizations": [ + { + "origin": { + "actors": [ + { + "type": "party", + "actor-uuid": "e7730080-71ce-4b20-bec4-84f33136fd58" + } + ] + }, + "facets": [ + { + "name": "likelihood", + "system": "https://ifa.gov/division/ociso/sca", + "value": "low" + }, + { + "name": "impact", + "system": "https://ifa.gov/division/ociso/sca", + "value": "high" + } + ] + } + ], + "deadline": "2023-06-23T17:00:00-04:00", + "remediations": [ + { + "uuid": "4676b126-ba6d-40cc-9dc8-f2aa677b03ee", + "lifecycle": "planned", + "title": "IFA-GOODREAD-RISK1-RESPONSE: IFA GoodRead Prouct Team Response", + "description": "The GoodRead Product Team does not have siginficant mitigations or compensating controls to counter this risk, even if likelihood is low. The IFA CISO has cited ongoing guidance that potential insider threat risks be prioritized above alternative categories of risk for this quarter. Additionally, there is sufficient budget and unallocated time for the GoodRead and Office of Information Technology system engineers to modify AwesomeCloud IAM roles on or before the next continuous monitoring cycle beginning in July 2023. The planned completion data is June 23, 2023.", + "props": [ + { + "name": "type", + "value": "mitigate" + } + ], + "tasks": [ + { + "uuid": "a0bb457d-0d14-4a74-801a-ffc9bc4cd636", + "type": "milestone", + "title": "Completion of GoodRead Sprint Ending June 23, 2023", + "description": "The owner, ISSO, and product team of the GoodRead Project intend to complete the necessary development by June 23. 2023, the last day of the coinciding sprint. Whether or not the necessary development for mitigation is complete, the product team's project manager will write a brief at the end of the sprint to thw owner and ISSO of this system with the final status and determination of this work item in this sprint.", + "timing": { + "within-date-range": { + "start": "2023-06-03T00:00:00-04:00", + "end": "2024-06-23T17:00:00-04:00" + } + } + } + ] + } + ], + "related-observations": [ + { + "observation-uuid": "8807eb6e-0c05-43bc-8438-799739615e34" + } + ] + } + ], + "poam-items": [ + { + "uuid": "e174dfb9-0ae3-4a8f-8e7c-081527b84337", + "title": "Update Django Framework Configuration to Disable Default Admin Panel", + "description": "Budget and technical staff are needed to re-design and re-implement a part of the GoodRead application's use of a web appplication programming framework to mitigate the risk of low privilege users directly modifying the database of this application. This application is a high-visibility service and integral to future operations of the IFA Office of Public Affairs and its staff.", + "related-observations": [ + { + "observation-uuid": "0c4de4fc-9bde-46af-b6fe-3b5e78194dcf" + } + ], + "related-risks": [ + { + "risk-uuid": "401c15c9-ad6b-4d4a-a591-7d53a3abb3b6" + } + ] + }, + { + "uuid": "48c8368d-43ff-4736-9b28-64b1b1284c03", + "title": "GoodRead System Engineers Have Over-Privileged Access to Cloud Infrastructure Account", + "description": "Budget and technical staff allocation are available and designated to fix a misconfiguration of the IAM roles for members of the GoodRead Product Team in their AwesomeCloud account to implement least privilege as designed.", + "related-observations": [ + { + "observation-uuid": "8807eb6e-0c05-43bc-8438-799739615e34" + } + ], + "related-risks": [ + { + "risk-uuid": "1c65d2d3-7735-47fa-8f68-a236744beab7" + } + ] + } + ] + } +} diff --git a/roscal_lib/tests/poam/yaml/ifa_plan-of-action-and-milestones.yaml b/roscal_lib/tests/poam/yaml/ifa_plan-of-action-and-milestones.yaml new file mode 100644 index 0000000..c2d609c --- /dev/null +++ b/roscal_lib/tests/poam/yaml/ifa_plan-of-action-and-milestones.yaml @@ -0,0 +1,144 @@ +plan-of-action-and-milestones: + uuid: 714210d2-f8df-448c-be3e-e2213816cf79 + metadata: + title: IFA GoodRead Plan of Action and Milestones + last-modified: "2024-02-01T13:57:28.355446-04:00" + version: "1.1" + oscal-version: 1.1.2 + import-ssp: + href: ../5-authorize/ssp.oscal.xml + system-id: + identifier-type: http://ietf.org/rfc/rfc4122 + id: 8101e04d-8305-4e73-bb95-6b59f645b143 + observations: + - uuid: 0c4de4fc-9bde-46af-b6fe-3b5e78194dcf + title: Django Framework Examination + description: Examine Django Framework for least privilege design and implementation. + methods: + - EXAMINE + types: + - control-objective + subjects: + - subject-uuid: 551b9706-d6a4-4d25-8207-f2ccec548b89 + type: component + collected: "2023-05-19T12:14:16-04:00" + remarks: The assessor attempted to access the admin panel while logged into the GoodRead application as a PAO staff user. They were able to see the admin panel and directly edit database records for the application using the Django Framework's admin panel. + - uuid: 8807eb6e-0c05-43bc-8438-799739615e34 + title: AwesomeCloud IAM Roles Test - GoodRead System Engineer Role + description: Test AwesomeCloud IAM Roles for least privilege design and implementation. + methods: + - TEST + types: + - finding + subjects: + - subject-uuid: 551b9706-d6a4-4d25-8207-f2ccec548b89 + type: component + collected: "2023-06-02T08:31:20-04:00" + expires: "2023-07-01T00:00:00-04:00" + remarks: |- + The assessor's security automation platform analyzed all roles specific to the GoodRead Product Team, not those managed by the Office of Information Technology. The `IFA-GoodRead-SystemEnginer` role in their respective AwesomeCloud account permitted use of the following high-risk actions. + + * awesomecloud:auditlog:DeleteAccountAuditLog + * awesomecloud:secmon:AdministerConfigurations + + + Both of these actions are overly permissive and not appropriate for the business function of the staff member assigned this role. + risks: + - uuid: 8b8bae66-b28c-4fa5-9a20-b79e7322fc00 + title: 'IFA-GOODREAD-RISK-1: PAO Staff Have Over-Privileged Access to GoodRead System' + description: A user with the privileges of a PAO staff user can exceed the intended privileges for their related business function and directly edit the database for the GoodRead application. + statement: |- + An account without proper least privilege design and implementation can be used to significantly damage links created by the tool for use by public citizens, potentially causing a national outage. If an outage were to occur, IFA and Government policy will require the CIO of the agency to notify the Department of Homeland Security and the public. + + Such an event will cause significant financial and reputational risk to IFA's Administrator, executive staff, and the agency overall. + status: deviation-approved + characterizations: + - origin: + actors: + - type: party + actor-uuid: e7730080-71ce-4b20-bec4-84f33136fd58 + facets: + - name: likelihood + system: https://ifa.gov/division/ociso/sca + value: low + - name: impact + system: https://ifa.gov/division/ociso/sca + value: high + mitigating-factors: + - uuid: 401c15c9-ad6b-4d4a-a591-7d53a3abb3b6 + description: The GoodRead application is designed and implemented to only allow access to the administrative functions for those with PAO staff fole via the VPN via network configuration between the IFA Enterprise Support Systems and the GoodRead AwesomeCloud account. Additionally, the load balanacer configuration only allows access to view shortlinks from the public internet. + deadline: "2024-01-01T05:00:00-04:00" + remediations: + - uuid: d28873f7-0a45-476d-9cd3-1d2ec0b8bca1 + lifecycle: planned + title: 'IFA-GOODREAD-RISK1-RESPONSE: IFA GoodRead Prouct Team Response' + description: The GoodRead Product Team does not have sufficient personnel and budget to implement the required changes in their use of the Django Framework and its configuration in this quarter. With the consultation of the ISSO and the assessor, the owner of the GoodRead system has decided to accept this risk until the end of December 2023. From September to December, budget will be available for the Good Read Product Team's developer and system engineer to completely disable the functionality that is the source of the risk and its originating finding. + props: + - name: type + value: accept + tasks: + - uuid: f8b1d4cb-d1a9-4932-9859-2e93b325f287 + type: milestone + title: End of Year Project Management Report of Developed Remediations + description: The owner, ISSO, and product team of the GoodRead Project intend to complete the necessary development between September 2023 and December 2023. Whether or not the necessary development for remedation is complete, the product team's project manager will submit the final annual report. They will identify this work item and whether it has been completed. + timing: + within-date-range: + start: "2023-09-29T09:00:00-04:00" + end: "2024-01-01T05:00:00-04:00" + related-observations: + - observation-uuid: 0c4de4fc-9bde-46af-b6fe-3b5e78194dcf + - uuid: 1c65d2d3-7735-47fa-8f68-a236744beab7 + title: 'IFA-GOODREAD-RISK-2: GoodRead System Engineers Have Over-Privileged Access to Cloud Infrastructure Account' + description: A user in the GoodRead cloud environment with the privileges of a system engineer can exceed the intended privileges for their related business function. They can delete all historical audit records and remove important security monitoring functions for the IFA Security Operations Center staff. + statement: |- + An account without proper least privilege design and implementation can be used to surreptitiously add, change, or delete cloud infrastructure to the too managing all links to IFA's communication to public citizens, potentially causing significant harm with no forensic evidence to recover the system. Regardless of the extent and duration of a potential incident, such a configuration greatly increases the risk of an insider threat if there were likely to a potential insider threat in the GoodRead Product Team. + + If such an insider threat existed and acted with this misconfigruatio, the resulting event could cause significant financial and reputational risk to IFA's Administrator, executive staff, and the agency overall. + status: open + characterizations: + - origin: + actors: + - type: party + actor-uuid: e7730080-71ce-4b20-bec4-84f33136fd58 + facets: + - name: likelihood + system: https://ifa.gov/division/ociso/sca + value: low + - name: impact + system: https://ifa.gov/division/ociso/sca + value: high + deadline: "2023-06-23T17:00:00-04:00" + remediations: + - uuid: 4676b126-ba6d-40cc-9dc8-f2aa677b03ee + lifecycle: planned + title: 'IFA-GOODREAD-RISK1-RESPONSE: IFA GoodRead Prouct Team Response' + description: The GoodRead Product Team does not have siginficant mitigations or compensating controls to counter this risk, even if likelihood is low. The IFA CISO has cited ongoing guidance that potential insider threat risks be prioritized above alternative categories of risk for this quarter. Additionally, there is sufficient budget and unallocated time for the GoodRead and Office of Information Technology system engineers to modify AwesomeCloud IAM roles on or before the next continuous monitoring cycle beginning in July 2023. The planned completion data is June 23, 2023. + props: + - name: type + value: mitigate + tasks: + - uuid: a0bb457d-0d14-4a74-801a-ffc9bc4cd636 + type: milestone + title: Completion of GoodRead Sprint Ending June 23, 2023 + description: The owner, ISSO, and product team of the GoodRead Project intend to complete the necessary development by June 23. 2023, the last day of the coinciding sprint. Whether or not the necessary development for mitigation is complete, the product team's project manager will write a brief at the end of the sprint to thw owner and ISSO of this system with the final status and determination of this work item in this sprint. + timing: + within-date-range: + start: "2023-06-03T00:00:00-04:00" + end: "2024-06-23T17:00:00-04:00" + related-observations: + - observation-uuid: 8807eb6e-0c05-43bc-8438-799739615e34 + poam-items: + - uuid: e174dfb9-0ae3-4a8f-8e7c-081527b84337 + title: Update Django Framework Configuration to Disable Default Admin Panel + description: Budget and technical staff are needed to re-design and re-implement a part of the GoodRead application's use of a web appplication programming framework to mitigate the risk of low privilege users directly modifying the database of this application. This application is a high-visibility service and integral to future operations of the IFA Office of Public Affairs and its staff. + related-observations: + - observation-uuid: 0c4de4fc-9bde-46af-b6fe-3b5e78194dcf + related-risks: + - risk-uuid: 401c15c9-ad6b-4d4a-a591-7d53a3abb3b6 + - uuid: 48c8368d-43ff-4736-9b28-64b1b1284c03 + title: GoodRead System Engineers Have Over-Privileged Access to Cloud Infrastructure Account + description: Budget and technical staff allocation are available and designated to fix a misconfiguration of the IAM roles for members of the GoodRead Product Team in their AwesomeCloud account to implement least privilege as designed. + related-observations: + - observation-uuid: 8807eb6e-0c05-43bc-8438-799739615e34 + related-risks: + - risk-uuid: 1c65d2d3-7735-47fa-8f68-a236744beab7 diff --git a/roscal_lib/tests/profile/json/NIST_SP-800-53_rev5_HIGH-baseline_profile.json b/roscal_lib/tests/profile/json/NIST_SP-800-53_rev5_HIGH-baseline_profile.json new file mode 100644 index 0000000..4673df9 --- /dev/null +++ b/roscal_lib/tests/profile/json/NIST_SP-800-53_rev5_HIGH-baseline_profile.json @@ -0,0 +1,458 @@ +{ + "profile": { + "uuid": "ad6ca352-8b0e-40e7-b6e2-279706ef5456", + "metadata": { + "title": "NIST Special Publication 800-53 Revision 5.1.1 HIGH IMPACT BASELINE", + "last-modified": "2024-02-04T23:16:00.000000-00:00", + "version": "5.1.1+u4", + "oscal-version": "1.1.2", + "roles": [ + { + "id": "creator", + "title": "Document Creator" + }, + { + "id": "contact", + "title": "Contact" + } + ], + "parties": [ + { + "uuid": "c748c806-1d77-4695-bb40-e117b2afa82e", + "type": "organization", + "name": "Joint Task Force, Transformation Initiative", + "email-addresses": ["sec-cert@nist.gov"], + "addresses": [ + { + "addr-lines": [ + "National Institute of Standards and Technology", + "Attn: Computer Security Division", + "Information Technology Laboratory", + "100 Bureau Drive (Mail Stop 8930)" + ], + "city": "Gaithersburg", + "state": "MD", + "postal-code": "20899-8930" + } + ] + } + ], + "responsible-parties": [ + { + "role-id": "creator", + "party-uuids": ["c748c806-1d77-4695-bb40-e117b2afa82e"] + }, + { + "role-id": "contact", + "party-uuids": ["c748c806-1d77-4695-bb40-e117b2afa82e"] + } + ] + }, + "imports": [ + { + "href": "#84cbf061-eb87-4ec1-8112-1f529232e907", + "include-controls": [ + { + "with-ids": [ + "ac-1", + "ac-2", + "ac-2.1", + "ac-2.2", + "ac-2.3", + "ac-2.4", + "ac-2.5", + "ac-2.11", + "ac-2.12", + "ac-2.13", + "ac-3", + "ac-4", + "ac-4.4", + "ac-5", + "ac-6", + "ac-6.1", + "ac-6.2", + "ac-6.3", + "ac-6.5", + "ac-6.7", + "ac-6.9", + "ac-6.10", + "ac-7", + "ac-8", + "ac-10", + "ac-11", + "ac-11.1", + "ac-12", + "ac-14", + "ac-17", + "ac-17.1", + "ac-17.2", + "ac-17.3", + "ac-17.4", + "ac-18", + "ac-18.1", + "ac-18.3", + "ac-18.4", + "ac-18.5", + "ac-19", + "ac-19.5", + "ac-20", + "ac-20.1", + "ac-20.2", + "ac-21", + "ac-22", + "at-1", + "at-2", + "at-2.2", + "at-2.3", + "at-3", + "at-4", + "au-1", + "au-2", + "au-3", + "au-3.1", + "au-4", + "au-5", + "au-5.1", + "au-5.2", + "au-6", + "au-6.1", + "au-6.3", + "au-6.5", + "au-6.6", + "au-7", + "au-7.1", + "au-8", + "au-9", + "au-9.2", + "au-9.3", + "au-9.4", + "au-10", + "au-11", + "au-12", + "au-12.1", + "au-12.3", + "ca-1", + "ca-2", + "ca-2.1", + "ca-2.2", + "ca-3", + "ca-3.6", + "ca-5", + "ca-6", + "ca-7", + "ca-7.1", + "ca-7.4", + "ca-8", + "ca-8.1", + "ca-9", + "cm-1", + "cm-2", + "cm-2.2", + "cm-2.3", + "cm-2.7", + "cm-3", + "cm-3.1", + "cm-3.2", + "cm-3.4", + "cm-3.6", + "cm-4", + "cm-4.1", + "cm-4.2", + "cm-5", + "cm-5.1", + "cm-6", + "cm-6.1", + "cm-6.2", + "cm-7", + "cm-7.1", + "cm-7.2", + "cm-7.5", + "cm-8", + "cm-8.1", + "cm-8.2", + "cm-8.3", + "cm-8.4", + "cm-9", + "cm-10", + "cm-11", + "cm-12", + "cm-12.1", + "cp-1", + "cp-2", + "cp-2.1", + "cp-2.2", + "cp-2.3", + "cp-2.5", + "cp-2.8", + "cp-3", + "cp-3.1", + "cp-4", + "cp-4.1", + "cp-4.2", + "cp-6", + "cp-6.1", + "cp-6.2", + "cp-6.3", + "cp-7", + "cp-7.1", + "cp-7.2", + "cp-7.3", + "cp-7.4", + "cp-8", + "cp-8.1", + "cp-8.2", + "cp-8.3", + "cp-8.4", + "cp-9", + "cp-9.1", + "cp-9.2", + "cp-9.3", + "cp-9.5", + "cp-9.8", + "cp-10", + "cp-10.2", + "cp-10.4", + "ia-1", + "ia-2", + "ia-2.1", + "ia-2.2", + "ia-2.5", + "ia-2.8", + "ia-2.12", + "ia-3", + "ia-4", + "ia-4.4", + "ia-5", + "ia-5.1", + "ia-5.2", + "ia-5.6", + "ia-6", + "ia-7", + "ia-8", + "ia-8.1", + "ia-8.2", + "ia-8.4", + "ia-11", + "ia-12", + "ia-12.2", + "ia-12.3", + "ia-12.4", + "ia-12.5", + "ir-1", + "ir-2", + "ir-2.1", + "ir-2.2", + "ir-3", + "ir-3.2", + "ir-4", + "ir-4.1", + "ir-4.4", + "ir-4.11", + "ir-5", + "ir-5.1", + "ir-6", + "ir-6.1", + "ir-6.3", + "ir-7", + "ir-7.1", + "ir-8", + "ma-1", + "ma-2", + "ma-2.2", + "ma-3", + "ma-3.1", + "ma-3.2", + "ma-3.3", + "ma-4", + "ma-4.3", + "ma-5", + "ma-5.1", + "ma-6", + "mp-1", + "mp-2", + "mp-3", + "mp-4", + "mp-5", + "mp-6", + "mp-6.1", + "mp-6.2", + "mp-6.3", + "mp-7", + "pe-1", + "pe-2", + "pe-3", + "pe-3.1", + "pe-4", + "pe-5", + "pe-6", + "pe-6.1", + "pe-6.4", + "pe-8", + "pe-8.1", + "pe-9", + "pe-10", + "pe-11", + "pe-11.1", + "pe-12", + "pe-13", + "pe-13.1", + "pe-13.2", + "pe-14", + "pe-15", + "pe-15.1", + "pe-16", + "pe-17", + "pe-18", + "pl-1", + "pl-2", + "pl-4", + "pl-4.1", + "pl-8", + "pl-10", + "pl-11", + "ps-1", + "ps-2", + "ps-3", + "ps-4", + "ps-4.2", + "ps-5", + "ps-6", + "ps-7", + "ps-8", + "ps-9", + "ra-1", + "ra-2", + "ra-3", + "ra-3.1", + "ra-5", + "ra-5.2", + "ra-5.4", + "ra-5.5", + "ra-5.11", + "ra-7", + "ra-9", + "sa-1", + "sa-2", + "sa-3", + "sa-4", + "sa-4.1", + "sa-4.2", + "sa-4.5", + "sa-4.9", + "sa-4.10", + "sa-5", + "sa-8", + "sa-9", + "sa-9.2", + "sa-10", + "sa-11", + "sa-15", + "sa-15.3", + "sa-16", + "sa-17", + "sa-21", + "sa-22", + "sc-1", + "sc-2", + "sc-3", + "sc-4", + "sc-5", + "sc-7", + "sc-7.3", + "sc-7.4", + "sc-7.5", + "sc-7.7", + "sc-7.8", + "sc-7.18", + "sc-7.21", + "sc-8", + "sc-8.1", + "sc-10", + "sc-12", + "sc-12.1", + "sc-13", + "sc-15", + "sc-17", + "sc-18", + "sc-20", + "sc-21", + "sc-22", + "sc-23", + "sc-24", + "sc-28", + "sc-28.1", + "sc-39", + "si-1", + "si-2", + "si-2.2", + "si-3", + "si-4", + "si-4.2", + "si-4.4", + "si-4.5", + "si-4.10", + "si-4.12", + "si-4.14", + "si-4.20", + "si-4.22", + "si-5", + "si-5.1", + "si-6", + "si-7", + "si-7.1", + "si-7.2", + "si-7.5", + "si-7.7", + "si-7.15", + "si-8", + "si-8.2", + "si-10", + "si-11", + "si-12", + "si-16", + "sr-1", + "sr-2", + "sr-2.1", + "sr-3", + "sr-5", + "sr-6", + "sr-8", + "sr-9", + "sr-9.1", + "sr-10", + "sr-11", + "sr-11.1", + "sr-11.2", + "sr-12" + ] + } + ] + } + ], + "merge": { + "as-is": true + }, + "back-matter": { + "resources": [ + { + "uuid": "84cbf061-eb87-4ec1-8112-1f529232e907", + "description": "NIST Special Publication 800-53 Revision 5: Security and Privacy Controls for Federal Information Systems and Organizations", + "rlinks": [ + { + "href": "../../../../nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_catalog.xml", + "media-type": "application/oscal.catalog+xml" + }, + { + "href": "../../../../nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json", + "media-type": "application/oscal.catalog+json" + }, + { + "href": "../../../../nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_catalog.yaml", + "media-type": "application/oscal.catalog+yaml" + } + ] + } + ] + } + } +} diff --git a/roscal_lib/tests/profile/yaml/NIST_SP-800-53_rev5_HIGH-baseline_profile.yaml b/roscal_lib/tests/profile/yaml/NIST_SP-800-53_rev5_HIGH-baseline_profile.yaml new file mode 100644 index 0000000..61564bf --- /dev/null +++ b/roscal_lib/tests/profile/yaml/NIST_SP-800-53_rev5_HIGH-baseline_profile.yaml @@ -0,0 +1,421 @@ +profile: + uuid: cd073316-7c58-4c34-9f5c-9eb5aa722683 + metadata: + title: NIST Special Publication 800-53 Revision 5.1.1 HIGH IMPACT BASELINE + last-modified: "2023-12-04T14:55:00.000000-04:00" + version: 5.1.1+u2 + oscal-version: 1.1.1 + roles: + - id: creator + title: Document Creator + - id: contact + title: Contact + parties: + - uuid: c748c806-1d77-4695-bb40-e117b2afa82e + type: organization + name: Joint Task Force, Transformation Initiative + email-addresses: + - sec-cert@nist.gov + addresses: + - addr-lines: + - National Institute of Standards and Technology + - 'Attn: Computer Security Division' + - Information Technology Laboratory + - 100 Bureau Drive (Mail Stop 8930) + city: Gaithersburg + state: MD + postal-code: 20899-8930 + responsible-parties: + - role-id: creator + party-uuids: + - c748c806-1d77-4695-bb40-e117b2afa82e + - role-id: contact + party-uuids: + - c748c806-1d77-4695-bb40-e117b2afa82e + imports: + - href: '#84cbf061-eb87-4ec1-8112-1f529232e907' + include-controls: + - with-ids: + - ac-1 + - ac-2 + - ac-2.1 + - ac-2.2 + - ac-2.3 + - ac-2.4 + - ac-2.5 + - ac-2.11 + - ac-2.12 + - ac-2.13 + - ac-3 + - ac-4 + - ac-4.4 + - ac-5 + - ac-6 + - ac-6.1 + - ac-6.2 + - ac-6.3 + - ac-6.5 + - ac-6.7 + - ac-6.9 + - ac-6.10 + - ac-7 + - ac-8 + - ac-10 + - ac-11 + - ac-11.1 + - ac-12 + - ac-14 + - ac-17 + - ac-17.1 + - ac-17.2 + - ac-17.3 + - ac-17.4 + - ac-18 + - ac-18.1 + - ac-18.3 + - ac-18.4 + - ac-18.5 + - ac-19 + - ac-19.5 + - ac-20 + - ac-20.1 + - ac-20.2 + - ac-21 + - ac-22 + - at-1 + - at-2 + - at-2.2 + - at-2.3 + - at-3 + - at-4 + - au-1 + - au-2 + - au-3 + - au-3.1 + - au-4 + - au-5 + - au-5.1 + - au-5.2 + - au-6 + - au-6.1 + - au-6.3 + - au-6.5 + - au-6.6 + - au-7 + - au-7.1 + - au-8 + - au-9 + - au-9.2 + - au-9.3 + - au-9.4 + - au-10 + - au-11 + - au-12 + - au-12.1 + - au-12.3 + - ca-1 + - ca-2 + - ca-2.1 + - ca-2.2 + - ca-3 + - ca-3.6 + - ca-5 + - ca-6 + - ca-7 + - ca-7.1 + - ca-7.4 + - ca-8 + - ca-8.1 + - ca-9 + - cm-1 + - cm-2 + - cm-2.2 + - cm-2.3 + - cm-2.7 + - cm-3 + - cm-3.1 + - cm-3.2 + - cm-3.4 + - cm-3.6 + - cm-4 + - cm-4.1 + - cm-4.2 + - cm-5 + - cm-5.1 + - cm-6 + - cm-6.1 + - cm-6.2 + - cm-7 + - cm-7.1 + - cm-7.2 + - cm-7.5 + - cm-8 + - cm-8.1 + - cm-8.2 + - cm-8.3 + - cm-8.4 + - cm-9 + - cm-10 + - cm-11 + - cm-12 + - cm-12.1 + - cp-1 + - cp-2 + - cp-2.1 + - cp-2.2 + - cp-2.3 + - cp-2.5 + - cp-2.8 + - cp-3 + - cp-3.1 + - cp-4 + - cp-4.1 + - cp-4.2 + - cp-6 + - cp-6.1 + - cp-6.2 + - cp-6.3 + - cp-7 + - cp-7.1 + - cp-7.2 + - cp-7.3 + - cp-7.4 + - cp-8 + - cp-8.1 + - cp-8.2 + - cp-8.3 + - cp-8.4 + - cp-9 + - cp-9.1 + - cp-9.2 + - cp-9.3 + - cp-9.5 + - cp-9.8 + - cp-10 + - cp-10.2 + - cp-10.4 + - ia-1 + - ia-2 + - ia-2.1 + - ia-2.2 + - ia-2.5 + - ia-2.8 + - ia-2.12 + - ia-3 + - ia-4 + - ia-4.4 + - ia-5 + - ia-5.1 + - ia-5.2 + - ia-5.6 + - ia-6 + - ia-7 + - ia-8 + - ia-8.1 + - ia-8.2 + - ia-8.4 + - ia-11 + - ia-12 + - ia-12.2 + - ia-12.3 + - ia-12.4 + - ia-12.5 + - ir-1 + - ir-2 + - ir-2.1 + - ir-2.2 + - ir-3 + - ir-3.2 + - ir-4 + - ir-4.1 + - ir-4.4 + - ir-4.11 + - ir-5 + - ir-5.1 + - ir-6 + - ir-6.1 + - ir-6.3 + - ir-7 + - ir-7.1 + - ir-8 + - ma-1 + - ma-2 + - ma-2.2 + - ma-3 + - ma-3.1 + - ma-3.2 + - ma-3.3 + - ma-4 + - ma-4.3 + - ma-5 + - ma-5.1 + - ma-6 + - mp-1 + - mp-2 + - mp-3 + - mp-4 + - mp-5 + - mp-6 + - mp-6.1 + - mp-6.2 + - mp-6.3 + - mp-7 + - pe-1 + - pe-2 + - pe-3 + - pe-3.1 + - pe-4 + - pe-5 + - pe-6 + - pe-6.1 + - pe-6.4 + - pe-8 + - pe-8.1 + - pe-9 + - pe-10 + - pe-11 + - pe-11.1 + - pe-12 + - pe-13 + - pe-13.1 + - pe-13.2 + - pe-14 + - pe-15 + - pe-15.1 + - pe-16 + - pe-17 + - pe-18 + - pl-1 + - pl-2 + - pl-4 + - pl-4.1 + - pl-8 + - pl-10 + - pl-11 + - ps-1 + - ps-2 + - ps-3 + - ps-4 + - ps-4.2 + - ps-5 + - ps-6 + - ps-7 + - ps-8 + - ps-9 + - ra-1 + - ra-2 + - ra-3 + - ra-3.1 + - ra-5 + - ra-5.2 + - ra-5.4 + - ra-5.5 + - ra-5.11 + - ra-7 + - ra-9 + - sa-1 + - sa-2 + - sa-3 + - sa-4 + - sa-4.1 + - sa-4.2 + - sa-4.5 + - sa-4.9 + - sa-4.10 + - sa-5 + - sa-8 + - sa-9 + - sa-9.2 + - sa-10 + - sa-11 + - sa-15 + - sa-15.3 + - sa-16 + - sa-17 + - sa-21 + - sa-22 + - sc-1 + - sc-2 + - sc-3 + - sc-4 + - sc-5 + - sc-7 + - sc-7.3 + - sc-7.4 + - sc-7.5 + - sc-7.7 + - sc-7.8 + - sc-7.18 + - sc-7.21 + - sc-8 + - sc-8.1 + - sc-10 + - sc-12 + - sc-12.1 + - sc-13 + - sc-15 + - sc-17 + - sc-18 + - sc-20 + - sc-21 + - sc-22 + - sc-23 + - sc-24 + - sc-28 + - sc-28.1 + - sc-39 + - si-1 + - si-2 + - si-2.2 + - si-3 + - si-4 + - si-4.2 + - si-4.4 + - si-4.5 + - si-4.10 + - si-4.12 + - si-4.14 + - si-4.20 + - si-4.22 + - si-5 + - si-5.1 + - si-6 + - si-7 + - si-7.1 + - si-7.2 + - si-7.5 + - si-7.7 + - si-7.15 + - si-8 + - si-8.2 + - si-10 + - si-11 + - si-12 + - si-16 + - sr-1 + - sr-2 + - sr-2.1 + - sr-3 + - sr-5 + - sr-6 + - sr-8 + - sr-9 + - sr-9.1 + - sr-10 + - sr-11 + - sr-11.1 + - sr-11.2 + - sr-12 + merge: + as-is: true + back-matter: + resources: + - uuid: 84cbf061-eb87-4ec1-8112-1f529232e907 + description: 'NIST Special Publication 800-53 Revision 5: Security and Privacy Controls for Federal Information Systems and Organizations' + rlinks: + - href: ../../../../nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_catalog.xml + media-type: application/oscal.catalog+xml + - href: ../../../../nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json + media-type: application/oscal.catalog+json + - href: ../../../../nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_catalog.yaml + media-type: application/oscal.catalog+yaml \ No newline at end of file diff --git a/roscal_lib/tests/ssp/json/ifa_ssp-example-min.json b/roscal_lib/tests/ssp/json/ifa_ssp-example-min.json new file mode 100644 index 0000000..357ce88 --- /dev/null +++ b/roscal_lib/tests/ssp/json/ifa_ssp-example-min.json @@ -0,0 +1,407 @@ +{ + "system-security-plan": { + "uuid": "5e139edd-86aa-4b65-8431-1192bd276658", + "metadata": { + "title": "IFA GoodRead System Security Plan", + "published": "2023-05-19T14:46:54-04:00", + "last-modified": "2024-03-01T13:57:28.355446-04:00", + "version": "1.1", + "oscal-version": "1.1.2", + "roles": [ + { "id": "owner", "title": "IFA GoodRead Owner" }, + { "id": "developer", "title": "IFA GoodRead Developer" }, + { "id": "system-engineer", "title": "IFA GoodRead System Engineer" }, + { "id": "public-affairs-office", "title": "IFA Public Affairs Office" } + ], + "parties": [ + { + "uuid": "ba9c12bd-e5ef-46b6-95a2-4d8e7f864c1a", + "type": "person", + "name": "Owen Stilskin", + "member-of-organizations": ["3a675986-b4ff-4030-b178-e953c2e55d64"] + }, + { + "uuid": "67c04291-dbf6-495a-a3ba-0011638acc94", + "type": "person", + "name": "Juno Styles", + "member-of-organizations": ["3a675986-b4ff-4030-b178-e953c2e55d64"] + }, + { + "uuid": "4ba3f2b7-e894-48d7-b940-91c68661df55", + "type": "person", + "name": "Xavier Jones", + "member-of-organizations": ["3a675986-b4ff-4030-b178-e953c2e55d64"] + }, + { + "uuid": "3a675986-b4ff-4030-b178-e953c2e55d64", + "type": "organization", + "name": "Important Federal Agency", + "short-name": "IFA", + "links": [{ "href": "https://www.ifa.gov", "rel": "website" }] + } + ], + "responsible-parties": [ + { + "role-id": "owner", + "party-uuids": ["ba9c12bd-e5ef-46b6-95a2-4d8e7f864c1a"] + }, + { + "role-id": "developer", + "party-uuids": ["67c04291-dbf6-495a-a3ba-0011638acc94"] + }, + { + "role-id": "system-engineer", + "party-uuids": ["4ba3f2b7-e894-48d7-b940-91c68661df55"] + } + ] + }, + "import-profile": { "href": "../select/profile.oscal.json" }, + "system-characteristics": { + "system-ids": [ + { + "identifier-type": "http://ietf.org/rfc/rfc4122", + "id": "8101e04d-8305-4e73-bb95-6b59f645b143" + } + ], + "system-name": "IFA GoodRead", + "description": "This system acts as a link shortener for IFA employees", + "date-authorized": "2023-05-19", + "security-sensitivity-level": "moderate", + "system-information": { + "information-types": [ + { + "uuid": "bccfbb65-a7f3-41ac-989f-01d96eddfdc7", + "title": "User-provided Links", + "description": "This system maintains a set of user-provided links and their associated shortlinks", + "categorizations": [ + { + "system": "https://doi.org/10.6028/NIST.SP.800-60v2r1", + "information-type-ids": ["C.2.8.12"] + } + ], + "confidentiality-impact": { "base": "fips-199-low" }, + "integrity-impact": { + "base": "fips-199-low", + "selected": "fips-199-moderate", + "adjustment-justification": "Maliciously modified links are a concern" + }, + "availability-impact": { "base": "fips-199-low" } + } + ] + }, + "security-impact-level": { + "security-objective-confidentiality": "low", + "security-objective-integrity": "medium", + "security-objective-availability": "low" + }, + "status": { "state": "operational" }, + "authorization-boundary": { + "description": "This section describes an attached diagram of the authorization boundary for IFA GoodRead Project's information system." + }, + "network-architecture": { + "description": "This section describes an attached diagram of the network architecture for IFA GoodRead Project's information system." + }, + "data-flow": { + "description": "This section describes an attached diagram of various dataflows for application and related elements of the IFA GoodRead Project's information system." + } + }, + "system-implementation": { + "users": [ + { + "uuid": "00d323d3-dc3f-4d93-900f-f13430e094d3", + "title": "Application Administrator", + "description": "The developer of the application supports IFA Public Affairs Officers by administering the application and its infrastructure.", + "role-ids": ["developer"], + "authorized-privileges": [ + { + "title": "Application Administrator Privilege", + "functions-performed": [ + "user-creation", + "user-enablement", + "user-disablement", + "user-role-modification", + "popular-shortlink-cache-reset", + "database-export", + "database-migration" + ] + } + ] + }, + { + "uuid": "61405ba7-edb4-4243-8461-79aac5805e5c", + "title": "Public Affairs Officers", + "description": "IFA Public Affairs Officers (PAOs) in each division of the agency review public communications to citizens who are customers of the IFA. PAOs review requests from colleagues to generate and publish content that is the target of a shortlink and can unpublish shortlinks.", + "role-ids": ["public-affairs-office"], + "authorized-privileges": [ + { + "title": "Public Affairs Officer Privilege", + "functions-performed": [ + "shortlink-generation", + "shortlink-approval", + "shortlink-rejection", + "shortlink-publication", + "shortlink-unpublication" + ] + } + ] + }, + { + "uuid": "fb36760a-143d-490b-8fc4-6a8c172fba86", + "title": "General Public", + "description": "The general public is free to click on shortlinks", + "authorized-privileges": [ + { + "title": "General Public Privilege", + "functions-performed": ["shortlink-view"] + } + ] + } + ], + "components": [ + { + "uuid": "551b9706-d6a4-4d25-8207-f2ccec548b89", + "type": "this-system", + "title": "IFA GoodRead System", + "description": "IFA develops, operates, and maintains the GoodRead link shortener system to ", + "status": { "state": "operational" }, + "responsible-roles": [ + { + "role-id": "developer", + "party-uuids": ["67c04291-dbf6-495a-a3ba-0011638acc94"] + }, + { + "role-id": "system-engineer", + "party-uuids": ["4ba3f2b7-e894-48d7-b940-91c68661df55"] + } + ] + } + ], + "inventory-items": [ + { + "uuid": "4392599a-9117-416a-87d1-24c7d1b2dd0b", + "description": "This is the custom GoodRead application within the system.", + "props": [ + { + "name": "software-name", + "value": "IFA GoodRead", + "class": "webserver-application" + }, + { + "name": "software-version", + "value": "1.0.0", + "class": "webserver-application" + }, + { + "name": "asset-type", + "value": "web-server", + "class": "webserver-application" + } + ], + "implemented-components": [ + { + "component-uuid": "551b9706-d6a4-4d25-8207-f2ccec548b89", + "props": [ + { "name": "asset-id", "value": "IFAGOV-SYSTEM1234-GOODREAD" } + ] + } + ] + }, + { + "uuid": "d911b560-f564-4715-8d2a-76f86127ac73", + "description": "This is the web application framework upon which the developer writes the custom GoodRead application for the user interface and API of this system.", + "props": [ + { + "name": "software-name", + "value": "Django Framework", + "class": "webserver-framework" + }, + { + "name": "software-version", + "value": "4.2.1", + "class": "webserver-framework" + }, + { + "name": "asset-type", + "value": "web-server", + "class": "webserver-framework" + } + ], + "implemented-components": [ + { + "component-uuid": "551b9706-d6a4-4d25-8207-f2ccec548b89", + "props": [ + { "name": "asset-id", "value": "IFAGOV-SYSTEM1234-GOODREAD" } + ] + } + ] + }, + { + "uuid": "3e3a8d9a-e3d6-4c7d-b59b-a8d6514fa4a2", + "description": "This is the database for the custom GoodRead application within the system.", + "props": [ + { + "name": "software-name", + "value": "PostgreSQL", + "class": "database" + }, + { + "name": "software-version", + "value": "15.3", + "class": "database" + }, + { "name": "asset-type", "value": "database", "class": "database" } + ], + "implemented-components": [ + { + "component-uuid": "551b9706-d6a4-4d25-8207-f2ccec548b89", + "props": [ + { "name": "asset-id", "value": "IFAGOV-SYSTEM1234-GOODREAD" } + ] + } + ] + }, + { + "uuid": "0fb95c4c-ebfd-492e-8145-363eb7947dbe", + "description": "This is the operating system for the web server that runs the custom GoodRead application within the system.", + "props": [ + { + "name": "software-name", + "value": "Red Hat Enterprise Linux 9", + "class": "operating-system" + }, + { + "name": "asset-type", + "value": "operating-system", + "class": "operating-system" + } + ], + "implemented-components": [ + { + "component-uuid": "551b9706-d6a4-4d25-8207-f2ccec548b89", + "props": [ + { "name": "asset-id", "value": "IFAGOV-SYSTEM1234-GOODREAD" } + ] + } + ] + }, + { + "uuid": "cd39f700-23ab-4574-a17e-c9c8f073cbec", + "description": "This inventory item is an instance from the AwesomeCloud Awesome Compute Service (ACS) Service. It is a Linux server.", + "props": [ + { + "name": "asset-id", + "value": "instance-abcd1234", + "class": "linux-server" + }, + { + "name": "ipv4-address", + "value": "172.1.2.3", + "class": "linux-server" + }, + { + "name": "ipv4-address", + "value": "1.1.2.3", + "class": "linux-server" + }, + { + "name": "uri", + "value": "instance-abcd1234.acs.awesomecloud.systems", + "class": "linux-server" + }, + { + "name": "asset-type", + "value": "appliance", + "class": "linux-server" + } + ], + "implemented-components": [ + { + "component-uuid": "551b9706-d6a4-4d25-8207-f2ccec548b89", + "props": [ + { "name": "asset-id", "value": "IFAGOV-SYSTEM1234-GOODREAD" } + ] + } + ] + }, + { + "uuid": "d9550535-40b9-4d8b-861c-07aa8786bf43", + "description": "This inventory item is an instance from the AwesomeCloud Awesome Load Balancer (ALB) Service. It is a Linux server.", + "props": [ + { + "name": "asset-type", + "value": "appliance", + "class": "network-load-balancer" + }, + { + "name": "asset-id", + "value": "instance-defg7890", + "class": "linux-server" + }, + { + "name": "uri", + "value": "https://instance-defg7890.alb.awesomecloud.systems", + "class": "network-load-balancer" + } + ], + "implemented-components": [ + { + "component-uuid": "551b9706-d6a4-4d25-8207-f2ccec548b89", + "props": [ + { "name": "asset-id", "value": "IFAGOV-SYSTEM1234-GOODREAD" } + ] + } + ] + } + ] + }, + "control-implementation": { + "description": "This is the control implementation for the application and infrastructure that compose to the IFA GoodRead Project's system.", + "set-parameters": [ + { + "param-id": "ac-06.01_odp.01", + "values": [ + "individuals and roles with authorized access to security functions and security-relevant information are defined and not available to all users of the system;" + ] + }, + { + "param-id": "ac-06.01_odp.02", + "values": [ + "security functions (deployed in hardware) for authorized access are defined;" + ] + }, + { + "param-id": "ac-06.01_odp.03", + "values": [ + "security functions (deployed in soware) for authorized access are defined;" + ] + }, + { + "param-id": "ac-06.01_odp.04", + "values": [ + "security functions (deployed in firmware) for authorized access are defined;" + ] + }, + { + "param-id": "ac-06.01_odp.05", + "values": [ + "security-relevant information for authorized access is defined;" + ] + } + ], + "implemented-requirements": [ + { + "uuid": "d5f9b263-965d-440b-99e7-77f5df670a11", + "control-id": "ac-6.1", + "by-components": [ + { + "component-uuid": "551b9706-d6a4-4d25-8207-f2ccec548b89", + "uuid": "a4c2d318-26a9-49df-9818-ee0acaf066f2", + "description": "The IFA GoodRead application and infrastructure are composed as designed and implemented with lease privilege for the elements of this system.\n\nFor the IFA GoodRead application, the custom application is designed and implemented on top of the Django Framework to enforce least privilege. The application has a role for IFA Public Affairs Officers and one for the developers for privileged permissions, respectively. Only the latter can access or change administrative and security configurations and related data.\n\nThe Django Framework and Django REST Framework (DRF), by default, allows any user with the `is_staff` role attribute to access administrative functions in an application using the framework. IFA GoodRead developers have disabled this behavior, relying on the custom roles identified in the relevant section.\n\nFor the IFA GoodRead database, the system account and accredentials for the application to read and write to the system datastore has specific read and write authorization for specific tables. This database service account does not have full administrative permissions to add, modify, or delete all respective tables. For the production environment, only the IFA GoodRead developer has a dedicated account with equivalent permissions. Only local network socket access, within in the Linux server, is permitted by host firewall configuration. Remote access, privileged or unprivileged, is not allowed remotely and the system engineer must locally authenticate for access.\n\nFor the RedHat Linux server upon which the IFA GoodRead application is deployed in this system, only the system engineer has a non-privileged user to log in remotely via the SSH protocol to perform ad-hoc inspection, monthly log review as required by policy and procedure, and emergency debugging of the system. Privileged system administration operations may only be performed with the `sudo` subsystem which requires a password, two-factor authentication, and has enhanced logging of all commands executed. The system engineer must log in remotely and then use `sudo` to elevate privileges. Remote access with the privileged account is prohibited by configuration and attempts are logged.\n\nFor this remote SSH access, least privilege is additionally enforced by allowing this access via a specific network zone in the IFA GoodRead AwesomeCloud account accessible to only the system engineer via IFA's VPN solution, which requires the system engineer use a dedicated account with their own password and two-factor authentication token.\n\nFor cloud account and API access to reconfigure the Linux server and its load balancer, administrative access is only allowed for the system engineer via a special AwesomeCloud IAM role. The authentication and authorization for this role is controlled by an integration with the organization's single sign-on solution. This solution will only be accessible and correctly execute for them when they are on the VPN with their account with traffic forwarded to the appropriate network zone in the IFA GoodRead account in AwesomeCloud. It will not work the developer or any staff users of the application.", + "implementation-status": { "state": "implemented" } + } + ] + } + ] + } + } +} diff --git a/roscal_lib/tests/ssp/json/ifa_ssp-example.json b/roscal_lib/tests/ssp/json/ifa_ssp-example.json new file mode 100644 index 0000000..fa67115 --- /dev/null +++ b/roscal_lib/tests/ssp/json/ifa_ssp-example.json @@ -0,0 +1,458 @@ +{ + "system-security-plan": { + "uuid": "5e139edd-86aa-4b65-8431-1192bd276658", + "metadata": { + "title": "IFA GoodRead System Security Plan", + "published": "2023-05-19T14:46:54-04:00", + "last-modified": "2024-03-01T13:57:28.355446-04:00", + "version": "1.1", + "oscal-version": "1.1.2", + "roles": [ + { + "id": "owner", + "title": "IFA GoodRead Owner" + }, + { + "id": "developer", + "title": "IFA GoodRead Developer" + }, + { + "id": "system-engineer", + "title": "IFA GoodRead System Engineer" + }, + { + "id": "public-affairs-office", + "title": "IFA Public Affairs Office" + } + ], + "parties": [ + { + "uuid": "ba9c12bd-e5ef-46b6-95a2-4d8e7f864c1a", + "type": "person", + "name": "Owen Stilskin", + "member-of-organizations": ["3a675986-b4ff-4030-b178-e953c2e55d64"] + }, + { + "uuid": "67c04291-dbf6-495a-a3ba-0011638acc94", + "type": "person", + "name": "Juno Styles", + "member-of-organizations": ["3a675986-b4ff-4030-b178-e953c2e55d64"] + }, + { + "uuid": "4ba3f2b7-e894-48d7-b940-91c68661df55", + "type": "person", + "name": "Xavier Jones", + "member-of-organizations": ["3a675986-b4ff-4030-b178-e953c2e55d64"] + }, + { + "uuid": "3a675986-b4ff-4030-b178-e953c2e55d64", + "type": "organization", + "name": "Important Federal Agency", + "short-name": "IFA", + "links": [ + { + "href": "https://www.ifa.gov", + "rel": "website" + } + ] + } + ], + "responsible-parties": [ + { + "role-id": "owner", + "party-uuids": ["ba9c12bd-e5ef-46b6-95a2-4d8e7f864c1a"] + }, + { + "role-id": "developer", + "party-uuids": ["67c04291-dbf6-495a-a3ba-0011638acc94"] + }, + { + "role-id": "system-engineer", + "party-uuids": ["4ba3f2b7-e894-48d7-b940-91c68661df55"] + } + ] + }, + "import-profile": { + "href": "../select/profile.oscal.json" + }, + "system-characteristics": { + "system-ids": [ + { + "identifier-type": "http://ietf.org/rfc/rfc4122", + "id": "8101e04d-8305-4e73-bb95-6b59f645b143" + } + ], + "system-name": "IFA GoodRead", + "description": "This system acts as a link shortener for IFA employees", + "date-authorized": "2023-05-19", + "security-sensitivity-level": "moderate", + "system-information": { + "information-types": [ + { + "uuid": "bccfbb65-a7f3-41ac-989f-01d96eddfdc7", + "title": "User-provided Links", + "description": "This system maintains a set of user-provided links and their associated shortlinks", + "categorizations": [ + { + "system": "https://doi.org/10.6028/NIST.SP.800-60v2r1", + "information-type-ids": ["C.2.8.12"] + } + ], + "confidentiality-impact": { + "base": "fips-199-low" + }, + "integrity-impact": { + "base": "fips-199-low", + "selected": "fips-199-moderate", + "adjustment-justification": "Maliciously modified links are a concern" + }, + "availability-impact": { + "base": "fips-199-low" + } + } + ] + }, + "security-impact-level": { + "security-objective-confidentiality": "low", + "security-objective-integrity": "medium", + "security-objective-availability": "low" + }, + "status": { + "state": "operational" + }, + "authorization-boundary": { + "description": "This section describes an attached diagram of the authorization boundary for IFA GoodRead Project's information system." + }, + "network-architecture": { + "description": "This section describes an attached diagram of the network architecture for IFA GoodRead Project's information system." + }, + "data-flow": { + "description": "This section describes an attached diagram of various dataflows for application and related elements of the IFA GoodRead Project's information system." + } + }, + "system-implementation": { + "users": [ + { + "uuid": "00d323d3-dc3f-4d93-900f-f13430e094d3", + "title": "Application Administrator", + "description": "The developer of the application supports IFA Public Affairs Officers by administering the application and its infrastructure.", + "role-ids": ["developer"], + "authorized-privileges": [ + { + "title": "Application Administrator Privilege", + "functions-performed": [ + "user-creation", + "user-enablement", + "user-disablement", + "user-role-modification", + "popular-shortlink-cache-reset", + "database-export", + "database-migration" + ] + } + ] + }, + { + "uuid": "61405ba7-edb4-4243-8461-79aac5805e5c", + "title": "Public Affairs Officers", + "description": "IFA Public Affairs Officers (PAOs) in each division of the agency review public communications to citizens who are customers of the IFA. PAOs review requests from colleagues to generate and publish content that is the target of a shortlink and can unpublish shortlinks.", + "role-ids": ["public-affairs-office"], + "authorized-privileges": [ + { + "title": "Public Affairs Officer Privilege", + "functions-performed": [ + "shortlink-generation", + "shortlink-approval", + "shortlink-rejection", + "shortlink-publication", + "shortlink-unpublication" + ] + } + ] + }, + { + "uuid": "fb36760a-143d-490b-8fc4-6a8c172fba86", + "title": "General Public", + "description": "The general public is free to click on shortlinks", + "authorized-privileges": [ + { + "title": "General Public Privilege", + "functions-performed": ["shortlink-view"] + } + ] + } + ], + "components": [ + { + "uuid": "551b9706-d6a4-4d25-8207-f2ccec548b89", + "type": "this-system", + "title": "IFA GoodRead System", + "description": "IFA develops, operates, and maintains the GoodRead link shortener system to ", + "status": { + "state": "operational" + }, + "responsible-roles": [ + { + "role-id": "developer", + "party-uuids": ["67c04291-dbf6-495a-a3ba-0011638acc94"] + }, + { + "role-id": "system-engineer", + "party-uuids": ["4ba3f2b7-e894-48d7-b940-91c68661df55"] + } + ] + } + ], + "inventory-items": [ + { + "uuid": "4392599a-9117-416a-87d1-24c7d1b2dd0b", + "description": "This is the custom GoodRead application within the system.", + "props": [ + { + "name": "software-name", + "value": "IFA GoodRead", + "class": "webserver-application" + }, + { + "name": "software-version", + "value": "1.0.0", + "class": "webserver-application" + }, + { + "name": "asset-type", + "value": "web-server", + "class": "webserver-application" + } + ], + "implemented-components": [ + { + "component-uuid": "551b9706-d6a4-4d25-8207-f2ccec548b89", + "props": [ + { + "name": "asset-id", + "value": "IFAGOV-SYSTEM1234-GOODREAD" + } + ] + } + ] + }, + { + "uuid": "d911b560-f564-4715-8d2a-76f86127ac73", + "description": "This is the web application framework upon which the developer writes the custom GoodRead application for the user interface and API of this system.", + "props": [ + { + "name": "software-name", + "value": "Django Framework", + "class": "webserver-framework" + }, + { + "name": "software-version", + "value": "4.2.1", + "class": "webserver-framework" + }, + { + "name": "asset-type", + "value": "web-server", + "class": "webserver-framework" + } + ], + "implemented-components": [ + { + "component-uuid": "551b9706-d6a4-4d25-8207-f2ccec548b89", + "props": [ + { + "name": "asset-id", + "value": "IFAGOV-SYSTEM1234-GOODREAD" + } + ] + } + ] + }, + { + "uuid": "3e3a8d9a-e3d6-4c7d-b59b-a8d6514fa4a2", + "description": "This is the database for the custom GoodRead application within the system.", + "props": [ + { + "name": "software-name", + "value": "PostgreSQL", + "class": "database" + }, + { + "name": "software-version", + "value": "15.3", + "class": "database" + }, + { + "name": "asset-type", + "value": "database", + "class": "database" + } + ], + "implemented-components": [ + { + "component-uuid": "551b9706-d6a4-4d25-8207-f2ccec548b89", + "props": [ + { + "name": "asset-id", + "value": "IFAGOV-SYSTEM1234-GOODREAD" + } + ] + } + ] + }, + { + "uuid": "0fb95c4c-ebfd-492e-8145-363eb7947dbe", + "description": "This is the operating system for the web server that runs the custom GoodRead application within the system.", + "props": [ + { + "name": "software-name", + "value": "Red Hat Enterprise Linux 9", + "class": "operating-system" + }, + { + "name": "asset-type", + "value": "operating-system", + "class": "operating-system" + } + ], + "implemented-components": [ + { + "component-uuid": "551b9706-d6a4-4d25-8207-f2ccec548b89", + "props": [ + { + "name": "asset-id", + "value": "IFAGOV-SYSTEM1234-GOODREAD" + } + ] + } + ] + }, + { + "uuid": "cd39f700-23ab-4574-a17e-c9c8f073cbec", + "description": "This inventory item is an instance from the AwesomeCloud Awesome Compute Service (ACS) Service. It is a Linux server.", + "props": [ + { + "name": "asset-id", + "value": "instance-abcd1234", + "class": "linux-server" + }, + { + "name": "ipv4-address", + "value": "172.1.2.3", + "class": "linux-server" + }, + { + "name": "ipv4-address", + "value": "1.1.2.3", + "class": "linux-server" + }, + { + "name": "uri", + "value": "instance-abcd1234.acs.awesomecloud.systems", + "class": "linux-server" + }, + { + "name": "asset-type", + "value": "appliance", + "class": "linux-server" + } + ], + "implemented-components": [ + { + "component-uuid": "551b9706-d6a4-4d25-8207-f2ccec548b89", + "props": [ + { + "name": "asset-id", + "value": "IFAGOV-SYSTEM1234-GOODREAD" + } + ] + } + ] + }, + { + "uuid": "d9550535-40b9-4d8b-861c-07aa8786bf43", + "description": "This inventory item is an instance from the AwesomeCloud Awesome Load Balancer (ALB) Service. It is a Linux server.", + "props": [ + { + "name": "asset-type", + "value": "appliance", + "class": "network-load-balancer" + }, + { + "name": "asset-id", + "value": "instance-defg7890", + "class": "linux-server" + }, + { + "name": "uri", + "value": "https://instance-defg7890.alb.awesomecloud.systems", + "class": "network-load-balancer" + } + ], + "implemented-components": [ + { + "component-uuid": "551b9706-d6a4-4d25-8207-f2ccec548b89", + "props": [ + { + "name": "asset-id", + "value": "IFAGOV-SYSTEM1234-GOODREAD" + } + ] + } + ] + } + ] + }, + "control-implementation": { + "description": "This is the control implementation for the application and infrastructure that compose to the IFA GoodRead Project's system.", + "set-parameters": [ + { + "param-id": "ac-06.01_odp.01", + "values": [ + "individuals and roles with authorized access to security functions and security-relevant information are defined and not available to all users of the system;" + ] + }, + { + "param-id": "ac-06.01_odp.02", + "values": [ + "security functions (deployed in hardware) for authorized access are defined;" + ] + }, + { + "param-id": "ac-06.01_odp.03", + "values": [ + "security functions (deployed in soware) for authorized access are defined;" + ] + }, + { + "param-id": "ac-06.01_odp.04", + "values": [ + "security functions (deployed in firmware) for authorized access are defined;" + ] + }, + { + "param-id": "ac-06.01_odp.05", + "values": [ + "security-relevant information for authorized access is defined;" + ] + } + ], + "implemented-requirements": [ + { + "uuid": "d5f9b263-965d-440b-99e7-77f5df670a11", + "control-id": "ac-6.1", + "by-components": [ + { + "component-uuid": "551b9706-d6a4-4d25-8207-f2ccec548b89", + "uuid": "a4c2d318-26a9-49df-9818-ee0acaf066f2", + "description": "The IFA GoodRead application and infrastructure are composed as designed and implemented with lease privilege for the elements of this system.\n\nFor the IFA GoodRead application, the custom application is designed and implemented on top of the Django Framework to enforce least privilege. The application has a role for IFA Public Affairs Officers and one for the developers for privileged permissions, respectively. Only the latter can access or change administrative and security configurations and related data.\n\nThe Django Framework and Django REST Framework (DRF), by default, allows any user with the `is_staff` role attribute to access administrative functions in an application using the framework. IFA GoodRead developers have disabled this behavior, relying on the custom roles identified in the relevant section.\n\nFor the IFA GoodRead database, the system account and accredentials for the application to read and write to the system datastore has specific read and write authorization for specific tables. This database service account does not have full administrative permissions to add, modify, or delete all respective tables. For the production environment, only the IFA GoodRead developer has a dedicated account with equivalent permissions. Only local network socket access, within in the Linux server, is permitted by host firewall configuration. Remote access, privileged or unprivileged, is not allowed remotely and the system engineer must locally authenticate for access.\n\nFor the RedHat Linux server upon which the IFA GoodRead application is deployed in this system, only the system engineer has a non-privileged user to log in remotely via the SSH protocol to perform ad-hoc inspection, monthly log review as required by policy and procedure, and emergency debugging of the system. Privileged system administration operations may only be performed with the `sudo` subsystem which requires a password, two-factor authentication, and has enhanced logging of all commands executed. The system engineer must log in remotely and then use `sudo` to elevate privileges. Remote access with the privileged account is prohibited by configuration and attempts are logged.\n\nFor this remote SSH access, least privilege is additionally enforced by allowing this access via a specific network zone in the IFA GoodRead AwesomeCloud account accessible to only the system engineer via IFA's VPN solution, which requires the system engineer use a dedicated account with their own password and two-factor authentication token.\n\nFor cloud account and API access to reconfigure the Linux server and its load balancer, administrative access is only allowed for the system engineer via a special AwesomeCloud IAM role. The authentication and authorization for this role is controlled by an integration with the organization's single sign-on solution. This solution will only be accessible and correctly execute for them when they are on the VPN with their account with traffic forwarded to the appropriate network zone in the IFA GoodRead account in AwesomeCloud. It will not work the developer or any staff users of the application.", + "implementation-status": { + "state": "implemented" + } + } + ] + } + ] + } + } +} diff --git a/roscal_lib/tests/ssp/json/oscal_leveraged-example_ssp-min.json b/roscal_lib/tests/ssp/json/oscal_leveraged-example_ssp-min.json new file mode 100644 index 0000000..5aa9321 --- /dev/null +++ b/roscal_lib/tests/ssp/json/oscal_leveraged-example_ssp-min.json @@ -0,0 +1,233 @@ +{ + "system-security-plan": { + "uuid": "d197545f-353f-407b-9166-ebf959774c5a", + "metadata": { + "title": "CSP IaaS System Security Plan", + "last-modified": "2024-02-01T13:57:28.355446-04:00", + "version": "0.3", + "oscal-version": "1.1.2", + "roles": [ + { "id": "admin", "title": "Administrator" }, + { "id": "customer", "title": "External Customer" }, + { "id": "poc-for-customers", "title": "Internal POC for Customers" } + ], + "parties": [ + { + "uuid": "11111111-0000-4000-9000-100000000001", + "type": "person", + "remarks": "Leveraged Authorization POC" + }, + { "uuid": "11111111-0000-4000-9000-100000000002", "type": "person" } + ] + }, + "import-profile": { "href": "#6b45e2a5-b238-4752-ba12-cfd6ef2a83df" }, + "system-characteristics": { + "system-ids": [{ "id": "csp_iaas_system" }], + "system-name": "Leveraged IaaS System", + "description": "An example of three customers leveraging an authorized SaaS, which is running on an authorized IaaS.\n\n```\n\nCust-A Cust-B Cust-C\n | | |\n +---------+---------+\n |\n +-------------------+\n | Leveraging SaaS |\n +-------------------+\n |\n |\n +-------------------+\n | Leveraged IaaS |\n | this file |\n +-------------------+\n \n```\n\nIn this example, the IaaS SSP specifies customer responsibilities for certain controls.\n\nThe SaaS must address these for the control to be fully satisfied.\n\nThe SaaS provider may either implement these directly or pass the responsibility on to their customers. Both may be necessary.\n\nFor any given control, the Leveraged IaaS SSP must describe:\n\n1. HOW the IaaS is directly satisfying the control\n1. WHAT responsibilities are left for the Leveraging SaaS (or their customers) to implement.\n\n\nFor any given control, the Leveraging SaaS SSP must describe:\n\n1. WHAT is being inherited from the underlying IaaS\n1. HOW the SaaS is directly satisfying the control.\n1. WHAT responsibilities are left for the SaaS customers to implement. (The SaaS customers are Cust-A, B and C)\n", + "security-sensitivity-level": "low", + "system-information": { + "information-types": [ + { + "uuid": "11111111-0000-4000-9000-200000000000", + "title": "System and Network Monitoring", + "description": "This IaaS system handles information pertaining to audit events.", + "categorizations": [ + { + "system": "https://doi.org/10.6028/NIST.SP.800-60v2r1", + "information-type-ids": ["C.3.5.8"] + } + ], + "confidentiality-impact": { + "base": "fips-199-moderate", + "selected": "fips-199-low", + "adjustment-justification": "This impact has been adjusted to low as an example of how to perform this type of adjustment." + }, + "integrity-impact": { + "base": "fips-199-moderate", + "selected": "fips-199-low", + "adjustment-justification": "This impact has been adjusted to low as an example of how to perform this type of adjustment." + }, + "availability-impact": { + "base": "fips-199-moderate", + "selected": "fips-199-low", + "adjustment-justification": "This impact has been adjusted to low as an example of how to perform this type of adjustment." + } + } + ] + }, + "security-impact-level": { + "security-objective-confidentiality": "fips-199-low", + "security-objective-integrity": "fips-199-low", + "security-objective-availability": "fips-199-low" + }, + "status": { "state": "operational" }, + "authorization-boundary": { + "description": "The hardware and software supporting the virtualized infrastructure supporting the IaaS." + }, + "remarks": "Most system-characteristics content does not support the example, and is included to meet the minimum SSP syntax requirements." + }, + "system-implementation": { + "users": [ + { + "uuid": "11111111-0000-4000-9000-200000000001", + "role-ids": ["admin"], + "authorized-privileges": [ + { + "title": "Administrator", + "functions-performed": ["Manages the components within the IaaS."] + } + ] + } + ], + "components": [ + { + "uuid": "11111111-0000-4000-9001-000000000001", + "type": "this-system", + "title": "This System", + "description": "This Leveraged IaaS.\n\nThe entire system as depicted in the system authorization boundary", + "status": { "state": "operational" } + }, + { + "uuid": "11111111-0000-4000-9001-000000000002", + "type": "software", + "title": "Application", + "description": "An application within the IaaS, exposed to SaaS customers and their downstream customers.\n\nThis Leveraged IaaS maintains aspects of the application.\n\nThe Leveraging SaaS maintains aspects of their assigned portion of the application.\n\nThe customers of the Leveraging SaaS maintain aspects of their sub-assigned portions of the application.", + "props": [{ "name": "implementation-point", "value": "internal" }], + "status": { "state": "operational" }, + "responsible-roles": [ + { + "role-id": "admin", + "party-uuids": ["11111111-0000-4000-9000-100000000001"] + } + ] + } + ] + }, + "control-implementation": { + "description": "This is a collection of control responses.", + "implemented-requirements": [ + { + "uuid": "11111111-0000-4000-9009-002000000000", + "control-id": "ac-2", + "set-parameters": [ + { + "param-id": "ac-2_prm_1", + "values": ["privileged and non-privileged"] + } + ], + "statements": [ + { + "statement-id": "ac-2_stmt.a", + "uuid": "11111111-0000-4000-9009-002001000000", + "by-components": [ + { + "component-uuid": "11111111-0000-4000-9001-000000000001", + "uuid": "11111111-0000-4000-9009-002001001000", + "description": "Response for the \\\"This System\\\" component.\n\nOverall description of how \\\"This System\\\" satisfies AC-2, Part a.\n\nResponse for the \\\"This System\\\" component.\n\nOverall description of how \\\"This System\\\" satisfies AC-2, Part a.\n\nResponse for the \\\"This System\\\" component.\n\nOverall description of how \\\"This System\\\" satisfies AC-2, Part a.\n\nResponse for the \\\"This System\\\" component.\n\nOverall description of how \\\"This System\\\" satisfies AC-2, Part a.", + "export": { + "description": "Optional description about what is being exported.", + "provided": [ + { + "uuid": "11111111-0000-4000-9009-002001001001", + "description": "Consumer-appropriate description of what a leveraging system may inherite from THIS SYSTEM in the context of satisfying satisfaction of AC-2, part a.", + "responsible-roles": [ + { + "role-id": "poc-for-customers", + "party-uuids": [ + "11111111-0000-4000-9000-100000000001" + ] + } + ] + } + ], + "responsibilities": [ + { + "uuid": "11111111-0000-4000-9009-002001001002", + "provided-uuid": "11111111-0000-4000-9009-002001001001", + "description": "Leveraging system's responsibilities with respect to inheriting this capability.\n\nIn the context of the application component in satisfaction of AC-2, part a.", + "responsible-roles": [ + { + "role-id": "customer", + "party-uuids": [ + "11111111-0000-4000-9000-100000000002" + ] + } + ] + } + ] + } + }, + { + "component-uuid": "11111111-0000-4000-9001-000000000002", + "uuid": "11111111-0000-4000-9009-002001002000", + "description": "Describes how the application satisfies AC-2, Part a.", + "export": { + "description": "Optional description about what is being exported.", + "provided": [ + { + "uuid": "11111111-0000-4000-9009-002001002001", + "description": "Consumer-appropriate description of what may be inherited.\n\nIn the context of the application component in satisfaction of AC-2, part a.", + "responsible-roles": [ + { + "role-id": "poc-for-customers", + "party-uuids": [ + "11111111-0000-4000-9000-100000000001" + ] + } + ] + } + ], + "responsibilities": [ + { + "uuid": "11111111-0000-4000-9009-002001002002", + "provided-uuid": "11111111-0000-4000-9009-002001002001", + "description": "Leveraging system's responsibilities with respect to inheriting this capability.\n\nIn the context of the application component in satisfaction of AC-2, part a.", + "responsible-roles": [ + { + "role-id": "customer", + "party-uuids": [ + "11111111-0000-4000-9000-100000000002" + ] + } + ] + } + ] + } + } + ], + "remarks": "a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: privileged and non-privileged];" + } + ], + "remarks": "The organization:\n\na. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];\n\nb. Assigns account managers for information system accounts;\n\nc. Establishes conditions for group and role membership;\n\nd. through j. omitted" + } + ] + }, + "back-matter": { + "resources": [ + { + "uuid": "11111111-0000-4000-9999-000000000001", + "rlinks": [{ "href": "./attachments/IaaS_ac_proc.docx" }] + }, + { + "uuid": "6b45e2a5-b238-4752-ba12-cfd6ef2a83df", + "description": "NIST Special Publication 800-53 Revision 4: Low Baseline Profile", + "rlinks": [ + { + "href": "../../../nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_LOW-baseline_profile.xml", + "media-type": "application/oscal.catalog+xml" + }, + { + "href": "../../../nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_LOW-baseline_profile.json", + "media-type": "application/oscal.catalog+json" + }, + { + "href": "../../../nist.gov/SP800-53/rev4/yaml/NIST_SP-800-53_rev4_LOW-baseline_profile.yaml", + "media-type": "application/oscal.catalog+yaml" + } + ] + } + ] + } + } +} diff --git a/roscal_lib/tests/ssp/json/oscal_leveraged-example_ssp.json b/roscal_lib/tests/ssp/json/oscal_leveraged-example_ssp.json new file mode 100644 index 0000000..53563e8 --- /dev/null +++ b/roscal_lib/tests/ssp/json/oscal_leveraged-example_ssp.json @@ -0,0 +1,276 @@ +{ + "system-security-plan": { + "uuid": "d197545f-353f-407b-9166-ebf959774c5a", + "metadata": { + "title": "CSP IaaS System Security Plan", + "last-modified": "2024-02-01T13:57:28.355446-04:00", + "version": "0.3", + "oscal-version": "1.1.2", + "roles": [ + { + "id": "admin", + "title": "Administrator" + }, + { + "id": "customer", + "title": "External Customer" + }, + { + "id": "poc-for-customers", + "title": "Internal POC for Customers" + } + ], + "parties": [ + { + "uuid": "11111111-0000-4000-9000-100000000001", + "type": "person", + "remarks": "Leveraged Authorization POC" + }, + { + "uuid": "11111111-0000-4000-9000-100000000002", + "type": "person" + } + ] + }, + "import-profile": { + "href": "#6b45e2a5-b238-4752-ba12-cfd6ef2a83df" + }, + "system-characteristics": { + "system-ids": [ + { + "id": "csp_iaas_system" + } + ], + "system-name": "Leveraged IaaS System", + "description": "An example of three customers leveraging an authorized SaaS, which is running on an authorized IaaS.\n\n```\n\nCust-A Cust-B Cust-C\n | | |\n +---------+---------+\n |\n +-------------------+\n | Leveraging SaaS |\n +-------------------+\n |\n |\n +-------------------+\n | Leveraged IaaS |\n | this file |\n +-------------------+\n \n```\n\nIn this example, the IaaS SSP specifies customer responsibilities for certain controls.\n\nThe SaaS must address these for the control to be fully satisfied.\n\nThe SaaS provider may either implement these directly or pass the responsibility on to their customers. Both may be necessary.\n\nFor any given control, the Leveraged IaaS SSP must describe:\n\n1. HOW the IaaS is directly satisfying the control\n1. WHAT responsibilities are left for the Leveraging SaaS (or their customers) to implement.\n\n\nFor any given control, the Leveraging SaaS SSP must describe:\n\n1. WHAT is being inherited from the underlying IaaS\n1. HOW the SaaS is directly satisfying the control.\n1. WHAT responsibilities are left for the SaaS customers to implement. (The SaaS customers are Cust-A, B and C)\n", + "security-sensitivity-level": "low", + "system-information": { + "information-types": [ + { + "uuid": "11111111-0000-4000-9000-200000000000", + "title": "System and Network Monitoring", + "description": "This IaaS system handles information pertaining to audit events.", + "categorizations": [ + { + "system": "https://doi.org/10.6028/NIST.SP.800-60v2r1", + "information-type-ids": [ + "C.3.5.8" + ] + } + ], + "confidentiality-impact": { + "base": "fips-199-moderate", + "selected": "fips-199-low", + "adjustment-justification": "This impact has been adjusted to low as an example of how to perform this type of adjustment." + }, + "integrity-impact": { + "base": "fips-199-moderate", + "selected": "fips-199-low", + "adjustment-justification": "This impact has been adjusted to low as an example of how to perform this type of adjustment." + }, + "availability-impact": { + "base": "fips-199-moderate", + "selected": "fips-199-low", + "adjustment-justification": "This impact has been adjusted to low as an example of how to perform this type of adjustment." + } + } + ] + }, + "security-impact-level": { + "security-objective-confidentiality": "fips-199-low", + "security-objective-integrity": "fips-199-low", + "security-objective-availability": "fips-199-low" + }, + "status": { + "state": "operational" + }, + "authorization-boundary": { + "description": "The hardware and software supporting the virtualized infrastructure supporting the IaaS." + }, + "remarks": "Most system-characteristics content does not support the example, and is included to meet the minimum SSP syntax requirements." + }, + "system-implementation": { + "users": [ + { + "uuid": "11111111-0000-4000-9000-200000000001", + "role-ids": [ + "admin" + ], + "authorized-privileges": [ + { + "title": "Administrator", + "functions-performed": [ + "Manages the components within the IaaS." + ] + } + ] + } + ], + "components": [ + { + "uuid": "11111111-0000-4000-9001-000000000001", + "type": "this-system", + "title": "This System", + "description": "This Leveraged IaaS.\n\nThe entire system as depicted in the system authorization boundary", + "status": { + "state": "operational" + } + }, + { + "uuid": "11111111-0000-4000-9001-000000000002", + "type": "software", + "title": "Application", + "description": "An application within the IaaS, exposed to SaaS customers and their downstream customers.\n\nThis Leveraged IaaS maintains aspects of the application.\n\nThe Leveraging SaaS maintains aspects of their assigned portion of the application.\n\nThe customers of the Leveraging SaaS maintain aspects of their sub-assigned portions of the application.", + "props": [ + { + "name": "implementation-point", + "value": "internal" + } + ], + "status": { + "state": "operational" + }, + "responsible-roles": [ + { + "role-id": "admin", + "party-uuids": [ + "11111111-0000-4000-9000-100000000001" + ] + } + ] + } + ] + }, + "control-implementation": { + "description": "This is a collection of control responses.", + "implemented-requirements": [ + { + "uuid": "11111111-0000-4000-9009-002000000000", + "control-id": "ac-2", + "set-parameters": [ + { + "param-id": "ac-2_prm_1", + "values": [ + "privileged and non-privileged" + ] + } + ], + "statements": [ + { + "statement-id": "ac-2_stmt.a", + "uuid": "11111111-0000-4000-9009-002001000000", + "by-components": [ + { + "component-uuid": "11111111-0000-4000-9001-000000000001", + "uuid": "11111111-0000-4000-9009-002001001000", + "description": "Response for the \\\"This System\\\" component.\n\nOverall description of how \\\"This System\\\" satisfies AC-2, Part a.\n\nResponse for the \\\"This System\\\" component.\n\nOverall description of how \\\"This System\\\" satisfies AC-2, Part a.\n\nResponse for the \\\"This System\\\" component.\n\nOverall description of how \\\"This System\\\" satisfies AC-2, Part a.\n\nResponse for the \\\"This System\\\" component.\n\nOverall description of how \\\"This System\\\" satisfies AC-2, Part a.", + "export": { + "description": "Optional description about what is being exported.", + "provided": [ + { + "uuid": "11111111-0000-4000-9009-002001001001", + "description": "Consumer-appropriate description of what a leveraging system may inherite from THIS SYSTEM in the context of satisfying satisfaction of AC-2, part a.", + "responsible-roles": [ + { + "role-id": "poc-for-customers", + "party-uuids": [ + "11111111-0000-4000-9000-100000000001" + ] + } + ] + } + ], + "responsibilities": [ + { + "uuid": "11111111-0000-4000-9009-002001001002", + "provided-uuid": "11111111-0000-4000-9009-002001001001", + "description": "Leveraging system's responsibilities with respect to inheriting this capability.\n\nIn the context of the application component in satisfaction of AC-2, part a.", + "responsible-roles": [ + { + "role-id": "customer", + "party-uuids": [ + "11111111-0000-4000-9000-100000000002" + ] + } + ] + } + ] + } + }, + { + "component-uuid": "11111111-0000-4000-9001-000000000002", + "uuid": "11111111-0000-4000-9009-002001002000", + "description": "Describes how the application satisfies AC-2, Part a.", + "export": { + "description": "Optional description about what is being exported.", + "provided": [ + { + "uuid": "11111111-0000-4000-9009-002001002001", + "description": "Consumer-appropriate description of what may be inherited.\n\nIn the context of the application component in satisfaction of AC-2, part a.", + "responsible-roles": [ + { + "role-id": "poc-for-customers", + "party-uuids": [ + "11111111-0000-4000-9000-100000000001" + ] + } + ] + } + ], + "responsibilities": [ + { + "uuid": "11111111-0000-4000-9009-002001002002", + "provided-uuid": "11111111-0000-4000-9009-002001002001", + "description": "Leveraging system's responsibilities with respect to inheriting this capability.\n\nIn the context of the application component in satisfaction of AC-2, part a.", + "responsible-roles": [ + { + "role-id": "customer", + "party-uuids": [ + "11111111-0000-4000-9000-100000000002" + ] + } + ] + } + ] + } + } + ], + "remarks": "a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: privileged and non-privileged];" + } + ], + "remarks": "The organization:\n\na. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];\n\nb. Assigns account managers for information system accounts;\n\nc. Establishes conditions for group and role membership;\n\nd. through j. omitted" + } + ] + }, + "back-matter": { + "resources": [ + { + "uuid": "11111111-0000-4000-9999-000000000001", + "rlinks": [ + { + "href": "./attachments/IaaS_ac_proc.docx" + } + ] + }, + { + "uuid": "6b45e2a5-b238-4752-ba12-cfd6ef2a83df", + "description": "NIST Special Publication 800-53 Revision 4: Low Baseline Profile", + "rlinks": [ + { + "href": "../../../nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_LOW-baseline_profile.xml", + "media-type": "application/oscal.catalog+xml" + }, + { + "href": "../../../nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_LOW-baseline_profile.json", + "media-type": "application/oscal.catalog+json" + }, + { + "href": "../../../nist.gov/SP800-53/rev4/yaml/NIST_SP-800-53_rev4_LOW-baseline_profile.yaml", + "media-type": "application/oscal.catalog+yaml" + } + ] + } + ] + } + } +} diff --git a/roscal_lib/tests/ssp/json/oscal_leveraging-example_ssp-min.json b/roscal_lib/tests/ssp/json/oscal_leveraging-example_ssp-min.json new file mode 100644 index 0000000..0a50e14 --- /dev/null +++ b/roscal_lib/tests/ssp/json/oscal_leveraging-example_ssp-min.json @@ -0,0 +1,274 @@ +{ + "system-security-plan": { + "uuid": "bb9219b1-e51c-4680-abb0-616a43bbfbb1", + "metadata": { + "title": "Leveraging SaaS System Security Plan", + "last-modified": "2024-02-01T13:57:28.355446-04:00", + "version": "0.3", + "oscal-version": "1.1.2", + "roles": [{ "id": "admin", "title": "Administrator" }], + "parties": [ + { + "uuid": "22222222-0000-4000-9000-100000000001", + "type": "person", + "remarks": "Leveraging SaaS' Admin" + }, + { + "uuid": "11111111-0000-4000-9000-100000000001", + "type": "person", + "remarks": "Leveraged Authorization (IaaS) POC" + } + ] + }, + "import-profile": { "href": "#6b45e2a5-b238-4752-ba12-cfd6ef2a83df" }, + "system-characteristics": { + "system-ids": [{ "id": "saas_system_iaas_customer" }], + "system-name": "Leveraging SaaS System", + "description": "An example of three customers leveraging an authorized SaaS, which is running on an authorized IaaS.\n\n```\n\nCust-A Cust-B Cust-C\n | | |\n +---------+---------+\n |\n +-------------------+\n | Leveraging SaaS |\n | this file |\n +-------------------+\n |\n |\n +-------------------+\n | Leveraged IaaS |\n +-------------------+\n \n```\n\nIn this example, the IaaS SSP (the leveraged SSP) specifies what IaaS provides and the customer's responsibilities for certain controls.\n\nThe SaaS must address these responsibilities for the control to be fully satisfied.\n\nThe SaaS provider may either implement these directly or pass the responsibility on to their customers. Both may be necessary.\n\nFor any given control, the Leveraged IaaS SSP must describe:\n\n1. HOW the IaaS is directly satisfying the control\n1. WHAT responsibilities are left for the Leveraging SaaS (or their customers) to implement.\n\n\nFor any given control, the Leveraging SaaS SSP must describe:\n\n1. WHAT is being inherited from the underlying IaaS\n1. HOW the SaaS is directly satisfying the control.\n1. WHAT responsibilities are left for the SaaS' customers to implement. (The SaaS customers are Cust-A, B and C)\n", + "security-sensitivity-level": "low", + "system-information": { + "information-types": [ + { + "uuid": "22222222-0000-4000-9000-200000000000", + "title": "System and Network Monitoring", + "description": "This system handles information pertaining to audit events.", + "categorizations": [ + { + "system": "https://doi.org/10.6028/NIST.SP.800-60v2r1", + "information-type-ids": ["C.3.5.8"] + } + ], + "confidentiality-impact": { + "base": "fips-199-moderate", + "selected": "fips-199-low", + "adjustment-justification": "This impact has been adjusted to low as an example of how to perform this type of adjustment." + }, + "integrity-impact": { + "base": "fips-199-moderate", + "selected": "fips-199-low", + "adjustment-justification": "This impact has been adjusted to low as an example of how to perform this type of adjustment." + }, + "availability-impact": { + "base": "fips-199-moderate", + "selected": "fips-199-low", + "adjustment-justification": "This impact has been adjusted to low as an example of how to perform this type of adjustment." + } + } + ] + }, + "security-impact-level": { + "security-objective-confidentiality": "fips-199-low", + "security-objective-integrity": "fips-199-low", + "security-objective-availability": "fips-199-low" + }, + "status": { "state": "operational" }, + "authorization-boundary": { + "description": "The virtualized components deployed on the CSP IaaS." + }, + "remarks": "Most system-characteristics content does not support the example, and is included to meet the minimum SSP syntax requirements." + }, + "system-implementation": { + "leveraged-authorizations": [ + { + "uuid": "22222222-0000-4000-9000-300000000001", + "title": "CSP IaaS [Leveraged System]", + "links": [ + { + "href": "#b3a3079c-ace3-4aae-9acd-d52d418472f2", + "rel": "oscal-ssp-xml" + } + ], + "party-uuid": "11111111-0000-4000-9000-100000000001", + "date-authorized": "2018-01-01" + } + ], + "users": [ + { + "uuid": "22222222-0000-4000-9000-200000000001", + "role-ids": ["admin"], + "authorized-privileges": [ + { + "title": "Administrator", + "functions-performed": ["Manages the components within the SaaS."] + } + ] + } + ], + "components": [ + { + "uuid": "22222222-0000-4000-9001-000000000001", + "type": "this-system", + "title": " **THIS SYSTEM (SaaS)** ", + "description": "This Leveraging SaaS.\n\nThe entire system as depicted in the system authorization boundary", + "status": { "state": "operational" } + }, + { + "uuid": "22222222-0000-4000-9001-000000000002", + "type": "system", + "title": " **LEVERAGED SYSTEM (IaaS)** ", + "description": "If the leveraged system owner provides a UUID for their system (such as in an OSCAL-based CRM), it should be used as the UUID for this component.", + "props": [ + { "name": "implementation-point", "value": "external" }, + { + "name": "leveraged-authorization-uuid", + "value": "22222222-0000-4000-9000-300000000001" + }, + { + "name": "inherited-uuid", + "value": "11111111-0000-4000-9001-000000000001" + } + ], + "status": { "state": "operational" } + }, + { + "uuid": "22222222-0000-4000-9001-000000000003", + "type": "appliance", + "title": "Access Control Appliance", + "description": "An access control virtual appliance, wich performs XYZ functions.", + "props": [ + { "name": "implementation-point", "value": "internal" }, + { "name": "virtual", "value": "yes" } + ], + "status": { "state": "operational" } + }, + { + "uuid": "22222222-0000-4000-9001-000000000004", + "type": "application", + "title": "LEVERAGED APPLICATION", + "description": "Inherited from underlying IaaS.", + "props": [ + { "name": "implementation-point", "value": "external" }, + { + "name": "leveraged-authorization-uuid", + "value": "22222222-0000-4000-9000-300000000001" + }, + { + "name": "inherited-uuid", + "value": "11111111-0000-4000-9001-000000000002" + } + ], + "status": { "state": "operational" } + } + ] + }, + "control-implementation": { + "description": "This is a collection of control responses.", + "implemented-requirements": [ + { + "uuid": "22222222-0000-4000-9009-002000000000", + "control-id": "ac-2", + "set-parameters": [ + { + "param-id": "ac-2_prm_1", + "values": ["privileged and non-privileged"] + } + ], + "statements": [ + { + "statement-id": "ac-2_stmt.a", + "uuid": "22222222-0000-4000-9009-002001000000", + "by-components": [ + { + "component-uuid": "22222222-0000-4000-9001-000000000001", + "uuid": "22222222-0000-4000-9009-002001001000", + "description": "Response for the \\\"This System\\\" component.\n\nOverall description of how \\\"This System\\\" satisfies AC-2, Part a.\n\nResponse for the \\\"This System\\\" component.\n\nOverall description of how \\\"This System\\\" satisfies AC-2, Part a.\n\nResponse for the \\\"This System\\\" component.\n\nOverall description of how \\\"This System\\\" satisfies AC-2, Part a.\n\nResponse for the \\\"This System\\\" component.\n\nOverall description of how \\\"This System\\\" satisfies AC-2, Part a.", + "responsible-roles": [ + { + "role-id": "admin", + "party-uuids": ["22222222-0000-4000-9000-100000000001"] + } + ] + }, + { + "component-uuid": "22222222-0000-4000-9001-000000000002", + "uuid": "22222222-0000-4000-9009-002001002000", + "description": "Describe how this internal virtual appliance satisfies AC-2, Part a.", + "satisfied": [ + { + "uuid": "22222222-0000-4000-9009-002001002001", + "responsibility-uuid": "11111111-0000-4000-9009-002001001001", + "description": "Description that directly addresses how the consumer responsibility was satisfied.", + "responsible-roles": [ + { + "role-id": "admin", + "party-uuids": [ + "22222222-0000-4000-9000-100000000001" + ] + } + ] + } + ] + }, + { + "component-uuid": "22222222-0000-4000-9001-000000000003", + "uuid": "22222222-0000-4000-9009-002001003000", + "description": " *duplicated/tailored description of what was inherited, and description of what was configured.* \n\nConsumer-appropriate description of what may be inherited.\n\nIn the context of the application component in satisfaction of AC-2, part a.", + "inherited": [ + { + "uuid": "22222222-0000-4000-9009-002001002002", + "provided-uuid": "11111111-0000-4000-9009-002001002001", + "description": "Optional description.\n\n *Possibly duplicated description of what was inherited.* \n\nConsumer-appropriate description of what may be inherited.\n\nIn the context of the application component in satisfaction of AC-2, part a." + } + ], + "satisfied": [ + { + "uuid": "22222222-0000-4000-9009-002001002003", + "responsibility-uuid": "11111111-0000-4000-9009-002001002002", + "description": "Description of how the responsibility was satisfied." + } + ] + } + ], + "remarks": "a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: privileged and non-privileged];" + } + ], + "remarks": "The organization:\n\na. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];\n\nb. Assigns account managers for information system accounts;\n\nc. Establishes conditions for group and role membership;\n\nOmitted: d. through j." + } + ] + }, + "back-matter": { + "resources": [ + { + "uuid": "22222222-0000-4000-9999-000000000001", + "rlinks": [{ "href": "./attachments/SaaS_ac_proc.docx" }] + }, + { + "uuid": "6b45e2a5-b238-4752-ba12-cfd6ef2a83df", + "description": "NIST Special Publication 800-53 Revision 4: Low Baseline Profile", + "rlinks": [ + { + "href": "../../../nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_LOW-baseline_profile.xml", + "media-type": "application/oscal.catalog+xml" + }, + { + "href": "../../../nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_LOW-baseline_profile.json", + "media-type": "application/oscal.catalog+json" + }, + { + "href": "../../../nist.gov/SP800-53/rev4/yaml/NIST_SP-800-53_rev4_LOW-baseline_profile.yaml", + "media-type": "application/oscal.catalog+yaml" + } + ] + }, + { + "uuid": "b3a3079c-ace3-4aae-9acd-d52d418472f2", + "description": "Leveraged System Security Plan in OSCAL Data Formats", + "rlinks": [ + { + "href": "../../ssp/xml/oscal_leveraged-example_ssp.xml", + "media-type": "application/oscal.catalog+xml" + }, + { + "href": "../../../ssp/json/nist.gov/SP800-53/rev4/json/oscal_leveraged-example_ssp.json", + "media-type": "application/oscal.catalog+json" + }, + { + "href": "../../../ssp/yaml/oscal_leveraged-example_ssp.yaml", + "media-type": "application/oscal.catalog+yaml" + } + ] + } + ] + } + } +} diff --git a/roscal_lib/tests/ssp/json/oscal_leveraging-example_ssp.json b/roscal_lib/tests/ssp/json/oscal_leveraging-example_ssp.json new file mode 100644 index 0000000..6a6fa0f --- /dev/null +++ b/roscal_lib/tests/ssp/json/oscal_leveraging-example_ssp.json @@ -0,0 +1,321 @@ +{ + "system-security-plan": { + "uuid": "bb9219b1-e51c-4680-abb0-616a43bbfbb1", + "metadata": { + "title": "Leveraging SaaS System Security Plan", + "last-modified": "2024-02-01T13:57:28.355446-04:00", + "version": "0.3", + "oscal-version": "1.1.2", + "roles": [ + { + "id": "admin", + "title": "Administrator" + } + ], + "parties": [ + { + "uuid": "22222222-0000-4000-9000-100000000001", + "type": "person", + "remarks": "Leveraging SaaS' Admin" + }, + { + "uuid": "11111111-0000-4000-9000-100000000001", + "type": "person", + "remarks": "Leveraged Authorization (IaaS) POC" + } + ] + }, + "import-profile": { + "href": "#6b45e2a5-b238-4752-ba12-cfd6ef2a83df" + }, + "system-characteristics": { + "system-ids": [ + { + "id": "saas_system_iaas_customer" + } + ], + "system-name": "Leveraging SaaS System", + "description": "An example of three customers leveraging an authorized SaaS, which is running on an authorized IaaS.\n\n```\n\nCust-A Cust-B Cust-C\n | | |\n +---------+---------+\n |\n +-------------------+\n | Leveraging SaaS |\n | this file |\n +-------------------+\n |\n |\n +-------------------+\n | Leveraged IaaS |\n +-------------------+\n \n```\n\nIn this example, the IaaS SSP (the leveraged SSP) specifies what IaaS provides and the customer's responsibilities for certain controls.\n\nThe SaaS must address these responsibilities for the control to be fully satisfied.\n\nThe SaaS provider may either implement these directly or pass the responsibility on to their customers. Both may be necessary.\n\nFor any given control, the Leveraged IaaS SSP must describe:\n\n1. HOW the IaaS is directly satisfying the control\n1. WHAT responsibilities are left for the Leveraging SaaS (or their customers) to implement.\n\n\nFor any given control, the Leveraging SaaS SSP must describe:\n\n1. WHAT is being inherited from the underlying IaaS\n1. HOW the SaaS is directly satisfying the control.\n1. WHAT responsibilities are left for the SaaS' customers to implement. (The SaaS customers are Cust-A, B and C)\n", + "security-sensitivity-level": "low", + "system-information": { + "information-types": [ + { + "uuid": "22222222-0000-4000-9000-200000000000", + "title": "System and Network Monitoring", + "description": "This system handles information pertaining to audit events.", + "categorizations": [ + { + "system": "https://doi.org/10.6028/NIST.SP.800-60v2r1", + "information-type-ids": [ + "C.3.5.8" + ] + } + ], + "confidentiality-impact": { + "base": "fips-199-moderate", + "selected": "fips-199-low", + "adjustment-justification": "This impact has been adjusted to low as an example of how to perform this type of adjustment." + }, + "integrity-impact": { + "base": "fips-199-moderate", + "selected": "fips-199-low", + "adjustment-justification": "This impact has been adjusted to low as an example of how to perform this type of adjustment." + }, + "availability-impact": { + "base": "fips-199-moderate", + "selected": "fips-199-low", + "adjustment-justification": "This impact has been adjusted to low as an example of how to perform this type of adjustment." + } + } + ] + }, + "security-impact-level": { + "security-objective-confidentiality": "fips-199-low", + "security-objective-integrity": "fips-199-low", + "security-objective-availability": "fips-199-low" + }, + "status": { + "state": "operational" + }, + "authorization-boundary": { + "description": "The virtualized components deployed on the CSP IaaS." + }, + "remarks": "Most system-characteristics content does not support the example, and is included to meet the minimum SSP syntax requirements." + }, + "system-implementation": { + "leveraged-authorizations": [ + { + "uuid": "22222222-0000-4000-9000-300000000001", + "title": "CSP IaaS [Leveraged System]", + "links": [ + { + "href": "#b3a3079c-ace3-4aae-9acd-d52d418472f2", + "rel": "oscal-ssp-xml" + } + ], + "party-uuid": "11111111-0000-4000-9000-100000000001", + "date-authorized": "2018-01-01" + } + ], + "users": [ + { + "uuid": "22222222-0000-4000-9000-200000000001", + "role-ids": [ + "admin" + ], + "authorized-privileges": [ + { + "title": "Administrator", + "functions-performed": [ + "Manages the components within the SaaS." + ] + } + ] + } + ], + "components": [ + { + "uuid": "22222222-0000-4000-9001-000000000001", + "type": "this-system", + "title": " **THIS SYSTEM (SaaS)** ", + "description": "This Leveraging SaaS.\n\nThe entire system as depicted in the system authorization boundary", + "status": { + "state": "operational" + } + }, + { + "uuid": "22222222-0000-4000-9001-000000000002", + "type": "system", + "title": " **LEVERAGED SYSTEM (IaaS)** ", + "description": "If the leveraged system owner provides a UUID for their system (such as in an OSCAL-based CRM), it should be used as the UUID for this component.", + "props": [ + { + "name": "implementation-point", + "value": "external" + }, + { + "name": "leveraged-authorization-uuid", + "value": "22222222-0000-4000-9000-300000000001" + }, + { + "name": "inherited-uuid", + "value": "11111111-0000-4000-9001-000000000001" + } + ], + "status": { + "state": "operational" + } + }, + { + "uuid": "22222222-0000-4000-9001-000000000003", + "type": "appliance", + "title": "Access Control Appliance", + "description": "An access control virtual appliance, wich performs XYZ functions.", + "props": [ + { + "name": "implementation-point", + "value": "internal" + }, + { + "name": "virtual", + "value": "yes" + } + ], + "status": { + "state": "operational" + } + }, + { + "uuid": "22222222-0000-4000-9001-000000000004", + "type": "application", + "title": "LEVERAGED APPLICATION", + "description": "Inherited from underlying IaaS.", + "props": [ + { + "name": "implementation-point", + "value": "external" + }, + { + "name": "leveraged-authorization-uuid", + "value": "22222222-0000-4000-9000-300000000001" + }, + { + "name": "inherited-uuid", + "value": "11111111-0000-4000-9001-000000000002" + } + ], + "status": { + "state": "operational" + } + } + ] + }, + "control-implementation": { + "description": "This is a collection of control responses.", + "implemented-requirements": [ + { + "uuid": "22222222-0000-4000-9009-002000000000", + "control-id": "ac-2", + "set-parameters": [ + { + "param-id": "ac-2_prm_1", + "values": [ + "privileged and non-privileged" + ] + } + ], + "statements": [ + { + "statement-id": "ac-2_stmt.a", + "uuid": "22222222-0000-4000-9009-002001000000", + "by-components": [ + { + "component-uuid": "22222222-0000-4000-9001-000000000001", + "uuid": "22222222-0000-4000-9009-002001001000", + "description": "Response for the \\\"This System\\\" component.\n\nOverall description of how \\\"This System\\\" satisfies AC-2, Part a.\n\nResponse for the \\\"This System\\\" component.\n\nOverall description of how \\\"This System\\\" satisfies AC-2, Part a.\n\nResponse for the \\\"This System\\\" component.\n\nOverall description of how \\\"This System\\\" satisfies AC-2, Part a.\n\nResponse for the \\\"This System\\\" component.\n\nOverall description of how \\\"This System\\\" satisfies AC-2, Part a.", + "responsible-roles": [ + { + "role-id": "admin", + "party-uuids": [ + "22222222-0000-4000-9000-100000000001" + ] + } + ] + }, + { + "component-uuid": "22222222-0000-4000-9001-000000000002", + "uuid": "22222222-0000-4000-9009-002001002000", + "description": "Describe how this internal virtual appliance satisfies AC-2, Part a.", + "satisfied": [ + { + "uuid": "22222222-0000-4000-9009-002001002001", + "responsibility-uuid": "11111111-0000-4000-9009-002001001001", + "description": "Description that directly addresses how the consumer responsibility was satisfied.", + "responsible-roles": [ + { + "role-id": "admin", + "party-uuids": [ + "22222222-0000-4000-9000-100000000001" + ] + } + ] + } + ] + }, + { + "component-uuid": "22222222-0000-4000-9001-000000000003", + "uuid": "22222222-0000-4000-9009-002001003000", + "description": " *duplicated/tailored description of what was inherited, and description of what was configured.* \n\nConsumer-appropriate description of what may be inherited.\n\nIn the context of the application component in satisfaction of AC-2, part a.", + "inherited": [ + { + "uuid": "22222222-0000-4000-9009-002001002002", + "provided-uuid": "11111111-0000-4000-9009-002001002001", + "description": "Optional description.\n\n *Possibly duplicated description of what was inherited.* \n\nConsumer-appropriate description of what may be inherited.\n\nIn the context of the application component in satisfaction of AC-2, part a." + } + ], + "satisfied": [ + { + "uuid": "22222222-0000-4000-9009-002001002003", + "responsibility-uuid": "11111111-0000-4000-9009-002001002002", + "description": "Description of how the responsibility was satisfied." + } + ] + } + ], + "remarks": "a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: privileged and non-privileged];" + } + ], + "remarks": "The organization:\n\na. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];\n\nb. Assigns account managers for information system accounts;\n\nc. Establishes conditions for group and role membership;\n\nOmitted: d. through j." + } + ] + }, + "back-matter": { + "resources": [ + { + "uuid": "22222222-0000-4000-9999-000000000001", + "rlinks": [ + { + "href": "./attachments/SaaS_ac_proc.docx" + } + ] + }, + { + "uuid": "6b45e2a5-b238-4752-ba12-cfd6ef2a83df", + "description": "NIST Special Publication 800-53 Revision 4: Low Baseline Profile", + "rlinks": [ + { + "href": "../../../nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_LOW-baseline_profile.xml", + "media-type": "application/oscal.catalog+xml" + }, + { + "href": "../../../nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_LOW-baseline_profile.json", + "media-type": "application/oscal.catalog+json" + }, + { + "href": "../../../nist.gov/SP800-53/rev4/yaml/NIST_SP-800-53_rev4_LOW-baseline_profile.yaml", + "media-type": "application/oscal.catalog+yaml" + } + ] + }, + { + "uuid": "b3a3079c-ace3-4aae-9acd-d52d418472f2", + "description": "Leveraged System Security Plan in OSCAL Data Formats", + "rlinks": [ + { + "href": "../../ssp/xml/oscal_leveraged-example_ssp.xml", + "media-type": "application/oscal.catalog+xml" + }, + { + "href": "../../../ssp/json/nist.gov/SP800-53/rev4/json/oscal_leveraged-example_ssp.json", + "media-type": "application/oscal.catalog+json" + }, + { + "href": "../../../ssp/yaml/oscal_leveraged-example_ssp.yaml", + "media-type": "application/oscal.catalog+yaml" + } + ] + } + ] + } + } +} diff --git a/roscal_lib/tests/ssp/json/ssp-example-min.json b/roscal_lib/tests/ssp/json/ssp-example-min.json new file mode 100644 index 0000000..481b1e4 --- /dev/null +++ b/roscal_lib/tests/ssp/json/ssp-example-min.json @@ -0,0 +1,459 @@ +{ + "system-security-plan": { + "uuid": "cff8385f-108e-40a5-8f7a-82f3dc0eaba8", + "metadata": { + "title": "Enterprise Logging and Auditing System Security Plan", + "last-modified": "2024-02-01T13:57:28.355446-04:00", + "version": "1.1", + "oscal-version": "1.1.2", + "roles": [ + { "id": "legal-officer", "title": "Legal Officer" }, + { "id": "maintainer", "title": "System Maintainer" }, + { "id": "asset-owner", "title": "System Assets Owner" }, + { "id": "provider", "title": "System Provider" }, + { "id": "asset-administrator", "title": "System Assets Admin" } + ], + "parties": [ + { + "uuid": "3b2a5599-cc37-403f-ae36-5708fa804b27", + "type": "organization", + "name": "Enterprise Asset Owners" + }, + { + "uuid": "833ac398-5c9a-4e6b-acba-2a9c11399da0", + "type": "organization", + "name": "Enterprise Asset Administrators" + }, + { + "uuid": "ec485dcf-2519-43f5-8e7d-014cc315332d", + "type": "organization", + "name": "Legal Department" + }, + { + "uuid": "0f0c15ed-565e-4ce9-8670-b54853d0bf03", + "type": "organization", + "name": "IT Department" + }, + { + "uuid": "96c362ee-a012-4e07-92f3-486ab303b0e7", + "type": "organization", + "name": "Acme Corp" + } + ] + }, + "import-profile": { "href": "#b78aa3ec-915d-475b-8097-46813fae1825" }, + "system-characteristics": { + "system-ids": [ + { + "identifier-type": "https://ietf.org/rfc/rfc4122", + "id": "d7456980-9277-4dcb-83cf-f8ff0442623b" + } + ], + "system-name": "Enterprise Logging and Auditing System", + "description": "This is an example of a system that provides enterprise logging and log auditing capabilities.", + "props": [ + { "name": "cloud-deployment-model", "value": "private-cloud" }, + { "name": "cloud-service-model", "value": "iaas" } + ], + "security-sensitivity-level": "moderate", + "system-information": { + "information-types": [ + { + "uuid": "7d28ac6e-5970-4f4c-a508-5a3715f0f02b", + "title": "System and Network Monitoring", + "description": "This system maintains historical logging and auditing information for all client devices connected to this system.", + "categorizations": [ + { + "system": "https://doi.org/10.6028/NIST.SP.800-60v2r1", + "information-type-ids": ["C.3.5.8"] + } + ], + "confidentiality-impact": { "base": "fips-199-moderate" }, + "integrity-impact": { "base": "fips-199-moderate" }, + "availability-impact": { "base": "fips-199-low" } + } + ] + }, + "security-impact-level": { + "security-objective-confidentiality": "fips-199-moderate", + "security-objective-integrity": "fips-199-moderate", + "security-objective-availability": "fips-199-low" + }, + "status": { + "state": "other", + "remarks": "This is an example, and is not intended to be implemented as a system" + }, + "authorization-boundary": { + "description": "The description of the authorization boundary would go here." + } + }, + "system-implementation": { + "users": [ + { + "uuid": "9824089b-322c-456f-86c4-4111c4200f69", + "title": "System Administrator", + "props": [{ "name": "type", "value": "internal" }], + "role-ids": ["asset-administrator"] + }, + { + "uuid": "9824089b-322c-456f-86c4-4111c4200f62", + "title": "System Maintainer", + "props": [{ "name": "type", "value": "internal" }], + "role-ids": ["maintainer"] + }, + { + "uuid": "ae8de94c-835d-4303-83b1-114b6a117a07", + "title": "Audit Team", + "props": [{ "name": "type", "value": "internal" }], + "role-ids": ["asset-owner"] + }, + { + "uuid": "372ce7a3-92b0-437e-a98c-24d29f9bfab8", + "title": "Legal Department", + "props": [{ "name": "type", "value": "internal" }], + "role-ids": ["legal-officer"] + }, + { + "uuid": "372ce7a3-92b0-437e-a98c-55d29f9bfab8", + "title": "Provider", + "props": [{ "name": "type", "value": "internal" }], + "role-ids": ["provider"] + } + ], + "components": [ + { + "uuid": "74042245-3db1-4f4d-be9a-ceb62d81152c", + "type": "this-system", + "title": "This System", + "description": "The system described by this SSP.", + "status": { "state": "operational" } + }, + { + "uuid": "e00acdcf-911b-437d-a42f-b0b558cc4f03", + "type": "software", + "title": "Logging Server", + "description": "Provides a means for hosts to publish logged events to a central server.", + "status": { "state": "operational" }, + "responsible-roles": [ + { + "role-id": "provider", + "party-uuids": ["96c362ee-a012-4e07-92f3-486ab303b0e7"] + }, + { + "role-id": "asset-owner", + "party-uuids": ["3b2a5599-cc37-403f-ae36-5708fa804b27"] + }, + { + "role-id": "asset-administrator", + "party-uuids": ["833ac398-5c9a-4e6b-acba-2a9c11399da0"] + } + ] + }, + { + "uuid": "795533ab-9427-4abe-820f-0b571bacfe6d", + "type": "policy", + "title": "Enterprise Logging, Monitoring, and Alerting Policy", + "description": "Requires all components to send logs to the enterprise logging solution\n\n* Requires all components synchronize their time with the appropriate enterprise time service, and at what frequency. \n* Identifies the events that must be captured \n* Identifies who is responsible/accountable for performing these functions \n", + "props": [ + { "name": "version", "value": "2.1" }, + { "name": "release-date", "value": "2018-10-15" } + ], + "status": { "state": "operational" }, + "responsible-roles": [ + { + "role-id": "maintainer", + "party-uuids": ["ec485dcf-2519-43f5-8e7d-014cc315332d"] + } + ] + }, + { + "uuid": "941e2a87-46f4-4b3e-9e87-bbd187091ca1", + "type": "process", + "title": "System Integration Process", + "description": "Ensures proper integration into the enterprise as new systems are brought into production.", + "props": [{ "name": "release-date", "value": "2018-10-15" }], + "links": [ + { + "href": "#795533ab-9427-4abe-820f-0b571bacfe6d", + "rel": "implements-policy", + "text": "Ensures logs from components in new system are able to published to the logging server. Ensures log monitoring capabilities recognize new system as authorized." + } + ], + "status": { "state": "operational" }, + "responsible-roles": [ + { + "role-id": "maintainer", + "party-uuids": ["0f0c15ed-565e-4ce9-8670-b54853d0bf03"] + } + ] + }, + { + "uuid": "fa39eb84-3014-46b4-b6bc-7da10527c262", + "type": "process", + "title": "Inventory Management Process", + "description": "Describes how new components are introduced into the system - ensures monitoring teams know about every asset that should be producing logs, thus should be monitored.", + "props": [{ "name": "release-date", "value": "2018-10-15" }], + "links": [ + { + "href": "#795533ab-9427-4abe-820f-0b571bacfe6d", + "rel": "implements-policy", + "text": "Ensures that all host are known and authorized. Ensures that these hosts publish log events to the logging server." + } + ], + "status": { "state": "operational" }, + "responsible-roles": [ + { + "role-id": "maintainer", + "party-uuids": ["0f0c15ed-565e-4ce9-8670-b54853d0bf03"] + } + ] + }, + { + "uuid": "4938767c-dd8b-4ea4-b74a-fafffd48ac99", + "type": "guidance", + "title": "Configuration Management Guidance", + "description": "Describes how to configure a component to ensure its logs are transmitted to Splunk in the appropriate format. Also describes how to configure time synchronization.", + "props": [{ "name": "release-date", "value": "2018-10-15" }], + "links": [ + { + "href": "#795533ab-9427-4abe-820f-0b571bacfe6d", + "rel": "implements-policy", + "text": "Ensures that all host are configured to publish log events to the logging server." + } + ], + "status": { "state": "operational" }, + "responsible-roles": [ + { + "role-id": "maintainer", + "party-uuids": ["0f0c15ed-565e-4ce9-8670-b54853d0bf03"] + } + ] + } + ], + "inventory-items": [ + { + "uuid": "c9c32657-a0eb-4cf2-b5c1-20928983063c", + "description": "The logging server.", + "props": [{ "name": "asset-id", "value": "asset-id-logging-server" }], + "responsible-parties": [ + { + "role-id": "asset-administrator", + "party-uuids": ["833ac398-5c9a-4e6b-acba-2a9c11399da0"] + }, + { + "role-id": "asset-owner", + "party-uuids": ["3b2a5599-cc37-403f-ae36-5708fa804b27"] + } + ], + "implemented-components": [ + { + "component-uuid": "e00acdcf-911b-437d-a42f-b0b558cc4f03", + "props": [{ "name": "asset-id", "value": "logging-server" }] + }, + { + "component-uuid": "795533ab-9427-4abe-820f-0b571bacfe6d", + "props": [{ "name": "asset-id", "value": "legal policy" }] + } + ] + } + ], + "remarks": "This is a partial implementation that addresses the logging server portion of the auditing system." + }, + "control-implementation": { + "description": "This is the control implementation for the system.", + "implemented-requirements": [ + { + "uuid": "aaadb3ff-6ae8-4332-92db-211468c52af2", + "control-id": "au-1", + "statements": [ + { + "statement-id": "au-1_smt", + "uuid": "7ad47329-dc55-4196-a19d-178a8fe7438d" + }, + { + "statement-id": "au-1_smt.a", + "uuid": "f3887a91-9ed3-425c-b305-21e4634a1c34", + "by-components": [ + { + "component-uuid": "795533ab-9427-4abe-820f-0b571bacfe6d", + "uuid": "a74681b2-fbcb-46eb-90fd-0d55aa74ac7b", + "description": "The legal department develops, documents and disseminates this policy to all staff and contractors within the organization.", + "set-parameters": [ + { + "param-id": "au-1_prm_1", + "values": [ + "all staff and contractors within the organization" + ] + } + ] + }, + { + "component-uuid": "941e2a87-46f4-4b3e-9e87-bbd187091ca1", + "uuid": "4f873ce6-dd49-4a46-bd4a-5041c22665f1", + "description": "The IT department created and maintains this procedure. This department disseminates it to all IT staff who administer this system when the staff member is assigned and annually through training.", + "set-parameters": [ + { + "param-id": "au-1_prm_1", + "values": [ + "all IT staff who administer this system when the staff member is assigned and annually through training" + ] + } + ] + }, + { + "component-uuid": "fa39eb84-3014-46b4-b6bc-7da10527c262", + "uuid": "ea85a624-cd21-4c63-abe0-f66087e97241", + "description": "The IT department created and maintains this procedure. This department disseminates it to all IT staff who administer this system when the staff member is assigned and annually through training.", + "set-parameters": [ + { + "param-id": "au-1_prm_1", + "values": [ + "all IT staff who administer this system when the staff member is assigned and annually through training" + ] + } + ] + }, + { + "component-uuid": "4938767c-dd8b-4ea4-b74a-fafffd48ac99", + "uuid": "b5e5823a-844f-4306-a5ab-7e110679e0d5", + "description": "The IT department created and maintains this procedure. This department disseminates it to all IT staff who administer this system when the staff member is assigned and annually through training.", + "set-parameters": [ + { + "param-id": "au-1_prm_1", + "values": [ + "all IT staff who administer this system when the staff member is assigned and annually through training" + ] + } + ] + } + ] + }, + { + "statement-id": "au-1_smt.a.1", + "uuid": "6fe632bd-33aa-4eea-a507-a37f0d212085", + "by-components": [ + { + "component-uuid": "795533ab-9427-4abe-820f-0b571bacfe6d", + "uuid": "2d0a7b08-da7f-4691-b99c-8fd9df02b25c", + "description": "This policy explicitly states the purpose and scope of the policy in Section 1. Roles and responsibilities are described in Section 2. This section also describes responsibilities for organizational coordination. Management commitment and compliance statements are made in the board’s directive memo dated January 1, 2012." + } + ] + }, + { + "statement-id": "au-1_smt.a.2", + "uuid": "dbe9af68-1cd9-4ff1-965b-8f887351d411", + "by-components": [ + { + "component-uuid": "941e2a87-46f4-4b3e-9e87-bbd187091ca1", + "uuid": "dd4fd380-7a2a-4fba-9e98-933ba5cfc04d", + "description": "This process aligns with the enterprise Logging, Monitoring, and Alerting Policy, Version 2.1, October 15, 2018. The following processes work together to fully implement the policy: System Integration Process, Inventory Management Process, Configuration Management, Log Review Process, and Monitoring and Alerting Process" + }, + { + "component-uuid": "fa39eb84-3014-46b4-b6bc-7da10527c262", + "uuid": "3b912d0f-2463-497c-8d8a-72416f38e999", + "description": "This process aligns with the enterprise Logging, Monitoring, and Alerting Policy, Version 2.1, October 15, 2018. The following processes work together to fully implement the policy: System Integration Process, Inventory Management Process, Configuration Management, Log Review Process, and Monitoring and Alerting Process" + }, + { + "component-uuid": "4938767c-dd8b-4ea4-b74a-fafffd48ac99", + "uuid": "226ee2a2-cbdb-498f-8182-94dfa013476c", + "description": "This process aligns with the enterprise Logging, Monitoring, and Alerting Policy, Version 2.1, October 15, 2018. The following processes work together to fully implement the policy: System Integration Process, Inventory Management Process, Configuration Management, Log Review Process, and Monitoring and Alerting Process" + } + ] + }, + { + "statement-id": "au-1_smt.b", + "uuid": "b1773cd6-afc5-4c87-84a7-f182e6be5af9", + "remarks": "N/A" + }, + { + "statement-id": "au-1_smt.b.1", + "uuid": "75873308-f37d-4e89-9c27-29f3dee4b314", + "by-components": [ + { + "component-uuid": "795533ab-9427-4abe-820f-0b571bacfe6d", + "uuid": "23903c59-1327-46f0-9c28-09ec7f144214", + "description": "The legal department reviews this policy annually, and other times as necessary in response to regulatory or organizational changes. The legal department updates the policy as needed based on these reviews.", + "set-parameters": [ + { + "param-id": "au-1_prm_2", + "values": [ + "annually, and other times as necessary in response to regulatory or organizational changes" + ] + } + ] + } + ] + }, + { + "statement-id": "au-1_smt.b.2", + "uuid": "74b5b0f2-9915-4f80-b7cd-379566442ab6", + "by-components": [ + { + "component-uuid": "941e2a87-46f4-4b3e-9e87-bbd187091ca1", + "uuid": "0c45b6e2-f85b-4656-a6cc-2a302d184720", + "description": "The IT department reviews this process annually, and other times as necessary in response to regulatory or organizational changes. The IT department updates the policy as needed based on these reviews.", + "set-parameters": [ + { + "param-id": "au-1_prm_3", + "values": [ + "annually, and other times as necessary in response to regulatory or organizational changes" + ] + } + ] + }, + { + "component-uuid": "fa39eb84-3014-46b4-b6bc-7da10527c262", + "uuid": "094f02ce-4b7a-405c-90a5-ab4d95133f74", + "description": "The IT department reviews this process annually, and other times as necessary in response to regulatory or organizational changes. The IT department updates the policy as needed based on these reviews.", + "set-parameters": [ + { + "param-id": "au-1_prm_3", + "values": [ + "annually, and other times as necessary in response to regulatory or organizational changes" + ] + } + ] + }, + { + "component-uuid": "4938767c-dd8b-4ea4-b74a-fafffd48ac99", + "uuid": "7ec8b7ec-d931-4055-ac74-6d288d636787", + "description": "The IT department reviews this process annually, and other times as necessary in response to regulatory or organizational changes. The IT department updates the policy as needed based on these reviews", + "set-parameters": [ + { + "param-id": "au-1_prm_3", + "values": [ + "annually, and other times as necessary in response to regulatory or organizational changes" + ] + } + ] + } + ] + } + ] + } + ] + }, + "back-matter": { + "resources": [ + { + "uuid": "b78aa3ec-915d-475b-8097-46813fae1825", + "description": "NIST Special Publication 800-53 Revision 4: Moderate Baseline Profile", + "rlinks": [ + { + "href": "../../../nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_MODERATE-baseline_profile.xml", + "media-type": "application/oscal.catalog+xml" + }, + { + "href": "../../../nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_MODERATE-baseline_profile.json", + "media-type": "application/oscal.catalog+json" + }, + { + "href": "../../../nist.gov/SP800-53/rev4/yaml/NIST_SP-800-53_rev4_MODERATE-baseline_profile.yaml", + "media-type": "application/oscal.catalog+yaml" + } + ] + } + ] + } + } +} diff --git a/roscal_lib/tests/ssp/json/ssp-example.json b/roscal_lib/tests/ssp/json/ssp-example.json new file mode 100644 index 0000000..e7588ba --- /dev/null +++ b/roscal_lib/tests/ssp/json/ssp-example.json @@ -0,0 +1,591 @@ +{ + "system-security-plan": { + "uuid": "cff8385f-108e-40a5-8f7a-82f3dc0eaba8", + "metadata": { + "title": "Enterprise Logging and Auditing System Security Plan", + "last-modified": "2024-02-01T13:57:28.355446-04:00", + "version": "1.1", + "oscal-version": "1.1.2", + "roles": [ + { + "id": "legal-officer", + "title": "Legal Officer" + }, + { + "id": "maintainer", + "title": "System Maintainer" + }, + { + "id": "asset-owner", + "title": "System Assets Owner" + }, + { + "id": "provider", + "title": "System Provider" + }, + { + "id": "asset-administrator", + "title": "System Assets Admin" + } + ], + "parties": [ + { + "uuid": "3b2a5599-cc37-403f-ae36-5708fa804b27", + "type": "organization", + "name": "Enterprise Asset Owners" + }, + { + "uuid": "833ac398-5c9a-4e6b-acba-2a9c11399da0", + "type": "organization", + "name": "Enterprise Asset Administrators" + }, + { + "uuid": "ec485dcf-2519-43f5-8e7d-014cc315332d", + "type": "organization", + "name": "Legal Department" + }, + { + "uuid": "0f0c15ed-565e-4ce9-8670-b54853d0bf03", + "type": "organization", + "name": "IT Department" + }, + { + "uuid": "96c362ee-a012-4e07-92f3-486ab303b0e7", + "type": "organization", + "name": "Acme Corp" + } + ] + }, + "import-profile": { + "href": "#b78aa3ec-915d-475b-8097-46813fae1825" + }, + "system-characteristics": { + "system-ids": [ + { + "identifier-type": "https://ietf.org/rfc/rfc4122", + "id": "d7456980-9277-4dcb-83cf-f8ff0442623b" + } + ], + "system-name": "Enterprise Logging and Auditing System", + "description": "This is an example of a system that provides enterprise logging and log auditing capabilities.", + "props": [ + { + "name": "cloud-deployment-model", + "value": "private-cloud" + }, + { + "name": "cloud-service-model", + "value": "iaas" + } + ], + "security-sensitivity-level": "moderate", + "system-information": { + "information-types": [ + { + "uuid": "7d28ac6e-5970-4f4c-a508-5a3715f0f02b", + "title": "System and Network Monitoring", + "description": "This system maintains historical logging and auditing information for all client devices connected to this system.", + "categorizations": [ + { + "system": "https://doi.org/10.6028/NIST.SP.800-60v2r1", + "information-type-ids": [ + "C.3.5.8" + ] + } + ], + "confidentiality-impact": { + "base": "fips-199-moderate" + }, + "integrity-impact": { + "base": "fips-199-moderate" + }, + "availability-impact": { + "base": "fips-199-low" + } + } + ] + }, + "security-impact-level": { + "security-objective-confidentiality": "fips-199-moderate", + "security-objective-integrity": "fips-199-moderate", + "security-objective-availability": "fips-199-low" + }, + "status": { + "state": "other", + "remarks": "This is an example, and is not intended to be implemented as a system" + }, + "authorization-boundary": { + "description": "The description of the authorization boundary would go here." + } + }, + "system-implementation": { + "users": [ + { + "uuid": "9824089b-322c-456f-86c4-4111c4200f69", + "title": "System Administrator", + "props": [ + { + "name": "type", + "value": "internal" + } + ], + "role-ids": [ + "asset-administrator" + ] + }, + { + "uuid": "9824089b-322c-456f-86c4-4111c4200f62", + "title": "System Maintainer", + "props": [ + { + "name": "type", + "value": "internal" + } + ], + "role-ids": [ + "maintainer" + ] + }, + { + "uuid": "ae8de94c-835d-4303-83b1-114b6a117a07", + "title": "Audit Team", + "props": [ + { + "name": "type", + "value": "internal" + } + ], + "role-ids": [ + "asset-owner" + ] + }, + { + "uuid": "372ce7a3-92b0-437e-a98c-24d29f9bfab8", + "title": "Legal Department", + "props": [ + { + "name": "type", + "value": "internal" + } + ], + "role-ids": [ + "legal-officer" + ] + }, + { + "uuid": "372ce7a3-92b0-437e-a98c-55d29f9bfab8", + "title": "Provider", + "props": [ + { + "name": "type", + "value": "internal" + } + ], + "role-ids": [ + "provider" + ] + } + ], + "components": [ + { + "uuid": "74042245-3db1-4f4d-be9a-ceb62d81152c", + "type": "this-system", + "title": "This System", + "description": "The system described by this SSP.", + "status": { + "state": "operational" + } + }, + { + "uuid": "e00acdcf-911b-437d-a42f-b0b558cc4f03", + "type": "software", + "title": "Logging Server", + "description": "Provides a means for hosts to publish logged events to a central server.", + "status": { + "state": "operational" + }, + "responsible-roles": [ + { + "role-id": "provider", + "party-uuids": [ + "96c362ee-a012-4e07-92f3-486ab303b0e7" + ] + }, + { + "role-id": "asset-owner", + "party-uuids": [ + "3b2a5599-cc37-403f-ae36-5708fa804b27" + ] + }, + { + "role-id": "asset-administrator", + "party-uuids": [ + "833ac398-5c9a-4e6b-acba-2a9c11399da0" + ] + } + ] + }, + { + "uuid": "795533ab-9427-4abe-820f-0b571bacfe6d", + "type": "policy", + "title": "Enterprise Logging, Monitoring, and Alerting Policy", + "description": "Requires all components to send logs to the enterprise logging solution\n\n* Requires all components synchronize their time with the appropriate enterprise time service, and at what frequency. \n* Identifies the events that must be captured \n* Identifies who is responsible/accountable for performing these functions \n", + "props": [ + { + "name": "version", + "value": "2.1" + }, + { + "name": "release-date", + "value": "2018-10-15" + } + ], + "status": { + "state": "operational" + }, + "responsible-roles": [ + { + "role-id": "maintainer", + "party-uuids": [ + "ec485dcf-2519-43f5-8e7d-014cc315332d" + ] + } + ] + }, + { + "uuid": "941e2a87-46f4-4b3e-9e87-bbd187091ca1", + "type": "process", + "title": "System Integration Process", + "description": "Ensures proper integration into the enterprise as new systems are brought into production.", + "props": [ + { + "name": "release-date", + "value": "2018-10-15" + } + ], + "links": [ + { + "href": "#795533ab-9427-4abe-820f-0b571bacfe6d", + "rel": "implements-policy", + "text": "Ensures logs from components in new system are able to published to the logging server. Ensures log monitoring capabilities recognize new system as authorized." + } + ], + "status": { + "state": "operational" + }, + "responsible-roles": [ + { + "role-id": "maintainer", + "party-uuids": [ + "0f0c15ed-565e-4ce9-8670-b54853d0bf03" + ] + } + ] + }, + { + "uuid": "fa39eb84-3014-46b4-b6bc-7da10527c262", + "type": "process", + "title": "Inventory Management Process", + "description": "Describes how new components are introduced into the system - ensures monitoring teams know about every asset that should be producing logs, thus should be monitored.", + "props": [ + { + "name": "release-date", + "value": "2018-10-15" + } + ], + "links": [ + { + "href": "#795533ab-9427-4abe-820f-0b571bacfe6d", + "rel": "implements-policy", + "text": "Ensures that all host are known and authorized. Ensures that these hosts publish log events to the logging server." + } + ], + "status": { + "state": "operational" + }, + "responsible-roles": [ + { + "role-id": "maintainer", + "party-uuids": [ + "0f0c15ed-565e-4ce9-8670-b54853d0bf03" + ] + } + ] + }, + { + "uuid": "4938767c-dd8b-4ea4-b74a-fafffd48ac99", + "type": "guidance", + "title": "Configuration Management Guidance", + "description": "Describes how to configure a component to ensure its logs are transmitted to Splunk in the appropriate format. Also describes how to configure time synchronization.", + "props": [ + { + "name": "release-date", + "value": "2018-10-15" + } + ], + "links": [ + { + "href": "#795533ab-9427-4abe-820f-0b571bacfe6d", + "rel": "implements-policy", + "text": "Ensures that all host are configured to publish log events to the logging server." + } + ], + "status": { + "state": "operational" + }, + "responsible-roles": [ + { + "role-id": "maintainer", + "party-uuids": [ + "0f0c15ed-565e-4ce9-8670-b54853d0bf03" + ] + } + ] + } + ], + "inventory-items": [ + { + "uuid": "c9c32657-a0eb-4cf2-b5c1-20928983063c", + "description": "The logging server.", + "props": [ + { + "name": "asset-id", + "value": "asset-id-logging-server" + } + ], + "responsible-parties": [ + { + "role-id": "asset-administrator", + "party-uuids": [ + "833ac398-5c9a-4e6b-acba-2a9c11399da0" + ] + }, + { + "role-id": "asset-owner", + "party-uuids": [ + "3b2a5599-cc37-403f-ae36-5708fa804b27" + ] + } + ], + "implemented-components": [ + { + "component-uuid": "e00acdcf-911b-437d-a42f-b0b558cc4f03", + "props": [ + { + "name": "asset-id", + "value": "logging-server" + } + ] + }, + { + "component-uuid": "795533ab-9427-4abe-820f-0b571bacfe6d", + "props": [ + { + "name": "asset-id", + "value": "legal policy" + } + ] + } + ] + } + ], + "remarks": "This is a partial implementation that addresses the logging server portion of the auditing system." + }, + "control-implementation": { + "description": "This is the control implementation for the system.", + "implemented-requirements": [ + { + "uuid": "aaadb3ff-6ae8-4332-92db-211468c52af2", + "control-id": "au-1", + "statements": [ + { + "statement-id": "au-1_smt", + "uuid": "7ad47329-dc55-4196-a19d-178a8fe7438d" + }, + { + "statement-id": "au-1_smt.a", + "uuid": "f3887a91-9ed3-425c-b305-21e4634a1c34", + "by-components": [ + { + "component-uuid": "795533ab-9427-4abe-820f-0b571bacfe6d", + "uuid": "a74681b2-fbcb-46eb-90fd-0d55aa74ac7b", + "description": "The legal department develops, documents and disseminates this policy to all staff and contractors within the organization.", + "set-parameters": [ + { + "param-id": "au-1_prm_1", + "values": [ + "all staff and contractors within the organization" + ] + } + ] + }, + { + "component-uuid": "941e2a87-46f4-4b3e-9e87-bbd187091ca1", + "uuid": "4f873ce6-dd49-4a46-bd4a-5041c22665f1", + "description": "The IT department created and maintains this procedure. This department disseminates it to all IT staff who administer this system when the staff member is assigned and annually through training.", + "set-parameters": [ + { + "param-id": "au-1_prm_1", + "values": [ + "all IT staff who administer this system when the staff member is assigned and annually through training" + ] + } + ] + }, + { + "component-uuid": "fa39eb84-3014-46b4-b6bc-7da10527c262", + "uuid": "ea85a624-cd21-4c63-abe0-f66087e97241", + "description": "The IT department created and maintains this procedure. This department disseminates it to all IT staff who administer this system when the staff member is assigned and annually through training.", + "set-parameters": [ + { + "param-id": "au-1_prm_1", + "values": [ + "all IT staff who administer this system when the staff member is assigned and annually through training" + ] + } + ] + }, + { + "component-uuid": "4938767c-dd8b-4ea4-b74a-fafffd48ac99", + "uuid": "b5e5823a-844f-4306-a5ab-7e110679e0d5", + "description": "The IT department created and maintains this procedure. This department disseminates it to all IT staff who administer this system when the staff member is assigned and annually through training.", + "set-parameters": [ + { + "param-id": "au-1_prm_1", + "values": [ + "all IT staff who administer this system when the staff member is assigned and annually through training" + ] + } + ] + } + ] + }, + { + "statement-id": "au-1_smt.a.1", + "uuid": "6fe632bd-33aa-4eea-a507-a37f0d212085", + "by-components": [ + { + "component-uuid": "795533ab-9427-4abe-820f-0b571bacfe6d", + "uuid": "2d0a7b08-da7f-4691-b99c-8fd9df02b25c", + "description": "This policy explicitly states the purpose and scope of the policy in Section 1. Roles and responsibilities are described in Section 2. This section also describes responsibilities for organizational coordination. Management commitment and compliance statements are made in the board’s directive memo dated January 1, 2012." + } + ] + }, + { + "statement-id": "au-1_smt.a.2", + "uuid": "dbe9af68-1cd9-4ff1-965b-8f887351d411", + "by-components": [ + { + "component-uuid": "941e2a87-46f4-4b3e-9e87-bbd187091ca1", + "uuid": "dd4fd380-7a2a-4fba-9e98-933ba5cfc04d", + "description": "This process aligns with the enterprise Logging, Monitoring, and Alerting Policy, Version 2.1, October 15, 2018. The following processes work together to fully implement the policy: System Integration Process, Inventory Management Process, Configuration Management, Log Review Process, and Monitoring and Alerting Process" + }, + { + "component-uuid": "fa39eb84-3014-46b4-b6bc-7da10527c262", + "uuid": "3b912d0f-2463-497c-8d8a-72416f38e999", + "description": "This process aligns with the enterprise Logging, Monitoring, and Alerting Policy, Version 2.1, October 15, 2018. The following processes work together to fully implement the policy: System Integration Process, Inventory Management Process, Configuration Management, Log Review Process, and Monitoring and Alerting Process" + }, + { + "component-uuid": "4938767c-dd8b-4ea4-b74a-fafffd48ac99", + "uuid": "226ee2a2-cbdb-498f-8182-94dfa013476c", + "description": "This process aligns with the enterprise Logging, Monitoring, and Alerting Policy, Version 2.1, October 15, 2018. The following processes work together to fully implement the policy: System Integration Process, Inventory Management Process, Configuration Management, Log Review Process, and Monitoring and Alerting Process" + } + ] + }, + { + "statement-id": "au-1_smt.b", + "uuid": "b1773cd6-afc5-4c87-84a7-f182e6be5af9", + "remarks": "N/A" + }, + { + "statement-id": "au-1_smt.b.1", + "uuid": "75873308-f37d-4e89-9c27-29f3dee4b314", + "by-components": [ + { + "component-uuid": "795533ab-9427-4abe-820f-0b571bacfe6d", + "uuid": "23903c59-1327-46f0-9c28-09ec7f144214", + "description": "The legal department reviews this policy annually, and other times as necessary in response to regulatory or organizational changes. The legal department updates the policy as needed based on these reviews.", + "set-parameters": [ + { + "param-id": "au-1_prm_2", + "values": [ + "annually, and other times as necessary in response to regulatory or organizational changes" + ] + } + ] + } + ] + }, + { + "statement-id": "au-1_smt.b.2", + "uuid": "74b5b0f2-9915-4f80-b7cd-379566442ab6", + "by-components": [ + { + "component-uuid": "941e2a87-46f4-4b3e-9e87-bbd187091ca1", + "uuid": "0c45b6e2-f85b-4656-a6cc-2a302d184720", + "description": "The IT department reviews this process annually, and other times as necessary in response to regulatory or organizational changes. The IT department updates the policy as needed based on these reviews.", + "set-parameters": [ + { + "param-id": "au-1_prm_3", + "values": [ + "annually, and other times as necessary in response to regulatory or organizational changes" + ] + } + ] + }, + { + "component-uuid": "fa39eb84-3014-46b4-b6bc-7da10527c262", + "uuid": "094f02ce-4b7a-405c-90a5-ab4d95133f74", + "description": "The IT department reviews this process annually, and other times as necessary in response to regulatory or organizational changes. The IT department updates the policy as needed based on these reviews.", + "set-parameters": [ + { + "param-id": "au-1_prm_3", + "values": [ + "annually, and other times as necessary in response to regulatory or organizational changes" + ] + } + ] + }, + { + "component-uuid": "4938767c-dd8b-4ea4-b74a-fafffd48ac99", + "uuid": "7ec8b7ec-d931-4055-ac74-6d288d636787", + "description": "The IT department reviews this process annually, and other times as necessary in response to regulatory or organizational changes. The IT department updates the policy as needed based on these reviews", + "set-parameters": [ + { + "param-id": "au-1_prm_3", + "values": [ + "annually, and other times as necessary in response to regulatory or organizational changes" + ] + } + ] + } + ] + } + ] + } + ] + }, + "back-matter": { + "resources": [ + { + "uuid": "b78aa3ec-915d-475b-8097-46813fae1825", + "description": "NIST Special Publication 800-53 Revision 4: Moderate Baseline Profile", + "rlinks": [ + { + "href": "../../../nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_MODERATE-baseline_profile.xml", + "media-type": "application/oscal.catalog+xml" + }, + { + "href": "../../../nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_MODERATE-baseline_profile.json", + "media-type": "application/oscal.catalog+json" + }, + { + "href": "../../../nist.gov/SP800-53/rev4/yaml/NIST_SP-800-53_rev4_MODERATE-baseline_profile.yaml", + "media-type": "application/oscal.catalog+yaml" + } + ] + } + ] + } + } +} diff --git a/roscal_lib/tests/ssp/yaml/ifa_ssp-example.yaml b/roscal_lib/tests/ssp/yaml/ifa_ssp-example.yaml new file mode 100644 index 0000000..73f39c6 --- /dev/null +++ b/roscal_lib/tests/ssp/yaml/ifa_ssp-example.yaml @@ -0,0 +1,286 @@ +system-security-plan: + uuid: 5e139edd-86aa-4b65-8431-1192bd276658 + metadata: + title: IFA GoodRead System Security Plan + published: "2023-05-19T14:46:54-04:00" + last-modified: "2024-03-01T13:57:28.355446-04:00" + version: "1.1" + oscal-version: 1.1.2 + roles: + - id: owner + title: IFA GoodRead Owner + - id: developer + title: IFA GoodRead Developer + - id: system-engineer + title: IFA GoodRead System Engineer + - id: public-affairs-office + title: IFA Public Affairs Office + parties: + - uuid: ba9c12bd-e5ef-46b6-95a2-4d8e7f864c1a + type: person + name: Owen Stilskin + member-of-organizations: + - 3a675986-b4ff-4030-b178-e953c2e55d64 + - uuid: 67c04291-dbf6-495a-a3ba-0011638acc94 + type: person + name: Juno Styles + member-of-organizations: + - 3a675986-b4ff-4030-b178-e953c2e55d64 + - uuid: 4ba3f2b7-e894-48d7-b940-91c68661df55 + type: person + name: Xavier Jones + member-of-organizations: + - 3a675986-b4ff-4030-b178-e953c2e55d64 + - uuid: 3a675986-b4ff-4030-b178-e953c2e55d64 + type: organization + name: Important Federal Agency + short-name: IFA + links: + - href: https://www.ifa.gov + rel: website + responsible-parties: + - role-id: owner + party-uuids: + - ba9c12bd-e5ef-46b6-95a2-4d8e7f864c1a + - role-id: developer + party-uuids: + - 67c04291-dbf6-495a-a3ba-0011638acc94 + - role-id: system-engineer + party-uuids: + - 4ba3f2b7-e894-48d7-b940-91c68661df55 + import-profile: + href: ../select/profile.oscal.json + system-characteristics: + system-ids: + - identifier-type: http://ietf.org/rfc/rfc4122 + id: 8101e04d-8305-4e73-bb95-6b59f645b143 + system-name: IFA GoodRead + description: This system acts as a link shortener for IFA employees + date-authorized: "2023-05-19" + security-sensitivity-level: moderate + system-information: + information-types: + - uuid: bccfbb65-a7f3-41ac-989f-01d96eddfdc7 + title: User-provided Links + description: This system maintains a set of user-provided links and their associated shortlinks + categorizations: + - system: https://doi.org/10.6028/NIST.SP.800-60v2r1 + information-type-ids: + - C.2.8.12 + confidentiality-impact: + base: fips-199-low + integrity-impact: + base: fips-199-low + selected: fips-199-moderate + adjustment-justification: Maliciously modified links are a concern + availability-impact: + base: fips-199-low + security-impact-level: + security-objective-confidentiality: low + security-objective-integrity: medium + security-objective-availability: low + status: + state: operational + authorization-boundary: + description: This section describes an attached diagram of the authorization boundary for IFA GoodRead Project's information system. + network-architecture: + description: This section describes an attached diagram of the network architecture for IFA GoodRead Project's information system. + data-flow: + description: This section describes an attached diagram of various dataflows for application and related elements of the IFA GoodRead Project's information system. + system-implementation: + users: + - uuid: 00d323d3-dc3f-4d93-900f-f13430e094d3 + title: Application Administrator + description: The developer of the application supports IFA Public Affairs Officers by administering the application and its infrastructure. + role-ids: + - developer + authorized-privileges: + - title: Application Administrator Privilege + functions-performed: + - user-creation + - user-enablement + - user-disablement + - user-role-modification + - popular-shortlink-cache-reset + - database-export + - database-migration + - uuid: 61405ba7-edb4-4243-8461-79aac5805e5c + title: Public Affairs Officers + description: IFA Public Affairs Officers (PAOs) in each division of the agency review public communications to citizens who are customers of the IFA. PAOs review requests from colleagues to generate and publish content that is the target of a shortlink and can unpublish shortlinks. + role-ids: + - public-affairs-office + authorized-privileges: + - title: Public Affairs Officer Privilege + functions-performed: + - shortlink-generation + - shortlink-approval + - shortlink-rejection + - shortlink-publication + - shortlink-unpublication + - uuid: fb36760a-143d-490b-8fc4-6a8c172fba86 + title: General Public + description: The general public is free to click on shortlinks + authorized-privileges: + - title: General Public Privilege + functions-performed: + - shortlink-view + components: + - uuid: 551b9706-d6a4-4d25-8207-f2ccec548b89 + type: this-system + title: IFA GoodRead System + description: 'IFA develops, operates, and maintains the GoodRead link shortener system to ' + status: + state: operational + responsible-roles: + - role-id: developer + party-uuids: + - 67c04291-dbf6-495a-a3ba-0011638acc94 + - role-id: system-engineer + party-uuids: + - 4ba3f2b7-e894-48d7-b940-91c68661df55 + inventory-items: + - uuid: 4392599a-9117-416a-87d1-24c7d1b2dd0b + description: This is the custom GoodRead application within the system. + props: + - name: software-name + value: IFA GoodRead + class: webserver-application + - name: software-version + value: 1.0.0 + class: webserver-application + - name: asset-type + value: web-server + class: webserver-application + implemented-components: + - component-uuid: 551b9706-d6a4-4d25-8207-f2ccec548b89 + props: + - name: asset-id + value: IFAGOV-SYSTEM1234-GOODREAD + - uuid: d911b560-f564-4715-8d2a-76f86127ac73 + description: This is the web application framework upon which the developer writes the custom GoodRead application for the user interface and API of this system. + props: + - name: software-name + value: Django Framework + class: webserver-framework + - name: software-version + value: 4.2.1 + class: webserver-framework + - name: asset-type + value: web-server + class: webserver-framework + implemented-components: + - component-uuid: 551b9706-d6a4-4d25-8207-f2ccec548b89 + props: + - name: asset-id + value: IFAGOV-SYSTEM1234-GOODREAD + - uuid: 3e3a8d9a-e3d6-4c7d-b59b-a8d6514fa4a2 + description: This is the database for the custom GoodRead application within the system. + props: + - name: software-name + value: PostgreSQL + class: database + - name: software-version + value: "15.3" + class: database + - name: asset-type + value: database + class: database + implemented-components: + - component-uuid: 551b9706-d6a4-4d25-8207-f2ccec548b89 + props: + - name: asset-id + value: IFAGOV-SYSTEM1234-GOODREAD + - uuid: 0fb95c4c-ebfd-492e-8145-363eb7947dbe + description: This is the operating system for the web server that runs the custom GoodRead application within the system. + props: + - name: software-name + value: Red Hat Enterprise Linux 9 + class: operating-system + - name: asset-type + value: operating-system + class: operating-system + implemented-components: + - component-uuid: 551b9706-d6a4-4d25-8207-f2ccec548b89 + props: + - name: asset-id + value: IFAGOV-SYSTEM1234-GOODREAD + - uuid: cd39f700-23ab-4574-a17e-c9c8f073cbec + description: This inventory item is an instance from the AwesomeCloud Awesome Compute Service (ACS) Service. It is a Linux server. + props: + - name: asset-id + value: instance-abcd1234 + class: linux-server + - name: ipv4-address + value: 172.1.2.3 + class: linux-server + - name: ipv4-address + value: 1.1.2.3 + class: linux-server + - name: uri + value: instance-abcd1234.acs.awesomecloud.systems + class: linux-server + - name: asset-type + value: appliance + class: linux-server + implemented-components: + - component-uuid: 551b9706-d6a4-4d25-8207-f2ccec548b89 + props: + - name: asset-id + value: IFAGOV-SYSTEM1234-GOODREAD + - uuid: d9550535-40b9-4d8b-861c-07aa8786bf43 + description: This inventory item is an instance from the AwesomeCloud Awesome Load Balancer (ALB) Service. It is a Linux server. + props: + - name: asset-type + value: appliance + class: network-load-balancer + - name: asset-id + value: instance-defg7890 + class: linux-server + - name: uri + value: https://instance-defg7890.alb.awesomecloud.systems + class: network-load-balancer + implemented-components: + - component-uuid: 551b9706-d6a4-4d25-8207-f2ccec548b89 + props: + - name: asset-id + value: IFAGOV-SYSTEM1234-GOODREAD + control-implementation: + description: This is the control implementation for the application and infrastructure that compose to the IFA GoodRead Project's system. + set-parameters: + - param-id: ac-06.01_odp.01 + values: + - individuals and roles with authorized access to security functions and security-relevant information are defined and not available to all users of the system; + - param-id: ac-06.01_odp.02 + values: + - security functions (deployed in hardware) for authorized access are defined; + - param-id: ac-06.01_odp.03 + values: + - security functions (deployed in soware) for authorized access are defined; + - param-id: ac-06.01_odp.04 + values: + - security functions (deployed in firmware) for authorized access are defined; + - param-id: ac-06.01_odp.05 + values: + - security-relevant information for authorized access is defined; + implemented-requirements: + - uuid: d5f9b263-965d-440b-99e7-77f5df670a11 + control-id: ac-6.1 + by-components: + - component-uuid: 551b9706-d6a4-4d25-8207-f2ccec548b89 + uuid: a4c2d318-26a9-49df-9818-ee0acaf066f2 + description: |- + The IFA GoodRead application and infrastructure are composed as designed and implemented with lease privilege for the elements of this system. + + For the IFA GoodRead application, the custom application is designed and implemented on top of the Django Framework to enforce least privilege. The application has a role for IFA Public Affairs Officers and one for the developers for privileged permissions, respectively. Only the latter can access or change administrative and security configurations and related data. + + The Django Framework and Django REST Framework (DRF), by default, allows any user with the `is_staff` role attribute to access administrative functions in an application using the framework. IFA GoodRead developers have disabled this behavior, relying on the custom roles identified in the relevant section. + + For the IFA GoodRead database, the system account and accredentials for the application to read and write to the system datastore has specific read and write authorization for specific tables. This database service account does not have full administrative permissions to add, modify, or delete all respective tables. For the production environment, only the IFA GoodRead developer has a dedicated account with equivalent permissions. Only local network socket access, within in the Linux server, is permitted by host firewall configuration. Remote access, privileged or unprivileged, is not allowed remotely and the system engineer must locally authenticate for access. + + For the RedHat Linux server upon which the IFA GoodRead application is deployed in this system, only the system engineer has a non-privileged user to log in remotely via the SSH protocol to perform ad-hoc inspection, monthly log review as required by policy and procedure, and emergency debugging of the system. Privileged system administration operations may only be performed with the `sudo` subsystem which requires a password, two-factor authentication, and has enhanced logging of all commands executed. The system engineer must log in remotely and then use `sudo` to elevate privileges. Remote access with the privileged account is prohibited by configuration and attempts are logged. + + For this remote SSH access, least privilege is additionally enforced by allowing this access via a specific network zone in the IFA GoodRead AwesomeCloud account accessible to only the system engineer via IFA's VPN solution, which requires the system engineer use a dedicated account with their own password and two-factor authentication token. + + For cloud account and API access to reconfigure the Linux server and its load balancer, administrative access is only allowed for the system engineer via a special AwesomeCloud IAM role. The authentication and authorization for this role is controlled by an integration with the organization's single sign-on solution. This solution will only be accessible and correctly execute for them when they are on the VPN with their account with traffic forwarded to the appropriate network zone in the IFA GoodRead account in AwesomeCloud. It will not work the developer or any staff users of the application. + implementation-status: + state: implemented diff --git a/roscal_lib/tests/ssp/yaml/oscal_leveraged-example_ssp.yaml b/roscal_lib/tests/ssp/yaml/oscal_leveraged-example_ssp.yaml new file mode 100644 index 0000000..4115237 --- /dev/null +++ b/roscal_lib/tests/ssp/yaml/oscal_leveraged-example_ssp.yaml @@ -0,0 +1,199 @@ +system-security-plan: + uuid: d197545f-353f-407b-9166-ebf959774c5a + metadata: + title: CSP IaaS System Security Plan + last-modified: "2024-02-01T13:57:28.355446-04:00" + version: "0.3" + oscal-version: 1.1.2 + roles: + - id: admin + title: Administrator + - id: customer + title: External Customer + - id: poc-for-customers + title: Internal POC for Customers + parties: + - uuid: 11111111-0000-4000-9000-100000000001 + type: person + remarks: Leveraged Authorization POC + - uuid: 11111111-0000-4000-9000-100000000002 + type: person + import-profile: + href: '#6b45e2a5-b238-4752-ba12-cfd6ef2a83df' + system-characteristics: + system-ids: + - id: csp_iaas_system + system-name: Leveraged IaaS System + description: "An example of three customers leveraging an authorized SaaS, which is running on an authorized IaaS.\n\n```\n\nCust-A Cust-B Cust-C\n | | |\n +---------+---------+\n |\n +-------------------+\n | Leveraging SaaS |\n +-------------------+\n |\n |\n +-------------------+\n | Leveraged IaaS |\n | this file |\n +-------------------+\n \n```\n\nIn this example, the IaaS SSP specifies customer responsibilities for certain controls.\n\nThe SaaS must address these for the control to be fully satisfied.\n\nThe SaaS provider may either implement these directly or pass the responsibility on to their customers. Both may be necessary.\n\nFor any given control, the Leveraged IaaS SSP must describe:\n\n1. HOW the IaaS is directly satisfying the control\n1. WHAT responsibilities are left for the Leveraging SaaS (or their customers) to implement.\n\n\nFor any given control, the Leveraging SaaS SSP must describe:\n\n1. WHAT is being inherited from the underlying IaaS\n1. HOW the SaaS is directly satisfying the control.\n1. WHAT responsibilities are left for the SaaS customers to implement. (The SaaS customers are Cust-A, B and C)\n" + security-sensitivity-level: low + system-information: + information-types: + - uuid: 11111111-0000-4000-9000-200000000000 + title: System and Network Monitoring + description: This IaaS system handles information pertaining to audit events. + categorizations: + - system: https://doi.org/10.6028/NIST.SP.800-60v2r1 + information-type-ids: + - C.3.5.8 + confidentiality-impact: + base: fips-199-moderate + selected: fips-199-low + adjustment-justification: This impact has been adjusted to low as an example of how to perform this type of adjustment. + integrity-impact: + base: fips-199-moderate + selected: fips-199-low + adjustment-justification: This impact has been adjusted to low as an example of how to perform this type of adjustment. + availability-impact: + base: fips-199-moderate + selected: fips-199-low + adjustment-justification: This impact has been adjusted to low as an example of how to perform this type of adjustment. + security-impact-level: + security-objective-confidentiality: fips-199-low + security-objective-integrity: fips-199-low + security-objective-availability: fips-199-low + status: + state: operational + authorization-boundary: + description: The hardware and software supporting the virtualized infrastructure supporting the IaaS. + remarks: Most system-characteristics content does not support the example, and is included to meet the minimum SSP syntax requirements. + system-implementation: + users: + - uuid: 11111111-0000-4000-9000-200000000001 + role-ids: + - admin + authorized-privileges: + - title: Administrator + functions-performed: + - Manages the components within the IaaS. + components: + - uuid: 11111111-0000-4000-9001-000000000001 + type: this-system + title: This System + description: |- + This Leveraged IaaS. + + The entire system as depicted in the system authorization boundary + status: + state: operational + - uuid: 11111111-0000-4000-9001-000000000002 + type: software + title: Application + description: |- + An application within the IaaS, exposed to SaaS customers and their downstream customers. + + This Leveraged IaaS maintains aspects of the application. + + The Leveraging SaaS maintains aspects of their assigned portion of the application. + + The customers of the Leveraging SaaS maintain aspects of their sub-assigned portions of the application. + props: + - name: implementation-point + value: internal + status: + state: operational + responsible-roles: + - role-id: admin + party-uuids: + - 11111111-0000-4000-9000-100000000001 + control-implementation: + description: This is a collection of control responses. + implemented-requirements: + - uuid: 11111111-0000-4000-9009-002000000000 + control-id: ac-2 + set-parameters: + - param-id: ac-2_prm_1 + values: + - privileged and non-privileged + statements: + - statement-id: ac-2_stmt.a + uuid: 11111111-0000-4000-9009-002001000000 + by-components: + - component-uuid: 11111111-0000-4000-9001-000000000001 + uuid: 11111111-0000-4000-9009-002001001000 + description: |- + Response for the \"This System\" component. + + Overall description of how \"This System\" satisfies AC-2, Part a. + + Response for the \"This System\" component. + + Overall description of how \"This System\" satisfies AC-2, Part a. + + Response for the \"This System\" component. + + Overall description of how \"This System\" satisfies AC-2, Part a. + + Response for the \"This System\" component. + + Overall description of how \"This System\" satisfies AC-2, Part a. + export: + description: Optional description about what is being exported. + provided: + - uuid: 11111111-0000-4000-9009-002001001001 + description: Consumer-appropriate description of what a leveraging system may inherite from THIS SYSTEM in the context of satisfying satisfaction of AC-2, part a. + responsible-roles: + - role-id: poc-for-customers + party-uuids: + - 11111111-0000-4000-9000-100000000001 + responsibilities: + - uuid: 11111111-0000-4000-9009-002001001002 + provided-uuid: 11111111-0000-4000-9009-002001001001 + description: |- + Leveraging system's responsibilities with respect to inheriting this capability. + + In the context of the application component in satisfaction of AC-2, part a. + responsible-roles: + - role-id: customer + party-uuids: + - 11111111-0000-4000-9000-100000000002 + - component-uuid: 11111111-0000-4000-9001-000000000002 + uuid: 11111111-0000-4000-9009-002001002000 + description: Describes how the application satisfies AC-2, Part a. + export: + description: Optional description about what is being exported. + provided: + - uuid: 11111111-0000-4000-9009-002001002001 + description: |- + Consumer-appropriate description of what may be inherited. + + In the context of the application component in satisfaction of AC-2, part a. + responsible-roles: + - role-id: poc-for-customers + party-uuids: + - 11111111-0000-4000-9000-100000000001 + responsibilities: + - uuid: 11111111-0000-4000-9009-002001002002 + provided-uuid: 11111111-0000-4000-9009-002001002001 + description: |- + Leveraging system's responsibilities with respect to inheriting this capability. + + In the context of the application component in satisfaction of AC-2, part a. + responsible-roles: + - role-id: customer + party-uuids: + - 11111111-0000-4000-9000-100000000002 + remarks: 'a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: privileged and non-privileged];' + remarks: |- + The organization: + + a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types]; + + b. Assigns account managers for information system accounts; + + c. Establishes conditions for group and role membership; + + d. through j. omitted + back-matter: + resources: + - uuid: 11111111-0000-4000-9999-000000000001 + rlinks: + - href: ./attachments/IaaS_ac_proc.docx + - uuid: 6b45e2a5-b238-4752-ba12-cfd6ef2a83df + description: 'NIST Special Publication 800-53 Revision 4: Low Baseline Profile' + rlinks: + - href: ../../../nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_LOW-baseline_profile.xml + media-type: application/oscal.catalog+xml + - href: ../../../nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_LOW-baseline_profile.json + media-type: application/oscal.catalog+json + - href: ../../../nist.gov/SP800-53/rev4/yaml/NIST_SP-800-53_rev4_LOW-baseline_profile.yaml + media-type: application/oscal.catalog+yaml diff --git a/roscal_lib/tests/ssp/yaml/oscal_leveraging-example_ssp.yaml b/roscal_lib/tests/ssp/yaml/oscal_leveraging-example_ssp.yaml new file mode 100644 index 0000000..070ac37 --- /dev/null +++ b/roscal_lib/tests/ssp/yaml/oscal_leveraging-example_ssp.yaml @@ -0,0 +1,210 @@ +system-security-plan: + uuid: bb9219b1-e51c-4680-abb0-616a43bbfbb1 + metadata: + title: Leveraging SaaS System Security Plan + last-modified: "2024-02-01T13:57:28.355446-04:00" + version: "0.3" + oscal-version: 1.1.2 + roles: + - id: admin + title: Administrator + parties: + - uuid: 22222222-0000-4000-9000-100000000001 + type: person + remarks: Leveraging SaaS' Admin + - uuid: 11111111-0000-4000-9000-100000000001 + type: person + remarks: Leveraged Authorization (IaaS) POC + import-profile: + href: '#6b45e2a5-b238-4752-ba12-cfd6ef2a83df' + system-characteristics: + system-ids: + - id: saas_system_iaas_customer + system-name: Leveraging SaaS System + description: "An example of three customers leveraging an authorized SaaS, which is running on an authorized IaaS.\n\n```\n\nCust-A Cust-B Cust-C\n | | |\n +---------+---------+\n |\n +-------------------+\n | Leveraging SaaS |\n | this file |\n +-------------------+\n |\n |\n +-------------------+\n | Leveraged IaaS |\n +-------------------+\n \n```\n\nIn this example, the IaaS SSP (the leveraged SSP) specifies what IaaS provides and the customer's responsibilities for certain controls.\n\nThe SaaS must address these responsibilities for the control to be fully satisfied.\n\nThe SaaS provider may either implement these directly or pass the responsibility on to their customers. Both may be necessary.\n\nFor any given control, the Leveraged IaaS SSP must describe:\n\n1. HOW the IaaS is directly satisfying the control\n1. WHAT responsibilities are left for the Leveraging SaaS (or their customers) to implement.\n\n\nFor any given control, the Leveraging SaaS SSP must describe:\n\n1. WHAT is being inherited from the underlying IaaS\n1. HOW the SaaS is directly satisfying the control.\n1. WHAT responsibilities are left for the SaaS' customers to implement. (The SaaS customers are Cust-A, B and C)\n" + security-sensitivity-level: low + system-information: + information-types: + - uuid: 22222222-0000-4000-9000-200000000000 + title: System and Network Monitoring + description: This system handles information pertaining to audit events. + categorizations: + - system: https://doi.org/10.6028/NIST.SP.800-60v2r1 + information-type-ids: + - C.3.5.8 + confidentiality-impact: + base: fips-199-moderate + selected: fips-199-low + adjustment-justification: This impact has been adjusted to low as an example of how to perform this type of adjustment. + integrity-impact: + base: fips-199-moderate + selected: fips-199-low + adjustment-justification: This impact has been adjusted to low as an example of how to perform this type of adjustment. + availability-impact: + base: fips-199-moderate + selected: fips-199-low + adjustment-justification: This impact has been adjusted to low as an example of how to perform this type of adjustment. + security-impact-level: + security-objective-confidentiality: fips-199-low + security-objective-integrity: fips-199-low + security-objective-availability: fips-199-low + status: + state: operational + authorization-boundary: + description: The virtualized components deployed on the CSP IaaS. + remarks: Most system-characteristics content does not support the example, and is included to meet the minimum SSP syntax requirements. + system-implementation: + leveraged-authorizations: + - uuid: 22222222-0000-4000-9000-300000000001 + title: CSP IaaS [Leveraged System] + links: + - href: '#b3a3079c-ace3-4aae-9acd-d52d418472f2' + rel: oscal-ssp-xml + party-uuid: 11111111-0000-4000-9000-100000000001 + date-authorized: "2018-01-01" + users: + - uuid: 22222222-0000-4000-9000-200000000001 + role-ids: + - admin + authorized-privileges: + - title: Administrator + functions-performed: + - Manages the components within the SaaS. + components: + - uuid: 22222222-0000-4000-9001-000000000001 + type: this-system + title: ' **THIS SYSTEM (SaaS)** ' + description: |- + This Leveraging SaaS. + + The entire system as depicted in the system authorization boundary + status: + state: operational + - uuid: 22222222-0000-4000-9001-000000000002 + type: system + title: ' **LEVERAGED SYSTEM (IaaS)** ' + description: If the leveraged system owner provides a UUID for their system (such as in an OSCAL-based CRM), it should be used as the UUID for this component. + props: + - name: implementation-point + value: external + - name: leveraged-authorization-uuid + value: 22222222-0000-4000-9000-300000000001 + - name: inherited-uuid + value: 11111111-0000-4000-9001-000000000001 + status: + state: operational + - uuid: 22222222-0000-4000-9001-000000000003 + type: appliance + title: Access Control Appliance + description: An access control virtual appliance, wich performs XYZ functions. + props: + - name: implementation-point + value: internal + - name: virtual + value: "yes" + status: + state: operational + - uuid: 22222222-0000-4000-9001-000000000004 + type: application + title: LEVERAGED APPLICATION + description: Inherited from underlying IaaS. + props: + - name: implementation-point + value: external + - name: leveraged-authorization-uuid + value: 22222222-0000-4000-9000-300000000001 + - name: inherited-uuid + value: 11111111-0000-4000-9001-000000000002 + status: + state: operational + control-implementation: + description: This is a collection of control responses. + implemented-requirements: + - uuid: 22222222-0000-4000-9009-002000000000 + control-id: ac-2 + set-parameters: + - param-id: ac-2_prm_1 + values: + - privileged and non-privileged + statements: + - statement-id: ac-2_stmt.a + uuid: 22222222-0000-4000-9009-002001000000 + by-components: + - component-uuid: 22222222-0000-4000-9001-000000000001 + uuid: 22222222-0000-4000-9009-002001001000 + description: |- + Response for the \"This System\" component. + + Overall description of how \"This System\" satisfies AC-2, Part a. + + Response for the \"This System\" component. + + Overall description of how \"This System\" satisfies AC-2, Part a. + + Response for the \"This System\" component. + + Overall description of how \"This System\" satisfies AC-2, Part a. + + Response for the \"This System\" component. + + Overall description of how \"This System\" satisfies AC-2, Part a. + responsible-roles: + - role-id: admin + party-uuids: + - 22222222-0000-4000-9000-100000000001 + - component-uuid: 22222222-0000-4000-9001-000000000002 + uuid: 22222222-0000-4000-9009-002001002000 + description: Describe how this internal virtual appliance satisfies AC-2, Part a. + satisfied: + - uuid: 22222222-0000-4000-9009-002001002001 + responsibility-uuid: 11111111-0000-4000-9009-002001001001 + description: Description that directly addresses how the consumer responsibility was satisfied. + responsible-roles: + - role-id: admin + party-uuids: + - 22222222-0000-4000-9000-100000000001 + - component-uuid: 22222222-0000-4000-9001-000000000003 + uuid: 22222222-0000-4000-9009-002001003000 + description: " *duplicated/tailored description of what was inherited, and description of what was configured.* \n\nConsumer-appropriate description of what may be inherited.\n\nIn the context of the application component in satisfaction of AC-2, part a." + inherited: + - uuid: 22222222-0000-4000-9009-002001002002 + provided-uuid: 11111111-0000-4000-9009-002001002001 + description: "Optional description.\n\n *Possibly duplicated description of what was inherited.* \n\nConsumer-appropriate description of what may be inherited.\n\nIn the context of the application component in satisfaction of AC-2, part a." + satisfied: + - uuid: 22222222-0000-4000-9009-002001002003 + responsibility-uuid: 11111111-0000-4000-9009-002001002002 + description: Description of how the responsibility was satisfied. + remarks: 'a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: privileged and non-privileged];' + remarks: |- + The organization: + + a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types]; + + b. Assigns account managers for information system accounts; + + c. Establishes conditions for group and role membership; + + Omitted: d. through j. + back-matter: + resources: + - uuid: 22222222-0000-4000-9999-000000000001 + rlinks: + - href: ./attachments/SaaS_ac_proc.docx + - uuid: 6b45e2a5-b238-4752-ba12-cfd6ef2a83df + description: 'NIST Special Publication 800-53 Revision 4: Low Baseline Profile' + rlinks: + - href: ../../../nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_LOW-baseline_profile.xml + media-type: application/oscal.catalog+xml + - href: ../../../nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_LOW-baseline_profile.json + media-type: application/oscal.catalog+json + - href: ../../../nist.gov/SP800-53/rev4/yaml/NIST_SP-800-53_rev4_LOW-baseline_profile.yaml + media-type: application/oscal.catalog+yaml + - uuid: b3a3079c-ace3-4aae-9acd-d52d418472f2 + description: Leveraged System Security Plan in OSCAL Data Formats + rlinks: + - href: ../../ssp/xml/oscal_leveraged-example_ssp.xml + media-type: application/oscal.catalog+xml + - href: ../../../ssp/json/nist.gov/SP800-53/rev4/json/oscal_leveraged-example_ssp.json + media-type: application/oscal.catalog+json + - href: ../../../ssp/yaml/oscal_leveraged-example_ssp.yaml + media-type: application/oscal.catalog+yaml diff --git a/roscal_lib/tests/ssp/yaml/ssp-example.yaml b/roscal_lib/tests/ssp/yaml/ssp-example.yaml new file mode 100644 index 0000000..65b3cfa --- /dev/null +++ b/roscal_lib/tests/ssp/yaml/ssp-example.yaml @@ -0,0 +1,326 @@ +system-security-plan: + uuid: cff8385f-108e-40a5-8f7a-82f3dc0eaba8 + metadata: + title: Enterprise Logging and Auditing System Security Plan + last-modified: "2024-02-01T13:57:28.355446-04:00" + version: "1.1" + oscal-version: 1.1.2 + roles: + - id: legal-officer + title: Legal Officer + - id: maintainer + title: System Maintainer + - id: asset-owner + title: System Assets Owner + - id: provider + title: System Provider + - id: asset-administrator + title: System Assets Admin + parties: + - uuid: 3b2a5599-cc37-403f-ae36-5708fa804b27 + type: organization + name: Enterprise Asset Owners + - uuid: 833ac398-5c9a-4e6b-acba-2a9c11399da0 + type: organization + name: Enterprise Asset Administrators + - uuid: ec485dcf-2519-43f5-8e7d-014cc315332d + type: organization + name: Legal Department + - uuid: 0f0c15ed-565e-4ce9-8670-b54853d0bf03 + type: organization + name: IT Department + - uuid: 96c362ee-a012-4e07-92f3-486ab303b0e7 + type: organization + name: Acme Corp + import-profile: + href: '#b78aa3ec-915d-475b-8097-46813fae1825' + system-characteristics: + system-ids: + - identifier-type: https://ietf.org/rfc/rfc4122 + id: d7456980-9277-4dcb-83cf-f8ff0442623b + system-name: Enterprise Logging and Auditing System + description: This is an example of a system that provides enterprise logging and log auditing capabilities. + props: + - name: cloud-deployment-model + value: private-cloud + - name: cloud-service-model + value: iaas + security-sensitivity-level: moderate + system-information: + information-types: + - uuid: 7d28ac6e-5970-4f4c-a508-5a3715f0f02b + title: System and Network Monitoring + description: This system maintains historical logging and auditing information for all client devices connected to this system. + categorizations: + - system: https://doi.org/10.6028/NIST.SP.800-60v2r1 + information-type-ids: + - C.3.5.8 + confidentiality-impact: + base: fips-199-moderate + integrity-impact: + base: fips-199-moderate + availability-impact: + base: fips-199-low + security-impact-level: + security-objective-confidentiality: fips-199-moderate + security-objective-integrity: fips-199-moderate + security-objective-availability: fips-199-low + status: + state: other + remarks: This is an example, and is not intended to be implemented as a system + authorization-boundary: + description: The description of the authorization boundary would go here. + system-implementation: + users: + - uuid: 9824089b-322c-456f-86c4-4111c4200f69 + title: System Administrator + props: + - name: type + value: internal + role-ids: + - asset-administrator + - uuid: 9824089b-322c-456f-86c4-4111c4200f62 + title: System Maintainer + props: + - name: type + value: internal + role-ids: + - maintainer + - uuid: ae8de94c-835d-4303-83b1-114b6a117a07 + title: Audit Team + props: + - name: type + value: internal + role-ids: + - asset-owner + - uuid: 372ce7a3-92b0-437e-a98c-24d29f9bfab8 + title: Legal Department + props: + - name: type + value: internal + role-ids: + - legal-officer + - uuid: 372ce7a3-92b0-437e-a98c-55d29f9bfab8 + title: Provider + props: + - name: type + value: internal + role-ids: + - provider + components: + - uuid: 74042245-3db1-4f4d-be9a-ceb62d81152c + type: this-system + title: This System + description: The system described by this SSP. + status: + state: operational + - uuid: e00acdcf-911b-437d-a42f-b0b558cc4f03 + type: software + title: Logging Server + description: Provides a means for hosts to publish logged events to a central server. + status: + state: operational + responsible-roles: + - role-id: provider + party-uuids: + - 96c362ee-a012-4e07-92f3-486ab303b0e7 + - role-id: asset-owner + party-uuids: + - 3b2a5599-cc37-403f-ae36-5708fa804b27 + - role-id: asset-administrator + party-uuids: + - 833ac398-5c9a-4e6b-acba-2a9c11399da0 + - uuid: 795533ab-9427-4abe-820f-0b571bacfe6d + type: policy + title: Enterprise Logging, Monitoring, and Alerting Policy + description: "Requires all components to send logs to the enterprise logging solution\n\n* Requires all components synchronize their time with the appropriate enterprise time service, and at what frequency. \n* Identifies the events that must be captured \n* Identifies who is responsible/accountable for performing these functions \n" + props: + - name: version + value: "2.1" + - name: release-date + value: "2018-10-15" + status: + state: operational + responsible-roles: + - role-id: maintainer + party-uuids: + - ec485dcf-2519-43f5-8e7d-014cc315332d + - uuid: 941e2a87-46f4-4b3e-9e87-bbd187091ca1 + type: process + title: System Integration Process + description: Ensures proper integration into the enterprise as new systems are brought into production. + props: + - name: release-date + value: "2018-10-15" + links: + - href: '#795533ab-9427-4abe-820f-0b571bacfe6d' + rel: implements-policy + text: Ensures logs from components in new system are able to published to the logging server. Ensures log monitoring capabilities recognize new system as authorized. + status: + state: operational + responsible-roles: + - role-id: maintainer + party-uuids: + - 0f0c15ed-565e-4ce9-8670-b54853d0bf03 + - uuid: fa39eb84-3014-46b4-b6bc-7da10527c262 + type: process + title: Inventory Management Process + description: Describes how new components are introduced into the system - ensures monitoring teams know about every asset that should be producing logs, thus should be monitored. + props: + - name: release-date + value: "2018-10-15" + links: + - href: '#795533ab-9427-4abe-820f-0b571bacfe6d' + rel: implements-policy + text: Ensures that all host are known and authorized. Ensures that these hosts publish log events to the logging server. + status: + state: operational + responsible-roles: + - role-id: maintainer + party-uuids: + - 0f0c15ed-565e-4ce9-8670-b54853d0bf03 + - uuid: 4938767c-dd8b-4ea4-b74a-fafffd48ac99 + type: guidance + title: Configuration Management Guidance + description: Describes how to configure a component to ensure its logs are transmitted to Splunk in the appropriate format. Also describes how to configure time synchronization. + props: + - name: release-date + value: "2018-10-15" + links: + - href: '#795533ab-9427-4abe-820f-0b571bacfe6d' + rel: implements-policy + text: Ensures that all host are configured to publish log events to the logging server. + status: + state: operational + responsible-roles: + - role-id: maintainer + party-uuids: + - 0f0c15ed-565e-4ce9-8670-b54853d0bf03 + inventory-items: + - uuid: c9c32657-a0eb-4cf2-b5c1-20928983063c + description: The logging server. + props: + - name: asset-id + value: asset-id-logging-server + responsible-parties: + - role-id: asset-administrator + party-uuids: + - 833ac398-5c9a-4e6b-acba-2a9c11399da0 + - role-id: asset-owner + party-uuids: + - 3b2a5599-cc37-403f-ae36-5708fa804b27 + implemented-components: + - component-uuid: e00acdcf-911b-437d-a42f-b0b558cc4f03 + props: + - name: asset-id + value: logging-server + - component-uuid: 795533ab-9427-4abe-820f-0b571bacfe6d + props: + - name: asset-id + value: legal policy + remarks: This is a partial implementation that addresses the logging server portion of the auditing system. + control-implementation: + description: This is the control implementation for the system. + implemented-requirements: + - uuid: aaadb3ff-6ae8-4332-92db-211468c52af2 + control-id: au-1 + statements: + - statement-id: au-1_smt + uuid: 7ad47329-dc55-4196-a19d-178a8fe7438d + - statement-id: au-1_smt.a + uuid: f3887a91-9ed3-425c-b305-21e4634a1c34 + by-components: + - component-uuid: 795533ab-9427-4abe-820f-0b571bacfe6d + uuid: a74681b2-fbcb-46eb-90fd-0d55aa74ac7b + description: The legal department develops, documents and disseminates this policy to all staff and contractors within the organization. + set-parameters: + - param-id: au-1_prm_1 + values: + - all staff and contractors within the organization + - component-uuid: 941e2a87-46f4-4b3e-9e87-bbd187091ca1 + uuid: 4f873ce6-dd49-4a46-bd4a-5041c22665f1 + description: The IT department created and maintains this procedure. This department disseminates it to all IT staff who administer this system when the staff member is assigned and annually through training. + set-parameters: + - param-id: au-1_prm_1 + values: + - all IT staff who administer this system when the staff member is assigned and annually through training + - component-uuid: fa39eb84-3014-46b4-b6bc-7da10527c262 + uuid: ea85a624-cd21-4c63-abe0-f66087e97241 + description: The IT department created and maintains this procedure. This department disseminates it to all IT staff who administer this system when the staff member is assigned and annually through training. + set-parameters: + - param-id: au-1_prm_1 + values: + - all IT staff who administer this system when the staff member is assigned and annually through training + - component-uuid: 4938767c-dd8b-4ea4-b74a-fafffd48ac99 + uuid: b5e5823a-844f-4306-a5ab-7e110679e0d5 + description: The IT department created and maintains this procedure. This department disseminates it to all IT staff who administer this system when the staff member is assigned and annually through training. + set-parameters: + - param-id: au-1_prm_1 + values: + - all IT staff who administer this system when the staff member is assigned and annually through training + - statement-id: au-1_smt.a.1 + uuid: 6fe632bd-33aa-4eea-a507-a37f0d212085 + by-components: + - component-uuid: 795533ab-9427-4abe-820f-0b571bacfe6d + uuid: 2d0a7b08-da7f-4691-b99c-8fd9df02b25c + description: This policy explicitly states the purpose and scope of the policy in Section 1. Roles and responsibilities are described in Section 2. This section also describes responsibilities for organizational coordination. Management commitment and compliance statements are made in the board’s directive memo dated January 1, 2012. + - statement-id: au-1_smt.a.2 + uuid: dbe9af68-1cd9-4ff1-965b-8f887351d411 + by-components: + - component-uuid: 941e2a87-46f4-4b3e-9e87-bbd187091ca1 + uuid: dd4fd380-7a2a-4fba-9e98-933ba5cfc04d + description: 'This process aligns with the enterprise Logging, Monitoring, and Alerting Policy, Version 2.1, October 15, 2018. The following processes work together to fully implement the policy: System Integration Process, Inventory Management Process, Configuration Management, Log Review Process, and Monitoring and Alerting Process' + - component-uuid: fa39eb84-3014-46b4-b6bc-7da10527c262 + uuid: 3b912d0f-2463-497c-8d8a-72416f38e999 + description: 'This process aligns with the enterprise Logging, Monitoring, and Alerting Policy, Version 2.1, October 15, 2018. The following processes work together to fully implement the policy: System Integration Process, Inventory Management Process, Configuration Management, Log Review Process, and Monitoring and Alerting Process' + - component-uuid: 4938767c-dd8b-4ea4-b74a-fafffd48ac99 + uuid: 226ee2a2-cbdb-498f-8182-94dfa013476c + description: 'This process aligns with the enterprise Logging, Monitoring, and Alerting Policy, Version 2.1, October 15, 2018. The following processes work together to fully implement the policy: System Integration Process, Inventory Management Process, Configuration Management, Log Review Process, and Monitoring and Alerting Process' + - statement-id: au-1_smt.b + uuid: b1773cd6-afc5-4c87-84a7-f182e6be5af9 + remarks: N/A + - statement-id: au-1_smt.b.1 + uuid: 75873308-f37d-4e89-9c27-29f3dee4b314 + by-components: + - component-uuid: 795533ab-9427-4abe-820f-0b571bacfe6d + uuid: 23903c59-1327-46f0-9c28-09ec7f144214 + description: The legal department reviews this policy annually, and other times as necessary in response to regulatory or organizational changes. The legal department updates the policy as needed based on these reviews. + set-parameters: + - param-id: au-1_prm_2 + values: + - annually, and other times as necessary in response to regulatory or organizational changes + - statement-id: au-1_smt.b.2 + uuid: 74b5b0f2-9915-4f80-b7cd-379566442ab6 + by-components: + - component-uuid: 941e2a87-46f4-4b3e-9e87-bbd187091ca1 + uuid: 0c45b6e2-f85b-4656-a6cc-2a302d184720 + description: The IT department reviews this process annually, and other times as necessary in response to regulatory or organizational changes. The IT department updates the policy as needed based on these reviews. + set-parameters: + - param-id: au-1_prm_3 + values: + - annually, and other times as necessary in response to regulatory or organizational changes + - component-uuid: fa39eb84-3014-46b4-b6bc-7da10527c262 + uuid: 094f02ce-4b7a-405c-90a5-ab4d95133f74 + description: The IT department reviews this process annually, and other times as necessary in response to regulatory or organizational changes. The IT department updates the policy as needed based on these reviews. + set-parameters: + - param-id: au-1_prm_3 + values: + - annually, and other times as necessary in response to regulatory or organizational changes + - component-uuid: 4938767c-dd8b-4ea4-b74a-fafffd48ac99 + uuid: 7ec8b7ec-d931-4055-ac74-6d288d636787 + description: The IT department reviews this process annually, and other times as necessary in response to regulatory or organizational changes. The IT department updates the policy as needed based on these reviews + set-parameters: + - param-id: au-1_prm_3 + values: + - annually, and other times as necessary in response to regulatory or organizational changes + back-matter: + resources: + - uuid: b78aa3ec-915d-475b-8097-46813fae1825 + description: 'NIST Special Publication 800-53 Revision 4: Moderate Baseline Profile' + rlinks: + - href: ../../../nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_MODERATE-baseline_profile.xml + media-type: application/oscal.catalog+xml + - href: ../../../nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_MODERATE-baseline_profile.json + media-type: application/oscal.catalog+json + - href: ../../../nist.gov/SP800-53/rev4/yaml/NIST_SP-800-53_rev4_MODERATE-baseline_profile.yaml + media-type: application/oscal.catalog+yaml diff --git a/rustfmt.toml b/rustfmt.toml new file mode 100644 index 0000000..d010619 --- /dev/null +++ b/rustfmt.toml @@ -0,0 +1,2 @@ +max_width = 80 +tab_spaces = 4 \ No newline at end of file diff --git a/shell.nix b/shell.nix new file mode 100644 index 0000000..64fbdb4 --- /dev/null +++ b/shell.nix @@ -0,0 +1,10 @@ +(import + ( + let lock = builtins.fromJSON (builtins.readFile ./flake.lock); in + fetchTarball { + url = lock.nodes.flake-compat.locked.url or "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz"; + sha256 = lock.nodes.flake-compat.locked.narHash; + } + ) + { src = ./.; } +).shellNix \ No newline at end of file