001package gov.nist.secauto.oscal.lib.model; 002 003import gov.nist.secauto.metaschema.binding.model.annotations.AllowedValue; 004import gov.nist.secauto.metaschema.binding.model.annotations.AllowedValues; 005import gov.nist.secauto.metaschema.binding.model.annotations.BoundAssembly; 006import gov.nist.secauto.metaschema.binding.model.annotations.BoundField; 007import gov.nist.secauto.metaschema.binding.model.annotations.BoundFieldValue; 008import gov.nist.secauto.metaschema.binding.model.annotations.BoundFlag; 009import gov.nist.secauto.metaschema.binding.model.annotations.GroupAs; 010import gov.nist.secauto.metaschema.binding.model.annotations.Matches; 011import gov.nist.secauto.metaschema.binding.model.annotations.MetaschemaAssembly; 012import gov.nist.secauto.metaschema.binding.model.annotations.ValueConstraints; 013import gov.nist.secauto.metaschema.model.common.JsonGroupAsBehavior; 014import gov.nist.secauto.metaschema.model.common.constraint.IConstraint; 015import gov.nist.secauto.metaschema.model.common.datatype.adapter.DateTimeWithTZAdapter; 016import gov.nist.secauto.metaschema.model.common.datatype.adapter.IntegerAdapter; 017import gov.nist.secauto.metaschema.model.common.datatype.adapter.TokenAdapter; 018import gov.nist.secauto.metaschema.model.common.datatype.adapter.UuidAdapter; 019import gov.nist.secauto.metaschema.model.common.datatype.markup.MarkupLine; 020import gov.nist.secauto.metaschema.model.common.datatype.markup.MarkupLineAdapter; 021import gov.nist.secauto.metaschema.model.common.datatype.markup.MarkupMultiline; 022import gov.nist.secauto.metaschema.model.common.datatype.markup.MarkupMultilineAdapter; 023import gov.nist.secauto.metaschema.model.common.util.ObjectUtils; 024import java.lang.Override; 025import java.lang.String; 026import java.time.ZonedDateTime; 027import java.util.LinkedList; 028import java.util.List; 029import java.util.UUID; 030import org.apache.commons.lang3.builder.MultilineRecursiveToStringStyle; 031import org.apache.commons.lang3.builder.ReflectionToStringBuilder; 032 033/** 034 * An identified risk. 035 */ 036@MetaschemaAssembly( 037 formalName = "Identified Risk", 038 description = "An identified risk.", 039 name = "risk", 040 metaschema = OscalAssessmentCommonMetaschema.class 041) 042@ValueConstraints( 043 allowedValues = @AllowedValues(level = IConstraint.Level.ERROR, target = "prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name", values = {@AllowedValue(value = "false-positive", description = "The risk has been confirmed to be a false positive."), @AllowedValue(value = "accepted", description = "The risk has been accepted. No further action will be taken."), @AllowedValue(value = "risk-adjusted", description = "The risk has been adjusted."), @AllowedValue(value = "priority", description = "A numeric value indicating the sequence in which risks should be addressed. (Lower numbers are higher priority)")}), 044 matches = @Matches(level = IConstraint.Level.ERROR, target = "prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='priority']/@value", typeAdapter = IntegerAdapter.class) 045) 046public class Risk { 047 @BoundFlag( 048 formalName = "Risk Universally Unique Identifier", 049 description = "A [machine-oriented](https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented), [globally unique](https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique) identifier with [cross-instance](https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance) scope that can be used to reference this risk elsewhere in [this or other OSCAL instances](https://pages.nist.gov/OSCAL/concepts/identifier-use/#scope). The locally defined *UUID* of the `risk` can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned [per-subject](https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency), which means it should be consistently used to identify the same subject across revisions of the document.", 050 useName = "uuid", 051 required = true, 052 typeAdapter = UuidAdapter.class 053 ) 054 private UUID _uuid; 055 056 /** 057 * "The title for this risk." 058 */ 059 @BoundField( 060 formalName = "Risk Title", 061 description = "The title for this risk.", 062 useName = "title", 063 minOccurs = 1 064 ) 065 @BoundFieldValue( 066 typeAdapter = MarkupLineAdapter.class 067 ) 068 private MarkupLine _title; 069 070 /** 071 * "A human-readable summary of the identified risk, to include a statement of how the risk impacts the system." 072 */ 073 @BoundField( 074 formalName = "Risk Description", 075 description = "A human-readable summary of the identified risk, to include a statement of how the risk impacts the system.", 076 useName = "description", 077 minOccurs = 1 078 ) 079 @BoundFieldValue( 080 typeAdapter = MarkupMultilineAdapter.class 081 ) 082 private MarkupMultiline _description; 083 084 /** 085 * "An summary of impact for how the risk affects the system." 086 */ 087 @BoundField( 088 formalName = "Risk Statement", 089 description = "An summary of impact for how the risk affects the system.", 090 useName = "statement", 091 minOccurs = 1 092 ) 093 @BoundFieldValue( 094 typeAdapter = MarkupMultilineAdapter.class 095 ) 096 private MarkupMultiline _statement; 097 098 @BoundAssembly( 099 formalName = "Property", 100 description = "An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.", 101 useName = "prop", 102 maxOccurs = -1 103 ) 104 @GroupAs( 105 name = "props", 106 inJson = JsonGroupAsBehavior.LIST 107 ) 108 private List<Property> _props; 109 110 @BoundAssembly( 111 formalName = "Link", 112 description = "A reference to a local or remote resource, that has a specific relation to the containing object.", 113 useName = "link", 114 maxOccurs = -1 115 ) 116 @GroupAs( 117 name = "links", 118 inJson = JsonGroupAsBehavior.LIST 119 ) 120 private List<Link> _links; 121 122 @BoundField( 123 formalName = "Risk Status", 124 description = "Describes the status of the associated risk.", 125 useName = "status", 126 minOccurs = 1 127 ) 128 @BoundFieldValue( 129 typeAdapter = TokenAdapter.class 130 ) 131 @ValueConstraints( 132 allowedValues = @AllowedValues(level = IConstraint.Level.ERROR, allowOthers = true, values = {@AllowedValue(value = "open", description = "The risk has been identified."), @AllowedValue(value = "investigating", description = "The identified risk is being investigated. (Open risk)"), @AllowedValue(value = "remediating", description = "Remediation activities are underway, but are not yet complete. (Open risk)"), @AllowedValue(value = "deviation-requested", description = "A risk deviation, such as false positive, risk reduction, or operational requirement has been submitted for approval. (Open risk)"), @AllowedValue(value = "deviation-approved", description = "A risk deviation, such as false positive, risk reduction, or operational requirement has been approved. (Open risk)"), @AllowedValue(value = "closed", description = "The risk has been resolved.")}) 133 ) 134 private String _status; 135 136 @BoundAssembly( 137 formalName = "Origin", 138 description = "Identifies the source of the finding, such as a tool, interviewed person, or activity.", 139 useName = "origin", 140 maxOccurs = -1, 141 remarks = "Used to identify the individual and/or tool that identified this risk." 142 ) 143 @GroupAs( 144 name = "origins", 145 inJson = JsonGroupAsBehavior.LIST 146 ) 147 private List<Origin> _origins; 148 149 @BoundField( 150 formalName = "Threat ID", 151 description = "A pointer, by ID, to an externally-defined threat.", 152 useName = "threat-id", 153 maxOccurs = -1 154 ) 155 @GroupAs( 156 name = "threat-ids", 157 inJson = JsonGroupAsBehavior.LIST 158 ) 159 private List<ThreatId> _threatIds; 160 161 @BoundAssembly( 162 formalName = "Characterization", 163 description = "A collection of descriptive data about the containing object from a specific origin.", 164 useName = "characterization", 165 maxOccurs = -1 166 ) 167 @GroupAs( 168 name = "characterizations", 169 inJson = JsonGroupAsBehavior.LIST 170 ) 171 private List<Characterization> _characterizations; 172 173 /** 174 * "Describes an existing mitigating factor that may affect the overall determination of the risk, with an optional link to an implementation statement in the SSP." 175 */ 176 @BoundAssembly( 177 formalName = "Mitigating Factor", 178 description = "Describes an existing mitigating factor that may affect the overall determination of the risk, with an optional link to an implementation statement in the SSP.", 179 useName = "mitigating-factor", 180 maxOccurs = -1 181 ) 182 @GroupAs( 183 name = "mitigating-factors", 184 inJson = JsonGroupAsBehavior.LIST 185 ) 186 private List<MitigatingFactor> _mitigatingFactors; 187 188 /** 189 * "The date/time by which the risk must be resolved." 190 */ 191 @BoundField( 192 formalName = "Risk Resolution Deadline", 193 description = "The date/time by which the risk must be resolved.", 194 useName = "deadline" 195 ) 196 @BoundFieldValue( 197 typeAdapter = DateTimeWithTZAdapter.class 198 ) 199 private ZonedDateTime _deadline; 200 201 @BoundAssembly( 202 formalName = "Risk Response", 203 description = "Describes either recommended or an actual plan for addressing the risk.", 204 useName = "response", 205 maxOccurs = -1 206 ) 207 @GroupAs( 208 name = "remediations", 209 inJson = JsonGroupAsBehavior.LIST 210 ) 211 private List<Response> _remediations; 212 213 /** 214 * "A log of all risk-related tasks taken." 215 */ 216 @BoundAssembly( 217 formalName = "Risk Log", 218 description = "A log of all risk-related tasks taken.", 219 useName = "risk-log" 220 ) 221 private RiskLog _riskLog; 222 223 /** 224 * "Relates the finding to a set of referenced observations that were used to determine the finding." 225 */ 226 @BoundAssembly( 227 formalName = "Related Observation", 228 description = "Relates the finding to a set of referenced observations that were used to determine the finding.", 229 useName = "related-observation", 230 maxOccurs = -1 231 ) 232 @GroupAs( 233 name = "related-observations", 234 inJson = JsonGroupAsBehavior.LIST 235 ) 236 private List<RelatedObservation> _relatedObservations; 237 238 public Risk() { 239 } 240 241 public UUID getUuid() { 242 return _uuid; 243 } 244 245 public void setUuid(UUID value) { 246 _uuid = value; 247 } 248 249 public MarkupLine getTitle() { 250 return _title; 251 } 252 253 public void setTitle(MarkupLine value) { 254 _title = value; 255 } 256 257 public MarkupMultiline getDescription() { 258 return _description; 259 } 260 261 public void setDescription(MarkupMultiline value) { 262 _description = value; 263 } 264 265 public MarkupMultiline getStatement() { 266 return _statement; 267 } 268 269 public void setStatement(MarkupMultiline value) { 270 _statement = value; 271 } 272 273 public List<Property> getProps() { 274 return _props; 275 } 276 277 public void setProps(List<Property> value) { 278 _props = value; 279 } 280 281 /** 282 * Add a new {@link Property} item to the underlying collection. 283 * @param item the item to add 284 * @return {@code true} 285 */ 286 public boolean addProp(Property item) { 287 Property value = ObjectUtils.requireNonNull(item,"item cannot be null"); 288 if (_props == null) { 289 _props = new LinkedList<>(); 290 } 291 return _props.add(value); 292 } 293 294 /** 295 * Remove the first matching {@link Property} item from the underlying collection. 296 * @param item the item to remove 297 * @return {@code true} if the item was removed or {@code false} otherwise 298 */ 299 public boolean removeProp(Property item) { 300 Property value = ObjectUtils.requireNonNull(item,"item cannot be null"); 301 return _props == null ? false : _props.remove(value); 302 } 303 304 public List<Link> getLinks() { 305 return _links; 306 } 307 308 public void setLinks(List<Link> value) { 309 _links = value; 310 } 311 312 /** 313 * Add a new {@link Link} item to the underlying collection. 314 * @param item the item to add 315 * @return {@code true} 316 */ 317 public boolean addLink(Link item) { 318 Link value = ObjectUtils.requireNonNull(item,"item cannot be null"); 319 if (_links == null) { 320 _links = new LinkedList<>(); 321 } 322 return _links.add(value); 323 } 324 325 /** 326 * Remove the first matching {@link Link} item from the underlying collection. 327 * @param item the item to remove 328 * @return {@code true} if the item was removed or {@code false} otherwise 329 */ 330 public boolean removeLink(Link item) { 331 Link value = ObjectUtils.requireNonNull(item,"item cannot be null"); 332 return _links == null ? false : _links.remove(value); 333 } 334 335 public String getStatus() { 336 return _status; 337 } 338 339 public void setStatus(String value) { 340 _status = value; 341 } 342 343 public List<Origin> getOrigins() { 344 return _origins; 345 } 346 347 public void setOrigins(List<Origin> value) { 348 _origins = value; 349 } 350 351 /** 352 * Add a new {@link Origin} item to the underlying collection. 353 * @param item the item to add 354 * @return {@code true} 355 */ 356 public boolean addOrigin(Origin item) { 357 Origin value = ObjectUtils.requireNonNull(item,"item cannot be null"); 358 if (_origins == null) { 359 _origins = new LinkedList<>(); 360 } 361 return _origins.add(value); 362 } 363 364 /** 365 * Remove the first matching {@link Origin} item from the underlying collection. 366 * @param item the item to remove 367 * @return {@code true} if the item was removed or {@code false} otherwise 368 */ 369 public boolean removeOrigin(Origin item) { 370 Origin value = ObjectUtils.requireNonNull(item,"item cannot be null"); 371 return _origins == null ? false : _origins.remove(value); 372 } 373 374 public List<ThreatId> getThreatIds() { 375 return _threatIds; 376 } 377 378 public void setThreatIds(List<ThreatId> value) { 379 _threatIds = value; 380 } 381 382 /** 383 * Add a new {@link ThreatId} item to the underlying collection. 384 * @param item the item to add 385 * @return {@code true} 386 */ 387 public boolean addThreatId(ThreatId item) { 388 ThreatId value = ObjectUtils.requireNonNull(item,"item cannot be null"); 389 if (_threatIds == null) { 390 _threatIds = new LinkedList<>(); 391 } 392 return _threatIds.add(value); 393 } 394 395 /** 396 * Remove the first matching {@link ThreatId} item from the underlying collection. 397 * @param item the item to remove 398 * @return {@code true} if the item was removed or {@code false} otherwise 399 */ 400 public boolean removeThreatId(ThreatId item) { 401 ThreatId value = ObjectUtils.requireNonNull(item,"item cannot be null"); 402 return _threatIds == null ? false : _threatIds.remove(value); 403 } 404 405 public List<Characterization> getCharacterizations() { 406 return _characterizations; 407 } 408 409 public void setCharacterizations(List<Characterization> value) { 410 _characterizations = value; 411 } 412 413 /** 414 * Add a new {@link Characterization} item to the underlying collection. 415 * @param item the item to add 416 * @return {@code true} 417 */ 418 public boolean addCharacterization(Characterization item) { 419 Characterization value = ObjectUtils.requireNonNull(item,"item cannot be null"); 420 if (_characterizations == null) { 421 _characterizations = new LinkedList<>(); 422 } 423 return _characterizations.add(value); 424 } 425 426 /** 427 * Remove the first matching {@link Characterization} item from the underlying collection. 428 * @param item the item to remove 429 * @return {@code true} if the item was removed or {@code false} otherwise 430 */ 431 public boolean removeCharacterization(Characterization item) { 432 Characterization value = ObjectUtils.requireNonNull(item,"item cannot be null"); 433 return _characterizations == null ? false : _characterizations.remove(value); 434 } 435 436 public List<MitigatingFactor> getMitigatingFactors() { 437 return _mitigatingFactors; 438 } 439 440 public void setMitigatingFactors(List<MitigatingFactor> value) { 441 _mitigatingFactors = value; 442 } 443 444 /** 445 * Add a new {@link MitigatingFactor} item to the underlying collection. 446 * @param item the item to add 447 * @return {@code true} 448 */ 449 public boolean addMitigatingFactor(MitigatingFactor item) { 450 MitigatingFactor value = ObjectUtils.requireNonNull(item,"item cannot be null"); 451 if (_mitigatingFactors == null) { 452 _mitigatingFactors = new LinkedList<>(); 453 } 454 return _mitigatingFactors.add(value); 455 } 456 457 /** 458 * Remove the first matching {@link MitigatingFactor} item from the underlying collection. 459 * @param item the item to remove 460 * @return {@code true} if the item was removed or {@code false} otherwise 461 */ 462 public boolean removeMitigatingFactor(MitigatingFactor item) { 463 MitigatingFactor value = ObjectUtils.requireNonNull(item,"item cannot be null"); 464 return _mitigatingFactors == null ? false : _mitigatingFactors.remove(value); 465 } 466 467 public ZonedDateTime getDeadline() { 468 return _deadline; 469 } 470 471 public void setDeadline(ZonedDateTime value) { 472 _deadline = value; 473 } 474 475 public List<Response> getRemediations() { 476 return _remediations; 477 } 478 479 public void setRemediations(List<Response> value) { 480 _remediations = value; 481 } 482 483 /** 484 * Add a new {@link Response} item to the underlying collection. 485 * @param item the item to add 486 * @return {@code true} 487 */ 488 public boolean addResponse(Response item) { 489 Response value = ObjectUtils.requireNonNull(item,"item cannot be null"); 490 if (_remediations == null) { 491 _remediations = new LinkedList<>(); 492 } 493 return _remediations.add(value); 494 } 495 496 /** 497 * Remove the first matching {@link Response} item from the underlying collection. 498 * @param item the item to remove 499 * @return {@code true} if the item was removed or {@code false} otherwise 500 */ 501 public boolean removeResponse(Response item) { 502 Response value = ObjectUtils.requireNonNull(item,"item cannot be null"); 503 return _remediations == null ? false : _remediations.remove(value); 504 } 505 506 public RiskLog getRiskLog() { 507 return _riskLog; 508 } 509 510 public void setRiskLog(RiskLog value) { 511 _riskLog = value; 512 } 513 514 public List<RelatedObservation> getRelatedObservations() { 515 return _relatedObservations; 516 } 517 518 public void setRelatedObservations(List<RelatedObservation> value) { 519 _relatedObservations = value; 520 } 521 522 /** 523 * Add a new {@link RelatedObservation} item to the underlying collection. 524 * @param item the item to add 525 * @return {@code true} 526 */ 527 public boolean addRelatedObservation(RelatedObservation item) { 528 RelatedObservation value = ObjectUtils.requireNonNull(item,"item cannot be null"); 529 if (_relatedObservations == null) { 530 _relatedObservations = new LinkedList<>(); 531 } 532 return _relatedObservations.add(value); 533 } 534 535 /** 536 * Remove the first matching {@link RelatedObservation} item from the underlying collection. 537 * @param item the item to remove 538 * @return {@code true} if the item was removed or {@code false} otherwise 539 */ 540 public boolean removeRelatedObservation(RelatedObservation item) { 541 RelatedObservation value = ObjectUtils.requireNonNull(item,"item cannot be null"); 542 return _relatedObservations == null ? false : _relatedObservations.remove(value); 543 } 544 545 @Override 546 public String toString() { 547 return new ReflectionToStringBuilder(this, MultilineRecursiveToStringStyle.MULTI_LINE_STYLE).toString(); 548 } 549 550 /** 551 * Relates the finding to a set of referenced observations that were used to determine the finding. 552 */ 553 @MetaschemaAssembly( 554 formalName = "Related Observation", 555 description = "Relates the finding to a set of referenced observations that were used to determine the finding.", 556 name = "related-observation", 557 metaschema = OscalAssessmentCommonMetaschema.class 558 ) 559 public static class RelatedObservation { 560 @BoundFlag( 561 formalName = "Observation Universally Unique Identifier Reference", 562 description = "A [machine-oriented](https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented) identifier reference to an observation defined in the list of observations.", 563 useName = "observation-uuid", 564 required = true, 565 typeAdapter = UuidAdapter.class 566 ) 567 private UUID _observationUuid; 568 569 public RelatedObservation() { 570 } 571 572 public UUID getObservationUuid() { 573 return _observationUuid; 574 } 575 576 public void setObservationUuid(UUID value) { 577 _observationUuid = value; 578 } 579 580 @Override 581 public String toString() { 582 return new ReflectionToStringBuilder(this, MultilineRecursiveToStringStyle.MULTI_LINE_STYLE).toString(); 583 } 584 } 585 586 /** 587 * A log of all risk-related tasks taken. 588 */ 589 @MetaschemaAssembly( 590 formalName = "Risk Log", 591 description = "A log of all risk-related tasks taken.", 592 name = "risk-log", 593 metaschema = OscalAssessmentCommonMetaschema.class 594 ) 595 public static class RiskLog { 596 /** 597 * "Identifies an individual risk response that occurred as part of managing an identified risk." 598 */ 599 @BoundAssembly( 600 formalName = "Risk Log Entry", 601 description = "Identifies an individual risk response that occurred as part of managing an identified risk.", 602 useName = "entry", 603 minOccurs = 1, 604 maxOccurs = -1 605 ) 606 @GroupAs( 607 name = "entries", 608 inJson = JsonGroupAsBehavior.LIST 609 ) 610 private List<Entry> _entries; 611 612 public RiskLog() { 613 } 614 615 public List<Entry> getEntries() { 616 return _entries; 617 } 618 619 public void setEntries(List<Entry> value) { 620 _entries = value; 621 } 622 623 /** 624 * Add a new {@link Entry} item to the underlying collection. 625 * @param item the item to add 626 * @return {@code true} 627 */ 628 public boolean addEntry(Entry item) { 629 Entry value = ObjectUtils.requireNonNull(item,"item cannot be null"); 630 if (_entries == null) { 631 _entries = new LinkedList<>(); 632 } 633 return _entries.add(value); 634 } 635 636 /** 637 * Remove the first matching {@link Entry} item from the underlying collection. 638 * @param item the item to remove 639 * @return {@code true} if the item was removed or {@code false} otherwise 640 */ 641 public boolean removeEntry(Entry item) { 642 Entry value = ObjectUtils.requireNonNull(item,"item cannot be null"); 643 return _entries == null ? false : _entries.remove(value); 644 } 645 646 @Override 647 public String toString() { 648 return new ReflectionToStringBuilder(this, MultilineRecursiveToStringStyle.MULTI_LINE_STYLE).toString(); 649 } 650 651 /** 652 * Identifies an individual risk response that occurred as part of managing an identified risk. 653 */ 654 @MetaschemaAssembly( 655 formalName = "Risk Log Entry", 656 description = "Identifies an individual risk response that occurred as part of managing an identified risk.", 657 name = "entry", 658 metaschema = OscalAssessmentCommonMetaschema.class 659 ) 660 @ValueConstraints( 661 allowedValues = { 662 @AllowedValues(level = IConstraint.Level.ERROR, target = "prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name", values = @AllowedValue(value = "type", description = "The type of remediation tracking entry. Can be multi-valued.")), 663 @AllowedValues(level = IConstraint.Level.ERROR, target = "prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='type']/@value", allowOthers = true, values = {@AllowedValue(value = "vendor-check-in", description = "Contacted vendor to determine the status of a pending fix to a known vulnerability."), @AllowedValue(value = "status-update", description = "Information related to the current state of response to this risk."), @AllowedValue(value = "milestone-complete", description = "A significant step in the response plan has been achieved."), @AllowedValue(value = "mitigation", description = "An activity was completed that reduces the likelihood or impact of this risk."), @AllowedValue(value = "remediated", description = "An activity was completed that eliminates the likelihood or impact of this risk."), @AllowedValue(value = "closed", description = "The risk is no longer applicable to the system."), @AllowedValue(value = "dr-submission", description = "A deviation request was made to the authorizing official."), @AllowedValue(value = "dr-updated", description = "A previously submitted deviation request has been modified."), @AllowedValue(value = "dr-approved", description = "The authorizing official approved the deviation."), @AllowedValue(value = "dr-rejected", description = "The authorizing official rejected the deviation.")}) 664 } 665 ) 666 public static class Entry { 667 @BoundFlag( 668 formalName = "Risk Log Entry Universally Unique Identifier", 669 description = "A [machine-oriented](https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented), [globally unique](https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique) identifier with [cross-instance](https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance) scope that can be used to reference this risk log entry elsewhere in [this or other OSCAL instances](https://pages.nist.gov/OSCAL/concepts/identifier-use/#scope). The locally defined *UUID* of the `risk log entry` can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned [per-subject](https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency), which means it should be consistently used to identify the same subject across revisions of the document.", 670 useName = "uuid", 671 required = true, 672 typeAdapter = UuidAdapter.class 673 ) 674 private UUID _uuid; 675 676 /** 677 * "The title for this risk log entry." 678 */ 679 @BoundField( 680 formalName = "Title", 681 description = "The title for this risk log entry.", 682 useName = "title" 683 ) 684 @BoundFieldValue( 685 typeAdapter = MarkupLineAdapter.class 686 ) 687 private MarkupLine _title; 688 689 /** 690 * "A human-readable description of what was done regarding the risk." 691 */ 692 @BoundField( 693 formalName = "Risk Task Description", 694 description = "A human-readable description of what was done regarding the risk.", 695 useName = "description" 696 ) 697 @BoundFieldValue( 698 typeAdapter = MarkupMultilineAdapter.class 699 ) 700 private MarkupMultiline _description; 701 702 /** 703 * "Identifies the start date and time of the event." 704 */ 705 @BoundField( 706 formalName = "Start", 707 description = "Identifies the start date and time of the event.", 708 useName = "start", 709 minOccurs = 1 710 ) 711 @BoundFieldValue( 712 typeAdapter = DateTimeWithTZAdapter.class 713 ) 714 private ZonedDateTime _start; 715 716 /** 717 * "Identifies the end date and time of the event. If the event is a point in time, the start and end will be the same date and time." 718 */ 719 @BoundField( 720 formalName = "End", 721 description = "Identifies the end date and time of the event. If the event is a point in time, the start and end will be the same date and time.", 722 useName = "end" 723 ) 724 @BoundFieldValue( 725 typeAdapter = DateTimeWithTZAdapter.class 726 ) 727 private ZonedDateTime _end; 728 729 @BoundAssembly( 730 formalName = "Property", 731 description = "An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.", 732 useName = "prop", 733 maxOccurs = -1 734 ) 735 @GroupAs( 736 name = "props", 737 inJson = JsonGroupAsBehavior.LIST 738 ) 739 private List<Property> _props; 740 741 @BoundAssembly( 742 formalName = "Link", 743 description = "A reference to a local or remote resource, that has a specific relation to the containing object.", 744 useName = "link", 745 maxOccurs = -1 746 ) 747 @GroupAs( 748 name = "links", 749 inJson = JsonGroupAsBehavior.LIST 750 ) 751 private List<Link> _links; 752 753 @BoundAssembly( 754 formalName = "Logged By", 755 description = "Used to indicate who created a log entry in what role.", 756 useName = "logged-by", 757 maxOccurs = -1 758 ) 759 @GroupAs( 760 name = "logged-by", 761 inJson = JsonGroupAsBehavior.LIST 762 ) 763 private List<LoggedBy> _loggedBy; 764 765 @BoundField( 766 formalName = "Risk Status", 767 description = "Describes the status of the associated risk.", 768 useName = "status-change", 769 remarks = "Identifies a change in risk status made resulting from the task described by this risk log entry. This allows the risk's status history to be captured as a sequence of risk log entries." 770 ) 771 @BoundFieldValue( 772 typeAdapter = TokenAdapter.class 773 ) 774 @ValueConstraints( 775 allowedValues = @AllowedValues(level = IConstraint.Level.ERROR, allowOthers = true, values = {@AllowedValue(value = "open", description = "The risk has been identified."), @AllowedValue(value = "investigating", description = "The identified risk is being investigated. (Open risk)"), @AllowedValue(value = "remediating", description = "Remediation activities are underway, but are not yet complete. (Open risk)"), @AllowedValue(value = "deviation-requested", description = "A risk deviation, such as false positive, risk reduction, or operational requirement has been submitted for approval. (Open risk)"), @AllowedValue(value = "deviation-approved", description = "A risk deviation, such as false positive, risk reduction, or operational requirement has been approved. (Open risk)"), @AllowedValue(value = "closed", description = "The risk has been resolved.")}) 776 ) 777 private String _statusChange; 778 779 /** 780 * "Identifies an individual risk response that this log entry is for." 781 */ 782 @BoundAssembly( 783 formalName = "Risk Response Reference", 784 description = "Identifies an individual risk response that this log entry is for.", 785 useName = "related-response", 786 maxOccurs = -1 787 ) 788 @GroupAs( 789 name = "related-responses", 790 inJson = JsonGroupAsBehavior.LIST 791 ) 792 private List<RelatedResponse> _relatedResponses; 793 794 @BoundField( 795 formalName = "Remarks", 796 description = "Additional commentary about the containing object.", 797 useName = "remarks" 798 ) 799 @BoundFieldValue( 800 typeAdapter = MarkupMultilineAdapter.class 801 ) 802 private MarkupMultiline _remarks; 803 804 public Entry() { 805 } 806 807 public UUID getUuid() { 808 return _uuid; 809 } 810 811 public void setUuid(UUID value) { 812 _uuid = value; 813 } 814 815 public MarkupLine getTitle() { 816 return _title; 817 } 818 819 public void setTitle(MarkupLine value) { 820 _title = value; 821 } 822 823 public MarkupMultiline getDescription() { 824 return _description; 825 } 826 827 public void setDescription(MarkupMultiline value) { 828 _description = value; 829 } 830 831 public ZonedDateTime getStart() { 832 return _start; 833 } 834 835 public void setStart(ZonedDateTime value) { 836 _start = value; 837 } 838 839 public ZonedDateTime getEnd() { 840 return _end; 841 } 842 843 public void setEnd(ZonedDateTime value) { 844 _end = value; 845 } 846 847 public List<Property> getProps() { 848 return _props; 849 } 850 851 public void setProps(List<Property> value) { 852 _props = value; 853 } 854 855 /** 856 * Add a new {@link Property} item to the underlying collection. 857 * @param item the item to add 858 * @return {@code true} 859 */ 860 public boolean addProp(Property item) { 861 Property value = ObjectUtils.requireNonNull(item,"item cannot be null"); 862 if (_props == null) { 863 _props = new LinkedList<>(); 864 } 865 return _props.add(value); 866 } 867 868 /** 869 * Remove the first matching {@link Property} item from the underlying collection. 870 * @param item the item to remove 871 * @return {@code true} if the item was removed or {@code false} otherwise 872 */ 873 public boolean removeProp(Property item) { 874 Property value = ObjectUtils.requireNonNull(item,"item cannot be null"); 875 return _props == null ? false : _props.remove(value); 876 } 877 878 public List<Link> getLinks() { 879 return _links; 880 } 881 882 public void setLinks(List<Link> value) { 883 _links = value; 884 } 885 886 /** 887 * Add a new {@link Link} item to the underlying collection. 888 * @param item the item to add 889 * @return {@code true} 890 */ 891 public boolean addLink(Link item) { 892 Link value = ObjectUtils.requireNonNull(item,"item cannot be null"); 893 if (_links == null) { 894 _links = new LinkedList<>(); 895 } 896 return _links.add(value); 897 } 898 899 /** 900 * Remove the first matching {@link Link} item from the underlying collection. 901 * @param item the item to remove 902 * @return {@code true} if the item was removed or {@code false} otherwise 903 */ 904 public boolean removeLink(Link item) { 905 Link value = ObjectUtils.requireNonNull(item,"item cannot be null"); 906 return _links == null ? false : _links.remove(value); 907 } 908 909 public List<LoggedBy> getLoggedBy() { 910 return _loggedBy; 911 } 912 913 public void setLoggedBy(List<LoggedBy> value) { 914 _loggedBy = value; 915 } 916 917 /** 918 * Add a new {@link LoggedBy} item to the underlying collection. 919 * @param item the item to add 920 * @return {@code true} 921 */ 922 public boolean addLoggedBy(LoggedBy item) { 923 LoggedBy value = ObjectUtils.requireNonNull(item,"item cannot be null"); 924 if (_loggedBy == null) { 925 _loggedBy = new LinkedList<>(); 926 } 927 return _loggedBy.add(value); 928 } 929 930 /** 931 * Remove the first matching {@link LoggedBy} item from the underlying collection. 932 * @param item the item to remove 933 * @return {@code true} if the item was removed or {@code false} otherwise 934 */ 935 public boolean removeLoggedBy(LoggedBy item) { 936 LoggedBy value = ObjectUtils.requireNonNull(item,"item cannot be null"); 937 return _loggedBy == null ? false : _loggedBy.remove(value); 938 } 939 940 public String getStatusChange() { 941 return _statusChange; 942 } 943 944 public void setStatusChange(String value) { 945 _statusChange = value; 946 } 947 948 public List<RelatedResponse> getRelatedResponses() { 949 return _relatedResponses; 950 } 951 952 public void setRelatedResponses(List<RelatedResponse> value) { 953 _relatedResponses = value; 954 } 955 956 /** 957 * Add a new {@link RelatedResponse} item to the underlying collection. 958 * @param item the item to add 959 * @return {@code true} 960 */ 961 public boolean addRelatedResponse(RelatedResponse item) { 962 RelatedResponse value = ObjectUtils.requireNonNull(item,"item cannot be null"); 963 if (_relatedResponses == null) { 964 _relatedResponses = new LinkedList<>(); 965 } 966 return _relatedResponses.add(value); 967 } 968 969 /** 970 * Remove the first matching {@link RelatedResponse} item from the underlying collection. 971 * @param item the item to remove 972 * @return {@code true} if the item was removed or {@code false} otherwise 973 */ 974 public boolean removeRelatedResponse(RelatedResponse item) { 975 RelatedResponse value = ObjectUtils.requireNonNull(item,"item cannot be null"); 976 return _relatedResponses == null ? false : _relatedResponses.remove(value); 977 } 978 979 public MarkupMultiline getRemarks() { 980 return _remarks; 981 } 982 983 public void setRemarks(MarkupMultiline value) { 984 _remarks = value; 985 } 986 987 @Override 988 public String toString() { 989 return new ReflectionToStringBuilder(this, MultilineRecursiveToStringStyle.MULTI_LINE_STYLE).toString(); 990 } 991 992 /** 993 * Identifies an individual risk response that this log entry is for. 994 */ 995 @MetaschemaAssembly( 996 formalName = "Risk Response Reference", 997 description = "Identifies an individual risk response that this log entry is for.", 998 name = "related-response", 999 metaschema = OscalAssessmentCommonMetaschema.class 1000 ) 1001 public static class RelatedResponse { 1002 @BoundFlag( 1003 formalName = "Response Universally Unique Identifier Reference", 1004 description = "A [machine-oriented](https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented) identifier reference to a unique risk response.", 1005 useName = "response-uuid", 1006 required = true, 1007 typeAdapter = UuidAdapter.class 1008 ) 1009 private UUID _responseUuid; 1010 1011 @BoundAssembly( 1012 formalName = "Property", 1013 description = "An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.", 1014 useName = "prop", 1015 maxOccurs = -1 1016 ) 1017 @GroupAs( 1018 name = "props", 1019 inJson = JsonGroupAsBehavior.LIST 1020 ) 1021 private List<Property> _props; 1022 1023 @BoundAssembly( 1024 formalName = "Link", 1025 description = "A reference to a local or remote resource, that has a specific relation to the containing object.", 1026 useName = "link", 1027 maxOccurs = -1 1028 ) 1029 @GroupAs( 1030 name = "links", 1031 inJson = JsonGroupAsBehavior.LIST 1032 ) 1033 private List<Link> _links; 1034 1035 @BoundAssembly( 1036 formalName = "Task Reference", 1037 description = "Identifies an individual task for which the containing object is a consequence of.", 1038 useName = "related-task", 1039 maxOccurs = -1, 1040 remarks = "This is used to identify the task(s) that this log entry was generated for." 1041 ) 1042 @GroupAs( 1043 name = "related-tasks", 1044 inJson = JsonGroupAsBehavior.LIST 1045 ) 1046 private List<RelatedTask> _relatedTasks; 1047 1048 @BoundField( 1049 formalName = "Remarks", 1050 description = "Additional commentary about the containing object.", 1051 useName = "remarks" 1052 ) 1053 @BoundFieldValue( 1054 typeAdapter = MarkupMultilineAdapter.class 1055 ) 1056 private MarkupMultiline _remarks; 1057 1058 public RelatedResponse() { 1059 } 1060 1061 public UUID getResponseUuid() { 1062 return _responseUuid; 1063 } 1064 1065 public void setResponseUuid(UUID value) { 1066 _responseUuid = value; 1067 } 1068 1069 public List<Property> getProps() { 1070 return _props; 1071 } 1072 1073 public void setProps(List<Property> value) { 1074 _props = value; 1075 } 1076 1077 /** 1078 * Add a new {@link Property} item to the underlying collection. 1079 * @param item the item to add 1080 * @return {@code true} 1081 */ 1082 public boolean addProp(Property item) { 1083 Property value = ObjectUtils.requireNonNull(item,"item cannot be null"); 1084 if (_props == null) { 1085 _props = new LinkedList<>(); 1086 } 1087 return _props.add(value); 1088 } 1089 1090 /** 1091 * Remove the first matching {@link Property} item from the underlying collection. 1092 * @param item the item to remove 1093 * @return {@code true} if the item was removed or {@code false} otherwise 1094 */ 1095 public boolean removeProp(Property item) { 1096 Property value = ObjectUtils.requireNonNull(item,"item cannot be null"); 1097 return _props == null ? false : _props.remove(value); 1098 } 1099 1100 public List<Link> getLinks() { 1101 return _links; 1102 } 1103 1104 public void setLinks(List<Link> value) { 1105 _links = value; 1106 } 1107 1108 /** 1109 * Add a new {@link Link} item to the underlying collection. 1110 * @param item the item to add 1111 * @return {@code true} 1112 */ 1113 public boolean addLink(Link item) { 1114 Link value = ObjectUtils.requireNonNull(item,"item cannot be null"); 1115 if (_links == null) { 1116 _links = new LinkedList<>(); 1117 } 1118 return _links.add(value); 1119 } 1120 1121 /** 1122 * Remove the first matching {@link Link} item from the underlying collection. 1123 * @param item the item to remove 1124 * @return {@code true} if the item was removed or {@code false} otherwise 1125 */ 1126 public boolean removeLink(Link item) { 1127 Link value = ObjectUtils.requireNonNull(item,"item cannot be null"); 1128 return _links == null ? false : _links.remove(value); 1129 } 1130 1131 public List<RelatedTask> getRelatedTasks() { 1132 return _relatedTasks; 1133 } 1134 1135 public void setRelatedTasks(List<RelatedTask> value) { 1136 _relatedTasks = value; 1137 } 1138 1139 /** 1140 * Add a new {@link RelatedTask} item to the underlying collection. 1141 * @param item the item to add 1142 * @return {@code true} 1143 */ 1144 public boolean addRelatedTask(RelatedTask item) { 1145 RelatedTask value = ObjectUtils.requireNonNull(item,"item cannot be null"); 1146 if (_relatedTasks == null) { 1147 _relatedTasks = new LinkedList<>(); 1148 } 1149 return _relatedTasks.add(value); 1150 } 1151 1152 /** 1153 * Remove the first matching {@link RelatedTask} item from the underlying collection. 1154 * @param item the item to remove 1155 * @return {@code true} if the item was removed or {@code false} otherwise 1156 */ 1157 public boolean removeRelatedTask(RelatedTask item) { 1158 RelatedTask value = ObjectUtils.requireNonNull(item,"item cannot be null"); 1159 return _relatedTasks == null ? false : _relatedTasks.remove(value); 1160 } 1161 1162 public MarkupMultiline getRemarks() { 1163 return _remarks; 1164 } 1165 1166 public void setRemarks(MarkupMultiline value) { 1167 _remarks = value; 1168 } 1169 1170 @Override 1171 public String toString() { 1172 return new ReflectionToStringBuilder(this, MultilineRecursiveToStringStyle.MULTI_LINE_STYLE).toString(); 1173 } 1174 } 1175 } 1176 } 1177 1178 /** 1179 * Describes an existing mitigating factor that may affect the overall determination of the risk, with an optional link to an implementation statement in the SSP. 1180 */ 1181 @MetaschemaAssembly( 1182 formalName = "Mitigating Factor", 1183 description = "Describes an existing mitigating factor that may affect the overall determination of the risk, with an optional link to an implementation statement in the SSP.", 1184 name = "mitigating-factor", 1185 metaschema = OscalAssessmentCommonMetaschema.class 1186 ) 1187 public static class MitigatingFactor { 1188 @BoundFlag( 1189 formalName = "Mitigating Factor Universally Unique Identifier", 1190 description = "A [machine-oriented](https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented), [globally unique](https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique) identifier with [cross-instance](https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance) scope that can be used to reference this mitigating factor elsewhere in [this or other OSCAL instances](https://pages.nist.gov/OSCAL/concepts/identifier-use/#scope). The locally defined *UUID* of the `mitigating factor` can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned [per-subject](https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency), which means it should be consistently used to identify the same subject across revisions of the document.", 1191 useName = "uuid", 1192 required = true, 1193 typeAdapter = UuidAdapter.class 1194 ) 1195 private UUID _uuid; 1196 1197 @BoundFlag( 1198 formalName = "Implementation UUID", 1199 description = "A [machine-oriented](https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented), [globally unique](https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique) identifier with [cross-instance](https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance) scope that can be used to reference this implementation statement elsewhere in [this or other OSCAL instances](https://pages.nist.gov/OSCAL/concepts/identifier-use/#scope)s. The locally defined *UUID* of the `implementation statement` can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned [per-subject](https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency), which means it should be consistently used to identify the same subject across revisions of the document.", 1200 useName = "implementation-uuid", 1201 typeAdapter = UuidAdapter.class 1202 ) 1203 private UUID _implementationUuid; 1204 1205 /** 1206 * "A human-readable description of this mitigating factor." 1207 */ 1208 @BoundField( 1209 formalName = "Mitigating Factor Description", 1210 description = "A human-readable description of this mitigating factor.", 1211 useName = "description", 1212 minOccurs = 1 1213 ) 1214 @BoundFieldValue( 1215 typeAdapter = MarkupMultilineAdapter.class 1216 ) 1217 private MarkupMultiline _description; 1218 1219 @BoundAssembly( 1220 formalName = "Property", 1221 description = "An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.", 1222 useName = "prop", 1223 maxOccurs = -1 1224 ) 1225 @GroupAs( 1226 name = "props", 1227 inJson = JsonGroupAsBehavior.LIST 1228 ) 1229 private List<Property> _props; 1230 1231 @BoundAssembly( 1232 formalName = "Link", 1233 description = "A reference to a local or remote resource, that has a specific relation to the containing object.", 1234 useName = "link", 1235 maxOccurs = -1 1236 ) 1237 @GroupAs( 1238 name = "links", 1239 inJson = JsonGroupAsBehavior.LIST 1240 ) 1241 private List<Link> _links; 1242 1243 @BoundAssembly( 1244 formalName = "Identifies the Subject", 1245 description = "A [human-oriented](https://pages.nist.gov/OSCAL/concepts/identifier-use/#human-oriented) identifier reference to a resource. Use type to indicate whether the identified resource is a component, inventory item, location, user, or something else.", 1246 useName = "subject", 1247 maxOccurs = -1, 1248 remarks = "Links identifiable elements of the system to this mitigating factor, such as an inventory-item or component." 1249 ) 1250 @GroupAs( 1251 name = "subjects", 1252 inJson = JsonGroupAsBehavior.LIST 1253 ) 1254 private List<SubjectReference> _subjects; 1255 1256 public MitigatingFactor() { 1257 } 1258 1259 public UUID getUuid() { 1260 return _uuid; 1261 } 1262 1263 public void setUuid(UUID value) { 1264 _uuid = value; 1265 } 1266 1267 public UUID getImplementationUuid() { 1268 return _implementationUuid; 1269 } 1270 1271 public void setImplementationUuid(UUID value) { 1272 _implementationUuid = value; 1273 } 1274 1275 public MarkupMultiline getDescription() { 1276 return _description; 1277 } 1278 1279 public void setDescription(MarkupMultiline value) { 1280 _description = value; 1281 } 1282 1283 public List<Property> getProps() { 1284 return _props; 1285 } 1286 1287 public void setProps(List<Property> value) { 1288 _props = value; 1289 } 1290 1291 /** 1292 * Add a new {@link Property} item to the underlying collection. 1293 * @param item the item to add 1294 * @return {@code true} 1295 */ 1296 public boolean addProp(Property item) { 1297 Property value = ObjectUtils.requireNonNull(item,"item cannot be null"); 1298 if (_props == null) { 1299 _props = new LinkedList<>(); 1300 } 1301 return _props.add(value); 1302 } 1303 1304 /** 1305 * Remove the first matching {@link Property} item from the underlying collection. 1306 * @param item the item to remove 1307 * @return {@code true} if the item was removed or {@code false} otherwise 1308 */ 1309 public boolean removeProp(Property item) { 1310 Property value = ObjectUtils.requireNonNull(item,"item cannot be null"); 1311 return _props == null ? false : _props.remove(value); 1312 } 1313 1314 public List<Link> getLinks() { 1315 return _links; 1316 } 1317 1318 public void setLinks(List<Link> value) { 1319 _links = value; 1320 } 1321 1322 /** 1323 * Add a new {@link Link} item to the underlying collection. 1324 * @param item the item to add 1325 * @return {@code true} 1326 */ 1327 public boolean addLink(Link item) { 1328 Link value = ObjectUtils.requireNonNull(item,"item cannot be null"); 1329 if (_links == null) { 1330 _links = new LinkedList<>(); 1331 } 1332 return _links.add(value); 1333 } 1334 1335 /** 1336 * Remove the first matching {@link Link} item from the underlying collection. 1337 * @param item the item to remove 1338 * @return {@code true} if the item was removed or {@code false} otherwise 1339 */ 1340 public boolean removeLink(Link item) { 1341 Link value = ObjectUtils.requireNonNull(item,"item cannot be null"); 1342 return _links == null ? false : _links.remove(value); 1343 } 1344 1345 public List<SubjectReference> getSubjects() { 1346 return _subjects; 1347 } 1348 1349 public void setSubjects(List<SubjectReference> value) { 1350 _subjects = value; 1351 } 1352 1353 /** 1354 * Add a new {@link SubjectReference} item to the underlying collection. 1355 * @param item the item to add 1356 * @return {@code true} 1357 */ 1358 public boolean addSubject(SubjectReference item) { 1359 SubjectReference value = ObjectUtils.requireNonNull(item,"item cannot be null"); 1360 if (_subjects == null) { 1361 _subjects = new LinkedList<>(); 1362 } 1363 return _subjects.add(value); 1364 } 1365 1366 /** 1367 * Remove the first matching {@link SubjectReference} item from the underlying collection. 1368 * @param item the item to remove 1369 * @return {@code true} if the item was removed or {@code false} otherwise 1370 */ 1371 public boolean removeSubject(SubjectReference item) { 1372 SubjectReference value = ObjectUtils.requireNonNull(item,"item cannot be null"); 1373 return _subjects == null ? false : _subjects.remove(value); 1374 } 1375 1376 @Override 1377 public String toString() { 1378 return new ReflectionToStringBuilder(this, MultilineRecursiveToStringStyle.MULTI_LINE_STYLE).toString(); 1379 } 1380 } 1381}