1 package gov.nist.secauto.oscal.lib.model;
3 import gov.nist.secauto.metaschema.binding.model.annotations.AllowedValue;
4 import gov.nist.secauto.metaschema.binding.model.annotations.AllowedValues;
5 import gov.nist.secauto.metaschema.binding.model.annotations.AssemblyConstraints;
6 import gov.nist.secauto.metaschema.binding.model.annotations.BoundAssembly;
7 import gov.nist.secauto.metaschema.binding.model.annotations.BoundField;
8 import gov.nist.secauto.metaschema.binding.model.annotations.BoundFieldValue;
9 import gov.nist.secauto.metaschema.binding.model.annotations.BoundFlag;
10 import gov.nist.secauto.metaschema.binding.model.annotations.GroupAs;
11 import gov.nist.secauto.metaschema.binding.model.annotations.HasCardinality;
12 import gov.nist.secauto.metaschema.binding.model.annotations.IndexHasKey;
13 import gov.nist.secauto.metaschema.binding.model.annotations.IsUnique;
14 import gov.nist.secauto.metaschema.binding.model.annotations.KeyField;
15 import gov.nist.secauto.metaschema.binding.model.annotations.MetaschemaAssembly;
16 import gov.nist.secauto.metaschema.binding.model.annotations.ValueConstraints;
17 import gov.nist.secauto.metaschema.model.common.JsonGroupAsBehavior;
18 import gov.nist.secauto.metaschema.model.common.constraint.IConstraint;
19 import gov.nist.secauto.metaschema.model.common.datatype.adapter.UuidAdapter;
20 import gov.nist.secauto.metaschema.model.common.datatype.markup.MarkupMultiline;
21 import gov.nist.secauto.metaschema.model.common.datatype.markup.MarkupMultilineAdapter;
22 import gov.nist.secauto.metaschema.model.common.util.ObjectUtils;
23 import java.lang.Override;
24 import java.lang.String;
25 import java.util.LinkedList;
26 import java.util.List;
27 import java.util.UUID;
28 import org.apache.commons.lang3.builder.MultilineRecursiveToStringStyle;
29 import org.apache.commons.lang3.builder.ReflectionToStringBuilder;
/**
 * Java binding for the OSCAL {@code inventory-item} assembly: one managed asset in a system's
 * inventory, identified by a UUID and described by props, links, responsible parties and the
 * components it implements.
 *
 * <p>The constraints below (allowed prop names, yes/no values, unique role-ids, index lookups)
 * are declared as annotation metadata only. The accessors in this class store and return values
 * exactly as given and check none of them, so enforcement has to come from whatever consumes the
 * annotations (presumably metaschema validation; confirm that it runs on every document that is
 * loaded from outside before its inventory is relied on).
 *
 * <p>List getters hand out the internal list, and list setters keep the caller's list, so any
 * holder of a reference can change this object's content after the fact. No synchronization is
 * present in this class.
 */
@MetaschemaAssembly(
    formalName = "Inventory Item",
    description = "A single managed inventory item within the system.",
    name = "inventory-item",
    metaschema = OscalImplementationCommonMetaschema.class
)
@ValueConstraints(
    allowedValues = {
      // Prop names accepted in the OSCAL namespace. allowOthers is not set on this constraint.
      @AllowedValues(
          level = IConstraint.Level.ERROR,
          target = "prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name",
          values = {
            @AllowedValue(value = "ipv4-address", description = "The Internet Protocol v4 Address of the asset."),
            @AllowedValue(value = "ipv6-address", description = "The Internet Protocol v6 Address of the asset."),
            @AllowedValue(value = "fqdn", description = "The full-qualified domain name (FQDN) of the asset."),
            @AllowedValue(value = "uri", description = "A Uniform Resource Identifier (URI) for the asset."),
            @AllowedValue(value = "serial-number", description = "A serial number for the asset."),
            @AllowedValue(value = "netbios-name", description = "The NetBIOS name for the asset."),
            @AllowedValue(value = "mac-address", description = "The media access control (MAC) address for the asset."),
            @AllowedValue(value = "physical-location", description = "The physical location of the asset's hardware (e.g., Data Center ID, Cage#, Rack#, or other meaningful location identifiers)."),
            @AllowedValue(value = "is-scanned", description = "is the asset subjected to network scans? (yes/no)"),
            @AllowedValue(value = "hardware-model", description = "The model number of the hardware used by the asset."),
            @AllowedValue(value = "os-name", description = "The name of the operating system used by the asset."),
            @AllowedValue(value = "os-version", description = "The version of the operating system used by the asset."),
            @AllowedValue(value = "software-name", description = "The software product name used by the asset."),
            @AllowedValue(value = "software-version", description = "The software product version used by the asset."),
            @AllowedValue(value = "software-patch-level", description = "The software product patch level used by the asset."),
            @AllowedValue(value = "asset-type", description = "Simple indication of the asset's function, such as Router, Storage Array, DNS Server."),
            @AllowedValue(value = "asset-id", description = "An organizationally specific identifier that is used to uniquely identify a logical or tangible item by the organization that owns the item."),
            @AllowedValue(value = "asset-tag", description = "An asset tag assigned by the organization responsible for maintaining the logical or tangible item."),
            @AllowedValue(value = "public", description = "Identifies whether the asset is publicly accessible (yes/no)"),
            @AllowedValue(value = "virtual", description = "Identifies whether the asset is virtualized (yes/no)"),
            @AllowedValue(value = "vlan-id", description = "Virtual LAN identifier of the asset."),
            @AllowedValue(value = "network-id", description = "The network identifier of the asset."),
            @AllowedValue(value = "label", description = "A human-readable label for the parent context."),
            @AllowedValue(value = "sort-id", description = "An alternative identifier, whose value is easily sortable among other such values in the document."),
            @AllowedValue(value = "baseline-configuration-name", description = "The name of the baseline configuration for the asset."),
            @AllowedValue(value = "allows-authenticated-scan", description = "Can the asset be check with an authenticated scan? (yes/no)"),
            @AllowedValue(value = "function", description = "The function provided by the asset for the system.")
          }),
      // Well-known values for the asset-type prop; allowOthers = true, so other values pass too.
      @AllowedValues(
          level = IConstraint.Level.ERROR,
          target = "prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='asset-type']/@value",
          allowOthers = true,
          values = {
            @AllowedValue(value = "operating-system", description = "System software that manages computer hardware, software resources, and provides common services for computer programs."),
            @AllowedValue(value = "database", description = "An electronic collection of data, or information, that is specially organized for rapid search and retrieval."),
            @AllowedValue(value = "web-server", description = "A system that delivers content or services to end users over the Internet or an intranet."),
            @AllowedValue(value = "dns-server", description = "A system that resolves domain names to internet protocol (IP) addresses."),
            @AllowedValue(value = "email-server", description = "A computer system that sends and receives electronic mail messages."),
            @AllowedValue(value = "directory-server", description = "A system that stores, organizes and provides access to directory information in order to unify network resources."),
            @AllowedValue(value = "pbx", description = "A private branch exchange (PBX) provides a a private telephone switchboard."),
            @AllowedValue(value = "firewall", description = "A network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules."),
            @AllowedValue(value = "router", description = "A physical or virtual networking device that forwards data packets between computer networks."),
            @AllowedValue(value = "switch", description = "A physical or virtual networking device that connects devices within a computer network by using packet switching to receive and forward data to the destination device."),
            @AllowedValue(value = "storage-array", description = "A consolidated, block-level data storage capability."),
            @AllowedValue(value = "appliance", description = "A physical or virtual machine that centralizes hardware, software, or services for a specific purpose.")
          }),
      // NOTE(review): this target filters on a "type" flag, but no such flag is bound on this
      // class; confirm whether the constraint can ever match an inventory item.
      @AllowedValues(
          level = IConstraint.Level.ERROR,
          target = "(.)[@type=('software', 'hardware', 'service')]/prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name",
          values = @AllowedValue(value = "vendor-name", description = "The name of the company or organization")),
      // is-scanned records vulnerability-scan coverage; only "yes" and "no" are listed.
      @AllowedValues(
          level = IConstraint.Level.ERROR,
          target = "prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='is-scanned']/@value",
          values = {
            @AllowedValue(value = "yes", description = "The asset is included in periodic vulnerability scanning."),
            @AllowedValue(value = "no", description = "The asset is not included in periodic vulnerability scanning.")
          }),
      @AllowedValues(
          level = IConstraint.Level.ERROR,
          target = "link/@rel",
          allowOthers = true,
          values = @AllowedValue(value = "baseline-template", description = "A reference to the baseline template used to configure the asset.")),
      // Suggested role identifiers; allowOthers = true, so organisation-specific roles pass too.
      @AllowedValues(
          level = IConstraint.Level.ERROR,
          target = "responsible-party/@role-id",
          allowOthers = true,
          values = {
            @AllowedValue(value = "asset-owner", description = "Accountable for ensuring the asset is managed in accordance with organizational policies and procedures."),
            @AllowedValue(value = "asset-administrator", description = "Responsible for administering a set of assets."),
            @AllowedValue(value = "security-operations", description = "Members of the security operations center (SOC)."),
            @AllowedValue(value = "network-operations", description = "Members of the network operations center (NOC)."),
            @AllowedValue(value = "incident-response", description = "Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions."),
            @AllowedValue(value = "help-desk", description = "Responsible for providing information and support to users."),
            @AllowedValue(value = "configuration-management", description = "Responsible for the configuration management processes governing changes to the asset."),
            @AllowedValue(value = "maintainer", description = "Responsible for the creation and maintenance of a component."),
            @AllowedValue(value = "provider", description = "Organization responsible for providing the component, if this is different from the \"maintainer\" (e.g., a reseller).")
          })
    },
    // Each responsible-party must resolve against the two named indexes, which are not defined
    // in this file (presumably built from the document metadata; confirm).
    indexHasKey = {
      @IndexHasKey(level = IConstraint.Level.ERROR, target = "responsible-party", indexName = "index-metadata-role-id", keyFields = @KeyField(target = "@role-id")),
      @IndexHasKey(level = IConstraint.Level.ERROR, target = "responsible-party", indexName = "index-metadata-party-uuid", keyFields = @KeyField(target = "party-uuid"))
    }
)
@AssemblyConstraints(
    isUnique = @IsUnique(id = "unique-inventory-item-responsible-party", level = IConstraint.Level.ERROR, target = "responsible-party", keyFields = @KeyField(target = "@role-id"), remarks = "Since `responsible-party` associates multiple `party-uuid` entries with a single `role-id`, each role-id must be referenced only once.")
)
public class InventoryItem {
  // Declared required = true, but nothing in this class rejects a null value.
  @BoundFlag(
      formalName = "Inventory Item Universally Unique Identifier",
      description = "A [machine-oriented](https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented), [globally unique](https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique) identifier with [cross-instance](https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance) scope that can be used to reference this inventory item elsewhere in [this or other OSCAL instances](https://pages.nist.gov/OSCAL/concepts/identifier-use/#scope). The locally defined *UUID* of the `inventory item` can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned [per-subject](https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency), which means it should be consistently used to identify the same subject across revisions of the document.",
      useName = "uuid",
      required = true,
      typeAdapter = UuidAdapter.class
  )
  private UUID _uuid;

  // Declared minOccurs = 1, but nothing in this class rejects a null value.
  @BoundField(
      formalName = "Inventory Item Description",
      description = "A summary of the inventory item stating its purpose within the system.",
      useName = "description",
      minOccurs = 1
  )
  @BoundFieldValue(
      typeAdapter = MarkupMultilineAdapter.class
  )
  private MarkupMultiline _description;

  // Stays null until setProps or addProp is called.
  @BoundAssembly(
      formalName = "Property",
      description = "An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.",
      useName = "prop",
      maxOccurs = -1
  )
  @GroupAs(
      name = "props",
      inJson = JsonGroupAsBehavior.LIST
  )
  private List<Property> _props;

  // Stays null until setLinks or addLink is called.
  @BoundAssembly(
      formalName = "Link",
      description = "A reference to a local or remote resource, that has a specific relation to the containing object.",
      useName = "link",
      maxOccurs = -1
  )
  @GroupAs(
      name = "links",
      inJson = JsonGroupAsBehavior.LIST
  )
  private List<Link> _links;

  // Stays null until setResponsibleParties or addResponsibleParty is called.
  @BoundAssembly(
      formalName = "Responsible Party",
      description = "A reference to a set of persons and/or organizations that have responsibility for performing the referenced role in the context of the containing object.",
      useName = "responsible-party",
      maxOccurs = -1
  )
  @GroupAs(
      name = "responsible-parties",
      inJson = JsonGroupAsBehavior.LIST
  )
  private List<ResponsibleParty> _responsibleParties;

  // Stays null until setImplementedComponents or addImplementedComponent is called.
  @BoundAssembly(
      formalName = "Implemented Component",
      description = "The set of components that are implemented in a given system inventory item.",
      useName = "implemented-component",
      maxOccurs = -1
  )
  @GroupAs(
      name = "implemented-components",
      inJson = JsonGroupAsBehavior.LIST
  )
  private List<ImplementedComponent> _implementedComponents;

  @BoundField(
      formalName = "Remarks",
      description = "Additional commentary about the containing object.",
      useName = "remarks"
  )
  @BoundFieldValue(
      typeAdapter = MarkupMultilineAdapter.class
  )
  private MarkupMultiline _remarks;

  /** Creates an empty inventory item; every field starts out {@code null}. */
  public InventoryItem() {
  }

  /**
   * Returns the identifier of this inventory item.
   *
   * @return the stored UUID, or {@code null} if none has been set
   */
  public UUID getUuid() {
    return _uuid;
  }

  /**
   * Replaces the identifier of this inventory item.
   *
   * @param value the new UUID; stored as given, {@code null} is not rejected here
   */
  public void setUuid(UUID value) {
    _uuid = value;
  }

  /**
   * Returns the description of this inventory item.
   *
   * @return the stored markup, or {@code null} if none has been set
   */
  public MarkupMultiline getDescription() {
    return _description;
  }

  /**
   * Replaces the description of this inventory item.
   *
   * @param value the new markup; stored as given
   */
  public void setDescription(MarkupMultiline value) {
    _description = value;
  }

  /**
   * Returns the properties of this inventory item.
   *
   * @return the internal list itself (not a copy), or {@code null} if no list exists yet
   */
  public List<Property> getProps() {
    return _props;
  }

  /**
   * Replaces the property list.
   *
   * @param value the new list; the reference is kept, not copied
   */
  public void setProps(List<Property> value) {
    _props = value;
  }

  /**
   * Appends a property, creating the backing {@link LinkedList} on first use.
   *
   * @param item the property to add; passed through {@code ObjectUtils.requireNonNull}, which
   *     presumably throws on {@code null} (confirm against ObjectUtils)
   * @return the result of {@link List#add(Object)}
   */
  public boolean addProp(Property item) {
    Property entry = ObjectUtils.requireNonNull(item,"item cannot be null");
    List<Property> target = _props;
    if (target == null) {
      target = new LinkedList<>();
      _props = target;
    }
    return target.add(entry);
  }

  /**
   * Removes the first matching property.
   *
   * @param item the property to remove; passed through {@code ObjectUtils.requireNonNull}
   * @return {@code true} if the list existed and contained the item
   */
  public boolean removeProp(Property item) {
    Property entry = ObjectUtils.requireNonNull(item,"item cannot be null");
    return _props != null && _props.remove(entry);
  }

  /**
   * Returns the links of this inventory item.
   *
   * @return the internal list itself (not a copy), or {@code null} if no list exists yet
   */
  public List<Link> getLinks() {
    return _links;
  }

  /**
   * Replaces the link list.
   *
   * @param value the new list; the reference is kept, not copied
   */
  public void setLinks(List<Link> value) {
    _links = value;
  }

  /**
   * Appends a link, creating the backing {@link LinkedList} on first use.
   *
   * @param item the link to add; passed through {@code ObjectUtils.requireNonNull}, which
   *     presumably throws on {@code null} (confirm against ObjectUtils)
   * @return the result of {@link List#add(Object)}
   */
  public boolean addLink(Link item) {
    Link entry = ObjectUtils.requireNonNull(item,"item cannot be null");
    List<Link> target = _links;
    if (target == null) {
      target = new LinkedList<>();
      _links = target;
    }
    return target.add(entry);
  }

  /**
   * Removes the first matching link.
   *
   * @param item the link to remove; passed through {@code ObjectUtils.requireNonNull}
   * @return {@code true} if the list existed and contained the item
   */
  public boolean removeLink(Link item) {
    Link entry = ObjectUtils.requireNonNull(item,"item cannot be null");
    return _links != null && _links.remove(entry);
  }

  /**
   * Returns the responsible parties of this inventory item.
   *
   * @return the internal list itself (not a copy), or {@code null} if no list exists yet
   */
  public List<ResponsibleParty> getResponsibleParties() {
    return _responsibleParties;
  }

  /**
   * Replaces the responsible-party list.
   *
   * @param value the new list; the reference is kept, not copied
   */
  public void setResponsibleParties(List<ResponsibleParty> value) {
    _responsibleParties = value;
  }

  /**
   * Appends a responsible party, creating the backing {@link LinkedList} on first use. The
   * one-entry-per-role-id rule declared on the class is not checked here.
   *
   * @param item the party to add; passed through {@code ObjectUtils.requireNonNull}, which
   *     presumably throws on {@code null} (confirm against ObjectUtils)
   * @return the result of {@link List#add(Object)}
   */
  public boolean addResponsibleParty(ResponsibleParty item) {
    ResponsibleParty entry = ObjectUtils.requireNonNull(item,"item cannot be null");
    List<ResponsibleParty> target = _responsibleParties;
    if (target == null) {
      target = new LinkedList<>();
      _responsibleParties = target;
    }
    return target.add(entry);
  }

  /**
   * Removes the first matching responsible party.
   *
   * @param item the party to remove; passed through {@code ObjectUtils.requireNonNull}
   * @return {@code true} if the list existed and contained the item
   */
  public boolean removeResponsibleParty(ResponsibleParty item) {
    ResponsibleParty entry = ObjectUtils.requireNonNull(item,"item cannot be null");
    return _responsibleParties != null && _responsibleParties.remove(entry);
  }

  /**
   * Returns the components implemented by this inventory item.
   *
   * @return the internal list itself (not a copy), or {@code null} if no list exists yet
   */
  public List<ImplementedComponent> getImplementedComponents() {
    return _implementedComponents;
  }

  /**
   * Replaces the implemented-component list.
   *
   * @param value the new list; the reference is kept, not copied
   */
  public void setImplementedComponents(List<ImplementedComponent> value) {
    _implementedComponents = value;
  }

  /**
   * Appends an implemented component, creating the backing {@link LinkedList} on first use.
   *
   * @param item the component to add; passed through {@code ObjectUtils.requireNonNull}, which
   *     presumably throws on {@code null} (confirm against ObjectUtils)
   * @return the result of {@link List#add(Object)}
   */
  public boolean addImplementedComponent(ImplementedComponent item) {
    ImplementedComponent entry = ObjectUtils.requireNonNull(item,"item cannot be null");
    List<ImplementedComponent> target = _implementedComponents;
    if (target == null) {
      target = new LinkedList<>();
      _implementedComponents = target;
    }
    return target.add(entry);
  }

  /**
   * Removes the first matching implemented component.
   *
   * @param item the component to remove; passed through {@code ObjectUtils.requireNonNull}
   * @return {@code true} if the list existed and contained the item
   */
  public boolean removeImplementedComponent(ImplementedComponent item) {
    ImplementedComponent entry = ObjectUtils.requireNonNull(item,"item cannot be null");
    return _implementedComponents != null && _implementedComponents.remove(entry);
  }

  /**
   * Returns the remarks attached to this inventory item.
   *
   * @return the stored markup, or {@code null} if none has been set
   */
  public MarkupMultiline getRemarks() {
    return _remarks;
  }

  /**
   * Replaces the remarks attached to this inventory item.
   *
   * @param value the new markup; stored as given
   */
  public void setRemarks(MarkupMultiline value) {
    _remarks = value;
  }

  /**
   * Renders this object by reflection over its fields, using the multi-line recursive style.
   *
   * <p>Nothing is excluded, so the text can carry whatever the props hold; the allowed prop
   * names on this class include network addresses, host names and serial numbers. Give logs
   * and error messages that include this string the same protection as the inventory itself.
   *
   * @return the reflective multi-line dump of this item
   */
  @Override
  public String toString() {
    ReflectionToStringBuilder dump =
        new ReflectionToStringBuilder(this, MultilineRecursiveToStringStyle.MULTI_LINE_STYLE);
    return dump.toString();
  }

  /**
   * Java binding for the OSCAL {@code implemented-component} assembly: a reference from an
   * inventory item to a component it implements, with its own props, links and responsible
   * parties.
   *
   * <p>The annotations declare that at least one OSCAL-namespace prop named {@code asset-id}
   * must be present and that each role-id may appear on only one responsible party. As with the
   * enclosing class, the accessors check none of this and the list getters and setters share
   * references with the caller.
   */
  @MetaschemaAssembly(
      formalName = "Implemented Component",
      description = "The set of components that are implemented in a given system inventory item.",
      name = "implemented-component",
      metaschema = OscalImplementationCommonMetaschema.class
  )
  @ValueConstraints(
      allowedValues = {
        // Prop names accepted in the OSCAL namespace. allowOthers is not set on this constraint.
        @AllowedValues(
            level = IConstraint.Level.ERROR,
            target = "prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name",
            values = {
              @AllowedValue(value = "version", description = "The version of the component."),
              @AllowedValue(value = "patch-level", description = "The specific patch level of the component."),
              @AllowedValue(value = "model", description = "The model of the component."),
              @AllowedValue(value = "release-date", description = "The date the component was released, such as a software release date or policy publication date."),
              @AllowedValue(value = "validation-type", description = "Used with component-type='validation' to provide a well-known name for a kind of validation."),
              @AllowedValue(value = "validation-reference", description = "Used with component-type='validation' to indicate the validating body's assigned identifier for their validation of this component."),
              @AllowedValue(value = "asset-type", description = "Simple indication of the asset's function, such as Router, Storage Array, DNS Server."),
              @AllowedValue(value = "asset-id", description = "An organizationally specific identifier that is used to uniquely identify a logical or tangible item by the organization that owns the item."),
              @AllowedValue(value = "asset-tag", description = "An asset tag assigned by the organization responsible for maintaining the logical or tangible item."),
              @AllowedValue(value = "public", description = "Identifies whether the asset is publicly accessible (yes/no)"),
              @AllowedValue(value = "virtual", description = "Identifies whether the asset is virtualized (yes/no)"),
              @AllowedValue(value = "vlan-id", description = "Virtual LAN identifier of the asset."),
              @AllowedValue(value = "network-id", description = "The network identifier of the asset."),
              @AllowedValue(value = "label", description = "A human-readable label for the parent context."),
              @AllowedValue(value = "sort-id", description = "An alternative identifier, whose value is easily sortable among other such values in the document."),
              @AllowedValue(value = "baseline-configuration-name", description = "The name of the baseline configuration for the asset."),
              @AllowedValue(value = "allows-authenticated-scan", description = "Can the asset be check with an authenticated scan? (yes/no)"),
              @AllowedValue(value = "function", description = "The function provided by the asset for the system.")
            }),
        // Suggested role identifiers; allowOthers = true, so organisation-specific roles pass too.
        @AllowedValues(
            level = IConstraint.Level.ERROR,
            target = "responsible-party/@role-id",
            allowOthers = true,
            values = {
              @AllowedValue(value = "asset-owner", description = "Accountable for ensuring the asset is managed in accordance with organizational policies and procedures."),
              @AllowedValue(value = "asset-administrator", description = "Responsible for administering a set of assets."),
              @AllowedValue(value = "security-operations", description = "Members of the security operations center (SOC)."),
              @AllowedValue(value = "network-operations", description = "Members of the network operations center (NOC)."),
              @AllowedValue(value = "incident-response", description = "Responsible for responding to an event that could lead to loss of, or disruption to, an organization's operations, services or functions."),
              @AllowedValue(value = "help-desk", description = "Responsible for providing information and support to users."),
              @AllowedValue(value = "configuration-management", description = "Responsible for the configuration management processes governing changes to the asset.")
            })
      }
  )
  @AssemblyConstraints(
      isUnique = @IsUnique(id = "unique-implemented-component-responsible-party", level = IConstraint.Level.ERROR, target = "responsible-party", keyFields = @KeyField(target = "@role-id"), remarks = "Since `responsible-party` associates multiple `party-uuid` entries with a single `role-id`, each role-id must be referenced only once."),
      hasCardinality = @HasCardinality(level = IConstraint.Level.ERROR, target = "prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='asset-id']", minOccurs = 1)
  )
  public static class ImplementedComponent {
    // Declared required = true, but nothing in this class rejects a null value.
    @BoundFlag(
        formalName = "Component Universally Unique Identifier Reference",
        description = "A [machine-oriented](https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented) identifier reference to a `component` that is implemented as part of an inventory item.",
        useName = "component-uuid",
        required = true,
        typeAdapter = UuidAdapter.class
    )
    private UUID _componentUuid;

    // Stays null until setProps or addProp is called.
    @BoundAssembly(
        formalName = "Property",
        description = "An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.",
        useName = "prop",
        maxOccurs = -1
    )
    @GroupAs(
        name = "props",
        inJson = JsonGroupAsBehavior.LIST
    )
    private List<Property> _props;

    // Stays null until setLinks or addLink is called.
    @BoundAssembly(
        formalName = "Link",
        description = "A reference to a local or remote resource, that has a specific relation to the containing object.",
        useName = "link",
        maxOccurs = -1
    )
    @GroupAs(
        name = "links",
        inJson = JsonGroupAsBehavior.LIST
    )
    private List<Link> _links;

    // Stays null until setResponsibleParties or addResponsibleParty is called.
    @BoundAssembly(
        formalName = "Responsible Party",
        description = "A reference to a set of persons and/or organizations that have responsibility for performing the referenced role in the context of the containing object.",
        useName = "responsible-party",
        maxOccurs = -1,
        remarks = "This construct is used to either: 1) associate a party or parties to a role defined on the component using the `responsible-role` construct, or 2) to define a party or parties that are responsible for a role defined within the context of the containing `inventory-item`."
    )
    @GroupAs(
        name = "responsible-parties",
        inJson = JsonGroupAsBehavior.LIST
    )
    private List<ResponsibleParty> _responsibleParties;

    @BoundField(
        formalName = "Remarks",
        description = "Additional commentary about the containing object.",
        useName = "remarks"
    )
    @BoundFieldValue(
        typeAdapter = MarkupMultilineAdapter.class
    )
    private MarkupMultiline _remarks;

    /** Creates an empty component reference; every field starts out {@code null}. */
    public ImplementedComponent() {
    }

    /**
     * Returns the UUID of the referenced component.
     *
     * @return the stored UUID, or {@code null} if none has been set
     */
    public UUID getComponentUuid() {
      return _componentUuid;
    }

    /**
     * Replaces the UUID of the referenced component. Whether the UUID names an existing
     * component is not checked here.
     *
     * @param value the new UUID; stored as given, {@code null} is not rejected here
     */
    public void setComponentUuid(UUID value) {
      _componentUuid = value;
    }

    /**
     * Returns the properties of this component reference.
     *
     * @return the internal list itself (not a copy), or {@code null} if no list exists yet
     */
    public List<Property> getProps() {
      return _props;
    }

    /**
     * Replaces the property list.
     *
     * @param value the new list; the reference is kept, not copied
     */
    public void setProps(List<Property> value) {
      _props = value;
    }

    /**
     * Appends a property, creating the backing {@link LinkedList} on first use.
     *
     * @param item the property to add; passed through {@code ObjectUtils.requireNonNull}, which
     *     presumably throws on {@code null} (confirm against ObjectUtils)
     * @return the result of {@link List#add(Object)}
     */
    public boolean addProp(Property item) {
      Property entry = ObjectUtils.requireNonNull(item,"item cannot be null");
      List<Property> target = _props;
      if (target == null) {
        target = new LinkedList<>();
        _props = target;
      }
      return target.add(entry);
    }

    /**
     * Removes the first matching property.
     *
     * @param item the property to remove; passed through {@code ObjectUtils.requireNonNull}
     * @return {@code true} if the list existed and contained the item
     */
    public boolean removeProp(Property item) {
      Property entry = ObjectUtils.requireNonNull(item,"item cannot be null");
      return _props != null && _props.remove(entry);
    }

    /**
     * Returns the links of this component reference.
     *
     * @return the internal list itself (not a copy), or {@code null} if no list exists yet
     */
    public List<Link> getLinks() {
      return _links;
    }

    /**
     * Replaces the link list.
     *
     * @param value the new list; the reference is kept, not copied
     */
    public void setLinks(List<Link> value) {
      _links = value;
    }

    /**
     * Appends a link, creating the backing {@link LinkedList} on first use.
     *
     * @param item the link to add; passed through {@code ObjectUtils.requireNonNull}, which
     *     presumably throws on {@code null} (confirm against ObjectUtils)
     * @return the result of {@link List#add(Object)}
     */
    public boolean addLink(Link item) {
      Link entry = ObjectUtils.requireNonNull(item,"item cannot be null");
      List<Link> target = _links;
      if (target == null) {
        target = new LinkedList<>();
        _links = target;
      }
      return target.add(entry);
    }

    /**
     * Removes the first matching link.
     *
     * @param item the link to remove; passed through {@code ObjectUtils.requireNonNull}
     * @return {@code true} if the list existed and contained the item
     */
    public boolean removeLink(Link item) {
      Link entry = ObjectUtils.requireNonNull(item,"item cannot be null");
      return _links != null && _links.remove(entry);
    }

    /**
     * Returns the responsible parties of this component reference.
     *
     * @return the internal list itself (not a copy), or {@code null} if no list exists yet
     */
    public List<ResponsibleParty> getResponsibleParties() {
      return _responsibleParties;
    }

    /**
     * Replaces the responsible-party list.
     *
     * @param value the new list; the reference is kept, not copied
     */
    public void setResponsibleParties(List<ResponsibleParty> value) {
      _responsibleParties = value;
    }

    /**
     * Appends a responsible party, creating the backing {@link LinkedList} on first use. The
     * one-entry-per-role-id rule declared on the class is not checked here.
     *
     * @param item the party to add; passed through {@code ObjectUtils.requireNonNull}, which
     *     presumably throws on {@code null} (confirm against ObjectUtils)
     * @return the result of {@link List#add(Object)}
     */
    public boolean addResponsibleParty(ResponsibleParty item) {
      ResponsibleParty entry = ObjectUtils.requireNonNull(item,"item cannot be null");
      List<ResponsibleParty> target = _responsibleParties;
      if (target == null) {
        target = new LinkedList<>();
        _responsibleParties = target;
      }
      return target.add(entry);
    }

    /**
     * Removes the first matching responsible party.
     *
     * @param item the party to remove; passed through {@code ObjectUtils.requireNonNull}
     * @return {@code true} if the list existed and contained the item
     */
    public boolean removeResponsibleParty(ResponsibleParty item) {
      ResponsibleParty entry = ObjectUtils.requireNonNull(item,"item cannot be null");
      return _responsibleParties != null && _responsibleParties.remove(entry);
    }

    /**
     * Returns the remarks attached to this component reference.
     *
     * @return the stored markup, or {@code null} if none has been set
     */
    public MarkupMultiline getRemarks() {
      return _remarks;
    }

    /**
     * Replaces the remarks attached to this component reference.
     *
     * @param value the new markup; stored as given
     */
    public void setRemarks(MarkupMultiline value) {
      _remarks = value;
    }

    /**
     * Renders this object by reflection over its fields, using the multi-line recursive style.
     *
     * <p>Nothing is excluded, so prop values and party references end up in the text; protect
     * logs that include it accordingly.
     *
     * @return the reflective multi-line dump of this component reference
     */
    @Override
    public String toString() {
      ReflectionToStringBuilder dump =
          new ReflectionToStringBuilder(this, MultilineRecursiveToStringStyle.MULTI_LINE_STYLE);
      return dump.toString();
    }
  }
}