1 package gov.nist.secauto.oscal.lib.model;
2
3 import gov.nist.secauto.metaschema.binding.model.annotations.AllowedValue;
4 import gov.nist.secauto.metaschema.binding.model.annotations.AllowedValues;
5 import gov.nist.secauto.metaschema.binding.model.annotations.BoundAssembly;
6 import gov.nist.secauto.metaschema.binding.model.annotations.BoundField;
7 import gov.nist.secauto.metaschema.binding.model.annotations.BoundFieldValue;
8 import gov.nist.secauto.metaschema.binding.model.annotations.BoundFlag;
9 import gov.nist.secauto.metaschema.binding.model.annotations.GroupAs;
10 import gov.nist.secauto.metaschema.binding.model.annotations.Matches;
11 import gov.nist.secauto.metaschema.binding.model.annotations.MetaschemaAssembly;
12 import gov.nist.secauto.metaschema.binding.model.annotations.ValueConstraints;
13 import gov.nist.secauto.metaschema.model.common.JsonGroupAsBehavior;
14 import gov.nist.secauto.metaschema.model.common.constraint.IConstraint;
15 import gov.nist.secauto.metaschema.model.common.datatype.adapter.DateTimeWithTZAdapter;
16 import gov.nist.secauto.metaschema.model.common.datatype.adapter.IntegerAdapter;
17 import gov.nist.secauto.metaschema.model.common.datatype.adapter.TokenAdapter;
18 import gov.nist.secauto.metaschema.model.common.datatype.adapter.UuidAdapter;
19 import gov.nist.secauto.metaschema.model.common.datatype.markup.MarkupLine;
20 import gov.nist.secauto.metaschema.model.common.datatype.markup.MarkupLineAdapter;
21 import gov.nist.secauto.metaschema.model.common.datatype.markup.MarkupMultiline;
22 import gov.nist.secauto.metaschema.model.common.datatype.markup.MarkupMultilineAdapter;
23 import gov.nist.secauto.metaschema.model.common.util.ObjectUtils;
24 import java.lang.Override;
25 import java.lang.String;
26 import java.time.ZonedDateTime;
27 import java.util.LinkedList;
28 import java.util.List;
29 import java.util.UUID;
30 import org.apache.commons.lang3.builder.MultilineRecursiveToStringStyle;
31 import org.apache.commons.lang3.builder.ReflectionToStringBuilder;
32
33
34
35
36 @MetaschemaAssembly(
37 formalName = "Identified Risk",
38 description = "An identified risk.",
39 name = "risk",
40 metaschema = OscalAssessmentCommonMetaschema.class
41 )
42 @ValueConstraints(
43 allowedValues = @AllowedValues(level = IConstraint.Level.ERROR, target = "prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name", values = {@AllowedValue(value = "false-positive", description = "The risk has been confirmed to be a false positive."), @AllowedValue(value = "accepted", description = "The risk has been accepted. No further action will be taken."), @AllowedValue(value = "risk-adjusted", description = "The risk has been adjusted."), @AllowedValue(value = "priority", description = "A numeric value indicating the sequence in which risks should be addressed. (Lower numbers are higher priority)")}),
44 matches = @Matches(level = IConstraint.Level.ERROR, target = "prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='priority']/@value", typeAdapter = IntegerAdapter.class)
45 )
46 public class Risk {
47 @BoundFlag(
48 formalName = "Risk Universally Unique Identifier",
49 description = "A [machine-oriented](https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented), [globally unique](https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique) identifier with [cross-instance](https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance) scope that can be used to reference this risk elsewhere in [this or other OSCAL instances](https://pages.nist.gov/OSCAL/concepts/identifier-use/#scope). The locally defined *UUID* of the `risk` can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned [per-subject](https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency), which means it should be consistently used to identify the same subject across revisions of the document.",
50 useName = "uuid",
51 required = true,
52 typeAdapter = UuidAdapter.class
53 )
54 private UUID _uuid;
55
56
57
58
59 @BoundField(
60 formalName = "Risk Title",
61 description = "The title for this risk.",
62 useName = "title",
63 minOccurs = 1
64 )
65 @BoundFieldValue(
66 typeAdapter = MarkupLineAdapter.class
67 )
68 private MarkupLine _title;
69
70
71
72
73 @BoundField(
74 formalName = "Risk Description",
75 description = "A human-readable summary of the identified risk, to include a statement of how the risk impacts the system.",
76 useName = "description",
77 minOccurs = 1
78 )
79 @BoundFieldValue(
80 typeAdapter = MarkupMultilineAdapter.class
81 )
82 private MarkupMultiline _description;
83
84
85
86
87 @BoundField(
88 formalName = "Risk Statement",
89 description = "An summary of impact for how the risk affects the system.",
90 useName = "statement",
91 minOccurs = 1
92 )
93 @BoundFieldValue(
94 typeAdapter = MarkupMultilineAdapter.class
95 )
96 private MarkupMultiline _statement;
97
98 @BoundAssembly(
99 formalName = "Property",
100 description = "An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.",
101 useName = "prop",
102 maxOccurs = -1
103 )
104 @GroupAs(
105 name = "props",
106 inJson = JsonGroupAsBehavior.LIST
107 )
108 private List<Property> _props;
109
110 @BoundAssembly(
111 formalName = "Link",
112 description = "A reference to a local or remote resource, that has a specific relation to the containing object.",
113 useName = "link",
114 maxOccurs = -1
115 )
116 @GroupAs(
117 name = "links",
118 inJson = JsonGroupAsBehavior.LIST
119 )
120 private List<Link> _links;
121
122 @BoundField(
123 formalName = "Risk Status",
124 description = "Describes the status of the associated risk.",
125 useName = "status",
126 minOccurs = 1
127 )
128 @BoundFieldValue(
129 typeAdapter = TokenAdapter.class
130 )
131 @ValueConstraints(
132 allowedValues = @AllowedValues(level = IConstraint.Level.ERROR, allowOthers = true, values = {@AllowedValue(value = "open", description = "The risk has been identified."), @AllowedValue(value = "investigating", description = "The identified risk is being investigated. (Open risk)"), @AllowedValue(value = "remediating", description = "Remediation activities are underway, but are not yet complete. (Open risk)"), @AllowedValue(value = "deviation-requested", description = "A risk deviation, such as false positive, risk reduction, or operational requirement has been submitted for approval. (Open risk)"), @AllowedValue(value = "deviation-approved", description = "A risk deviation, such as false positive, risk reduction, or operational requirement has been approved. (Open risk)"), @AllowedValue(value = "closed", description = "The risk has been resolved.")})
133 )
134 private String _status;
135
136 @BoundAssembly(
137 formalName = "Origin",
138 description = "Identifies the source of the finding, such as a tool, interviewed person, or activity.",
139 useName = "origin",
140 maxOccurs = -1,
141 remarks = "Used to identify the individual and/or tool that identified this risk."
142 )
143 @GroupAs(
144 name = "origins",
145 inJson = JsonGroupAsBehavior.LIST
146 )
147 private List<Origin> _origins;
148
149 @BoundField(
150 formalName = "Threat ID",
151 description = "A pointer, by ID, to an externally-defined threat.",
152 useName = "threat-id",
153 maxOccurs = -1
154 )
155 @GroupAs(
156 name = "threat-ids",
157 inJson = JsonGroupAsBehavior.LIST
158 )
159 private List<ThreatId> _threatIds;
160
161 @BoundAssembly(
162 formalName = "Characterization",
163 description = "A collection of descriptive data about the containing object from a specific origin.",
164 useName = "characterization",
165 maxOccurs = -1
166 )
167 @GroupAs(
168 name = "characterizations",
169 inJson = JsonGroupAsBehavior.LIST
170 )
171 private List<Characterization> _characterizations;
172
173
174
175
176 @BoundAssembly(
177 formalName = "Mitigating Factor",
178 description = "Describes an existing mitigating factor that may affect the overall determination of the risk, with an optional link to an implementation statement in the SSP.",
179 useName = "mitigating-factor",
180 maxOccurs = -1
181 )
182 @GroupAs(
183 name = "mitigating-factors",
184 inJson = JsonGroupAsBehavior.LIST
185 )
186 private List<MitigatingFactor> _mitigatingFactors;
187
188
189
190
191 @BoundField(
192 formalName = "Risk Resolution Deadline",
193 description = "The date/time by which the risk must be resolved.",
194 useName = "deadline"
195 )
196 @BoundFieldValue(
197 typeAdapter = DateTimeWithTZAdapter.class
198 )
199 private ZonedDateTime _deadline;
200
201 @BoundAssembly(
202 formalName = "Risk Response",
203 description = "Describes either recommended or an actual plan for addressing the risk.",
204 useName = "response",
205 maxOccurs = -1
206 )
207 @GroupAs(
208 name = "remediations",
209 inJson = JsonGroupAsBehavior.LIST
210 )
211 private List<Response> _remediations;
212
213
214
215
216 @BoundAssembly(
217 formalName = "Risk Log",
218 description = "A log of all risk-related tasks taken.",
219 useName = "risk-log"
220 )
221 private RiskLog _riskLog;
222
223
224
225
226 @BoundAssembly(
227 formalName = "Related Observation",
228 description = "Relates the finding to a set of referenced observations that were used to determine the finding.",
229 useName = "related-observation",
230 maxOccurs = -1
231 )
232 @GroupAs(
233 name = "related-observations",
234 inJson = JsonGroupAsBehavior.LIST
235 )
236 private List<RelatedObservation> _relatedObservations;
237
238 public Risk() {
239 }
240
241 public UUID getUuid() {
242 return _uuid;
243 }
244
245 public void setUuid(UUID value) {
246 _uuid = value;
247 }
248
249 public MarkupLine getTitle() {
250 return _title;
251 }
252
253 public void setTitle(MarkupLine value) {
254 _title = value;
255 }
256
257 public MarkupMultiline getDescription() {
258 return _description;
259 }
260
261 public void setDescription(MarkupMultiline value) {
262 _description = value;
263 }
264
265 public MarkupMultiline getStatement() {
266 return _statement;
267 }
268
269 public void setStatement(MarkupMultiline value) {
270 _statement = value;
271 }
272
273 public List<Property> getProps() {
274 return _props;
275 }
276
277 public void setProps(List<Property> value) {
278 _props = value;
279 }
280
281
282
283
284
285
286 public boolean addProp(Property item) {
287 Property value = ObjectUtils.requireNonNull(item,"item cannot be null");
288 if (_props == null) {
289 _props = new LinkedList<>();
290 }
291 return _props.add(value);
292 }
293
294
295
296
297
298
299 public boolean removeProp(Property item) {
300 Property value = ObjectUtils.requireNonNull(item,"item cannot be null");
301 return _props == null ? false : _props.remove(value);
302 }
303
304 public List<Link> getLinks() {
305 return _links;
306 }
307
308 public void setLinks(List<Link> value) {
309 _links = value;
310 }
311
312
313
314
315
316
317 public boolean addLink(Link item) {
318 Link value = ObjectUtils.requireNonNull(item,"item cannot be null");
319 if (_links == null) {
320 _links = new LinkedList<>();
321 }
322 return _links.add(value);
323 }
324
325
326
327
328
329
330 public boolean removeLink(Link item) {
331 Link value = ObjectUtils.requireNonNull(item,"item cannot be null");
332 return _links == null ? false : _links.remove(value);
333 }
334
335 public String getStatus() {
336 return _status;
337 }
338
339 public void setStatus(String value) {
340 _status = value;
341 }
342
343 public List<Origin> getOrigins() {
344 return _origins;
345 }
346
347 public void setOrigins(List<Origin> value) {
348 _origins = value;
349 }
350
351
352
353
354
355
356 public boolean addOrigin(Origin item) {
357 Origin value = ObjectUtils.requireNonNull(item,"item cannot be null");
358 if (_origins == null) {
359 _origins = new LinkedList<>();
360 }
361 return _origins.add(value);
362 }
363
364
365
366
367
368
369 public boolean removeOrigin(Origin item) {
370 Origin value = ObjectUtils.requireNonNull(item,"item cannot be null");
371 return _origins == null ? false : _origins.remove(value);
372 }
373
374 public List<ThreatId> getThreatIds() {
375 return _threatIds;
376 }
377
378 public void setThreatIds(List<ThreatId> value) {
379 _threatIds = value;
380 }
381
382
383
384
385
386
387 public boolean addThreatId(ThreatId item) {
388 ThreatId value = ObjectUtils.requireNonNull(item,"item cannot be null");
389 if (_threatIds == null) {
390 _threatIds = new LinkedList<>();
391 }
392 return _threatIds.add(value);
393 }
394
395
396
397
398
399
400 public boolean removeThreatId(ThreatId item) {
401 ThreatId value = ObjectUtils.requireNonNull(item,"item cannot be null");
402 return _threatIds == null ? false : _threatIds.remove(value);
403 }
404
405 public List<Characterization> getCharacterizations() {
406 return _characterizations;
407 }
408
409 public void setCharacterizations(List<Characterization> value) {
410 _characterizations = value;
411 }
412
413
414
415
416
417
418 public boolean addCharacterization(Characterization item) {
419 Characterization value = ObjectUtils.requireNonNull(item,"item cannot be null");
420 if (_characterizations == null) {
421 _characterizations = new LinkedList<>();
422 }
423 return _characterizations.add(value);
424 }
425
426
427
428
429
430
431 public boolean removeCharacterization(Characterization item) {
432 Characterization value = ObjectUtils.requireNonNull(item,"item cannot be null");
433 return _characterizations == null ? false : _characterizations.remove(value);
434 }
435
436 public List<MitigatingFactor> getMitigatingFactors() {
437 return _mitigatingFactors;
438 }
439
440 public void setMitigatingFactors(List<MitigatingFactor> value) {
441 _mitigatingFactors = value;
442 }
443
444
445
446
447
448
449 public boolean addMitigatingFactor(MitigatingFactor item) {
450 MitigatingFactor value = ObjectUtils.requireNonNull(item,"item cannot be null");
451 if (_mitigatingFactors == null) {
452 _mitigatingFactors = new LinkedList<>();
453 }
454 return _mitigatingFactors.add(value);
455 }
456
457
458
459
460
461
462 public boolean removeMitigatingFactor(MitigatingFactor item) {
463 MitigatingFactor value = ObjectUtils.requireNonNull(item,"item cannot be null");
464 return _mitigatingFactors == null ? false : _mitigatingFactors.remove(value);
465 }
466
467 public ZonedDateTime getDeadline() {
468 return _deadline;
469 }
470
471 public void setDeadline(ZonedDateTime value) {
472 _deadline = value;
473 }
474
475 public List<Response> getRemediations() {
476 return _remediations;
477 }
478
479 public void setRemediations(List<Response> value) {
480 _remediations = value;
481 }
482
483
484
485
486
487
488 public boolean addResponse(Response item) {
489 Response value = ObjectUtils.requireNonNull(item,"item cannot be null");
490 if (_remediations == null) {
491 _remediations = new LinkedList<>();
492 }
493 return _remediations.add(value);
494 }
495
496
497
498
499
500
501 public boolean removeResponse(Response item) {
502 Response value = ObjectUtils.requireNonNull(item,"item cannot be null");
503 return _remediations == null ? false : _remediations.remove(value);
504 }
505
506 public RiskLog getRiskLog() {
507 return _riskLog;
508 }
509
510 public void setRiskLog(RiskLog value) {
511 _riskLog = value;
512 }
513
514 public List<RelatedObservation> getRelatedObservations() {
515 return _relatedObservations;
516 }
517
518 public void setRelatedObservations(List<RelatedObservation> value) {
519 _relatedObservations = value;
520 }
521
522
523
524
525
526
527 public boolean addRelatedObservation(RelatedObservation item) {
528 RelatedObservation value = ObjectUtils.requireNonNull(item,"item cannot be null");
529 if (_relatedObservations == null) {
530 _relatedObservations = new LinkedList<>();
531 }
532 return _relatedObservations.add(value);
533 }
534
535
536
537
538
539
540 public boolean removeRelatedObservation(RelatedObservation item) {
541 RelatedObservation value = ObjectUtils.requireNonNull(item,"item cannot be null");
542 return _relatedObservations == null ? false : _relatedObservations.remove(value);
543 }
544
545 @Override
546 public String toString() {
547 return new ReflectionToStringBuilder(this, MultilineRecursiveToStringStyle.MULTI_LINE_STYLE).toString();
548 }
549
550
551
552
553 @MetaschemaAssembly(
554 formalName = "Related Observation",
555 description = "Relates the finding to a set of referenced observations that were used to determine the finding.",
556 name = "related-observation",
557 metaschema = OscalAssessmentCommonMetaschema.class
558 )
559 public static class RelatedObservation {
560 @BoundFlag(
561 formalName = "Observation Universally Unique Identifier Reference",
562 description = "A [machine-oriented](https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented) identifier reference to an observation defined in the list of observations.",
563 useName = "observation-uuid",
564 required = true,
565 typeAdapter = UuidAdapter.class
566 )
567 private UUID _observationUuid;
568
569 public RelatedObservation() {
570 }
571
572 public UUID getObservationUuid() {
573 return _observationUuid;
574 }
575
576 public void setObservationUuid(UUID value) {
577 _observationUuid = value;
578 }
579
580 @Override
581 public String toString() {
582 return new ReflectionToStringBuilder(this, MultilineRecursiveToStringStyle.MULTI_LINE_STYLE).toString();
583 }
584 }
585
586
587
588
589 @MetaschemaAssembly(
590 formalName = "Risk Log",
591 description = "A log of all risk-related tasks taken.",
592 name = "risk-log",
593 metaschema = OscalAssessmentCommonMetaschema.class
594 )
595 public static class RiskLog {
596
597
598
599 @BoundAssembly(
600 formalName = "Risk Log Entry",
601 description = "Identifies an individual risk response that occurred as part of managing an identified risk.",
602 useName = "entry",
603 minOccurs = 1,
604 maxOccurs = -1
605 )
606 @GroupAs(
607 name = "entries",
608 inJson = JsonGroupAsBehavior.LIST
609 )
610 private List<Entry> _entries;
611
612 public RiskLog() {
613 }
614
615 public List<Entry> getEntries() {
616 return _entries;
617 }
618
619 public void setEntries(List<Entry> value) {
620 _entries = value;
621 }
622
623
624
625
626
627
628 public boolean addEntry(Entry item) {
629 Entry value = ObjectUtils.requireNonNull(item,"item cannot be null");
630 if (_entries == null) {
631 _entries = new LinkedList<>();
632 }
633 return _entries.add(value);
634 }
635
636
637
638
639
640
641 public boolean removeEntry(Entry item) {
642 Entry value = ObjectUtils.requireNonNull(item,"item cannot be null");
643 return _entries == null ? false : _entries.remove(value);
644 }
645
646 @Override
647 public String toString() {
648 return new ReflectionToStringBuilder(this, MultilineRecursiveToStringStyle.MULTI_LINE_STYLE).toString();
649 }
650
651
652
653
654 @MetaschemaAssembly(
655 formalName = "Risk Log Entry",
656 description = "Identifies an individual risk response that occurred as part of managing an identified risk.",
657 name = "entry",
658 metaschema = OscalAssessmentCommonMetaschema.class
659 )
660 @ValueConstraints(
661 allowedValues = {
662 @AllowedValues(level = IConstraint.Level.ERROR, target = "prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal')]/@name", values = @AllowedValue(value = "type", description = "The type of remediation tracking entry. Can be multi-valued.")),
663 @AllowedValues(level = IConstraint.Level.ERROR, target = "prop[has-oscal-namespace('http://csrc.nist.gov/ns/oscal') and @name='type']/@value", allowOthers = true, values = {@AllowedValue(value = "vendor-check-in", description = "Contacted vendor to determine the status of a pending fix to a known vulnerability."), @AllowedValue(value = "status-update", description = "Information related to the current state of response to this risk."), @AllowedValue(value = "milestone-complete", description = "A significant step in the response plan has been achieved."), @AllowedValue(value = "mitigation", description = "An activity was completed that reduces the likelihood or impact of this risk."), @AllowedValue(value = "remediated", description = "An activity was completed that eliminates the likelihood or impact of this risk."), @AllowedValue(value = "closed", description = "The risk is no longer applicable to the system."), @AllowedValue(value = "dr-submission", description = "A deviation request was made to the authorizing official."), @AllowedValue(value = "dr-updated", description = "A previously submitted deviation request has been modified."), @AllowedValue(value = "dr-approved", description = "The authorizing official approved the deviation."), @AllowedValue(value = "dr-rejected", description = "The authorizing official rejected the deviation.")})
664 }
665 )
666 public static class Entry {
667 @BoundFlag(
668 formalName = "Risk Log Entry Universally Unique Identifier",
669 description = "A [machine-oriented](https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented), [globally unique](https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique) identifier with [cross-instance](https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance) scope that can be used to reference this risk log entry elsewhere in [this or other OSCAL instances](https://pages.nist.gov/OSCAL/concepts/identifier-use/#scope). The locally defined *UUID* of the `risk log entry` can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned [per-subject](https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency), which means it should be consistently used to identify the same subject across revisions of the document.",
670 useName = "uuid",
671 required = true,
672 typeAdapter = UuidAdapter.class
673 )
674 private UUID _uuid;
675
676
677
678
679 @BoundField(
680 formalName = "Title",
681 description = "The title for this risk log entry.",
682 useName = "title"
683 )
684 @BoundFieldValue(
685 typeAdapter = MarkupLineAdapter.class
686 )
687 private MarkupLine _title;
688
689
690
691
692 @BoundField(
693 formalName = "Risk Task Description",
694 description = "A human-readable description of what was done regarding the risk.",
695 useName = "description"
696 )
697 @BoundFieldValue(
698 typeAdapter = MarkupMultilineAdapter.class
699 )
700 private MarkupMultiline _description;
701
702
703
704
705 @BoundField(
706 formalName = "Start",
707 description = "Identifies the start date and time of the event.",
708 useName = "start",
709 minOccurs = 1
710 )
711 @BoundFieldValue(
712 typeAdapter = DateTimeWithTZAdapter.class
713 )
714 private ZonedDateTime _start;
715
716
717
718
719 @BoundField(
720 formalName = "End",
721 description = "Identifies the end date and time of the event. If the event is a point in time, the start and end will be the same date and time.",
722 useName = "end"
723 )
724 @BoundFieldValue(
725 typeAdapter = DateTimeWithTZAdapter.class
726 )
727 private ZonedDateTime _end;
728
729 @BoundAssembly(
730 formalName = "Property",
731 description = "An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.",
732 useName = "prop",
733 maxOccurs = -1
734 )
735 @GroupAs(
736 name = "props",
737 inJson = JsonGroupAsBehavior.LIST
738 )
739 private List<Property> _props;
740
741 @BoundAssembly(
742 formalName = "Link",
743 description = "A reference to a local or remote resource, that has a specific relation to the containing object.",
744 useName = "link",
745 maxOccurs = -1
746 )
747 @GroupAs(
748 name = "links",
749 inJson = JsonGroupAsBehavior.LIST
750 )
751 private List<Link> _links;
752
753 @BoundAssembly(
754 formalName = "Logged By",
755 description = "Used to indicate who created a log entry in what role.",
756 useName = "logged-by",
757 maxOccurs = -1
758 )
759 @GroupAs(
760 name = "logged-by",
761 inJson = JsonGroupAsBehavior.LIST
762 )
763 private List<LoggedBy> _loggedBy;
764
765 @BoundField(
766 formalName = "Risk Status",
767 description = "Describes the status of the associated risk.",
768 useName = "status-change",
769 remarks = "Identifies a change in risk status made resulting from the task described by this risk log entry. This allows the risk's status history to be captured as a sequence of risk log entries."
770 )
771 @BoundFieldValue(
772 typeAdapter = TokenAdapter.class
773 )
774 @ValueConstraints(
775 allowedValues = @AllowedValues(level = IConstraint.Level.ERROR, allowOthers = true, values = {@AllowedValue(value = "open", description = "The risk has been identified."), @AllowedValue(value = "investigating", description = "The identified risk is being investigated. (Open risk)"), @AllowedValue(value = "remediating", description = "Remediation activities are underway, but are not yet complete. (Open risk)"), @AllowedValue(value = "deviation-requested", description = "A risk deviation, such as false positive, risk reduction, or operational requirement has been submitted for approval. (Open risk)"), @AllowedValue(value = "deviation-approved", description = "A risk deviation, such as false positive, risk reduction, or operational requirement has been approved. (Open risk)"), @AllowedValue(value = "closed", description = "The risk has been resolved.")})
776 )
777 private String _statusChange;
778
779
780
781
782 @BoundAssembly(
783 formalName = "Risk Response Reference",
784 description = "Identifies an individual risk response that this log entry is for.",
785 useName = "related-response",
786 maxOccurs = -1
787 )
788 @GroupAs(
789 name = "related-responses",
790 inJson = JsonGroupAsBehavior.LIST
791 )
792 private List<RelatedResponse> _relatedResponses;
793
794 @BoundField(
795 formalName = "Remarks",
796 description = "Additional commentary about the containing object.",
797 useName = "remarks"
798 )
799 @BoundFieldValue(
800 typeAdapter = MarkupMultilineAdapter.class
801 )
802 private MarkupMultiline _remarks;
803
804 public Entry() {
805 }
806
807 public UUID getUuid() {
808 return _uuid;
809 }
810
811 public void setUuid(UUID value) {
812 _uuid = value;
813 }
814
815 public MarkupLine getTitle() {
816 return _title;
817 }
818
819 public void setTitle(MarkupLine value) {
820 _title = value;
821 }
822
823 public MarkupMultiline getDescription() {
824 return _description;
825 }
826
827 public void setDescription(MarkupMultiline value) {
828 _description = value;
829 }
830
831 public ZonedDateTime getStart() {
832 return _start;
833 }
834
835 public void setStart(ZonedDateTime value) {
836 _start = value;
837 }
838
839 public ZonedDateTime getEnd() {
840 return _end;
841 }
842
843 public void setEnd(ZonedDateTime value) {
844 _end = value;
845 }
846
847 public List<Property> getProps() {
848 return _props;
849 }
850
851 public void setProps(List<Property> value) {
852 _props = value;
853 }
854
855
856
857
858
859
860 public boolean addProp(Property item) {
861 Property value = ObjectUtils.requireNonNull(item,"item cannot be null");
862 if (_props == null) {
863 _props = new LinkedList<>();
864 }
865 return _props.add(value);
866 }
867
868
869
870
871
872
873 public boolean removeProp(Property item) {
874 Property value = ObjectUtils.requireNonNull(item,"item cannot be null");
875 return _props == null ? false : _props.remove(value);
876 }
877
878 public List<Link> getLinks() {
879 return _links;
880 }
881
882 public void setLinks(List<Link> value) {
883 _links = value;
884 }
885
886
887
888
889
890
891 public boolean addLink(Link item) {
892 Link value = ObjectUtils.requireNonNull(item,"item cannot be null");
893 if (_links == null) {
894 _links = new LinkedList<>();
895 }
896 return _links.add(value);
897 }
898
899
900
901
902
903
904 public boolean removeLink(Link item) {
905 Link value = ObjectUtils.requireNonNull(item,"item cannot be null");
906 return _links == null ? false : _links.remove(value);
907 }
908
909 public List<LoggedBy> getLoggedBy() {
910 return _loggedBy;
911 }
912
913 public void setLoggedBy(List<LoggedBy> value) {
914 _loggedBy = value;
915 }
916
917
918
919
920
921
922 public boolean addLoggedBy(LoggedBy item) {
923 LoggedBy value = ObjectUtils.requireNonNull(item,"item cannot be null");
924 if (_loggedBy == null) {
925 _loggedBy = new LinkedList<>();
926 }
927 return _loggedBy.add(value);
928 }
929
930
931
932
933
934
935 public boolean removeLoggedBy(LoggedBy item) {
936 LoggedBy value = ObjectUtils.requireNonNull(item,"item cannot be null");
937 return _loggedBy == null ? false : _loggedBy.remove(value);
938 }
939
940 public String getStatusChange() {
941 return _statusChange;
942 }
943
944 public void setStatusChange(String value) {
945 _statusChange = value;
946 }
947
948 public List<RelatedResponse> getRelatedResponses() {
949 return _relatedResponses;
950 }
951
952 public void setRelatedResponses(List<RelatedResponse> value) {
953 _relatedResponses = value;
954 }
955
956
957
958
959
960
961 public boolean addRelatedResponse(RelatedResponse item) {
962 RelatedResponse value = ObjectUtils.requireNonNull(item,"item cannot be null");
963 if (_relatedResponses == null) {
964 _relatedResponses = new LinkedList<>();
965 }
966 return _relatedResponses.add(value);
967 }
968
969
970
971
972
973
974 public boolean removeRelatedResponse(RelatedResponse item) {
975 RelatedResponse value = ObjectUtils.requireNonNull(item,"item cannot be null");
976 return _relatedResponses == null ? false : _relatedResponses.remove(value);
977 }
978
979 public MarkupMultiline getRemarks() {
980 return _remarks;
981 }
982
983 public void setRemarks(MarkupMultiline value) {
984 _remarks = value;
985 }
986
987 @Override
988 public String toString() {
989 return new ReflectionToStringBuilder(this, MultilineRecursiveToStringStyle.MULTI_LINE_STYLE).toString();
990 }
991
992
993
994
995 @MetaschemaAssembly(
996 formalName = "Risk Response Reference",
997 description = "Identifies an individual risk response that this log entry is for.",
998 name = "related-response",
999 metaschema = OscalAssessmentCommonMetaschema.class
1000 )
1001 public static class RelatedResponse {
1002 @BoundFlag(
1003 formalName = "Response Universally Unique Identifier Reference",
1004 description = "A [machine-oriented](https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented) identifier reference to a unique risk response.",
1005 useName = "response-uuid",
1006 required = true,
1007 typeAdapter = UuidAdapter.class
1008 )
1009 private UUID _responseUuid;
1010
1011 @BoundAssembly(
1012 formalName = "Property",
1013 description = "An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.",
1014 useName = "prop",
1015 maxOccurs = -1
1016 )
1017 @GroupAs(
1018 name = "props",
1019 inJson = JsonGroupAsBehavior.LIST
1020 )
1021 private List<Property> _props;
1022
1023 @BoundAssembly(
1024 formalName = "Link",
1025 description = "A reference to a local or remote resource, that has a specific relation to the containing object.",
1026 useName = "link",
1027 maxOccurs = -1
1028 )
1029 @GroupAs(
1030 name = "links",
1031 inJson = JsonGroupAsBehavior.LIST
1032 )
1033 private List<Link> _links;
1034
1035 @BoundAssembly(
1036 formalName = "Task Reference",
1037 description = "Identifies an individual task for which the containing object is a consequence of.",
1038 useName = "related-task",
1039 maxOccurs = -1,
1040 remarks = "This is used to identify the task(s) that this log entry was generated for."
1041 )
1042 @GroupAs(
1043 name = "related-tasks",
1044 inJson = JsonGroupAsBehavior.LIST
1045 )
1046 private List<RelatedTask> _relatedTasks;
1047
1048 @BoundField(
1049 formalName = "Remarks",
1050 description = "Additional commentary about the containing object.",
1051 useName = "remarks"
1052 )
1053 @BoundFieldValue(
1054 typeAdapter = MarkupMultilineAdapter.class
1055 )
1056 private MarkupMultiline _remarks;
1057
1058 public RelatedResponse() {
1059 }
1060
1061 public UUID getResponseUuid() {
1062 return _responseUuid;
1063 }
1064
1065 public void setResponseUuid(UUID value) {
1066 _responseUuid = value;
1067 }
1068
1069 public List<Property> getProps() {
1070 return _props;
1071 }
1072
1073 public void setProps(List<Property> value) {
1074 _props = value;
1075 }
1076
1077
1078
1079
1080
1081
1082 public boolean addProp(Property item) {
1083 Property value = ObjectUtils.requireNonNull(item,"item cannot be null");
1084 if (_props == null) {
1085 _props = new LinkedList<>();
1086 }
1087 return _props.add(value);
1088 }
1089
1090
1091
1092
1093
1094
1095 public boolean removeProp(Property item) {
1096 Property value = ObjectUtils.requireNonNull(item,"item cannot be null");
1097 return _props == null ? false : _props.remove(value);
1098 }
1099
1100 public List<Link> getLinks() {
1101 return _links;
1102 }
1103
1104 public void setLinks(List<Link> value) {
1105 _links = value;
1106 }
1107
1108
1109
1110
1111
1112
1113 public boolean addLink(Link item) {
1114 Link value = ObjectUtils.requireNonNull(item,"item cannot be null");
1115 if (_links == null) {
1116 _links = new LinkedList<>();
1117 }
1118 return _links.add(value);
1119 }
1120
1121
1122
1123
1124
1125
1126 public boolean removeLink(Link item) {
1127 Link value = ObjectUtils.requireNonNull(item,"item cannot be null");
1128 return _links == null ? false : _links.remove(value);
1129 }
1130
1131 public List<RelatedTask> getRelatedTasks() {
1132 return _relatedTasks;
1133 }
1134
1135 public void setRelatedTasks(List<RelatedTask> value) {
1136 _relatedTasks = value;
1137 }
1138
1139
1140
1141
1142
1143
1144 public boolean addRelatedTask(RelatedTask item) {
1145 RelatedTask value = ObjectUtils.requireNonNull(item,"item cannot be null");
1146 if (_relatedTasks == null) {
1147 _relatedTasks = new LinkedList<>();
1148 }
1149 return _relatedTasks.add(value);
1150 }
1151
1152
1153
1154
1155
1156
1157 public boolean removeRelatedTask(RelatedTask item) {
1158 RelatedTask value = ObjectUtils.requireNonNull(item,"item cannot be null");
1159 return _relatedTasks == null ? false : _relatedTasks.remove(value);
1160 }
1161
1162 public MarkupMultiline getRemarks() {
1163 return _remarks;
1164 }
1165
1166 public void setRemarks(MarkupMultiline value) {
1167 _remarks = value;
1168 }
1169
1170 @Override
1171 public String toString() {
1172 return new ReflectionToStringBuilder(this, MultilineRecursiveToStringStyle.MULTI_LINE_STYLE).toString();
1173 }
1174 }
1175 }
1176 }
1177
1178
1179
1180
1181 @MetaschemaAssembly(
1182 formalName = "Mitigating Factor",
1183 description = "Describes an existing mitigating factor that may affect the overall determination of the risk, with an optional link to an implementation statement in the SSP.",
1184 name = "mitigating-factor",
1185 metaschema = OscalAssessmentCommonMetaschema.class
1186 )
1187 public static class MitigatingFactor {
1188 @BoundFlag(
1189 formalName = "Mitigating Factor Universally Unique Identifier",
1190 description = "A [machine-oriented](https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented), [globally unique](https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique) identifier with [cross-instance](https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance) scope that can be used to reference this mitigating factor elsewhere in [this or other OSCAL instances](https://pages.nist.gov/OSCAL/concepts/identifier-use/#scope). The locally defined *UUID* of the `mitigating factor` can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned [per-subject](https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency), which means it should be consistently used to identify the same subject across revisions of the document.",
1191 useName = "uuid",
1192 required = true,
1193 typeAdapter = UuidAdapter.class
1194 )
1195 private UUID _uuid;
1196
1197 @BoundFlag(
1198 formalName = "Implementation UUID",
1199 description = "A [machine-oriented](https://pages.nist.gov/OSCAL/concepts/identifier-use/#machine-oriented), [globally unique](https://pages.nist.gov/OSCAL/concepts/identifier-use/#globally-unique) identifier with [cross-instance](https://pages.nist.gov/OSCAL/concepts/identifier-use/#cross-instance) scope that can be used to reference this implementation statement elsewhere in [this or other OSCAL instances](https://pages.nist.gov/OSCAL/concepts/identifier-use/#scope)s. The locally defined *UUID* of the `implementation statement` can be used to reference the data item locally or globally (e.g., in an imported OSCAL instance). This UUID should be assigned [per-subject](https://pages.nist.gov/OSCAL/concepts/identifier-use/#consistency), which means it should be consistently used to identify the same subject across revisions of the document.",
1200 useName = "implementation-uuid",
1201 typeAdapter = UuidAdapter.class
1202 )
1203 private UUID _implementationUuid;
1204
1205
1206
1207
1208 @BoundField(
1209 formalName = "Mitigating Factor Description",
1210 description = "A human-readable description of this mitigating factor.",
1211 useName = "description",
1212 minOccurs = 1
1213 )
1214 @BoundFieldValue(
1215 typeAdapter = MarkupMultilineAdapter.class
1216 )
1217 private MarkupMultiline _description;
1218
1219 @BoundAssembly(
1220 formalName = "Property",
1221 description = "An attribute, characteristic, or quality of the containing object expressed as a namespace qualified name/value pair.",
1222 useName = "prop",
1223 maxOccurs = -1
1224 )
1225 @GroupAs(
1226 name = "props",
1227 inJson = JsonGroupAsBehavior.LIST
1228 )
1229 private List<Property> _props;
1230
1231 @BoundAssembly(
1232 formalName = "Link",
1233 description = "A reference to a local or remote resource, that has a specific relation to the containing object.",
1234 useName = "link",
1235 maxOccurs = -1
1236 )
1237 @GroupAs(
1238 name = "links",
1239 inJson = JsonGroupAsBehavior.LIST
1240 )
1241 private List<Link> _links;
1242
1243 @BoundAssembly(
1244 formalName = "Identifies the Subject",
1245 description = "A [human-oriented](https://pages.nist.gov/OSCAL/concepts/identifier-use/#human-oriented) identifier reference to a resource. Use type to indicate whether the identified resource is a component, inventory item, location, user, or something else.",
1246 useName = "subject",
1247 maxOccurs = -1,
1248 remarks = "Links identifiable elements of the system to this mitigating factor, such as an inventory-item or component."
1249 )
1250 @GroupAs(
1251 name = "subjects",
1252 inJson = JsonGroupAsBehavior.LIST
1253 )
1254 private List<SubjectReference> _subjects;
1255
1256 public MitigatingFactor() {
1257 }
1258
1259 public UUID getUuid() {
1260 return _uuid;
1261 }
1262
1263 public void setUuid(UUID value) {
1264 _uuid = value;
1265 }
1266
1267 public UUID getImplementationUuid() {
1268 return _implementationUuid;
1269 }
1270
1271 public void setImplementationUuid(UUID value) {
1272 _implementationUuid = value;
1273 }
1274
1275 public MarkupMultiline getDescription() {
1276 return _description;
1277 }
1278
1279 public void setDescription(MarkupMultiline value) {
1280 _description = value;
1281 }
1282
1283 public List<Property> getProps() {
1284 return _props;
1285 }
1286
1287 public void setProps(List<Property> value) {
1288 _props = value;
1289 }
1290
1291
1292
1293
1294
1295
1296 public boolean addProp(Property item) {
1297 Property value = ObjectUtils.requireNonNull(item,"item cannot be null");
1298 if (_props == null) {
1299 _props = new LinkedList<>();
1300 }
1301 return _props.add(value);
1302 }
1303
1304
1305
1306
1307
1308
1309 public boolean removeProp(Property item) {
1310 Property value = ObjectUtils.requireNonNull(item,"item cannot be null");
1311 return _props == null ? false : _props.remove(value);
1312 }
1313
1314 public List<Link> getLinks() {
1315 return _links;
1316 }
1317
1318 public void setLinks(List<Link> value) {
1319 _links = value;
1320 }
1321
1322
1323
1324
1325
1326
1327 public boolean addLink(Link item) {
1328 Link value = ObjectUtils.requireNonNull(item,"item cannot be null");
1329 if (_links == null) {
1330 _links = new LinkedList<>();
1331 }
1332 return _links.add(value);
1333 }
1334
1335
1336
1337
1338
1339
1340 public boolean removeLink(Link item) {
1341 Link value = ObjectUtils.requireNonNull(item,"item cannot be null");
1342 return _links == null ? false : _links.remove(value);
1343 }
1344
1345 public List<SubjectReference> getSubjects() {
1346 return _subjects;
1347 }
1348
1349 public void setSubjects(List<SubjectReference> value) {
1350 _subjects = value;
1351 }
1352
1353
1354
1355
1356
1357
1358 public boolean addSubject(SubjectReference item) {
1359 SubjectReference value = ObjectUtils.requireNonNull(item,"item cannot be null");
1360 if (_subjects == null) {
1361 _subjects = new LinkedList<>();
1362 }
1363 return _subjects.add(value);
1364 }
1365
1366
1367
1368
1369
1370
1371 public boolean removeSubject(SubjectReference item) {
1372 SubjectReference value = ObjectUtils.requireNonNull(item,"item cannot be null");
1373 return _subjects == null ? false : _subjects.remove(value);
1374 }
1375
1376 @Override
1377 public String toString() {
1378 return new ReflectionToStringBuilder(this, MultilineRecursiveToStringStyle.MULTI_LINE_STYLE).toString();
1379 }
1380 }
1381 }