{
  "$defs": {
    "ComponentHash": {
      "description": "A single hash (algorithm plus digest value) attached to a component.",
      "properties": {
        "algorithm": {
          "$ref": "#/$defs/HashAlgorithm"
        },
        "value": {
          "type": "string"
        }
      },
      "required": [
        "algorithm",
        "value"
      ],
      "type": "object"
    },
    "ComponentIdKind": {
      "description": "Identifier kind (CISA NTIA minimum elements: PURL, CPE, SWID; plus CycloneDX bom-ref).",
      "oneOf": [
        {
          "const": "purl",
          "description": "Package URL (pkg:type/namespace/name@version).",
          "type": "string"
        },
        {
          "const": "cpe",
          "description": "Common Platform Enumeration (NIST).",
          "type": "string"
        },
        {
          "const": "swid",
          "description": "Software ID tag (ISO/IEC 19770-2).",
          "type": "string"
        },
        {
          "const": "bom_ref",
          "description": "CycloneDX bom-ref.",
          "type": "string"
        }
      ]
    },
    "ComponentIdentifier": {
      "description": "Component identifier.",
      "properties": {
        "kind": {
          "$ref": "#/$defs/ComponentIdKind"
        },
        "value": {
          "type": "string"
        }
      },
      "required": [
        "kind",
        "value"
      ],
      "type": "object"
    },
    "HashAlgorithm": {
      "description": "Cryptographic hash algorithm.",
      "enum": [
        "sha1",
        "sha256",
        "sha384",
        "sha512",
        "blake2b",
        "blake3"
      ],
      "type": "string"
    },
    "IsoDate": {
      "description": "ISO 8601 date (YYYY-MM-DD).",
      "format": "date",
      "type": "string"
    },
    "PathRef": {
      "description": "Path-based cross-reference relative to .corpospec/ root.\nPattern: `^[a-z0-9_-]+(/[a-z0-9_.-]+)+$`",
      "pattern": "^[a-z0-9_-]+(/[a-z0-9_.-]+)+$",
      "type": "string"
    },
    "SbomComponent": {
      "description": "One SBOM component.",
      "properties": {
        "author": {
          "description": "Author (often the same as the supplier; CISA NTIA minimum element).",
          "type": [
            "string",
            "null"
          ]
        },
        "depends_on": {
          "description": "Dependencies (bom-ref of each component this component depends on).",
          "items": {
            "type": "string"
          },
          "type": "array"
        },
        "hashes": {
          "description": "Hashes (recommended: SHA-256).",
          "items": {
            "$ref": "#/$defs/ComponentHash"
          },
          "type": "array"
        },
        "identifiers": {
          "description": "Identifiers (PURL, CPE, SWID, bom-ref).",
          "items": {
            "$ref": "#/$defs/ComponentIdentifier"
          },
          "type": "array"
        },
        "license": {
          "description": "SPDX license identifier or expression.",
          "type": [
            "string",
            "null"
          ]
        },
        "name": {
          "type": "string"
        },
        "supplier": {
          "description": "Supplier name (CISA NTIA minimum element).",
          "type": "string"
        },
        "version": {
          "type": "string"
        },
        "vulnerability_refs": {
          "description": "PathRefs into vulnerability records for this component.",
          "items": {
            "$ref": "#/$defs/PathRef"
          },
          "type": "array"
        }
      },
      "required": [
        "name",
        "version",
        "supplier",
        "identifiers"
      ],
      "type": "object"
    },
    "SbomFormat": {
      "description": "SBOM format standard.",
      "oneOf": [
        {
          "const": "spdx23",
          "description": "SPDX 2.3 (ISO/IEC 5962:2021).",
          "type": "string"
        },
        {
          "const": "spdx30",
          "description": "SPDX 3.0.",
          "type": "string"
        },
        {
          "const": "cyclonedx14",
          "description": "CycloneDX 1.4.",
          "type": "string"
        },
        {
          "const": "cyclonedx15",
          "description": "CycloneDX 1.5.",
          "type": "string"
        },
        {
          "const": "cyclonedx16",
          "description": "CycloneDX 1.6.",
          "type": "string"
        },
        {
          "const": "swid",
          "description": "SWID Tag (ISO/IEC 19770-2).",
          "type": "string"
        }
      ]
    }
  },
  "$id": "https://corpospec.com/schemas/v0.16.0/software-bill-of-materials.schema.json",
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "additionalProperties": false,
  "description": "SBOM record.",
  "properties": {
    "artefact_ref": {
      "anyOf": [
        {
          "$ref": "#/$defs/PathRef"
        },
        {
          "type": "null"
        }
      ],
      "description": "PathRef to the raw SBOM artefact (SPDX JSON / CycloneDX XML)."
    },
    "components": {
      "items": {
        "$ref": "#/$defs/SbomComponent"
      },
      "type": "array"
    },
    "format": {
      "$ref": "#/$defs/SbomFormat"
    },
    "generated_at": {
      "$ref": "#/$defs/IsoDate"
    },
    "generator": {
      "description": "Tool that generated the SBOM (e.g. \"syft@0.84.0\", \"cdxgen@10.0\").",
      "type": "string"
    },
    "id": {
      "$ref": "#/$defs/PathRef"
    },
    "signed": {
      "description": "Whether the SBOM has been digitally signed (cosign, etc.).",
      "type": "boolean"
    },
    "signing_cert_ref": {
      "anyOf": [
        {
          "$ref": "#/$defs/PathRef"
        },
        {
          "type": "null"
        }
      ],
      "description": "PathRef to the signing key / cert."
    },
    "subject": {
      "$ref": "#/$defs/PathRef",
      "description": "PathRef to the subject (product, service, container image)."
    },
    "subject_version": {
      "description": "Subject version (SemVer or git SHA).",
      "type": "string"
    }
  },
  "required": [
    "id",
    "format",
    "subject",
    "subject_version",
    "generator",
    "generated_at",
    "components",
    "signed"
  ],
  "title": "SoftwareBillOfMaterials",
  "type": "object",
  "x-corpospec-pillar": "legal"
}