{ "$schema": "https://json-schema.org/draft/2020-12/schema", "title": "SBOM Volatile Fields Contract", "description": "Authoritative list of SBOM fields stripped before canonicalization to ensure deterministic hashes. Referenced by SbomNormalizer.", "version": 1, "cyclonedx": { "strip": [ { "path": "serialNumber", "scope": "root", "rationale": "UUID regenerated on every BOM creation; not content-derived." }, { "path": "metadata.timestamp", "scope": "metadata", "rationale": "Generation timestamp varies per run; not content-derived." }, { "path": "metadata.tools", "scope": "metadata", "rationale": "Tool name/version/vendor varies across scanner installs; does not reflect scanned content." }, { "path": "metadata.authors", "scope": "metadata", "rationale": "Author identity varies per operator; does not affect component inventory." } ], "specVersions": ["1.4", "1.5", "1.6", "1.7"] }, "spdx": { "strip": [ { "path": "creationInfo.created", "scope": "creationInfo", "rationale": "Timestamp of SPDX document creation; varies per run." }, { "path": "creationInfo.creators", "scope": "creationInfo", "rationale": "Tool identifiers include version strings (e.g., 'Tool: syft-1.2.3'); these vary across installs." }, { "path": "creationInfo.licenseListVersion", "scope": "creationInfo", "rationale": "Tracks the upstream SPDX license list version available at scan time; not content-derived." } ], "specVersions": ["2.2", "2.3", "3.0", "3.0.1"] } }