{ "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "https://stella-ops.org/schemas/cdx-vex.stella/v1.json", "title": "VEX Verdict Predicate Schema", "description": "Schema for the cdx-vex.stella/v1 predicate type: a VEX verdict with provenance", "type": "object", "required": [ "sbomEntryId", "vulnerabilityId", "status", "justification", "policyVersion", "reasoningId", "vexVerdictId" ], "properties": { "sbomEntryId": { "type": "string", "pattern": "^sha256:[a-f0-9]{64}:pkg:.+", "description": "The SBOM entry ID this verdict applies to: sha256: plus 64 lowercase hex characters, then :pkg: and the package identifier" }, "vulnerabilityId": { "type": "string", "pattern": "^(CVE-[0-9]{4}-[0-9]+|GHSA-.+)$", "description": "The vulnerability ID; the pattern accepts only CVE and GHSA identifiers" }, "status": { "type": "string", "enum": ["not_affected", "affected", "fixed", "under_investigation"], "description": "VEX status" }, "justification": { "type": "string", "minLength": 1, "description": "Justification for the VEX status (must not be empty)" }, "policyVersion": { "type": "string", "pattern": "^v[0-9]+\\.[0-9]+\\.[0-9]+$", "description": "Version of the policy used, written as v followed by three dot-separated numbers, e.g. v1.2.3" }, "reasoningId": { "type": "string", "pattern": "^sha256:[a-f0-9]{64}$", "description": "Reference to the reasoning that led to this verdict (sha256: plus 64 lowercase hex characters)" }, "vexVerdictId": { "type": "string", "pattern": "^sha256:[a-f0-9]{64}$", "description": "Content-addressed ID of this VEX verdict (sha256: plus 64 lowercase hex characters)" } }, "additionalProperties": false }