{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://stella.ops/predicates/vex@v1",
  "title": "StellaOps VEX Attestation Predicate",
  "description": "Predicate for VEX statements embedded in attestations.",
  "type": "object",
  "required": ["format", "statements"],
  "properties": {
    "format": {
      "type": "string",
      "enum": ["openvex", "csaf-vex", "cyclonedx-vex"],
      "description": "VEX format specification."
    },
    "statements": {
      "type": "array",
      "items": {
        "$ref": "#/$defs/vexStatement"
      },
      "minItems": 1,
      "description": "VEX statements in this attestation."
    },
    "digest": {
      "type": "string",
      "pattern": "^sha256:[a-f0-9]{64}$",
      "description": "Content-addressed digest of the VEX document."
    },
    "author": {
      "type": "string",
      "description": "Author of the VEX statements."
    },
    "timestamp": {
      "type": "string",
      "format": "date-time",
      "description": "When the VEX was issued."
    }
  },
  "$defs": {
    "vexStatement": {
      "type": "object",
      "required": ["vulnerability", "status"],
      "properties": {
        "vulnerability": {
          "type": "string",
          "description": "CVE or vulnerability identifier."
        },
        "status": {
          "type": "string",
          "enum": ["affected", "not_affected", "under_investigation", "fixed"],
          "description": "VEX status."
        },
        "justification": {
          "type": "string",
          "description": "Justification for not_affected status."
        },
        "products": {
          "type": "array",
          "items": { "type": "string" },
          "description": "Affected products (PURLs)."
        }
      }
    }
  },
  "additionalProperties": false
}