{ "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "https://stellaops.org/schemas/events/advisoryai.evidence.bundle@1.schema.json", "title": "AdvisoryAI Evidence Bundle Schema v1", "description": "Schema for AdvisoryAI evidence bundles containing advisory observations with CVSS vectors and optional signatures. Used by ExportCenter and Timeline services for evidence aggregation.", "type": "object", "required": ["bundleId", "advisoryId", "tenant", "generatedAt", "schemaVersion"], "$defs": { "cvssVector": { "type": "object", "title": "CVSS Vector", "description": "Common Vulnerability Scoring System vector and score", "properties": { "vector": { "type": ["string", "null"], "description": "CVSS vector string (v2, v3.0, v3.1, or v4.0)", "examples": [ "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" ] }, "score": { "type": ["number", "null"], "minimum": 0, "maximum": 10, "description": "CVSS base score (0.0 to 10.0)" } }, "additionalProperties": false }, "signatureInfo": { "type": "object", "title": "Signature Information", "description": "Cryptographic signature for bundle authentication", "required": ["signature", "keyId"], "properties": { "signature": { "type": "string", "description": "Base64-encoded cryptographic signature" }, "keyId": { "type": "string", "description": "Identifier of the signing key", "examples": ["sha256:abc123...", "stellaops-prod-2025"] }, "algorithm": { "type": ["string", "null"], "description": "Signature algorithm used. Optional and not restricted to a fixed set by this schema, so verifiers should check it against the algorithm expected for keyId", "examples": ["ECDSA-P256-SHA256", "RSA-PSS-SHA256", "Ed25519"] } }, "additionalProperties": false }, "advisoryObservation": { "type": "object", "title": "Advisory Observation", "description": "An individual advisory observation within the bundle", "required": ["observationId", "source"], "properties": { "observationId": { "type": "string", "description": "Unique identifier for this observation", "minLength": 1 }, "source": { "type": "string", 
"description": "Source of the observation (e.g., scanner, user, vex-lens)", "examples": ["scanner", "manual", "vex-lens", "advisoryai", "concelier"] }, "purl": { "type": ["string", "null"], "description": "Package URL identifying the affected component", "pattern": "^pkg:[a-z]+/", "examples": ["pkg:npm/lodash@4.17.21", "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"] }, "cve": { "type": ["string", "null"], "description": "CVE identifier", "pattern": "^CVE-[0-9]{4}-[0-9]+$", "examples": ["CVE-2021-44228", "CVE-2024-12345"] }, "severity": { "type": ["string", "null"], "description": "Severity level", "enum": ["critical", "high", "medium", "low", "info", "unknown", null] }, "cvss": { "oneOf": [ { "$ref": "#/$defs/cvssVector" }, { "type": "null" } ], "description": "CVSS vector and score" }, "summary": { "type": ["string", "null"], "description": "Brief summary of the observation" }, "evidence": { "type": ["object", "null"], "additionalProperties": true, "description": "Arbitrary evidence data attached to the observation", "examples": [ { "reachability": "reachable", "callPaths": ["main() -> vulnerable_func()"], "exploitMaturity": "poc" } ] } }, "additionalProperties": false } }, "properties": { "bundleId": { "type": "string", "description": "Unique identifier for this evidence bundle", "minLength": 1, "examples": ["bundle-550e8400-e29b-41d4-a716-446655440000"] }, "advisoryId": { "type": "string", "description": "Identifier of the related advisory or assessment", "minLength": 1, "examples": ["advisory-2025-001", "assessment-abc123"] }, "tenant": { "type": "string", "description": "Tenant identifier (may be UUID or name)", "minLength": 1, "examples": ["00000000-0000-0000-0000-000000000001", "acme-corp"] }, "generatedAt": { "type": "string", "format": "date-time", "description": "ISO 8601 timestamp when the bundle was generated" }, "schemaVersion": { "type": "integer", "minimum": 0, "description": "Schema version number for this bundle format", "default": 1 }, 
"observations": { "type": "array", "items": { "$ref": "#/$defs/advisoryObservation" }, "default": [], "description": "List of advisory observations in this bundle" }, "signatures": { "type": ["array", "null"], "items": { "$ref": "#/$defs/signatureInfo" }, "description": "Optional cryptographic signatures for bundle verification" } }, "additionalProperties": false, "examples": [ { "bundleId": "bundle-550e8400-e29b-41d4-a716-446655440000", "advisoryId": "assessment-log4shell-2024", "tenant": "00000000-0000-0000-0000-000000000001", "generatedAt": "2025-12-07T10:30:00Z", "schemaVersion": 1, "observations": [ { "observationId": "obs-001", "source": "scanner", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1", "cve": "CVE-2021-44228", "severity": "critical", "cvss": { "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "score": 10.0 }, "summary": "Log4Shell RCE vulnerability detected in log4j-core", "evidence": { "reachability": "reachable", "callPaths": [ "com.example.App.main() -> org.apache.logging.log4j.Logger.error()" ], "exploitMaturity": "weaponized", "kevListed": true } }, { "observationId": "obs-002", "source": "vex-lens", "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1", "cve": "CVE-2021-45105", "severity": "high", "cvss": { "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 5.9 }, "summary": "Log4j2 infinite recursion DoS vulnerability" } ], "signatures": [ { "signature": "MEUCIQDx...", "keyId": "sha256:abc123def456...", "algorithm": "ECDSA-P256-SHA256" } ] } ] }