{ "$schema": "https://json-schema.org/draft/2020-12/schema", "title": "Artifact Canonical Record v1", "description": "Unified evidence record aggregating all attestations, referrers, and VEX refs for a single artifact identified by canonical_id. See docs/contracts/artifact-canonical-record-v1.md.", "type": "object", "required": ["canonical_id", "format", "sbom_ref", "created_at"], "properties": { "canonical_id": { "type": "string", "description": "Canonical artifact ID: 'sha256:' followed by 64 lowercase hex characters, computed per canonical-sbom-id-v1.md", "pattern": "^sha256:[a-f0-9]{64}$" }, "format": { "type": "string", "description": "Canonicalization format identifier", "const": "cyclonedx-jcs:1" }, "sbom_ref": { "type": "string", "description": "Content-addressable reference to the SBOM (CAS URI or OCI ref)", "examples": [ "cas://sbom/inventory/abc123.json", "oci://registry/repo@sha256:abc123" ] }, "attestations": { "type": "array", "description": "All DSSE attestations referencing this artifact", "items": { "type": "object", "required": ["predicate_type", "dsse_digest", "signed_at"], "properties": { "predicate_type": { "type": "string", "description": "Predicate type URI from the predicate registry" }, "dsse_digest": { "type": "string", "description": "SHA-256 of the DSSE envelope body", "pattern": "^sha256:[a-f0-9]{64}$" }, "signer_keyid": { "type": "string", "description": "Key ID of the signer" }, "rekor_entry_id": { "type": "string", "description": "Rekor transparency log entry UUID (null if offline). Note: this schema types the field as string, so a JSON null fails validation; the field has to be omitted instead." }, "rekor_tile": { "type": "string", "description": "Rekor tile URL for inclusion proof verification" }, "signed_at": { "type": "string", "format": "date-time" } } } }, "referrers": { "type": "array", "description": "OCI referrers (symbol bundles, attestation manifests)", "items": { "type": "object", "required": ["media_type", "descriptor_digest"], "properties": { "media_type": { "type": "string", "description": "OCI media type", "examples": [ "application/vnd.stella.symbols+tar", "application/vnd.in-toto+json" ] }, 
"descriptor_digest": { "type": "string", "pattern": "^sha256:[a-f0-9]{64}$" }, "registry": { "type": "string", "description": "Registry hostname" } } } }, "vex_refs": { "type": "array", "description": "VEX consensus records targeting this artifact", "items": { "type": "object", "required": ["vulnerability_id", "consensus_status"], "properties": { "vulnerability_id": { "type": "string", "description": "CVE or advisory ID" }, "consensus_status": { "type": "string", "enum": ["affected", "not_affected", "under_investigation", "fixed"] }, "confidence_score": { "type": "number", "minimum": 0, "maximum": 1 }, "consensus_digest": { "type": "string", "description": "SHA-256 of the VexLens consensus record" }, "dsse_digest": { "type": "string", "description": "SHA-256 of the VEX attestation DSSE (if signed)" }, "rekor_tile": { "type": "string", "description": "Rekor tile URL (if anchored)" } } } }, "created_at": { "type": "string", "format": "date-time" }, "updated_at": { "type": "string", "format": "date-time" } } }