{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"title": "Artifact Canonical Record v1",
"description": "Unified evidence record aggregating all attestations, referrers, and VEX refs for a single artifact identified by canonical_id. See docs/contracts/artifact-canonical-record-v1.md.",
"type": "object",
"required": ["canonical_id", "format", "sbom_ref", "created_at"],
"properties": {
"canonical_id": {
"type": "string",
"description": "sha256:<hex> (64 lowercase hex digits) computed per canonical-sbom-id-v1.md",
"pattern": "^sha256:[a-f0-9]{64}$"
},
"format": {
"type": "string",
"description": "Canonicalization format identifier",
"const": "cyclonedx-jcs:1"
},
"sbom_ref": {
"type": "string",
"description": "Content-addressable reference to the SBOM (CAS URI or OCI ref)",
"examples": [
"cas://sbom/inventory/abc123.json",
"oci://registry/repo@sha256:abc123"
]
},
"attestations": {
"type": "array",
"description": "All DSSE attestations referencing this artifact",
"items": {
"type": "object",
"required": ["predicate_type", "dsse_digest", "signed_at"],
"properties": {
"predicate_type": {
"type": "string",
"description": "Predicate type URI from the predicate registry"
},
"dsse_digest": {
"type": "string",
"description": "SHA-256 of the DSSE envelope body, as sha256:<hex> (64 lowercase hex digits)",
"pattern": "^sha256:[a-f0-9]{64}$"
},
"signer_keyid": {
"type": "string",
"description": "Key ID of the signer"
},
"rekor_entry_id": {
"type": "string",
"description": "Rekor transparency log entry UUID (null if offline; note the declared type is string only, so a null value will not validate against this schema — omit the property instead)"
},
"rekor_tile": {
"type": "string",
"description": "Rekor tile URL for inclusion proof verification"
},
"signed_at": {
"type": "string",
"format": "date-time"
}
}
}
},
"referrers": {
"type": "array",
"description": "OCI referrers (symbol bundles, attestation manifests)",
"items": {
"type": "object",
"required": ["media_type", "descriptor_digest"],
"properties": {
"media_type": {
"type": "string",
"description": "OCI media type",
"examples": [
"application/vnd.stella.symbols+tar",
"application/vnd.in-toto+json"
]
},
"descriptor_digest": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$"
},
"registry": {
"type": "string",
"description": "Registry hostname"
}
}
}
},
"vex_refs": {
"type": "array",
"description": "VEX consensus records targeting this artifact",
"items": {
"type": "object",
"required": ["vulnerability_id", "consensus_status"],
"properties": {
"vulnerability_id": {
"type": "string",
"description": "CVE or advisory ID"
},
"consensus_status": {
"type": "string",
"enum": ["affected", "not_affected", "under_investigation", "fixed"]
},
"confidence_score": {
"type": "number",
"minimum": 0,
"maximum": 1
},
"consensus_digest": {
"type": "string",
"description": "SHA-256 of the VexLens consensus record"
},
"dsse_digest": {
"type": "string",
"description": "SHA-256 of the VEX attestation DSSE (if signed)"
},
"rekor_tile": {
"type": "string",
"description": "Rekor tile URL (if anchored)"
}
}
}
},
"created_at": {
"type": "string",
"format": "date-time"
},
"updated_at": {
"type": "string",
"format": "date-time"
}
}
}