{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://shiftleftcyber.io/ai-bom/schemas/ai-sbom-1.0.0.schema.json",
  "title": "AI Software Bill of Materials",
  "description": "An AI SBOM schema derived from the G7 SBOM for AI minimum elements document. It captures metadata, system properties, model properties, dataset properties, infrastructure, security properties, and KPIs.",
  "type": "object",
  "additionalProperties": false,
  "required": [
    "schemaVersion",
    "metadata",
    "system",
    "models"
  ],
  "properties": {
    "schemaVersion": {
      "type": "string",
      "const": "1.0.0"
    },
    "metadata": {
      "$ref": "#/$defs/metadata"
    },
    "system": {
      "$ref": "#/$defs/system"
    },
    "models": {
      "type": "array",
      "minItems": 1,
      "items": {
        "$ref": "#/$defs/model"
      }
    },
    "datasets": {
      "type": "array",
      "items": {
        "$ref": "#/$defs/dataset"
      }
    },
    "infrastructure": {
      "$ref": "#/$defs/infrastructure"
    },
    "security": {
      "$ref": "#/$defs/security"
    },
    "kpis": {
      "$ref": "#/$defs/kpis"
    }
  },
  "$defs": {
    "nonEmptyString": {
      "type": "string",
      "minLength": 1
    },
    "unknownableString": {
      "type": "string",
      "minLength": 1,
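      "description": "A non-empty string. Use the literal string 'unknown' when the information is unavailable; the schema itself accepts any non-empty value, so consumers must compare against 'unknown' explicitly."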
    },
    "timestamp": {
      "type": "string",
      "format": "date-time"
    },
    "uri": {
      "type": "string",
      "format": "uri"
    },
    "hashAlgorithm": {
      "type": "string",
      "enum": [
        "sha-256",
        "sha-384",
        "sha-512",
        "sha3-256",
        "sha3-384",
        "sha3-512",
        "unknown"
      ]
    },
    "hashValue": {
      "type": "string",
      "oneOf": [
        {
          "const": "unknown"
        },
        {
          "pattern": "^[A-Fa-f0-9]{64,128}$"
        }
      ]
    },
    "identifier": {
      "type": "object",
      "additionalProperties": false,
      "required": [
        "type",
        "value"
      ],
      "properties": {
        "type": {
          "type": "string",
          "enum": [
            "cpe",
            "purl",
            "uuid",
            "commit",
            "omnibor",
            "swhid",
            "uri",
            "custom"
          ]
        },
        "value": {
          "$ref": "#/$defs/nonEmptyString"
        }
      }
    },
    "externalReference": {
      "type": "object",
      "additionalProperties": false,
      "required": [
        "type",
        "url"
      ],
      "properties": {
        "type": {
          "$ref": "#/$defs/nonEmptyString"
        },
        "url": {
          "$ref": "#/$defs/uri"
        },
        "description": {
          "$ref": "#/$defs/nonEmptyString"
        }
      }
    },
    "dependencyRelationship": {
      "type": "object",
      "additionalProperties": false,
      "required": [
        "source",
        "relationship",
        "target"
      ],
      "properties": {
        "source": {
          "$ref": "#/$defs/nonEmptyString"
        },
        "relationship": {
          "type": "string",
          "enum": [
            "includes",
            "included-in",
            "depends-on",
            "derived-from",
            "descendant-of",
            "generates",
            "uses"
          ]
        },
        "target": {
          "$ref": "#/$defs/nonEmptyString"
        },
        "description": {
          "$ref": "#/$defs/nonEmptyString"
        }
      }
    },
    "jsfSignatureCore": {
      "type": "object",
      "title": "JSF signaturecore",
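      "description": "A simple JSON Signature Format (JSF) signature object. Only the signaturecore form is supported; multisignature signers and signature chains are intentionally not supported yet. The publicKey and certificatePath carried in this object are supplied by the document itself, so a signature that verifies against them shows only that the document is internally consistent; verifiers must decide separately whether the key is trusted.",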
      "additionalProperties": false,
      "required": [
        "algorithm",
        "value"
      ],
      "properties": {
        "algorithm": {
          "$ref": "#/$defs/jsfAlgorithm"
        },
        "keyId": {
          "$ref": "#/$defs/nonEmptyString",
          "description": "Optional application-specific identifier for the signature key."
        },
        "publicKey": {
          "$ref": "#/$defs/jsfPublicKey"
        },
        "certificatePath": {
          "type": "array",
          "minItems": 1,
          "items": {
            "$ref": "#/$defs/nonEmptyString"
          },
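          "description": "Optional sorted array of base64url-encoded X.509 certificates, with the signing certificate as the first element. This schema checks only that each entry is a non-empty string; verifiers must decode the certificates and validate the path against their own trust anchors."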
        },
        "excludes": {
          "type": "array",
          "minItems": 1,
          "items": {
            "$ref": "#/$defs/nonEmptyString"
          },
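          "description": "Optional JSF excludes: the names of properties that are left out of the signed data. Excluded properties are not protected by the signature, so verifiers should reject unexpected excludes by policy."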
        },
        "value": {
          "$ref": "#/$defs/nonEmptyString",
          "description": "The base64url-encoded signature value. This value is removed before JCS canonicalization during signature verification."
        }
      }
    },
    "jsfAlgorithm": {
      "oneOf": [
        {
          "type": "string",
          "enum": [
            "RS256",
            "RS384",
            "RS512",
            "PS256",
            "PS384",
            "PS512",
            "ES256",
            "ES384",
            "ES512",
            "Ed25519",
            "Ed448",
            "HS256",
            "HS384",
            "HS512"
          ]
        },
        {
          "type": "string",
          "pattern": "^(https?://|urn:).+",
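          "description": "Proprietary signature algorithms must be expressed as URIs (the pattern accepts http, https, and urn). Verifiers should accept only the algorithm identifiers they explicitly support and reject all others."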
        }
      ]
    },
    "jsfPublicKey": {
      "type": "object",
      "title": "JSF publicKey",
      "required": [
        "kty"
      ],
      "oneOf": [
        {
          "type": "object",
          "additionalProperties": false,
          "required": [
            "kty",
            "crv",
            "x",
            "y"
          ],
          "properties": {
            "kty": {
              "const": "EC"
            },
            "crv": {
              "type": "string",
              "enum": [
                "P-256",
                "P-384",
                "P-521"
              ]
            },
            "x": {
              "$ref": "#/$defs/nonEmptyString"
            },
            "y": {
              "$ref": "#/$defs/nonEmptyString"
            }
          }
        },
        {
          "type": "object",
          "additionalProperties": false,
          "required": [
            "kty",
            "crv",
            "x"
          ],
          "properties": {
            "kty": {
              "const": "OKP"
            },
            "crv": {
              "type": "string",
              "enum": [
                "Ed25519",
                "Ed448"
              ]
            },
            "x": {
              "$ref": "#/$defs/nonEmptyString"
            }
          }
        },
        {
          "type": "object",
          "additionalProperties": false,
          "required": [
            "kty",
            "n",
            "e"
          ],
          "properties": {
            "kty": {
              "const": "RSA"
            },
            "n": {
              "$ref": "#/$defs/nonEmptyString"
            },
            "e": {
              "$ref": "#/$defs/nonEmptyString"
            }
          }
        }
      ]
    },
    "metadata": {
      "type": "object",
      "additionalProperties": false,
      "required": [
        "bomFormat",
        "sbomAuthor",
        "sbomVersion",
        "sbomDataFormatName",
        "sbomDataFormatVersion",
        "sbomTimestamp"
      ],
      "properties": {
        "bomFormat": {
          "type": "string",
          "const": "AI-SBOM",
          "description": "Format discriminator for automation. The fixed value identifies the document as an AI SBOM."
        },
        "sbomAuthor": {
          "$ref": "#/$defs/nonEmptyString"
        },
        "sbomVersion": {
          "$ref": "#/$defs/nonEmptyString"
        },
        "sbomDataFormatName": {
          "$ref": "#/$defs/nonEmptyString"
        },
        "sbomDataFormatVersion": {
          "$ref": "#/$defs/nonEmptyString"
        },
        "sbomAuthorSignature": {
          "$ref": "#/$defs/jsfSignatureCore"
        },
        "sbomToolName": {
          "$ref": "#/$defs/nonEmptyString"
        },
        "sbomToolVersion": {
          "$ref": "#/$defs/unknownableString"
        },
        "sbomGenerationContext": {
          "type": "string",
          "enum": [
            "before-build",
            "build",
            "after-build",
            "source-analysis",
            "binary-analysis",
            "runtime-analysis",
            "manual",
            "unknown"
          ]
        },
        "sbomTimestamp": {
          "$ref": "#/$defs/timestamp"
        },
        "sbomDependencyRelationships": {
          "type": "array",
          "items": {
            "$ref": "#/$defs/dependencyRelationship"
          }
        }
      }
    },
    "system": {
      "type": "object",
      "additionalProperties": false,
      "required": [
        "systemName",
        "systemComponents",
        "systemProducer"
      ],
      "properties": {
        "systemName": {
          "type": "array",
          "minItems": 1,
          "items": {
            "$ref": "#/$defs/nonEmptyString"
          }
        },
        "systemComponents": {
          "type": "array",
          "minItems": 1,
          "items": {
            "type": "object",
            "additionalProperties": false,
            "required": [
              "name",
              "type"
            ],
            "properties": {
              "name": {
                "$ref": "#/$defs/nonEmptyString"
              },
              "type": {
                "type": "string",
                "enum": [
                  "ai-model",
                  "database",
                  "software",
                  "api",
                  "agent",
                  "service",
                  "other"
                ]
              },
              "version": {
                "$ref": "#/$defs/unknownableString"
              },
              "supplier": {
                "$ref": "#/$defs/nonEmptyString"
              }
            }
          }
        },
        "systemProducer": {
          "$ref": "#/$defs/nonEmptyString"
        },
        "systemVersion": {
          "$ref": "#/$defs/unknownableString"
        },
        "systemTimestamp": {
          "$ref": "#/$defs/timestamp"
        },
        "systemDataFlow": {
          "type": "array",
          "minItems": 1,
          "items": {
            "type": "object",
            "additionalProperties": false,
            "required": [
              "source",
              "destination",
              "description"
            ],
            "properties": {
              "source": {
                "$ref": "#/$defs/nonEmptyString"
              },
              "destination": {
                "$ref": "#/$defs/nonEmptyString"
              },
              "description": {
                "$ref": "#/$defs/nonEmptyString"
              },
              "protocol": {
                "$ref": "#/$defs/nonEmptyString"
              },
              "externalService": {
                "type": "boolean"
              }
            }
          }
        },
        "systemDataUsage": {
          "$ref": "#/$defs/nonEmptyString"
        },
        "systemInputOutputProperties": {
          "type": "object",
          "additionalProperties": false,
          "required": [
            "inputModalities",
            "outputModalities",
            "inputPreprocessing"
          ],
          "properties": {
            "inputModalities": {
              "type": "array",
              "minItems": 1,
              "items": {
                "$ref": "#/$defs/nonEmptyString"
              }
            },
            "outputModalities": {
              "type": "array",
              "minItems": 1,
              "items": {
                "$ref": "#/$defs/nonEmptyString"
              }
            },
            "inputPreprocessing": {
              "$ref": "#/$defs/nonEmptyString"
            },
            "decisionImpactDocumentationUrl": {
              "$ref": "#/$defs/uri"
            }
          }
        },
        "intendedApplicationArea": {
          "type": "array",
          "minItems": 1,
          "items": {
            "$ref": "#/$defs/nonEmptyString"
          }
        }
      }
    },
    "model": {
      "type": "object",
      "additionalProperties": false,
      "required": [
        "modelName",
        "modelIdentifiers",
        "modelProducers"
      ],
      "properties": {
        "modelName": {
          "type": "array",
          "minItems": 1,
          "items": {
            "$ref": "#/$defs/nonEmptyString"
          }
        },
        "modelIdentifiers": {
          "type": "array",
          "minItems": 1,
          "items": {
            "$ref": "#/$defs/identifier"
          }
        },
        "modelVersion": {
          "$ref": "#/$defs/unknownableString"
        },
        "modelTimestamp": {
          "$ref": "#/$defs/timestamp"
        },
        "modelProducers": {
          "type": "array",
          "minItems": 1,
          "items": {
            "$ref": "#/$defs/nonEmptyString"
          }
        },
        "modelDescription": {
          "type": "object",
          "additionalProperties": false,
          "required": [
            "capabilities"
          ],
          "properties": {
            "capabilities": {
              "$ref": "#/$defs/nonEmptyString"
            },
            "knownLimitations": {
              "$ref": "#/$defs/nonEmptyString"
            },
            "lineage": {
              "$ref": "#/$defs/nonEmptyString"
            },
            "dependencies": {
              "type": "array",
              "items": {
                "$ref": "#/$defs/nonEmptyString"
              }
            }
          }
        },
        "modelHashValue": {
          "$ref": "#/$defs/hashValue"
        },
        "modelHashAlgorithm": {
          "$ref": "#/$defs/hashAlgorithm"
        },
        "modelProperties": {
          "type": "object",
          "additionalProperties": false,
          "required": [
            "modelFamily"
          ],
          "properties": {
            "modelFamily": {
              "$ref": "#/$defs/nonEmptyString"
            },
            "architecture": {
              "$ref": "#/$defs/nonEmptyString"
            },
            "parameterCount": {
              "oneOf": [
                {
                  "type": "integer",
                  "minimum": 0
                },
                {
                  "const": "unknown"
                }
              ]
            },
            "hyperparameters": {
              "type": "object",
              "additionalProperties": true
            }
          }
        },
        "modelInputOutputProperties": {
          "type": "object",
          "additionalProperties": false,
          "required": [
            "inputModalities",
            "outputModalities"
          ],
          "properties": {
            "inputModalities": {
              "type": "array",
              "minItems": 1,
              "items": {
                "$ref": "#/$defs/nonEmptyString"
              }
            },
            "outputModalities": {
              "type": "array",
              "minItems": 1,
              "items": {
                "$ref": "#/$defs/nonEmptyString"
              }
            },
            "contextLength": {
              "oneOf": [
                {
                  "type": "integer",
                  "minimum": 1
                },
                {
                  "const": "unknown"
                }
              ]
            },
            "inputPreprocessing": {
              "$ref": "#/$defs/nonEmptyString"
            }
          }
        },
        "modelTrainingProperties": {
          "type": "object",
          "additionalProperties": false,
          "required": [
            "learningType"
          ],
          "properties": {
            "learningType": {
              "$ref": "#/$defs/nonEmptyString"
            },
            "trainingStages": {
              "type": "array",
              "items": {
                "$ref": "#/$defs/nonEmptyString"
              }
            },
            "documentationUrl": {
              "$ref": "#/$defs/uri"
            }
          }
        },
        "modelLicense": {
          "type": "object",
          "additionalProperties": false,
          "required": [
            "name"
          ],
          "properties": {
            "name": {
              "$ref": "#/$defs/nonEmptyString"
            },
            "url": {
              "$ref": "#/$defs/uri"
            },
            "openness": {
              "type": "object",
              "additionalProperties": false,
              "required": [
                "openWeights"
              ],
              "properties": {
                "openWeights": {
                  "type": "boolean"
                },
                "openArchitecture": {
                  "type": "boolean"
                },
                "openData": {
                  "type": "boolean"
                },
                "openTraining": {
                  "type": "boolean"
                }
              }
            }
          }
        },
        "modelExternalReferences": {
          "type": "array",
          "items": {
            "$ref": "#/$defs/externalReference"
          }
        }
      }
    },
    "dataset": {
      "type": "object",
      "additionalProperties": false,
      "required": [
        "datasetName",
        "datasetDescription"
      ],
      "properties": {
        "datasetName": {
          "$ref": "#/$defs/nonEmptyString"
        },
        "datasetDescription": {
          "$ref": "#/$defs/nonEmptyString"
        },
        "datasetContent": {
          "type": "object",
          "additionalProperties": false,
          "required": [
            "domain"
          ],
          "properties": {
            "domain": {
              "$ref": "#/$defs/nonEmptyString"
            },
            "format": {
              "$ref": "#/$defs/nonEmptyString"
            },
            "dataModalities": {
              "type": "array",
              "minItems": 1,
              "items": {
                "$ref": "#/$defs/nonEmptyString"
              }
            }
          }
        },
        "datasetIdentifiers": {
          "type": "array",
          "minItems": 1,
          "items": {
            "$ref": "#/$defs/identifier"
          }
        },
        "datasetHash": {
          "type": "object",
          "additionalProperties": false,
          "required": [
            "algorithm",
            "value"
          ],
          "properties": {
            "algorithm": {
              "$ref": "#/$defs/hashAlgorithm"
            },
            "value": {
              "$ref": "#/$defs/hashValue"
            }
          }
        },
        "datasetProvenance": {
          "type": "object",
          "additionalProperties": false,
          "required": [
            "origin"
          ],
          "properties": {
            "origin": {
              "$ref": "#/$defs/nonEmptyString"
            },
            "collectionMethods": {
              "type": "array",
              "items": {
                "$ref": "#/$defs/nonEmptyString"
              }
            },
            "processingSteps": {
              "type": "array",
              "items": {
                "$ref": "#/$defs/nonEmptyString"
              }
            },
            "creator": {
              "$ref": "#/$defs/nonEmptyString"
            },
            "syntheticDataMethods": {
              "$ref": "#/$defs/nonEmptyString"
            }
          }
        },
        "datasetStatisticalProperties": {
          "type": "object",
          "additionalProperties": true
        },
        "datasetSensitivity": {
          "type": "object",
          "additionalProperties": false,
          "required": [
            "description"
          ],
          "properties": {
            "containsPersonalData": {
              "type": "boolean"
            },
            "containsSensitiveData": {
              "type": "boolean"
            },
            "containsCopyrightProtectedData": {
              "type": "boolean"
            },
            "containsNationalSecurityData": {
              "type": "boolean"
            },
            "description": {
              "$ref": "#/$defs/nonEmptyString"
            }
          }
        },
        "datasetDependencyRelationships": {
          "type": "array",
          "items": {
            "$ref": "#/$defs/dependencyRelationship"
          }
        },
        "datasetLicense": {
          "type": "object",
          "additionalProperties": false,
          "required": [
            "name"
          ],
          "properties": {
            "name": {
              "$ref": "#/$defs/nonEmptyString"
            },
            "url": {
              "$ref": "#/$defs/uri"
            }
          }
        }
      }
    },
    "infrastructure": {
      "type": "object",
      "additionalProperties": false,
      "required": [
        "infrastructureSoftware"
      ],
      "properties": {
        "infrastructureSoftware": {
          "type": "array",
          "items": {
            "type": "object",
            "additionalProperties": false,
            "required": [
              "name",
              "type"
            ],
            "properties": {
              "name": {
                "$ref": "#/$defs/nonEmptyString"
              },
              "type": {
                "type": "string",
                "enum": [
                  "firmware",
                  "package-manager",
                  "library",
                  "framework",
                  "runtime",
                  "tool",
                  "service",
                  "other"
                ]
              },
              "version": {
                "$ref": "#/$defs/unknownableString"
              },
              "supplier": {
                "$ref": "#/$defs/nonEmptyString"
              }
            }
          }
        },
        "infrastructureHardware": {
          "type": "object",
          "additionalProperties": false,
          "required": [
            "hbomUrl"
          ],
          "properties": {
            "hbomUrl": {
              "$ref": "#/$defs/uri"
            },
            "description": {
              "$ref": "#/$defs/nonEmptyString"
            }
          }
        }
      }
    },
    "security": {
      "type": "object",
      "additionalProperties": false,
      "properties": {
        "securityControls": {
          "type": "array",
          "minItems": 1,
          "items": {
            "type": "object",
            "additionalProperties": false,
            "required": [
              "name",
              "category"
            ],
            "properties": {
              "name": {
                "$ref": "#/$defs/nonEmptyString"
              },
              "category": {
                "type": "string",
                "enum": [
                  "general-cybersecurity",
                  "ai-specific",
                  "physical",
                  "administrative",
                  "technical"
                ]
              },
              "description": {
                "$ref": "#/$defs/nonEmptyString"
              },
              "referenceUrl": {
                "$ref": "#/$defs/uri"
              }
            }
          }
        },
        "securityCompliance": {
          "type": "array",
          "items": {
            "type": "object",
            "additionalProperties": false,
            "required": [
              "name"
            ],
            "properties": {
              "name": {
                "$ref": "#/$defs/nonEmptyString"
              },
              "status": {
                "type": "string",
                "enum": [
                  "certified",
                  "self-attested",
                  "in-progress",
                  "not-assessed",
                  "not-applicable"
                ]
              },
              "referenceUrl": {
                "$ref": "#/$defs/uri"
              }
            }
          }
        },
        "cybersecurityPolicyInformation": {
          "$ref": "#/$defs/uri"
        },
        "vulnerabilityReferencing": {
          "type": "array",
          "items": {
            "$ref": "#/$defs/externalReference"
          }
        }
      }
    },
    "kpis": {
      "type": "object",
      "additionalProperties": false,
      "properties": {
        "securityMetrics": {
          "type": "array",
          "items": {
            "type": "object",
            "additionalProperties": false,
            "required": [
              "name",
              "value"
            ],
            "properties": {
              "name": {
                "$ref": "#/$defs/nonEmptyString"
              },
              "value": {
                "oneOf": [
                  {
                    "type": "number"
                  },
                  {
                    "$ref": "#/$defs/nonEmptyString"
                  }
                ]
              },
              "unit": {
                "$ref": "#/$defs/nonEmptyString"
              },
              "measurementTimestamp": {
                "$ref": "#/$defs/timestamp"
              }
            }
          }
        },
        "operationalPerformanceKpis": {
          "type": "array",
          "items": {
            "type": "object",
            "additionalProperties": false,
            "required": [
              "name",
              "value"
            ],
            "properties": {
              "name": {
                "$ref": "#/$defs/nonEmptyString"
              },
              "value": {
                "oneOf": [
                  {
                    "type": "number"
                  },
                  {
                    "$ref": "#/$defs/nonEmptyString"
                  }
                ]
              },
              "unit": {
                "$ref": "#/$defs/nonEmptyString"
              },
              "measurementTimestamp": {
                "$ref": "#/$defs/timestamp"
              }
            }
          }
        }
      }
    }
  }
}
