From 0b9ad8493659de500311fc5802bc8dc7f00bea66 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 12 May 2026 16:37:02 +0200
Subject: [PATCH 1/2] Add example values to AI SBOM field descriptions
---
 objects/ai-compute-component/definition.json | 53 ++++++++++++++
 objects/ai-dataset-component/definition.json | 60 ++++++++++++++++
 .../ai-governance-component/definition.json | 55 +++++++++++++++
 objects/ai-model-component/definition.json | 61 ++++++++++++++++
 objects/ai-sbom/definition.json | 69 +++++++++++++++++++
 5 files changed, 298 insertions(+)
 create mode 100644 objects/ai-compute-component/definition.json
 create mode 100644 objects/ai-dataset-component/definition.json
 create mode 100644 objects/ai-governance-component/definition.json
 create mode 100644 objects/ai-model-component/definition.json
 create mode 100644 objects/ai-sbom/definition.json
diff --git a/objects/ai-compute-component/definition.json b/objects/ai-compute-component/definition.json
new file mode 100644
index 00000000..b9de420f
--- /dev/null
+++ b/objects/ai-compute-component/definition.json
@@ -0,0 +1,53 @@
+{
+ "attributes": {
+ "component-identifier": {
+ "description": "Unique identifier (e.g. CPE, purl, image digest). Example: cpe:2.3:a:nvidia:cudnn:9.1:*:*:*:*:*:*:*.",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "component-name": {
+ "description": "Name of compute/runtime component used by the AI system. Example: NVIDIA CUDA Runtime.",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "component-type": {
+ "description": "Type of component (hardware, runtime, container, accelerator). Example: runtime.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "component-version": {
+ "description": "Version identifier for the component. Example: 12.4.",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "dependency-relationship": {
+ "description": "Relationship of this component to the AI system. Example: required-at-inference.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "integrity-hash": {
+ "description": "Hash of immutable component artifact where applicable. Example: SHA-256 d4735e3a265e16eee03f59718b9b5d03.",
+ "misp-attribute": "sha256",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "supplier": {
+ "description": "Supplier or manufacturer of the compute component. Example: NVIDIA.",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ }
+ },
+ "description": "Runtime and compute dependency component for an AI SBOM. Reference: BSI, \"SBOM for AI — minimum elements\" (https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/KI/SBOM-for-AI_minimum-elements.pdf?__blob=publicationFile&v=4).",
+ "meta-category": "software",
+ "name": "ai-compute-component",
+ "required": [
+ "component-name",
+ "component-type"
+ ],
+ "uuid": "7d8496fd-a74a-4bd7-bec0-ce8e326df894",
+ "version": 1
+}
\ No newline at end of file
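Review bot: The example in the `integrity-hash` description of ai-compute-component is labelled SHA-256 but is only 32 hex characters long, while the attribute is typed `sha256`, i.e. a 64-hex-character digest; the same mismatch is in `integrity-hash` of ai-dataset-component and `artifact-hash` of ai-model-component, whose examples are 40 characters each. Someone who takes the example as the expected shape will enter values that should fail type validation, or will store truncated digests, which defeats the integrity check the field exists for. I would replace all three with an obviously marked full-length placeholder such as `Example: SHA-256, 64 hex characters.` rather than a partial digest.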
diff --git a/objects/ai-dataset-component/definition.json b/objects/ai-dataset-component/definition.json
new file mode 100644
index 00000000..fe676d08
--- /dev/null
+++ b/objects/ai-dataset-component/definition.json
@@ -0,0 +1,60 @@
+{
+ "attributes": {
+ "data-sensitivity": {
+ "description": "Data sensitivity classification (e.g., personal, confidential). Example: Personal data - pseudonymized.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "dataset-identifier": {
+ "description": "Unique dataset identifier such as DOI or URI. Example: https://doi.org/10.1234/example-dataset.",
+ "misp-attribute": "link",
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "dataset-license": {
+ "description": "License terms for dataset usage. Example: ODC-BY-1.0.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "dataset-name": {
+ "description": "Name of the dataset component. Example: Example Instruction Dataset.",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "dataset-origin": {
+ "description": "Source provenance information for the dataset. Example: Curated from public web crawl 2025-Q4.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "dataset-provider": {
+ "description": "Organization or source providing the dataset. Example: Example Data Foundation.",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "dataset-version": {
+ "description": "Version or release identifier of the dataset. Example: 2025.12.",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "integrity-hash": {
+ "description": "Cryptographic hash of dataset artifact. Example: SHA-256 b94d27b9934d3e08a52e52d7da7dabfac484efe3.",
+ "misp-attribute": "sha256",
+ "multiple": true,
+ "ui-priority": 1
+ }
+ },
+ "description": "Dataset component entry for an AI SBOM. Reference: BSI, \"SBOM for AI — minimum elements\" (https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/KI/SBOM-for-AI_minimum-elements.pdf?__blob=publicationFile&v=4).",
+ "meta-category": "misc",
+ "name": "ai-dataset-component",
+ "required": [
+ "dataset-name"
+ ],
+ "uuid": "2a7519c7-dbc9-441f-abd1-d1fc9e8e46ea",
+ "version": 1
+}
\ No newline at end of file
diff --git a/objects/ai-governance-component/definition.json b/objects/ai-governance-component/definition.json
new file mode 100644
index 00000000..65256f7b
--- /dev/null
+++ b/objects/ai-governance-component/definition.json
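Review bot: In ai-dataset-component, `dataset-identifier` is typed `link`, but its description invites a DOI as well as a URI, and a bare DOI (the `10.1234/example-dataset` part of the example) is not a URL. The sibling identifiers in this patch, `component-identifier` and `model-identifier`, are both `text`. Either change this one to `"misp-attribute": "text",` for consistency, or tighten the description to say that a DOI must be given in resolver form as in the example, so that the stored value always matches the declared type.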
@@ -0,0 +1,55 @@
+{
+ "attributes": {
+ "coverage": {
+ "description": "AI lifecycle phase covered by the governance artifact. Example: development and deployment phases.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "document-link": {
+ "description": "URL or location of the governance artifact. Example: https://example.org/model-card.pdf.",
+ "disable_correlation": true,
+ "misp-attribute": "link",
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "document-name": {
+ "description": "Name of policy, card, report, or assurance artifact. Example: Model Card - Example-LLM-7B.",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "document-type": {
+ "description": "Type of governance document referenced by the AI SBOM. Example: model-card.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "document-version": {
+ "description": "Version of the governance artifact. Example: v1.2.",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "issuer": {
+ "description": "Entity issuing the governance artifact. Example: Responsible AI Team, Example Corp.",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "last-reviewed": {
+ "description": "Most recent review date for governance content. Example: 2026-04-30T00:00:00Z.",
+ "disable_correlation": true,
+ "misp-attribute": "datetime",
+ "ui-priority": 0
+ }
+ },
+ "description": "Governance and transparency artifacts linked from an AI SBOM (e.g., model cards, risk docs). Reference: BSI, \"SBOM for AI — minimum elements\" (https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/KI/SBOM-for-AI_minimum-elements.pdf?__blob=publicationFile&v=4).",
+ "meta-category": "misc",
+ "name": "ai-governance-component",
+ "required": [
+ "document-type",
+ "document-name"
+ ],
+ "uuid": "1490a8e8-a3ca-4139-815d-abc9798e5868",
+ "version": 1
+}
\ No newline at end of file
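Review bot: ai-governance-component records where a document lives (`document-link`) and which version it claims to be, but nothing that pins its content, so a model card or risk document can be replaced at the same URL without this record showing it. The compute, dataset and model objects in the same patch each carry a `sha256`-typed hash attribute. I would add an optional `integrity-hash` attribute here with the same shape as theirs (`"misp-attribute": "sha256"`, `"multiple": true`), and have its description say that it is the digest of the document as it stood at `last-reviewed`.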
diff --git a/objects/ai-model-component/definition.json b/objects/ai-model-component/definition.json
new file mode 100644
index 00000000..0b1c0329
--- /dev/null
+++ b/objects/ai-model-component/definition.json
@@ -0,0 +1,61 @@
+{
+ "attributes": {
+ "artifact-hash": {
+ "description": "Cryptographic hash for model artifact integrity. Example: SHA-256 3f786850e387550fdab836ed7e6dc881de23001b.",
+ "misp-attribute": "sha256",
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "license": {
+ "description": "License applying to the model component. Example: Apache-2.0.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "model-identifier": {
+ "description": "Unique identifier such as URI, digest, or package URL. Example: huggingface://org/model@v1.",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "model-name": {
+ "description": "Name of the AI model component. Example: Example-LLM-7B.",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "model-type": {
+ "description": "Model family or architecture type. Example: Transformer decoder-only.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "model-version": {
+ "description": "Version or release of the model. Example: 2026.04.",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "provider": {
+ "description": "Organization that developed or publishes the model. Example: Example AI Labs.",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "training-framework": {
+ "description": "Framework used to train or package the model. Example: PyTorch 2.4.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ }
+ },
+ "description": "AI model component entry for an AI SBOM. Reference: BSI, \"SBOM for AI — minimum elements\" (https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/KI/SBOM-for-AI_minimum-elements.pdf?__blob=publicationFile&v=4).",
+ "meta-category": "software",
+ "name": "ai-model-component",
+ "required": [
+ "model-name",
+ "model-version"
+ ],
+ "uuid": "e5162e7f-ca79-49b4-b997-9873521f05d9",
+ "version": 1
+}
\ No newline at end of file
diff --git a/objects/ai-sbom/definition.json b/objects/ai-sbom/definition.json
new file mode 100644
index 00000000..6a8246d7
--- /dev/null
+++ b/objects/ai-sbom/definition.json
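Review bot: In ai-model-component, `model-version` is a `text` attribute without `disable_correlation`, so a short release string like the example `2026.04` will most likely correlate with every unrelated attribute that holds the same text. The same applies to `component-version`, `dataset-version`, `document-version` and `ai-system-version` in the other files of this patch, whereas the type and license fields next to them already set the flag. Adding `"disable_correlation": true,` to the version attributes would keep the correlation graph limited to values that identify something, such as the hashes and identifiers.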
@@ -0,0 +1,69 @@
+{
+ "attributes": {
+ "ai-system-name": {
+ "description": "Name of the AI system covered by the SBOM. Example: Fraud Detection Assistant.",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "ai-system-version": {
+ "description": "Version or release identifier of the AI system. Example: 2.3.1.",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "author": {
+ "description": "Entity creating or assembling the AI SBOM. Example: AI Governance Office, Example Corp.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "license": {
+ "description": "Applicable license statement for the AI SBOM artifact. Example: CC-BY-4.0.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "sbom-id": {
+ "description": "Unique identifier of the AI SBOM document. Example: urn:uuid:123e4567-e89b-12d3-a456-426614174000.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "sbom-version": {
+ "description": "Version of the AI SBOM document. Example: 1.0.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "standard": {
+ "description": "Serialization or specification used for the AI SBOM. Example: CycloneDX 1.6 with AI profile.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "supplier": {
+ "description": "Entity producing or supplying the AI system. Example: Example Corp.",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "timestamp": {
+ "description": "Date and time when the AI SBOM was generated. Example: 2026-05-12T09:30:00Z.",
+ "disable_correlation": true,
+ "misp-attribute": "datetime",
+ "ui-priority": 1
+ }
+ },
+ "description": "Top-level AI SBOM metadata aligned with BSI minimum elements for SBOM for AI. Reference: BSI, \"SBOM for AI — minimum elements\" (https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/KI/SBOM-for-AI_minimum-elements.pdf?__blob=publicationFile&v=4).",
+ "meta-category": "misc",
+ "name": "ai-sbom",
+ "required": [
+ "sbom-id",
+ "ai-system-name",
+ "timestamp"
+ ],
+ "uuid": "204b7f7e-f65b-424f-852d-465f40c6add6",
+ "version": 1
+}
\ No newline at end of file
From 6d49950ffa1cd62af138dd20d6e64738d829fc0f Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 12 May 2026 16:55:18 +0200
Subject: [PATCH 2/2] Set AI SBOM object meta-category to file
---
 objects/ai-compute-component/definition.json | 2 +-
 objects/ai-dataset-component/definition.json | 2 +-
 objects/ai-governance-component/definition.json | 2 +-
 objects/ai-model-component/definition.json | 2 +-
 objects/ai-sbom/definition.json | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/objects/ai-compute-component/definition.json b/objects/ai-compute-component/definition.json
index b9de420f..8cdf4174 100644
--- a/objects/ai-compute-component/definition.json
+++ b/objects/ai-compute-component/definition.json
@@ -42,7 +42,7 @@
 }
 },
 "description": "Runtime and compute dependency component for an AI SBOM. Reference: BSI, \"SBOM for AI — minimum elements\" (https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/KI/SBOM-for-AI_minimum-elements.pdf?__blob=publicationFile&v=4).",
- "meta-category": "software",
+ "meta-category": "file",
 "name": "ai-compute-component",
 "required": [
 "component-name",
diff --git a/objects/ai-dataset-component/definition.json b/objects/ai-dataset-component/definition.json
index fe676d08..713f2054 100644
--- a/objects/ai-dataset-component/definition.json
+++ b/objects/ai-dataset-component/definition.json
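Review bot: In the ai-sbom object added by patch 1/2, `sbom-id` is the one attribute whose value is meant to be unique, yet it carries `"disable_correlation": true`, while `ai-system-name` and `supplier` are left correlating. If the aim is to find every event that refers to the same SBOM document, `sbom-id` is the attribute where correlation is useful, and I would drop the flag there. If disabling it is deliberate, a sentence in the description saying how component objects are tied back to their SBOM (presumably object relationships) would make that clear to analysts.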
@@ -50,7 +50,7 @@
 }
 },
 "description": "Dataset component entry for an AI SBOM. Reference: BSI, \"SBOM for AI — minimum elements\" (https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/KI/SBOM-for-AI_minimum-elements.pdf?__blob=publicationFile&v=4).",
- "meta-category": "misc",
+ "meta-category": "file",
 "name": "ai-dataset-component",
 "required": [
 "dataset-name"
diff --git a/objects/ai-governance-component/definition.json b/objects/ai-governance-component/definition.json
index 65256f7b..a67c5ea1 100644
--- a/objects/ai-governance-component/definition.json
+++ b/objects/ai-governance-component/definition.json
@@ -44,7 +44,7 @@
 }
 },
 "description": "Governance and transparency artifacts linked from an AI SBOM (e.g., model cards, risk docs). Reference: BSI, \"SBOM for AI — minimum elements\" (https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/KI/SBOM-for-AI_minimum-elements.pdf?__blob=publicationFile&v=4).",
- "meta-category": "misc",
+ "meta-category": "file",
 "name": "ai-governance-component",
 "required": [
 "document-type",
diff --git a/objects/ai-model-component/definition.json b/objects/ai-model-component/definition.json
index 0b1c0329..f56f9b42 100644
--- a/objects/ai-model-component/definition.json
+++ b/objects/ai-model-component/definition.json
@@ -50,7 +50,7 @@
 }
 },
 "description": "AI model component entry for an AI SBOM. Reference: BSI, \"SBOM for AI — minimum elements\" (https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/KI/SBOM-for-AI_minimum-elements.pdf?__blob=publicationFile&v=4).",
- "meta-category": "software",
+ "meta-category": "file",
 "name": "ai-model-component",
 "required": [
 "model-name",
diff --git a/objects/ai-sbom/definition.json b/objects/ai-sbom/definition.json
index 6a8246d7..9e01d0c4 100644
--- a/objects/ai-sbom/definition.json
+++ b/objects/ai-sbom/definition.json
@@ -57,7 +57,7 @@
 }
 },
 "description": "Top-level AI SBOM metadata aligned with BSI minimum elements for SBOM for AI. Reference: BSI, \"SBOM for AI — minimum elements\" (https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/KI/SBOM-for-AI_minimum-elements.pdf?__blob=publicationFile&v=4).",
- "meta-category": "misc",
+ "meta-category": "file",
 "name": "ai-sbom",
 "required": [
 "sbom-id",