
Model Scanner to CycloneDX Schema Mapping

The following tables show how Model Scanner v3 output fields are mapped to the CycloneDX 1.6 standard.

See CycloneDX 1.6 JSON Reference for more information about the standard.

Metadata

Model Scanner v3 Output | CycloneDX 1.6 Output | Description
version | metadata.tools.components.version | The version of a particular component used within a tool that generated or processed the AIBOM.
inventory.model_name | metadata.component.name | The name of the primary component that the AIBOM describes.
inventory.model_version | metadata.component.version | The version of the primary component that the AIBOM describes.
inventory.requested_scan_location | metadata.component.properties.name | The name of the property. Duplicate names are allowed, each potentially having a different value.
inventory.requested_scan_location | metadata.component.properties.value | The value of the property.
status | metadata.properties.name | The name of the property. Duplicate names are allowed, each potentially having a different value.
status | metadata.properties.value | The value of the property.
start_time | metadata.properties.name | The name of the property. Duplicate names are allowed, each potentially having a different value.
start_time | metadata.properties.value | The value of the property.
end_time | metadata.properties.name | The name of the property. Duplicate names are allowed, each potentially having a different value.
end_time | metadata.properties.value | The value of the property.

Components

A list of software and hardware components.

Model Scanner v3 Output | CycloneDX 1.6 Output | Description
file_results.file_location | components.name | The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery.
file_results.file_location | components.bom-ref | An optional identifier which can be used to reference the component elsewhere in the BOM. Every bom-ref must be unique within the BOM. Value SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.
file_results.details.sha256 | components.hashes.alg | The algorithm that generated the SHA256 hash value.
file_results.details.sha256 | components.hashes.content | The value of the SHA256 hash. Must match regular expression: ^([a-fA-F0-9]{32}|[a-fA-F0-9]{40}|[a-fA-F0-9]{64}|[a-fA-F0-9]{96}|[a-fA-F0-9]{128})$
file_results.details.md5 | components.hashes.alg | The algorithm that generated the MD5 hash value.
file_results.details.md5 | components.hashes.content | The value of the MD5 hash. Must match regular expression: ^([a-fA-F0-9]{32}|[a-fA-F0-9]{40}|[a-fA-F0-9]{64}|[a-fA-F0-9]{96}|[a-fA-F0-9]{128})$
file_results.details.file_type | components.properties.name | The name of the property. Duplicate names are allowed, each potentially having a different value.
file_results.details.file_type | components.properties.value | The value of the property.
file_results.status | components.properties.name | The name of the property. Duplicate names are allowed, each potentially having a different value.
file_results.status | components.properties.value | The value of the property.
file_results.details.tlsh | components.properties.name | The name of the property. Duplicate names are allowed, each potentially having a different value.
file_results.details.tlsh | components.properties.value | The value of the property.

Vulnerabilities

Vulnerabilities identified in components or services.

Model Scanner v3 Output | CycloneDX 1.6 Output | Description
file_results.detections.rule_id | vulnerabilities.id | The identifier that uniquely identifies the vulnerability.
file_results.detections.detection_id | vulnerabilities.bom-ref | An optional identifier which can be used to reference the vulnerability elsewhere in the BOM. Every bom-ref must be unique within the BOM. Value SHOULD not start with the BOM-Link intro urn:cdx: to avoid conflicts with BOM-Links. Must be at least 1 character long.
file_results.detections.category | vulnerabilities.description | A description of the vulnerability as provided by the source.
file_results.detections.description | vulnerabilities.detail | If available, an in-depth description of the vulnerability as provided by the source organization. Details often include information useful in understanding root cause.
file_results.detections.severity | vulnerabilities.ratings.severity | Textual representation of the severity that corresponds to the numerical score of the rating.
file_results.detections.technical_blog_hrefs | vulnerabilities.advisories.url | Location where the advisory can be obtained.
file_results.detections.cve | vulnerabilities.references.id | An identifier that uniquely identifies the vulnerability. Example: "CVE-2021-39182"
file_results.detections.cve | vulnerabilities.references.source | The source that published the vulnerability.
file_results.detections.cve | vulnerabilities.references.source.name | The name of the source.
file_results.detections.cve | vulnerabilities.references.source.url | The URL of the vulnerability documentation as provided by the source.
file_results.detections.owasp | vulnerabilities.references.id | An identifier that uniquely identifies the vulnerability.
file_results.detections.owasp | vulnerabilities.references.source | The source that published the vulnerability.
file_results.detections.owasp | vulnerabilities.references.source.name | The name of the source.
file_results.detections.owasp | vulnerabilities.references.source.url | The URL of the vulnerability documentation as provided by the source.
file_results.detections.mitre_atlas | vulnerabilities.references.id | An identifier that uniquely identifies the vulnerability.
file_results.detections.mitre_atlas | vulnerabilities.references.source | The source that published the vulnerability.
file_results.detections.mitre_atlas | vulnerabilities.references.source.name | The name of the source.
file_results.detections.mitre_atlas | vulnerabilities.references.source.url | The URL of the vulnerability documentation as provided by the source.
file_results.file_location | vulnerabilities.affects.ref | References a component or service by the object's bom-ref.
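The three mapping tables above (metadata, components, vulnerabilities) can be applied mechanically. The converter below is an added example, not the Model Scanner project's own code or CLI: it takes a scanner v3 result as a Python dict, emits a CycloneDX 1.6 document with the field names from the tables, and enforces the two constraints the tables state (hash content must match the given pattern; every bom-ref must be non-empty, unique and must not start with urn:cdx:). The sample input is constructed. Assumptions not on the page: the "modelscanner:" prefix used for property names, the shape of the cve/owasp/mitre_atlas detection fields (taken as {"id", "source": {"name", "url"}}), and the lowercase severity words, which are the CycloneDX 1.6 ratings vocabulary.

```python
"""Convert a Model Scanner v3 result into a CycloneDX 1.6 AIBOM (added example,
not the project's own code). Scanner field names follow the mapping tables.
Assumed, not from the page: the "modelscanner:" property-name prefix and the
shape of the cve/owasp/mitre_atlas fields ({"id", "source": {"name", "url"}});
severity words are the CycloneDX 1.6 ratings vocabulary."""
import json
import re

# Pattern the mapping gives for hashes.content (MD5 through SHA-512 hex lengths).
HASH_RE = re.compile(r"^([a-fA-F0-9]{32}|[a-fA-F0-9]{40}|[a-fA-F0-9]{64}"
                     r"|[a-fA-F0-9]{96}|[a-fA-F0-9]{128})$")
SEVERITIES = {"critical", "high", "medium", "low", "info", "none", "unknown"}
PROP = "modelscanner:"  # assumed property-name prefix

# Constructed sample scanner output; every value is a placeholder.
SAMPLE_SCAN = {
    "version": "3.0.0", "status": "done",
    "start_time": "2024-01-01T00:00:00Z", "end_time": "2024-01-01T00:00:05Z",
    "inventory": {"model_name": "example-model", "model_version": "1",
                  "requested_scan_location": "s3://example-bucket/example-model"},
    "file_results": [{
        "file_location": "example-model/model.pkl", "status": "done",
        "details": {"sha256": "a" * 64, "md5": "b" * 32,
                    "file_type": "pickle", "tlsh": "T1" + "0" * 70},
        "detections": [{
            "detection_id": "detection-0001", "rule_id": "RULE-PLACEHOLDER",
            "category": "Example category", "description": "Example detail.",
            "severity": "HIGH",
            "technical_blog_hrefs": ["https://example.invalid/blog"],
            "cve": {"id": "CVE-0000-00000",
                    "source": {"name": "NVD", "url": "https://example.invalid/cve"}},
            "owasp": None, "mitre_atlas": None,
        }],
    }],
}

def _props(pairs):
    """Build a CycloneDX properties list, skipping unset scanner values."""
    return [{"name": n, "value": str(v)} for n, v in pairs if v is not None]

def hash_entry(alg, content):
    """Build a hashes[] entry; reject content that fails the CycloneDX pattern."""
    if not HASH_RE.match(content):
        raise ValueError(f"{alg} hash fails CycloneDX hash pattern: {content!r}")
    return {"alg": alg, "content": content}

def check_bom_ref(ref, seen):
    """Enforce the bom-ref rules: non-empty, unique, not a BOM-Link prefix."""
    if not ref or ref.startswith("urn:cdx:") or ref in seen:
        raise ValueError(f"invalid or duplicate bom-ref: {ref!r}")
    seen.add(ref)
    return ref

def to_cyclonedx(scan):
    """Apply the metadata, components and vulnerabilities mappings."""
    seen, inv = set(), scan["inventory"]
    bom = {
        "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
        "metadata": {
            "tools": {"components": [{"type": "application", "name": "Model Scanner",
                                      "version": scan["version"]}]},
            "component": {"type": "machine-learning-model", "name": inv["model_name"],
                          "version": inv["model_version"],
                          "properties": _props([(PROP + "requested_scan_location",
                                                 inv.get("requested_scan_location"))])},
            "properties": _props([(PROP + k, scan.get(k))
                                  for k in ("status", "start_time", "end_time")]),
        },
        "components": [], "vulnerabilities": [],
    }
    for fr in scan["file_results"]:
        d = fr.get("details", {})
        ref = check_bom_ref(fr["file_location"], seen)  # file_location doubles as bom-ref
        bom["components"].append({
            "type": "file", "name": fr["file_location"], "bom-ref": ref,
            "hashes": [hash_entry(alg, d[key]) for alg, key in
                       (("SHA-256", "sha256"), ("MD5", "md5")) if d.get(key)],
            "properties": _props([(PROP + "file_type", d.get("file_type")),
                                  (PROP + "status", fr.get("status")),
                                  (PROP + "tlsh", d.get("tlsh"))])})
        for det in fr.get("detections", []):
            sev = (det.get("severity") or "unknown").lower()
            bom["vulnerabilities"].append({
                "id": det["rule_id"],
                "bom-ref": check_bom_ref(det["detection_id"], seen),
                "description": det.get("category"),
                "detail": det.get("description"),
                "ratings": [{"severity": sev if sev in SEVERITIES else "unknown"}],
                "advisories": [{"url": u} for u in det.get("technical_blog_hrefs", [])],
                "references": [{"id": det[k]["id"], "source": dict(det[k]["source"])}
                               for k in ("cve", "owasp", "mitre_atlas") if det.get(k)],
                "affects": [{"ref": ref}],  # ties the finding to the file component
            })
    return bom

if __name__ == "__main__":
    print(json.dumps(to_cyclonedx(SAMPLE_SCAN), indent=2))
```

Because both the file component and each detection draw their bom-ref from scanner fields, the same `seen` set is shared across the whole BOM: a scanner result that reports the same file_location twice, or a detection_id that collides with a file path, is rejected rather than silently producing a BOM that downstream tools cannot resolve.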