# Model Scanner to CycloneDX Schema Mapping

The following table shows how Model Scanner fields are mapped to the CycloneDX 1.6 standard. See CycloneDX 1.6 JSON Reference for more information about the standard.

## Metadata

| Model Scanner v3 Output | CycloneDX 1.6 Output | Description |
| --- | --- | --- |
| version | metadata.tools.components.version | The version of a particular component used within a tool that generated or processed the AIBOM. |
| inventory.model_name | metadata.component.name | The name of the primary component that the AIBOM describes. |
| inventory.model_version | metadata.component.version | The version of the primary component that the AIBOM describes. |
| inventory.requested_scan_location | metadata.component.properties.name | The name of the property. Duplicate names are allowed, each potentially having a different value. |
| inventory.requested_scan_location | metadata.component.properties.value | The value of the property. |
| status | metadata.properties.name | The name of the property. Duplicate names are allowed, each potentially having a different value. |
| status | metadata.properties.value | The value of the property. |
| start_time | metadata.properties.name | The name of the property. Duplicate names are allowed, each potentially having a different value. |
| start_time | metadata.properties.value | The value of the property. |
| end_time | metadata.properties.name | The name of the property. Duplicate names are allowed, each potentially having a different value. |
| end_time | metadata.properties.value | The value of the property. |

## Components

A list of software and hardware components.

| Model Scanner v3 Output | CycloneDX 1.6 Output | Description |
| --- | --- | --- |
| file_results.file_location | components.name | The name of the component. This will often be a shortened, single name of the component. Examples: **commons-lang3** and **jquery**. |
| file_results.file_location | components.bom-ref | An optional identifier which can be used to reference the component elsewhere in the BOM. Every bom-ref must be unique within the BOM. Value SHOULD not start with the BOM-Link intro `urn:cdx:` to avoid conflicts with BOM-Links. |
| file_results.details.sha256 | components.hashes.alg | The algorithm that generated the SHA256 hash value. |
| file_results.details.sha256 | components.hashes.content | The value of the SHA256 hash. Must match regular expression: `^([a-fA-F0-9]{32}\|[a-fA-F0-9]{40}\|[a-fA-F0-9]{64}\|[a-fA-F0-9]{96}\|[a-fA-F0-9]{128})$`. |
| file_results.details.md5 | components.hashes.alg | The algorithm that generated the MD5 hash value. |
| file_results.details.md5 | components.hashes.content | The value of the MD5 hash. Must match regular expression: `^([a-fA-F0-9]{32}\|[a-fA-F0-9]{40}\|[a-fA-F0-9]{64}\|[a-fA-F0-9]{96}\|[a-fA-F0-9]{128})$`. |
| file_results.details.file_type | components.properties.name | The name of the property. Duplicate names are allowed, each potentially having a different value. |
| file_results.details.file_type | components.properties.value | The value of the property. |
| file_results.status | components.properties.name | The name of the property. Duplicate names are allowed, each potentially having a different value. |
| file_results.status | components.properties.value | The value of the property. |
| file_results.details.tlsh | components.properties.name | The name of the property. Duplicate names are allowed, each potentially having a different value. |
| file_results.details.tlsh | components.properties.value | The value of the property. |

## Vulnerabilities

Vulnerabilities identified in components or services.

| Model Scanner v3 Output | CycloneDX 1.6 Output | Description |
| --- | --- | --- |
| file_results.detections.rule_id | vulnerabilities.id | The identifier that uniquely identifies the vulnerability. |
| file_results.detections.detection_id | vulnerabilities.bom-ref | An optional identifier which can be used to reference the vulnerability elsewhere in the BOM. Every bom-ref must be unique within the BOM. Value SHOULD not start with the BOM-Link intro `urn:cdx:` to avoid conflicts with BOM-Links. Must be at least `1` character long. |
| file_results.detections.category | vulnerabilities.description | A description of the vulnerability as provided by the source. |
| file_results.detections.description | vulnerabilities.detail | If available, an in-depth description of the vulnerability as provided by the source organization. Details often include information useful in understanding root cause. |
| file_results.detections.severity | vulnerabilities.ratings.severity | Textual representation of the severity that corresponds to the numerical score of the rating. |
| file_results.detections.technical_blog_hrefs | vulnerabilities.advisories.url | Location where the advisory can be obtained. |
| file_results.detections.cve | vulnerabilities.references.id | An identifier that uniquely identifies the vulnerability. Example: "CVE-2021-39182" |
| file_results.detections.cve | vulnerabilities.references.source | The source that published the vulnerability. |
| file_results.detections.cve | vulnerabilities.references.source.name | The name of the source. |
| file_results.detections.cve | vulnerabilities.references.source.url | The URL of the vulnerability documentation as provided by the source. |
| file_results.detections.owasp | vulnerabilities.references.id | An identifier that uniquely identifies the vulnerability. |
| file_results.detections.owasp | vulnerabilities.references.source | The source that published the vulnerability. |
| file_results.detections.owasp | vulnerabilities.references.source.name | The name of the source. |
| file_results.detections.owasp | vulnerabilities.references.source.url | The URL of the vulnerability documentation as provided by the source. |
| file_results.detections.mitre_atlas | vulnerabilities.references.id | An identifier that uniquely identifies the vulnerability. |
| file_results.detections.mitre_atlas | vulnerabilities.references.source | The source that published the vulnerability. |
| file_results.detections.mitre_atlas | vulnerabilities.references.source.name | The name of the source. |
| file_results.detections.mitre_atlas | vulnerabilities.references.source.url | The URL of the vulnerability documentation as provided by the source. |
| file_results.file_location | vulnerabilities.affects.ref | References a component or service by the object's bom-ref. |
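
The mapping in the three tables above, applied end to end as an added example (not Model Scanner's own code): it builds a CycloneDX 1.6 document from a scan result, rejects hashes that fail the quoted pattern, and enforces bom-ref uniqueness so every `affects.ref` resolves. The property-name prefix, tool name, component `type` values, source names, and the list/dict nesting of the input are assumptions; `source.url` is left out because the constructed input carries none.

```python
import re

# Assumed, not from the page: property-name prefix, tool name, "type" values, source names.
NS = "example:model_scanner:"
SOURCES = {"cve": "CVE", "owasp": "OWASP", "mitre_atlas": "MITRE ATLAS"}
# Hash-content pattern quoted in the Components table.
HASH_RE = re.compile(r"^([a-fA-F0-9]{32}|[a-fA-F0-9]{40}|[a-fA-F0-9]{64}|[a-fA-F0-9]{96}|[a-fA-F0-9]{128})$")

def prop(name, value):
    return {"name": NS + name, "value": str(value)}

def to_cyclonedx(scan):
    inv, seen = scan["inventory"], set()
    def ref(value):  # every bom-ref must be unique within the BOM
        if value in seen:
            raise ValueError(f"duplicate bom-ref: {value}")
        seen.add(value)
        return value
    bom = {"bomFormat": "CycloneDX", "specVersion": "1.6", "components": [], "vulnerabilities": [],
           "metadata": {
               "tools": {"components": [{"type": "application", "name": "model-scanner", "version": scan["version"]}]},
               "component": {"type": "machine-learning-model", "name": inv["model_name"],
                             "version": inv["model_version"], "properties": [
                                 prop("requested_scan_location", inv["requested_scan_location"])]},
               "properties": [prop(k, scan[k]) for k in ("status", "start_time", "end_time")]}}
    for f in scan["file_results"]:
        d, loc = f["details"], f["file_location"]
        hashes = [{"alg": a, "content": d[k]} for a, k in (("SHA-256", "sha256"), ("MD5", "md5")) if k in d]
        for h in hashes:
            if not HASH_RE.match(h["content"]):
                raise ValueError(f"{h['alg']} of {loc} fails the hash pattern")
        bom["components"].append({
            "type": "file", "name": loc, "bom-ref": ref(loc), "hashes": hashes,
            "properties": [prop("file_type", d["file_type"]), prop("status", f["status"]), prop("tlsh", d["tlsh"])]})
        for det in f.get("detections", []):
            bom["vulnerabilities"].append({
                "id": det["rule_id"], "bom-ref": ref(det["detection_id"]),
                "description": det["category"], "detail": det["description"],
                "ratings": [{"severity": det["severity"].lower()}],  # CycloneDX severities are lowercase
                "advisories": [{"url": u} for u in det.get("technical_blog_hrefs", [])],
                "references": [{"id": i, "source": {"name": SOURCES[k]}} for k in SOURCES for i in det.get(k, [])],
                "affects": [{"ref": loc}]})  # points at the component bom-ref set above
    return bom

# Constructed sample; the list/dict nesting is inferred from the dotted field paths.
SAMPLE = {"version": "3.0.0", "status": "done", "start_time": "2025-01-01T00:00:00Z", "end_time": "2025-01-01T00:00:05Z",
          "inventory": {"model_name": "demo-model", "model_version": "1", "requested_scan_location": "/models/demo"},
          "file_results": [{"file_location": "model.pkl", "status": "done",
              "details": {"sha256": "ab" * 32, "md5": "cd" * 16, "file_type": "pickle", "tlsh": "T1" + "0" * 70},
              "detections": [{"rule_id": "EXAMPLE_RULE_1", "detection_id": "det-0001", "category": "Constructed category", "description": "Constructed detail", "severity": "HIGH", "technical_blog_hrefs": ["https://example.com/blog"], "cve": ["CVE-0000-0000"], "owasp": ["EXAMPLE-OWASP-ID"], "mitre_atlas": ["EXAMPLE-ATLAS-ID"]}]}]}
```

Because `file_results.file_location` feeds both `components.bom-ref` and `vulnerabilities.affects.ref`, two results with the same location would produce a BOM whose references are ambiguous; the `ref` helper turns that into an error at conversion time.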