{ "registry_metadata": { "description": "Field registry for configurable AI SBOM generation and scoring" }, "scoring_config": { "tier_weights": { "critical": 3, "important": 2, "supplementary": 1 }, "category_weights": { "required_fields": 20, "metadata": 20, "component_basic": 20, "component_model_card": 30, "external_references": 10 }, "scoring_profiles": { "basic": { "description": "Minimal fields required for identification", "required_categories": [ "required_fields", "component_basic" ], "required_fields": [ "bomFormat", "specVersion", "serialNumber", "version", "name" ], "minimum_score": 40, "weight_multiplier": 1.0 }, "standard": { "description": "Comprehensive fields for proper documentation", "required_categories": [ "required_fields", "metadata", "component_basic" ], "required_fields": [ "bomFormat", "specVersion", "serialNumber", "version", "name", "downloadLocation", "primaryPurpose", "suppliedBy" ], "minimum_score": 70, "weight_multiplier": 1.0 }, "advanced": { "description": "Extensive documentation for maximum transparency", "required_categories": [ "required_fields", "metadata", "component_basic", "component_model_card", "external_references" ], "required_fields": [ "bomFormat", "specVersion", "serialNumber", "version", "name", "downloadLocation", "primaryPurpose", "suppliedBy", "type", "purl", "description", "licenses", "hyperparameter", "technicalLimitations", "energyConsumption", "safetyRiskAssessment", "typeOfModel" ], "minimum_score": 85, "weight_multiplier": 1.0 } }, "algorithm_config": { "type": "weighted_sum", "max_score": 100, "normalization": "category_based", "penalty_for_missing_critical": 0.5, "bonus_for_complete_categories": 0.1 } }, "aibom_config": { "structure_template": "cyclonedx_1.6", "generator_info": { "name": "owasp-aibom-generator", "version": "1.0.0", "manufacturer": "OWASP GenAI Security Project" }, "generation_rules": { "include_metadata_properties": true, "include_model_card": true, "include_external_references": true, 
"include_dependencies": true }, "validation_rules": { "require_critical_fields": true, "validate_jsonpath_expressions": true, "enforce_cyclonedx_schema": true } }, "fields": { "bomFormat": { "tier": "critical", "weight": 4.0, "category": "required_fields", "description": "Format identifier for the SBOM", "jsonpath": "$.bomFormat", "aibom_generation": { "location": "$.bomFormat", "rule": "always_include", "source_fields": [ "bomFormat" ], "validation": "required", "data_type": "string" }, "scoring": { "points": 4.0, "required_for_profiles": [ "basic", "standard", "advanced" ], "category_contribution": 0.2 }, "validation_message": { "missing": "Missing critical field: bomFormat - essential for SBOM identification", "recommendation": "Ensure bomFormat is set to 'CycloneDX'" }, "reference_urls": { "cyclonedx_1.6": "https://cyclonedx.org/docs/1.6/json/#bomFormat", "cyclonedx_1.7": "https://cyclonedx.org/docs/1.7/json/#bomFormat", "spdx_3.1": "https://spdx.github.io/spdx-spec/v3.1-RC1/core/" } }, "datasets": { "tier": "important", "weight": 3.0, "category": "component_model_card", "description": "Datasets used for training", "jsonpath": "$.component.modelCard.modelParameters.datasets", "aibom_generation": { "location": "$.component.modelCard.modelParameters.datasets", "rule": "include_if_available", "source_fields": [ "datasets", "dataset", "data" ], "validation": "recommended", "data_type": "array" }, "scoring": { "points": 3.0, "required_for_profiles": [ "standard", "advanced" ], "category_contribution": 0.1 }, "validation_message": { "missing": "Missing field: datasets - training data information important for transparency", "recommendation": "Add information about the datasets used to train the model" }, "reference_urls": { "cyclonedx_1.6": "https://cyclonedx.org/docs/1.6/json/#components_items_modelCard_modelParameters_datasets", "cyclonedx_1.7": "https://cyclonedx.org/docs/1.7/json/#components_items_modelCard_modelParameters_datasets", "spdx_3.1": 
"https://spdx.github.io/spdx-spec/v3.1-RC1/dataset/" } }, "paper": { "tier": "supplementary", "weight": 2.0, "category": "external_references", "description": "Research paper associated with the model", "jsonpath": "$.metadata.component.externalReferences[?(@.type=='documentation')]", "aibom_generation": { "location": "none", "rule": "include_if_present", "source_fields": [ "paper" ], "validation": "optional", "data_type": "string" }, "extraction": { "methods": [ "api" ], "source_priority": [ "api" ] }, "scoring": { "points": 2.0, "required_for_profiles": [ "advanced" ], "category_contribution": 0.2 }, "validation_message": { "missing": "No research paper link found", "recommendation": "Add ArXiv tag or paper link to model card" }, "reference_urls": { "cyclonedx_1.6": "https://cyclonedx.org/docs/1.6/json/#components_items_externalReferences", "cyclonedx_1.7": "https://cyclonedx.org/docs/1.7/json/#components_items_externalReferences", "spdx_3.1": "https://spdx.github.io/spdx-spec/v3.1-RC1/ai/" } }, "vcs": { "tier": "supplementary", "weight": 4.0, "category": "external_references", "description": "Version control system URL", "jsonpath": "$.components[0].externalReferences[?(@.type=='vcs')].url", "aibom_generation": { "location": "none", "rule": "include_if_present", "source_fields": [ "vcs", "repository" ], "validation": "optional", "data_type": "string" }, "extraction": { "methods": [ "api" ], "source_priority": [ "api" ] }, "scoring": { "points": 4.0, "required_for_profiles": [ "advanced" ], "category_contribution": 0.4 }, "validation_message": { "missing": "No VCS link found", "recommendation": "Add repository link to model card" }, "reference_urls": { "cyclonedx_1.6": "https://cyclonedx.org/docs/1.6/json/#components_items_externalReferences", "cyclonedx_1.7": "https://cyclonedx.org/docs/1.7/json/#components_items_externalReferences", "spdx_3.1": "https://spdx.github.io/spdx-spec/v3.1-RC1/ai/" } }, "website": { "tier": "supplementary", "weight": 4.0, "category": 
"external_references", "description": "Model website or documentation URL", "jsonpath": "$.components[0].externalReferences[?(@.type=='website')].url", "aibom_generation": { "location": "none", "rule": "include_if_present", "source_fields": [ "website", "url" ], "validation": "optional", "data_type": "string" }, "extraction": { "methods": [ "api" ], "source_priority": [ "api" ] }, "scoring": { "points": 4.0, "required_for_profiles": [ "advanced" ], "category_contribution": 0.4 }, "validation_message": { "missing": "No website link found", "recommendation": "Add website link to model card" }, "reference_urls": { "cyclonedx_1.6": "https://cyclonedx.org/docs/1.6/json/#components_items_externalReferences", "cyclonedx_1.7": "https://cyclonedx.org/docs/1.7/json/#components_items_externalReferences", "spdx_3.1": "https://spdx.github.io/spdx-spec/v3.1-RC1/ai/" } }, "specVersion": { "tier": "critical", "weight": 4.0, "category": "required_fields", "description": "CycloneDX specification version", "jsonpath": "$.specVersion", "aibom_generation": { "location": "$.specVersion", "rule": "always_include", "source_fields": [ "specVersion" ], "validation": "required", "data_type": "string" }, "scoring": { "points": 4.0, "required_for_profiles": [ "basic", "standard", "advanced" ], "category_contribution": 0.2 }, "validation_message": { "missing": "Missing critical field: specVersion - required for CycloneDX compliance", "recommendation": "Set specVersion to '1.6' for CycloneDX 1.6 compliance" }, "reference_urls": { "cyclonedx_1.6": "https://cyclonedx.org/docs/1.6/json/#specVersion", "cyclonedx_1.7": "https://cyclonedx.org/docs/1.7/json/#specVersion", "spdx_3.1": "https://spdx.github.io/spdx-spec/v3.1-RC1/core/" } }, "serialNumber": { "tier": "critical", "weight": 4.0, "category": "required_fields", "description": "Unique identifier for this SBOM instance", "jsonpath": "$.serialNumber", "aibom_generation": { "location": "$.serialNumber", "rule": "always_include", "source_fields": [ 
"serialNumber" ], "validation": "required", "data_type": "string" }, "scoring": { "points": 4.0, "required_for_profiles": [ "basic", "standard", "advanced" ], "category_contribution": 0.2 }, "validation_message": { "missing": "Missing critical field: serialNumber - unique identifier required", "recommendation": "Generate a UUID for the SBOM instance, written as a urn:uuid: URN" }, "reference_urls": { "cyclonedx_1.6": "https://cyclonedx.org/docs/1.6/json/#serialNumber", "cyclonedx_1.7": "https://cyclonedx.org/docs/1.7/json/#serialNumber", "spdx_3.1": "https://spdx.github.io/spdx-spec/v3.1-RC1/core/" } }, "version": { "tier": "critical", "weight": 4.0, "category": "required_fields", "description": "Version of this SBOM document", "jsonpath": "$.version", "aibom_generation": { "location": "$.version", "rule": "always_include", "source_fields": [ "version" ], "validation": "required", "data_type": "integer" }, "scoring": { "points": 4.0, "required_for_profiles": [ "basic", "standard", "advanced" ], "category_contribution": 0.2 }, "validation_message": { "missing": "Missing critical field: version - document version required", "recommendation": "Set version to 1 for initial SBOM generation" }, "reference_urls": { "cyclonedx_1.6": "https://cyclonedx.org/docs/1.6/json/#version", "cyclonedx_1.7": "https://cyclonedx.org/docs/1.7/json/#version", "spdx_3.1": "https://spdx.github.io/spdx-spec/v3.1-RC1/core/" } }, "primaryPurpose": { "tier": "critical", "weight": 4.0, "category": "metadata", "description": "Primary purpose or task of the AI model", "jsonpath": "$.component.modelCard.modelParameters.task", "aibom_generation": { "location": "$.component.modelCard.modelParameters.task", "rule": "include_if_available", "source_fields": [ "primaryPurpose", "pipeline_tag", "ai:task" ], "validation": "recommended", "data_type": "string" }, "scoring": { "points": 4.0, "required_for_profiles": [ "standard", "advanced" ], "category_contribution": 0.2 }, "validation_message": { "missing": "Missing critical field: 
primaryPurpose - essential for understanding model intent", "recommendation": "Add the primary task or purpose of the AI model" }, "reference_urls": { "cyclonedx_1.6": "https://cyclonedx.org/docs/1.6/json/#components_items_modelCard_modelParameters_approach", "cyclonedx_1.7": "https://cyclonedx.org/docs/1.7/json/#components_items_modelCard_modelParameters_approach", "spdx_3.1": "https://spdx.github.io/spdx-spec/v3.1-RC1/ai/" } }, "suppliedBy": { "tier": "critical", "weight": 4.0, "category": "metadata", "description": "Organization or individual that supplied the model", "jsonpath": "$.component.supplier.name", "aibom_generation": { "location": "$.component.supplier", "rule": "include_if_available", "source_fields": [ "suppliedBy", "author", "publisher" ], "validation": "recommended", "data_type": "string" }, "scoring": { "points": 4.0, "required_for_profiles": [ "standard", "advanced" ], "category_contribution": 0.2 }, "validation_message": { "missing": "Missing critical field: suppliedBy - supplier identification required", "recommendation": "Add the organization or individual who provided the model" }, "reference_urls": { "cyclonedx_1.6": "https://cyclonedx.org/docs/1.6/json/#components_items_supplier", "cyclonedx_1.7": "https://cyclonedx.org/docs/1.7/json/#components_items_supplier", "spdx_3.1": "https://spdx.github.io/spdx-spec/v3.1-RC1/software/" } }, "standardCompliance": { "tier": "supplementary", "weight": 1.0, "category": "metadata", "description": "Standards or regulations the model complies with", "jsonpath": "$.metadata.properties[?(@.name=='standardCompliance')].value", "aibom_generation": { "location": "$.metadata.properties", "rule": "include_if_available", "source_fields": [ "standardCompliance", "compliance" ], "validation": "optional", "data_type": "string" }, "scoring": { "points": 1.0, "required_for_profiles": [ "advanced" ], "category_contribution": 0.05 }, "validation_message": { "missing": "Missing supplementary field: standardCompliance - 
compliance information helpful", "recommendation": "Add any relevant standards or regulations the model complies with" }, "reference_urls": { "spdx_3.1": "https://spdx.github.io/spdx-spec/v3.1-RC1/model/AI/Classes/AIPackage/#AI-standardCompliance", "genai_aibom_taxonomy": "https://github.com/GenAI-Security-Project/cyclonedx-property-taxonomy" } }, "external_references": { "tier": "supplementary", "weight": 1.0, "category": "component_basic", "description": "Additional external references", "jsonpath": "$.component.externalReferences", "aibom_generation": { "location": "$.component.externalReferences", "rule": "include_if_available", "source_fields": [ "external_references", "references", "citations" ], "validation": "optional", "data_type": "array" }, "scoring": { "points": 1.0, "required_for_profiles": [ "advanced" ], "category_contribution": 0.05 }, "validation_message": { "missing": "Missing supplementary field: external_references - additional references helpful", "recommendation": "Add links to papers, documentation, or other resources" }, "reference_urls": { "cyclonedx_1.6": "https://cyclonedx.org/docs/1.6/json/#components_items_externalReferences", "cyclonedx_1.7": "https://cyclonedx.org/docs/1.7/json/#components_items_externalReferences", "spdx_3.1": "https://spdx.github.io/spdx-spec/v3.1-RC1/ai/" } }, "domain": { "tier": "supplementary", "weight": 1.0, "category": "metadata", "description": "Domain or field of application", "jsonpath": "$.metadata.properties[?(@.name=='domain')].value", "aibom_generation": { "location": "$.metadata.properties", "rule": "include_if_available", "source_fields": [ "domain", "field", "application_area" ], "validation": "optional", "data_type": "string" }, "scoring": { "points": 1.0, "required_for_profiles": [ "advanced" ], "category_contribution": 0.05 }, "validation_message": { "missing": "Missing supplementary field: domain - application domain helpful for context", "recommendation": "Add the domain or field where this model 
is typically applied" }, "reference_urls": { "spdx_3.1": "https://spdx.github.io/spdx-spec/v3.1-RC1/model/AI/Classes/AIPackage/#AI-domain", "genai_aibom_taxonomy": "https://github.com/GenAI-Security-Project/cyclonedx-property-taxonomy" } }, "autonomyType": { "tier": "supplementary", "weight": 1.0, "category": "metadata", "description": "Level of autonomy or human involvement required", "jsonpath": "$.metadata.properties[?(@.name=='autonomyType')].value", "aibom_generation": { "location": "$.metadata.properties", "rule": "include_if_available", "source_fields": [ "autonomyType", "autonomy_level" ], "validation": "optional", "data_type": "string" }, "scoring": { "points": 1.0, "required_for_profiles": [ "advanced" ], "category_contribution": 0.05 }, "validation_message": { "missing": "Missing supplementary field: autonomyType - autonomy level information helpful", "recommendation": "Add information about the level of human oversight required" }, "reference_urls": { "spdx_3.1": "https://spdx.github.io/spdx-spec/v3.1-RC1/model/AI/Classes/AIPackage/#AI-autonomyType", "genai_aibom_taxonomy": "https://github.com/GenAI-Security-Project/cyclonedx-property-taxonomy" } }, "name": { "tier": "critical", "weight": 4.0, "category": "component_basic", "description": "Name of the AI model component", "jsonpath": "$.components[0].name", "aibom_generation": { "location": "$.components[0].name", "rule": "always_include", "source_fields": [ "name", "model_name" ], "validation": "required", "data_type": "string" }, "scoring": { "points": 4.0, "required_for_profiles": [ "basic", "standard", "advanced" ], "category_contribution": 0.2 }, "validation_message": { "missing": "Missing critical field: name - essential for model identification", "recommendation": "Add a descriptive name for the model" }, "reference_urls": { "cyclonedx_1.6": "https://cyclonedx.org/docs/1.6/json/#components_items_name", "cyclonedx_1.7": "https://cyclonedx.org/docs/1.7/json/#components_items_name", "spdx_3.1": 
"https://spdx.github.io/spdx-spec/v3.1-RC1/software/" } }, "type": { "tier": "critical", "weight": 4.0, "category": "component_basic", "description": "Type of component (machine-learning-model)", "jsonpath": "$.components[0].type", "aibom_generation": { "location": "$.components[0].type", "rule": "always_include", "source_fields": [ "type" ], "validation": "required", "data_type": "string" }, "scoring": { "points": 4.0, "required_for_profiles": [ "basic", "standard", "advanced" ], "category_contribution": 0.2 }, "validation_message": { "missing": "Missing critical field: type - component type classification needed", "recommendation": "Set type to 'machine-learning-model' for AI models" }, "reference_urls": { "cyclonedx_1.6": "https://cyclonedx.org/docs/1.6/json/#components_items_type", "cyclonedx_1.7": "https://cyclonedx.org/docs/1.7/json/#components_items_type", "spdx_3.1": "https://spdx.github.io/spdx-spec/v3.1-RC1/software/" } }, "component_version": { "tier": "critical", "weight": 4.0, "category": "component_basic", "description": "Version of the component", "jsonpath": "$.components[0].version", "aibom_generation": { "location": "$.components[0].version", "rule": "always_include", "source_fields": [ "version" ], "validation": "required", "data_type": "string" }, "scoring": { "points": 4.0, "required_for_profiles": [ "basic", "standard", "advanced" ], "category_contribution": 0.2 }, "validation_message": { "missing": "Missing critical field: component_version - component version needed", "recommendation": "Set an appropriate version for the component" }, "reference_urls": { "cyclonedx_1.6": "https://cyclonedx.org/docs/1.6/json/#components_items_version", "cyclonedx_1.7": "https://cyclonedx.org/docs/1.7/json/#components_items_version", "spdx_3.1": "https://spdx.github.io/spdx-spec/v3.1-RC1/software/" } }, "purl": { "tier": "important", "weight": 3.0, "category": "component_basic", "description": "Package URL identifier", "jsonpath": "$.components[0].purl", "aibom_generation": { "location": 
"$.components[0].purl", "rule": "include_if_available", "source_fields": [ "purl", "package_url" ], "validation": "recommended", "data_type": "string" }, "scoring": { "points": 3.0, "required_for_profiles": [ "standard", "advanced" ], "category_contribution": 0.15 }, "validation_message": { "missing": "Missing field: purl - package URL for identification", "recommendation": "Add a Package URL (PURL) for the model" }, "reference_urls": { "cyclonedx_1.6": "https://cyclonedx.org/docs/1.6/json/#components_items_purl", "cyclonedx_1.7": "https://cyclonedx.org/docs/1.7/json/#components_items_purl", "spdx_3.1": "https://spdx.github.io/spdx-spec/v3.1-RC1/software/Package/" } }, "description": { "tier": "important", "weight": 3.0, "category": "component_basic", "description": "Description of the AI model", "jsonpath": "$.components[0].description", "aibom_generation": { "location": "$.components[0].description", "rule": "include_if_available", "source_fields": [ "description", "summary" ], "validation": "recommended", "data_type": "string" }, "scoring": { "points": 3.0, "required_for_profiles": [ "standard", "advanced" ], "category_contribution": 0.15 }, "validation_message": { "missing": "Missing field: description - model description helpful for understanding", "recommendation": "Add a clear description of what the model does" }, "reference_urls": { "cyclonedx_1.6": "https://cyclonedx.org/docs/1.6/json/#components_items_description", "cyclonedx_1.7": "https://cyclonedx.org/docs/1.7/json/#components_items_description", "spdx_3.1": "https://spdx.github.io/spdx-spec/v3.1-RC1/software/" } }, "licenses": { "tier": "important", "weight": 3.0, "category": "component_basic", "description": "License information for the model", "jsonpath": "$.components[0].licenses", "aibom_generation": { "location": "$.components[0].licenses", "rule": "include_if_available", "source_fields": [ "licenses", "license" ], "validation": "recommended", "data_type": "array" }, "scoring": { "points": 3.0, 
"required_for_profiles": [ "standard", "advanced" ], "category_contribution": 0.15 }, "validation_message": { "missing": "Missing field: licenses - license information important for compliance", "recommendation": "Add license information for the model" }, "reference_urls": { "cyclonedx_1.6": "https://cyclonedx.org/docs/1.6/json/#components_items_licenses", "cyclonedx_1.7": "https://cyclonedx.org/docs/1.7/json/#components_items_licenses", "spdx_3.1": "https://spdx.github.io/spdx-spec/v3.1-RC1/simple_licensing/" } }, "ethicalConsiderations": { "tier": "important", "weight": 2.0, "category": "component_model_card", "description": "Ethical considerations and fairness assessments", "jsonpath": "$.component.modelCard.considerations.ethicalConsiderations[0].description", "aibom_generation": { "location": "$.component.modelCard.considerations.ethicalConsiderations", "rule": "include_if_available", "source_fields": [ "ethicalConsiderations", "ethics", "fairness" ], "validation": "optional", "data_type": "string" }, "scoring": { "points": 2.0, "required_for_profiles": [ "advanced" ], "category_contribution": 0.067 }, "validation_message": { "missing": "Missing field: ethicalConsiderations - ethical information is critical", "recommendation": "Add ethical considerations or fairness assessments" }, "reference_urls": { "cyclonedx_1.6": "https://cyclonedx.org/docs/1.6/json/#components_items_modelCard_considerations_ethicalConsiderations", "cyclonedx_1.7": "https://cyclonedx.org/docs/1.7/json/#components_items_modelCard_considerations_ethicalConsiderations", "spdx_3.1": "https://spdx.github.io/spdx-spec/v3.1-RC1/ai/" } }, "energyConsumption": { "tier": "important", "weight": 2.0, "category": "component_model_card", "description": "Energy consumption information", "jsonpath": "$.metadata.properties[?(@.name=='energyConsumption')].value", "aibom_generation": { "location": "$.metadata.properties", "rule": "include_if_available", "source_fields": [ "energyConsumption", "energy_usage" 
], "validation": "optional", "data_type": "string" }, "scoring": { "points": 2.0, "required_for_profiles": [ "advanced" ], "category_contribution": 0.067 }, "validation_message": { "missing": "Missing field: energyConsumption - energy usage information helpful for sustainability", "recommendation": "Add information about the model's energy consumption" }, "reference_urls": { "cyclonedx_1.6": "https://cyclonedx.org/docs/1.6/json/#components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions", "cyclonedx_1.7": "https://cyclonedx.org/docs/1.7/json/#components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions", "spdx_3.1": "https://spdx.github.io/spdx-spec/v3.1-RC1/ai/" } }, "hyperparameter": { "tier": "important", "weight": 2.0, "category": "component_model_card", "description": "Key hyperparameters of the model architecture", "jsonpath": "$.components[0].modelCard.properties[?(@.name=='genai:aibom:modelcard:hyperparameter')].value", "aibom_generation": { "location": "$.metadata.properties", "rule": "include_if_available", "source_fields": [ "hyperparameter", "hyperparameters", "training_params" ], "validation": "optional", "data_type": "string" }, "scoring": { "points": 2.0, "required_for_profiles": [ "advanced" ], "category_contribution": 0.067 }, "validation_message": { "missing": "Missing field: hyperparameter - training configuration helpful for reproducibility", "recommendation": "Add key hyperparameters used during model training" }, "reference_urls": { "spdx_3.1": "https://spdx.github.io/spdx-spec/v3.1-RC1/model/AI/Classes/AIPackage/#AI-hyperparameter", "genai_aibom_taxonomy": "https://github.com/GenAI-Security-Project/cyclonedx-property-taxonomy" } }, "technicalLimitations": { "tier": "important", "weight": 2.0, "category": "component_model_card", "description": "Known limitations of the model", "jsonpath": "$.component.modelCard.considerations.technicalLimitations[0]", "aibom_generation": { "location": 
"$.component.modelCard.considerations.technicalLimitations", "rule": "include_if_available", "source_fields": [ "technicalLimitations", "limitations", "known_issues" ], "validation": "optional", "data_type": "string" }, "scoring": { "points": 2.0, "required_for_profiles": [ "advanced" ], "category_contribution": 0.067 }, "validation_message": { "missing": "Missing field: technicalLimitations - limitations information helpful for safety", "recommendation": "Add known technical limitations of the model" }, "reference_urls": { "cyclonedx_1.6": "https://cyclonedx.org/docs/1.6/json/#components_items_modelCard_considerations_technicalLimitations", "cyclonedx_1.7": "https://cyclonedx.org/docs/1.7/json/#components_items_modelCard_considerations_technicalLimitations", "spdx_3.1": "https://spdx.github.io/spdx-spec/v3.1-RC1/ai/" } }, "safetyRiskAssessment": { "tier": "important", "weight": 2.0, "category": "component_model_card", "description": "Safety and risk assessment information", "jsonpath": "$.metadata.properties[?(@.name=='safetyRiskAssessment')].value", "aibom_generation": { "location": "$.metadata.properties", "rule": "include_if_available", "source_fields": [ "safetyRiskAssessment", "safety_assessment", "risk_analysis" ], "validation": "optional", "data_type": "string" }, "scoring": { "points": 2.0, "required_for_profiles": [ "advanced" ], "category_contribution": 0.067 }, "validation_message": { "missing": "Missing field: safetyRiskAssessment - safety assessment important for responsible deployment", "recommendation": "Add safety and risk assessment information" }, "reference_urls": { "spdx_3.1": "https://spdx.github.io/spdx-spec/v3.1-RC1/model/AI/Classes/AIPackage/#AI-safetyRiskAssessment", "genai_aibom_taxonomy": "https://github.com/GenAI-Security-Project/cyclonedx-property-taxonomy" } }, "intendedUse": { "tier": "important", "weight": 2.0, "category": "component_model_card", "description": "Intended use cases for the model", "jsonpath": 
"$.component.modelCard.considerations.useCases[0]", "aibom_generation": { "location": "$.component.modelCard.considerations.useCases", "rule": "include_if_available", "source_fields": [ "intendedUse", "use_cases", "applications" ], "validation": "optional", "data_type": "string" }, "scoring": { "points": 2.0, "required_for_profiles": [ "advanced" ], "category_contribution": 0.067 }, "validation_message": { "missing": "Missing field: intendedUse - intended use information helpful for context", "recommendation": "Add intended use cases for the model" }, "reference_urls": { "cyclonedx_1.6": "https://cyclonedx.org/docs/1.6/json/#components_items_modelCard_considerations_useCases", "cyclonedx_1.7": "https://cyclonedx.org/docs/1.7/json/#components_items_modelCard_considerations_useCases", "spdx_3.1": "https://spdx.github.io/spdx-spec/v3.1-RC1/ai/" } }, "typeOfModel": { "tier": "important", "weight": 2.0, "category": "component_model_card", "description": "Type or architecture of the model", "jsonpath": "$.components[0].modelCard.modelParameters.modelArchitecture", "aibom_generation": { "location": "$.components[0].modelCard.modelParameters.modelArchitecture", "rule": "include_if_available", "source_fields": [ "typeOfModel", "model_type", "architecture" ], "validation": "recommended", "data_type": "string" }, "scoring": { "points": 2.0, "required_for_profiles": [ "advanced" ], "category_contribution": 0.067 }, "validation_message": { "missing": "Missing field: typeOfModel - model architecture information helpful", "recommendation": "Add the type or architecture of the model (e.g., Transformer, CNN)" }, "reference_urls": { "cyclonedx_1.6": "https://cyclonedx.org/docs/1.6/json/#components_items_modelCard_modelParameters_approach", "cyclonedx_1.7": "https://cyclonedx.org/docs/1.7/json/#components_items_modelCard_modelParameters_approach", "spdx_3.1": "https://spdx.github.io/spdx-spec/v3.1-RC1/ai/" } }, "modelExplainability": { "tier": "supplementary", "weight": 1.0, 
"category": "component_model_card", "description": "Information about model explainability", "jsonpath": "$.components[0].modelCard.properties[?(@.name=='genai:aibom:modelcard:modelCardExplainability')].value", "aibom_generation": { "location": "$.metadata.properties", "rule": "include_if_available", "source_fields": [ "modelExplainability", "explainability", "interpretability" ], "validation": "optional", "data_type": "string" }, "scoring": { "points": 1.0, "required_for_profiles": [ "advanced" ], "category_contribution": 0.033 }, "validation_message": { "missing": "Missing supplementary field: modelExplainability - explainability information helpful for transparency", "recommendation": "Add information about model explainability or interpretability features" }, "reference_urls": { "spdx_3.1": "https://spdx.github.io/spdx-spec/v3.1-RC1/model/AI/Classes/AIPackage/#AI-modelExplainability", "genai_aibom_taxonomy": "https://github.com/GenAI-Security-Project/cyclonedx-property-taxonomy" } }, "energyQuantity": { "tier": "supplementary", "weight": 1.0, "category": "component_model_card", "description": "Quantitative energy consumption data", "jsonpath": "$.metadata.properties[?(@.name=='energyQuantity')].value", "aibom_generation": { "location": "$.metadata.properties", "rule": "include_if_available", "source_fields": [ "energyQuantity", "energy_amount" ], "validation": "optional", "data_type": "number" }, "scoring": { "points": 1.0, "required_for_profiles": [ "advanced" ], "category_contribution": 0.033 }, "validation_message": { "missing": "Missing supplementary field: energyQuantity - quantitative energy data helpful for sustainability metrics", "recommendation": "Add specific energy consumption quantities" }, "reference_urls": { "cyclonedx_1.6": "https://cyclonedx.org/docs/1.6/json/#components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_activityEnergyCost_value", "cyclonedx_1.7": 
"https://cyclonedx.org/docs/1.7/json/#components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_activityEnergyCost_value", "spdx_3.1": "https://spdx.github.io/spdx-spec/v3.1-RC1/ai/" } }, "energyUnit": { "tier": "supplementary", "weight": 1.0, "category": "component_model_card", "description": "Unit of measurement for energy consumption", "jsonpath": "$.metadata.properties[?(@.name=='energyUnit')].value", "aibom_generation": { "location": "$.metadata.properties", "rule": "include_if_available", "source_fields": [ "energyUnit", "energy_unit" ], "validation": "optional", "data_type": "string" }, "scoring": { "points": 1.0, "required_for_profiles": [ "advanced" ], "category_contribution": 0.033 }, "validation_message": { "missing": "Missing supplementary field: energyUnit - energy measurement unit helpful for standardization", "recommendation": "Add the unit of measurement for energy consumption (e.g., kWh, Joules)" }, "reference_urls": { "cyclonedx_1.6": "https://cyclonedx.org/docs/1.6/json/#components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_activityEnergyCost_unit", "cyclonedx_1.7": "https://cyclonedx.org/docs/1.7/json/#components_items_modelCard_considerations_environmentalConsiderations_energyConsumptions_items_activityEnergyCost_unit", "spdx_3.1": "https://spdx.github.io/spdx-spec/v3.1-RC1/ai/" } }, "informationAboutTraining": { "tier": "supplementary", "weight": 1.0, "category": "component_model_card", "description": "Information about the training process", "jsonpath": "$.metadata.properties[?(@.name=='informationAboutTraining')].value", "aibom_generation": { "location": "$.metadata.properties", "rule": "include_if_available", "source_fields": [ "informationAboutTraining", "training_info", "training_details" ], "validation": "optional", "data_type": "string" }, "scoring": { "points": 1.0, "required_for_profiles": [ "advanced" ], "category_contribution": 0.033 }, 
"validation_message": { "missing": "Missing supplementary field: informationAboutTraining - training details helpful for understanding model development", "recommendation": "Add information about the training process and methodology" }, "reference_urls": { "spdx_3.1": "https://spdx.github.io/spdx-spec/v3.1-RC1/model/AI/Classes/AIPackage/#AI-informationAboutTraining", "genai_aibom_taxonomy": "https://github.com/GenAI-Security-Project/cyclonedx-property-taxonomy" } }, "informationAboutApplication": { "tier": "supplementary", "weight": 1.0, "category": "component_model_card", "description": "Information about intended applications", "jsonpath": "$.metadata.properties[?(@.name=='informationAboutApplication')].value", "aibom_generation": { "location": "$.metadata.properties", "rule": "include_if_available", "source_fields": [ "informationAboutApplication", "application_info", "intended_use" ], "validation": "optional", "data_type": "string" }, "scoring": { "points": 1.0, "required_for_profiles": [ "advanced" ], "category_contribution": 0.033 }, "validation_message": { "missing": "Missing supplementary field: informationAboutApplication - application guidance helpful for proper usage", "recommendation": "Add information about intended applications and use cases" }, "reference_urls": { "cyclonedx_1.6": "https://cyclonedx.org/docs/1.6/json/#components_items_modelCard_considerations_useCases", "cyclonedx_1.7": "https://cyclonedx.org/docs/1.7/json/#components_items_modelCard_considerations_useCases", "spdx_3.1": "https://spdx.github.io/spdx-spec/v3.1-RC1/ai/" } }, "metric": { "tier": "supplementary", "weight": 1.0, "category": "component_model_card", "description": "Performance metrics and evaluation results", "jsonpath": "$.metadata.properties[?(@.name=='metric')].value", "aibom_generation": { "location": "$.metadata.properties", "rule": "include_if_available", "source_fields": [ "metric", "metrics", "performance" ], "validation": "optional", "data_type": "string" }, 
"scoring": { "points": 1.0, "required_for_profiles": [ "advanced" ], "category_contribution": 0.033 }, "validation_message": { "missing": "Missing supplementary field: metric - performance metrics helpful for evaluation", "recommendation": "Add performance metrics and evaluation results" }, "reference_urls": { "cyclonedx_1.6": "https://cyclonedx.org/docs/1.6/json/#components_items_modelCard_quantitativeAnalysis_performanceMetrics", "cyclonedx_1.7": "https://cyclonedx.org/docs/1.7/json/#components_items_modelCard_quantitativeAnalysis_performanceMetrics", "spdx_3.1": "https://spdx.github.io/spdx-spec/v3.1-RC1/ai/" } }, "metricDecisionThreshold": { "tier": "supplementary", "weight": 1.0, "category": "component_model_card", "description": "Decision thresholds for metrics", "jsonpath": "$.metadata.properties[?(@.name=='metricDecisionThreshold')].value", "aibom_generation": { "location": "$.metadata.properties", "rule": "include_if_available", "source_fields": [ "metricDecisionThreshold", "decision_threshold", "threshold" ], "validation": "optional", "data_type": "number" }, "scoring": { "points": 1.0, "required_for_profiles": [ "advanced" ], "category_contribution": 0.033 }, "validation_message": { "missing": "Missing supplementary field: metricDecisionThreshold - decision thresholds helpful for operational guidance", "recommendation": "Add decision thresholds for performance metrics" }, "reference_urls": { "spdx_3.1": "https://spdx.github.io/spdx-spec/v3.1-RC1/model/AI/Classes/AIPackage/#AI-metricDecisionThreshold", "genai_aibom_taxonomy": "https://github.com/GenAI-Security-Project/cyclonedx-property-taxonomy" } }, "modelDataPreprocessing": { "tier": "supplementary", "weight": 1.0, "category": "component_model_card", "description": "Data preprocessing information", "jsonpath": "$.metadata.properties[?(@.name=='modelDataPreprocessing')].value", "aibom_generation": { "location": "$.metadata.properties", "rule": "include_if_available", "source_fields": [ 
"modelDataPreprocessing", "data_preprocessing", "preprocessing" ], "validation": "optional", "data_type": "string" }, "scoring": { "points": 1.0, "required_for_profiles": [ "advanced" ], "category_contribution": 0.033 }, "validation_message": { "missing": "Missing supplementary field: modelDataPreprocessing - preprocessing details helpful for reproducibility", "recommendation": "Add information about data preprocessing steps" }, "reference_urls": { "spdx_3.1": "https://spdx.github.io/spdx-spec/v3.1-RC1/model/AI/Classes/AIPackage/#AI-modelDataPreprocessing", "genai_aibom_taxonomy": "https://github.com/GenAI-Security-Project/cyclonedx-property-taxonomy" } }, "useSensitivePersonalInformation": { "tier": "supplementary", "weight": 1.0, "category": "component_model_card", "description": "Information about use of sensitive personal data", "jsonpath": "$.metadata.properties[?(@.name=='useSensitivePersonalInformation')].value", "aibom_generation": { "location": "$.metadata.properties", "rule": "include_if_available", "source_fields": [ "useSensitivePersonalInformation", "sensitive_data", "personal_data" ], "validation": "optional", "data_type": "boolean" }, "scoring": { "points": 1.0, "required_for_profiles": [ "advanced" ], "category_contribution": 0.033 }, "validation_message": { "missing": "Missing supplementary field: useSensitivePersonalInformation - privacy information important for compliance", "recommendation": "Add information about use of sensitive or personal data" }, "reference_urls": { "spdx_3.1": "https://spdx.github.io/spdx-spec/v3.1-RC1/model/AI/Classes/AIPackage/#AI-useSensitivePersonalInformation", "genai_aibom_taxonomy": "https://github.com/GenAI-Security-Project/cyclonedx-property-taxonomy" } }, "downloadLocation": { "tier": "important", "weight": 3.0, "category": "external_references", "description": "URL to download the model", "jsonpath": "$.components[0].externalReferences[?(@.type=='distribution' || @.type=='website')].url", "aibom_generation": { 
"location": "$.component.externalReferences", "rule": "include_if_available", "source_fields": [ "downloadLocation", "download_url", "model_url" ], "validation": "recommended", "data_type": "string" }, "scoring": { "points": 3.0, "required_for_profiles": [ "standard", "advanced" ], "category_contribution": 0.15 }, "validation_message": { "missing": "Missing field: downloadLocation - model download URL required", "recommendation": "Add a URL where the model can be downloaded" }, "reference_urls": { "cyclonedx_1.6": "https://cyclonedx.org/docs/1.6/json/#components_items_externalReferences", "cyclonedx_1.7": "https://cyclonedx.org/docs/1.7/json/#components_items_externalReferences", "spdx_3.1": "https://spdx.github.io/spdx-spec/v3.1-RC1/ai/" } }, "vocab_size": { "tier": "supplementary", "weight": 1.0, "category": "component_model_card", "description": "Expected size of the model's vocabulary", "jsonpath": "$.components[0].modelCard.properties[?(@.name=='genai:aibom:modelcard:vocabSize')].value", "aibom_generation": { "location": "$.components[0].properties", "rule": "include_if_available", "source_fields": [ "vocab_size" ], "validation": "optional", "data_type": "integer" }, "scoring": { "points": 1.0, "required_for_profiles": [ "advanced" ], "category_contribution": 0.033 }, "validation_message": { "missing": "Missing supplementary field: vocab_size - GGUF model properties helpful for reproducibility", "recommendation": "Add Vocabulary Size" }, "reference_urls": { "genai_aibom_taxonomy": "https://github.com/GenAI-Security-Project/cyclonedx-property-taxonomy" } }, "tokenizer_class": { "tier": "supplementary", "weight": 1.0, "category": "component_model_card", "description": "The specific tokenizer class or method used", "jsonpath": "$.components[0].modelCard.properties[?(@.name=='genai:aibom:modelcard:tokenizerClass')].value", "aibom_generation": { "location": "$.components[0].properties", "rule": "include_if_available", "source_fields": [ "tokenizer_class" ], 
"validation": "optional", "data_type": "string" }, "scoring": { "points": 1.0, "required_for_profiles": [ "advanced" ], "category_contribution": 0.033 }, "validation_message": { "missing": "Missing supplementary field: tokenizer_class - GGUF model properties helpful for reproducibility", "recommendation": "Add Tokenizer Class" }, "reference_urls": { "genai_aibom_taxonomy": "https://github.com/GenAI-Security-Project/cyclonedx-property-taxonomy" } }, "context_length": { "tier": "supplementary", "weight": 1.0, "category": "component_model_card", "description": "Maximum context length or sequence length supported", "jsonpath": "$.components[0].modelCard.properties[?(@.name=='genai:aibom:modelcard:contextLength')].value", "aibom_generation": { "location": "$.components[0].properties", "rule": "include_if_available", "source_fields": [ "context_length" ], "validation": "optional", "data_type": "integer" }, "scoring": { "points": 1.0, "required_for_profiles": [ "advanced" ], "category_contribution": 0.033 }, "validation_message": { "missing": "Missing supplementary field: context_length - GGUF model properties helpful for reproducibility", "recommendation": "Add Context Length" }, "reference_urls": { "genai_aibom_taxonomy": "https://github.com/GenAI-Security-Project/cyclonedx-property-taxonomy" } }, "embedding_length": { "tier": "supplementary", "weight": 1.0, "category": "component_model_card", "description": "Vector length of the token embeddings", "jsonpath": "$.components[0].modelCard.properties[?(@.name=='genai:aibom:modelcard:embeddingLength')].value", "aibom_generation": { "location": "$.components[0].properties", "rule": "include_if_available", "source_fields": [ "embedding_length" ], "validation": "optional", "data_type": "integer" }, "scoring": { "points": 1.0, "required_for_profiles": [ "advanced" ], "category_contribution": 0.033 }, "validation_message": { "missing": "Missing supplementary field: embedding_length - GGUF model properties helpful for 
reproducibility", "recommendation": "Add Embedding Length" }, "reference_urls": { "genai_aibom_taxonomy": "https://github.com/GenAI-Security-Project/cyclonedx-property-taxonomy" } }, "block_count": { "tier": "supplementary", "weight": 1.0, "category": "component_model_card", "description": "Number of transformer blocks or layers", "jsonpath": "$.components[0].modelCard.properties[?(@.name=='genai:aibom:modelcard:blockCount')].value", "aibom_generation": { "location": "$.components[0].properties", "rule": "include_if_available", "source_fields": [ "block_count" ], "validation": "optional", "data_type": "integer" }, "scoring": { "points": 1.0, "required_for_profiles": [ "advanced" ], "category_contribution": 0.033 }, "validation_message": { "missing": "Missing supplementary field: block_count - GGUF model properties helpful for reproducibility", "recommendation": "Add Block Count" }, "reference_urls": { "genai_aibom_taxonomy": "https://github.com/GenAI-Security-Project/cyclonedx-property-taxonomy" } }, "attention_head_count": { "tier": "supplementary", "weight": 1.0, "category": "component_model_card", "description": "Number of attention heads in the model", "jsonpath": "$.components[0].modelCard.properties[?(@.name=='genai:aibom:modelcard:attentionHeadCount')].value", "aibom_generation": { "location": "$.components[0].properties", "rule": "include_if_available", "source_fields": [ "attention_head_count" ], "validation": "optional", "data_type": "integer" }, "scoring": { "points": 1.0, "required_for_profiles": [ "advanced" ], "category_contribution": 0.033 }, "validation_message": { "missing": "Missing supplementary field: attention_head_count - GGUF model properties helpful for reproducibility", "recommendation": "Add Attention Head Count" }, "reference_urls": { "genai_aibom_taxonomy": "https://github.com/GenAI-Security-Project/cyclonedx-property-taxonomy" } }, "attention_head_count_kv": { "tier": "supplementary", "weight": 1.0, "category": "component_model_card", 
"description": "Number of Key-Value attention heads", "jsonpath": "$.components[0].modelCard.properties[?(@.name=='genai:aibom:modelcard:attentionHeadCountKV')].value", "aibom_generation": { "location": "$.components[0].properties", "rule": "include_if_available", "source_fields": [ "attention_head_count_kv" ], "validation": "optional", "data_type": "integer" }, "scoring": { "points": 1.0, "required_for_profiles": [ "advanced" ], "category_contribution": 0.033 }, "validation_message": { "missing": "Missing supplementary field: attention_head_count_kv - GGUF model properties helpful for reproducibility", "recommendation": "Add Attention Head Count KV" }, "reference_urls": { "genai_aibom_taxonomy": "https://github.com/GenAI-Security-Project/cyclonedx-property-taxonomy" } }, "feed_forward_length": { "tier": "supplementary", "weight": 1.0, "category": "component_model_card", "description": "Dimensionality of the feed-forward network", "jsonpath": "$.components[0].modelCard.properties[?(@.name=='genai:aibom:modelcard:feedForwardLength')].value", "aibom_generation": { "location": "$.components[0].properties", "rule": "include_if_available", "source_fields": [ "feed_forward_length" ], "validation": "optional", "data_type": "integer" }, "scoring": { "points": 1.0, "required_for_profiles": [ "advanced" ], "category_contribution": 0.033 }, "validation_message": { "missing": "Missing supplementary field: feed_forward_length - GGUF model properties helpful for reproducibility", "recommendation": "Add Feed Forward Length" }, "reference_urls": { "genai_aibom_taxonomy": "https://github.com/GenAI-Security-Project/cyclonedx-property-taxonomy" } }, "rope_dimension_count": { "tier": "supplementary", "weight": 1.0, "category": "component_model_card", "description": "Number of dimensions for Rotary Position Embedding (RoPE)", "jsonpath": "$.components[0].modelCard.properties[?(@.name=='genai:aibom:modelcard:ropeDimensionCount')].value", "aibom_generation": { "location": 
"$.components[0].properties", "rule": "include_if_available", "source_fields": [ "rope_dimension_count" ], "validation": "optional", "data_type": "integer" }, "scoring": { "points": 1.0, "required_for_profiles": [ "advanced" ], "category_contribution": 0.033 }, "validation_message": { "missing": "Missing supplementary field: rope_dimension_count - GGUF model properties helpful for reproducibility", "recommendation": "Add RoPE Dimension Count" }, "reference_urls": { "genai_aibom_taxonomy": "https://github.com/GenAI-Security-Project/cyclonedx-property-taxonomy" } }, "quantization_version": { "tier": "supplementary", "weight": 1.0, "category": "component_model_card", "description": "Version or specification identifier of the quantization format", "jsonpath": "$.components[0].modelCard.properties[?(@.name=='genai:aibom:modelcard:quantizationVersion')].value", "aibom_generation": { "location": "$.components[0].properties", "rule": "include_if_available", "source_fields": [ "quantization_version" ], "validation": "optional", "data_type": "integer" }, "scoring": { "points": 1.0, "required_for_profiles": [ "advanced" ], "category_contribution": 0.033 }, "validation_message": { "missing": "Missing supplementary field: quantization_version - GGUF model properties helpful for reproducibility", "recommendation": "Add Quantization Version" }, "reference_urls": { "genai_aibom_taxonomy": "https://github.com/GenAI-Security-Project/cyclonedx-property-taxonomy" } }, "quantization_file_type": { "tier": "supplementary", "weight": 1.0, "category": "component_model_card", "description": "Enum or integer identifier for the quantization bit-precision (e.g. 
Q4_K_M)", "jsonpath": "$.components[0].modelCard.properties[?(@.name=='genai:aibom:modelcard:quantizationFileType')].value", "aibom_generation": { "location": "$.components[0].properties", "rule": "include_if_available", "source_fields": [ "quantization_file_type" ], "validation": "optional", "data_type": "integer" }, "scoring": { "points": 1.0, "required_for_profiles": [ "advanced" ], "category_contribution": 0.033 }, "validation_message": { "missing": "Missing supplementary field: quantization_file_type - GGUF model properties helpful for reproducibility", "recommendation": "Add Quantization File Type" }, "reference_urls": { "genai_aibom_taxonomy": "https://github.com/GenAI-Security-Project/cyclonedx-property-taxonomy" } } } }