@prefix skos:    <http://www.w3.org/2004/02/skos/core#> .
@prefix owl:     <http://www.w3.org/2002/07/owl#> .
@prefix rdfs:    <http://www.w3.org/2000/01/rdf-schema#> .
@prefix dcterms: <http://purl.org/dc/terms/> .
@prefix xsd:     <http://www.w3.org/2001/XMLSchema#> .

# External vocabulary alignments
@prefix dpv:     <https://w3id.org/dpv#> .           # W3C Data Privacy Vocabulary
@prefix cv:      <http://data.europa.eu/m8g/> .      # CCCEV / SEMIC Core Criterion and Evidence Vocabulary


# Bridge ontology base prefix (also hosts the bridge concept scheme)
@prefix sbom: <https://w3id.org/sbom/> .

# ============================================================================
# Ontology declaration
# ============================================================================

# Ontology header for <https://w3id.org/sbom/>: title, description, licence,
# creation/modification dates, version string and the source documents the
# vocabulary draws on (listed as rdfs:seeAlso).
sbom:
    a owl:Ontology ;
    dcterms:title "SBOM Bridging Ontology for Mapping"@en ;
    dcterms:description """A SKOS vocabulary of stable identifiers for the minimum elements
(baseline attributes) required in a Software Bill of Materials (SBOM)."""@en ;
    dcterms:license <https://creativecommons.org/licenses/by/4.0/> ;
    dcterms:created "2026-06-13"^^xsd:date ;
    dcterms:modified "2026-06-15"^^xsd:date ;
    # The version is given as a plain string only; no owl:versionIRI is declared
    # in this header, so a consumer cannot pin this exact release by IRI.
    owl:versionInfo "0.1.0" ;
    # NOTE(review): the v3.1-dev specification URL below and the
    # tree/sarif-output branch URL at the end of this list are moving targets;
    # what they resolve to can change after this file is published. Pin to a
    # tagged release or commit if the rule IDs used as skos:notation must stay
    # traceable to a fixed checker version.
    rdfs:seeAlso <https://spdx.github.io/spdx-spec/v3.1-dev/> ;
    rdfs:seeAlso <https://ntia.gov/sites/default/files/publications/sbom_minimum_elements_for_a_software_bill_of_materials.pdf> ;
    rdfs:seeAlso <https://www.cisa.gov/sites/default/files/2023-04/sbom-types-document-508c.pdf> ;
    rdfs:seeAlso <https://www.cisa.gov/resources-tools/resources/framing-software-component-transparency-2024> ;
    rdfs:seeAlso <https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/KI/SBOM-for-AI_minimum-elements.pdf?__blob=publicationFile&v=4> ;
    rdfs:seeAlso <https://bsi.bund.de/dok/TR-03183-en> ;
    rdfs:seeAlso <https://github.com/bact/ntia-conformance-checker/tree/sarif-output> .

# ----------------------------------------------------------------------------
# Custom datatype: SARIF Rule ID / OSCAL control-id
# Notation: SBOM-[SPEC]-[CAT]-[NNN]  (SARIF)
#            sbom-[spec]-[cat]-[nnn]  (OSCAL = lowercase of SARIF)
# See: bact/ntia-conformance-checker (sarif-output branch)
# ----------------------------------------------------------------------------

# Datatype IRI used to type the skos:notation literals that carry checker rule
# IDs on the bridge concepts (e.g. "SBOM-NTIA-DF-006"^^sbom:SarifRuleId).
# NOTE(review): the SBOM-[SPEC]-[CAT]-[NNN] form is stated only in prose. No
# lexical restriction (such as an xsd:pattern facet) is declared, so RDF tooling
# will accept any string typed with this datatype. Consumers that key SARIF
# results or OSCAL control-ids on these values should validate the form
# themselves. The lowercase OSCAL variant described in the comment block above
# is likewise not modelled as a separate datatype.
sbom:SarifRuleId
    a rdfs:Datatype ;
    rdfs:label "SARIF Rule ID"@en ;
    rdfs:comment "A SARIF 2.1.0 rule identifier in the form SBOM-[SPEC]-[CAT]-[NNN]."@en .


# ============================================================================
# TYPE CLASSES
# ============================================================================

# Three classes that distinguish the kinds of source document the vocabulary
# refers to: guidance on required content, binding regulation, and
# serialization formats.

# Guidance/standard that states which SBOM elements must or should be present.
sbom:InfoRequirementSpec
    a owl:Class ;
    rdfs:label "SBOM Information Requirement Specification"@en ;
    rdfs:comment "A standard or guidance document specifying which SBOM elements MUST/SHOULD be present (e.g. NTIA, CISA, G7 AI, BSI TR-03183-2, MOF)."@en .

# Legally binding instrument; the only class in this group anchored to an
# external vocabulary (subclass of dpv:Regulation).
# NOTE(review): confirm dpv:Regulation resolves in the DPV release this
# ontology is aligned to; no DPV version is pinned in the prefix declaration.
sbom:RegulatorySpec
    a owl:Class ;
    rdfs:subClassOf dpv:Regulation ;
    rdfs:label "Regulatory Specification"@en ;
    rdfs:comment "A legally binding instrument that mandates SBOM-related obligations (e.g. EU AI Act, EU CRA). Subclass of dpv:Regulation."@en .

# Serialization format specification (how SBOM content is encoded), as opposed
# to what content is required.
sbom:ExchangeFormatSpec
    a owl:Class ;
    rdfs:label "SBOM Exchange Format Specification"@en ;
    rdfs:comment "A technical specification defining a serialization format for SBOM content (e.g. SPDX, CycloneDX)."@en .

# Object property from a concept (a regulatory provision, per the rdfs:comment)
# to a concept scheme.
# NOTE(review): the declared range is skos:ConceptScheme, while the rdfs:comment
# describes the target as an InfoRequirementSpec. Presumably each specification
# is published as a concept scheme that is also typed sbom:InfoRequirementSpec;
# confirm against the per-standard files. As declared, RDFS range inference
# types targets only as concept schemes, and nothing here lets a validator
# reject a link to a scheme that is not a requirement specification.
sbom:satisfiedBy
    a owl:ObjectProperty ;
    rdfs:label "satisfied by"@en ;
    rdfs:domain skos:Concept ;
    rdfs:range skos:ConceptScheme ;
    rdfs:comment "Links a regulatory provision to the InfoRequirementSpec whose conformance satisfies it."@en .

# Object property from a concept to the set of values allowed for the mapped
# field; declared as a sub-property of cv:constraint.
# NOTE(review): the rdfs:comment names a SKOS Collection as the target, but no
# rdfs:range is declared here (sbom:satisfiedBy and sbom:provisionType both
# declare one). Until a range is stated, a checker that enforces allowed values
# has to verify for itself that the object is a skos:Collection.
sbom:valueConstraint
    a owl:ObjectProperty ;
    rdfs:subPropertyOf cv:constraint ;
    rdfs:label "value constraint"@en ;
    rdfs:domain skos:Concept ;
    rdfs:comment "Links a concept to a SKOS Collection of allowed values for the mapped field. Sub-property of cv:constraint (CCCEV)."@en .




# ============================================================================
# PROVISION TYPE VOCABULARY
# ============================================================================
# Six provision types aligned with ISO/IEC Directives Part 2 §7 (verbal forms
# for expressions of provisions) and RFC 2119/BCP 14 keywords.
# Usage: <source-concept> sbom:provisionType <provision-type> .
# Assertions live in per-standard files (docs/<prefix>/<prefix>.ttl).
# ============================================================================

# Object property that attaches a normative strength to a source concept.
# NOTE(review): the range is the generic skos:Concept; membership in
# sbom:provision-types is stated only in the rdfs:comment. A validator whose
# pass/fail decision depends on the provision type should check that the object
# is skos:inScheme sbom:provision-types rather than rely on the declared range.
sbom:provisionType
    a owl:ObjectProperty ;
    rdfs:label "provision type"@en ;
    rdfs:comment "The normative strength of a requirement element (SHALL, SHOULD, MAY, etc.) as one of the sbom:provision-types concepts."@en ;
    rdfs:domain skos:Concept ;
    rdfs:range skos:Concept .

# Concept scheme for the six provision types. Every concept listed under
# skos:hasTopConcept declares the inverse skos:topConceptOf and skos:inScheme
# in its own block below.
sbom:provision-types
    a skos:ConceptScheme ;
    skos:prefLabel "SBOM Provision Types"@en ;
    dcterms:description "Six provision types aligned with ISO/IEC Directives Part 2 §7 verbal forms and RFC 2119/BCP 14 keywords."@en ;
    rdfs:seeAlso <https://www.iso.org/sites/directives/current/part2/index.xhtml#_idParaDest-29> ;
    rdfs:seeAlso <https://www.rfc-editor.org/rfc/rfc2119> ;
    skos:hasTopConcept
        sbom:Requirement , sbom:ConditionalRequirement ,
        sbom:Recommendation , sbom:Permission ,
        sbom:PossibilityAndCapability , sbom:ExternalConstraint .

# Unconditional requirement: per the definition, absence of the element makes
# the SBOM non-conformant with the source standard.
sbom:Requirement
    a skos:Concept ;
    skos:topConceptOf sbom:provision-types ;
    skos:inScheme sbom:provision-types ;
    skos:prefLabel "Requirement"@en ;
    skos:altLabel "SHALL"@en ;
    # NOTE(review): "MUST"@en is also an altLabel of sbom:ExternalConstraint in
    # this scheme. A label-based lookup of "MUST" therefore returns two concepts
    # with different conformance meaning; tools should resolve provision types
    # by IRI, not by label.
    skos:altLabel "MUST"@en ;
    skos:altLabel "REQUIRED"@en ;
    skos:definition """The element SHALL be present in every conformant SBOM.
Absence makes the SBOM non-conformant with the source standard.
Corresponds to ISO/IEC Directives Part 2 'requirement' (verbal form: shall)
and RFC 2119 MUST / SHALL / REQUIRED."""@en ;
    rdfs:seeAlso <https://www.iso.org/sites/directives/current/part2/index.xhtml#_idParaDest-29> ;
    rdfs:seeAlso <https://www.rfc-editor.org/rfc/rfc2119#section-1> ;
    # Written as a full IRI; it is the same IRI that dpv:Obligation expands to
    # under the dpv: prefix declared at the top of this file.
    skos:relatedMatch <https://w3id.org/dpv#Obligation> ;
    rdfs:seeAlso <https://www.w3.org/TR/odrl-vocab/#term-Duty> .

# Requirement that applies only when a stated condition holds. Per the
# definition it extends the ISO 'requirement' type and has no RFC 2119 keyword
# of its own. A checker has to evaluate the condition before it can report
# absence of the element as a failure.
sbom:ConditionalRequirement
    a skos:Concept ;
    skos:topConceptOf sbom:provision-types ;
    skos:inScheme sbom:provision-types ;
    skos:prefLabel "Conditional Requirement"@en ;
    skos:altLabel "SHALL IF"@en ;
    skos:altLabel "MUST IF"@en ;
    skos:definition """The element SHALL be present when a stated condition holds
(e.g. the information exists and the SBOM format can represent the data field).
An extension of the ISO/IEC 'requirement' provision type scoped to a specific
condition. RFC 2119 has no dedicated keyword; expressed as MUST with an explicit
condition."""@en ;
    skos:scopeNote """BSI TR-03183-2 (2025) uses this tier explicitly:
'MUST additionally include ... if it exists and fulfils the requirements of an
SBOM format specification for the specific data field'."""@en ;
    rdfs:seeAlso <https://www.iso.org/sites/directives/current/part2/index.xhtml#_idParaDest-29> ;
    rdfs:seeAlso <https://www.rfc-editor.org/rfc/rfc2119#section-1> .

# Recommendation: omission is allowed for a valid reason, so absence alone is
# not a conformance failure under this type.
sbom:Recommendation
    a skos:Concept ;
    skos:topConceptOf sbom:provision-types ;
    skos:inScheme sbom:provision-types ;
    skos:prefLabel "Recommendation"@en ;
    skos:altLabel "SHOULD"@en ;
    skos:altLabel "RECOMMENDED"@en ;
    skos:definition """The element SHOULD be present. There may be valid reasons to omit it
in particular circumstances, but the full implications must be understood and weighed.
Corresponds to ISO/IEC Directives Part 2 'recommendation' (verbal form: should)
and RFC 2119 SHOULD / RECOMMENDED."""@en ;
    rdfs:seeAlso <https://www.iso.org/sites/directives/current/part2/index.xhtml#_idParaDest-29> ;
    rdfs:seeAlso <https://www.rfc-editor.org/rfc/rfc2119#section-3> ;
    skos:relatedMatch <https://w3id.org/dpv#Recommendation> .

# Permission: optional element; per the definition absence has no conformance
# implication.
sbom:Permission
    a skos:Concept ;
    skos:topConceptOf sbom:provision-types ;
    skos:inScheme sbom:provision-types ;
    skos:prefLabel "Permission"@en ;
    skos:altLabel "MAY"@en ;
    skos:altLabel "OPTIONAL"@en ;
    skos:definition """The element MAY be present. Absence has no conformance implication.
Corresponds to ISO/IEC Directives Part 2 'permission' (verbal form: may)
and RFC 2119 MAY / OPTIONAL."""@en ;
    rdfs:seeAlso <https://www.iso.org/sites/directives/current/part2/index.xhtml#_idParaDest-29> ;
    rdfs:seeAlso <https://www.rfc-editor.org/rfc/rfc2119#section-5> ;
    skos:relatedMatch <https://w3id.org/dpv#Permission> ;
    rdfs:seeAlso <https://www.w3.org/TR/odrl-vocab/#term-Permission> .

# Statement of what can be represented, not an obligation; the scopeNote says
# it is included for ISO completeness and applies to exchange format
# specifications.
sbom:PossibilityAndCapability
    a skos:Concept ;
    skos:topConceptOf sbom:provision-types ;
    skos:inScheme sbom:provision-types ;
    skos:prefLabel "Possibility and Capability"@en ;
    skos:altLabel "CAN"@en ;
    skos:definition """Expresses that an SBOM element or feature can be represented
(a statement of technical capability or possibility), not a normative obligation.
Corresponds to ISO/IEC Directives Part 2 'possibility and capability'
(verbal form: can). Has no RFC 2119 equivalent."""@en ;
    skos:scopeNote "Included for ISO completeness; relevant when annotating exchange format specifications."@en ;
    rdfs:seeAlso <https://www.iso.org/sites/directives/current/part2/index.xhtml#_idParaDest-29> .

# Obligation that originates outside the requirement specification itself
# (law, regulation or another normative document), per the definition.
sbom:ExternalConstraint
    a skos:Concept ;
    skos:topConceptOf sbom:provision-types ;
    skos:inScheme sbom:provision-types ;
    skos:prefLabel "External Constraint"@en ;
    # NOTE(review): "MUST"@en is also an altLabel of sbom:Requirement. The
    # definition below relies on ISO 'must' being distinct from 'shall', but
    # the shared label makes a keyword-to-concept lookup ambiguous, and a tool
    # that maps an RFC 2119 MUST here would record the wrong source of the
    # obligation. Resolve by IRI, or disambiguate using the source document's
    # convention (ISO vs RFC 2119).
    skos:altLabel "MUST"@en ;
    skos:definition """The element must be present due to an obligation imposed by an
external law, regulation, or normative document outside the scope of the SBOM
information requirement specification itself. Corresponds to ISO/IEC Directives
Part 2 'external constraint' (verbal form: must, distinct from shall).
Has no RFC 2119 equivalent (RFC 2119 treats MUST and SHALL as synonyms;
ISO does not)."""@en ;
    skos:scopeNote "Relevant when an element is mandated by legislation (e.g. EU CRA) rather than by the standard itself."@en ;
    rdfs:seeAlso <https://www.iso.org/sites/directives/current/part2/index.xhtml#_idParaDest-29> .


# ============================================================================
# BRIDGE CONCEPT SCHEME
# ============================================================================
# Neutral concepts abstracted from all supported minimum-element standards.
# Intended use: mapping_justification in SSSOM crosswalks.
# ============================================================================

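# Concept scheme holding the neutral bridge concepts. The six category concepts
# listed under skos:hasTopConcept each declare the inverse skos:topConceptOf
# and skos:inScheme in their own blocks.
sbom:bridge
    a skos:ConceptScheme ;
    skos:prefLabel "SBOM Minimum Elements - Bridge Concepts"@en ;
    # Language tag added: the other titles, labels and descriptions in this
    # file are tagged @en, and an untagged literal is skipped by queries that
    # filter on lang().
    dcterms:title "SBOM Bridging Ontology for Mapping -- Bridge Concept Scheme"@en ;
    dcterms:description "Neutral bridge concepts covering the union of minimum elements defined in: NTIA (2021), CISA FSCT3 (2024), CISA (2025), G7 SBOM for AI (2026), and BSI TR-03183-2 (2025)."@en ;
    # Same version string as the ontology header; keep the two in step.
    owl:versionInfo "0.1.0" ;
    skos:hasTopConcept
        sbom:bom-document ,
        sbom:bom-component ,
        sbom:bom-ai ,
        sbom:bom-dataset ,
        sbom:bom-infra ,
        sbom:bom-security .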

# -- Bridge category concepts (top concepts) ----------------------------------

# Six category concepts. Each is a top concept of sbom:bridge and is the
# skos:broader target of the leaf concepts in the matching section below.
# None of them carries a skos:notation; rule IDs are attached to leaf concepts.

# Category: attributes of the SBOM document itself.
sbom:bom-document
    a skos:Concept ;
    skos:inScheme sbom:bridge ;
    skos:topConceptOf sbom:bridge ;
    skos:prefLabel "SBOM Document"@en ;
    skos:definition "Concepts describing the SBOM document itself: authorship, format, lifecycle stage, tooling and document-level relationships."@en .

# Category: attributes common to any component type.
sbom:bom-component
    a skos:Concept ;
    skos:inScheme sbom:bridge ;
    skos:topConceptOf sbom:bridge ;
    skos:prefLabel "Component"@en ;
    skos:definition "Concepts applicable to any type of software/AI/data component: name, version, identity, supplier, integrity and licensing."@en .

# Category: attributes specific to AI systems and models.
sbom:bom-ai
    a skos:Concept ;
    skos:inScheme sbom:bridge ;
    skos:topConceptOf sbom:bridge ;
    skos:prefLabel "AI System and Model"@en ;
    skos:definition "Concepts specific to AI systems and models not captured by generic component attributes: application domain, data flows, model properties and training."@en .

# Category: attributes specific to datasets.
sbom:bom-dataset
    a skos:Concept ;
    skos:inScheme sbom:bridge ;
    skos:topConceptOf sbom:bridge ;
    skos:prefLabel "Dataset"@en ;
    skos:definition "Concepts specific to datasets: content type, provenance, statistical characteristics and sensitivity."@en .

# Category: software and hardware environment needed to run the system.
sbom:bom-infra
    a skos:Concept ;
    skos:inScheme sbom:bridge ;
    skos:topConceptOf sbom:bridge ;
    skos:prefLabel "Infrastructure"@en ;
    skos:definition "Concepts describing the software and hardware environment required to run the system."@en .

# Category: security posture. Note that the definition also places
# performance metrics under this category.
sbom:bom-security
    a skos:Concept ;
    skos:inScheme sbom:bridge ;
    skos:topConceptOf sbom:bridge ;
    skos:prefLabel "Security"@en ;
    skos:definition "Concepts describing security controls, compliance, disclosure policies, vulnerability references and performance metrics."@en .


# -- SBOM Document leaf concepts -----------------------------------------------

# Leaf concepts under sbom:bom-document. skos:notation values are checker rule
# IDs typed sbom:SarifRuleId. In this group doc-version, doc-spec-version and
# doc-tool carry no notation, so no rule ID is assigned to them in this file.

# Author of the SBOM. The value is asserted by whoever produced the document;
# it is only as trustworthy as the document's integrity protection
# (see sbom:doc-integrity).
sbom:doc-author
    a skos:Concept ;
    skos:inScheme sbom:bridge ;
    skos:broader sbom:bom-document ;
    skos:prefLabel "SBOM author"@en ;
    skos:altLabel "Author of SBOM Data"@en ;            # NTIA label
    skos:altLabel "Author Name"@en ;                    # FSCT3 label
    skos:definition "The agent (person, organisation or tool) that produced the SBOM document."@en ;
    skos:notation "SBOM-NTIA-DF-006"^^sbom:SarifRuleId ;
    skos:notation "SBOM-FSCT3-META-001"^^sbom:SarifRuleId .

# Creation time of the SBOM document; like the author, a self-asserted value.
sbom:doc-timestamp
    a skos:Concept ;
    skos:inScheme sbom:bridge ;
    skos:broader sbom:bom-document ;
    skos:prefLabel "SBOM timestamp"@en ;
    skos:altLabel "Timestamp"@en ;
    skos:definition "The date and time at which the SBOM document was created."@en ;
    skos:notation "SBOM-NTIA-DF-007"^^sbom:SarifRuleId ;
    skos:notation "SBOM-FSCT3-META-002"^^sbom:SarifRuleId .

# Lifecycle stage at which the SBOM was generated. The two altLabels are
# terminology variants of one concept, as the scopeNote explains. Only an
# FSCT3 rule ID is attached.
sbom:doc-lifecycle-stage
    a skos:Concept ;
    skos:inScheme sbom:bridge ;
    skos:broader sbom:bom-document ;
    skos:prefLabel "SBOM lifecycle stage"@en ;
    skos:altLabel "SBOM type"@en ;                      # FSCT3, SPDX 3 label
    skos:altLabel "SBOM generation context"@en ;        # G7 AI, CISA 2025 label
    skos:definition "The lifecycle stage or context in which the SBOM was generated (e.g. build, analysed, deployed, runtime)."@en ;
    skos:scopeNote "Terminology variant: 'SBOM type' is used in CISA FSCT3 (2024) and SPDX 3; 'SBOM generation context' is used in G7 SBOM for AI (2026) and CISA (2025). Both refer to the same concept."@en ;
    skos:notation "SBOM-FSCT3-META-003"^^sbom:SarifRuleId .

# Root subject of the SBOM. Only an FSCT3 rule ID is attached.
sbom:doc-primary-component
    a skos:Concept ;
    skos:inScheme sbom:bridge ;
    skos:broader sbom:bom-document ;
    skos:prefLabel "SBOM primary component"@en ;
    skos:altLabel "Primary Component"@en ;
    skos:definition "The top-level component or system that the SBOM describes (the SBOM's root subject)."@en ;
    skos:notation "SBOM-FSCT3-META-004"^^sbom:SarifRuleId .

# Dependency relationships recorded at document level. The typed,
# per-component relationship is modelled separately as
# sbom:component-relationship.
sbom:doc-dependency-relationship
    a skos:Concept ;
    skos:inScheme sbom:bridge ;
    skos:broader sbom:bom-document ;
    skos:prefLabel "SBOM dependency relationship"@en ;
    skos:altLabel "Dependency Relationship"@en ;
    skos:definition "Explicit dependency relationships between components recorded in the SBOM."@en ;
    skos:notation "SBOM-NTIA-DF-005"^^sbom:SarifRuleId ;
    skos:notation "SBOM-FSCT3-META-005"^^sbom:SarifRuleId .

# Version of this SBOM document instance (not of the format; see
# sbom:doc-spec-version). No rule ID attached.
sbom:doc-version
    a skos:Concept ;
    skos:inScheme sbom:bridge ;
    skos:broader sbom:bom-document ;
    skos:prefLabel "SBOM version"@en ;
    skos:definition "A version identifier for this specific instance of the SBOM document."@en ;
    skos:scopeNote "Required by G7 SBOM for AI (2026). Not explicitly required by NTIA or FSCT3, though SPDX supports it via Element.version."@en .

# Format name and format version share this one concept; the scopeNote gives
# the reason. No rule ID attached.
sbom:doc-spec-version
    a skos:Concept ;
    skos:inScheme sbom:bridge ;
    skos:broader sbom:bom-document ;
    skos:prefLabel "SBOM spec version"@en ;
    skos:altLabel "SBOM data format name"@en ;          # G7AI MD-03 label
    skos:altLabel "SBOM data format version"@en ;       # G7AI MD-04 label
    skos:definition "The name and/or version of the SBOM data format specification used (e.g. 'SPDX 3.1', 'CycloneDX 1.6')."@en ;
    skos:scopeNote "G7 AI separates format name (MD-03) and format version (MD-04); they share this bridge concept because SPDX encodes both in specVersion."@en .

# Tool name and tool version share this one concept. No rule ID attached.
sbom:doc-tool
    a skos:Concept ;
    skos:inScheme sbom:bridge ;
    skos:broader sbom:bom-document ;
    skos:prefLabel "SBOM tool"@en ;
    skos:altLabel "SBOM tool name"@en ;
    skos:altLabel "SBOM tool version"@en ;
    skos:definition "The name and/or version of the software tool used to generate the SBOM."@en ;
    skos:scopeNote "Required by G7 SBOM for AI (2026). Not explicitly required by NTIA or FSCT3."@en .

# Integrity protection for the SBOM document as a whole. No rule ID attached.
# NOTE(review): the definition groups signatures with hashes, but they give
# different assurances. A hash delivered alongside the document detects
# corruption, not substitution by a party able to replace both. A signature
# verified against a key obtained independently also authenticates the author.
# The G7AI label for this field is "SBOM author signature", so a mapping that
# accepts a bare hash as satisfying it should be reviewed. Because the
# scopeNote says signatures are typically attached externally, a consumer
# should also confirm that the detached signature covers the exact bytes of
# the SBOM being evaluated.
sbom:doc-integrity
    a skos:Concept ;
    skos:inScheme sbom:bridge ;
    skos:broader sbom:bom-document ;
    skos:prefLabel "SBOM integrity"@en ;
    skos:altLabel "SBOM author signature"@en ;          # G7AI MD-05 label
    skos:definition "A cryptographic signature, hash or other integrity mechanism allowing verification of the SBOM document."@en ;
    skos:scopeNote "Required (if it exists) by G7 SBOM for AI (2026). Not yet required by NTIA or FSCT3. No native digital-signature field in SPDX 3.1-dev; typically attached externally (JWS, PGP detached)."@en .

# Persistent URI for this SBOM document instance. No rule ID attached.
# The identifier names the document but does not bind it to particular content;
# content binding comes from sbom:doc-integrity.
sbom:doc-identifier
    a skos:Concept ;
    skos:inScheme sbom:bridge ;
    skos:broader sbom:bom-document ;
    skos:prefLabel "SBOM identifier"@en ;
    skos:altLabel "SBOM-URI"@en ;
    skos:definition "A persistent URI that uniquely identifies this SBOM document instance."@en ;
    skos:scopeNote "Required (if it exists) by BSI TR-03183-2 (2025). Maps to SPDX software_Sbom.spdxId and CycloneDX serialNumber."@en .


# -- Component leaf concepts ---------------------------------------------------

# Leaf concepts under sbom:bom-component. The four concepts in this group each
# carry one NTIA and one FSCT3 rule ID as skos:notation.

# Human-readable component name.
sbom:component-name
    a skos:Concept ;
    skos:inScheme sbom:bridge ;
    skos:broader sbom:bom-component ;
    skos:prefLabel "Component name"@en ;
    skos:definition "The human-readable name of a software, AI model or dataset component."@en ;
    skos:notation "SBOM-NTIA-DF-002"^^sbom:SarifRuleId ;
    skos:notation "SBOM-FSCT3-COMP-001"^^sbom:SarifRuleId .

# Version or release identifier of the component.
sbom:component-version
    a skos:Concept ;
    skos:inScheme sbom:bridge ;
    skos:broader sbom:bom-component ;
    skos:prefLabel "Component version"@en ;
    skos:definition "A version or release identifier for a specific snapshot of the component."@en ;
    skos:notation "SBOM-NTIA-DF-003"^^sbom:SarifRuleId ;
    skos:notation "SBOM-FSCT3-COMP-002"^^sbom:SarifRuleId .

# Supplier or distributor of the component.
sbom:component-supplier
    a skos:Concept ;
    skos:inScheme sbom:bridge ;
    skos:broader sbom:bom-component ;
    skos:prefLabel "Component supplier"@en ;
    skos:altLabel "Supplier Name"@en ;
    skos:definition "The organisation or person that supplied or distributed the component."@en ;
    skos:notation "SBOM-NTIA-DF-001"^^sbom:SarifRuleId ;
    skos:notation "SBOM-FSCT3-COMP-003"^^sbom:SarifRuleId .

# Unique identifier of the component. Identifiers such as a PURL name package
# coordinates, not artifact bytes; binding to a specific artifact is the role
# of sbom:component-hash.
sbom:component-identifier
    a skos:Concept ;
    skos:inScheme sbom:bridge ;
    skos:broader sbom:bom-component ;
    skos:prefLabel "Component identifier"@en ;
    skos:altLabel "Unique Identifier"@en ;
    skos:altLabel "PURL"@en ;
    skos:definition "A stable, unique identifier for the component -- typically a PURL (Package URL), SPDX ID, DOI or similar."@en ;
    skos:scopeNote "SPDX 3.x maps this to Software.Package.packageUrl (PURL) for external identifiers and Element.spdxId for the internal SPDX identifier."@en ;
    skos:notation "SBOM-NTIA-DF-004"^^sbom:SarifRuleId ;
    skos:notation "SBOM-FSCT3-COMP-004"^^sbom:SarifRuleId .

# Cryptographic hash of the component artifact. Only an FSCT3 rule ID is
# attached; no NTIA rule ID appears for this concept in this file.
# The definition requires algorithm + digest but does not restrict the
# algorithm, so presence of this field does not by itself establish a
# collision-resistant digest; a consumer's policy should state which algorithms
# it accepts. The digest is also only as trustworthy as the SBOM that carries
# it (see sbom:doc-integrity).
sbom:component-hash
    a skos:Concept ;
    skos:inScheme sbom:bridge ;
    skos:broader sbom:bom-component ;
    skos:prefLabel "Component hash"@en ;
    skos:altLabel "Cryptographic Hash"@en ;
    skos:definition "A cryptographic hash of the component artifact (algorithm + digest) for integrity verification."@en ;
    skos:notation "SBOM-FSCT3-COMP-005"^^sbom:SarifRuleId .

# Remaining leaf concepts under sbom:bom-component. The first four carry an
# FSCT3 rule ID only; from component-timestamp onward no skos:notation is
# attached and the source requirement is recorded in the scopeNote instead.

# Typed relationship between two components, with optional completeness.
sbom:component-relationship
    a skos:Concept ;
    skos:inScheme sbom:bridge ;
    skos:broader sbom:bom-component ;
    skos:prefLabel "Component relationship"@en ;
    skos:altLabel "Relationship"@en ;
    skos:definition "A typed relationship between two components (e.g. CONTAINS, DEPENDS_ON, TRAINED_ON, HAS_PREREQUISITE) with an optional completeness indication."@en ;
    skos:notation "SBOM-FSCT3-COMP-006"^^sbom:SarifRuleId .

# Declared and concluded licence share this one concept.
sbom:component-license
    a skos:Concept ;
    skos:inScheme sbom:bridge ;
    skos:broader sbom:bom-component ;
    skos:prefLabel "Component license"@en ;
    skos:altLabel "Concluded License"@en ;
    skos:altLabel "Declared License"@en ;
    skos:definition "The declared or concluded license under which the component is distributed (expressed as an SPDX license expression or similar)."@en ;
    skos:notation "SBOM-FSCT3-COMP-007"^^sbom:SarifRuleId .

# Copyright notice or holder.
sbom:component-copyright
    a skos:Concept ;
    skos:inScheme sbom:bridge ;
    skos:broader sbom:bom-component ;
    skos:prefLabel "Component copyright"@en ;
    skos:altLabel "Copyright Notice"@en ;
    skos:definition "The copyright notice or holder information for the component."@en ;
    skos:notation "SBOM-FSCT3-COMP-008"^^sbom:SarifRuleId .

# Build time and release time share this one concept.
sbom:component-timestamp
    a skos:Concept ;
    skos:inScheme sbom:bridge ;
    skos:broader sbom:bom-component ;
    skos:prefLabel "Component timestamp"@en ;
    skos:altLabel "Build time"@en ;
    skos:altLabel "Release time"@en ;
    skos:definition "The date and time the component was built or officially released."@en ;
    skos:scopeNote "Required by G7 SBOM for AI (2026) at both system and model level. Not explicitly required by NTIA or FSCT3."@en .

# Free-text description of the component.
sbom:component-description
    a skos:Concept ;
    skos:inScheme sbom:bridge ;
    skos:broader sbom:bom-component ;
    skos:prefLabel "Component description"@en ;
    skos:definition "A free-text description of the component's purpose, architecture or key characteristics."@en ;
    skos:scopeNote "Required by G7 SBOM for AI (2026) for models and datasets. Not explicitly required by NTIA or FSCT3."@en .

# Links to supplementary resources. These are supplier-provided URLs; tooling
# that consumes an SBOM should treat them as untrusted input and not
# dereference them automatically.
sbom:component-external-reference
    a skos:Concept ;
    skos:inScheme sbom:bridge ;
    skos:broader sbom:bom-component ;
    skos:prefLabel "Component external reference"@en ;
    skos:definition "Links to supplementary resources for the component such as model cards, research papers, repositories, or registries."@en ;
    skos:scopeNote "Required by G7 SBOM for AI (2026) for AI models. Maps to SPDX Element.externalRef and Element.externalIdentifier."@en .

# Filename of the component as delivered, without path.
sbom:component-filename
    a skos:Concept ;
    skos:inScheme sbom:bridge ;
    skos:broader sbom:bom-component ;
    skos:prefLabel "Component filename"@en ;
    skos:definition "The actual filename of the component (without path) as it appears in the delivered artifact."@en ;
    skos:scopeNote "Required by BSI TR-03183-2 (2025). In SPDX 3.x represented via a software_File element linked by hasDistributionArtifact; in CycloneDX via BSI property taxonomy key bsi:component:filename."@en .

# The next three concepts are yes/no properties required by BSI TR-03183-2;
# their scopeNotes map all three to the same SPDX field
# (software_additionalPurpose) and to separate CycloneDX property keys.

# Whether the component is executable.
sbom:component-executable-property
    a skos:Concept ;
    skos:inScheme sbom:bridge ;
    skos:broader sbom:bom-component ;
    skos:prefLabel "Component executable property"@en ;
    skos:definition "Whether the component is an executable file (compiled binary, interpreted script, or shared library)."@en ;
    skos:scopeNote "Required by BSI TR-03183-2 (2025). In SPDX 3.x mapped via software_File.software_additionalPurpose; in CycloneDX via BSI property taxonomy key bsi:component:executable. See https://github.com/BSI-Bund/tr-03183-cyclonedx-property-taxonomy."@en .

# Whether the component is an archive of sub-components.
sbom:component-archive-property
    a skos:Concept ;
    skos:inScheme sbom:bridge ;
    skos:broader sbom:bom-component ;
    skos:prefLabel "Component archive property"@en ;
    skos:definition "Whether the component is an archive that combines multiple sub-components (e.g. a zip, rpm, container image)."@en ;
    skos:scopeNote "Required by BSI TR-03183-2 (2025). In SPDX 3.x: software_additionalPurpose; in CycloneDX: bsi:component:archive property."@en .

# Whether the archive's internal component metadata is still recoverable.
sbom:component-structured-property
    a skos:Concept ;
    skos:inScheme sbom:bridge ;
    skos:broader sbom:bom-component ;
    skos:prefLabel "Component structured property"@en ;
    skos:definition "Whether the component is a structured archive whose internal component metadata is still recoverable (e.g. zip, tar, container image) vs an unstructured archive such as a firmware image."@en ;
    skos:scopeNote "Required by BSI TR-03183-2 (2025). In SPDX 3.x: software_additionalPurpose (container = structured, firmware = unstructured); in CycloneDX: bsi:component:structured property."@en .


# -- AI/ML leaf concepts -------------------------------------------------------

# Leaf concepts under sbom:bom-ai. None of them carries a skos:notation, so no
# checker rule ID is assigned to AI-specific elements in this file.

# Intended application area of the AI system.
sbom:ai-application-domain
    a skos:Concept ;
    skos:inScheme sbom:bridge ;
    skos:broader sbom:bom-ai ;
    skos:prefLabel "AI application domain"@en ;
    skos:altLabel "Intended application area"@en ;      # G7AI SLP-09 label
    skos:definition "The domain(s) or application area(s) for which the AI system is intended (e.g. healthcare, finance, autonomous driving)."@en .

# How data moves into, through and out of the system; the scopeNote records
# that SPDX 3.1-dev has no first-class field for it.
sbom:ai-data-flow
    a skos:Concept ;
    skos:inScheme sbom:bridge ;
    skos:broader sbom:bom-ai ;
    skos:prefLabel "AI data flow"@en ;
    skos:definition "A description of how data flows into, through and out of the AI system."@en ;
    skos:scopeNote "No first-class field in SPDX 3.1-dev; closest is informationAboutApplication. Gap identified for future SPDX AI profile extension."@en .

# How the system uses data, including personal or sensitive data.
sbom:ai-data-usage
    a skos:Concept ;
    skos:inScheme sbom:bridge ;
    skos:broader sbom:bom-ai ;
    skos:prefLabel "AI data usage"@en ;
    skos:definition "A description of how data (including personal or sensitive data) is used by the AI system."@en .

# Input and output types, modalities and constraints.
sbom:ai-io-properties
    a skos:Concept ;
    skos:inScheme sbom:bridge ;
    skos:broader sbom:bom-ai ;
    skos:prefLabel "AI input/output properties"@en ;
    skos:definition "The types, modalities and constraints on data accepted as input and produced as output by the AI system or model."@en ;
    skos:scopeNote "No structured I/O schema field in SPDX 3.1-dev; partially covered by typeOfModel (modality) and informationAboutApplication."@en .

# Technical properties of the model; one concept covers several distinct
# properties listed in the definition.
sbom:ai-model-properties
    a skos:Concept ;
    skos:inScheme sbom:bridge ;
    skos:broader sbom:bom-ai ;
    skos:prefLabel "AI model properties"@en ;
    skos:definition "AI-specific technical properties of a model: type, explainability, autonomy level, safety risk assessment and energy profile."@en .

# Characteristics of the training process.
sbom:ai-training-properties
    a skos:Concept ;
    skos:inScheme sbom:bridge ;
    skos:broader sbom:bom-ai ;
    skos:prefLabel "AI training properties"@en ;
    skos:definition "Characteristics of the model's training process: hyperparameters, data pre-processing steps, fine-tuning configuration and energy consumption."@en .


# -- Dataset leaf concepts -----------------------------------------------------

# Leaf concepts under sbom:bom-dataset. None of them carries a skos:notation.

# Data type or modality; the definition also includes dataset size, which
# overlaps with sbom:dataset-statistical-properties.
sbom:dataset-type
    a skos:Concept ;
    skos:inScheme sbom:bridge ;
    skos:broader sbom:bom-dataset ;
    skos:prefLabel "Dataset type"@en ;
    skos:altLabel "Dataset content"@en ;
    skos:definition "The type(s) or modality of data in the dataset (e.g. image, text, audio, tabular) and its size."@en .

# Collection, update and pre-processing history of the dataset.
sbom:dataset-provenance
    a skos:Concept ;
    skos:inScheme sbom:bridge ;
    skos:broader sbom:bom-dataset ;
    skos:prefLabel "Dataset provenance"@en ;
    skos:definition "Information about how, when and where the dataset was collected, updated and pre-processed."@en .

# Statistical characteristics, including size, noise, bias and distributions.
sbom:dataset-statistical-properties
    a skos:Concept ;
    skos:inScheme sbom:bridge ;
    skos:broader sbom:bom-dataset ;
    skos:prefLabel "Dataset statistical properties"@en ;
    skos:definition "Statistical characteristics of the dataset including size, noise levels, known biases and class distributions."@en .

# Sensitivity classification. An SBOM that populates this field states where
# personal or confidential data is held, so the SBOM's own distribution scope
# should reflect that.
sbom:dataset-sensitivity
    a skos:Concept ;
    skos:inScheme sbom:bridge ;
    skos:broader sbom:bom-dataset ;
    skos:prefLabel "Dataset sensitivity"@en ;
    skos:definition "The sensitivity classification of the dataset, including whether it contains personal or sensitive data and its confidentiality level."@en .


# -- Infrastructure leaf concepts ----------------------------------------------

# Leaf concepts under sbom:bom-infra. Neither carries a skos:notation.

# Software environment needed to run the AI system.
sbom:infra-software
    a skos:Concept ;
    skos:inScheme sbom:bridge ;
    skos:broader sbom:bom-infra ;
    skos:prefLabel "Infrastructure software"@en ;
    skos:definition "The software environment required to run the AI system: container images, OS, ML frameworks and runtime libraries."@en .

# Hardware needed to operate the AI system.
# NOTE(review): the scopeNote reads as self-contradictory. It says the Hardware
# profile is new in 3.1-dev compared with 3.0.1, then that "this gap did not
# exist in SPDX 3.0.1". If the profile is new, the gap presumably existed in
# 3.0.1 and was closed in 3.1-dev; confirm the intended wording with the author.
sbom:infra-hardware
    a skos:Concept ;
    skos:inScheme sbom:bridge ;
    skos:broader sbom:bom-infra ;
    skos:prefLabel "Infrastructure hardware"@en ;
    skos:definition "The hardware required to operate the AI system, including specialised accelerators (GPUs, TPUs, NPUs)."@en ;
    skos:scopeNote "Maps to SPDX 3.1-dev Hardware profile (new vs 3.0.1). This gap did not exist in SPDX 3.0.1."@en .


# -- Security leaf concepts ----------------------------------------------------

# Leaf concepts under sbom:bom-security. None of them carries a skos:notation,
# so no checker rule ID is assigned to security elements in this file. These
# fields are supplier statements about security posture; recording them in an
# SBOM does not by itself show that the controls or assessments are in place.

# Implemented security controls; per the scopeNote these are carried as
# external references to control-framework documents, not as structured data.
sbom:security-controls
    a skos:Concept ;
    skos:inScheme sbom:bridge ;
    skos:broader sbom:bom-security ;
    skos:prefLabel "Security controls"@en ;
    skos:definition "The security controls implemented on the AI system (e.g. access controls, encryption, audit logging)."@en ;
    skos:scopeNote "No first-class field in SPDX 3.1-dev; represented via ExternalRef pointing to control-framework documents."@en .

# Standards or frameworks the system was assessed against or conforms to. The
# definition covers both "assessed against" and "conforms to"; a mapping should
# keep track of which of the two a source field asserts.
sbom:security-compliance
    a skos:Concept ;
    skos:inScheme sbom:bridge ;
    skos:broader sbom:bom-security ;
    skos:prefLabel "Security compliance"@en ;
    skos:definition "The security standards, regulations or frameworks the AI system has been assessed against or conforms to (e.g. EU AI Act, ISO/IEC 42001, NIST AI RMF)."@en .

# Pointers to the supplier's vulnerability-disclosure arrangements.
sbom:security-policy
    a skos:Concept ;
    skos:inScheme sbom:bridge ;
    skos:broader sbom:bom-security ;
    skos:prefLabel "Security policy"@en ;
    skos:altLabel "Cybersecurity policy information"@en ;
    skos:definition "References to the supplier's vulnerability-disclosure policy, security.txt or coordinated-disclosure process."@en .

# References to known vulnerabilities and their VEX status. One concept covers
# both the vulnerability identifier and its assessment status.
sbom:vulnerability-reference
    a skos:Concept ;
    skos:inScheme sbom:bridge ;
    skos:broader sbom:bom-security ;
    skos:prefLabel "Vulnerability reference"@en ;
    skos:altLabel "Vulnerability referencing"@en ;
    skos:definition "References to known vulnerabilities (CVEs) and their assessment status (VEX) for the AI system and its components."@en .

# Security and operational metrics with their thresholds. It is placed under
# sbom:bom-security although its altLabels and examples also include
# operational measures such as accuracy, latency and energy consumption.
sbom:performance-metric
    a skos:Concept ;
    skos:inScheme sbom:bridge ;
    skos:broader sbom:bom-security ;
    skos:prefLabel "Performance metric"@en ;
    skos:altLabel "Security metrics"@en ;
    skos:altLabel "Operational performance KPIs"@en ;
    skos:definition "Quantitative security and operational performance metrics and their decision thresholds (e.g. adversarial robustness, accuracy, latency, energy consumption)."@en .
