Merge pull request #30 from DhruvGarg111/feat/add-json-schema-validation

Add JSON Schema validation for output files

Author: Zie619

README.md

@@ -49,6 +49,9 @@ That's it. Scans your project and prints a risk-scored inventory of every AI com
 # CycloneDX SBOM for compliance
 ai-bom scan . -f cyclonedx -o ai-bom.cdx.json
 
+# Validate JSON output against schema
+ai-bom scan . -f cyclonedx --validate
+
 # SARIF for GitHub Code Scanning
 ai-bom scan . -f sarif -o results.sarif
 
@@ -328,6 +331,15 @@ graph LR
 | CSV | `-f csv` | Spreadsheet analysis |
 | JUnit | `-f junit` | CI/CD test reporting |
 
+## JSON Schema Validation
+
+AI-BOM provides a built-in JSON Schema for validating scan results, ensuring they conform to the expected structure (CycloneDX 1.6 + Trusera extensions).
+
+- **Schema file:** `src/ai_bom/schema/bom-schema.json`
+- **Validation command:** `ai-bom scan . --format cyclonedx --validate`
+
+This is particularly useful in CI/CD pipelines to ensure generated SBOMs are valid before ingestion into tools like Dependency-Track.
+
 <details>
 <summary>CycloneDX output example</summary>
 

src/ai_bom/cli.py

@@ -25,6 +25,7 @@
 from ai_bom.scanners import get_all_scanners
 from ai_bom.scanners.ast_scanner import ASTScanner
 from ai_bom.utils.risk_scorer import score_component
+from ai_bom.utils.validator import validate_output
 
 # Exit codes
 EXIT_ERROR = 2  # Operational errors (bad path, network failure, parse error, etc.)
@@ -345,6 +346,11 @@ def scan(
         "--max-file-size",
         help="Max file size in MB (default: 10). Increase for large models.",
     ),
+    validate_schema: bool = typer.Option(
+        False,
+        "--validate",
+        help="Validate JSON output against schema",
+    ),
     json_output: bool = typer.Option(
         False,
         "--json",
@@ -560,6 +566,17 @@ def scan(
             reporter = get_reporter(format)
             output_str = reporter.render(result)
 
+            # Validate schema if requested
+            if validate_schema and format in ["json", "cyclonedx"]:
+                try:
+                    data = json.loads(output_str)
+                    validate_output(data)
+                    if format == "table" and not quiet:
+                        console.print("[green]JSON Schema validation passed.[/green]")
+                except Exception as e:
+                    console.print(f"[red]Schema validation failed: {e}[/red]")
+                    raise typer.Exit(1) from None
+
             # Write to file if output specified
             if output:
                 reporter.write(result, output)

src/ai_bom/schema/bom-schema.json

@@ -0,0 +1,99 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "AI-BOM CycloneDX Export",
+  "description": "JSON Schema for AI-BOM's CycloneDX 1.6 output format with Trusera extensions.",
+  "type": "object",
+  "required": ["bomFormat", "specVersion", "version", "serialNumber", "metadata", "components"],
+  "properties": {
+    "bomFormat": {
+      "type": "string",
+      "const": "CycloneDX"
+    },
+    "specVersion": {
+      "type": "string",
+      "const": "1.6"
+    },
+    "version": {
+      "type": "integer"
+    },
+    "serialNumber": {
+      "type": "string",
+      "pattern": "^urn:uuid:[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
+    },
+    "metadata": {
+      "type": "object",
+      "required": ["timestamp", "tools", "properties"],
+      "properties": {
+        "timestamp": {
+          "type": "string",
+          "format": "date-time"
+        },
+        "tools": {
+          "type": "object"
+        },
+        "properties": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/property"
+          }
+        }
+      }
+    },
+    "components": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "required": ["bom-ref", "type", "name", "description", "properties", "purl"],
+        "properties": {
+          "bom-ref": {
+            "type": "string"
+          },
+          "type": {
+            "type": "string",
+            "enum": [
+              "application",
+              "framework",
+              "library",
+              "container",
+              "machine-learning-model",
+              "service",
+              "file"
+            ]
+          },
+          "name": {
+            "type": "string"
+          },
+          "version": {
+            "type": "string"
+          },
+          "description": {
+            "type": "string"
+          },
+          "purl": {
+            "type": "string"
+          },
+          "properties": {
+            "type": "array",
+            "items": {
+              "$ref": "#/definitions/property"
+            }
+          }
+        }
+      }
+    }
+  },
+  "definitions": {
+    "property": {
+      "type": "object",
+      "required": ["name", "value"],
+      "properties": {
+        "name": {
+          "type": "string"
+        },
+        "value": {
+          "type": "string"
+        }
+      }
+    }
+  }
+}

src/ai_bom/utils/validator.py

@@ -0,0 +1,30 @@
+"""JSON Schema validation for AI-BOM output."""
+
+from __future__ import annotations
+
+import json
+from pathlib import Path
+from typing import Any
+
+import jsonschema
+from jsonschema import validate
+
+
+def get_schema() -> dict[str, Any]:
+    """Load the AI-BOM JSON schema."""
+    schema_path = Path(__file__).parent.parent / "schema" / "bom-schema.json"
+    with open(schema_path, encoding="utf-8") as f:
+        return json.load(f)
+
+
+def validate_output(data: dict[str, Any]) -> None:
+    """Validate scan output against the JSON schema.
+
+    Args:
+        data: The JSON-compatible dict to validate.
+
+    Raises:
+        jsonschema.ValidationError: If validation fails.
+    """
+    schema = get_schema()
+    validate(instance=data, schema=schema)

tests/test_cli.py

@@ -248,3 +248,13 @@ def test_scan_no_star_message_in_json_format():
     # JSON format should only contain JSON output, not the star message
     data = json.loads(result.output)
     assert "bomFormat" in data  # Valid CycloneDX JSON
+
+
+def test_scan_validate_schema():
+    """Test that --validate flag works for JSON output."""
+    demo_file = Path(__file__).parent.parent / "examples" / "demo-project" / "app.py"
+    result = runner.invoke(app, ["scan", str(demo_file), "--format", "json", "--validate"])
+    assert result.exit_code == 0
+    # Output should still be valid JSON
+    data = json.loads(result.output)
+    assert "bomFormat" in data

tests/test_output_schemas.py

@@ -236,15 +236,16 @@ def test_cyclonedx_component_properties(self, sample_scan_result):
                     assert isinstance(prop["name"], str)
                     assert isinstance(prop["value"], str)
 
-    @pytest.mark.skipif(not JSONSCHEMA_AVAILABLE, reason="jsonschema not installed")
     def test_cyclonedx_schema_validation(self, multi_component_result):
         """Test that output validates against CycloneDX schema."""
+        from ai_bom.utils.validator import get_schema
         reporter = CycloneDXReporter()
         output = reporter.render(multi_component_result)
         parsed = json.loads(output)
 
         # Validate against schema
-        validator = Draft7Validator(CYCLONEDX_SCHEMA)
+        schema = get_schema()
+        validator = Draft7Validator(schema)
         errors = list(validator.iter_errors(parsed))
         assert len(errors) == 0, f"Schema validation errors: {errors}"