Motivation
Interoperation with external taxonomies (CWE, ATT&CK, CVE), Semantic Web tooling and cross-repository queries is easier when RDX documents optionally express a JSON-LD context. CycloneDX already has a property taxonomy and many consumers adopt name/value properties; a lightweight RDX JSON-LD profile allows unambiguous URIs for core terms, makes mapping to schema.org and ATT&CK explicit, and improves discoverability for graph-based tools without breaking existing validators.
Proposed change
- JSON-LD context
-
Add an optional top-level field in JSON encoding: @context (object or URL) that points to spec/json/rdx.context.json by default. The context will map common RDX properties to stable IRIs, e.g., "cveId": "https://cve.mitre.org/data-definitions#CVE", "attackPath": "https://asrg.org/rdx#attackPath", or reuse established vocabularies like schema:SoftwareApplication for item definitions where applicable.
-
Provide spec/json/rdx.context.json with mappings for: itemDefinition.id/title, assets, threatScenarios.targetedAssetIds, attackPaths, attackSteps, controls, calAssessments, tafAssessments, cvss/cve fields and other high-value keys.
- Backwards compatibility and validation
- The presence of
@context MUST be optional. Existing tooling that does not process JSON-LD will ignore @context by spec. The JSON Schema MUST accept an @context field (string | object) without failing validation.
- Examples & tooling
-
Add an example examples/rdx-jsonld-example.json showing use of @context and a small query example (e.g., JQ or SPARQL snippet) in methodology docs that demonstrates extracting all CVE IDs.
-
Update tools/validate.sh to accept @context in examples (no semantic validation required).
- Use-cases
- Enable simple semantic queries across RDX documents (e.g., find all RDX docs that reference ATT&CK technique T1210).
- New requirement: RDX-118 (new requirement): "Support optional JSON-LD @context to enable semantic linking to external vocabularies and taxonomies (CWE, ATT&CK, CVE, schema.org)." Add to REQUIREMENTS.md.
References
Acceptance criteria
- Add
spec/json/rdx.context.json defining a minimal recommended context mapping for high-value RDX keys.
- Update spec/json/rdx.schema.json to allow an optional
@context (string|object) top-level property without failing validation.
- Example:
examples/rdx-jsonld-example.json containing @context and demonstrating mapping to ATT&CK/CVE IRIs.
- Documentation: methodology/Methodology.md updated with examples showing how to use the context and a short SPARQL/JQ query demonstrating interoperability.
- CI: validate script accepts the new example; tests ensure
@context presence is allowed and that the canonical context file exists in spec/json/.
Generated by tools/ai_idea_scout.py via the AI Idea Scout workflow.
Review the proposal, refine the title/body/labels, and close if not desired.
Motivation
Interoperation with external taxonomies (CWE, ATT&CK, CVE), Semantic Web tooling and cross-repository queries is easier when RDX documents optionally express a JSON-LD context. CycloneDX already has a property taxonomy and many consumers adopt name/value properties; a lightweight RDX JSON-LD profile allows unambiguous URIs for core terms, makes mapping to schema.org and ATT&CK explicit, and improves discoverability for graph-based tools without breaking existing validators.
Proposed change
Add an optional top-level field in JSON encoding:
@context(object or URL) that points tospec/json/rdx.context.jsonby default. The context will map common RDX properties to stable IRIs, e.g.,"cveId": "https://cve.mitre.org/data-definitions#CVE","attackPath": "https://asrg.org/rdx#attackPath", or reuse established vocabularies likeschema:SoftwareApplicationfor item definitions where applicable.Provide
spec/json/rdx.context.jsonwith mappings for: itemDefinition.id/title, assets, threatScenarios.targetedAssetIds, attackPaths, attackSteps, controls, calAssessments, tafAssessments, cvss/cve fields and other high-value keys.@contextMUST be optional. Existing tooling that does not process JSON-LD will ignore@contextby spec. The JSON Schema MUST accept an@contextfield (string | object) without failing validation.Add an example
examples/rdx-jsonld-example.jsonshowing use of@contextand a small query example (e.g., JQ or SPARQL snippet) in methodology docs that demonstrates extracting all CVE IDs.Update
tools/validate.shto accept@contextin examples (no semantic validation required).References
Acceptance criteria
spec/json/rdx.context.jsondefining a minimal recommended context mapping for high-value RDX keys.@context(string|object) top-level property without failing validation.examples/rdx-jsonld-example.jsoncontaining@contextand demonstrating mapping to ATT&CK/CVE IRIs.@contextpresence is allowed and that the canonical context file exists inspec/json/.Generated by
tools/ai_idea_scout.pyvia the AI Idea Scout workflow.Review the proposal, refine the title/body/labels, and close if not desired.