1//! Compliance rule registry: the single source of truth for SARIF rule
2//! IDs, harmonised-standard cross-references, and remediation text, keyed
3//! by the stable internal `Violation::rule_id`.
4
5use super::{StandardKind, ViolationSeverity};
6
/// Static metadata attached to a compliance rule. The `rule_id` on every
/// [`Violation`] indexes into [`rule_meta`]; the registry — not the
/// human-readable message — is the single source of truth for the
/// externally-visible SARIF rule ID, the harmonised-standard cross-references,
/// and the remediation text. Rewording a message can no longer silently
/// re-bucket a GitHub code-scanning rule or drop a prEN/BSI reference.
///
/// The mapping from internal rule key to `sarif_id` is many-to-one: several
/// check-site keys (e.g. the `-CONTACT` and `-METADATA` variants of one
/// article) can legitimately share one SARIF rule, so a `sarif_id` alone does
/// not identify the emitting check site.
///
/// Every field is `'static` data, which is what makes the `Copy` derive cheap:
/// a `RuleMeta` is a handful of pointers, not an owned allocation.
// NOTE(review): `derive(Copy)` also requires `ViolationSeverity: Copy`; that
// impl lives in the parent module and is not visible here.
#[derive(Debug, Clone, Copy)]
pub struct RuleMeta {
    /// Externally-visible SARIF rule ID (e.g., `SBOM-CRA-ART-13-4`). GitHub
    /// code scanning dedups on this value, so it must stay stable. Renaming
    /// it is a breaking change for every consumer that tracks alert history.
    pub sarif_id: &'static str,
    /// Documentation-default severity for the rule. Push sites may still
    /// escalate/relax the concrete [`Violation::severity`] by product class or
    /// CRA phase; this default is surfaced in the SARIF rule catalogue and is
    /// therefore descriptive, not the severity a given finding carries.
    pub default_severity: ViolationSeverity,
    /// Harmonised-standard / regulation cross-references, in display order.
    /// Each entry pairs the standard with its clause label (e.g. an article
    /// or requirement ID); an empty slice means the rule has no specific
    /// clause to cite.
    pub refs: &'static [(StandardKind, &'static str)],
    /// Remediation guidance shown in reports and the TUI. Fixed at compile
    /// time, so nothing from the scanned SBOM is ever interpolated into it.
    pub remediation: &'static str,
}
27
/// Generic fallback remediation, shared by rules with no bespoke guidance.
///
/// This is the only remediation string exported from the module
/// (`pub(crate)`); the others below are private because they are reached
/// solely through [`rule_meta`].
pub(crate) const REMEDIATION_GENERIC: &str = "Review the requirement and update the SBOM accordingly. Consult the EU CRA regulation (EU 2024/2847) for detailed guidance.";

/// SSDF practices share one remediation paragraph.
const REMEDIATION_SSDF: &str = "Follow NIST SP 800-218 SSDF practices: include tool provenance, source VCS references, build metadata, and cryptographic hashes for all components.";

/// EO 14028 §4 requirements share one remediation paragraph.
const REMEDIATION_EO14028: &str = "Follow EO 14028 Section 4(e) requirements: use a machine-readable format (CycloneDX 1.4+, SPDX 2.3+, or SPDX 3.0+), auto-generate the SBOM, include unique identifiers, versions, hashes, dependencies, and supplier information.";

/// EU AI Act not-applicable remediation.
///
/// Emitted when the document has no AI/ML components, so the Annex IV checks
/// are skipped rather than failed; the text tells the author what to add to
/// make the assessment run.
const REMEDIATION_AIACT_NA: &str = "EU AI Act Annex IV readiness applies only to SBOMs that describe AI/ML systems. Add machine-learning-model or dataset components (CycloneDX 1.5+ AI/ML BOM) to enable the assessment.";

/// BSI/G7 SBOM-for-AI not-applicable remediation.
///
/// Counterpart of [`REMEDIATION_AIACT_NA`] for the BSI/G7 profile; it also
/// names the SPDX 3.0 AI/Dataset profiles as an accepted input shape.
const REMEDIATION_BSIAI_NA: &str = "BSI/G7 SBOM-for-AI minimum-elements readiness applies only to SBOMs that describe AI/ML systems. Add machine-learning-model or dataset components (CycloneDX 1.5+ AI/ML BOM, or an SPDX 3.0 AI/Dataset profile) to enable the assessment.";

/// BSI/G7 SBOM-for-AI Models-cluster remediation.
///
/// Shared by every `SBOM-BSIAI-MODEL-*` rule; the paragraph lists all Models
/// minimum elements at once rather than only the one that was missing.
const REMEDIATION_BSIAI_MODELS: &str = "Declare the BSI/G7 SBOM-for-AI Models minimum elements for each MachineLearningModel component: name, version, a unique identifier (PURL/CPE/SWHID/SWID), a model-weight hash using a NIST-approved algorithm (SHA-256+), a model card, the architecture, training datasets, limitations, and a license.";

/// BSI/G7 SBOM-for-AI Datasets-cluster remediation.
///
/// Shared by every `SBOM-BSIAI-DATASET-*` rule, in the same all-elements
/// style as the Models paragraph.
const REMEDIATION_BSIAI_DATASETS: &str = "Declare the BSI/G7 SBOM-for-AI Datasets minimum elements for each Data component: name, a unique identifier, a hash value, a license, a sensitivity classification, and provenance / intended-use (SPDX 3.0 dataset_intendedUse / dataPreprocessing / anonymizationMethodUsed, or governance owners).";

/// BSI/G7 SBOM-for-AI document/metadata/system/infra/security remediation.
///
/// Catch-all for the `META`, `SYS`, `INFRA` and `SEC` clusters, which do not
/// have a per-cluster paragraph of their own.
const REMEDIATION_BSIAI_GENERAL: &str = "Declare the BSI/G7 SBOM-for-AI minimum elements: document author, data-format name + version, timestamp, generation tool, and signature; the primary AI system, its producer, and its data-flow/usage; runtime/framework infrastructure links; and AI-specific security controls / exploitability references where they can be expressed.";
51
52/// Look up the static [`RuleMeta`] for a stable internal rule key.
53///
54/// The key is the [`Violation::rule_id`] set at each check site. Returns
55/// `None` for unregistered keys — the exhaustive test
56/// `every_emitted_violation_has_a_registered_rule_id` guarantees no live check
57/// site emits an unregistered key.
58#[must_use]
59pub fn rule_meta(rule_id: &str) -> Option<RuleMeta> {
60    use StandardKind as K;
61    const CRA: K = K::CraArticle;
62    const ANNEX: K = K::CraAnnex;
63    const PREN: K = K::Pren40000_1_3;
64    let meta = match rule_id {
65        // ---- CRA Articles ------------------------------------------------
66        "SBOM-CRA-ART-13-2" => RuleMeta {
67            sarif_id: "SBOM-CRA-GENERAL",
68            default_severity: ViolationSeverity::Warning,
69            refs: &[(CRA, "Art. 13(2)")],
70            remediation: REMEDIATION_GENERIC,
71        },
72        "SBOM-CRA-ART-13-3" => RuleMeta {
73            sarif_id: "SBOM-CRA-ART-13-3",
74            default_severity: ViolationSeverity::Warning,
75            refs: &[(CRA, "Art. 13(3)")],
76            remediation: "Regenerate the SBOM when components are added, removed, or updated. CRA Art. 13(3) requires timely updates reflecting the current state of the software.",
77        },
78        "SBOM-CRA-ART-13-4" => RuleMeta {
79            sarif_id: "SBOM-CRA-ART-13-4",
80            default_severity: ViolationSeverity::Warning,
81            refs: &[(CRA, "Art. 13(4)"), (PREN, "PRE-7-RQ-04")],
82            remediation: "Ensure the SBOM is produced in CycloneDX 1.4+ (JSON or XML), SPDX 2.3+ (JSON or tag-value), or SPDX 3.0+ (JSON-LD). Older format versions may not be recognized as machine-readable under the CRA.",
83        },
84        "SBOM-CRA-ART-13-5" => RuleMeta {
85            sarif_id: "SBOM-CRA-ART-13-5",
86            default_severity: ViolationSeverity::Warning,
87            refs: &[(CRA, "Art. 13(5)")],
88            remediation: "Ensure every component has license information. CycloneDX: use component.licenses[]. SPDX 2.x: use PackageLicenseDeclared / PackageLicenseConcluded. SPDX 3.0: use HAS_DECLARED_LICENSE / HAS_CONCLUDED_LICENSE relationships.",
89        },
90        "SBOM-CRA-ART-13-6-CONTACT" => RuleMeta {
91            sarif_id: "SBOM-CRA-ART-13-6",
92            default_severity: ViolationSeverity::Warning,
93            refs: &[(CRA, "Art. 13(6)")],
94            remediation: "Add a security contact or vulnerability disclosure URL. CycloneDX: add a component externalReference with type 'security-contact' or set metadata.manufacturer.contact. SPDX: add an SECURITY external reference.",
95        },
96        "SBOM-CRA-ART-13-6-METADATA" => RuleMeta {
97            sarif_id: "SBOM-CRA-ART-13-6",
98            default_severity: ViolationSeverity::Warning,
99            refs: &[(CRA, "Art. 13(6)")],
100            remediation: "Add severity (e.g., CVSS score) and remediation details to each vulnerability entry. CycloneDX: use vulnerability.ratings[].score and vulnerability.analysis. SPDX: use annotation or externalRef.",
101        },
102        "SBOM-CRA-ART-13-7" => RuleMeta {
103            sarif_id: "SBOM-CRA-ART-13-7",
104            default_severity: ViolationSeverity::Warning,
105            refs: &[(CRA, "Art. 13(7)"), (PREN, "RLS-2-RQ-03-RE")],
106            remediation: "Reference a coordinated vulnerability disclosure policy. CycloneDX: add an externalReference of type 'advisories' linking to your disclosure policy. SPDX: add an external document reference.",
107        },
108        "SBOM-CRA-ART-13-8" => RuleMeta {
109            sarif_id: "SBOM-CRA-ART-13-8",
110            default_severity: ViolationSeverity::Info,
111            refs: &[(CRA, "Art. 13(8)")],
112            remediation: "Specify when security updates will no longer be provided. CycloneDX 1.5+: use component.releaseNotes or metadata properties. SPDX: use an annotation with end-of-support date.",
113        },
114        "SBOM-CRA-ART-13-9" => RuleMeta {
115            sarif_id: "SBOM-CRA-ART-13-9",
116            default_severity: ViolationSeverity::Info,
117            refs: &[(CRA, "Art. 13(9)")],
118            remediation: "Include vulnerability data or add a vulnerability-assertion external reference stating no known vulnerabilities. CycloneDX: use the vulnerabilities array. SPDX: use annotations or external references.",
119        },
120        "SBOM-CRA-ART-13-11" => RuleMeta {
121            sarif_id: "SBOM-CRA-ART-13-11",
122            default_severity: ViolationSeverity::Info,
123            refs: &[(CRA, "Art. 13(11)")],
124            remediation: "Include lifecycle or end-of-support metadata for components. CycloneDX: use component properties (e.g., cdx:lifecycle:status). SPDX: use annotations.",
125        },
126        "SBOM-CRA-ART-13-12-PRODUCT" => RuleMeta {
127            sarif_id: "SBOM-CRA-ART-13-12",
128            default_severity: ViolationSeverity::Warning,
129            refs: &[(CRA, "Art. 13(12)")],
130            remediation: "The SBOM must identify the product by name. CycloneDX: set metadata.component.name. SPDX: set documentDescribes with the primary package name.",
131        },
132        "SBOM-CRA-ART-13-12-VERSION" => RuleMeta {
133            sarif_id: "SBOM-CRA-ART-13-12",
134            default_severity: ViolationSeverity::Error,
135            refs: &[(CRA, "Art. 13(12)"), (PREN, "PRE-7-RQ-06")],
136            remediation: "Every component must have a version string. Use the actual release version (e.g., '1.2.3'), not a range or placeholder.",
137        },
138        "SBOM-CRA-ART-13-15" => RuleMeta {
139            sarif_id: "SBOM-CRA-ART-13-15",
140            default_severity: ViolationSeverity::Warning,
141            refs: &[(CRA, "Art. 13(15)")],
142            remediation: "Identify the manufacturer/supplier. CycloneDX: set metadata.manufacturer or component.supplier. SPDX: set PackageSupplier.",
143        },
144        "SBOM-CRA-ART-13-15-EMAIL" => RuleMeta {
145            sarif_id: "SBOM-CRA-ART-13-15",
146            default_severity: ViolationSeverity::Warning,
147            refs: &[(CRA, "Art. 13(15)")],
148            remediation: "Provide a valid contact email for the manufacturer. The email must contain an @ sign with valid local and domain parts.",
149        },
150        "SBOM-CRA-ART-14" => RuleMeta {
151            sarif_id: "SBOM-CRA-GENERAL",
152            default_severity: ViolationSeverity::Info,
153            refs: &[(CRA, "Art. 14")],
154            remediation: REMEDIATION_GENERIC,
155        },
156        "SBOM-CRA-ART-24" => RuleMeta {
157            sarif_id: "SBOM-CRA-GENERAL",
158            default_severity: ViolationSeverity::Warning,
159            refs: &[],
160            remediation: REMEDIATION_GENERIC,
161        },
162        // ---- CRA Annexes -------------------------------------------------
163        "SBOM-CRA-ANNEX-I-IDENTIFIER" => RuleMeta {
164            sarif_id: "SBOM-CRA-ANNEX-I",
165            default_severity: ViolationSeverity::Warning,
166            refs: &[(ANNEX, "Annex I"), (PREN, "PRE-7-RQ-07")],
167            remediation: "Add a PURL, CPE, or SWID tag to each component for unique identification. PURLs are preferred (e.g., pkg:npm/lodash@4.17.21).",
168        },
169        "SBOM-CRA-ANNEX-I-TRACEABILITY" => RuleMeta {
170            sarif_id: "SBOM-CRA-ANNEX-I",
171            default_severity: ViolationSeverity::Warning,
172            refs: &[(ANNEX, "Annex I Part II"), (PREN, "PRE-7-RQ-07")],
173            remediation: "Add a PURL, CPE, or SWID tag to each component for unique identification. PURLs are preferred (e.g., pkg:npm/lodash@4.17.21).",
174        },
175        "SBOM-CRA-ANNEX-I-SUPPLY-CHAIN" => RuleMeta {
176            sarif_id: "SBOM-CRA-ANNEX-I",
177            default_severity: ViolationSeverity::Warning,
178            refs: &[
179                (ANNEX, "Annex I Part II"),
180                (ANNEX, "Annex I Part III"),
181                (PREN, "PRE-7-RQ-01"),
182                (PREN, "PRE-7-RQ-03"),
183            ],
184            remediation: "Add dependency relationships between components. CycloneDX: use the dependencies array. SPDX: use DEPENDS_ON relationships.",
185        },
186        "SBOM-CRA-ANNEX-I-INTEGRITY" => RuleMeta {
187            sarif_id: "SBOM-CRA-ANNEX-I",
188            default_severity: ViolationSeverity::Info,
189            refs: &[(ANNEX, "Annex I")],
190            remediation: "Add cryptographic hashes (SHA-256 or stronger) to components for integrity verification.",
191        },
192        "SBOM-CRA-ANNEX-I-DEPENDENCY" => RuleMeta {
193            sarif_id: "SBOM-CRA-ANNEX-I",
194            default_severity: ViolationSeverity::Error,
195            refs: &[(ANNEX, "Annex I")],
196            remediation: "Add dependency relationships between components. CycloneDX: use the dependencies array. SPDX: use DEPENDS_ON relationships.",
197        },
198        "SBOM-CRA-ANNEX-I-PRIMARY" => RuleMeta {
199            sarif_id: "SBOM-CRA-ANNEX-I",
200            default_severity: ViolationSeverity::Warning,
201            refs: &[(ANNEX, "Annex I")],
202            remediation: "Identify the top-level product component. CycloneDX: set metadata.component. SPDX: use documentDescribes to point to the primary package.",
203        },
204        "SBOM-CRA-ANNEX-I-CONTROLS" => RuleMeta {
205            sarif_id: "SBOM-CRA-ANNEX-I",
206            default_severity: ViolationSeverity::Warning,
207            refs: &[(ANNEX, "Annex I")],
208            remediation: REMEDIATION_GENERIC,
209        },
210        "SBOM-CRA-ANNEX-III" => RuleMeta {
211            sarif_id: "SBOM-CRA-ANNEX-III",
212            default_severity: ViolationSeverity::Info,
213            refs: &[(ANNEX, "Annex III")],
214            remediation: "Add document-level integrity metadata: a serial number (CycloneDX: serialNumber, SPDX: documentNamespace), or a digital signature/attestation with a cryptographic hash.",
215        },
216        "SBOM-CRA-ANNEX-IV" => RuleMeta {
217            sarif_id: "SBOM-CRA-GENERAL",
218            default_severity: ViolationSeverity::Info,
219            refs: &[(ANNEX, "Annex IV")],
220            remediation: REMEDIATION_GENERIC,
221        },
222        "SBOM-CRA-ANNEX-VII" => RuleMeta {
223            sarif_id: "SBOM-CRA-ANNEX-VII",
224            default_severity: ViolationSeverity::Info,
225            refs: &[(ANNEX, "Annex VII")],
226            remediation: "Reference the EU Declaration of Conformity. CycloneDX: add an externalReference of type 'attestation' or 'certification'. SPDX: add an external document reference.",
227        },
228        "SBOM-CRA-ANNEX-VIII" => RuleMeta {
229            // Historically matched the "annex vii" substring of "annex viii".
230            sarif_id: "SBOM-CRA-ANNEX-VII",
231            default_severity: ViolationSeverity::Info,
232            refs: &[(ANNEX, "Annex VIII")],
233            remediation: REMEDIATION_GENERIC,
234        },
235        "SBOM-CRA-PRE-8-RQ-02" => RuleMeta {
236            sarif_id: "SBOM-CRA-PRE-8-RQ-02",
237            default_severity: ViolationSeverity::Error,
238            refs: &[(PREN, "PRE-8-RQ-02")],
239            remediation: REMEDIATION_GENERIC,
240        },
241        "SBOM-CRA-PRE-7-RQ-07-RE" => RuleMeta {
242            sarif_id: "SBOM-CRA-PRE-7-RQ-07-RE",
243            default_severity: ViolationSeverity::Warning,
244            refs: &[
245                (ANNEX, "Annex I Part II"),
246                (PREN, "PRE-7-RQ-07"),
247                (PREN, "PRE-7-RQ-07-RE"),
248            ],
249            remediation: "Add cryptographic hashes (SHA-256 or stronger) to components for integrity verification.",
250        },
251        // ---- Generic CRA / document-level (no specific article) ----------
252        "SBOM-CRA-GENERAL" => RuleMeta {
253            sarif_id: "SBOM-CRA-GENERAL",
254            default_severity: ViolationSeverity::Warning,
255            refs: &[],
256            remediation: REMEDIATION_GENERIC,
257        },
258        // ---- EUCC Substantial (reference-only profile) -------------------
259        "SBOM-EUCC" => RuleMeta {
260            sarif_id: "SBOM-CRA-GENERAL",
261            default_severity: ViolationSeverity::Warning,
262            refs: &[],
263            remediation: REMEDIATION_GENERIC,
264        },
265        // ---- EU AI Act Annex IV technical-documentation readiness --------
266        "SBOM-AIACT-NA" => RuleMeta {
267            sarif_id: "SBOM-AIACT-NA",
268            default_severity: ViolationSeverity::Info,
269            refs: &[(K::EuAiAct, "Annex IV")],
270            remediation: REMEDIATION_AIACT_NA,
271        },
272        "SBOM-AIACT-ANNEX-IV-1-DESCRIPTION" => RuleMeta {
273            sarif_id: "SBOM-AIACT-ANNEX-IV-1",
274            default_severity: ViolationSeverity::Warning,
275            refs: &[(K::EuAiAct, "Annex IV §1")],
276            remediation: "Add a general description of the AI model: architecture family/name and a model-card reference. CycloneDX: set modelCard.modelParameters.architectureFamily / modelArchitecture and an external reference of type 'model-card'.",
277        },
278        "SBOM-AIACT-ANNEX-IV-1-PURPOSE" => RuleMeta {
279            sarif_id: "SBOM-AIACT-ANNEX-IV-1",
280            default_severity: ViolationSeverity::Warning,
281            refs: &[(K::EuAiAct, "Annex IV §1")],
282            remediation: "Document the intended purpose / use-cases of the AI model. CycloneDX: set modelCard.considerations.useCases.",
283        },
284        "SBOM-AIACT-ANNEX-IV-2D-DATASETS" => RuleMeta {
285            sarif_id: "SBOM-AIACT-ANNEX-IV-2D",
286            default_severity: ViolationSeverity::Warning,
287            refs: &[(K::EuAiAct, "Annex IV §2(d)")],
288            remediation: "Reference the training datasets used. CycloneDX: set modelCard.modelParameters.datasets with a {ref} to a data component.",
289        },
290        "SBOM-AIACT-ANNEX-IV-2D-SENSITIVITY" => RuleMeta {
291            sarif_id: "SBOM-AIACT-ANNEX-IV-2D",
292            default_severity: ViolationSeverity::Warning,
293            refs: &[(K::EuAiAct, "Annex IV §2(d)")],
294            remediation: "Declare a sensitivity classification for each dataset (e.g. 'none', 'pii', 'personal'). CycloneDX: set the data component's sensitiveData array.",
295        },
296        "SBOM-AIACT-ANNEX-IV-2D-PERSONAL-DATA" => RuleMeta {
297            sarif_id: "SBOM-AIACT-ANNEX-IV-2D",
298            default_severity: ViolationSeverity::Info,
299            refs: &[(K::EuAiAct, "Annex IV §2(d)")],
300            remediation: "Where training data involves personal data, document the GDPR lawful basis and data-protection measures alongside the SBOM (AI Act and GDPR apply in parallel).",
301        },
302        "SBOM-AIACT-ANNEX-IV-2G-METRICS" => RuleMeta {
303            sarif_id: "SBOM-AIACT-ANNEX-IV-2G",
304            default_severity: ViolationSeverity::Warning,
305            refs: &[(K::EuAiAct, "Annex IV §2(g)")],
306            remediation: "Record validation/testing metrics (accuracy, robustness). CycloneDX: set modelCard.quantitativeAnalysis.performanceMetrics.",
307        },
308        "SBOM-AIACT-ANNEX-IV-2G-ENERGY" => RuleMeta {
309            sarif_id: "SBOM-AIACT-ANNEX-IV-2G",
310            default_severity: ViolationSeverity::Info,
311            refs: &[(K::EuAiAct, "Annex IV §2(g)")],
312            remediation: "Disclose computational resources / training energy. CycloneDX: set modelCard.considerations.environmentalConsiderations.energyConsumptions.",
313        },
314        "SBOM-AIACT-ANNEX-IV-3-LIMITATIONS" => RuleMeta {
315            sarif_id: "SBOM-AIACT-ANNEX-IV-3",
316            default_severity: ViolationSeverity::Info,
317            refs: &[(K::EuAiAct, "Annex IV §3")],
318            remediation: "State the foreseeable limitations and risks of the model, including ethical and fairness considerations. CycloneDX: set modelCard.considerations.technicalLimitations / ethicalConsiderations / fairnessAssessments.",
319        },
320        // ---- BSI/G7 SBOM-for-AI Minimum Elements readiness ---------------
321        "SBOM-BSIAI-NA" => RuleMeta {
322            sarif_id: "SBOM-BSIAI-NA",
323            default_severity: ViolationSeverity::Info,
324            refs: &[(K::BsiSbomForAi, "Applicability")],
325            remediation: REMEDIATION_BSIAI_NA,
326        },
327        // Metadata cluster
328        "SBOM-BSIAI-META-AUTHOR" => RuleMeta {
329            sarif_id: "SBOM-BSIAI-META",
330            default_severity: ViolationSeverity::Error,
331            refs: &[(K::BsiSbomForAi, "Metadata / Author")],
332            remediation: REMEDIATION_BSIAI_GENERAL,
333        },
334        "SBOM-BSIAI-META-FORMAT" => RuleMeta {
335            sarif_id: "SBOM-BSIAI-META",
336            default_severity: ViolationSeverity::Error,
337            refs: &[(K::BsiSbomForAi, "Metadata / Data format name + version")],
338            remediation: REMEDIATION_BSIAI_GENERAL,
339        },
340        "SBOM-BSIAI-META-TIMESTAMP" => RuleMeta {
341            sarif_id: "SBOM-BSIAI-META",
342            default_severity: ViolationSeverity::Error,
343            refs: &[(K::BsiSbomForAi, "Metadata / Timestamp")],
344            remediation: REMEDIATION_BSIAI_GENERAL,
345        },
346        "SBOM-BSIAI-META-TOOL" => RuleMeta {
347            sarif_id: "SBOM-BSIAI-META",
348            default_severity: ViolationSeverity::Warning,
349            refs: &[(K::BsiSbomForAi, "Metadata / Generation tool")],
350            remediation: REMEDIATION_BSIAI_GENERAL,
351        },
352        "SBOM-BSIAI-META-SIGNATURE" => RuleMeta {
353            sarif_id: "SBOM-BSIAI-META",
354            default_severity: ViolationSeverity::Info,
355            refs: &[(K::BsiSbomForAi, "Metadata / Signature")],
356            remediation: REMEDIATION_BSIAI_GENERAL,
357        },
358        // System-Level cluster
359        "SBOM-BSIAI-SYS-PRIMARY" => RuleMeta {
360            sarif_id: "SBOM-BSIAI-SYS",
361            default_severity: ViolationSeverity::Warning,
362            refs: &[(K::BsiSbomForAi, "System-Level / Primary AI system")],
363            remediation: REMEDIATION_BSIAI_GENERAL,
364        },
365        "SBOM-BSIAI-SYS-PRODUCER" => RuleMeta {
366            sarif_id: "SBOM-BSIAI-SYS",
367            default_severity: ViolationSeverity::Warning,
368            refs: &[(K::BsiSbomForAi, "System-Level / Producer")],
369            remediation: REMEDIATION_BSIAI_GENERAL,
370        },
371        "SBOM-BSIAI-SYS-DATAFLOW" => RuleMeta {
372            sarif_id: "SBOM-BSIAI-SYS",
373            default_severity: ViolationSeverity::Info,
374            refs: &[(K::BsiSbomForAi, "System-Level / Data flow & usage")],
375            remediation: REMEDIATION_BSIAI_GENERAL,
376        },
377        // Models cluster
378        "SBOM-BSIAI-MODEL-NAME" => RuleMeta {
379            sarif_id: "SBOM-BSIAI-MODEL",
380            default_severity: ViolationSeverity::Error,
381            refs: &[(K::BsiSbomForAi, "Models / Model name")],
382            remediation: REMEDIATION_BSIAI_MODELS,
383        },
384        "SBOM-BSIAI-MODEL-VERSION" => RuleMeta {
385            sarif_id: "SBOM-BSIAI-MODEL",
386            default_severity: ViolationSeverity::Error,
387            refs: &[(K::BsiSbomForAi, "Models / Model version")],
388            remediation: REMEDIATION_BSIAI_MODELS,
389        },
390        "SBOM-BSIAI-MODEL-IDENTIFIER" => RuleMeta {
391            sarif_id: "SBOM-BSIAI-MODEL",
392            default_severity: ViolationSeverity::Error,
393            refs: &[(K::BsiSbomForAi, "Models / Model identifier")],
394            remediation: REMEDIATION_BSIAI_MODELS,
395        },
396        "SBOM-BSIAI-MODEL-HASH" => RuleMeta {
397            sarif_id: "SBOM-BSIAI-MODEL",
398            default_severity: ViolationSeverity::Error,
399            refs: &[(K::BsiSbomForAi, "Models / Model hash value")],
400            remediation: REMEDIATION_BSIAI_MODELS,
401        },
402        "SBOM-BSIAI-MODEL-HASH-ALGO" => RuleMeta {
403            sarif_id: "SBOM-BSIAI-MODEL",
404            default_severity: ViolationSeverity::Error,
405            refs: &[(K::BsiSbomForAi, "Models / Hash algorithm")],
406            remediation: REMEDIATION_BSIAI_MODELS,
407        },
408        "SBOM-BSIAI-MODEL-CARD" => RuleMeta {
409            sarif_id: "SBOM-BSIAI-MODEL",
410            default_severity: ViolationSeverity::Warning,
411            refs: &[(K::BsiSbomForAi, "Models / Model card")],
412            remediation: REMEDIATION_BSIAI_MODELS,
413        },
414        "SBOM-BSIAI-MODEL-ARCHITECTURE" => RuleMeta {
415            sarif_id: "SBOM-BSIAI-MODEL",
416            default_severity: ViolationSeverity::Warning,
417            refs: &[(K::BsiSbomForAi, "Models / Architecture")],
418            remediation: REMEDIATION_BSIAI_MODELS,
419        },
420        "SBOM-BSIAI-MODEL-DATASETS" => RuleMeta {
421            sarif_id: "SBOM-BSIAI-MODEL",
422            default_severity: ViolationSeverity::Warning,
423            refs: &[(K::BsiSbomForAi, "Models / Training datasets")],
424            remediation: REMEDIATION_BSIAI_MODELS,
425        },
426        "SBOM-BSIAI-MODEL-LIMITATIONS" => RuleMeta {
427            sarif_id: "SBOM-BSIAI-MODEL",
428            default_severity: ViolationSeverity::Warning,
429            refs: &[(K::BsiSbomForAi, "Models / Limitations")],
430            remediation: REMEDIATION_BSIAI_MODELS,
431        },
432        "SBOM-BSIAI-MODEL-LICENSE" => RuleMeta {
433            sarif_id: "SBOM-BSIAI-MODEL",
434            default_severity: ViolationSeverity::Warning,
435            refs: &[(K::BsiSbomForAi, "Models / Model license")],
436            remediation: REMEDIATION_BSIAI_MODELS,
437        },
438        // Datasets cluster
439        "SBOM-BSIAI-DATASET-NAME" => RuleMeta {
440            sarif_id: "SBOM-BSIAI-DATASET",
441            default_severity: ViolationSeverity::Error,
442            refs: &[(K::BsiSbomForAi, "Datasets / Dataset name")],
443            remediation: REMEDIATION_BSIAI_DATASETS,
444        },
445        "SBOM-BSIAI-DATASET-IDENTIFIER" => RuleMeta {
446            sarif_id: "SBOM-BSIAI-DATASET",
447            default_severity: ViolationSeverity::Error,
448            refs: &[(K::BsiSbomForAi, "Datasets / Dataset identifier")],
449            remediation: REMEDIATION_BSIAI_DATASETS,
450        },
451        "SBOM-BSIAI-DATASET-HASH" => RuleMeta {
452            sarif_id: "SBOM-BSIAI-DATASET",
453            default_severity: ViolationSeverity::Warning,
454            refs: &[(K::BsiSbomForAi, "Datasets / Dataset hash value")],
455            remediation: REMEDIATION_BSIAI_DATASETS,
456        },
457        "SBOM-BSIAI-DATASET-LICENSE" => RuleMeta {
458            sarif_id: "SBOM-BSIAI-DATASET",
459            default_severity: ViolationSeverity::Warning,
460            refs: &[(K::BsiSbomForAi, "Datasets / Dataset license")],
461            remediation: REMEDIATION_BSIAI_DATASETS,
462        },
463        "SBOM-BSIAI-DATASET-SENSITIVITY" => RuleMeta {
464            sarif_id: "SBOM-BSIAI-DATASET",
465            default_severity: ViolationSeverity::Warning,
466            refs: &[(K::BsiSbomForAi, "Datasets / Sensitivity classification")],
467            remediation: REMEDIATION_BSIAI_DATASETS,
468        },
469        "SBOM-BSIAI-DATASET-PROVENANCE" => RuleMeta {
470            sarif_id: "SBOM-BSIAI-DATASET",
471            default_severity: ViolationSeverity::Warning,
472            refs: &[(K::BsiSbomForAi, "Datasets / Provenance & intended use")],
473            remediation: REMEDIATION_BSIAI_DATASETS,
474        },
475        // Infrastructure cluster
476        "SBOM-BSIAI-INFRA-RUNTIME" => RuleMeta {
477            sarif_id: "SBOM-BSIAI-INFRA",
478            default_severity: ViolationSeverity::Info,
479            refs: &[(K::BsiSbomForAi, "Infrastructure / Runtime & framework")],
480            remediation: REMEDIATION_BSIAI_GENERAL,
481        },
482        // Security cluster
483        "SBOM-BSIAI-SEC-CONTROLS" => RuleMeta {
484            sarif_id: "SBOM-BSIAI-SEC",
485            default_severity: ViolationSeverity::Info,
486            refs: &[(K::BsiSbomForAi, "Security / AI security controls")],
487            remediation: REMEDIATION_BSIAI_GENERAL,
488        },
489        "SBOM-BSIAI-SEC-EXPLOITABILITY" => RuleMeta {
490            sarif_id: "SBOM-BSIAI-SEC",
491            default_severity: ViolationSeverity::Info,
492            refs: &[(K::BsiSbomForAi, "Security / Exploitability reference")],
493            remediation: REMEDIATION_BSIAI_GENERAL,
494        },
495        // ---- NTIA --------------------------------------------------------
496        "SBOM-NTIA-VERSION" => RuleMeta {
497            sarif_id: "SBOM-NTIA-VERSION",
498            default_severity: ViolationSeverity::Error,
499            refs: &[(K::NtiaMinimum, "NTIA Minimum Elements")],
500            remediation: REMEDIATION_GENERIC,
501        },
502        "SBOM-NTIA-SUPPLIER" => RuleMeta {
503            sarif_id: "SBOM-NTIA-SUPPLIER",
504            default_severity: ViolationSeverity::Error,
505            refs: &[(K::NtiaMinimum, "NTIA Minimum Elements")],
506            remediation: REMEDIATION_GENERIC,
507        },
508        "SBOM-NTIA-DEPENDENCY" => RuleMeta {
509            sarif_id: "SBOM-NTIA-DEPENDENCY",
510            default_severity: ViolationSeverity::Error,
511            refs: &[(K::NtiaMinimum, "NTIA Minimum Elements")],
512            remediation: REMEDIATION_GENERIC,
513        },
514        // ---- FDA ---------------------------------------------------------
515        "SBOM-FDA-SUPPLIER" => RuleMeta {
516            sarif_id: "SBOM-FDA-SUPPLIER",
517            default_severity: ViolationSeverity::Error,
518            refs: &[(K::FdaPremarket, "FDA Premarket")],
519            remediation: REMEDIATION_GENERIC,
520        },
521        "SBOM-FDA-SUPPORT" => RuleMeta {
522            sarif_id: "SBOM-FDA-SUPPORT",
523            default_severity: ViolationSeverity::Warning,
524            refs: &[(K::FdaPremarket, "FDA Premarket")],
525            remediation: REMEDIATION_GENERIC,
526        },
527        "SBOM-FDA-NAME" => RuleMeta {
528            sarif_id: "SBOM-FDA-GENERAL",
529            default_severity: ViolationSeverity::Warning,
530            refs: &[(K::FdaPremarket, "FDA Premarket")],
531            remediation: REMEDIATION_GENERIC,
532        },
533        "SBOM-FDA-VERSION" => RuleMeta {
534            sarif_id: "SBOM-FDA-VERSION",
535            default_severity: ViolationSeverity::Error,
536            refs: &[(K::FdaPremarket, "FDA Premarket")],
537            remediation: REMEDIATION_GENERIC,
538        },
539        "SBOM-FDA-IDENTIFIER" => RuleMeta {
540            sarif_id: "SBOM-FDA-IDENTIFIER",
541            default_severity: ViolationSeverity::Error,
542            refs: &[(K::FdaPremarket, "FDA Premarket")],
543            remediation: REMEDIATION_GENERIC,
544        },
545        "SBOM-FDA-HASH" => RuleMeta {
546            sarif_id: "SBOM-FDA-HASH",
547            default_severity: ViolationSeverity::Error,
548            refs: &[(K::FdaPremarket, "FDA Premarket")],
549            remediation: REMEDIATION_GENERIC,
550        },
551        // FDA rules emitted by the `validate` NTIA/FDA fast-path
552        // (`cli::validate`), which builds violations directly without
553        // populating `standard_refs`.
554        "SBOM-FDA-CREATOR" => RuleMeta {
555            sarif_id: "SBOM-FDA-CREATOR",
556            default_severity: ViolationSeverity::Warning,
557            refs: &[(K::FdaPremarket, "FDA Premarket")],
558            remediation: REMEDIATION_GENERIC,
559        },
560        "SBOM-FDA-NAMESPACE" => RuleMeta {
561            sarif_id: "SBOM-FDA-NAMESPACE",
562            default_severity: ViolationSeverity::Warning,
563            refs: &[(K::FdaPremarket, "FDA Premarket")],
564            remediation: REMEDIATION_GENERIC,
565        },
566        "SBOM-FDA-DEPENDENCY" => RuleMeta {
567            sarif_id: "SBOM-FDA-DEPENDENCY",
568            default_severity: ViolationSeverity::Error,
569            refs: &[(K::FdaPremarket, "FDA Premarket")],
570            remediation: REMEDIATION_GENERIC,
571        },
572        "SBOM-FDA-SECURITY" => RuleMeta {
573            sarif_id: "SBOM-FDA-SECURITY",
574            default_severity: ViolationSeverity::Warning,
575            refs: &[(K::FdaPremarket, "FDA Premarket")],
576            remediation: REMEDIATION_GENERIC,
577        },
578        "SBOM-FDA-GENERAL" => RuleMeta {
579            sarif_id: "SBOM-FDA-GENERAL",
580            default_severity: ViolationSeverity::Warning,
581            refs: &[(K::FdaPremarket, "FDA Premarket")],
582            remediation: REMEDIATION_GENERIC,
583        },
584        // NTIA rules emitted by the `validate` fast-path.
585        "SBOM-NTIA-AUTHOR" => RuleMeta {
586            sarif_id: "SBOM-NTIA-AUTHOR",
587            default_severity: ViolationSeverity::Error,
588            refs: &[(K::NtiaMinimum, "NTIA Minimum Elements")],
589            remediation: REMEDIATION_GENERIC,
590        },
591        "SBOM-NTIA-NAME" => RuleMeta {
592            sarif_id: "SBOM-NTIA-NAME",
593            default_severity: ViolationSeverity::Error,
594            refs: &[(K::NtiaMinimum, "NTIA Minimum Elements")],
595            remediation: REMEDIATION_GENERIC,
596        },
597        "SBOM-NTIA-IDENTIFIER" => RuleMeta {
598            sarif_id: "SBOM-NTIA-IDENTIFIER",
599            default_severity: ViolationSeverity::Warning,
600            refs: &[(K::NtiaMinimum, "NTIA Minimum Elements")],
601            remediation: REMEDIATION_GENERIC,
602        },
603        "SBOM-NTIA-GENERAL" => RuleMeta {
604            sarif_id: "SBOM-NTIA-GENERAL",
605            default_severity: ViolationSeverity::Warning,
606            refs: &[(K::NtiaMinimum, "NTIA Minimum Elements")],
607            remediation: REMEDIATION_GENERIC,
608        },
609        // Catch-all rule keys for the SSDF / EO 14028 profiles; not currently
610        // emitted by any check site but kept so the registry mirrors the full
611        // SARIF rule catalogue.
612        "SBOM-SSDF-GENERAL" => RuleMeta {
613            sarif_id: "SBOM-SSDF-GENERAL",
614            default_severity: ViolationSeverity::Warning,
615            refs: &[(K::NistSsdf, "SP 800-218")],
616            remediation: REMEDIATION_SSDF,
617        },
618        "SBOM-EO14028-GENERAL" => RuleMeta {
619            sarif_id: "SBOM-EO14028-GENERAL",
620            default_severity: ViolationSeverity::Warning,
621            refs: &[(K::Eo14028, "EO 14028 §4")],
622            remediation: REMEDIATION_EO14028,
623        },
624        // ---- NIST SSDF ---------------------------------------------------
625        "SBOM-SSDF-PS1" => RuleMeta {
626            sarif_id: "SBOM-SSDF-PS1",
627            default_severity: ViolationSeverity::Error,
628            refs: &[(K::NistSsdf, "PS.1")],
629            remediation: REMEDIATION_SSDF,
630        },
631        "SBOM-SSDF-PS2" => RuleMeta {
632            sarif_id: "SBOM-SSDF-PS2",
633            default_severity: ViolationSeverity::Error,
634            refs: &[(K::NistSsdf, "PS.2")],
635            remediation: REMEDIATION_SSDF,
636        },
637        "SBOM-SSDF-PS3" => RuleMeta {
638            sarif_id: "SBOM-SSDF-PS3",
639            default_severity: ViolationSeverity::Warning,
640            refs: &[(K::NistSsdf, "PS.3")],
641            remediation: REMEDIATION_SSDF,
642        },
643        "SBOM-SSDF-PO1" => RuleMeta {
644            sarif_id: "SBOM-SSDF-PO1",
645            default_severity: ViolationSeverity::Warning,
646            refs: &[(K::NistSsdf, "PO.1")],
647            remediation: REMEDIATION_SSDF,
648        },
649        "SBOM-SSDF-PO3" => RuleMeta {
650            sarif_id: "SBOM-SSDF-PO3",
651            default_severity: ViolationSeverity::Info,
652            refs: &[(K::NistSsdf, "PO.3")],
653            remediation: REMEDIATION_SSDF,
654        },
655        "SBOM-SSDF-PW4" => RuleMeta {
656            sarif_id: "SBOM-SSDF-PW4",
657            default_severity: ViolationSeverity::Error,
658            refs: &[(K::NistSsdf, "PW.4")],
659            remediation: REMEDIATION_SSDF,
660        },
661        "SBOM-SSDF-PW6" => RuleMeta {
662            sarif_id: "SBOM-SSDF-PW6",
663            default_severity: ViolationSeverity::Info,
664            refs: &[(K::NistSsdf, "PW.6")],
665            remediation: REMEDIATION_SSDF,
666        },
667        "SBOM-SSDF-RV1" => RuleMeta {
668            sarif_id: "SBOM-SSDF-RV1",
669            default_severity: ViolationSeverity::Warning,
670            refs: &[(K::NistSsdf, "RV.1")],
671            remediation: REMEDIATION_SSDF,
672        },
673        // ---- EO 14028 ----------------------------------------------------
674        "SBOM-EO14028-FORMAT" => RuleMeta {
675            sarif_id: "SBOM-EO14028-FORMAT",
676            default_severity: ViolationSeverity::Error,
677            refs: &[(K::Eo14028, "EO 14028 §4")],
678            remediation: REMEDIATION_EO14028,
679        },
680        "SBOM-EO14028-AUTOGEN" => RuleMeta {
681            sarif_id: "SBOM-EO14028-AUTOGEN",
682            default_severity: ViolationSeverity::Warning,
683            refs: &[(K::Eo14028, "EO 14028 §4")],
684            remediation: REMEDIATION_EO14028,
685        },
686        "SBOM-EO14028-CREATOR" => RuleMeta {
687            sarif_id: "SBOM-EO14028-CREATOR",
688            default_severity: ViolationSeverity::Error,
689            refs: &[(K::Eo14028, "EO 14028 §4")],
690            remediation: REMEDIATION_EO14028,
691        },
692        "SBOM-EO14028-IDENTIFIER" => RuleMeta {
693            sarif_id: "SBOM-EO14028-IDENTIFIER",
694            default_severity: ViolationSeverity::Error,
695            refs: &[(K::Eo14028, "EO 14028 §4")],
696            remediation: REMEDIATION_EO14028,
697        },
698        "SBOM-EO14028-DEPENDENCY" => RuleMeta {
699            sarif_id: "SBOM-EO14028-DEPENDENCY",
700            default_severity: ViolationSeverity::Error,
701            refs: &[(K::Eo14028, "EO 14028 §4")],
702            remediation: REMEDIATION_EO14028,
703        },
704        "SBOM-EO14028-VERSION" => RuleMeta {
705            sarif_id: "SBOM-EO14028-VERSION",
706            default_severity: ViolationSeverity::Error,
707            refs: &[(K::Eo14028, "EO 14028 §4")],
708            remediation: REMEDIATION_EO14028,
709        },
710        "SBOM-EO14028-INTEGRITY" => RuleMeta {
711            sarif_id: "SBOM-EO14028-INTEGRITY",
712            default_severity: ViolationSeverity::Warning,
713            refs: &[(K::Eo14028, "EO 14028 §4")],
714            remediation: REMEDIATION_EO14028,
715        },
716        "SBOM-EO14028-DISCLOSURE" => RuleMeta {
717            sarif_id: "SBOM-EO14028-DISCLOSURE",
718            default_severity: ViolationSeverity::Warning,
719            refs: &[(K::Eo14028, "EO 14028 §4")],
720            remediation: REMEDIATION_EO14028,
721        },
722        "SBOM-EO14028-SUPPLIER" => RuleMeta {
723            sarif_id: "SBOM-EO14028-SUPPLIER",
724            default_severity: ViolationSeverity::Warning,
725            refs: &[(K::Eo14028, "EO 14028 §4")],
726            remediation: REMEDIATION_EO14028,
727        },
728        // ---- BSI TR-03183-2 ----------------------------------------------
729        "SBOM-BSI-TR-03183-2-5-1" => RuleMeta {
730            sarif_id: "SBOM-BSI-TR-03183-2-5-1",
731            default_severity: ViolationSeverity::Error,
732            refs: &[(K::BsiTr03183_2, "§5.1")],
733            remediation: REMEDIATION_GENERIC,
734        },
735        "SBOM-BSI-TR-03183-2-5-2" => RuleMeta {
736            sarif_id: "SBOM-BSI-TR-03183-2-5-2",
737            default_severity: ViolationSeverity::Warning,
738            refs: &[(K::BsiTr03183_2, "§5.2")],
739            remediation: REMEDIATION_GENERIC,
740        },
741        "SBOM-BSI-TR-03183-2-5-3" => RuleMeta {
742            sarif_id: "SBOM-BSI-TR-03183-2-5-3",
743            default_severity: ViolationSeverity::Warning,
744            refs: &[(K::BsiTr03183_2, "§5.3")],
745            remediation: REMEDIATION_GENERIC,
746        },
747        "SBOM-BSI-TR-03183-2-5-4" => RuleMeta {
748            sarif_id: "SBOM-BSI-TR-03183-2-5-4",
749            default_severity: ViolationSeverity::Warning,
750            refs: &[(K::BsiTr03183_2, "§5.4")],
751            remediation: REMEDIATION_GENERIC,
752        },
753        "SBOM-BSI-TR-03183-2-5-5" => RuleMeta {
754            sarif_id: "SBOM-BSI-TR-03183-2-5-5",
755            default_severity: ViolationSeverity::Warning,
756            refs: &[(K::BsiTr03183_2, "§5.5")],
757            remediation: REMEDIATION_GENERIC,
758        },
759        "SBOM-BSI-TR-03183-2-6" => RuleMeta {
760            sarif_id: "SBOM-BSI-TR-03183-2-6",
761            default_severity: ViolationSeverity::Info,
762            refs: &[(K::BsiTr03183_2, "§6")],
763            remediation: REMEDIATION_GENERIC,
764        },
765        // ---- CNSA 2.0 ----------------------------------------------------
766        "SBOM-CNSA2-ALG-001" => RuleMeta {
767            sarif_id: "SBOM-CNSA2-ALG-001",
768            default_severity: ViolationSeverity::Error,
769            refs: &[(K::Cnsa2, "CNSA 2.0")],
770            remediation: REMEDIATION_GENERIC,
771        },
772        "SBOM-CNSA2-ALG-002" => RuleMeta {
773            sarif_id: "SBOM-CNSA2-ALG-002",
774            default_severity: ViolationSeverity::Error,
775            refs: &[(K::Cnsa2, "CNSA 2.0")],
776            remediation: REMEDIATION_GENERIC,
777        },
778        "SBOM-CNSA2-ALG-003" => RuleMeta {
779            sarif_id: "SBOM-CNSA2-ALG-003",
780            default_severity: ViolationSeverity::Error,
781            refs: &[(K::Cnsa2, "CNSA 2.0")],
782            remediation: REMEDIATION_GENERIC,
783        },
784        "SBOM-CNSA2-ALG-004" => RuleMeta {
785            sarif_id: "SBOM-CNSA2-ALG-004",
786            default_severity: ViolationSeverity::Error,
787            refs: &[(K::Cnsa2, "CNSA 2.0")],
788            remediation: REMEDIATION_GENERIC,
789        },
790        "SBOM-CNSA2-ALG-006" => RuleMeta {
791            sarif_id: "SBOM-CNSA2-ALG-006",
792            default_severity: ViolationSeverity::Error,
793            refs: &[(K::Cnsa2, "CNSA 2.0")],
794            remediation: REMEDIATION_GENERIC,
795        },
796        "SBOM-CNSA2-ALG-007" => RuleMeta {
797            sarif_id: "SBOM-CNSA2-ALG-007",
798            default_severity: ViolationSeverity::Error,
799            refs: &[(K::Cnsa2, "CNSA 2.0")],
800            remediation: REMEDIATION_GENERIC,
801        },
802        "SBOM-CNSA2-CERT-001" => RuleMeta {
803            sarif_id: "SBOM-CNSA2-CERT-001",
804            default_severity: ViolationSeverity::Error,
805            refs: &[(K::Cnsa2, "CNSA 2.0")],
806            remediation: REMEDIATION_GENERIC,
807        },
808        // ---- NIST PQC ----------------------------------------------------
809        "SBOM-PQC-001" => RuleMeta {
810            sarif_id: "SBOM-PQC-001",
811            default_severity: ViolationSeverity::Error,
812            refs: &[],
813            remediation: REMEDIATION_GENERIC,
814        },
815        "SBOM-PQC-012" => RuleMeta {
816            sarif_id: "SBOM-PQC-012",
817            default_severity: ViolationSeverity::Warning,
818            refs: &[],
819            remediation: REMEDIATION_GENERIC,
820        },
821        "SBOM-PQC-010" => RuleMeta {
822            sarif_id: "SBOM-PQC-010",
823            default_severity: ViolationSeverity::Warning,
824            refs: &[],
825            remediation: REMEDIATION_GENERIC,
826        },
827        "SBOM-PQC-005" => RuleMeta {
828            sarif_id: "SBOM-PQC-005",
829            default_severity: ViolationSeverity::Error,
830            refs: &[],
831            remediation: REMEDIATION_GENERIC,
832        },
833        "SBOM-PQC-008" => RuleMeta {
834            sarif_id: "SBOM-PQC-008",
835            default_severity: ViolationSeverity::Error,
836            refs: &[],
837            remediation: REMEDIATION_GENERIC,
838        },
839        "SBOM-PQC-009" => RuleMeta {
840            sarif_id: "SBOM-PQC-009",
841            default_severity: ViolationSeverity::Info,
842            refs: &[(K::NistPqc, "NIST PQC")],
843            remediation: REMEDIATION_GENERIC,
844        },
845        "SBOM-PQC-KEY-001" => RuleMeta {
846            sarif_id: "SBOM-PQC-KEY-001",
847            default_severity: ViolationSeverity::Error,
848            refs: &[],
849            remediation: REMEDIATION_GENERIC,
850        },
851        _ => return None,
852    };
853    Some(meta)
854}