As in one previous fragment presented, the CertGraph Ontology is proposed as an extensible approach to model evidence. The foundation of the ontology is Core, which consists of the following sub-ontologies:

• Evidence, which contains concepts to link resources with security features
• Framework, which contains common (high-level) types of software components, like HTTP servers or Logging components
• Functionality, which contains common (low-level) data types, which model smaller parts of software or represent simple record types
• Properties, which defines a common set of properties to link and are used across the whole ontology
• Security, which models security-related concepts.

On top of Core, the following four already established extensions are built:

• Cloud, used by Clouditor-Discovery and focuses on resources deployed in the cloud
• Application, used by Codyze and eknows-e3 and focuses on source code
• ML, used by AI-SEC and focuses on machine learning models
• Document, used by AMOE and focuses on documents written in natural language.

Currently, new extensions in the areas of Human Resources are being developed to cover further relevant areas like security awareness trainings, for example.

More details about the ontology can be found in the deliverable D2.10.