cyclonedx-property-taxonomy

CycloneDX Property Taxonomy

This is the official CycloneDX property namespace and name taxonomy.

Introduction

With the v1.3 release of the CycloneDX specification, custom properties have been added.

Although the specification doesn’t impose restrictions on the property names used, standardization can assist tool implementers and BOM consumers.

The authoritative source of official namespaces and property names is this repository.

The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in RFC2119.

Namespace Syntax

Namespaces are hierarchical and delimited with a “:”.
As such, “:” MUST NOT be used in property namespaces and names except as a delimiter.

The only characters that SHALL be used in official property namespaces and names are alphanumerical characters, “-”, “_” and “ ” (space) from the US ASCII character set.

Namespaces SHOULD be lower case. Base property names MAY use upper case.

Examples

internal:information_security_classification
internal:team_responsible

ABNF for Official CycloneDX Property Names

property-name = 1*(namespace ":") name

namespace     = 1*namechar

name          = 1*namechar

namechar      = ALPHA / DIGIT / "-" / "_" / " "

ABNF syntax as per RFC5234: Augmented BNF for Syntax Specifications: ABNF.

Registered Top Level Namespaces

Regardless of other licensing attributes in this repository or document, the following table (called “registry”) is marked with CC0 1.0.

| Namespace | Description | Administered By | Taxonomy |
|---|---|---|---|
| cdx | Namespace for official CycloneDX namespaces and properties. Unofficial namespaces and properties MUST NOT be used under the cdx namespace. | CycloneDX Core Working Group | cdx taxonomy |
| internal | Namespace for internal use only. BOMs shared with 3rd parties SHOULD NOT include properties in this namespace. | N/A | N/A |
| urn | Namespace blocked to prevent confusion with Uniform Resource Names. | N/A | N/A |
| aboutcode | Namespace for use by AboutCode projects. | AboutCode.org | AboutCode taxonomy |
| accellence | Namespace for use by Accellence Technologies. | AccellenceTechnologies | Accellence taxonomy |
| amazon | Namespace for use by Amazon. | Amazon | Amazon Inspector |
| appknox | Namespace for use by Appknox Platform. | Appknox | Appknox taxonomy |
| aquasecurity | Namespace for use by Aqua Security. | Aqua Security | RESERVED |
| boschrexroth | Namespace for use by Bosch Rexroth. | Bosch Rexroth AG | Bosch Rexroth taxonomy |
| bsi | Namespace for use by BSI. | BSI | BSI taxonomy |
| bytetrail | Namespace for use by ByteTrail. | ByteTrail | RESERVED |
| codenotary | Namespace for use by Codenotary platform. | Codenotary | Codenotary taxonomy |
| contact-software | Namespace for use by Contact Software. | Contact Software | RESERVED |
| dependency-track | Namespace for use by the OWASP Dependency-Track project. | Dependency-Track Maintainers | Dependency-Track taxonomy |
| expliot | Namespace for use by EXPLIoT. | EXPLIoT | EXPLIoT taxonomy |
| finitestate | Namespace for use by Finite State. | Finite State | finitestate taxonomy |
| fortify | Namespace for use by Fortify. | Micro Focus | RESERVED |
| gitlab | Namespace for use by GitLab. | GitLab | GitLab taxonomy |
| grype | Namespace for use by the Grype project. | Grype Maintainers | RESERVED |
| hoppr | Namespace for use by the Hoppr project. | Lockheed Martin | Hoppr Taxonomy Documentation |
| ibm | Namespace for use by IBM. | IBM | RESERVED |
| interlynk | Namespace for use by Interlynk. | Interlynk | Interlynk taxonomy |
| medical-aegis | Namespace for use by Medical Aegis. | Medical Aegis | RESERVED |
| nix | Namespace for Nix properties. | Nixpkgs Maintainers | Nixpkgs Manual |
| observer | Namespace for use by SBOM Observer. | Bitfront | SBOM Observer Taxonomy |
| rad | Namespace for use by RAD Security. | RAD Security | RAD KBOM Taxonomy |
| recon | Namespace for use by the Recon Project. | Recon Project | RESERVED |
| scribe | Namespace for use by Scribe Security. | Scribe Security | RESERVED |
| servicenow | Namespace for use by ServiceNow. | ServiceNow | RESERVED |
| siemens | Namespace for use by Siemens. | Siemens | Siemens taxonomy |
| snyk | Namespace for use by Snyk. | Snyk | Snyk Taxonomy Documentation |
| sonatype | Namespace for use by Sonatype. | Sonatype | Sonatype Taxonomy Documentation |
| soos | Namespace for use by SOOS. | SOOS | SOOS taxonomy |
| spack | Namespace for use by the Spack package manager. | Spack Maintainers | Spack SBOM Project |
| stackable | Namespace for use by Stackable. | Stackable | RESERVED |
| syft | Namespace for use by the Syft project. | Syft Maintainers | RESERVED |
| tern | Namespace for use by the Tern project. | Tern Maintainers | RESERVED |
| veracode | Namespace for use by Veracode. | Veracode | Veracode taxonomy |
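As an added example (not part of this repository), the following Python linter turns the ABNF above and the registry rules for the urn and internal namespaces into checks a BOM producer can run before publishing. The `lint_bom_properties` function and the sample BOM fragment are constructed for illustration; only the top-level and per-component `properties` arrays of a CycloneDX JSON document are inspected.

```python
import re
from typing import NamedTuple

# ABNF from this taxonomy:  property-name = 1*(namespace ":") name
#                           namechar      = ALPHA / DIGIT / "-" / "_" / " "
NAMECHAR = r"[A-Za-z0-9_ -]+"
PROPERTY_NAME_RE = re.compile(rf"^(?:{NAMECHAR}:)+{NAMECHAR}$")
BLOCKED_TOP_LEVEL = {"urn"}      # registry: blocked to avoid confusion with URNs
INTERNAL_TOP_LEVEL = "internal"  # registry: SHOULD NOT appear in BOMs shared with 3rd parties

class Finding(NamedTuple):
    name: str
    level: str  # "error" for MUST/SHALL rules, "warning" for SHOULD rules
    message: str

def lint_property_name(name: str, shared_externally: bool = False) -> list[Finding]:
    """Return one Finding per taxonomy rule the property name violates."""
    if not PROPERTY_NAME_RE.fullmatch(name):
        # Catches non-ASCII characters, a missing or empty namespace, and an empty base name
        return [Finding(name, "error", "does not match the property-name ABNF")]
    *namespaces, _base = name.split(":")  # base names MAY use upper case, so not checked
    top = namespaces[0]
    findings = []
    if top in BLOCKED_TOP_LEVEL:
        findings.append(Finding(name, "error", f"top level namespace '{top}' is blocked"))
    if len(top) <= 2:
        findings.append(Finding(name, "warning", f"top level namespace '{top}' SHOULD be more than two characters"))
    for ns in namespaces:
        if ns != ns.lower():
            findings.append(Finding(name, "warning", f"namespace '{ns}' SHOULD be lower case"))
    if shared_externally and top == INTERNAL_TOP_LEVEL:
        findings.append(Finding(name, "warning", "internal: properties SHOULD NOT be shared with 3rd parties"))
    return findings

def lint_bom_properties(bom: dict, shared_externally: bool = False) -> list[Finding]:
    """Lint the top-level and per-component 'properties' arrays of a CycloneDX JSON BOM."""
    holders = [bom] + list(bom.get("components", []))
    return [f for holder in holders
            for prop in holder.get("properties", [])
            for f in lint_property_name(prop.get("name", ""), shared_externally)]

SAMPLE_BOM = {  # constructed fragment, not from the page; exercises each rule once
    "properties": [{"name": "internal:team_responsible", "value": "platform"},
                   {"name": "urn:isbn", "value": "x"}],
    "components": [{"name": "lib", "properties": [
        {"name": "cdx:Example:bundled", "value": "true"},
        {"name": "no-namespace", "value": "oops"}]}],
}
```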

Registering New Top Level Namespaces

It is RECOMMENDED that anyone creating custom properties outside of the internal namespace SHOULD register a new top level namespace.

The process for registering a new top level namespace is to create a new issue requesting it.

Top Level Namespaces are initially registered as RESERVED.

Registered top level namespaces SHOULD be more than two characters long.

Before using your RESERVED namespace, documentation for the taxonomy of the namespace SHOULD be publicly available. Failure to do so MAY result in the namespace reservation being revoked.

An example is the cdx taxonomy.