cyclonedx-property-taxonomy
CycloneDX Property Taxonomy
This is the official CycloneDX property namespace and name taxonomy.
Introduction
With the v1.3 release of the CycloneDX specification, custom properties have been added.
Although the specification doesn’t impose restrictions on the property names used, standardization can assist tool implementers and BOM consumers.
The authoritative source of official namespaces and property names is this repository.
The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in RFC2119.
Namespace Syntax
Namespaces are hierarchical and delimited with a :.
As such, : MUST NOT be used in property namespaces and names except as a delimiter.
The only characters that SHALL be used in official property namespaces and names are alphanumerical characters, “-“, “_” and “ “ from the US ASCII character set.
Namespaces SHOULD be lower case. Base property names MAY use upper case.
Examples
internal:information_security_classification
internal:team_responsible
ABNF for Official CycloneDX Property Names
property-name = 1*(namespace ":") name
namespace = 1*namechar
name = 1*namechar
namechar = ALPHA / DIGIT / "-" / "_" / " "
ABNF syntax as per RFC5234: Augmented BNF for Syntax Specifications: ABNF.
Registered Top Level Namespaces
Regardless of other licensing attributes in this repository or document,
the following table (called “registry”) is marked with
CC0 1.0
| Namespace | Description | Administered By | Taxonomy |
|---|---|---|---|
cdx |
Namespace for official CycloneDX namespaces and properties. Unofficial namespaces and properties MUST NOT be used under the cdx namespace. |
CycloneDX Core Working Group | cdx taxonomy |
internal |
Namespace for internal use only. BOMs shared with 3rd parties SHOULD NOT include properties in this namespace. | N/A | N/A |
urn |
Namespace blocked to prevent confusions with Uniform Resource Name | N/A | N/A |
aboutcode |
Namespace for use by AboutCode projects. | nexB | AboutCode taxonomy |
accellence |
Namespace for use by Accellence Technologies. | AccellenceTechnologies | Accellence taxonomy |
amazon |
Namespace for use by Amazon. | Amazon | RESERVED |
appknox |
Namespace for use by Appknox Platform. | Appknox | Appknox taxonomy |
aquasecurity |
Namespace for use by Aqua Security. | Aqua Security | RESERVED |
boschrexroth |
Namespace for use by Bosch Rexroth. | Bosch Rexroth AG | Bosch Rexroth taxonomy |
bytetrail |
Namespace for use by ByteTrail. | ByteTrail | RESERVED |
codenotary |
Namespace for use by Codenotary platform. | Codenotary | Codenotary taxonomy |
dependency-track |
Namespace for use by the Dependency-Track project. | Dependency-Track Maintainers | RESERVED |
expliot |
Namespace for use by EXPLIoT. | EXPLIoT | EXPLIoT taxonomy |
finitestate |
Namespace for the use by Finite State. | Finite State | finitestate taxonomy |
fortify |
Namespace for use by Fortify. | Micro Focus | RESERVED |
gitlab |
Namespace for use by GitLab. | GitLab | GitLab taxonomy |
grype |
Namespace for use by the Grype project. | Grype Maintainers | RESERVED |
hoppr |
Namespace for the use by the Hoppr project. | Lockheed Martin | Hoppr Taxonomy Documentation |
ibm |
Namespace for use by IBM. | IBM | RESERVED |
interlynk |
Namespace for use by Interlynk. | Interlynk | Interlynk taxonomy |
ksoc |
Namespace for use by KSOC. | KSOC | KSOC taxonomy |
medical-aegis |
Namespace for use by Medical Aegis. | Medical Aegis | RESERVED |
observer |
Namespace for use by SBOM Observer. | Bitfront | SBOM Observer Taxonomy |
recon |
Namespace for use by the Recon Project. | Recon Project | RESERVED |
scribe |
Namespace for use by Scribe Security | Scribe Security | RESERVED |
servicenow |
Namespace for use by ServiceNow. | ServiceNow | RESERVED |
siemens |
Namespace for use by Siemens. | Siemens | Siemens taxonomy |
snyk |
Namespace for use by Snyk. | Snyk | Snyk Taxonomy Documentation |
sonatype |
Namespace for use by Sonatype | Sonatype | Sonatype Taxonomy Documentation |
spack |
Namespace for use by the Spack package manager. | Spack Maintainers | Spack SBOM Project |
stackable |
Namespace for use by Stackable | Stackable | RESERVED |
syft |
Namespace for use by the Syft project. | Syft Maintainers | RESERVED |
tern |
Namespace for use by the Tern project. | Tern Maintainers | RESERVED |
veracode |
Namespace for use by Veracode. | Veracode | Veracode taxonomy |
Registering New Top Level Namespaces
It is RECOMMENDED that anyone creating custom properties outside of the internal
namespace SHOULD register a new top level namespace.
The process for registering a new top level namespace is to create a new issue requesting it.
Namespaces are initially registered as RESERVED.
Before using your RESERVED namespace, documentation for the taxonomy of the
namespace SHOULD be publicly available. Failure to do so MAY result in the
namespace reservation being revoked.
An example is the cdx taxonomy.