This is the official CycloneDX property namespace and name taxonomy.
With the v1.3 release of the specification, custom properties have been added.
Although the specification doesn't impose restrictions on the property names used, standardization can assist tool implementers and BOM consumers.
The authoritative source of official namespaces and property names is this repository.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC2119.
Namespaces are hierarchical and delimited with a `:`. As such, `:` MUST NOT be used in property namespaces and names except as a delimiter.
The only characters that SHALL be used in official property namespaces and names are alphanumerical characters, "-", "_" and " " from the US ASCII character set.
Namespaces SHOULD be lower case. Base property names MAY use upper case.
```
local:information_security_classification
local:team_responsible
```
```abnf
property-name = 1*(namespace ":") name
namespace     = 1*namechar
name          = 1*namechar
namechar      = ALPHA / DIGIT / "-" / "_" / " "
```
ABNF syntax as per RFC5234: Augmented BNF for Syntax Specifications: ABNF.
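As an added illustration (not code from the CycloneDX taxonomy repository), the following Python validator parses a property name against the ABNF above, rejects every MUST violation (missing namespace, `:` used other than as a delimiter, characters outside `namechar` or outside US ASCII) and reports SHOULD-level findings such as an upper-case namespace or a top-level namespace that is not in the registry table of this document; the function names and the `REGISTERED_NAMESPACES` constant are assumptions of this example.

```python
import re
from typing import NamedTuple

# Top-level namespaces registered in the taxonomy table of this document.
REGISTERED_NAMESPACES = frozenset({
    "cdx", "internal", "aquasecurity", "dependency-track", "expliot",
    "finitestate", "fortify", "gitlab", "grype", "hoppr", "ibm", "servicenow",
    "siemens", "snyk", "sonatype", "spack", "syft", "tern", "veracode",
})

# namechar = ALPHA / DIGIT / "-" / "_" / " "  (US ASCII only, so \w is deliberately not used)
NAMECHAR_RUN = re.compile(r"[A-Za-z0-9_\- ]+")


class PropertyName(NamedTuple):
    namespaces: tuple   # namespace segments, top level first
    name: str           # base property name
    warnings: tuple     # SHOULD-level findings; empty when fully conformant


def parse_property_name(value: str) -> PropertyName:
    """Parse `1*(namespace ":") name`; raise ValueError on any MUST violation."""
    segments = value.split(":")
    # ':' is only a delimiter, so at least one namespace must precede the name
    # and no segment may be empty (leading, trailing or doubled ':').
    if len(segments) < 2:
        raise ValueError(f"{value!r}: a namespace followed by ':' is required")
    for seg in segments:
        if not seg:
            raise ValueError(f"{value!r}: empty namespace or name segment")
        if not NAMECHAR_RUN.fullmatch(seg):
            raise ValueError(f"{value!r}: {seg!r} contains a character outside namechar")
    *namespaces, name = segments
    warnings = [f"namespace {ns!r} SHOULD be lower case" for ns in namespaces if ns != ns.lower()]
    if namespaces[0] not in REGISTERED_NAMESPACES:
        warnings.append(f"top-level namespace {namespaces[0]!r} is not registered")
    return PropertyName(tuple(namespaces), name, tuple(warnings))


def is_valid_property_name(value: str) -> bool:
    """True when the name satisfies every MUST rule (SHOULD findings do not fail it)."""
    try:
        parse_property_name(value)
    except ValueError:
        return False
    return True
```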
Namespace | Description | Administered By | Taxonomy |
---|---|---|---|
cdx | Namespace for official CycloneDX namespaces and properties. Unofficial namespaces and properties MUST NOT be used under the cdx namespace. | CycloneDX Core Working Group | cdx taxonomy |
internal | Namespace for internal use only. BOMs shared with 3rd parties SHOULD NOT include properties in the local namespace. | CycloneDX Core Working Group | N/A |
aquasecurity | Namespace for use by Aqua Security. | Aqua Security | RESERVED |
dependency-track | Namespace for use by the Dependency-Track project. | Dependency-Track Maintainers | RESERVED |
expliot | Namespace for use by EXPLIoT. | EXPLIoT | EXPLIoT taxonomy |
finitestate | Namespace for use by Finite State. | Finite State | finitestate taxonomy |
fortify | Namespace for use by Fortify. | Micro Focus | RESERVED |
gitlab | Namespace for use by GitLab. | GitLab | GitLab taxonomy |
grype | Namespace for use by the Grype project. | Grype Maintainers | Grype Project |
hoppr | Namespace for use by the Hoppr project. | Lockheed Martin | Hoppr Project |
ibm | Namespace for use by IBM. | IBM | RESERVED |
servicenow | Namespace for use by ServiceNow. | ServiceNow | RESERVED |
siemens | Namespace for use by Siemens. | Siemens | Siemens taxonomy |
snyk | Namespace for use by Snyk. | Snyk | RESERVED |
sonatype | Namespace for use by Sonatype. | Sonatype | Sonatype Taxonomy Documentation |
spack | Namespace for use by the Spack package manager. | Spack Maintainers | Spack SBOM Project |
syft | Namespace for use by the Syft project. | Syft Maintainers | Syft Project |
tern | Namespace for use by the Tern project. | Tern Maintainers | Tern Project |
veracode | Namespace for use by Veracode. | Veracode | Veracode taxonomy |
It is RECOMMENDED that anyone creating custom properties outside of the internal namespace SHOULD register a new top level namespace. The process for registering a new top level namespace is to create a new issue requesting it.

Namespaces are initially registered as `RESERVED`. Before using your `RESERVED` namespace, documentation for the taxonomy of the namespace SHOULD be publicly available. Failure to do so MAY result in the namespace reservation being revoked. An example is the cdx taxonomy.