diff --git a/docs/taxonomy.md b/docs/taxonomy.md new file mode 100644 index 0000000..f7b6801 --- /dev/null +++ b/docs/taxonomy.md @@ -0,0 +1,197 @@ +# Red Hat CycloneDX Property Taxonomy, v1.0.0 + +This is the official Red Hat property taxonomy for CycloneDX. + +For more information about CycloneDX property taxonomies, refer to +their [official documentation](https://github.com/CycloneDX/cyclonedx-property-taxonomy). + +## Red Hat properties + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PropertyDescriptionScope
redhat:advisory_idThe Red Hat Errata numeric identifier for which the SBOM was generated.metadata
redhat:deliverable-urlIf the SBOM was generated from a ZIP file, it indicates the url location of the file.metadata/component
redhat:deliverable-checksumIf the SBOM was generated from a ZIP file, it indicates the checksum (sha256) of the file.metadata/component
sbomer:image:labels:architectureSpecifies the CPU architecture for which the image is built, such as amd64, arm64, etc.components[]
sbomer:image:labels:build-dateIndicates the date and time when the image was built.​components[]
sbomer:image:labels:com.redhat.componentSpecifies the Red Hat component name associated with the image.​components[]
sbomer:image:labels:com.redhat.delivery.backportA flag indicating whether the image includes backported features or fixes (true) or not (false).components[]
sbomer:image:labels:com.redhat.delivery.operator.bundleA flag indicating whether the image is an Operator bundle for Red Hat OpenShift (true) or not (false).​components[]
sbomer:image:labels:com.redhat.license_termsProvides a URL to the license terms applicable to the image.​components[]
sbomer:image:labels:com.redhat.openshift.versionsSpecifies the compatible OpenShift versions for the image.​components[]
sbomer:image:labels:descriptionProvides a brief description of the image's purpose or contents.​components[]
sbomer:image:labels:distribution-scopeDefines the scope of distribution, such as public or private.​components[]
sbomer:image:labels:io.buildah.versionSpecifies the version of Buildah used to build the image.components[]
sbomer:image:labels:io.k8s.descriptionProvides a description of the image for Kubernetes environments.components[]
sbomer:image:labels:io.k8s.display-nameSpecifies a human-readable name for the image in Kubernetes contexts.components[]
sbomer:image:labels:io.openshift.tagsLists tags associated with the image for OpenShift categorization.components[]
sbomer:image:labels:lvms.tagsSpecifies tags related to Logical Volume Management (LVM) systems.components[]
sbomer:image:labels:maintainerProvides contact information for the image's maintainer.​components[]
sbomer:image:labels:nameSpecifies the name of the image.components[]
sbomer:image:labels:operators.operatorframework.io.bundle.channels.v1Lists the channels for the Operator bundle, such as stable or beta.components[]
sbomer:image:labels:operators.operatorframework.io.bundle.manifests.v1Indicates the location of the Operator bundle manifests.​components[]
sbomer:image:labels:operators.operatorframework.io.bundle.mediatype.v1Specifies the media type or format of the operator bundle, such as Helm charts or plain Kubernetes manifests.components[]
sbomer:image:labels:operators.operatorframework.io.bundle.metadata.v1Indicates the path within the image to the directory containing metadata files about the bundle.components[]
sbomer:image:labels:operators.operatorframework.io.bundle.package.v1Denotes the package name of the operator bundle.components[]
sbomer:image:labels:releaseSpecifies the release version of the image or software contained within.components[]
sbomer:image:labels:summaryProvides a brief summary of the image's purpose or contents.components[]
sbomer:image:labels:urlOffers a URL to more information about the image or the project it represents.components[]
sbomer:image:labels:vcs-refIndicates the specific commit reference from the version control system used to build the image.components[]
sbomer:image:labels:vcs-typeSpecifies the type of version control system used, such as Git or SVN.components[]
sbomer:image:labels:vendorIdentifies the organization or individual responsible for the image.components[]
sbomer:image:labels:versionDenotes the version of the application or component contained within the image.components[]
+ +The **Scope** column describes which `properties` section is the intended location for the property. For example, +a scope of `metadata` means that the property is intended for use in `metadata/properties`. This is meant as a +recommendation only. + + +## Additional Notes + +The properties listed in this document represent an ideal state across all of Red Hat-published security data +that we want to achieve in the long term. In some SBOMs, components or metadata may be missing some properties or their +content may not be accurate. Please +[contact Red Hat Product Security](https://access.redhat.com/security/team/contact/) or file a Jira issue in the +[SECDATA project](https://issues.redhat.com/projects/SECDATA) if you find any discrepancies in Red Hat's security data. +Feedback on our SBOM design and publishing is always welcome and appreciated. + + +## License + +Copyright (c) 2024 Red Hat Product Security + +Licensed under MIT License. + diff --git a/mkdocs.yml b/mkdocs.yml index 19c8507..1843348 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -39,6 +39,7 @@ nav: - SBOM: "sbom.md" - purl: "purl.md" - CSAF/VEX: "csaf-vex.md" + - Taxonomy: "taxonomy.md" plugins: - social
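Review bot: In the new docs/taxonomy.md table, the `redhat:` properties mix separators (`redhat:advisory_id` versus `redhat:deliverable-url` and `redhat:deliverable-checksum`); pick one before this ships as v1.0.0, since renaming a published property later breaks consumers that match on the name. A few more things in the same hunk: several description cells (build-date, com.redhat.component, com.redhat.delivery.operator.bundle, com.redhat.license_terms, com.redhat.openshift.versions, description, distribution-scope, maintainer, bundle.manifests.v1) end in a zero-width space (U+200B) that survives into the rendered table and will show up in diffs and copy-paste, so strip them; the `sbomer` namespace is never introduced, so add a sentence next to the intro saying what SBOMer is and whether the `sbomer:image:labels:*` values are copied verbatim from the container image labels or normalized, because a consumer deciding how much to trust `vcs-ref`, `url` or `maintainer` needs to know that; the scope value `metadata/component` is not covered by the Scope paragraph, which only defines `metadata` as `metadata/properties`, so state whether it means `metadata/component/properties`, either location, or both; and `redhat:deliverable-checksum` should state the digest encoding (for example lowercase hex, with or without a `sha256:` prefix), since anyone verifying the ZIP against it needs an exact format. Minor: "url location" in the `redhat:deliverable-url` row should read "URL", and `redhat:advisory_id` says "numeric identifier" without saying whether a plain number or the full advisory name is expected, so spell that out and give an example value.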
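Review bot: The new nav entry in mkdocs.yml is labelled `Taxonomy`, while the page it points at is titled "Red Hat CycloneDX Property Taxonomy"; the sibling entries (`SBOM`, `purl`, `CSAF/VEX`) each name the artifact, so `Property Taxonomy` or `CycloneDX Taxonomy` would read better in the sidebar and make clear this is not a general taxonomy page. The placement after `CSAF/VEX` and the quoting style match the surrounding lines, so nothing else to change here.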