From 54a16fec6cbb071f38aee007e9f1e7fa66d658fa Mon Sep 17 00:00:00 2001 From: Andrea Vibelli Date: Thu, 6 Mar 2025 11:07:15 +0100 Subject: [PATCH 1/4] chore: add Red Hat SBOM property taxonomy --- docs/taxonomy.md | 197 +++++++++++++++++++++++++++++++++++++++++++++++ mkdocs.yml | 1 + 2 files changed, 198 insertions(+) create mode 100644 docs/taxonomy.md diff --git a/docs/taxonomy.md b/docs/taxonomy.md new file mode 100644 index 0000000..f7b6801 --- /dev/null +++ b/docs/taxonomy.md @@ -0,0 +1,197 @@ +# Red Hat CycloneDX Property Taxonomy, v1.0.0 + +This is the official Red Hat property taxonomy for CycloneDX. + +For more information about CycloneDX property taxonomies, refer to +their [official documentation](https://github.com/CycloneDX/cyclonedx-property-taxonomy). + +## Red Hat properties + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PropertyDescriptionScope
redhat:advisory_idThe Red Hat Errata numeric identifier for which the SBOM was generated.metadata
redhat:deliverable-urlIf the SBOM was generated from a ZIP file, it indicates the url location of the file.metadata/component
redhat:deliverable-checksumIf the SBOM was generated from a ZIP file, it indicates the checksum (sha256) of the file.metadata/component
sbomer:image:labels:architectureSpecifies the CPU architecture for which the image is built, such as amd64, arm64, etc.components[]
sbomer:image:labels:build-dateIndicates the date and time when the image was built.​components[]
sbomer:image:labels:com.redhat.componentSpecifies the Red Hat component name associated with the image.​components[]
sbomer:image:labels:com.redhat.delivery.backportA flag indicating whether the image includes backported features or fixes (true) or not (false).components[]
sbomer:image:labels:com.redhat.delivery.operator.bundleA flag indicating whether the image is an Operator bundle for Red Hat OpenShift (true) or not (false).​components[]
sbomer:image:labels:com.redhat.license_termsProvides a URL to the license terms applicable to the image.​components[]
sbomer:image:labels:com.redhat.openshift.versionsSpecifies the compatible OpenShift versions for the image.​components[]
sbomer:image:labels:descriptionProvides a brief description of the image's purpose or contents.​components[]
sbomer:image:labels:distribution-scopeDefines the scope of distribution, such as public or private.​components[]
sbomer:image:labels:io.buildah.versionSpecifies the version of Buildah used to build the image.components[]
sbomer:image:labels:io.k8s.descriptionProvides a description of the image for Kubernetes environments.components[]
sbomer:image:labels:io.k8s.display-nameSpecifies a human-readable name for the image in Kubernetes contexts.components[]
sbomer:image:labels:io.openshift.tagsLists tags associated with the image for OpenShift categorization.components[]
sbomer:image:labels:lvms.tagsSpecifies tags related to Logical Volume Management (LVM) systems.components[]
sbomer:image:labels:maintainerProvides contact information for the image's maintainer.​components[]
sbomer:image:labels:nameSpecifies the name of the image.components[]
sbomer:image:labels:operators.operatorframework.io.bundle.channels.v1Lists the channels for the Operator bundle, such as stable or beta.components[]
sbomer:image:labels:operators.operatorframework.io.bundle.manifests.v1Indicates the location of the Operator bundle manifests.​components[]
sbomer:image:labels:operators.operatorframework.io.bundle.mediatype.v1Specifies the media type or format of the operator bundle, such as Helm charts or plain Kubernetes manifests.components[]
sbomer:image:labels:operators.operatorframework.io.bundle.metadata.v1Indicates the path within the image to the directory containing metadata files about the bundle.components[]
sbomer:image:labels:operators.operatorframework.io.bundle.package.v1Denotes the package name of the operator bundle.components[]
sbomer:image:labels:releaseSpecifies the release version of the image or software contained within.components[]
sbomer:image:labels:summaryProvides a brief summary of the image's purpose or contents.components[]
sbomer:image:labels:urlOffers a URL to more information about the image or the project it represents.components[]
sbomer:image:labels:vcs-refIndicates the specific commit reference from the version control system used to build the image.components[]
sbomer:image:labels:vcs-typeSpecifies the type of version control system used, such as Git or SVN.components[]
sbomer:image:labels:vendorIdentifies the organization or individual responsible for the image.components[]
sbomer:image:labels:versionDenotes the version of the application or component contained within the image.components[]
+ +The **Scope** column describes which `properties` section is the intended location for the property. For example, +a scope of `metadata` means that the property is intended for use in `metadata/properties`. This is meant as a +recommendation only. + + +## Additional Notes + +The properties listed in this document represent an ideal state across all of Red Hat-published security data +that we want to achieve in the long term. In some SBOMs, components or metadata may be missing some properties or their +content may not be accurate. Please +[contact Red Hat Product Security](https://access.redhat.com/security/team/contact/) or file a Jira issue in the +[SECDATA project](https://issues.redhat.com/projects/SECDATA) if you find any discrepancies in Red Hat's security data. +Feedback on our SBOM design and publishing is always welcome and appreciated. + + +## License + +Copyright (c) 2024 Red Hat Product Security + +Licensed under MIT License. + diff --git a/mkdocs.yml b/mkdocs.yml index 19c8507..1843348 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -39,6 +39,7 @@ nav: - SBOM: "sbom.md" - purl: "purl.md" - CSAF/VEX: "csaf-vex.md" + - Taxonomy: "taxonomy.md" plugins: - social From e2a7cb1012bdff0d2ee1fa77b0260edce7023a1e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Prpi=C4=8D?= Date: Fri, 7 Mar 2025 15:08:22 -0500 Subject: [PATCH 2/4] Reformat table to markdown; nest under SBOM nav --- docs/taxonomy.md | 237 +++++++++-------------------------------------- mkdocs.yml | 6 +- 2 files changed, 46 insertions(+), 197 deletions(-) diff --git a/docs/taxonomy.md b/docs/taxonomy.md index f7b6801..183db51 100644 --- a/docs/taxonomy.md +++ b/docs/taxonomy.md 
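Review bot: the `sbomer:image:labels:*` rows in the PATCH 1/4 docs/taxonomy.md hunk sit outside the `redhat:` namespace this taxonomy registers, so a CycloneDX consumer has no way to tie them back to Red Hat; prefix them as `redhat:sbomer:image:labels:...` (PATCH 3/4 in this series does exactly that, so squashing would avoid ever publishing the unnamespaced names). Two smaller points on the same hunk: the table is authored as raw HTML (197 lines for 31 rows) inside a markdown file rendered by mkdocs, where a pipe table is far easier to review and diff; and `redhat:deliverable-checksum` says "checksum (sha256)" without stating the value format, so specify whether the value is the bare hex digest or carries an algorithm prefix, because a consumer is expected to verify the file fetched from `redhat:deliverable-url` against it before trusting the contents. Also `url` in the `redhat:deliverable-url` description should read `URL`.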
@@ -1,197 +1,44 @@ -# Red Hat CycloneDX Property Taxonomy, v1.0.0 - -This is the official Red Hat property taxonomy for CycloneDX. - -For more information about CycloneDX property taxonomies, refer to -their [official documentation](https://github.com/CycloneDX/cyclonedx-property-taxonomy). - -## Red Hat properties - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
PropertyDescriptionScope
redhat:advisory_idThe Red Hat Errata numeric identifier for which the SBOM was generated.metadata
redhat:deliverable-urlIf the SBOM was generated from a ZIP file, it indicates the url location of the file.metadata/component
redhat:deliverable-checksumIf the SBOM was generated from a ZIP file, it indicates the checksum (sha256) of the file.metadata/component
sbomer:image:labels:architectureSpecifies the CPU architecture for which the image is built, such as amd64, arm64, etc.components[]
sbomer:image:labels:build-dateIndicates the date and time when the image was built.​components[]
sbomer:image:labels:com.redhat.componentSpecifies the Red Hat component name associated with the image.​components[]
sbomer:image:labels:com.redhat.delivery.backportA flag indicating whether the image includes backported features or fixes (true) or not (false).components[]
sbomer:image:labels:com.redhat.delivery.operator.bundleA flag indicating whether the image is an Operator bundle for Red Hat OpenShift (true) or not (false).​components[]
sbomer:image:labels:com.redhat.license_termsProvides a URL to the license terms applicable to the image.​components[]
sbomer:image:labels:com.redhat.openshift.versionsSpecifies the compatible OpenShift versions for the image.​components[]
sbomer:image:labels:descriptionProvides a brief description of the image's purpose or contents.​components[]
sbomer:image:labels:distribution-scopeDefines the scope of distribution, such as public or private.​components[]
sbomer:image:labels:io.buildah.versionSpecifies the version of Buildah used to build the image.components[]
sbomer:image:labels:io.k8s.descriptionProvides a description of the image for Kubernetes environments.components[]
sbomer:image:labels:io.k8s.display-nameSpecifies a human-readable name for the image in Kubernetes contexts.components[]
sbomer:image:labels:io.openshift.tagsLists tags associated with the image for OpenShift categorization.components[]
sbomer:image:labels:lvms.tagsSpecifies tags related to Logical Volume Management (LVM) systems.components[]
sbomer:image:labels:maintainerProvides contact information for the image's maintainer.​components[]
sbomer:image:labels:nameSpecifies the name of the image.components[]
sbomer:image:labels:operators.operatorframework.io.bundle.channels.v1Lists the channels for the Operator bundle, such as stable or beta.components[]
sbomer:image:labels:operators.operatorframework.io.bundle.manifests.v1Indicates the location of the Operator bundle manifests.​components[]
sbomer:image:labels:operators.operatorframework.io.bundle.mediatype.v1Specifies the media type or format of the operator bundle, such as Helm charts or plain Kubernetes manifests.components[]
sbomer:image:labels:operators.operatorframework.io.bundle.metadata.v1Indicates the path within the image to the directory containing metadata files about the bundle.components[]
sbomer:image:labels:operators.operatorframework.io.bundle.package.v1Denotes the package name of the operator bundle.components[]
sbomer:image:labels:releaseSpecifies the release version of the image or software contained within.components[]
sbomer:image:labels:summaryProvides a brief summary of the image's purpose or contents.components[]
sbomer:image:labels:urlOffers a URL to more information about the image or the project it represents.components[]
sbomer:image:labels:vcs-refIndicates the specific commit reference from the version control system used to build the image.components[]
sbomer:image:labels:vcs-typeSpecifies the type of version control system used, such as Git or SVN.components[]
sbomer:image:labels:vendorIdentifies the organization or individual responsible for the image.components[]
sbomer:image:labels:versionDenotes the version of the application or component contained within the image.components[]
- -The **Scope** column describes which `properties` section is the intended location for the property. For example, +# Red Hat CycloneDX Property Taxonomy + +_Version: v1.0.0_ + +This is the official Red Hat property taxonomy for CycloneDX. For more information about CycloneDX property taxonomies, +refer to the [official documentation](https://github.com/CycloneDX/cyclonedx-property-taxonomy). + +| Property | Description | Scope | +|--------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------|----------------------| +| `redhat:advisory_id` | The [Red Hat Errata](https://access.redhat.com/articles/explaining_redhat_errata) numeric identifier for which the SBOM was generated. | `metadata` | +| `redhat:deliverable-url` | If an SBOM was generated from a ZIP file, it indicates the URL location of the file. | `metadata/component` | +| `redhat:deliverable-checksum` | If an SBOM was generated from a ZIP file, it indicates the checksum (sha256) of the file. | `metadata/component` | +| `sbomer:image:labels:architecture` | Specifies the CPU architecture for which a container image is built, such as `amd64`, `arm64`, etc. | `components[]` | +| `sbomer:image:labels:build-date` | Indicates the date and time when a container image was built. | `components[]` | +| `sbomer:image:labels:com.redhat.component` | Specifies the Red Hat component name associated with a container image. | `components[]` | +| `sbomer:image:labels:com.redhat.delivery.backport` | A flag indicating whether a container image includes backported features or fixes (`true`) or not (`false`). | `components[]` | +| `sbomer:image:labels:com.redhat.delivery.operator.bundle` | A flag indicating whether a container image is an Operator bundle for Red Hat OpenShift (`true`) or not (`false`). 
| `components[]` | +| `sbomer:image:labels:com.redhat.license_terms` | Provides a URL to the license terms applicable to a container image. | `components[]` | +| `sbomer:image:labels:com.redhat.openshift.versions` | Specifies the compatible OpenShift versions for a container image. | `components[]` | +| `sbomer:image:labels:description` | Provides a brief description of container image's purpose or contents. | `components[]` | +| `sbomer:image:labels:distribution-scope` | Defines the scope of distribution, such as `public` or `private`. | `components[]` | +| `sbomer:image:labels:io.buildah.version` | Specifies the version of Buildah used to build a container image. | `components[]` | +| `sbomer:image:labels:io.k8s.description` | Provides a description of container image for Kubernetes environments. | `components[]` | +| `sbomer:image:labels:io.k8s.display-name` | Specifies a human-readable name for a container image in Kubernetes contexts. | `components[]` | +| `sbomer:image:labels:io.openshift.tags` | Lists tags associated with container image for OpenShift categorization. | `components[]` | +| `sbomer:image:labels:lvms.tags` | Specifies tags related to Logical Volume Management (LVM) systems. | `components[]` | +| `sbomer:image:labels:maintainer` | Provides contact information for a container image's maintainer. | `components[]` | +| `sbomer:image:labels:name` | Specifies the name of a container image. | `components[]` | +| `sbomer:image:labels:operators.operatorframework.io.bundle.channels.v1` | Lists the channels for the Operator bundle, such as `stable` or `beta`. | `components[]` | +| `sbomer:image:labels:operators.operatorframework.io.bundle.manifests.v1` | Indicates the location of the Operator bundle manifests. | `components[]` | +| `sbomer:image:labels:operators.operatorframework.io.bundle.mediatype.v1` | Specifies the media type or format of the operator bundle, such as Helm charts or plain Kubernetes manifests. 
| `components[]` | +| `sbomer:image:labels:operators.operatorframework.io.bundle.metadata.v1` | Indicates the path within the image to the directory containing metadata files about the bundle. | `components[]` | +| `sbomer:image:labels:operators.operatorframework.io.bundle.package.v1` | Denotes the package name of the operator bundle. | `components[]` | +| `sbomer:image:labels:release` | Specifies the release version of a container image or software contained within. | `components[]` | +| `sbomer:image:labels:summary` | Provides a brief summary of a container image's purpose or contents. | `components[]` | +| `sbomer:image:labels:url` | Offers a URL to more information about a container image or the project it represents. | `components[]` | +| `sbomer:image:labels:vcs-ref` | Indicates the specific commit reference from the version control system used to build a container image. | `components[]` | +| `sbomer:image:labels:vcs-type` | Specifies the type of version control system used, such as Git or SVN. | `components[]` | +| `sbomer:image:labels:vendor` | Identifies the organization or individual responsible for a container image. | `components[]` | +| `sbomer:image:labels:version` | Denotes the version of the application or component contained within a container image. | `components[]` | + +The `Scope` column describes which `properties` section is the intended location for the property. For example, a scope of `metadata` means that the property is intended for use in `metadata/properties`. This is meant as a recommendation only. - - -## Additional Notes - -The properties listed in this document represent an ideal state across all of Red Hat-published security data -that we want to achieve in the long term. In some SBOMs, components or metadata may be missing some properties or their -content may not be accurate. 
Please -[contact Red Hat Product Security](https://access.redhat.com/security/team/contact/) or file a Jira issue in the -[SECDATA project](https://issues.redhat.com/projects/SECDATA) if you find any discrepancies in Red Hat's security data. -Feedback on our SBOM design and publishing is always welcome and appreciated. - - -## License - -Copyright (c) 2024 Red Hat Product Security - -Licensed under MIT License. - diff --git a/mkdocs.yml b/mkdocs.yml index 1843348..c45ed82 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -8,6 +8,7 @@ theme: features: - navigation.tabs - navigation.sections + - navigation.expand - toc.integrate - navigation.top - search.suggest @@ -36,10 +37,11 @@ theme: nav: - Home: "index.md" - - SBOM: "sbom.md" + - SBOM: + - Building SBOMs: "sbom.md" + - Property Taxonomy: "taxonomy.md" - purl: "purl.md" - CSAF/VEX: "csaf-vex.md" - - Taxonomy: "taxonomy.md" plugins: - social From ac101e9bd3c90e979573fe980d0f6bf9a4787de4 Mon Sep 17 00:00:00 2001 From: Andrea Vibelli Date: Tue, 11 Mar 2025 07:27:21 +0100 Subject: [PATCH 3/4] chore: prefix all sbomer:image:labels properties with redhat namespace --- docs/taxonomy.md | 56 ++++++++++++++++++++++++------------------------ 1 file changed, 28 insertions(+), 28 deletions(-) diff --git a/docs/taxonomy.md b/docs/taxonomy.md index 183db51..ae7d3e6 100644 --- a/docs/taxonomy.md +++ b/docs/taxonomy.md 
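Review bot: the PATCH 2/4 docs/taxonomy.md hunk deletes the whole `## Additional Notes` and `## License` sections (the Product Security contact link, the SECDATA Jira link, the "ideal state" caveat and the MIT notice) while the subject only promises a table reformat and a nav change; if the drop is intentional, state it in the commit message, otherwise keep at least the discrepancy-reporting paragraph, since the caveat that properties may be missing or inaccurate is what tells a consumer not to treat these fields as authoritative. On the rewritten table, the `metadata/component` scope is ambiguous between `metadata.component.properties` and "either `metadata` or a `components[]` entry"; spell out the intended path the way the following paragraph does for `metadata`. Minor grammar in the new descriptions: "description of container image's purpose", "description of container image for Kubernetes" and "tags associated with container image" each need "a".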
@@ -10,34 +10,34 @@ refer to the [official documentation](https://github.com/CycloneDX/cyclonedx-pro | `redhat:advisory_id` | The [Red Hat Errata](https://access.redhat.com/articles/explaining_redhat_errata) numeric identifier for which the SBOM was generated. | `metadata` | | `redhat:deliverable-url` | If an SBOM was generated from a ZIP file, it indicates the URL location of the file. | `metadata/component` | | `redhat:deliverable-checksum` | If an SBOM was generated from a ZIP file, it indicates the checksum (sha256) of the file. | `metadata/component` | -| `sbomer:image:labels:architecture` | Specifies the CPU architecture for which a container image is built, such as `amd64`, `arm64`, etc. | `components[]` | -| `sbomer:image:labels:build-date` | Indicates the date and time when a container image was built. | `components[]` | -| `sbomer:image:labels:com.redhat.component` | Specifies the Red Hat component name associated with a container image. | `components[]` | -| `sbomer:image:labels:com.redhat.delivery.backport` | A flag indicating whether a container image includes backported features or fixes (`true`) or not (`false`). | `components[]` | -| `sbomer:image:labels:com.redhat.delivery.operator.bundle` | A flag indicating whether a container image is an Operator bundle for Red Hat OpenShift (`true`) or not (`false`). | `components[]` | -| `sbomer:image:labels:com.redhat.license_terms` | Provides a URL to the license terms applicable to a container image. | `components[]` | -| `sbomer:image:labels:com.redhat.openshift.versions` | Specifies the compatible OpenShift versions for a container image. | `components[]` | -| `sbomer:image:labels:description` | Provides a brief description of container image's purpose or contents. | `components[]` | -| `sbomer:image:labels:distribution-scope` | Defines the scope of distribution, such as `public` or `private`. 
| `components[]` | -| `sbomer:image:labels:io.buildah.version` | Specifies the version of Buildah used to build a container image. | `components[]` | -| `sbomer:image:labels:io.k8s.description` | Provides a description of container image for Kubernetes environments. | `components[]` | -| `sbomer:image:labels:io.k8s.display-name` | Specifies a human-readable name for a container image in Kubernetes contexts. | `components[]` | -| `sbomer:image:labels:io.openshift.tags` | Lists tags associated with container image for OpenShift categorization. | `components[]` | -| `sbomer:image:labels:lvms.tags` | Specifies tags related to Logical Volume Management (LVM) systems. | `components[]` | -| `sbomer:image:labels:maintainer` | Provides contact information for a container image's maintainer. | `components[]` | -| `sbomer:image:labels:name` | Specifies the name of a container image. | `components[]` | -| `sbomer:image:labels:operators.operatorframework.io.bundle.channels.v1` | Lists the channels for the Operator bundle, such as `stable` or `beta`. | `components[]` | -| `sbomer:image:labels:operators.operatorframework.io.bundle.manifests.v1` | Indicates the location of the Operator bundle manifests. | `components[]` | -| `sbomer:image:labels:operators.operatorframework.io.bundle.mediatype.v1` | Specifies the media type or format of the operator bundle, such as Helm charts or plain Kubernetes manifests. | `components[]` | -| `sbomer:image:labels:operators.operatorframework.io.bundle.metadata.v1` | Indicates the path within the image to the directory containing metadata files about the bundle. | `components[]` | -| `sbomer:image:labels:operators.operatorframework.io.bundle.package.v1` | Denotes the package name of the operator bundle. | `components[]` | -| `sbomer:image:labels:release` | Specifies the release version of a container image or software contained within. 
| `components[]` | -| `sbomer:image:labels:summary` | Provides a brief summary of a container image's purpose or contents. | `components[]` | -| `sbomer:image:labels:url` | Offers a URL to more information about a container image or the project it represents. | `components[]` | -| `sbomer:image:labels:vcs-ref` | Indicates the specific commit reference from the version control system used to build a container image. | `components[]` | -| `sbomer:image:labels:vcs-type` | Specifies the type of version control system used, such as Git or SVN. | `components[]` | -| `sbomer:image:labels:vendor` | Identifies the organization or individual responsible for a container image. | `components[]` | -| `sbomer:image:labels:version` | Denotes the version of the application or component contained within a container image. | `components[]` | +| `redhat:sbomer:image:labels:architecture` | Specifies the CPU architecture for which a container image is built, such as `amd64`, `arm64`, etc. | `components[]` | +| `redhat:sbomer:image:labels:build-date` | Indicates the date and time when a container image was built. | `components[]` | +| `redhat:sbomer:image:labels:com.redhat.component` | Specifies the Red Hat component name associated with a container image. | `components[]` | +| `redhat:sbomer:image:labels:com.redhat.delivery.backport` | A flag indicating whether a container image includes backported features or fixes (`true`) or not (`false`). | `components[]` | +| `redhat:sbomer:image:labels:com.redhat.delivery.operator.bundle` | A flag indicating whether a container image is an Operator bundle for Red Hat OpenShift (`true`) or not (`false`). | `components[]` | +| `redhat:sbomer:image:labels:com.redhat.license_terms` | Provides a URL to the license terms applicable to a container image. | `components[]` | +| `redhat:sbomer:image:labels:com.redhat.openshift.versions` | Specifies the compatible OpenShift versions for a container image. 
| `components[]` | +| `redhat:sbomer:image:labels:description` | Provides a brief description of container image's purpose or contents. | `components[]` | +| `redhat:sbomer:image:labels:distribution-scope` | Defines the scope of distribution, such as `public` or `private`. | `components[]` | +| `redhat:sbomer:image:labels:io.buildah.version` | Specifies the version of Buildah used to build a container image. | `components[]` | +| `redhat:sbomer:image:labels:io.k8s.description` | Provides a description of container image for Kubernetes environments. | `components[]` | +| `redhat:sbomer:image:labels:io.k8s.display-name` | Specifies a human-readable name for a container image in Kubernetes contexts. | `components[]` | +| `redhat:sbomer:image:labels:io.openshift.tags` | Lists tags associated with container image for OpenShift categorization. | `components[]` | +| `redhat:sbomer:image:labels:lvms.tags` | Specifies tags related to Logical Volume Management (LVM) systems. | `components[]` | +| `redhat:sbomer:image:labels:maintainer` | Provides contact information for a container image's maintainer. | `components[]` | +| `redhat:sbomer:image:labels:name` | Specifies the name of a container image. | `components[]` | +| `redhat:sbomer:image:labels:operators.operatorframework.io.bundle.channels.v1` | Lists the channels for the Operator bundle, such as `stable` or `beta`. | `components[]` | +| `redhat:sbomer:image:labels:operators.operatorframework.io.bundle.manifests.v1` | Indicates the location of the Operator bundle manifests. | `components[]` | +| `redhat:sbomer:image:labels:operators.operatorframework.io.bundle.mediatype.v1` | Specifies the media type or format of the operator bundle, such as Helm charts or plain Kubernetes manifests. | `components[]` | +| `redhat:sbomer:image:labels:operators.operatorframework.io.bundle.metadata.v1` | Indicates the path within the image to the directory containing metadata files about the bundle. 
| `components[]` | +| `redhat:sbomer:image:labels:operators.operatorframework.io.bundle.package.v1` | Denotes the package name of the operator bundle. | `components[]` | +| `redhat:sbomer:image:labels:release` | Specifies the release version of a container image or software contained within. | `components[]` | +| `redhat:sbomer:image:labels:summary` | Provides a brief summary of a container image's purpose or contents. | `components[]` | +| `redhat:sbomer:image:labels:url` | Offers a URL to more information about a container image or the project it represents. | `components[]` | +| `redhat:sbomer:image:labels:vcs-ref` | Indicates the specific commit reference from the version control system used to build a container image. | `components[]` | +| `redhat:sbomer:image:labels:vcs-type` | Specifies the type of version control system used, such as Git or SVN. | `components[]` | +| `redhat:sbomer:image:labels:vendor` | Identifies the organization or individual responsible for a container image. | `components[]` | +| `redhat:sbomer:image:labels:version` | Denotes the version of the application or component contained within a container image. | `components[]` | The `Scope` column describes which `properties` section is the intended location for the property. For example, a scope of `metadata` means that the property is intended for use in `metadata/properties`. This is meant as a From f7eb33e99d9a971c8575a187f3f989bdfce20ad6 Mon Sep 17 00:00:00 2001 From: Andrea Vibelli Date: Tue, 11 Mar 2025 10:49:25 +0100 Subject: [PATCH 4/4] chore: add more properties related to type, language and locations of identified packages --- docs/taxonomy.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/taxonomy.md b/docs/taxonomy.md index ae7d3e6..070a550 100644 --- a/docs/taxonomy.md +++ b/docs/taxonomy.md 
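Review bot: renaming every `sbomer:image:labels:*` property to `redhat:sbomer:image:labels:*` in the PATCH 3/4 hunk is a breaking change for any consumer already matching on the old names, yet the document still carries `_Version: v1.0.0_` (added in PATCH 2/4 and untouched here, per the 28-line insertion/28-line deletion diffstat) and the commit is tagged `chore:`; bump the version, or at minimum describe the rename in the commit body, so SBOM consumers can tell which property names to expect from a given taxonomy version.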
@@ -38,6 +38,11 @@ refer to the [official documentation](https://github.com/CycloneDX/cyclonedx-pro | `redhat:sbomer:image:labels:vcs-type` | Specifies the type of version control system used, such as Git or SVN. | `components[]` | | `redhat:sbomer:image:labels:vendor` | Identifies the organization or individual responsible for a container image. | `components[]` | | `redhat:sbomer:image:labels:version` | Denotes the version of the application or component contained within a container image. | `components[]` | +| `redhat:sbomer:location:0:path` | Indicates the file system path where the package or artifact was found. | `components[]` | +| `redhat:sbomer:metadata:virtualPath` | Represents a virtual file path that points to a package inside an archive or layered file system. | `components[]` | +| `redhat:sbomer:package:language` | Specifies the programming language of the detected package. | `components[]` | +| `redhat:sbomer:package:type` | Defines the type of package, indicating how it was installed or distributed. | `components[]` | + The `Scope` column describes which `properties` section is the intended location for the property. For example, a scope of `metadata` means that the property is intended for use in `metadata/properties`. This is meant as a
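Review bot: `redhat:sbomer:location:0:path` in the PATCH 4/4 hunk bakes an index into the property name without saying what happens when a package is found at more than one path; document whether `redhat:sbomer:location:1:path` and so on are emitted or only the first location is recorded, since a consumer that deduplicates or searches by path behaves differently in each case. Naming is also inconsistent with the rest of the table: `virtualPath` is camelCase where every other property uses kebab-case (`deliverable-url`, `build-date`, `vcs-ref`). Finally, `redhat:sbomer:package:type` and `redhat:sbomer:package:language` would be far more useful with their allowed values listed or linked, as the table already does for `architecture` (`amd64`, `arm64`) and `distribution-scope` (`public`, `private`).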