Description
With v1.3 of the spec custom properties were introduced. But no real guidance on naming.
For example, CDX support is being added to Tern, a container SCA tool. One of the things Tern does is detect the OS, i.e. Debian. It refers to this information as os_guess. In that implementation this has been added as the property tern:os_guess.
This sort of namespacing can make it easier for folks trying to build tooling that processes CDX BOMs. They can now add support for tern:os_guess, if relevant to them, with less chance of a naming collision.
I also propose we have a standard way of namespacing CDX implementation specific properties. i.e. cdx:dotnet:whatever. Although that scheme should be defined at the CDX project level, the whatever can be delegated to each implementation.
Maybe there should be official package/build ecosystem namespaces too? i.e. cdx:nuget:whatever and cdx:msbuild:whatever? This could really help 3rd party tool implementers.
I think we should also specify a namespace for internal use only. We're probably all already throwing around CDX BOMs between our own internal tooling. But an internal namespace would mean that tooling, like the CLI, could support stripping properties that are only intended for internal usage before publishing the final "public" BOM.
So, I guess my proposal is:
- add documentation to the specification repo which details the high level recommended property namespacing scheme
- add references to that documentation in the description of properties in the spec itself
- create a new repo, cyclonedx-property-namespaces, with a file for each official CDX property namespace, i.e.
cdx:nugetand a list of official NuGet specific property names (perhaps code owners can be used to delegate these to relevant implementation maintainers)