Merge branch 'main' into spdx

CODEOWNERS

@@ -0,0 +1,18 @@
+# see https://docs.github.com/en/github/creating-cloning-and-archiving-repositories/about-code-owners
+
+# see the teams: https://github.com/orgs/CycloneDX/teams
+
+## default
+*	@CycloneDX/core-team
+
+## CDX maintained: dedicated maintainer teams are the subject-matter experts.
+## But @core-team is additional owner, as they are the only ones that can trigger a merge.
+### Go
+/cdx/gomod.md  @CycloneDX/go-maintainers @CycloneDX/core-team
+### JS & Node
+/cdx/npm.md  @CycloneDX/javascript-maintainers @CycloneDX/core-team
+### PHP
+/cdx/composer.md  @CycloneDX/php-maintainers @CycloneDX/core-team
+### Pythpn
+/cdx/pipenv.md  @CycloneDX/python-maintainers @CycloneDX/core-team
+/cdx/poetry.md  @CycloneDX/python-maintainers @CycloneDX/core-team

README.md

@@ -13,7 +13,7 @@ This is the official CycloneDX property namespace and name taxonomy.
 With the v1.3 release of the specification, custom properties have been added.
 
 Although the specification doesn't impose restrictions on the property names used,
-standardization can assist tool implementors and BOM consumers.
+standardization can assist tool implementers and BOM consumers.
 
 The authoritative source of official namespaces and property names is this repository.
 
@@ -23,11 +23,11 @@ interpreted as described in [RFC2119](http://www.ietf.org/rfc/rfc2119.txt).
 
 ## Namespace Syntax
 
-Namespaces are hierarchical and delimeted with a `:`.
+Namespaces are hierarchical and delimited with a `:`.
 
-As such, `:` MUST NOT be used in property namespaces and names except as a delimeter.
+As such, `:` MUST NOT be used in property namespaces and names except as a delimiter.
 
-The only characters that SHALL be used in official property namespaces and names are alpanumerical characters, "-", "_" and " " from the US ASCII character set.
+The only characters that SHALL be used in official property namespaces and names are alphanumerical characters, "-", "_" and " " from the US ASCII character set.
 
 Namespaces SHOULD be lower case. Base property names MAY use upper case.
 
@@ -58,11 +58,33 @@ ABNF syntax as per [RFC5234: Augmented BNF for Syntax Specifications: ABNF](http
 | --- | --- | --- | --- |
 | `cdx` | Namespace for official CycloneDX namespaces and properties. Unofficial namespaces and properties MUST NOT be used under the `cdx` namespace. | CycloneDX Core Working Group | [cdx taxonomy](cdx.md) |
 | `internal` | Namespace for internal use only. BOMs shared with 3rd parties SHOULD NOT include properties in the local namespace. | CycloneDX Core Working Group | N/A |
+| `urn` | Namespace blocked to prevent confusions with [Uniform Resource Name](https://www.rfc-editor.org/rfc/rfc2141) | N/A | N/A |
+| `aboutcode` | Namespace for use by AboutCode projects. | nexB | [AboutCode taxonomy](https://github.com/nexB/aboutcode-cyclonedx-taxonomy#readme) |
+| `amazon` | Namespace for use by Amazon. | Amazon | `RESERVED` |
+| `appknox` | Namespace for use by Appknox Platform. | Appknox | [Appknox taxonomy](https://github.com/appknox/cyclonedx-property-taxonomy#readme) |
 | `aquasecurity` | Namespace for use by Aqua Security. | Aqua Security | `RESERVED` |
+| `bytetrail` | Namespace for use by ByteTrail. | ByteTrail | `RESERVED` | 
+| `codenotary` | Namespace for use by Codenotary platform. | Codenotary | [Codenotary taxonomy](https://github.com/codenotary/cyclonedx-property-taxonomy) |
 | `dependency-track` | Namespace for use by the Dependency-Track project. | Dependency-Track Maintainers | `RESERVED` |
-| `spack` | Namespace for use by the Spack package manager. | Spack Maintainers | [Spack SBOM Project](https://github.com/spack/spack-sbom) |
+| `expliot` | Namespace for use by EXPLIoT. | EXPLIoT | [EXPLIoT taxonomy](https://gitlab.com/expliot_framework/expliot/-/blob/master/docs/compliance/cyclonedx.rst) |
+| `finitestate` | Namespace for the use by Finite State. | Finite State | [finitestate taxonomy](https://github.com/FiniteStateInc/cyclonedx-property-taxonomy#readme) |
+| `fortify` | Namespace for use by Fortify. | Micro Focus | `RESERVED` |
+| `gitlab` | Namespace for use by GitLab. | GitLab | [GitLab taxonomy](https://docs.gitlab.com/ee/development/sec/cyclonedx_property_taxonomy.html) |
+| `grype` | Namespace for use by the Grype project. | Grype Maintainers | [Grype Project](https://github.com/anchore/grype) |
+| `hoppr` | Namespace for the use by the Hoppr project. | Lockheed Martin | [Hoppr Project](https://hoppr.dev/docs/architecture/cdx-taxonomy/) |
+| `ibm` | Namespace for use by IBM. | IBM | `RESERVED` |
+| `ksoc` | Namespace for use by KSOC. | KSOC | [KSOC taxonomy](https://github.com/ksoclabs/kbom/blob/main/docs/taxonomy.md) |
+| `medical-aegis` | Namespace for use by Medical Aegis. | Medical Aegis | `RESERVED` |
+| `recon` | Namespace for use by the Recon Project. | Recon Project | `RESERVED` |
+| `servicenow` | Namespace for use by ServiceNow. | ServiceNow | `RESERVED` |
+| `siemens` | Namespace for use by Siemens. | Siemens | [Siemens taxonomy](https://github.com/siemens/cyclonedx-property-taxonomy#readme) |
+| `snyk` | Namespace for use by Snyk. | Snyk | [Snyk Taxonomy Documentation](https://docs.snyk.io/snyk-api-info/get-a-projects-sbom-document-endpoint#custom-cyclonedx-properties) |
+| `sonatype` | Namespace for use by Sonatype | Sonatype | [Sonatype Taxonomy Documentation](https://help.sonatype.com/lift/open-source-vulnerability-analysis/dependency-view/cyclonedx-sonatype-namespace-taxonomy) |
+| `spack` | Namespace for use by the Spack package manager. | Spack Maintainers | [Spack SBOM Project](https://github.com/spack/spack-sbom#readme) |
 | `spdx` | Namespace for interop with the SPDX format. | CycloneDX Core Working Group | [spdx taxonomy](spdx/spdx.md) |
+| `syft` | Namespace for use by the Syft project. | Syft Maintainers | [Syft Project](https://github.com/anchore/syft) |
 | `tern` | Namespace for use by the Tern project. | Tern Maintainers | [Tern Project](https://github.com/tern-tools/tern) |
+| `veracode` | Namespace for use by Veracode. | Veracode | [Veracode taxonomy](https://github.com/veracode/cyclonedx-property-taxonomy#readme) |
 
 ## Registering New Top Level Namespaces
 
@@ -72,7 +94,7 @@ namespace SHOULD register a new top level namespace.
 The process for registering a new top level namespace is to
 [create a new issue requesting it](https://github.com/CycloneDX/cyclonedx-property-taxonomy/issues/new/choose).
 
-Namespaces are initialling registered as `RESERVED`.
+Namespaces are initially registered as `RESERVED`.
 
 Before using your `RESERVED` namespace, documentation for the taxonomy of the
 namespace SHOULD be publicly available. Failure to do so MAY result in the

cdx.md

@@ -2,8 +2,12 @@
 
 | Namespace | Description | Administered By | Taxonomy |
 | --- | --- | --- | --- |
+| `cdx:composer` | Namespace for properties specific to the PHP Composer ecosystem. | CycloneDX PHP Maintainers | [cdx:composer taxonomy](cdx/composer.md) |
 | `cdx:device` | Namespace for properties specific to hardware devices. | CycloneDX Core Working Group | [cdx:device taxonomy](cdx/device.md) |
 | `cdx:gomod` | Namespace for properties specific to the Go Module ecosystem. | CycloneDX Go Maintainers | [cdx:gomod taxonomy](cdx/gomod.md) |
+| `cdx:npm` | Namespace for properties specific to the Node NPM ecosystem. | CycloneDX JavaScript Maintainers | [cdx:npm taxonomy](cdx/npm.md) |
+| `cdx:pipenv` | Namespace for properties specific to the Python Pipenv ecosystem. | CycloneDX Python Maintainers | [cdx:pipenv taxonomy](cdx/pipenv.md) |
+| `cdx:poetry` | Namespace for properties specific to the Python Poetry ecosystem. | CycloneDX Python Maintainers | [cdx:poetry taxonomy](cdx/poetry.md) |
 
 ## Registering `cdx` Namespaces and Properties
 
@@ -15,4 +19,4 @@ the request will be reviewed by the Core Working Group.
 
 If you are requesting a new namespace or property under one of the
 namespaces within `cdx`, it will be reviewed by the team identified in the
-table above.
+table above.

cdx/composer.md

@@ -0,0 +1,19 @@
+# `cdx:composer` Namespace Taxonomy
+
+| Namespace | Description |
+| --------- | ----------- |
+| `cdx:composer:package` | Namespace for package specific properties. |
+
+_Boolean value_ are `true` or `false`. Case sensitive.
+
+## `cdx:composer:package` Namespace Taxonomy
+
+| Property | Description |
+| -------- | ----------- |
+| `cdx:composer:package:type` | The [package type][composer-schema-packageType] of the component. If the property is missing, then assume the value to be `library`. May appear once. |
+| `cdx:composer:package:isDevRequirement` | Whether the package was flagged as "dev requirement". _Boolean value_. If the property is missing, then assume the value to be `false`. May appear once. |
+| `cdx:composer:package:sourceReference` | The repository reference of this package, e.g. master, 1.0.0 or a commit hash for git. Values may be applied to [`externalReferences`][CDX-useCases-externalReferences] of type `vcs`. _Non-empty string value_. May appear once. |
+| `cdx:composer:package:distReference` | The reference of the distribution archive of this version, e.g. master, 1.0.0 or a commit hash for git. Values may be applied to [`externalReferences`][CDX-useCases-externalReferences] of type `distribution`. _Non-empty string value_. May appear once. May appear once. |
+
+[composer-schema-packageType]: https://getcomposer.org/doc/04-schema.md#type
+[CDX-useCases-externalReferences]: https://cyclonedx.org/use-cases/#external-references

cdx/npm.md

@@ -0,0 +1,26 @@
+# `cdx:npm` Namespace Taxonomy
+
+| Namespace | Description |
+| --------- | ----------- |
+| `cdx:npm:package` | Namespace for package specific properties. |
+| `cdx:npm:package:constraint` | Namespace for package constraints. |
+
+_Boolean value_ are `true` or `false`. Case sensitive.
+
+## `cdx:npm:package` Namespace Taxonomy
+
+| Property | Description |
+| -------- | ----------- |
+| `cdx:npm:package:bundled` | Whether the package was bundled(shipped) with its parent component. _Boolean value_. If the property is missing, then assume the value to be `false`. May appear once. |
+| `cdx:npm:package:extraneous` | Whether the package was installed extraneous. _Boolean value_. If the property is missing, then assume the value to be `false`. May appear once. |
+| `cdx:npm:package:private` | Whether the package was flagged as "private". _Boolean value_. If the property is missing, then assume the value to be `false`. May appear once. |
+| `cdx:npm:package:development` | Whether the package was flagged as "devDependency". _Boolean value_. If the property is missing, then assume the value to be `false`. May appear once. |
+| `cdx:npm:package:path` | A path the package is installed to. Posix-like path representation relative to the root directory of the project under analysis. To represent the root dir, an empty string is used. May appear multiple times with different values. Example value: `node_modules/cliui/node_modules/strip-ansi` |
+
+## `cdx:npm:package:constraint` Namespace Taxonomy
+
+| Property | Description |
+| -------- | ----------- |
+| `cdx:npm:package:constraint:engine:<NAME>` | Supported/required [engine marker](https://docs.npmjs.com/cli/v8/configuring-npm/package-json#engines). May appear once. Example: `cdx:npm:package:constraint:engine:node = >=12.2`|
+| `cdx:npm:package:constraint:engine-strict` | Whether the engine is a requirement, or an advice. _Boolean value_. If the property is missing, then assume the value to be `false`. May appear once. |
+| `cdx:npm:package:constraint:os` | Supported/required [operating system markers](https://docs.npmjs.com/cli/v8/configuring-npm/package-json#os). May appear multiple times with different values. |

cdx/pipenv.md

@@ -0,0 +1,11 @@
+# `cdx:pipenv` Namespace Taxonomy
+
+| Namespace | Description |
+| --------- | ----------- |
+| `cdx:pipenv:package` | Namespace for package specific properties. |
+
+## `cdx:pipenv:package` Namespace Taxonomy
+
+| Property | Description |
+| -------- | ----------- |
+| `cdx:pipenv:package:category` | Name of a [package category](https://pipenv.pypa.io/en/latest/basics/#specifying-package-categories) the component belongs to. Well-known categories are: "default", "develop". May appear multiple times with different values. |

cdx/poetry.md

@@ -0,0 +1,11 @@
+# `cdx:poetry` Namespace Taxonomy
+
+| Namespace | Description |
+| --------- | ----------- |
+| `cdx:poetry:package` | Namespace for package specific properties. |
+
+## `cdx:poetry:package` Namespace Taxonomy
+
+| Property | Description |
+| -------- | ----------- |
+| `cdx:poetry:package:group` | Name of a [dependency group](https://python-poetry.org/docs/managing-dependencies/#dependency-groups) the component belongs to. Well-known groups are: "main", "dev". May appear multiple times with different values. |