doc/development/sec/cyclonedx_property_taxonomy.md
This document defines the namespaces and properties used by the gitlab namespace
in the CycloneDX Property Taxonomy.
> [!note]
> Before making changes to this file, reach out to the threat insights engineering team,
> `@gitlab-org/govern/threat-insights`.
The `Property of` column describes what object a property may be attached to.

- `metadata`: the property applies to all objects in the document.
- `components`: the property may only be applied to the top-level component object.

When a property is set in both `metadata` and on an individual component, the component-level
value takes precedence for that component. If a property is set only in `metadata`, it applies
uniformly to all components. This is important for merged SBOMs where components originate from
different input files.
## `gitlab` namespace taxonomy

| Namespace | Description |
|---|---|
| `meta` | Namespace for data about the property schema. |
| `dependency_scanning` | Namespace for data related to dependency scanning. |
| `container_scanning` | Namespace for data related to container scanning. |
## `gitlab:meta` namespace taxonomy

| Property | Description | Property of |
|---|---|---|
| `gitlab:meta:schema_version` | Used by GitLab to determine how to parse the properties in a report. Must be `1`. | `metadata` |
## `gitlab:dependency_scanning` namespace taxonomy

| Property | Description | Example values | Property of |
|---|---|---|---|
| `gitlab:dependency_scanning:category` | The name of the category or dependency group that the dependency belongs to. If no category is specified, `production` is used by default. | `production`, `development`, `test` | `components` |

| Namespace | Description |
|---|---|
| `gitlab:dependency_scanning:input_file` | Namespace for information about the input file analyzed to produce the dependency. |
| `gitlab:dependency_scanning:source_file` | Namespace for information about the file you can edit to manage the dependency. |
| `gitlab:dependency_scanning:package_manager` | Namespace for information about the package manager associated with the dependency. |
| `gitlab:dependency_scanning:language` | Namespace for information about the programming language associated with the dependency. |
For vulnerability scanning to produce findings, the following properties are required:

- `gitlab:meta:schema_version` (must be `1`) in `metadata`
- `gitlab:dependency_scanning:input_file:path` in `metadata` or on each component

If `input_file:path` is absent, `source_file:path` is used as a fallback. If neither is present,
no vulnerability findings are produced for those components. On GitLab 18.10 and later, an error
is displayed in the pipeline security tab.
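The precedence rule (component value over `metadata` value) and the `input_file:path` to `source_file:path` fallback described above, as an added example that is not GitLab's own code. The SBOM is constructed for illustration; `resolve`, `effective_value` and `effective_input_file` are hypothetical helper names.

```python
import json

SCHEMA_VERSION = "gitlab:meta:schema_version"
INPUT_FILE = "gitlab:dependency_scanning:input_file:path"
SOURCE_FILE = "gitlab:dependency_scanning:source_file:path"

# Constructed merged SBOM: metadata carries a fallback source file for the npm
# components; the one Ruby component overrides it with its own lock file.
SAMPLE_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {"properties": [
    {"name": "gitlab:meta:schema_version", "value": "1"},
    {"name": "gitlab:dependency_scanning:source_file:path", "value": "package.json"},
    {"name": "gitlab:dependency_scanning:package_manager:name", "value": "npm"}]},
  "components": [
    {"name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
    {"name": "rails", "version": "7.0.4", "purl": "pkg:gem/rails@7.0.4",
     "properties": [
       {"name": "gitlab:dependency_scanning:input_file:path", "value": "Gemfile.lock"},
       {"name": "gitlab:dependency_scanning:package_manager:name", "value": "bundler"}]}]}""")

def props(obj):
    """Flatten a CycloneDX properties array into a name -> value dict."""
    return {p["name"]: p["value"] for p in obj.get("properties", [])}

def effective_value(sbom, component, name):
    """Component-level value wins; a metadata-only value applies to every component."""
    meta, comp = props(sbom.get("metadata", {})), props(component)
    return comp.get(name, meta.get(name))

def effective_input_file(sbom, component):
    """Path used for findings: input_file:path, else source_file:path, else None."""
    path = effective_value(sbom, component, INPUT_FILE)
    return path if path is not None else effective_value(sbom, component, SOURCE_FILE)

def resolve(sbom):
    """Return (errors, {purl: effective path}); a None path means no findings."""
    errors, mapping = [], {}
    if props(sbom.get("metadata", {})).get(SCHEMA_VERSION) != "1":
        errors.append(f"{SCHEMA_VERSION} must be '1' in metadata")
    for comp in sbom.get("components", []):
        key = comp.get("purl") or comp["name"]
        mapping[key] = effective_input_file(sbom, comp)
        if mapping[key] is None:
            errors.append(f"{key}: no {INPUT_FILE} or {SOURCE_FILE}; no findings")
    return errors, mapping

if __name__ == "__main__":
    print(resolve(SAMPLE_SBOM))
```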
## `gitlab:dependency_scanning:input_file` namespace taxonomy

| Property | Description | Example values | Property of |
|---|---|---|---|
| `gitlab:dependency_scanning:input_file:path` | The path, relative to the root of the repository, to the file analyzed to produce the dependency. Usually, the lock file. | `package-lock.json`, `Gemfile.lock`, `go.sum` | `metadata`, `component` |

## `gitlab:dependency_scanning:source_file` namespace taxonomy

| Property | Description | Example values | Property of |
|---|---|---|---|
| `gitlab:dependency_scanning:source_file:path` | The path, relative to the root of the repository, to the file you can edit to manage the dependency. | `package.json`, `Gemfile`, `go.mod` | `metadata`, `component` |

## `gitlab:dependency_scanning:package_manager` namespace taxonomy

| Property | Description | Example values | Property of |
|---|---|---|---|
| `gitlab:dependency_scanning:package_manager:name` | The name of the package manager associated with the dependency. | `npm`, `bundler`, `go` | `metadata`, `component` |

## `gitlab:dependency_scanning:language` namespace taxonomy

| Property | Description | Example values | Property of |
|---|---|---|---|
| `gitlab:dependency_scanning:language:name` | The name of the programming language associated with the dependency. | `JavaScript`, `Ruby`, `Go` | `metadata`, `component` |

## `gitlab:dependency_scanning_component` namespace taxonomy

| Property | Description | Example values | Property of |
|---|---|---|---|
| `gitlab:dependency_scanning_component:reachability` | Identifies if a component is used. | `in_use`, `not_found` | `component` |
## `gitlab:container_scanning` namespace taxonomy

| Namespace | Description |
|---|---|
| `gitlab:container_scanning:image` | Namespace for information about the scanned image. |
| `gitlab:container_scanning:operating_system` | Namespace for information about the operating system associated with the scanned image. |

## `gitlab:container_scanning:image` namespace taxonomy

| Property | Description | Example values | Property of |
|---|---|---|---|
| `gitlab:container_scanning:image:name` | The name of the scanned image. | `registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium/tmp/main` | `metadata`, `component` |
| `gitlab:container_scanning:image:tag` | The tag of the scanned image. | `91d61f07e0a4b3dd34b39d77f47f6f9bf48cde0a` | `metadata`, `component` |

## `gitlab:container_scanning:operating_system` namespace taxonomy

| Property | Description | Example values | Property of |
|---|---|---|---|
| `gitlab:container_scanning:operating_system:name` | The name of the operating system. | `alpine` | `metadata`, `component` |
| `gitlab:container_scanning:operating_system:version` | The version of the operating system. | `3.1.8` | `metadata`, `component` |