CycloneDX / cyclonedx-property-taxonomy

A taxonomy of all official CycloneDX property namespaces and names

Home Page:https://cyclonedx.github.io/cyclonedx-property-taxonomy/


[PROPOSAL] Namespace syntax should support standardized URN syntax for direct usage

mrutkows opened this issue · comments

It is a common practice to construct namespaces using URNs to describe resources (e.g., tag or classify resources such as components, tools, and the like). It is designed to avoid collisions and also be used to construct URIs and URLs which are also common means to encode a plurality of identifiers.

See:

Some examples lifted from the linked Wikipedia document include:

urn:isan:0000-0000-2CEA-0000-1-0000-0000-Y // Book ID
urn:microsoft:adfs:claimsxray           // MS federated ID
urn:epc:id:gdti:0614141.12345.400  // Global Doc ID

As you can see, namespaces are constructed in an urn:<org>:<domain>:<subdomain>:<...>:<value> manner; this should be allowed by syntax.

This issue requests that the syntax for CDX namespace should support URN syntax. My primary concern is that its allowed character set (pattern) would not be rejected. From current syntax, multiple ":" colon characters are strictly disallowed.

Hoping we allow direct transfer of widely adopted URNs into properties within CDX, as many companies use them in some form for federated identity and/or taxonomy classification systems.

Ideally, if you indeed want simplicity, an aliasing methodology can be used (e.g., as in many schema strategies) to define a local document use of, for example:

  • alias: xyz:
  • full URN: urn:http://company.xyz.com

Additionally, it should be noted that URNs are designed not to require registration as designers would construct them using unique pathing; as managing a global registration system can become untenable. Registration of values or IDs should be managed by the namespace owners.

This is a great idea IMO

The full set of URN does not actually make sense here, right? As the property describes a "kind", not a dedicated value, right?

As you wrote, @mrutkows

namespaces are constructed in an urn:<org>:<domain>:<subdomain>:<...>:<value> manner

I would argue that the value must not be part of the property.

This means, in CycloneDX you would go - property=value-like with
urn:<org>:<domain>:<subdomain>:<...>:<name>=<value>

which makes me think: why don't you just go with my-namespace:<name>=urn:<org>:<domain>:<subdomain>:<...>:<value>.
Meaning: use your URN as a value, not a property-name, and all is good.

What do you think, @mrutkows, @coderpatros?

can we close this, @mrutkows?