Determine custom CycloneDX properties and create taxonomy

Why are we doing this work

We're going to use metadata properties in order to include source information inside CycloneDX reports. These properties should be well-defined and documented.

The CycloneDX specification for the field says:

Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the CycloneDX Property Taxonomy. Formal registration is OPTIONAL.

Relevant links

Non-functional requirements

  • Documentation:
  • Feature flag:
  • Performance:
  • Testing:

Implementation plan

  1. Create gitlab-org/security-products/gitlab-cyclonedx-property-taxonomy project
  2. Create a taxonomy defining the properties that GitLab uses
  3. Register the gitlab namespace in the CycloneDX property taxonomy, and link back to our own taxonomy.
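The spec quoted above makes two points that matter when consuming these reports: properties are a name-value store where the same name may appear more than once, and names are conventionally prefixed with a registered namespace. The following is an added example, not code from this issue or from any GitLab project: it parses the `metadata.properties` array of a constructed minimal CycloneDX document, keeps duplicate names intact, and checks every name in the `gitlab` namespace against a taxonomy. The taxonomy contents and the `gitlab:example:*` property names are placeholders; the real names would be those defined in the taxonomy project this plan proposes.

```python
"""Validate CycloneDX metadata properties against a namespaced taxonomy.

Added example, not part of the original issue or any GitLab project code.
The taxonomy entries and property names below are constructed placeholders.
"""
import json
from collections import defaultdict

# Constructed taxonomy: namespace prefix -> set of documented property names.
# Real names would come from the taxonomy project the issue proposes.
TAXONOMY = {
    "gitlab": {
        "gitlab:example:source_file",   # hypothetical placeholder
        "gitlab:example:pipeline_id",   # hypothetical placeholder
    },
}

# Constructed minimal CycloneDX document with a metadata properties array.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {
        "properties": [
            # Duplicate names are valid per the spec: each carries its own value.
            {"name": "gitlab:example:source_file", "value": "Gemfile.lock"},
            {"name": "gitlab:example:source_file", "value": "package-lock.json"},
            {"name": "gitlab:example:pipeline_id", "value": "12345"},
            # A gitlab-namespaced name that the taxonomy does not document.
            {"name": "gitlab:undocumented", "value": "x"},
            # A name in a namespace this taxonomy does not govern; ignored.
            {"name": "cdx:foo", "value": "bar"},
        ]
    },
    "components": [],
})


def load_properties(bom_json):
    """Return metadata properties as a list of (name, value) tuples.

    A list rather than a dict, because the spec allows duplicate names and
    collapsing them into a dict would silently drop values.
    """
    bom = json.loads(bom_json)
    props = bom.get("metadata", {}).get("properties", [])
    return [(p["name"], p["value"]) for p in props]


def group_by_name(properties):
    """Group values under each name, preserving duplicates and their order."""
    grouped = defaultdict(list)
    for name, value in properties:
        grouped[name].append(value)
    return dict(grouped)


def namespace_of(name):
    """Names are conventionally 'namespace:rest'; return the namespace or None."""
    ns, sep, _ = name.partition(":")
    return ns if sep else None


def check_taxonomy(properties, taxonomy=TAXONOMY):
    """Return names in a governed namespace that the taxonomy does not document.

    Names in namespaces the taxonomy does not govern are left alone, so a
    report may still carry properties from other registered namespaces.
    """
    unknown = set()
    for name, _ in properties:
        ns = namespace_of(name)
        if ns in taxonomy and name not in taxonomy[ns]:
            unknown.add(name)
    return sorted(unknown)


if __name__ == "__main__":
    props = load_properties(SAMPLE_BOM)
    print(group_by_name(props))
    print("undocumented:", check_taxonomy(props))
```

Keeping the properties as a list of pairs is the design choice worth noting: a consumer that loads them into a plain dictionary keyed by name will keep only the last value for a duplicated name, which for a property recording source files would drop inputs without any error. The taxonomy check is what registration in a property taxonomy buys a consumer: any `gitlab:`-prefixed name that is not documented can be flagged rather than silently accepted.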

Verification steps