
character encoding in JSON BOMs

Open gernot-h opened this issue 1 year ago • 2 comments

After asking myself whether I need to support any encoding besides UTF-8 when consuming CycloneDX JSON BOMs, I stumbled upon https://mobiarch.wordpress.com/2022/12/10/lets-talk-about-json-and-character-encoding/.

With https://github.com/CycloneDX/specification/blob/1.6/schema/bom-1.6.xsd and the XML examples using UTF-8, I wonder whether some downstream users also assume CycloneDX JSON BOMs are always UTF-8 encoded, while RFC 7159 also allows UTF-16 and UTF-32 in LE/BE flavors.

So perhaps it would be good to add a clarifying sentence about expected/recommended/required encodings to https://cyclonedx.org/specification/overview/, wdyt?

gernot-h avatar May 27 '24 12:05 gernot-h

The CycloneDX JSON implementation utilizes the JSON spec, and therefore all of the JSON spec applies, including the encoding.

I do not see a need to hint to people how JSON works, as it is an external standard.

jkowalleck avatar Jun 14 '24 16:06 jkowalleck

> The CycloneDX JSON implementation utilizes the JSON spec, and therefore all of the JSON spec applies, including the encoding.
>
> I do not see a need to hint to people how JSON works, as it is an external standard.

Well, as written above, this was just meant as a hint to downstream users and tool developers who are probably not aware of all JSON aspects either, that they should support all allowed encodings, or that SBOMs SHOULD be encoded in UTF-8, or whatever you consider right(tm). The blog article above or e.g. the lengthy discussion in https://docs.python.org/3/library/json.html#character-encodings shows that this is probably not a topic everyone is aware of...

gernot-h avatar Jun 18 '24 11:06 gernot-h
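The point raised in the opening post and the last reply is that a consumer which simply does `data.decode("utf-8")` will choke on a JSON BOM that a producer legitimately emitted as UTF-16 or UTF-32 (with or without a byte-order mark). The following is an added example, not code from the CycloneDX project or from either participant: it implements the encoding detection described in RFC 4627 section 3 / RFC 7159 section 8.1 (JSON text begins with ASCII characters, so the NUL-byte pattern in the first four octets reveals the encoding), strips a leading U+FEFF, and parses the result. The sample BOM and its non-ASCII supplier name are constructed for the example; `detect_json_encoding`, `load_bom_json`, `naive_utf8_loads` and `encode_variants` are names chosen here.

```python
import json

# Constructed minimal CycloneDX-style BOM (not a real project's BOM).
# The non-ASCII supplier name makes the byte encoding actually matter.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "metadata": {"supplier": {"name": "Beispiel GmbH Zürich"}},
    "components": [{"type": "library", "name": "libexample", "version": "1.0"}],
}

# Byte-order marks, longest first so "ff fe 00 00" (UTF-32LE) is not mistaken
# for "ff fe" (UTF-16LE).
BOMS = (
    (b"\x00\x00\xfe\xff", "utf-32-be"),
    (b"\xff\xfe\x00\x00", "utf-32-le"),
    (b"\xfe\xff", "utf-16-be"),
    (b"\xff\xfe", "utf-16-le"),
    (b"\xef\xbb\xbf", "utf-8-sig"),  # Python codec that strips the UTF-8 BOM
)


def detect_json_encoding(data: bytes) -> str:
    """Return the codec name for a JSON text, following the RFC 4627 §3 heuristic.

    A BOM wins if present. Otherwise, because JSON text starts with ASCII
    characters, the positions of NUL bytes in the first four octets identify
    the encoding:
        00 00 00 xx -> UTF-32BE     xx 00 00 00 -> UTF-32LE
        00 xx 00 xx -> UTF-16BE     xx 00 xx 00 -> UTF-16LE
        xx xx xx xx -> UTF-8
    """
    for bom, codec in BOMS:
        if data.startswith(bom):
            return codec
    head = data[:4]
    if len(head) >= 4:
        if head[0] == 0 and head[1] == 0 and head[2] == 0:
            return "utf-32-be"
        if head[1] == 0 and head[2] == 0 and head[3] == 0:
            return "utf-32-le"
    if len(head) >= 2:
        if head[0] == 0 and head[1] != 0:
            return "utf-16-be"
        if head[0] != 0 and head[1] == 0:
            return "utf-16-le"
    return "utf-8"


def load_bom_json(data: bytes) -> dict:
    """Decode a JSON BOM in any RFC 7159 encoding and parse it."""
    text = data.decode(detect_json_encoding(data))
    # The utf-16-*/utf-32-* codecs keep a leading BOM as U+FEFF; json rejects it.
    if text.startswith("\ufeff"):
        text = text[1:]
    return json.loads(text)


def naive_utf8_loads(data: bytes):
    """A consumer that assumes UTF-8. Returns the parsed object on success,
    or the name of the exception it died with."""
    try:
        return json.loads(data.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        return type(exc).__name__


def encode_variants(obj: dict) -> dict:
    """Serialise obj once and emit it in every encoding RFC 7159 permits,
    some with and some without a BOM. Byte order is fixed explicitly so the
    output does not depend on the host's endianness."""
    text = json.dumps(obj, ensure_ascii=False)
    return {
        "utf-8": text.encode("utf-8"),
        "utf-8-bom": text.encode("utf-8-sig"),
        "utf-16-le": text.encode("utf-16-le"),
        "utf-16-be-bom": b"\xfe\xff" + text.encode("utf-16-be"),
        "utf-32-be": text.encode("utf-32-be"),
        "utf-32-le-bom": b"\xff\xfe\x00\x00" + text.encode("utf-32-le"),
    }


if __name__ == "__main__":
    for label, blob in encode_variants(SAMPLE_BOM).items():
        print(f"{label:14} detected={detect_json_encoding(blob):10} "
              f"robust_ok={load_bom_json(blob) == SAMPLE_BOM} "
              f"naive={naive_utf8_loads(blob) if isinstance(naive_utf8_loads(blob), str) else 'ok'}")
```

Of the six variants only plain UTF-8 survives the naive path; every other one fails either in `decode` (0xFE/0xFF or a non-ASCII code unit is not valid UTF-8) or in `json.loads` (embedded NUL bytes, or the leading U+FEFF that the UTF-8 BOM decodes to). Since Python 3.6 the standard library's `json.loads` accepts `bytes` directly and performs this same detection internally, so `json.loads(blob)` is the shortest correct consumer in Python; the hand-written detector above shows what that convenience hides, which is what a consumer written in another language has to reproduce.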