
Expected media type for spdx json/xml documents

Open sambhav opened this issue 4 years ago • 8 comments

Hello SPDX team. We are trying to integrate spdx support in buildpacks. One of the things that we had a question about was the appropriate media type for spdx documents. It looks like the IANA media type for spdx is registered as text/spdx. Looking at the entry document this seems to be specifically for the spdx tag format. https://www.iana.org/assignments/media-types/text/spdx What is the expected media type for json/xml spdx documents?

text/spdx+json or text/spdx+xml based on https://en.wikipedia.org/wiki/Media_type#Suffix Or would all of them be text/spdx?

Wondering as we were looking at some other sbom formats on the list

CycloneDX seems to have application/vnd.cyclonedx+json and application/vnd.cyclonedx+xml respectively. Swid seems to have application/swid+xml

Any guidance here would be greatly appreciated.

sambhav avatar Sep 24 '21 00:09 sambhav

cc: @nishakm maybe you can help?

sambhav avatar Sep 24 '21 00:09 sambhav

@rnjudge Applied on behalf of SPDX. We could also apply for something like application/org.spdx+json. It's something we can bring up in the next SPDX tech meeting.

nishakm avatar Sep 24 '21 01:09 nishakm

@samj1912 Yes, the current IANA SPDX type was intended to represent tag-value format with the intention being to re-visit adding other formats in the future so I suppose the future is upon us :) Definitely worth raising at the next meeting and I would be happy to lead this effort. Thanks for surfacing this.

rnjudge avatar Sep 24 '21 03:09 rnjudge

Hi @samj1912 - just wanted to update you that I will open an application to add SPDX JSON/XML IANA media types this week.

rnjudge avatar Oct 04 '21 17:10 rnjudge

The application/spdx+json media type is officially approved and recorded with IANA: https://www.iana.org/assignments/media-types/application/spdx+json.

After discussing with a few SPDX folks, it was determined that the XML schema needs further review before officially submitting to IANA. I am having conversations around this now and will try to report back with an estimated time frame for when we can expect this.

rnjudge avatar Nov 03 '21 23:11 rnjudge

This is excellent news! Thanks @rnjudge for pushing this through! cc: @SteveLasker for OCI mediaTypes

nishakm avatar Nov 04 '21 13:11 nishakm

Rose discussed: Only missing media type is now XML. Need to get follow up for @zvr for review.

kestewart avatar Mar 15 '22 16:03 kestewart