From 319c6ee2eb3155082edb0686cefd33edf8de6cab Mon Sep 17 00:00:00 2001 From: Christopher Angelo Phillips <32073428+spiffcs@users.noreply.github.com> Date: Wed, 10 Nov 2021 11:28:47 -0500 Subject: [PATCH] document current draft for iana submission (#618) * document current draft for IANA submission Signed-off-by: Christopher Angelo Phillips --- schema/json/vnd.syft+json | 70 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 70 insertions(+) create mode 100644 schema/json/vnd.syft+json diff --git a/schema/json/vnd.syft+json b/schema/json/vnd.syft+json new file mode 100644 index 000000000..2a318a57f --- /dev/null +++ b/schema/json/vnd.syft+json 
@@ -0,0 +1,70 @@ +(registered 2021-11-05, last updated 2021-11-05) + +Media type name: application +Media subtype name: vnd.syft+json + +Required parameters: N/A + +Optional parameters: +version + +The version parameter refers to the Syft specification version in use. + +version = 1*DIGIT "." 1*DIGIT "." 1*DIGIT + +Encoding considerations: binary +This media type has all of the same encoding considerations of +application/json as described in [RFC8259] + + +Security considerations: +This media type has all of the same security +considerations of application/json as described in [RFC8259]. + +Depending on the operational context of the device or software being described by the SBOM there may be additional security requirements. These may include but are not limited to, encryption at rest, encryption in transit, and restrictions on the transmission of the SBOM to 3rd parties. These additional requirements are considered out of scope for the specification. They will typically be enforced by contract or copyright terms. + + +Interoperability considerations: +This media type has the same interoperability considerations of application/json as described in [RFC8259]. + +Published specification: +The specification can be found on the main Syft GitHub repository under the schema directory https://github.com/anchore/syft/blob/main/schema/json + +Applications which use this media: +This media type is used to specify a software bill of materials. +It will be used by tools that produce SBOMs either during the software build process or as a result of software composition analysis. + +It will also be used by tools that consume SBOMs for software +supply chain, component, supplier, license, and vulnerability +analysis. + +Fragment identifier considerations: +N/A + +Restrictions on usage: +N/A + +Provisional registration? (standards tree only): +N/A + +Additional information: + +1. Deprecated alias names for this type: N/A +2. Magic number(s): N/A +3. 
File extension(s): .syft.json +4. Macintosh file type code: N/A +5. Object Identifiers: N/A + +General Comments: + + +Person to contact for further information: + +1. Name: Dan Luhring +2. Email: dan.luhring@anchore.com + +Intended usage: Common +The Syft SBOM format is an open-source software bill of materials specification. It is intended to be exchanged between different parties of the software supply chain. + + +Author/Change controller: Dan Luhring, on behalf of Anchore
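Review bot: the Security considerations paragraph covers confidentiality (encryption at rest, in transit, restrictions on transmission to third parties) but says nothing about integrity or authenticity of the SBOM, even though the Applications section states that consumers will use this type for supplier, license and vulnerability analysis, where a tampered or substituted document directly changes the result; suggest adding a sentence stating that the media type itself provides no integrity or origin protection and that consumers should verify the document through an out-of-band signature or checksum before acting on it. Two smaller points in the same registration text: "Fragment identifier considerations: N/A" is better stated as "the same as for application/json", since the +json structured-syntax suffix in RFC 6839 directs that fragment identifiers follow application/json; and "Published specification" points at the schema directory as a whole while the version parameter is defined as `1*DIGIT "." 1*DIGIT "." 1*DIGIT`, so state how a version value maps to a specific schema file in that directory.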