[media-types] Community review for proposed 'application/spdx+json' media type

Rose Judge <rjudge@vmware.com> Fri, 08 October 2021 15:57 UTC

From: Rose Judge <rjudge@vmware.com>
To: "media-types@iana.org" <media-types@iana.org>
CC: Kate Stewart <kstewart@linuxfoundation.org>
Date: Fri, 8 Oct 2021 15:57:03 +0000
Message-ID: <3F3F0650-14F5-44E3-B406-2BF992157BF1@vmware.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/media-types/LK8hKZAUXY6o4oLJu_UgzvqHw00>

Hello,

Please see below for the application for a proposed new media type.

Name: Rose Judge
Email: rjudge@vmware.com

Media type name: application
Media subtype name: spdx+json

Required parameters: N/A

Optional parameters: N/A

Encoding considerations: binary
This media type inherits the encoding considerations for JSON per RFC 8259 (https://datatracker.ietf.org/doc/html/rfc8259#section-8.1).

Security considerations:
This media type inherits the security considerations for JSON per RFC 8259 section 12 (https://tools.ietf.org/html/rfc8259#section-12).

The ExternalRef tag provides linkage to the NVD via CPE. Data stored in SPDX files may contain printf-style format characters that could cause a consuming program to display unintended information.

Interoperability considerations:
The application/spdx+json media type can be distributed free of external systems or processors. Internet text-processing applications will likely consume these documents.

Additionally, this media type inherits the interoperability considerations for JSON per RFC 8259.

Published specification:
Current versions of the specification are available at https://spdx.github.io/spdx-spec/. Historical versions can be found at https://spdx.org/specifications.

The current SPDX JSON schema version is available at https://github.com/spdx/spdx-spec/blob/master/schemas/spdx-schema.json

Applications which use this media type:
This media type is intended to represent a software bill of materials (SBOM) and will be used by tools that produce or consume SBOMs as part of their software build pipeline.

Fragment identifier considerations:
N/A

Restrictions on usage:
The application/spdx+json media type should only be associated with validated SPDX documents that follow the SPDX specification.
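As an added example (not part of this registration request or of the SPDX project's own tooling), the Python below runs the checks a producer would want before labelling a document application/spdx+json: the required top-level fields of the SPDX JSON schema, the shape of a cpe23Type ExternalRef used for the NVD linkage, and any string value carrying printf-style format characters. The sample document, the field shortlist and the simplified CPE 2.3 regex are assumptions; full validation should run the JSON schema linked above.

```python
import json
import re

# Constructed sample SPDX 2.3 JSON document (not taken from the page). One package carries a
# SECURITY/cpe23Type ExternalRef (the NVD linkage) and a comment with printf-style characters.
SAMPLE_SPDX_JSON = json.dumps({
    "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-sbom", "documentNamespace": "https://example.invalid/spdxdocs/example-sbom",
    "creationInfo": {"created": "2021-10-08T15:57:03Z", "creators": ["Tool: example-generator"]},
    "packages": [{"name": "libexample", "SPDXID": "SPDXRef-Package-libexample",
                  "downloadLocation": "NOASSERTION", "comment": "built with %s flags %n",
                  "externalRefs": [{"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
                                    "referenceLocator": "cpe:2.3:a:example:libexample:1.0:*:*:*:*:*:*:*"}]}],
})

REQUIRED_TOP_LEVEL = ("spdxVersion", "dataLicense", "SPDXID", "name", "documentNamespace", "creationInfo")
# printf-style conversion specifier, e.g. %s, %08x, %.2f, %n (assumed pattern, C-style subset)
FORMAT_SPEC = re.compile(r"%[-+ #0]*\d*(?:\.\d+)?[diouxXeEfFgGcspn%]")
# Simplified shape of a CPE 2.3 formatted string: cpe:2.3:<part>: plus ten colon-separated fields
CPE23 = re.compile(r"^cpe:2\.3:[aho]:(?:[^:]*:){9}[^:]*$")

def find_format_specifiers(doc):
    """JSON paths of string values carrying printf-style specifiers: data, never a format string."""
    hits = []
    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}.{key}")
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, f"{path}[{index}]")
        elif isinstance(node, str) and FORMAT_SPEC.search(node):
            hits.append(path)
    walk(doc, "$")
    return hits

def validate_spdx(raw):
    """Sanity checks before serving as application/spdx+json; returns a list of problems (empty = pass)."""
    doc = json.loads(raw)
    problems = [f"missing required field: {f}" for f in REQUIRED_TOP_LEVEL if f not in doc]
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        problems.append("spdxVersion must be of the form SPDX-x.y")
    for pkg in doc.get("packages", []):
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") == "cpe23Type" and (ref.get("referenceCategory") != "SECURITY"
                                                             or not CPE23.match(ref.get("referenceLocator", ""))):
                problems.append(f"malformed cpe23Type reference in {pkg.get('SPDXID')}")
    problems += [f"printf-style format characters in {p}" for p in find_format_specifiers(doc)]
    return problems
```

A consumer that logs or displays SPDX fields should pass them as arguments to its formatting routine, never as the format string itself; the path list from find_format_specifiers tells a reviewer where to look.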

Provisional registration? (standards tree only):
N/A

Additional information:
1. Deprecated alias names for this type: N/A
2. Magic number(s): N/A
3. File extension(s): .spdx.json
4. Macintosh file type code: N/A
5. Object Identifiers: N/A

General Comments:
Software Package Data Exchange® (SPDX®) is an open standard for communicating software bill of materials (SBOM) information including components, licenses, copyrights, and security references. SPDX is internationally recognized as an ISO/IEC JTC 1 standard (ISO/IEC 5962:2021 - https://www.iso.org/standard/81870.html).

Person to contact for further information:
1. Name: Rose Judge
2. Email: rjudge@vmware.com

Intended usage: Common
Intended to be used to enable companies and organizations to share human-readable and machine-processable software package metadata to facilitate secure and compliant software supply chain processes. An SPDX JSON media type will be associated with a particular software package or set of packages and will contain information about it in the SPDX JSON format.

Author/Change controller: kstewart@linuxfoundation.org