Expected media type for spdx json/xml documents

[sambhav]

Hello SPDX team. We are trying to integrate spdx support in buildpacks. One of the things that we had a question about was the appropriate media type for spdx documents. It looks like the IANA media type for spdx is registered as text/spdx. Looking at the entry document this seems to be specifically for the spdx tag format. https://www.iana.org/assignments/media-types/text/spdx What is the expected media type for json/xml spdx documents?

text/spdx+json or text/spdx+xml based on https://en.wikipedia.org/wiki/Media_type#Suffix Or would all of them be text/spdx?

Wondering as we were looking at some other sbom formats on the list

CycloneDX seems to have

application/vnd.cyclonedx+json and application/vnd.cyclonedx+xml respectively.
. Swid seems to have application/swid+xml

Any guidance here would be greatly appreciated.

[sambhav]

cc: @nishakm maybe you can help?

[nishakm]

@rnjudge Applied on behalf of SPDX. We could also apply for something like application/org.spdx+json. It's something we can bring up in the next SPDX tech meeting.

[rnjudge]

@samj1912 Yes, the current IANA SPDX type was intended to represent tag-value format with the intention being to re-visit adding other formats in the future so I suppose the future is upon us :) Definitely worth raising at the next meeting and I would be happy to lead this effort. Thanks for surfacing this.

[rnjudge]

Hi @samj1912 - just wanted to update you that I will open an application to add SPDX JSON/XML IANA media types this week.

[rnjudge]

The application/spdx+json media type is officially approved and recorded with IANA: https://www.iana.org/assignments/media-types/application/spdx+json.

After discussing with a few SPDX folks, it was determined that the XML schema needs further review before officially submitting to IANA. I am having conversations around this now and will try to report back with an estimated time frame for when we can expect this.

[nishakm]

This is excellent news! Thanks @rnjudge for pushing this through!
cc: @SteveLasker for OCI mediaTypes

[kestewart]

Rose discussed: Only missing media type is now XML. Need to get follow up for @zvr for review.

[bact]

Media type information page on IANA also has a field about file extension.
The tag:value SPDX text file has an extension of ".spdx" in IANA.

For JSON, in SPDX 2.3 spec it suggests ".spdx.json"
https://spdx.github.io/spdx-spec/v2.3/conformance/#44-standard-data-format-requirements
-- which is the same as specified in https://www.iana.org/assignments/media-types/application/spdx+json

For SPDX 3, there's no suggested file extension in the spec

• Suggested naming convention for SPDX v3 files #987
  (but as it is also a JSON, can we assume ".spdx.json" as well? -- although SPDX 2 and SPDX 3 have different JSON format)