Media type for Syft SBoM JSON format #612
Comments
|
Hey @sclevine! Is there another link to that Buildpacks project? The above link sends me to a domain that seems to be for sale. |
|
@spiffcs https://buildpacks.io/ should work :) |
|
Apologies, URI fixed :) |
|
Hey @sclevine — yes, absolutely we need to do this. We were just chatting about this today. There are other needs for Syft "types" coming up, such as in attestations. I saw the issue you linked. It sounds like one suggestion is cc: @wagoodman |
|
Great to hear 😄
That's my suggestion, similar to CycloneDX's
See RFC6838 section 3.2 for details. See other examples here: https://www.iana.org/assignments/media-types/media-types.xhtml#application It would be good practice to register whatever you choose with IANA: |
|
The vendor tree registration process is fairly straightforward. Although it can be a bit daunting trying to grok all the media type registration related RFCs. You should be able to use the application/vnd.cyclonedx+json registration as a pretty good starting point. The good thing, being in JSON, you can basically just reference RFC8259. One thing to note is media type parameters, which you'll see in the CycloneDX media type registrations. You can specify a parameter, like version, as optional. This can help with http content negotiation. i.e. |
@coderpatros Good to know! This will be helpful — we'd like to track versions of the schema, and we do anticipate changes to the data shape. |
|
@sclevine We'll start looking at this registration today. @anchore/tools I propose we use the media type Stephen has suggested: If you have any hesitations about this being our media type name, please let me know immediately! Otherwise let's start the registration process by EOD today (Nov 5). |
|
Thanks @coderpatros for the references - I was able to use the cyclonedx registration as a great base document to pull from. |
|
@spiffcs would you be comfortable associating the file extension .syft.json instead of json with the media type? That would help determine the media type based on the extension/file name more easily. SPDX for eg does this https://www.iana.org/assignments/media-types/application/spdx+json Entirely upto the syft community but it will make it easier to detect and automate tooling around this without passing explicit flags to denote the type, especially wrt support in cosign sbom attach media type detection and eventually when we get to sbom oci artifact support with buildpacks and other container build projects. |
|
+1 for using |
|
Just a quick update here - our submission has been accepted by IANA. |
|
|
|
thanks guys 💪🏻 👏🏻 |
What would you like to be added:
Declaration of an official media type for Syft's JSON SBoM format.
Why is this needed:
Integration with the Cloud Native Buildpacks project, which allows complete SBoM to be generated automatically (e.g., using Syft) during the application build process.
Additional context:
See: buildpacks/lifecycle#755
The CNCF Buildpacks project has an API that allows SBoM files with CycloneDX and SPDX media types to be generated by buildpacks and automatically attached to container images. This allows vulnerability scanning tools that consume SBoMs (like Grype) to match software components to vulnerabilities with a strong guarantee that the SBoMs are complete (due to the contractual nature of the buildpack API). Parts of this model were assessed by the CNCF Security TAG, with notes and details here.
I would like users of Cloud Native Buildpacks to be able to scan buildpack-generated SBoMs with Grype, but Grype currently only supports Syft's JSON format. I'm proposing that Cloud Native Buildpacks add Syft's JSON format as a possible SBoM format, but this requires a defined a media type for Syft's JSON format. I might recommend something like:
application/vnd.syft+json.The text was updated successfully, but these errors were encountered: