Update SBOM spec to indicate compat for syft (#1278)
* Update SBOM spec to indicate compat for syft

This documents the support for syft json added in #1137 

Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net>

* Reword SBOM wording to indicate that the formats are cosign specific

As noted by @VinodAnandan - the previous message may have caused confusion about NTIA recognized formats vs. formats cosign uses. Updating the wording to explicitly call out cosign supported formats.

Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net>
samj1912 committed Jan 6, 2022
1 parent f19f4f7 commit b6aaddc
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion specs/SBOM_SPEC.md
@@ -101,13 +101,14 @@ In this example, the SBOM only refers to a single layer:

## MediaTypes

The two main SBOM formats in use are [SPDX](https://spdx.org) and [CycloneDX](https://cyclonedx.org/).
The SBOM formats supported by cosign are [SPDX](https://spdx.org), [CycloneDX](https://cyclonedx.org/) and [syft](https://github.com/anchore/syft).
The `mediaTypes` for these should be indicated in the `descriptor` for each `layer`.

The `mediaTypes` are:

* `application/vnd.cyclonedx`
* `text/spdx`
* `application/vnd.syft+json` (`syft` is a JSON only format)

These `mediaTypes` can contain format-specific suffixes as well. For example:

