(registered 2021-01-28, last updated 2021-01-28) Media type name: application Media subtype name: vnd.cyclonedx+xml Required parameters: N/A Optional parameters: charset This parameter has semantics identical to the charset parameter of the "application/xml" media type as specified in [RFC7303]. version The version parameter refers to the CycloneDX specification version in use. version = 1*DIGIT "." 1*DIGIT Encoding considerations: binary This media type has all of the same encoding considerations of application/xml as described in [RFC7303]. Security considerations: This media type has all of the same security considerations of application/xml as described in [RFC7303]. Additional care should be taken when processing the attachedTextType elements diff, license element text and swid element text. Although the contents should be text, an application processing them should not assume the encoded content is text. Especially if using an external application or system to view or further process the contents of these elements. Depending on the operational context of the device or software being described by the SBOM there may be additional security requirements. These may include, but are not limited to, encryption at rest, encryption in transit and restrictions on the transmission of the SBOM to 3rd parties. These additional requirements are considered out of scope for the specification. And will typically be enforced by contract or copyright terms. Interoperability considerations: This media type has the same interoperability considerations of application/xml as described in [RFC7303]. Published specification: The specification can be found on the CycloneDX website, https://cyclonedx.org/ The current schema version, 1.2, can be found at https://github.com/CycloneDX/specification/blob/605e262/schema/bom-1.2.xsd Applications which use this media: This media type is used to specify a software bill of materials. It will be used by tools that produce SBOMs either during the software build process or as a result of software composition analysis. It will also be used by tools that consume SBOMs for software supply chain, component, supplier, license and vulnerability analysis. Fragment identifier considerations: N/A Restrictions on usage: N/A Additional information: 1. Deprecated alias names for this type: N/A 2. Magic number(s): N/A 3. File extension(s): .xml 4. Macintosh file type code: N/A 5. Object Identifiers: N/A General Comments: Person to contact for further information: 1. Name: Patrick Dwyer 2. Email: patrick.dwyer&owasp.org Intended usage: Common CycloneDX is an open source software bill of materials specification. And is intended to be exchanged between different parties of the software supply chain. Author/Change controller: Patrick Dwyer, on behalf of CycloneDX