(registered 2021-11-03, updated 2021-11-03)

Media type name: application

Media subtype name: spdx+json

Required parameters: N/A

Optional parameters: N/A

Encoding considerations: binary
   This media type inherits the encoding considerations for JSON per RFC 8259 section 8.1 (https://datatracker.ietf.org/doc/html/rfc8259#section-8.1).

Security considerations:
   The ExternalRef tag provides linkage to the NVD via CPE. This format does not include any embedded digital signatures for integrity verification of elements or for providing non-repudiation. If such services are desired, they need to be provided by external transport and storage mechanisms. SPDX documents don't allow embedding executable content. Additionally, this media type inherits the security considerations for JSON per RFC 8259 section 12.

Interoperability considerations:
   The application/spdx+json media type can be distributed free of external systems or processors. Internet text-processing applications will likely consume these documents. Additionally, this media type inherits the interoperability considerations for JSON per RFC 8259.

Published specification:
   Current versions of the specification are available at https://spdx.github.io/spdx-spec/. Historical versions can be found at https://spdx.org/specifications. The current SPDX JSON schema version is available at https://github.com/spdx/spdx-spec/blob/master/schemas/spdx-schema.json

Applications that use this media type:
   This media type is intended to represent a software bill of materials (SBOM) and will be used by tools that produce or consume SBOMs as part of their software build and distribution pipeline.

Fragment identifier considerations: N/A

Restrictions on usage:
   The application/spdx+json media type should only be associated with validated SPDX documents that follow the SPDX specification.

Additional information:
   1. Deprecated alias names for this type: N/A
   2. Magic number(s): N/A
   3. File extension(s): .spdx.json
   4. Macintosh file type code: N/A
   5. Object Identifiers: N/A

General Comments:
   Software Package Data Exchange® (SPDX®) is an open standard for communicating software bill of materials (SBOM) information including components, licenses, copyrights, and security references. It is internationally recognized as an ISO/IEC JTC 1 standard (ISO/IEC 5962:2021 - https://www.iso.org/standard/81870.html).

Person to contact for further information:
   1. Name: Rose Judge
   2. Email: rjudge&vmware.com

Intended usage: Common
   SPDX is an open standard. It is intended to be used to enable companies and organizations to share human-readable and machine-processable software package metadata to facilitate secure and compliant software supply chain processes. An SPDX JSON media type will be associated with a particular software package or set of packages and will contain information about it in the SPDX JSON format.

Author/Change controller: kstewart&linuxfoundation.org - The Linux Foundation
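The security considerations above say two things a consumer has to act on: the format carries no embedded signature, so integrity must come from an external mechanism, and the media type should only be attached to documents that actually follow the SPDX specification. The following is an added example (not part of the IANA registration or of the SPDX project) of a consumer-side check that does both: it tests the top-level members the SPDX 2.2 JSON schema requires and verifies a detached SHA-256 digest delivered alongside the file. The sample document, its namespace URL and the digest sidecar are constructed for illustration; a real deployment would obtain the expected digest (or a signature) from a trusted out-of-band channel.

```python
"""Consumer-side checks for an application/spdx+json document (added example).

1. Structural validation: the top-level members the SPDX 2.2 JSON schema marks
   as required, plus the document-level SPDXID value the spec fixes.
2. Integrity: the format has no embedded signature, so compare the bytes
   against a detached digest obtained out of band.
"""
import hashlib
import hmac
import json

# Top-level members required by the SPDX 2.2 JSON schema.
REQUIRED_TOP_LEVEL = ("spdxVersion", "dataLicense", "SPDXID", "name",
                      "documentNamespace", "creationInfo")


def validate_spdx_document(raw: bytes) -> list:
    """Return a list of problems; an empty list means the checks passed."""
    problems = []
    try:
        doc = json.loads(raw)
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["top-level value must be a JSON object"]
    for key in REQUIRED_TOP_LEVEL:
        if key not in doc:
            problems.append(f"missing required field {key!r}")
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        problems.append("spdxVersion must look like 'SPDX-2.2'")
    if doc.get("SPDXID") != "SPDXRef-DOCUMENT":
        problems.append("document SPDXID must be 'SPDXRef-DOCUMENT'")
    info = doc.get("creationInfo")
    if isinstance(info, dict):
        for key in ("created", "creators"):
            if key not in info:
                problems.append(f"creationInfo missing {key!r}")
    # ExternalRefs of type cpe23Type are how the document links to the NVD;
    # make sure any present locator is at least a CPE 2.3 string.
    for pkg in doc.get("packages", []):
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") == "cpe23Type" and \
                    not str(ref.get("referenceLocator", "")).startswith("cpe:2.3:"):
                problems.append(f"package {pkg.get('SPDXID')!r} has malformed CPE locator")
    return problems


def sha256_hex(raw: bytes) -> str:
    """Hex SHA-256 of the exact bytes received (no re-serialisation)."""
    return hashlib.sha256(raw).hexdigest()


def verify_detached_digest(raw: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of the document digest with a sidecar value."""
    return hmac.compare_digest(sha256_hex(raw), expected_hex.strip().lower())


def accept_document(raw: bytes, expected_hex: str) -> tuple:
    """Combined decision: (accepted, list of reasons for rejection)."""
    reasons = []
    if not verify_detached_digest(raw, expected_hex):
        reasons.append("detached digest does not match document bytes")
    reasons.extend(validate_spdx_document(raw))
    return (not reasons, reasons)


# Constructed minimal SPDX 2.2 document (illustrative values, not a real SBOM).
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.2",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-sbom",
    "documentNamespace": "https://example.invalid/spdxdocs/example-sbom-0001",
    "creationInfo": {"created": "2021-11-03T00:00:00Z",
                     "creators": ["Tool: example-generator"]},
    "packages": [{
        "name": "libexample",
        "SPDXID": "SPDXRef-Package-libexample",
        "downloadLocation": "NOASSERTION",
        "externalRefs": [{"referenceCategory": "SECURITY",
                          "referenceType": "cpe23Type",
                          "referenceLocator": "cpe:2.3:a:example:libexample:1.0:*:*:*:*:*:*:*"}],
    }],
}, indent=2).encode()

# Constructed sidecar: in practice this value arrives over a trusted channel.
SAMPLE_SIDECAR_DIGEST = sha256_hex(SAMPLE_SPDX)

if __name__ == "__main__":
    print(accept_document(SAMPLE_SPDX, SAMPLE_SIDECAR_DIGEST))
    print(accept_document(SAMPLE_SPDX + b"\n", SAMPLE_SIDECAR_DIGEST))
```

The digest is computed over the bytes as received rather than over re-serialised JSON: a single appended newline is enough to fail the check, which is the intended behaviour when the trust anchor is an external digest of the exact file.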