(registered 2020-05-04, last updated 2020-05-04)

Name: Rose Judge

Email: rjudge&vmware.com

Media type name: text

Media subtype name: spdx

Required parameters: N/A

Optional parameters: N/A

Encoding considerations: 8bit. The spdx media type must support UTF-8 encoding.

Security considerations: The 'ExternalRef' tag, which may be included in the spdx file, provides coordinates to the NVD via a CPE identifier for the software. If an 'ExternalRef' value is used, it can connect the software referenced by the media type to other tracking systems. Data stored in spdx files may also contain printf-style format characters that could cause a program to display unintended information.

Interoperability considerations: The spdx media type can be distributed free of external systems or processors and is represented in a human-readable format. There are also internet text-processing applications that may consume these documents.

Published specification: Current versions of the specification are available at https://spdx.github.io/spdx-spec/. Historical versions can be found at https://spdx.org/specifications.

Applications which use this media type: An SPDX media type will be associated with a particular software package or set of packages (i.e. containers, applications) and will contain information about the package(s) in accordance with the SPDX spec. In general, companies and organizations will use this media type to share human-readable and machine-processable software package metadata in order to facilitate software supply chain processes. Specifically, this media type may be consumed by proprietary internal company software designed to parse and understand this media type, or by Open Source software designed to interpret and record spdx metadata, such as FOSSology (https://www.fossology.org/).

Applications that generate SPDX documents will inventory a set of software packages, record information about them in spdx format and organize the information in a way that is human-readable or machine-processable. Tern (https://github.com/tern-tools/tern) is an example of a tool that generates SPDX documents for container images. More examples of open source and commercial tools generating and consuming SPDX documents are available; see https://docs.google.com/document/d/1A1jFIYihB-IyT0gv7E_KoSjLbwNGmu_wOXBs6siemXA/edit for a work in progress on enumerating them. The NTIA whitepaper on Existing SBOM Formats and Standards recognizes SPDX as a standard SBoM format; see https://www.ntia.gov/files/ntia/publications/ntia_sbom_formats_and_standards_whitepaper_-_version_20191025.pdf

Fragment identifier considerations: N/A

Restrictions on usage: spdx media types should only be associated with validated SPDX documents that follow the SPDX specification.

Additional information: The "charset" parameter is not used for the defined subtype because the charset information is transported inside the payload.

1. Deprecated alias names for this type: N/A
2. Magic number(s): N/A
3. File extension(s): .spdx
4. Macintosh file type code: N/A
5. Object Identifiers: N/A

General Comments: Software Package Data Exchange® (SPDX®) is an open standard for communicating software bill of materials information (including components, licenses, copyrights, and security references).

Person to contact for further information:

1. Name: Rose Judge
2. Email: rjudge&vmware.com

Intended usage: Common. Intended to be used to enable companies and organizations to share human-readable and machine-processable software package metadata to facilitate software supply chain processes. An SPDX media type will be associated with a particular software package or set of packages and will contain information about it in the SPDX format in accordance with the SPDX specification.

Author/Change controller: Linux Foundation, kstewart&linuxfoundation.org
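The two security considerations above, the 'ExternalRef' coordinates into the NVD and the printf-style characters that can appear in field data, are the concerns a consumer of text/spdx documents has to handle. The following is an added example, not part of the registration and not code from the SPDX project, Tern or FOSSology: a minimal reader for the single-line tag-value form of SPDX 2.2 that pulls out each package's ExternalRef entries, accepts a SECURITY/cpe23Type locator for an NVD lookup only if it is a syntactically well-formed CPE 2.3 string, and renders data values as format arguments rather than as format strings. The sample document, the package names and the malformed locator are constructed for the example; `<text>...</text>` multi-line values and the other SPDX serializations are not handled.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample SPDX 2.2 tag-value document (not describing any real package).
# The last ExternalRef locator deliberately carries printf-style sequences to
# exercise the "format characters in data" consideration from the registration.
SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-container-image
PackageName: openssl
SPDXID: SPDXRef-Package-openssl
PackageVersion: 1.1.1
ExternalRef: SECURITY cpe23Type cpe:2.3:a:openssl:openssl:1.1.1:*:*:*:*:*:*:*
ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/openssl@1.1.1
PackageName: weird-pkg
SPDXID: SPDXRef-Package-weird
ExternalRef: SECURITY cpe23Type %s%n%x:not-a-cpe
"""

# A CPE 2.3 formatted string has exactly 13 colon-separated fields: "cpe",
# "2.3", the part (a, h or o) and ten attribute fields. A colon inside a field
# must be backslash-escaped, which the alternation below allows.
CPE23_RE = re.compile(r"^cpe:2\.3:[aho](?::(?:[^:\\]|\\.)+){10}$")


@dataclass
class ExternalRef:
    package: str   # PackageName the reference belongs to
    category: str  # e.g. SECURITY, PACKAGE-MANAGER
    ref_type: str  # e.g. cpe23Type, purl
    locator: str   # the external identifier itself


def parse_tag_value(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (tag, value) pairs from single-line tag-value SPDX content."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag, sep, value = line.partition(":")
        if not sep:
            continue  # not a tag-value line; a strict validator would reject the document
        yield tag.strip(), value.strip()


def extract_external_refs(text: str) -> List[ExternalRef]:
    """Attach each ExternalRef to the most recent PackageName seen."""
    refs: List[ExternalRef] = []
    package: Optional[str] = None
    for tag, value in parse_tag_value(text):
        if tag == "PackageName":
            package = value
        elif tag == "ExternalRef":
            parts = value.split(None, 2)  # <category> <type> <locator>
            if len(parts) != 3 or package is None:
                continue  # malformed or outside any package; ignore
            refs.append(ExternalRef(package, parts[0], parts[1], parts[2]))
    return refs


def is_valid_cpe23(locator: str) -> bool:
    return CPE23_RE.fullmatch(locator) is not None


def security_cpes(text: str) -> Dict[str, List[str]]:
    """Map package name -> syntactically valid CPE 2.3 locators.

    Malformed locators are dropped here so that whatever performs the NVD
    lookup downstream never receives an unvalidated string from the document.
    """
    out: Dict[str, List[str]] = {}
    for ref in extract_external_refs(text):
        if ref.category == "SECURITY" and ref.ref_type == "cpe23Type":
            if is_valid_cpe23(ref.locator):
                out.setdefault(ref.package, []).append(ref.locator)
    return out


def describe_ref(ref: ExternalRef) -> str:
    """Render a reference for display or logging.

    The document's values are passed as arguments to the format operation and
    never used as the format string, so "%s%n" inside the data stays literal.
    """
    return "%s: %s %s %s" % (ref.package, ref.category, ref.ref_type, ref.locator)


if __name__ == "__main__":
    for ref in extract_external_refs(SAMPLE_SPDX):
        print(describe_ref(ref))
    print(security_cpes(SAMPLE_SPDX))
```

Run against the constructed sample, the openssl CPE is accepted, the `%s%n%x:not-a-cpe` locator is rejected before any lookup, and `describe_ref` prints it unchanged; the same separation of data from format string is what a C consumer gets from `printf("%s", value)` rather than `printf(value)`.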