Comment by phendrenad2
10 hours ago
> the security world has been pushing CycloneDX and SPDX
> CycloneDX supports JSON, XML, and YAML
And SPDX is JSON.
Are there any other examples of government-mandated non-human-readable file formats? I feel like bureaucracies have a natural tendency to water down requirements such as this and instead focus on getting wet signatures on pen-and-paper.
Or tag-value, which is actually preferred by many practitioners. Nesting is implicit in that format, but SBOMs should be mostly flat, anyway.
Unfortunately, T-V has been dropped in SPDX 3.0.
It was dropped exactly because it was flat and it was becoming completely unmanageable.
SPDX v3 is based on a graph model that can represent hierarchies natively. It can then be serialized in a file, for example, in JSON format.
But it was the best format for manually creating an SBOM.
Most SBOM use cases don't need the ability to put your detailed software architecture in the SBOM.
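The thread contrasts SPDX 2.x tag-value (flat, nesting implied by where a `PackageName:` line appears) with the JSON serialization. The following is an added example, not code from the thread or from the SPDX project: a small parser that reads a constructed tag-value document, recovers the implicit package grouping, builds the DEPENDS_ON graph from `Relationship:` lines, and flags relationship endpoints that reference no declared SPDXID (a consumer-side check worth running on any hand-written SBOM). It is deliberately simplified: it does not handle multi-line `<text>` values or file sections, and the sample document, its names, and its namespace URL are invented for the example.

```python
import json
import re

# Constructed sample SPDX 2.x tag-value document (not from the thread).
# Note how there is no explicit nesting: every tag after a PackageName
# line belongs to that package until the next PackageName line.
SAMPLE_TV = """\
SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-app-sbom
DocumentNamespace: https://example.invalid/sbom/example-app
Creator: Tool: handwritten

PackageName: example-app
SPDXID: SPDXRef-Package-app
PackageVersion: 1.4.2
PackageDownloadLocation: NOASSERTION

PackageName: libfoo
SPDXID: SPDXRef-Package-libfoo
PackageVersion: 0.9.1
PackageDownloadLocation: NOASSERTION

Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-app
Relationship: SPDXRef-Package-app DEPENDS_ON SPDXRef-Package-libfoo
"""

# One "Tag: value" line; the value may itself contain colons (e.g. Creator).
TAG_LINE = re.compile(r"^([A-Za-z]+):\s*(.*)$")


def parse_tag_value(text):
    """Turn flat tag-value lines into a nested, JSON-ready dict."""
    doc = {"packages": [], "relationships": []}
    current = doc  # document-level tags until the first PackageName
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = TAG_LINE.match(line)
        if not m:
            raise ValueError(f"not a tag-value line: {raw!r}")
        tag, value = m.group(1), m.group(2)
        if tag == "PackageName":
            # A new PackageName starts a new implicit package section.
            current = {"PackageName": value}
            doc["packages"].append(current)
        elif tag == "Relationship":
            parts = value.split()
            if len(parts) != 3:
                raise ValueError(f"malformed relationship: {value!r}")
            left, rel_type, right = parts
            doc["relationships"].append({
                "spdxElementId": left,
                "relationshipType": rel_type,
                "relatedSpdxElement": right,
            })
        else:
            current[tag] = value
    return doc


def dependency_graph(doc):
    """Adjacency list of DEPENDS_ON edges keyed by SPDXID."""
    graph = {}
    for r in doc["relationships"]:
        if r["relationshipType"] == "DEPENDS_ON":
            graph.setdefault(r["spdxElementId"], []).append(r["relatedSpdxElement"])
    return graph


def dangling_references(doc):
    """SPDXIDs used in relationships that no element in the document declares."""
    known = {doc.get("SPDXID")} | {p.get("SPDXID") for p in doc["packages"]}
    used = set()
    for r in doc["relationships"]:
        used.add(r["spdxElementId"])
        used.add(r["relatedSpdxElement"])
    return used - known


def to_json(doc):
    """Serialize the recovered structure; the nesting is now explicit."""
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    parsed = parse_tag_value(SAMPLE_TV)
    print(to_json(parsed))
    print("deps:", dependency_graph(parsed))
    print("dangling:", dangling_references(parsed))
```

The same information round-trips into JSON because the graph edges are already explicit in the `Relationship:` lines; what tag-value leaves implicit is only the grouping of tags into elements, which is why a single misplaced `PackageName:` line silently moves every following tag into the wrong package.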