
Bom Post API should accept sbom payload as Base64 (URL Safe) encoded format.

Open rvsoni opened this issue 3 years ago • 2 comments

A BOM POST API should accept a BOM payload in Base64 (URL-safe) encoded format.

The Dependency-Track application also accepts BOM JSON as Base64-encoded data.

The project CycloneDX/cyclonedx-bom-repo-server implemented its POST API to accept it as plain text.

Curl sample from CycloneDX/cyclonedx-bom-repo-server:

```bash
# Plain (unencoded) CycloneDX JSON body; the JSON is single-quoted so its
# double quotes survive the shell.
curl -X POST "https://www.example.com/bom" \
  -H "accept: */*" \
  -H "Content-Type: application/vnd.cyclonedx+json; version=1.3" \
  -d '{"bomFormat":"CycloneDX","specVersion":"1.3","serialNumber":"urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79","version":1,"components":[{"type":"library","name":"acme-library","version":"1.0.0"}]}'
```

rvsoni avatar May 25 '22 16:05 rvsoni

Is this an implementation issue or a requirement we should add to our specification?

oej avatar Aug 20 '24 06:08 oej

@oej - I think we should circle back to this once we have a more complete draft of the TEA Specification. FWIW, my starting view would be that the Content-Type header should dictate the body payload format - so if there is a requirement for body payloads to be, for example CycloneDX JSON (Base64 Encoded), then I'd expect the Content-Type header to include the fact the payload is Base64 encoded.

~~Would this also be use case for the Content-Encoding header? (although base64 does not seem to be a registered value)~~

Perhaps we just need to extend the Content-Type with additional sub-type parameter? see here. CycloneDX does this already to specify the CycloneDX Schema Version.

As far as I am aware, the CycloneDX specification has not included a consideration for this. I have not been able to find equivalent details for SPDX.

madpah avatar Nov 11 '24 10:11 madpah
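To make the "Content-Type dictates the body format" idea concrete, here is an added Python example (not code from the TEA project or from anyone in this thread) of a server-side decoder that accepts either plain CycloneDX JSON or a URL-safe Base64 body, selected only by the Content-Type header. It assumes a hypothetical `encoding=base64url` media-type parameter alongside the existing CycloneDX `version` parameter; the sample BOM is constructed from the curl example above.

```python
import base64
import binascii
import json
from email.message import Message

# Constructed sample, taken from the curl example in this thread.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.3",
    "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
    "version": 1,
    "components": [{"type": "library", "name": "acme-library", "version": "1.0.0"}],
}

def parse_content_type(header):
    """Split a Content-Type header into (media type, {param: value})."""
    m = Message()
    m["Content-Type"] = header
    # get_params() returns [(media_type, ''), (param, value), ...]
    params = {k.lower(): v for k, v in m.get_params()[1:]}
    return m.get_content_type(), params

def encode_bom_body(bom):
    """Client side: unpadded URL-safe Base64 of the JSON document."""
    return base64.urlsafe_b64encode(json.dumps(bom).encode()).rstrip(b"=")

def decode_bom_body(content_type, body):
    """Server side: return the BOM dict, or raise ValueError on any mismatch."""
    media_type, params = parse_content_type(content_type)
    if media_type != "application/vnd.cyclonedx+json":
        raise ValueError(f"unsupported media type: {media_type}")
    encoding = params.get("encoding", "identity")  # hypothetical parameter
    if encoding == "identity":
        raw = body
    elif encoding == "base64url":
        text = body.decode("ascii").strip()
        padded = text + "=" * (-len(text) % 4)  # tolerate stripped padding
        try:
            raw = base64.urlsafe_b64decode(padded)
        except binascii.Error as exc:
            raise ValueError("body is not valid URL-safe Base64") from exc
    else:
        raise ValueError(f"unsupported encoding parameter: {encoding}")
    bom = json.loads(raw)  # a Base64 body under 'identity' fails here
    # The declared CycloneDX version must match what the document says.
    if bom.get("bomFormat") != "CycloneDX" or bom.get("specVersion") != params.get("version"):
        raise ValueError("BOM format/version does not match Content-Type")
    return bom
```

Because the decoder never sniffs the body, a Base64 payload sent with the plain media type is rejected rather than silently accepted.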