From b6aaddc05cbf04819221f9c7084399d4615b9d27 Mon Sep 17 00:00:00 2001 From: Sambhav Kothari Date: Thu, 6 Jan 2022 19:38:41 +0000 Subject: [PATCH] Update SBOM spec to indicate compat for syft (#1278) * Update SBOM spec to indicate compat for syft This documents the support for syft json added in #1137 Signed-off-by: Sambhav Kothari * Reword SBOM wording to indicate that the formats are cosign specific As noted by @VinodAnandan - the previous message may have caused confusion about NTIA recorgnized formats v/s formats cosign uses. Updating the wording to explicitly call out cosign supported formats. Signed-off-by: Sambhav Kothari --- specs/SBOM_SPEC.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/specs/SBOM_SPEC.md b/specs/SBOM_SPEC.md index 782ef04f328..9ba685de570 100644 --- a/specs/SBOM_SPEC.md +++ b/specs/SBOM_SPEC.md @@ -101,13 +101,14 @@ In this example, the SBOM only refers to a single layer: ## MediaTypes -The two main SBOM formats in use are [SPDX](https://spdx.org) and [CycloneDX](https://cyclonedx.org/). +The SBOM formats supported by cosign are [SPDX](https://spdx.org), [CycloneDX](https://cyclonedx.org/) and [syft](https://github.com/anchore/syft). The `mediaTypes` for these should be indicated in the `descriptor` for each `layer`. The `mediaTypes` are: * `application/vnd.cyclonedx` * `text/spdx` +* `application/vnd.syft+json` (`syft` is a JSON only format) These `mediaTypes` can contain format-specific suffixes as well. For example:
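Review bot: The new bullet `application/vnd.syft+json` lists the type with its `+json` suffix already attached, while the two existing bullets (`application/vnd.cyclonedx`, `text/spdx`) are listed without one and the very next sentence says "These `mediaTypes` can contain format-specific suffixes as well. For example:". A reader can reasonably conclude that `application/vnd.syft` is the base type and `+json` is an optional suffix, which contradicts the "JSON only" remark. Suggest either listing the base type consistently or stating explicitly that for syft the `+json` suffix is mandatory, e.g. `* application/vnd.syft+json` (the syft format is JSON only, so the suffix is always present). In the changed prose line, `[syft](https://github.com/anchore/syft)` links to the tool rather than to a format specification; "syft's native JSON format" would make clear that this is the tool's own output format, not a third standardised SBOM format alongside SPDX and CycloneDX.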