CycloneDX / specification

OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. SBOM, SaaSBOM, HBOM, AI/ML-BOM, CBOM, OBOM, MBOM, VDR, and VEX
https://cyclonedx.org/
Apache License 2.0

character encoding in JSON BOMs #469

Open gernot-h opened 1 month ago

gernot-h commented 1 month ago

After asking myself whether I need to support any encoding besides UTF-8 when consuming CycloneDX JSON BOMs, I stumbled over https://mobiarch.wordpress.com/2022/12/10/lets-talk-about-json-and-character-encoding/.

With https://github.com/CycloneDX/specification/blob/1.6/schema/bom-1.6.xsd and the XML examples using UTF-8, I wonder whether some downstream users also assume CycloneDX JSON BOMs are always UTF-8 encoded, while RFC 7159 also allows UTF-16 and UTF-32 in LE/BE flavors.

So perhaps it would be good to add a clarifying sentence about expected/recommended/required encodings to https://cyclonedx.org/specification/overview/, wdyt?

jkowalleck commented 2 weeks ago

The CycloneDX JSON implementation utilizes the JSON spec, and therefore all of the JSON spec applies, including the encoding.

I do not see a need to give people hints on how JSON works, as it is an external standard.

gernot-h commented 1 week ago

> The CycloneDX JSON implementation utilizes the JSON spec, and therefore all of the JSON spec applies, including the encoding.
>
> I do not see a need to give people hints on how JSON works, as it is an external standard.

Well, as written above, this was just meant as a hint to downstream users and tool developers, who are probably not aware of all JSON aspects either, that they should support all allowed encodings, or that SBOMs SHOULD be encoded in UTF-8, or whatever you consider right(tm). The blog article above or, e.g., the lengthy discussion in https://docs.python.org/3/library/json.html#character-encodings show that this is probably not a topic everyone is aware of...
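A BOM consumer of the kind discussed in this thread, as an added example that is not code from the CycloneDX project: it detects the encoding of a JSON BOM from the NUL-byte pattern described in RFC 7159 section 8.1 (or a leading byte-order mark) before parsing, so UTF-16 and UTF-32 inputs in either byte order are accepted, not only UTF-8. The minimal CycloneDX BOM and the helper names are constructed for the example.

```python
import json

# Constructed minimal CycloneDX 1.6 JSON BOM (sample data, not a real project's BOM).
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "version": 1,
    "components": [{"type": "library", "name": "libfoo", "version": "1.2.3"}],
}

def encode_bom(bom: dict, encoding: str) -> bytes:
    """Serialise a BOM dict in the given Unicode encoding (a producer-side helper)."""
    return json.dumps(bom).encode(encoding)

def detect_json_encoding(data: bytes) -> str:
    """Detect the Unicode encoding of a JSON document per RFC 7159 section 8.1.

    JSON text is Unicode and its first two characters are always ASCII, so the
    positions of NUL bytes in the first four octets identify the encoding.
    A byte-order mark, if present, is honoured and stripped by the codec.
    """
    if data.startswith(b"\xef\xbb\xbf"):
        return "utf-8-sig"
    # UTF-32 BOMs start with the UTF-16 BOM bytes, so test them first.
    if data.startswith((b"\xff\xfe\x00\x00", b"\x00\x00\xfe\xff")):
        return "utf-32"
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return "utf-16"
    head = data[:4].ljust(4, b"\x01")  # pad short input with a non-NUL byte
    if head[0] == 0 and head[1] == 0 and head[2] == 0:
        return "utf-32-be"  # 00 00 00 xx
    if head[1] == 0 and head[2] == 0 and head[3] == 0:
        return "utf-32-le"  # xx 00 00 00
    if head[0] == 0:
        return "utf-16-be"  # 00 xx 00 xx
    if head[1] == 0:
        return "utf-16-le"  # xx 00 xx 00
    return "utf-8"

def load_bom(data: bytes) -> dict:
    """Decode a CycloneDX JSON BOM in any RFC 7159 encoding and sanity-check it."""
    bom = json.loads(data.decode(detect_json_encoding(data)))
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX BOM")
    return bom
```

Python 3.6+ performs the same detection internally when `json.loads` is handed `bytes`; the explicit version above shows what a consumer in a language without that convenience has to do.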