phendrenad2 8 hours ago

> the security world has been pushing CycloneDX and SPDX

> CycloneDX supports JSON, XML, and YAML

And SPDX is JSON.

Are there any other examples of government-mandated non-human-readable file formats? I feel like bureaucracies have a natural tendency to water down requirements such as this and instead focus on getting wet signatures on pen-and-paper.

Tomte 4 hours ago | parent

Or tag-value, which is actually preferred by many practitioners. Nesting is implicit in that format, but SBOMs should be mostly flat, anyway.

Unfortunately, T-V has been dropped in SPDX 3.0.
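
To make the "nesting is implicit" point concrete, here is a small reader for the SPDX 2.x tag-value form. It is an added example, not code from this thread or from the SPDX project: the document header runs until the first `PackageName:` tag, every `PackageName:` opens a new package block that absorbs the tags after it, and `Relationship:` lines carry the graph edges as flat triples. The sample SBOM, the package names, the `example.invalid` URLs and the function names (`tokenize`, `parse_tag_value`, `dependency_edges`) are all constructed for the illustration.

```python
"""SPDX 2.x tag-value reader (added example; not SPDX project code)."""
import json
import re

# Constructed sample SBOM in SPDX 2.3 tag-value form. The packages, IDs and
# URLs are invented for this example; only the tag names are real SPDX tags.
SAMPLE_TV = """\
SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-app-sbom
DocumentNamespace: https://example.invalid/spdxdocs/example-app-1.0
Creator: Person: Example Maintainer
Created: 2024-01-01T00:00:00Z

# Each PackageName tag opens a new, implicit package block.
PackageName: example-app
SPDXID: SPDXRef-Package-example-app
PackageVersion: 1.0.0
PackageDownloadLocation: NOASSERTION
PackageLicenseConcluded: MIT
PackageComment: <text>Top-level application.
Built from the constructed sample tree.</text>

PackageName: libfoo
SPDXID: SPDXRef-Package-libfoo
PackageVersion: 2.4.1
PackageDownloadLocation: https://example.invalid/libfoo-2.4.1.tar.gz
PackageLicenseConcluded: Apache-2.0

Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-example-app
Relationship: SPDXRef-Package-example-app DEPENDS_ON SPDXRef-Package-libfoo
"""

TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")


def tokenize(text):
    """Yield (tag, value) pairs; <text>...</text> values may span lines."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        m = TAG_RE.match(line)
        if not m:
            raise ValueError(f"not a tag-value line: {line!r}")
        tag, value = m.group(1), m.group(2)
        if value.startswith("<text>") and not value.endswith("</text>"):
            # Multi-line free text: collect until the closing </text>.
            parts = [value[len("<text>"):]]
            while i < len(lines) and not lines[i].endswith("</text>"):
                parts.append(lines[i])
                i += 1
            if i == len(lines):
                raise ValueError(f"unterminated <text> for tag {tag}")
            parts.append(lines[i][:-len("</text>")])
            i += 1
            value = "\n".join(parts)
        elif value.startswith("<text>"):
            value = value[len("<text>"):-len("</text>")]
        yield tag, value


def parse_tag_value(text):
    """Group tags into the document header, package blocks and relationships.

    The only structure is positional: tags before the first PackageName belong
    to the document, tags after a PackageName belong to that package.
    """
    doc = {"document": {}, "packages": [], "relationships": []}
    current = doc["document"]
    for tag, value in tokenize(text):
        if tag == "PackageName":
            current = {"PackageName": value}
            doc["packages"].append(current)
        elif tag == "Relationship":
            src, rel, dst = value.split()
            doc["relationships"].append({"from": src, "type": rel, "to": dst})
        else:
            current[tag] = value
    return doc


def dependency_edges(doc):
    """Return (from, to) pairs for DEPENDS_ON relationships."""
    return [(r["from"], r["to"])
            for r in doc["relationships"] if r["type"] == "DEPENDS_ON"]


if __name__ == "__main__":
    # The same content, serialized as JSON once the implicit blocks are explicit.
    print(json.dumps(parse_tag_value(SAMPLE_TV), indent=2))
```

Running the module prints the JSON rendering of the same SBOM, which is the trade-off the comments above are discussing: the tag-value text is easy to write by hand, but any tooling has to reconstruct the package boundaries from tag order rather than reading them from the syntax.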

zvr 4 hours ago | parent

It was dropped exactly because it was flat and it was becoming completely unmanageable.

SPDX v3 is based on a graph model that can represent hierarchies natively. It can then be serialized in a file, for example, in JSON format.

Tomte 3 hours ago | parent

But it was the best format for manually creating an SBOM.

Most SBOM use cases don't need the ability to put your detailed software architecture in the SBOM.