Add migration guides for latest apis

Natalie Arellano · Natalie Arellano · commit 93b84896489b · 2021-11-18T16:28:08.000-05:00
Signed-off-by: Natalie Arellano &lt;narellano@vmware.com&gt;
diff --git a/content/docs/reference/spec/buildpack-api.md b/content/docs/reference/spec/buildpack-api.md
@@ -129,7 +129,7 @@ A buildpack must contain a `buildpack.toml` file in its root directory.
 ### Example
 
 ```
-api = "0.5"
+api = "0.7"
 
 [buildpack]
 id = "example.com/python"
@@ -163,6 +163,27 @@ The schema is as follows:
 
     - **`clear-env`** _(boolean, optional, default: `false`)_\
     Clears user-defined environment variables when `true` on executions of `bin/detect` and `bin/build`.
+    
+    - **`homepage`** _(string, optional)_\
+    Buildpack homepage.
+    
+    - **`description`** _(string, optional)_\
+    A short description of the buildpack.
+    
+    - **`keywords`** _(string(s), optional)_\
+    Keywords to help locate the buildpack. These can be useful if publishing to the [Buildpack Registry](https://registry.buildpacks.io/).
+    
+    - **`sbom-formats`** _(string(s), optional)_\
+    SBOM formats output by the buildpack. Supported values are the following media types: `application/vnd.cyclonedx+json`, `application/spdx+json`, and `application/vnd.syft+json`.
+    
+    - **`licenses`** _(list, optional)_\
+    A list of licenses pertaining to the buildpack.
+    
+        - **`type`** _(string, optional)_\
+        The type of the license. This may use the [SPDX 2.1 license expression](https://spdx.org/spdx-specification-21-web-version), but it is not limited to identifiers in the [SPDX Licenses List](https://spdx.org/licenses/). If the buildpack is using a nonstandard license, then the `uri` key may be specified in lieu of or in addition to `type` to point to the license.
+    
+        - **`uri`** _(string, optional)_\
+        A URL or path to the license.
 
 - **`stacks`** _(list, optional)_\
     A list of stacks supported by the buildpack.
diff --git a/content/docs/reference/spec/migration/buildpack-api-0.6-0.7.md b/content/docs/reference/spec/migration/buildpack-api-0.6-0.7.md
@@ -0,0 +1,36 @@
++++
+title="Buildpack API 0.6 -> 0.7"
++++
+
+<!--more-->
+
+This guide is most relevant to buildpack authors.
+
+See the [spec release](https://github.com/buildpacks/spec/releases/tag/buildpack%2Fv0.7) for buildpack API 0.7 for the full list of changes and further details.
+
+### New standardized SBOM format
+
+Buildpacks may write Software Bill of Materials (SBOM) files describing build- or run-time dependencies. These files must use the `application/vnd.cyclonedx+json`, `application/spdx+json`, or `application/vnd.syft+json` media types (a buildpack may output SBOM files in multiple formats). Files may be written to the following locations:
+
+* `<layers>/<layer>.sbom.<ext>` - for describing dependencies associated with a layer
+  * Example (launch layer): libraries that were included in an output compiled binary (e.g., `go` libraries in a `go` binary)
+  * Example (build layer): tools like a package manager
+* `<layers>/launch.sbom.<ext>` - for describing run-time dependencies not associated with a layer
+  * Example: dependencies installed in the `/workspace` directory
+* `<layers>/build.sbom.<ext>` - for describing build-time dependencies not associated with a layer
+  * Example: build time configuration
+
+Valid `<ext>` extensions are as follows:
+ | SBOM Media Type                  | File Extension
+ |----------------------------------|----------------------------------------------
+ | `application/vnd.cyclonedx+json` | `cdx.json`
+ | `application/spdx+json`          | `spdx.json`
+ | `application/vnd.syft+json`      | `syft.json`
+
+SBOM files for launch will be included in the application image if the platform api supports it; SBOM files for build may be saved off by the platform prior to the build container exiting. Layer-associated SBOM files will be cached and restored to the buildpack layers directory on re-builds of the same image (much like the `<layers>/<layer>.toml` metadata file).
+
+The `[bom]` tables in launch.toml and build.toml are no longer supported.
+
+### New fields in buildpack descriptor
+
+* A `sbom-formats` array indicating the SBOM formats output by the buildpack.
diff --git a/content/docs/reference/spec/migration/platform-api-0.7-0.8.md b/content/docs/reference/spec/migration/platform-api-0.7-0.8.md
@@ -0,0 +1,48 @@
++++
+title="Platform API 0.7 -> 0.8"
++++
+
+<!--more-->
+
+This guide is most relevant to platform operators.
+
+See the [spec release](https://github.com/buildpacks/spec/releases/tag/platform%2Fv0.8) for platform API 0.8 for the full list of changes and further details.
+
+## Platform Operator
+
+### New standardized SBOM format
+
+Buildpacks implementing Buildpack API 0.7+ may output write Software Bill of Materials (SBOM) files describing build- or run-time dependencies. These files must use the `application/vnd.cyclonedx+json`, `application/spdx+json`, or `application/vnd.syft+json` media types (a buildpack may output SBOM files in multiple formats). Files may be written to the following locations:
+                                                      
+* `<layers>/<buildpack-id>/<layer>.sbom.<ext>` - for describing dependencies associated with a layer
+* `<layers>/<buildpack-id>/launch.sbom.<ext>` - for describing run-time dependencies not associated with a layer
+* `<layers>/<buildpack-id>/build.sbom.<ext>` - for describing build-time dependencies not associated with a layer
+
+Valid `<ext>` extensions are as follows:
+ | SBOM Media Type                  | File Extension
+ |----------------------------------|----------------------------------------------
+ | `application/vnd.cyclonedx+json` | `cdx.json`
+ | `application/spdx+json`          | `spdx.json`
+ | `application/vnd.syft+json`      | `syft.json`
+
+#### Launch
+ 
+SBOM files for launch will be included in the application image at the following locations:
+
+* `<layers>/<buildpack-id>/<layer>.sbom.<ext>` (as written by the buildpack) is moved to `<layers>/sbom/launch/<buildpack-id>/<layer>/sbom.<ext>` for launch layers
+* `<layers>/<buildpack-id>/launch.sbom.<ext>` (as written by the buildpack) is moved to `<layers>/sbom/launch/<buildpack-id>/sbom.<ext>`
+
+The platform can retrieve the digest of the layer containing the SBOM files by reading the `sbom` key from the `io.buildpacks.lifecycle.metadata` label.
+
+#### Build
+
+SBOM files for build will be available in the build container at the following locations:
+
+* `<layers>/<buildpack-id>/<layer>.sbom.<ext>` (as written by the buildpack) is moved to `<layers>/sbom/build/<buildpack-id>/<layer>/sbom.<ext>` for non-launch layers
+* `<layers>/<buildpack-id>/build.sbom.<ext>` (as written by the buildpack) is moved to `<layers>/sbom/build/<buildpack-id>/sbom.<ext>`
+
+Note that the `<layers>/sbom/build` directory is NOT present in the application image. It may be saved off by the platform prior to the build container exiting.
+
+#### Backwards compatibility - older buildpacks
+
+Platforms can continue to retrieve BOM information output by buildpacks implementing Buildpack API < 0.7 by reading the `bom` key in the `io.buildpacks.build.metadata` label (for run-time dependencies), and by saving off report.toml prior to the build container exiting (for build-time dependencies). 
