From ac46408936e8c03d53ece23b2b7b0616e0858491 Mon Sep 17 00:00:00 2001 From: Sajay Antony <1821104+sajayantony@users.noreply.github.com> Date: Wed, 17 Nov 2021 10:58:13 -0800 Subject: [PATCH] Merge pull request from GHSA-pwmf-hvvc-mxm3 * Revert "Fix artifactType examples" This reverts commit 4580f939819af60a641b1230cd59ba161049c09c. * Revert "Remove mediatype from artifact manifest" This reverts commit c1fcb68243174c4174499cf1a85ace455ca0505c. * Update as per draft v1.0.0-draft.1 Signed-off-by: Sajay Antony --- artifact-manifest.md | 4 ++++ examples/net-monitor-image-nydus-ondemand-loading.json | 1 + examples/net-monitor-image-sbom.json | 2 ++ examples/net-monitor-image-signature.json | 1 + examples/oci-image-artifact.json | 3 ++- scenarios.md | 3 +++ specs-go/v1/manifest.go | 3 +++ 7 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/artifact-manifest.md b/artifact-manifest.md
index 42cacc3..482a3e2 100644
--- a/artifact-manifest.md
+++ b/artifact-manifest.md
@@ -12,6 +12,10 @@ This section defines the `application/vnd.cncf.oras.artifact.manifest.v1+json` m
 The `artifact.manifest` provides an optional collection of `blobs`, an optional reference to the manifest of another artifact and an `artifactType` to differentiate different types of artifacts (such as signatures, sboms and security scan results)
+- **`mediaType`** *string*
+
+ This field contains the `mediaType` of this document, differentiating from [image-manifest][oci-image-manifest-spec] and [image-index][oci-image-index]. The `mediaType` for this manifest type MUST be `application/vnd.cncf.oras.artifact.manifest.v1+json`, where the version WILL change to reflect newer versions.
+
 - **`artifactType`** *string*
 The REQUIRED `artifactType` is a unique value, as registered with [iana.org][registering-iana].
diff --git a/examples/net-monitor-image-nydus-ondemand-loading.json b/examples/net-monitor-image-nydus-ondemand-loading.json
index 32c3c1b..7f84f8a 100644
--- a/examples/net-monitor-image-nydus-ondemand-loading.json
+++ b/examples/net-monitor-image-nydus-ondemand-loading.json
@@ -1,4 +1,5 @@
 {
+ "mediaType": "application/vnd.cncf.oras.artifact.manifest.v1+json",
 "artifactType": "application/vnd.cncf.nydus.v1",
 "blobs": [
 {
diff --git a/examples/net-monitor-image-sbom.json b/examples/net-monitor-image-sbom.json
index e66f335..e933efa 100644
--- a/examples/net-monitor-image-sbom.json
+++ b/examples/net-monitor-image-sbom.json
@@ -1,4 +1,5 @@
 {
+ "mediaType": "application/vnd.cncf.oras.artifact.manifest.v1+json",
 "artifactType": "sbom/example",
 "blobs": [
 {
@@ -16,3 +17,4 @@
 "example.sbom.author": "wabbit-networks.io"
 }
 }
+
diff --git a/examples/net-monitor-image-signature.json b/examples/net-monitor-image-signature.json
index fda113c..2ff7bd4 100644
--- a/examples/net-monitor-image-signature.json
+++ b/examples/net-monitor-image-signature.json
@@ -1,4 +1,5 @@
 {
+ "mediaType": "application/vnd.cncf.oras.artifact.manifest.v1+json",
 "artifactType": "application/vnd.cncf.notary.v2",
 "blobs": [
 {
diff --git a/examples/oci-image-artifact.json b/examples/oci-image-artifact.json
index 34f74ae..6b776b7 100644
--- a/examples/oci-image-artifact.json
+++ b/examples/oci-image-artifact.json
@@ -1,4 +1,5 @@
 {
+ "mediaType": "application/vnd.cncf.oras.artifact.manifest.v1+json",
 "artifactType": "application/vnd.oci.image.manifest.v1+json",
 "blobs": [
 {
@@ -17,4 +18,4 @@
 "size": 226
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/scenarios.md b/scenarios.md
index f2cf6b4..40fd464 100644
--- a/scenarios.md
+++ b/scenarios.md
@@ -92,6 +92,7 @@ Following the [oras.artifact.manifest][artifact-manifest-spec] spec, a signature
 - **tag**: _-none-_
 ```json
 {
+ "mediaType": "application/vnd.cncf.oras.artifact.manifest.v1+json",
 "artifactType": "application/vnd.cncf.notary.v2",
 "blobs": [
 {
@@ -123,6 +124,7 @@ The SBoM content would be persisted as one or more `[blobs]` with a `subject` re
 - **tag**: _-none-_
 ```json
 {
+ "mediaType": "application/vnd.cncf.oras.artifact.manifest.v1+json",
 "artifactType": "sbom/example",
 "blobs": [
 {
@@ -151,6 +153,7 @@ The `net-monitor:v1` SBoM may also be signed, providing yet another leaf node.
 - **tag**: _-none-_
 ```json
 {
+ "mediaType": "application/vnd.cncf.oras.artifact.manifest.v1+json",
 "artifactType": "application/vnd.cncf.notary.v2",
 "blobs": [
 {
diff --git a/specs-go/v1/manifest.go b/specs-go/v1/manifest.go
index 67ded90..fceee79 100644
--- a/specs-go/v1/manifest.go
+++ b/specs-go/v1/manifest.go
@@ -17,6 +17,9 @@ package v1
 // Manifest describes an ORAS artifact.
 // This structure provides `application/vnd.oras.artifact.manifest.v1+json` mediatype when marshalled to JSON.
 type Manifest struct {
+ // MediaType is the media type of the object this schema refers to.
+ MediaType string `json:"mediaType"`
+
 // ArtifactType is the artifact type of the object this schema refers to.
 ArtifactType string `json:"artifactType"`
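Review bot: The doc comment on `Manifest` in specs-go/v1/manifest.go still names `application/vnd.oras.artifact.manifest.v1+json`, while the spec text and every example in this patch set `mediaType` to `application/vnd.cncf.oras.artifact.manifest.v1+json`; a consumer who copies the string from the Go comment into a comparison will reject valid manifests or end up dropping the check. The comment on the new field is also generic for a field whose stated purpose is to tell this document apart from an image manifest or image index; I would write `// MediaType MUST be "application/vnd.cncf.oras.artifact.manifest.v1+json"; consumers should reject a manifest whose mediaType is empty or is not the type they expected.` Nothing visible in the hunk enforces the value on decode (an absent field unmarshals to `""`), so validation is presumably left to callers and the comment is the place to say so. The struct body continues outside the hunk.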