v2.3
v2.3 adds new fields that improve the ability to capture security-related information and improve interoperability with other SBOM formats.
Key changes include:
- Added fields to Clause 7 (Package Information) to describe "Primary Package Purpose" and to standardize recording of "Built Date", "Release Date" and "Valid Until Date".
- Added hash algorithms (SHA3-256, SHA3-384, SHA3-512, BLAKE2b-256, BLAKE2b-384, BLAKE2b-512, BLAKE3, ADLER32) to the set recognized by 7.10 (Package Checksum field) and 8.4 (File Checksum field).
- Update Clauses 7, 8 and 9 to make several of the licensing properties optional rather than requiring the use of "NOASSERTION" when no value is provided.
- Update Clause 11 to add the new relationship types: REQUIREMENT_DESCRIPTION_FOR and SPECIFICATION_FOR.
- Update Annex B (License matching guidelines and templates) to use the License List XML format.
- Update Annex F (External Repository Identifiers) to expand security references to include advisory, fix, URL and SWID, and to expand persistent identifiers to include gitoid.
- Update Annex G (SPDX Lite Profile) to include the NTIA SBOM mandatory minimum fields as required.
- Update Annex H to document how snippet information is recorded in files, consistent with REUSE recommendations.
- Added Annex K (How To Use SPDX in Different Scenarios) to illustrate linking to external security information and to show how the NTIA SBOM mandatory minimum elements map to SPDX fields.
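The two additions to Clause 7 and to the checksum fields above are easiest to see in tag-value form. The following is an added example written for these release notes, not code from the SPDX project: it emits `PackageChecksum:` / `FileChecksum:` lines for the algorithms new in 2.3 that the Python standard library can compute (BLAKE3 is omitted because `hashlib` does not provide it), verifies such a line against content, and builds a package stanza carrying `PrimaryPackagePurpose`, `BuiltDate`, `ReleaseDate` and `ValidUntilDate`. The sample bytes and package name are constructed for the example. One caveat a consumer should keep in mind: ADLER32 is a 32-bit checksum for detecting accidental corruption, not a cryptographic hash, so a matching ADLER32 value says nothing about tampering.

```python
"""SPDX 2.3 tag-value helpers for the checksum algorithms and package fields added in 2.3.

Added example, not SPDX project code. Standard library only, so BLAKE3 is not
included. Sample content below is constructed for illustration.
"""
import hashlib
import hmac
import zlib
from datetime import datetime

# SPDX 2.3 algorithm name -> (hex digest producer, expected hex length).
# ADLER32 is a checksum, not a cryptographic hash: it only detects accidental
# corruption and must not be used as evidence that content was not tampered with.
ALGORITHMS = {
    "SHA256": (lambda d: hashlib.sha256(d).hexdigest(), 64),
    "SHA3-256": (lambda d: hashlib.sha3_256(d).hexdigest(), 64),
    "SHA3-384": (lambda d: hashlib.sha3_384(d).hexdigest(), 96),
    "SHA3-512": (lambda d: hashlib.sha3_512(d).hexdigest(), 128),
    "BLAKE2b-256": (lambda d: hashlib.blake2b(d, digest_size=32).hexdigest(), 64),
    "BLAKE2b-384": (lambda d: hashlib.blake2b(d, digest_size=48).hexdigest(), 96),
    "BLAKE2b-512": (lambda d: hashlib.blake2b(d, digest_size=64).hexdigest(), 128),
    "ADLER32": (lambda d: format(zlib.adler32(d) & 0xFFFFFFFF, "08x"), 8),
}

# Allowed values of PrimaryPackagePurpose in SPDX 2.3.
PRIMARY_PACKAGE_PURPOSES = {
    "APPLICATION", "FRAMEWORK", "LIBRARY", "CONTAINER", "OPERATING-SYSTEM",
    "DEVICE", "FIRMWARE", "SOURCE", "ARCHIVE", "FILE", "INSTALL", "OTHER",
}

# Constructed sample content standing in for a package file.
SAMPLE = b"hello spdx\n"


def checksum_lines(tag: str, data: bytes, algorithms=None) -> list:
    """Return lines such as 'FileChecksum: SHA3-256: <hex>' for the given algorithms.

    tag is 'PackageChecksum' (7.10) or 'FileChecksum' (8.4).
    """
    if tag not in ("PackageChecksum", "FileChecksum"):
        raise ValueError("unsupported checksum tag: %s" % tag)
    names = algorithms or list(ALGORITHMS)
    return ["%s: %s: %s" % (tag, name, ALGORITHMS[name][0](data)) for name in names]


def parse_checksum_line(line: str) -> tuple:
    """Split 'Tag: ALGO: hex' into (tag, algorithm, hex), checking the digest length."""
    tag, algorithm, value = (part.strip() for part in line.split(":", 2))
    if algorithm not in ALGORITHMS:
        raise ValueError("unrecognized algorithm: %s" % algorithm)
    expected = ALGORITHMS[algorithm][1]
    value = value.lower()
    if len(value) != expected or any(c not in "0123456789abcdef" for c in value):
        raise ValueError("%s digest must be %d hex characters" % (algorithm, expected))
    return tag, algorithm, value


def verify(line: str, data: bytes) -> bool:
    """Recompute the digest named in an SPDX checksum line and compare in constant time."""
    _, algorithm, value = parse_checksum_line(line)
    return hmac.compare_digest(ALGORITHMS[algorithm][0](data), value)


def _check_date(field: str, value: str) -> str:
    # SPDX dates are UTC in the form YYYY-MM-DDThh:mm:ssZ.
    datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
    return "%s: %s" % (field, value)


def package_stanza(name: str, purpose: str, built: str, released: str,
                   valid_until: str, data: bytes) -> list:
    """Build a minimal Clause 7 stanza using the fields added in SPDX 2.3."""
    if purpose not in PRIMARY_PACKAGE_PURPOSES:
        raise ValueError("invalid PrimaryPackagePurpose: %s" % purpose)
    lines = ["PackageName: %s" % name, "PrimaryPackagePurpose: %s" % purpose,
             _check_date("BuiltDate", built), _check_date("ReleaseDate", released),
             _check_date("ValidUntilDate", valid_until)]
    # Record a strong hash alongside ADLER32 so consumers are not left with only a checksum.
    lines += checksum_lines("PackageChecksum", data, ["SHA3-256", "BLAKE2b-512", "ADLER32"])
    return lines


if __name__ == "__main__":
    for line in package_stanza("example-lib", "LIBRARY", "2022-11-01T12:00:00Z",
                               "2022-11-02T12:00:00Z", "2024-11-02T12:00:00Z", SAMPLE):
        print(line)
```

Running the module prints a stanza whose checksum lines can be fed back to `verify()` together with the original bytes; a consumer that accepts only the ADLER32 line gets corruption detection but no integrity guarantee, which is why the stanza always carries at least one cryptographic hash.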
Thanks to all the contributors to the 2.3 release:
- @lastthyme
- @goneall
- @seabass-labrax
- @fu7mu4
- @Jayman2000
- @tsteenbe
- @jlovejoy
- @swinslow
- @rnjudge
- @kestewart
- @tschmidtb51
- @nishakm
- @NorioKobota
- @hfukuchi
- @Cynical-Optimist
- @henkbirkholz
- @vargenau
- @AevaOnline
- @ivanayov
- @MarkLodato
- @silverhook
- @HansBusch
- @iamwillbar
- @zvr
- @puerco
- @alilleybrinker
Full Changelog: v2.2.2...v2.3