-
Notifications
You must be signed in to change notification settings - Fork 133
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SPDX version 2.3 support #537
Comments
We are eagerly anticipating the release of the SPDX 3.0 spec (may be soon! 😉). |
In SPDX 2.3, new features include optional fields for Primary Package Purpose, support for additional hashing algorithms (SHA3-256, SHA3-384, SHA3-512, BLAKE2b-256, BLAKE2b-384, BLAKE2b-512, BLAKE3, ADLER32), new relationship types (REQUIREMENT_DESCRIPTION_FOR and SPECIFICATION_FOR), package fields for ValidUntilDate, and expanded external repository identifiers in Security (introducing advisory, fix, URL, and SWID categories). Note that most fields remain optional, and compliance with SPDX 2.3 doesn't require mandatory use of new fields, making SPDX 2.3 documents backward compatible with SPDX 2.2. For BSI compliance, the following fields are more of a challenge:
|
Any idea when support for spdx 2.3 will be added to the tool? |
Hmm.. the Version 3 of spdx was released: https://spdx.github.io/spdx-spec/v3.0/. |
Also interested in finding out about sbom-tool support for spdx 2.3 output if anybody can provide any details or ETA (if any) I realize the 3.0 spec is also out however spdx 2.3 output is what we are currently looking to use at the moment - thanks for any info |
@jlperkins Bumping this since there was no activity on this for a while. The new SPDX version was released. Any idea when the new version will be available in the SBOM tool? |
We are still actively working on the tool but these updates have been pushed back such that we no longer have a ETA |
@bobmartin3000 fyi |
|
According to the documentation and output files, the format of the SPDX document is in version 2.2 ("spdxVersion": "SPDX-2.2")
However, according to the German Federal Office for Information Security (BSI), SPDX documents must be version 2.3 or higher to meet the requirements.
Source: BSI-TR-03183-2.pdf
Are there any plans to update the sbom-tool to output version 2.3 documents?
The text was updated successfully, but these errors were encountered: