SPDX version 2.3 support #537
Comments
We are eagerly anticipating the release of the SPDX 3.0 spec (may be soon! 😉).

In SPDX 2.3, new features include optional fields for Primary Package Purpose, support for additional hashing algorithms (SHA3-256, SHA3-384, SHA3-512, BLAKE2b-256, BLAKE2b-384, BLAKE2b-512, BLAKE3, ADLER32), new relationship types (REQUIREMENT_DESCRIPTION_FOR and SPECIFICATION_FOR), package fields for ValidUntilDate, and expanded external repository identifiers in Security (introducing advisory, fix, URL, and SWID categories). Note that most fields remain optional, and compliance with SPDX 2.3 doesn't require mandatory use of new fields, making SPDX 2.3 documents backward compatible with SPDX 2.2. For BSI compliance, the following fields are more of a challenge:
Any idea when support for SPDX 2.3 will be added to the tool?

Hmm.. Version 3 of SPDX was released: https://spdx.github.io/spdx-spec/v3.0/.

Also interested in finding out about sbom-tool support for SPDX 2.3 output, if anybody can provide any details or ETA (if any). I realize the 3.0 spec is also out; however, SPDX 2.3 output is what we are currently looking to use at the moment. Thanks for any info.

@jlperkins Bumping this since there was no activity on this for a while. The new SPDX version was released. Any idea when the new version will be available in the SBOM tool?

We are still actively working on the tool, but these updates have been pushed back such that we no longer have an ETA.

@bobmartin3000 fyi
According to the documentation and output files, the format of the SPDX document is version 2.2 ("spdxVersion": "SPDX-2.2").
However, according to the German Federal Office for Information Security (BSI), SPDX documents must be version 2.3 or higher to meet the requirements.
Source: BSI-TR-03183-2.pdf
Are there any plans to update the sbom-tool to output version 2.3 documents?
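The issue body checks the `spdxVersion` string of the generated document, and the comment above lists what SPDX 2.3 adds on top of 2.2. The following script is an added example, not part of sbom-tool or of this thread: it reads an SPDX JSON document, compares its declared version against the 2.3 minimum the issue cites from BSI TR-03183-2, and flags 2.3-only content (the new checksum algorithms, relationship types and package fields named in the thread) that would be inconsistent inside a document declaring SPDX-2.2. Field and enum names (`spdxVersion`, `packages`, `checksums`, `algorithm`, `relationshipType`, `primaryPackagePurpose`, `validUntilDate`) follow the SPDX JSON schema; the two sample documents are constructed for the example and are not real sbom-tool output.

```python
"""Check an SPDX JSON document against the SPDX 2.3 minimum cited from BSI TR-03183-2.

Added example, not sbom-tool code. Sample documents below are constructed.
"""
import json
import re

# Features listed in the thread as new in SPDX 2.3 (names as in the SPDX JSON schema).
SPDX_23_CHECKSUM_ALGORITHMS = {
    "SHA3-256", "SHA3-384", "SHA3-512",
    "BLAKE2b-256", "BLAKE2b-384", "BLAKE2b-512",
    "BLAKE3", "ADLER32",
}
SPDX_23_RELATIONSHIP_TYPES = {"REQUIREMENT_DESCRIPTION_FOR", "SPECIFICATION_FOR"}
SPDX_23_PACKAGE_FIELDS = {"primaryPackagePurpose", "validUntilDate"}

# BSI TR-03183-2 requires SPDX 2.3 or higher (per the issue body).
BSI_MIN_VERSION = (2, 3)


def parse_spdx_version(doc):
    """Return (major, minor) parsed from the document's spdxVersion string."""
    raw = str(doc.get("spdxVersion", ""))
    match = re.fullmatch(r"SPDX-(\d+)\.(\d+)", raw)
    if match is None:
        raise ValueError(f"missing or malformed spdxVersion: {raw!r}")
    return int(match.group(1)), int(match.group(2))


def spdx23_features_used(doc):
    """List the SPDX 2.3-only features the document actually uses, sorted."""
    found = set()
    for pkg in doc.get("packages", []):
        for field in SPDX_23_PACKAGE_FIELDS & pkg.keys():
            found.add(f"package field {field}")
        for checksum in pkg.get("checksums", []):
            algo = checksum.get("algorithm")
            if algo in SPDX_23_CHECKSUM_ALGORITHMS:
                found.add(f"checksum algorithm {algo}")
    for rel in doc.get("relationships", []):
        rtype = rel.get("relationshipType")
        if rtype in SPDX_23_RELATIONSHIP_TYPES:
            found.add(f"relationship type {rtype}")
    return sorted(found)


def check_document(doc):
    """Summarise version compliance and version/content consistency."""
    version = parse_spdx_version(doc)
    features = spdx23_features_used(doc)
    return {
        "version": version,
        "meets_bsi_minimum": version >= BSI_MIN_VERSION,
        # 2.3-only content inside a document that declares 2.2 is inconsistent;
        # a strict 2.2 consumer may reject such a file.
        "inconsistent_features": features if version < (2, 3) else [],
    }


# Constructed sample in the shape sbom-tool currently emits (SPDX-2.2).
SAMPLE_22 = json.loads("""{
  "spdxVersion": "SPDX-2.2", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example-app",
  "packages": [{"name": "libexample", "SPDXID": "SPDXRef-Package-libexample",
    "versionInfo": "1.0.0",
    "checksums": [{"algorithm": "SHA256",
      "checksumValue": "0000000000000000000000000000000000000000000000000000000000000000"}]}],
  "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
    "relatedSpdxElement": "SPDXRef-Package-libexample"}]
}""")

# Constructed sample of a 2.3 document using the new package fields and a new hash.
SAMPLE_23 = json.loads("""{
  "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example-app",
  "packages": [{"name": "libexample", "SPDXID": "SPDXRef-Package-libexample",
    "versionInfo": "1.0.0", "primaryPackagePurpose": "LIBRARY",
    "validUntilDate": "2025-01-01T00:00:00Z",
    "checksums": [{"algorithm": "SHA3-256",
      "checksumValue": "0000000000000000000000000000000000000000000000000000000000000000"}]}],
  "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
    "relatedSpdxElement": "SPDXRef-Package-libexample"}]
}""")


if __name__ == "__main__":
    for label, doc in (("2.2 sample", SAMPLE_22), ("2.3 sample", SAMPLE_23)):
        print(label, check_document(doc))
```

To run it against a real file, replace the `json.loads` calls with `json.load(open(path))`; the check only reads the top-level `spdxVersion`, `packages` and `relationships` keys, so it works on any SPDX 2.x JSON document.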