SPDX version 2.3 support

microsoft / sbom-tool

The SBOM tool is a highly scalable and enterprise ready tool to create SPDX 2.2 compatible SBOMs for any variety of artifacts.

MIT License

1.63k stars 133 forks source link

SPDX version 2.3 support #537

Open neo42man opened 7 months ago

neo42man commented 7 months ago

According to the documentation and output files, the format of the SPDX document is in version 2.2 ("spdxVersion": "SPDX-2.2")

However, according to the German Federal Office for Information Security (BSI), SPDX documents must be version 2.3 or higher to meet the requirements. Source: BSI-TR-03183-2.pdf

Are there any plans to update the sbom-tool to output version 2.3 documents?

jlperkins commented 7 months ago

We are eagerly anticipating the release of the SPDX 3.0 spec (may be soon! 😉).

riteshnoronha commented 7 months ago

In SPDX 2.3, new features include optional fields for Primary Package Purpose, support for additional hashing algorithms (SHA3-256, SHA3-384, SHA3-512, BLAKE2b-256, BLAKE2b-384, BLAKE2b-512, BLAKE3, ADLER32), new relationship types (REQUIREMENT_DESCRIPTION_FOR and SPECIFICATION_FOR), package fields for ValidUntilDate, and expanded external repository identifiers in Security (introducing advisory, fix, URL, and SWID categories).

Note that most fields remain optional, and compliance with SPDX 2.3 doesn't require mandatory use of new fields, making SPDX 2.3 documents backward compatible with SPDX 2.2.

For BSI compliance, the following fields are more of a challenge:

Packages Creator: (Package Supplier) (email or url is required)
Package Dependencies: (Relationships) Direct dependencies
Package Vuln Ids: cpe or purl(inaccuracies)

0xabdi commented 6 months ago

Any idea when support for spdx 2.3 will be added to the tool?

henning-krause commented 6 months ago

Hmm.. the Version 3 of spdx was released: https://spdx.github.io/spdx-spec/v3.0/.

wglenos commented 6 months ago

Also interested in finding out about sbom-tool support for spdx 2.3 output if anybody can provide any details or ETA (if any)

I realize the 3.0 spec is also out however spdx 2.3 output is what we are currently looking to use at the moment - thanks for any info

henning-krause commented 3 months ago

@jlperkins Bumping this since there was no activity on this for a while. The new SPDX version was released. Any idea when the new version will be available in the SBOM tool?

sfoslund commented 3 months ago

We are still actively working on the tool but these updates have been pushed back such that we no longer have a ETA

bact commented 1 month ago

@bobmartin3000 fyi

bact commented 1 month ago

From Version 2.0.0 of the BSI TR-03183 Part 2 guideline which is just released few weeks ago (2024-09-20), the minimum required SPDX version is now 2.2.1 (was SPDX 2.3 in TR-03183 Part 2 V1.1).
So if TR-03183 support is the only concerns, supporting SPDX 2.2.1 may be enough for the job. (SPDX 2.2 and SPDX 2.2.1 have no technical difference, so may be it can be faster to get the support)
See https://github.com/microsoft/sbom-tool/issues/738