microsoft / sbom-tool

The SBOM tool is a highly scalable and enterprise ready tool to create SPDX 2.2 compatible SBOMs for any variety of artifacts.
MIT License

SPDX version 2.3 support #537

Open neo42man opened 3 months ago

neo42man commented 3 months ago

According to the documentation and output files, the format of the SPDX document is in version 2.2 ("spdxVersion": "SPDX-2.2")

However, according to the German Federal Office for Information Security (BSI), SPDX documents must be version 2.3 or higher to meet the requirements. Source: BSI-TR-03183-2.pdf

Are there any plans to update the sbom-tool to output version 2.3 documents?

jlperkins commented 3 months ago

We are eagerly anticipating the release of the SPDX 3.0 spec (may be soon! 😉).

riteshnoronha commented 3 months ago

In SPDX 2.3, new features include optional fields for Primary Package Purpose, support for additional hashing algorithms (SHA3-256, SHA3-384, SHA3-512, BLAKE2b-256, BLAKE2b-384, BLAKE2b-512, BLAKE3, ADLER32), new relationship types (REQUIREMENT_DESCRIPTION_FOR and SPECIFICATION_FOR), package fields for ValidUntilDate, and expanded external repository identifiers in Security (introducing advisory, fix, URL, and SWID categories).

Note that most fields remain optional, and compliance with SPDX 2.3 doesn't require mandatory use of new fields, making SPDX 2.3 documents backward compatible with SPDX 2.2.

For BSI compliance, the following fields are more of a challenge:

  1. Packages Creator: (Package Supplier) (email or url is required)
  2. Package Dependencies: (Relationships) Direct dependencies
  3. Package Vuln Ids: cpe or purl (inaccuracies)

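
As an added illustration of the three BSI-relevant gaps listed above (not code from sbom-tool or from this thread), the following Python script checks a parsed SPDX JSON document for the minimum version, a supplier with a contact, a purl or CPE external reference per package, and DEPENDS_ON relationships for the described root. The document is constructed for the example; the supplier contact format is assumed from the SPDX `Organization: name (email)` convention, with a URL in parentheses accepted as the alternative the comment mentions.

```python
import re

# Minimum spdxVersion for the BSI TR-03183-2 requirement cited in the issue.
MIN_VERSION = (2, 3)
# Supplier must end in "(email)" or "(url)", e.g. "Organization: Acme (x@acme.invalid)" (assumed format).
SUPPLIER_CONTACT = re.compile(r"\((?:[^@\s)]+@[^@\s)]+|https?://[^\s)]+)\)$")
# externalRefs referenceType values that carry a package identifier (purl or CPE).
IDENTIFIER_TYPES = {"purl", "cpe22Type", "cpe23Type"}

# Constructed SPDX 2.2 document (not sbom-tool output); real use would json.load() a file.
SAMPLE_SBOM = {
    "spdxVersion": "SPDX-2.2",
    "documentDescribes": ["SPDXRef-RootPackage"],
    "packages": [
        {"SPDXID": "SPDXRef-RootPackage", "name": "myapp",
         "supplier": "Organization: Example Corp (sbom@example.invalid)",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:generic/myapp@1.0.0"}]},
        {"SPDXID": "SPDXRef-Package-lib", "name": "lib", "supplier": "NOASSERTION"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-RootPackage", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-lib"},
    ],
}

def check_bsi_fields(doc: dict) -> list:
    """Return findings for the BSI-relevant gaps; an empty list means all checks passed."""
    findings = []
    version = tuple(int(p) for p in doc.get("spdxVersion", "SPDX-0.0").split("-")[1].split("."))
    if version < MIN_VERSION:
        findings.append(f"spdxVersion {doc.get('spdxVersion')} is below SPDX-2.3")
    for pkg in doc.get("packages", []):
        pid = pkg.get("SPDXID", "?")
        if not SUPPLIER_CONTACT.search(pkg.get("supplier", "")):
            findings.append(f"{pid}: supplier lacks email or URL")
        types = {r.get("referenceType") for r in pkg.get("externalRefs", [])}
        if not types & IDENTIFIER_TYPES:
            findings.append(f"{pid}: no purl or CPE external reference")
    # Direct dependencies: each package the document describes needs DEPENDS_ON edges.
    with_deps = {r.get("spdxElementId") for r in doc.get("relationships", [])
                 if r.get("relationshipType") == "DEPENDS_ON"}
    for root in doc.get("documentDescribes", []):
        if root not in with_deps:
            findings.append(f"{root}: no DEPENDS_ON relationships recorded")
    return findings

def sample_findings() -> list:
    return check_bsi_fields(SAMPLE_SBOM)
```

Running `sample_findings()` on the constructed document reports the old version and the two gaps on the `lib` package, while the root package passes.
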
0xabdi commented 1 month ago

Any idea when support for SPDX 2.3 will be added to the tool?

henning-krause commented 1 month ago

Hmm... version 3 of SPDX was released: https://spdx.github.io/spdx-spec/v3.0/.

wglenos commented 1 month ago

Also interested in finding out about sbom-tool support for SPDX 2.3 output, if anybody can provide any details or an ETA (if any).

I realize the 3.0 spec is also out; however, SPDX 2.3 output is what we are currently looking to use at the moment. Thanks for any info.