spdx / spdx-spec

The SPDX specification in MarkDown and HTML formats.
https://spdx.github.io/spdx-spec/

SPDX 2.2.2 external reference category schema.json on 2.2.2 tag does not match documentation #869

Open wterpstra opened 8 months ago

wterpstra commented 8 months ago

The spec is a bit weird about the external reference categories.

When looking at the reference category documentation, the following values are allowed: SECURITY | PACKAGE-MANAGER | PERSISTENT-ID | OTHER

If you have a look at the JSON schema in the v2.2.2 tag, the allowed values are "OTHER", "SECURITY", "PACKAGE_MANAGER"

This was raised in #792. It was decided that both values should be read, but that hyphens are to be preferred over underscores. However, neither the docs nor the schema state this.

In issue https://github.com/CycloneDX/cyclonedx-dotnet-library/issues/267#issuecomment-1789586099 @andreas-hilti found that there is a development branch with a schema file with updated enum values: "OTHER", "PERSISTENT-ID", "PERSISTENT_ID", "SECURITY", "PACKAGE-MANAGER", "PACKAGE_MANAGER"

I guess this means that the 2.2.2 schema got amended after the fact, which is fine I guess(?), but now it's inconsistent with the documentation and there are different schema files floating around.

What schema file should be used when validating, reading and writing SPDX files? Should the docs be changed to include both hyphens and underscore values?

goneall commented 8 months ago

I would recommend using the draft schema. If we end up doing another dot release of SPDX 2, it will include a fully documented official fix - until then, I'll be using the draft schema.
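The reading described in the thread (accept both the hyphenated and the underscore spellings of `referenceCategory`, emit the hyphenated form that the spec text documents), as an added example that is not part of this issue or of the spdx-spec project's own code. It assumes the enum list from the draft schema quoted above (`OTHER`, `PERSISTENT-ID`, `PERSISTENT_ID`, `SECURITY`, `PACKAGE-MANAGER`, `PACKAGE_MANAGER`); the function names and the SPDX JSON fragment are constructed for illustration, using the stdlib only so it runs without a schema validator:

```python
import json
from copy import deepcopy

# Documented (hyphenated) spellings from the spec text, and the underscore
# spellings the 2.2.2 tag schema and the draft schema also list.
CANONICAL_CATEGORIES = {"SECURITY", "PACKAGE-MANAGER", "PERSISTENT-ID", "OTHER"}
ACCEPTED_CATEGORIES = CANONICAL_CATEGORIES | {"PACKAGE_MANAGER", "PERSISTENT_ID"}


class InvalidReferenceCategory(ValueError):
    """Raised for a referenceCategory that neither schema variant allows."""


def canonical_category(value):
    """Map a referenceCategory to its hyphenated, documented form.

    Both spellings are accepted on input (as decided in #792); anything
    else is rejected rather than silently passed through.
    """
    if not isinstance(value, str) or value not in ACCEPTED_CATEGORIES:
        raise InvalidReferenceCategory(f"unknown referenceCategory: {value!r}")
    return value.replace("_", "-")


def normalize_document(doc):
    """Return a copy of an SPDX 2.2 JSON document with every
    packages[*].externalRefs[*].referenceCategory rewritten to the
    hyphenated form, plus a log of the rewrites performed."""
    out = deepcopy(doc)
    changes = []
    for pkg in out.get("packages", []):
        for ref in pkg.get("externalRefs", []):
            original = ref.get("referenceCategory")
            canonical = canonical_category(original)
            if canonical != original:
                changes.append(f"{pkg.get('SPDXID', '?')}: {original} -> {canonical}")
                ref["referenceCategory"] = canonical
    return out, changes


# Constructed sample document (not from the thread): one package whose
# externalRefs mix the two spellings, as happens when a tool follows the
# 2.2.2 tag schema while another follows the spec text.
SAMPLE_SPDX_JSON = """
{
  "spdxVersion": "SPDX-2.2",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example",
  "packages": [
    {
      "SPDXID": "SPDXRef-Package-example",
      "name": "example",
      "externalRefs": [
        {"referenceCategory": "PACKAGE_MANAGER", "referenceType": "purl",
         "referenceLocator": "pkg:npm/example@1.0.0"},
        {"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
         "referenceLocator": "cpe:2.3:a:example:example:1.0.0:*:*:*:*:*:*:*"},
        {"referenceCategory": "PERSISTENT_ID", "referenceType": "swh",
         "referenceLocator": "swh:1:cnt:0000000000000000000000000000000000000000"}
      ]
    }
  ]
}
"""


def normalize_json_text(text):
    """Parse, normalize and re-serialize an SPDX JSON document."""
    doc, changes = normalize_document(json.loads(text))
    return json.dumps(doc, indent=2), changes


def categories_after_normalization(text):
    """Helper for checking the result: the referenceCategory values of the
    first package, in order, after normalization."""
    doc, _ = normalize_document(json.loads(text))
    return [ref["referenceCategory"] for ref in doc["packages"][0]["externalRefs"]]


if __name__ == "__main__":
    normalized, changes = normalize_json_text(SAMPLE_SPDX_JSON)
    for change in changes:
        print("rewrote", change)
    print(normalized)
```

Running the normalizer before validation against the documented enum means a document produced by either schema variant validates, while a genuinely wrong value (say, `PACKAGE MANAGER`) still fails loudly. Run it on output rather than input if the goal is to emit only the hyphenated form the thread says is preferred.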