Releases: spdx/spdx-spec
Release 3.0 of the SPDX Specifications
What's Changed since 2.3
Note that 3.0 is a major revision with several breaking changes from the previous released version of the SPDX specification.
See the Diffs from Previous Versions Annex for differences and a guide to upgrading from 2.3 to 3.0.
What's Changed since 3.0-RC2
- Model updates - see the SPDX model repo release notes for details
- Update examples for version 2.3 by @goneall in #782
- fix: fix typo (definined to defined) by @ninoseki in #791
- Update index.md by @jeff-schutt in #789
- Update JSON schema for dash and underscore enums by @goneall in #793
- fix: Correct cardinality of Primary Package Purpose field by @kzantow in #797
- Update examples with correct referenceType for purl by @goneall in #800
- Add documentDescribes to required fields in JSON Schema by @goneall in #796
- Fix package typos by @bee64 in #831
- Add pkg verification code + checksum clarification by @rnjudge in #828
- Fixes external reference page hyperlinks for CPE by @ccsmith117 in #834
- Update reference by @zvr in #837
- chore: deprecate shorthand properties by @kzantow in #841
- feat: allow $schema entry in SPDX 2.3 JSON by @mcombuechen in #865
- New workflow for deploying the v3 spec to the site. by @licquia in #874
- Add back SPDX license expressions to version 3 branch by @goneall in #877
- Update index.md by @kestewart in #880
- Remove license related annexes from SPDX 3 by @goneall in #878
- Remove files no longer used in the 3.0 RC2 version of the spec by @goneall in #883
- Update mkdocs config for model by @goneall in #884
- Update terms-and-definitions.md by @kestewart in #885
- Build and deploy the v3.0 spec on changes. by @licquia in #888
- Add 3.0rc2 Ontology by @zvr in #887
- Sync the model diagrams with the model repo by @goneall in #886
- allow "and", "or" and "with" operators by @xsuchy in #892
- Generate JSON Schema using shacl2code by @JPEWdev in #893
- Attempt to fix CI failures related to PyYAML. by @licquia in #897
- Add JSON-LD example by @JPEWdev in #895
- Add 3.0 changes to diffs annex by @goneall in #898
- Update for Community Specification 1.0 license by @swinslow in #900
- github actions: Update to latest spec parser by @JPEWdev in #901
- Add serialization info by @zvr in #909
- Change "Software" to "System" in SPDX by @zvr in #908
- Update migration info for ContentIdentifier by @goneall in #910
- Adds Annex for the Lite profile by @NorioKobota in #907
- Add getting started annex by @JPEWdev in #906
- Port 2.x Annexes to 3.0 spec by @rnjudge in #904
- Update mkdocs.yml by @rnjudge in #913
- Organize annexes by @rnjudge in #915
- Update index.md by @kestewart in #911
- Update model images for release by @goneall in #917
New Contributors
- @ninoseki made their first contribution in #791
- @jeff-schutt made their first contribution in #789
- @bee64 made their first contribution in #831
- @ccsmith117 made their first contribution in #834
- @mcombuechen made their first contribution in #865
- @licquia made their first contribution in #874
- @xsuchy made their first contribution in #892
- @JPEWdev made their first contribution in #893
Full Changelog: v2.3...v3.0
v3.0-RC2
Release candidate 2 of the SPDX specification.
This specification documents the SPDX 3.0 RC2 release of the SPDX Model.
What's Changed
- Update examples for version 2.3 by @goneall in #782
- fix: fix typo (definined to defined) by @ninoseki in #791
- Update index.md by @jeff-schutt in #789
- Update JSON schema for dash and underscore enums by @goneall in #793
- fix: Correct cardinality of Primary Package Purpose field by @kzantow in #797
- Update examples with correct referenceType for purl by @goneall in #800
- Add documentDescribes to required fields in JSON Schema by @goneall in #796
- Fix package typos by @bee64 in #831
- Add pkg verification code + checksum clarification by @rnjudge in #828
- Fixes external reference page hyperlinks for CPE by @ccsmith117 in #834
- Update reference by @zvr in #837
- chore: deprecate shorthand properties by @kzantow in #841
- feat: allow $schema entry in SPDX 2.3 JSON by @mcombuechen in #865
- New workflow for deploying the v3 spec to the site. by @licquia in #874
- Add back SPDX license expressions to version 3 branch by @goneall in #877
- Update index.md by @kestewart in #880
- Remove license related annexes from SPDX 3 by @goneall in #878
- Remove files no longer used in the 3.0 RC2 version of the spec by @goneall in #883
- Update mkdocs config for model by @goneall in #884
- Update terms-and-definitions.md by @kestewart in #885
- Build and deploy the v3.0 spec on changes. by @licquia in #888
- Add 3.0rc2 Ontology by @zvr in #887
- Sync the model diagrams with the model repo by @goneall in #886
New Contributors
- @ninoseki made their first contribution in #791
- @jeff-schutt made their first contribution in #789
- @bee64 made their first contribution in #831
- @ccsmith117 made their first contribution in #834
- @mcombuechen made their first contribution in #865
- @licquia made their first contribution in #874
Full Changelog: v2.3...v3.0-RC2
v2.3
V2.3 has added new fields to improve the ability to capture security-related information and to improve interoperability with other SBOM formats.
Key changes include:
- Added fields to Clause 7 (Package Information) to describe "Primary Package Purpose" and standardize recording of "Built Date", "Release Date", "Valid Until Date".
- Added hash algorithms (SHA3-256, SHA3-384, SHA3-512, BLAKE2b-256, BLAKE2b-384, BLAKE2b-512, BLAKE3, ADLER32) to the set recognized by 7.10 (Package Checksum field) and 8.4 (File Checksum field).
- Update Clauses 7, 8, and 9 to make several of the licensing properties optional rather than requiring the use of "NOASSERTION" when no value is provided.
- Update Clause 11 to add the new relationship types: REQUIREMENT_DESCRIPTION_FOR and SPECIFICATION_FOR.
- Update Annex B (License matching guidelines and templates) to use the License List XML format.
- Update Annex F (External Repository Identifiers) to expand security references to include advisory, fix, URL, SWID. Expand persistent identifiers to include gitoid.
- Update Annex G (SPDX Lite Profile) to include NTIA SBOM mandatory minimum fields as required.
- Update Annex H to document how snippet information is recorded in files, consistent with REUSE recommendations.
- Added Annex K (How To Use SPDX in Different Scenarios) to illustrate linking to external security information, and to illustrate how the NTIA SBOM mandatory minimum elements map to SPDX fields.
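As an added illustration (not code from the spdx-spec project or its release notes), the following Python checker builds a constructed SPDX JSON document that uses the 2.3 package fields listed above and then verifies it: checksum algorithms and SECURITY external reference types are checked against the vocabulary of the declared spec version (2.2 versus 2.3), checksum values are recomputed over the archive, the package verification code is recomputed from the file contents with the Clause 7.9 algorithm, the three new date fields are checked for the YYYY-MM-DDThh:mm:ssZ format, and relationship types are checked against the version's vocabulary. The file contents, archive bytes, SPDXIDs and the advisory URL are constructed placeholders; the pre-2.3 relationship set is deliberately a small subset, and BLAKE3 is left out because the Python standard library does not implement it.

```python
import hashlib
import re
import zlib

# Checksum algorithms recognized by 7.10 / 8.4: the 2.2 set plus those v2.3 added.
ALGORITHMS_22 = {"SHA1", "SHA224", "SHA256", "SHA384", "SHA512", "MD2", "MD4", "MD5", "MD6"}
ALGORITHMS_23 = ALGORITHMS_22 | {"SHA3-256", "SHA3-384", "SHA3-512", "BLAKE2b-256",
                                 "BLAKE2b-384", "BLAKE2b-512", "BLAKE3", "ADLER32"}
# Relationship types: a small subset of the pre-2.3 vocabulary plus the two 2.3 added.
RELATIONSHIPS_22 = {"DESCRIBES", "CONTAINS", "DEPENDS_ON", "DOCUMENTATION_OF"}
RELATIONSHIPS_23 = RELATIONSHIPS_22 | {"REQUIREMENT_DESCRIPTION_FOR", "SPECIFICATION_FOR"}
# Annex F SECURITY reference types: CPE only before 2.3; advisory/fix/url/swid added in 2.3.
SECURITY_REFS_22 = {"cpe22Type", "cpe23Type"}
SECURITY_REFS_23 = SECURITY_REFS_22 | {"advisory", "fix", "url", "swid"}
VOCAB = {"SPDX-2.2": (ALGORITHMS_22, RELATIONSHIPS_22, SECURITY_REFS_22),
         "SPDX-2.3": (ALGORITHMS_23, RELATIONSHIPS_23, SECURITY_REFS_23)}
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")

# Constructed inputs: the files of a package and the archive that ships them.
FILES = {"src/main.c": b"int main(void) { return 0; }\n", "README": b"example package\n"}
ARCHIVE = b"constructed-archive:" + b"".join(FILES.values())


def package_verification_code(files):
    """Clause 7.9: SHA1 of every file as hex, sorted, concatenated, then SHA1 of that string."""
    digests = sorted(hashlib.sha1(data).hexdigest() for data in files.values())
    return hashlib.sha1("".join(digests).encode("ascii")).hexdigest()


def checksums_for(data):
    """Archive checksums: one 2.2-era algorithm and three that v2.3 added."""
    return {"SHA256": hashlib.sha256(data).hexdigest(),
            "SHA3-256": hashlib.sha3_256(data).hexdigest(),
            "BLAKE2b-256": hashlib.blake2b(data, digest_size=32).hexdigest(),
            "ADLER32": format(zlib.adler32(data) & 0xFFFFFFFF, "08x")}


def build_document(spdx_version="SPDX-2.3"):
    """Constructed SPDX JSON document exercising the 2.3 package fields (placeholder IDs/URL)."""
    return {
        "spdxVersion": spdx_version,
        "SPDXID": "SPDXRef-DOCUMENT",
        "packages": [{
            "SPDXID": "SPDXRef-Package-example",
            "name": "example",
            "primaryPackagePurpose": "LIBRARY",
            "builtDate": "2022-08-01T12:00:00Z",
            "releaseDate": "2022-08-02T00:00:00Z",
            "validUntilDate": "2023-08-02T00:00:00Z",
            "packageVerificationCode": {"packageVerificationCodeValue": package_verification_code(FILES)},
            "checksums": [{"algorithm": a, "checksumValue": v} for a, v in checksums_for(ARCHIVE).items()],
            "externalRefs": [{"referenceCategory": "SECURITY", "referenceType": "advisory",
                              "referenceLocator": "https://example.invalid/advisory/PLACEHOLDER"}],
        }],
        "relationships": [
            {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
             "relatedSpdxElement": "SPDXRef-Package-example"},
            {"spdxElementId": "SPDXRef-File-spec", "relationshipType": "SPECIFICATION_FOR",
             "relatedSpdxElement": "SPDXRef-Package-example"},
        ],
    }


def check_document(doc, archive, files):
    """Return findings; an empty list means the document agrees with its declared
    spec version, the archive bytes and the file contents it was generated from."""
    version = doc["spdxVersion"]
    algorithms, relationships, security_refs = VOCAB[version]
    expected = checksums_for(archive)
    findings = []
    for pkg in doc.get("packages", []):
        pid = pkg["SPDXID"]
        for field in ("builtDate", "releaseDate", "validUntilDate"):
            if field in pkg and not DATE_RE.match(pkg[field]):
                findings.append(f"{pid}: {field} is not YYYY-MM-DDThh:mm:ssZ")
        for cs in pkg.get("checksums", []):
            alg = cs["algorithm"]
            if alg not in algorithms:
                findings.append(f"{pid}: checksum algorithm {alg} not recognized by {version}")
            elif alg in expected and expected[alg] != cs["checksumValue"]:
                findings.append(f"{pid}: {alg} checksum does not match the archive")
        pvc = pkg.get("packageVerificationCode", {}).get("packageVerificationCodeValue")
        if pvc is not None and pvc != package_verification_code(files):
            findings.append(f"{pid}: package verification code does not match file contents")
        for ref in pkg.get("externalRefs", []):
            if ref["referenceCategory"] == "SECURITY" and ref["referenceType"] not in security_refs:
                findings.append(f"{pid}: SECURITY referenceType {ref['referenceType']} not in {version}")
    for rel in doc.get("relationships", []):
        if rel["relationshipType"] not in relationships:
            findings.append(f"relationship type {rel['relationshipType']} not in {version}")
    return findings
```

Running `check_document(build_document(), ARCHIVE, FILES)` returns no findings, while validating the same content labelled "SPDX-2.2" reports the three 2.3-only checksum algorithms, the advisory reference type and the SPECIFICATION_FOR relationship, which is exactly the set of 2.3 additions a 2.2-only consumer would reject. Supplying a modified archive or modified file contents makes the checksum and verification-code comparisons fail, which is the property an SBOM consumer relies on when matching a document to the artifact it claims to describe.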
Thanks to all the contributors to the 2.3 release:
- @lastthyme
- @goneall
- @seabass-labrax
- @fu7mu4
- @Jayman2000
- @tsteenbe
- @jlovejoy
- @swinslow
- @rnjudge
- @kestewart
- @tschmidtb51
- @nishakm
- @NorioKobota
- @hfukuchi
- @Cynical-Optimist
- @henkbirkholz
- @vargenau
- @AevaOnline
- @ivanayov
- @MarkLodato
- @silverhook
- @HansBusch
- @iamwillbar
- @zvr
- @puerco
- @alilleybrinker
Full Changelog: v2.2.2...v2.3
v2.2.2
This release fixes formatting, grammatical and spelling issues found since ISO/IEC 5962:2021 SPDX v2.2.1 was published.
What's Changed
- ISO-required editorial fixes
- clarify optional cardinality contradictions
- update OWL document
- fix typos in JSON schema
- clarify information on using license list short form identifiers
- make some of the tables easier to read
- fixes to broken links from format conversions
- rearrange some of the appendices to fix links
Thanks to the contributors for this release
- @RexJaeschke
- @tsteenbe
- @lhh
- @Jayman2000
- @fu7mu4
- @jlovejoy
- @goneall
- @rnjudge
- @seabass-labrax
- @swinslow
- @kestewart
Full Changelog: v2.2.1...development/v2.2.2
v2.2.1
This release includes:
- Includes all updates for the final ISO/IEC 5962:2021 SPDX specification
- Updates to the SPDX examples to resolve issues found in the v2.2 version of the JSON example
- Fix numerous formatting, grammatical, and spelling issues that were not found or resolved in previous versions
Interested in the exact changes? Have a look at this detailed overview of all changes since the last release.
v2.2
This release includes:
- Updated the Charter to broaden the scenarios that SPDX documents can represent, as requested by users, and to align with NTIA SBOM efforts.
- Extended the valid file formats that can be used to represent an SPDX document to include JSON, YAML, and a development version of XML. A set of example documents illustrating use of these formats can be found in v2.2/examples.
- Extended Relationships by addition of 13 new relationship types requested from tool creators (mostly to represent dependencies), as well as support for relationships to NOASSERTION or NONE as a way to indicate “known unknown” and “no relationships” respectively.
- Added new fields to Packages, Files, and Snippets to capture “Attribution text”.
- Extended Appendix VI: External Repository Identifiers to include support for PURL (Package URLs) and SWHIDs (Software Heritage Persistent Identifiers).
- Added Appendix VIII: SPDX Lite as a first recognized SPDX profile. This subset of SPDX 2.2 originated from the use cases that the OpenChain Japan workgroup highlighted. They created it to be able to accept basic information from their suppliers who were not able to generate full SPDX documents with all optional fields.
- Added Appendix IX: SPDX File Tags to enable use of file-specific information from SPDX defined fields in source code as supported by Version 3.0 of the REUSE Software Specification.
- Updated Appendix V: Using SPDX License List short identifiers in Source Files to include support for use of LicenseRef- identifiers, to express custom identifiers for licenses that are not on the SPDX License List. This has been coordinated with Version 3.0 of the REUSE Software Specification to enable projects to provide a standardized format that can optionally be used for providing the corresponding license text for these identifiers.
- Updated Appendix II: License Matching Guidelines to allow embedded rules within optional rules for generated SPDX license templates.
- Updated Appendix IV: SPDX License Expressions to add some clarification on the case sensitivity of license expressions and handling of multi-line license expressions.
- Updated Appendix I: License List to now reference version 3.8.
- And numerous formatting, grammatical, and spelling fixes that escaped our reviewers in version 2.1.1.
Interested in the exact changes? Have a look at this detailed overview of all changes since the last release.