Can SPDX be updated to 2.3? #16

Open
kestewart opened this issue Aug 26, 2022 · 4 comments
Comments

@kestewart

Some of the NOASSERTION fields no longer need to be included.

https://spdx.github.io/spdx-spec/v2.3/

@sei-vsarvepalli
Contributor

Hello @kestewart

Can you send an example? It will be easier to work off of it. I was trying to read through the docs; there are quite a few updates, and I am finding it hard to compare myself. If, in fact, you can get the enclosed example

SPDX-ACME-INFUSION-1-0-SBOM-DRAFT-30-8-2022-13-23-spdx.txt

upconverted to v2.3, it will make it easy to work from.

Thanks
Vijay

@swinslow

Hi @sei-vsarvepalli, here's a modified version of this file which I believe should be a valid SPDX 2.3 file:

SPDX-ACME-INFUSION-1-0-SBOM-DRAFT-30-8-2022-13-23-spdx-revised-for-2.3.txt

@swinslow

swinslow commented Mar 28, 2023

For ease of tracking, the changes I've made here for 2.1 to 2.3 are:

  • changing the SPDXVersion from SPDX-2.1 to SPDX-2.3
  • removing the PackageLicenseConcluded, PackageLicenseDeclared and PackageCopyrightText fields

Additionally, please note that the file you shared originally does not appear to be a fully valid SPDX 2.1 document, for a few reasons:

  • it uses purl external references, which were not defined until SPDX 2.2
  • there are some issues with the Packages with FilesAnalyzed: true:
    • some don't list subsequent File information sections
    • those that do don't include some of the required File information section fields (such as separate SPDX IDs for those Files)
    • and other Package information required for Packages with FilesAnalyzed: true is missing: the Package Verification Code is not present

Because of this, in the attached example I am changing all FilesAnalyzed fields to false and removing the FileName / FileChecksum fields. I can provide more details about this if you have questions.

Below is the diff between the two files:

2c2
< SPDXVersion: SPDX-2.1
---
> SPDXVersion: SPDX-2.3
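Review bot: the version bump is the only header change in the diff, so 2.3 conformance of the rest of the document cannot be read off this hunk; the remaining hunks only touch package fields. The check is to run the revised file through an SPDX validator (the tools-python `pyspdxtools` CLI or the SPDX online validator) and attach its output to the issue, rather than relying on the field-by-field diff.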
21,24c21
< FilesAnalyzed: true
< PackageLicenseConcluded: NOASSERTION
< PackageLicenseDeclared: NOASSERTION
< PackageCopyrightText: NOASSERTION
---
> FilesAnalyzed: false
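Review bot: changing FilesAnalyzed from true to false here is a semantic change, not just a cleanup: it tells a consumer that no file-level analysis was performed on this package, which is also why the missing PackageVerificationCode stops being a validation error. Deleting the three NOASSERTION lines loses nothing, since NOASSERTION carries no information, but if the producer actually knows any of PackageLicenseConcluded, PackageLicenseDeclared or PackageCopyrightText, 2.3 still allows those fields and they should stay populated instead of being removed. The same four-line edit is repeated for every package in the file; a `## ...` comment line next to the first one recording why analysis was turned off would help later readers.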
38,41c35
< FilesAnalyzed: true
< PackageLicenseConcluded: NOASSERTION
< PackageLicenseDeclared: NOASSERTION
< PackageCopyrightText: NOASSERTION
---
> FilesAnalyzed: false
55,58c49
< FilesAnalyzed: true
< PackageLicenseConcluded: NOASSERTION
< PackageLicenseDeclared: NOASSERTION
< PackageCopyrightText: NOASSERTION
---
> FilesAnalyzed: false
72,77c63
< FilesAnalyzed: true
< PackageLicenseConcluded: NOASSERTION
< PackageLicenseDeclared: NOASSERTION
< PackageCopyrightText: NOASSERTION
< FileName: SQL-2005-Express.msi
< FileChecksum: SHA256: 8dc52671c9828e3c480de384488298f58b4b21df3fe975175ec6a3ab90a0988c
---
> FilesAnalyzed: false
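Review bot: this hunk discards the only integrity data the package carried, the SHA256 of SQL-2005-Express.msi, instead of repairing the malformed File section it sat in. Two ways to keep it: (a) leave FilesAnalyzed: true and turn the two lines into a complete File section (FileName, its own SPDXID, a mandatory SHA1 FileChecksum alongside the SHA256) plus a PackageVerificationCode computed over the package's files; or (b) keep FilesAnalyzed: false, as this hunk does, and carry the digest as a package-level `PackageChecksum: SHA256: 8dc52671...` line, which is permitted regardless of FilesAnalyzed. Option (b) is the smaller change and still preserves the checksum the file was trying to assert. The same applies to spring-instrument.jar in the last hunk.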
89,92c75
< FilesAnalyzed: true
< PackageLicenseConcluded: NOASSERTION
< PackageLicenseDeclared: NOASSERTION
< PackageCopyrightText: NOASSERTION
---
> FilesAnalyzed: false
106,109c89
< FilesAnalyzed: true
< PackageLicenseConcluded: NOASSERTION
< PackageLicenseDeclared: NOASSERTION
< PackageCopyrightText: NOASSERTION
---
> FilesAnalyzed: false
123,126c103
< FilesAnalyzed: true
< PackageLicenseConcluded: NOASSERTION
< PackageLicenseDeclared: NOASSERTION
< PackageCopyrightText: NOASSERTION
---
> FilesAnalyzed: false
140,145c117
< FilesAnalyzed: true
< PackageLicenseConcluded: NOASSERTION
< PackageLicenseDeclared: NOASSERTION
< PackageCopyrightText: NOASSERTION
< FileName: spring-instrument.jar
< FileChecksum: SHA256: ea8436f23b06d4649626f6a87a65e0128d6fe674d9a180d800737555adbae829
---
> FilesAnalyzed: false

@sei-vsarvepalli
Contributor

Hello @swinslow

Very helpful. I believe the work done for the Medical Proof of Concept had a desire to represent examples where a package was analyzed and some signature could provide assertion for such a claim, specifically that there was a validation of a SHA256 signature of a file that was a component of a full SBOM. That was the reason to introduce the FilesAnalyzed. Can you provide an example where a valid FilesAnalyzed: true can be fully demonstrated?

Thanks again for your help.
Vijay
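A worked example of what the two messages above ask for: swinslow's list of what a package with FilesAnalyzed: true must carry (File sections with their own SPDX IDs, file checksums, a Package Verification Code) and the request for a fully valid FilesAnalyzed: true example. This is an added example, not the attachment from this issue and not code from the SPDX project or its tools. It renders a minimal SPDX 2.3 tag-value document from a list of files, then verifies it the way a downstream consumer would. Everything in it is constructed for illustration: the file names and contents, the document namespace (a placeholder URI), and the `added-example` tool name in the Creator field.

```python
# Added example, not code from this issue or the SPDX project: render a minimal
# SPDX 2.3 tag-value document with FilesAnalyzed: true, then verify it as a consumer.
import hashlib
import re
from typing import Dict, Iterable, List, Sequence, Tuple

FileEntry = Tuple[str, bytes]  # (path relative to the package root, contents)

# Constructed sample inputs; nothing here comes from the real ACME attachment.
SAMPLE_FILES: List[FileEntry] = [
    ("./bin/infusion-pump.exe", b"constructed firmware image bytes"),
    ("./lib/spring-instrument.jar", b"constructed jar bytes"),
    ("./sbom/acme-infusion.spdx", b"the SBOM itself, excluded from the code"),
]
SAMPLE_EXCLUDES = ("./sbom/acme-infusion.spdx",)
_CODE_RE = re.compile(r"^PackageVerificationCode:\s*([0-9a-f]{40})(?:\s*\(excludes:\s*(.*?)\))?\s*$", re.M)


def spdx_ref(prefix: str, name: str) -> str:
    """SPDXID values may only contain letters, digits, '.' and '-'."""
    return "SPDXRef-%s-%s" % (prefix, re.sub(r"[^A-Za-z0-9.-]", "-", name.lstrip("./")))


def verification_code(files: Iterable[FileEntry], excludes: Sequence[str] = ()) -> str:
    """SPDX 2.3 section 7.9: SHA1 over the ascending-sorted, concatenated hex SHA1
    digests of every file that is not excluded (typically the SBOM file itself)."""
    digests = sorted(hashlib.sha1(d).hexdigest() for p, d in files if p not in excludes)
    return hashlib.sha1("".join(digests).encode("ascii")).hexdigest()


def render_document(pkg_name: str, version: str, files: Sequence[FileEntry],
                    excludes: Sequence[str] = (), created: str = "2023-03-28T00:00:00Z") -> str:
    """Header, one analysed package, one File section per file, CONTAINS relationships."""
    pkg_id = spdx_ref("Package", pkg_name)
    code = verification_code(files, excludes)
    if excludes:
        code += " (excludes: %s)" % ", ".join(excludes)
    lines = [
        "SPDXVersion: SPDX-2.3",
        "DataLicense: CC0-1.0",
        "SPDXID: SPDXRef-DOCUMENT",
        "DocumentName: %s-%s-sbom" % (pkg_name, version),
        "DocumentNamespace: https://example.invalid/spdx/%s-%s" % (pkg_name, version),  # placeholder URI
        "Creator: Tool: added-example-0.1",  # hypothetical tool name
        "Created: %s" % created,
        "",
        "PackageName: %s" % pkg_name,
        "SPDXID: %s" % pkg_id,
        "PackageVersion: %s" % version,
        "PackageDownloadLocation: NOASSERTION",
        "FilesAnalyzed: true",
        "PackageVerificationCode: %s" % code,  # mandatory once FilesAnalyzed is true
    ]
    relationships = []
    for path, data in files:
        file_id = spdx_ref("File", path)
        lines += [
            "",
            "FileName: %s" % path,
            "SPDXID: %s" % file_id,  # every File section needs its own SPDXID
            "FileChecksum: SHA1: %s" % hashlib.sha1(data).hexdigest(),  # SHA1 is mandatory in 2.x
            "FileChecksum: SHA256: %s" % hashlib.sha256(data).hexdigest(),  # other algorithms optional
        ]
        relationships.append("Relationship: %s CONTAINS %s" % (pkg_id, file_id))
    return "\n".join(lines + [""] + relationships) + "\n"


def extract_verification_code(doc: str) -> Tuple[str, List[str]]:
    """Return (hex code, excluded paths) parsed from the PackageVerificationCode line."""
    m = _CODE_RE.search(doc)
    if not m:
        raise ValueError("no PackageVerificationCode in document")
    return m.group(1), ([p.strip() for p in m.group(2).split(",")] if m.group(2) else [])


def verify_document(doc: str, files: Sequence[FileEntry]) -> bool:
    """Consumer-side check: recompute the code over the files actually shipped.
    A mismatch means a file was added, removed or altered after the analysis."""
    claimed, excludes = extract_verification_code(doc)
    return claimed == verification_code(files, excludes)


def parse_file_checksums(doc: str) -> Dict[str, Dict[str, str]]:
    """Map FileName -> {algorithm: hex digest} from the File sections."""
    out: Dict[str, Dict[str, str]] = {}
    current = None
    for line in doc.splitlines():
        if line.startswith("FileName:"):
            current = line.split(":", 1)[1].strip()
            out[current] = {}
        elif line.startswith("FileChecksum:") and current is not None:
            _, alg, digest = (part.strip() for part in line.split(":", 2))
            out[current][alg] = digest
    return out


def verify_file_checksums(doc: str, files: Sequence[FileEntry]) -> Dict[str, bool]:
    """Re-hash each shipped file against every digest the SBOM claims for it."""
    claims = parse_file_checksums(doc)
    return {path: bool(claims.get(path)) and all(
                hashlib.new(alg.lower(), data).hexdigest() == digest
                for alg, digest in claims[path].items())
            for path, data in files}
```

`print(render_document("ACME-Infusion", "1.0", SAMPLE_FILES, SAMPLE_EXCLUDES))` emits the document; feeding the output to an SPDX validator is the check that it is accepted as 2.3. Two caveats worth keeping in mind for the PoC: the verification code and file checksums are integrity claims over the file set, not signatures, since anyone who can edit the SBOM can recompute them, so authenticity needs a separate signature over the SBOM file itself; and SPDX 2.x requires a SHA1 FileChecksum on every File, so a document that carries only SHA256 digests fails validation even with otherwise complete File sections.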
