Skip to content

Releases: spdx/spdx-spec

Patch release 3.0.1

17 Dec 18:58
@goneall goneall
3.0.1
61a649d
Compare
Choose a tag to compare
Patch release 3.0.1 Latest
Latest

This release includes changes to support the OMG standard and ISO standard submissions. There are also fixes for spec issues identified during implementation of the 3.0.0 version of the spec.

Changes to the model are summarized in the SPDX 3 Model Repo Changelog.

The changes to the spec documentation are summarized in the spec changelog.

Below are the details of the spec repo changes.

What's Changed

  • Update examples for version 2.3 by @goneall in #783
  • Add 3.0 and 2.3 changes to CHANGELOG.md by @goneall in #920
  • Validate only specific doc examples with SHACL in CI. by @licquia in #935
  • Update index.md by @kestewart in #918
  • Annex A: Fix typo: SpecVerion, interoperabiility by @bact in #923
  • mkdocs: Fix ref not found warnings by @bact in #955
  • Remove stale ontology by @JPEWdev in #963
  • Validate documentation by @JPEWdev in #938
  • Fix ABNF for license expressions by @zvr in #960
  • Fix typo in TOC entry for Lite profile by @stefan6419846 in #967
  • annexes: getting started: Fix SPDX IDs by @JPEWdev in #964
  • Add build instruction and flow diagram by @bact in #971
  • New annex on license matching by @zvr in #968
  • Add package-url specification as an annex by @zvr in #969
  • Update publish_v3.yml to alias "v3.0" (and later "v3.0.1") as "latest" by @bact in #950
  • Fix Philippe Ombredanne name by @vargenau in #943
  • Use H2 for headings in Annex A by @bact in #988
  • Bug fixes for Lite profile annex by @NorioKobota in #991
  • Add clarification for case-sensitivity for LicenseRef- by @vargenau in #984
  • Publish 3.0.1 as v3.0.1-draft by @bact in #995
  • Annex B: Change model URL to new one at spdx.org + update to 3.0.1 URL by @bact in #936
  • Update Scope chapter by @bact in #1005
  • Add OMG Preface page by @bact in #1011
  • Add serialization info + NamespaceMap info by @bact in #1016
  • Additional migration documentation for relationship types by @goneall in #1019
  • examples/README.md: Add ref to spdx/spdx-examples repo for more examples by @bact in #941
  • Add Legacy Text Template format section back to the Matching Guidelines by @bact in #1026
  • Meaning of the SPDX acronym has changed in SPDX 3.0 by @goneall in #1030
  • Add Symbols chapter by @bact in #1003
  • Update References chapter by @bact in #1006
  • Update CONTRIBUTING and CHANGELOG (rework) by @bact in #1031
  • Fix bullet list in Serialization chapter (rework) by @bact in #1032
  • Fix diagram filenames, make them display properly by @bact in #989
  • Add ISO Foreword by @bact in #1001
  • Add Copyrights and licensing page by @bact in #1010
  • "The" in "The Linux Foundation" should be first-letter-capitalized by @bact in #1036
  • Update Conformance chapter by @bact in #1002
  • Add fileContributor change to diffs-from-previous-editions by @goneall in #1038
  • .gitignore: docs/model/ by @bact in #945
  • Fix bullet list of BSI in Annex F by @bact in #1037
  • Fix CI by commented out "mike set-default" for now by @bact in #1039
  • Fix copy/paste error in diffs-from-previous-editions by @goneall in #1035
  • Validate examples only when examples/**/.json and docs/annexes/.md changes by @bact in #1027
  • License expression annex re-do by @zvr in #1028
  • Update Introduction chapter by @bact in #1007
  • Update SPDX schema URL in Conformance chapter by @bact in #1046
  • Remove numbering, set list of files by @zvr in #1044
  • Update References by @zvr in #1050
  • Fixes in Conformance chapter by @zvr in #1047
  • Add OMG History to mkdocs.yml by @bact in #1055
  • Add OMG History chapter by @bact in #1053
  • Lowercase filenames for cleaner URLs by @bact in #1052
  • Fix 404: Add conformance.md and changes-from-previous-iso.md to the website build by @bact in #1057
  • SPDX Lite annex by @zvr in #1061
  • Update Python module shacl2code to 0.0.13 by @bact in #1056
  • Add elements array to the example for SpdxPackage and SBOM by @goneall in #1054
  • Add JSON-LD context and validation info to Serialization chapter by @bact in #1059
  • add SPDX Lite contributors by @NorioKobota in #1065
  • Fix HTTP casing + update links to license-list-XML repo by @bact in #1071
  • Update diagrams 2024-08-16 by @bact in #1074
  • Add "Terms and definitions" back to navigation bar by @bact in #1064
  • Add the generated RDF files by @zvr in #1067
  • Update SPDX License List link to v3.25.0 by @bact in #1075
  • Remove ref to SLSA v0.2 by @bact in #1076
  • Fix typos in Build and Lite Profiles Conformance by @bact in #1091
  • Fix typos in 3.0.1 spec by @bact in #1087
  • Update model diagrams 22 Aug 2024 by @bact in #1077
  • Add "Profile" to Terms and defintions by @bact in #1095
  • Preparing for submissions by @zvr in #1099
  • [WEBSITE BROKEN] Fix 404 File Not Found for spec website homepage (root) by @bact in #1101
  • CI for v3.0.1 publication by @bact in #1100
  • Update example to 3.0.1 by @goneall in #1098
  • Fix bad links related to abbreviations in References chapter by @bact in #1106
  • Fix typo in Lite annex: concludedLicense -> hasConcludedLicense by @bact in #1110
  • Update base IRI in annotations.ttl to 3.0.1 by @bact in #1096
  • Update examples validation to v3.0.1 by @bact in #1111
  • CI update for spec-parser 2.5.0 by @bact in #1113
  • Update shacl2code to 0.0.14 by @bact in #1117
  • Add missing para of JSON-LD context section to Model and serializations chapter by @bact in #1090
  • Remove heading numbering, fix internal refs, standardized RFC links by @bact in #1107
  • [Diagram] Remove all named individuals by @bact in #1120
  • Remove "License Information in File" from License List Matching guidelines by @bact in #1126
  • Add Extension Profile diagram to Annex by @bact in #1128
  • Standardize RFC links to https://datatracker.ietf.org/doc/rfc... by @bact in #1129
  • Adjust grammar of README.md by @kadenlnelson in #1131
  • Use Python 3.12 to avoid htmlmin issue with 3.13; update other dependencies by @bact in #1133
  • Conformance: fix typo: refering -> referring by @bact in #1136
  • Separate build instructions from the README by @bact in #1137
  • Remove double "the" in Intro chapter by @bact in #1145
  • Update dependencies in CI by @bact in #1142
  • Add SPDX favicon.ico to the website by @bact in #1130
  • Create dependabot.yml for GitHub Dependabot by @bact in #1143
  • Change log update for v3.0.1 spec by @bact in #1123
  • Fix i...
Read more

Contributors

bact, zvr, and 8 other contributors
Assets 3
Loading

Release 3.0 of the SPDX Specifications

15 Apr 16:54
@goneall goneall
v3.0
f148837
Compare
Choose a tag to compare
Release 3.0 of the SPDX Specifications

What's Changes since 2.3

Note that 3.0 is a major revision with several breaking changes from the previous released version of the SPDX specification.

See the Diffs from Previous Versions Annex for differences and a guide to upgrading from 2.3 to 3.0.

What's Changed since 3.0-RC2

New Contributors

Full Changelog: v2.3...v3.0

Contributors

xsuchy, zvr, and 13 other contributors
Assets 2
Loading

v3.0-RC2

06 Mar 21:50
@goneall goneall
v3.0-RC2
6171b39
Compare
Choose a tag to compare
v3.0-RC2 Pre-release
Pre-release

Release candidate 2 of the SPDX specification.

This specification documents the SPDX 3.0 RC2 release of the SPDX Model.

What's Changed

New Contributors

Full Changelog: v2.3...v3.0-RC2

Contributors

zvr, ninoseki, and 9 other contributors
Assets 4
Loading

v2.3

03 Nov 04:18
@goneall goneall
v2.3
aadf3b0
Compare
Choose a tag to compare
v2.3

V2.3 has added new fields to improve the ability to capture security related information and to improve interoperability with other SBOM formats.

Key changes include:

  • Added fields to Clause 7 ( Package Information ) to describe "Primary Package Purpose" and standardize recording of "Built Date", "Release Date", "Valid Until Date".
  • Added hash algorithms (SHA3-256, SHA3-384, SHA3-512, BLAKE2b-256, BLAKE2b-384, BLAKE2b-512, BLAKE3, ADLER32 ) to the set recognized by 7.10 (Package Checksum field) and 8.4 (File checksum field)
  • Update C
    spdx-spec-v2.3.zip
    lause 7, 8, and 9 to make several of the licensing properties optional rather than requiring the use of "NOASSERTION" when no value is provided.
  • Update Clause 11 to add the new relationship types: REQUIREMENT_DESCRIPTION_FOR and SPECIFICATION_FOR.
  • Update Annex B ( License matching guidelines and templates ) to use the License List XML format
  • Update Annex F ( External Repository Identifiers ) to expand security references to include advisory, fix, URL, SWID. Expand persistent identifiers to include gitoid.
  • Update Annex G ( SPDX Lite Profile ) to include NTIA SBOM mandatory minimum fields as required.
  • Update Annex H to documented how the snippet information in files to be consistent with REUSE recommendations.
  • Added Annex K ( How To Use SPDX in Different Scenarios ) to illustrate linking to external security information, and illustrate how the NTIA SBOM mandatory minimum elements map to SPDX fields.

Thanks to all the contributors to the 2.3 release:

Full Changelog: v2.2.2...v2.3

Contributors

MarkLodato, zvr, and 24 other contributors
Assets 2
Loading

v2.2.2

27 Apr 18:47
@kestewart kestewart
v2.2.2
a05c12a
Compare
Choose a tag to compare
v2.2.2

This release fixes formatting, grammatical and spelling issues found since ISO/IEC 5962:2021 SPDX v2.2.1 was published.

What's Changed

  • ISO-required editorial fixes
  • clarify optional cardinality contradictions
  • update OWL document
  • fix typos in JSON schema
  • clarify information on using license list short form identifiers
  • make some of the tables easier to read
  • fixes to broken links from format conversions
  • rearrange some of the appendices to fix links

Thanks to the contributors for this release

Full Changelog: v2.2.1...development/v2.2.2

Contributors

goneall, tsteenbe, and 9 other contributors
Assets 2
Loading

v2.2.1

28 Sep 23:27
@goneall goneall
v2.2.1
239189b
Compare
Choose a tag to compare
v2.2.1

This release includes:

  • Includes all updates for the final ISO/IEC 5962:2021 SPDX specification
  • Updates to the SPDX examples to resolve issues found in the v2.2 version of the JSON example
  • Fix numerous formatting, grammatical, and spelling issue that were not found or resolved in previous versions

Interested in the exact changes? Have a look at this detailed overview of all changes since the last release.

Assets 2
Loading

v2.2

04 Jun 12:32
@tsteenbe tsteenbe
v2.2
9903ae3
Compare
Choose a tag to compare
v2.2

This release includes:

  • Updated Charter to broaden applicable scenarios that SPDX documents can be used to represent that have been requested by users, and align with NTIA SBOM efforts.
  • Extended the valid file formats that can be used to represent an SPDX document to include JSON, YAML, and a development version of XML. A set of example documents illustrating use of these formats can be found in v2.2/examples.
  • Extended Relationships by addition of 13 new relationship types requested from tool creators (mostly to represent dependencies), as well as support for relationships to NOASSERTION or NONE as a way to indicate “known unknown” and “no relationships” respectively.
  • Added new fields to Packages, Files, and Snippets to capture “Attribution text”.
  • Extended Appendix VI: External Repository Identifiers to include support for PURL (Package URLs) and SWHIDs (Software Heritage Persistent Identifiers).
  • Added Appendix VIII: SPDX Lite as a first recognized SPDX profile. This subset of SPDX 2.2 originated from the use cases that the OpenChain Japan workgroup highlighted. They created it to be able to accept basic information from their suppliers who were not able to generate full SPDX documents with all optional fields.
  • Added Appendix IX: SPDX File Tags to enable use of file-specific information from SPDX defined fields in source code as supported by Version 3.0 of the REUSE Software Specification.
  • Updated Appendix V: Using SPDX License List short identifiers in Source Files to include support for use of LicenseRef- identifiers, to express custom identifiers for licenses that are not on the SPDX License List. This has been coordinated with Version 3.0 of the REUSE Software Specification to enable projects to provide a standardized format that can optionally be used for providing the corresponding license text for these identifiers.
  • Updated Appendix II: License Matching Guidelines to allow embedded rules within optional rules for generated SPDX license templates.
  • Updated Appendix IV: SPDX License Expressions to add some clarification on the case sensitivity of license expressions and handling of multi-line license expressions.
  • Updated Appendix I: License List to now reference version 3.8.
  • And numerous formatting, grammatical, and spelling fixes that escaped our reviewers in version 2.1.1.

Interested in the exact changes? Have a look at this detailed overview of all changes since the last release.

Assets 2
Loading

v2.1

03 Jul 19:55
@tsteenbe tsteenbe
v2.1
9e3b2e4
Compare
Choose a tag to compare
v2.1 
Release 2.1
Assets 3
Loading

v2.0

03 Jul 19:55
@tsteenbe tsteenbe
v2.0
7f894b4
Compare
Choose a tag to compare
v2.0 
Release 2.0
Assets 5
Loading

v1.2

03 Jul 19:55
@tsteenbe tsteenbe
v1.2
d2d06d0
Compare
Choose a tag to compare
v1.2 
Release 1.2
Assets 5
Loading