v2.3

V2.3 has added new fields to improve the ability to capture security related information and to improve interoperability with other SBOM formats.

Key changes include:

• Added fields to Clause 7 ( Package Information ) to describe "Primary Package Purpose" and standardize recording of "Built Date", "Release Date", "Valid Until Date".
• Added hash algorithms (SHA3-256, SHA3-384, SHA3-512, BLAKE2b-256, BLAKE2b-384, BLAKE2b-512, BLAKE3, ADLER32 ) to the set recognized by 7.10 (Package Checksum field) and 8.4 (File checksum field)
• Update C
  spdx-spec-v2.3.zip
  lause 7, 8, and 9 to make several of the licensing properties optional rather than requiring the use of "NOASSERTION" when no value is provided.
• Update Clause 11 to add the new relationship types: REQUIREMENT_DESCRIPTION_FOR and SPECIFICATION_FOR.
• Update Annex B ( License matching guidelines and templates ) to use the License List XML format
• Update Annex F ( External Repository Identifiers ) to expand security references to include advisory, fix, URL, SWID. Expand persistent identifiers to include gitoid.
• Update Annex G ( SPDX Lite Profile ) to include NTIA SBOM mandatory minimum fields as required.
• Update Annex H to documented how the snippet information in files to be consistent with REUSE recommendations.
• Added Annex K ( How To Use SPDX in Different Scenarios ) to illustrate linking to external security information, and illustrate how the NTIA SBOM mandatory minimum elements map to SPDX fields.

Thanks to all the contributors to the 2.3 release:

• @lastthyme
• @goneall
• @seabass-labrax
• @fu7mu4
• @Jayman2000
• @tsteenbe
• @jlovejoy
• @swinslow
• @rnjudge
• @kestewart
• @tschmidtb51
• @nishakm
• @NorioKobota
• @hfukuchi
• @Cynical-Optimist
• @henkbirkholz
• @vargenau
• @AevaOnline
• @ivanayov
• @MarkLodato
• @silverhook
• @HansBusch
• @iamwillbar
• @zvr
• @puerco
• @alilleybrinker

Full Changelog: v2.2.2...v2.3