
Support German BSI TR-03183 2.0.0 by supporting SPDX 2.2.1 or higher

bact opened this issue 1 year ago · 3 comments · Status: Open

Background

  • SBOM Tool currently only supports SPDX 2.2.

  • New version (2.0.0) of Germany BSI TR-03183 Part 2 SBOM guideline is just released on 20 Sep 2024.

    • BSI TR-03183 Version 1.1 required SPDX 2.3 or higher.

    • BSI TR-03183 Version 2.0.0 now requires SPDX 2.2.1 or higher (page 9):

      4 SBOM formats

      A newly generated or updated SBOM MUST be in JSON- or XML-format that meets one of the following specifications in one of the specified versions.

      • CycloneDX, version 1.5 or higher
      • Software Package Data eXchange (SPDX), version 2.2.1 or higher

      The transitional system of this Technical Guideline is specified in section 7

  • SPDX 2.2.1 is the one that is ISO standard: https://www.iso.org/standard/81870.html

  • There are no technical differences between V2.2 and V2.2.1, according to SPDX's "Differences between V2.2.1 and V2.2" documentation:

    A.4 Differences between V2.2.1 and V2.2

    There were no technical differences; V2.2.1 is V2.2 reformatted for submission to ISO via the PAS process. As a result, new clauses were added causing the previous clause-numbering sequence to change. Also, Annexes went from having Roman numbers to Latin letters. Here is the translation between numbering in V2.2.1 and the version that came before it:

What is needed for SPDX 2.2.1 support?

  • SBOM generation side: as there is no technical difference between SPDX 2.2 and SPDX 2.2.1, it is very likely that SBOM Tool can generate the same SBOM (2.2) and merely change "spdxVersion" to "SPDX-2.2.1" to support SPDX 2.2.1, and also change the relevant IRIs.
  • Validation: the schema and RDF IRIs used for validation may need to be updated for SPDX 2.2.1?

bact · Oct 07 '24 14:10
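The relabelling step the issue proposes (emit the same SPDX 2.2 JSON with `spdxVersion` set to `SPDX-2.2.1`) and the TR-03183 minimum-version check it is meant to satisfy, written out as an added example. This is not code from the issue or from sbom-tool; it works on a constructed sample document whose field names follow the SPDX 2.2 JSON serialization (`spdxVersion`) and CycloneDX JSON (`bomFormat`, `specVersion`), and it deliberately does nothing about RDF namespace IRIs, which a non-JSON serialization would also need. The minimum versions are the ones quoted from section 4 of TR-03183 Part 2 v2.0.0 above.

```python
import copy
import json
import re
from typing import Dict, Set, Tuple

# Constructed SPDX 2.2 JSON document (sample data written for this example, not
# sbom-tool output); the field names follow the SPDX 2.2 JSON serialization.
SAMPLE_SPDX_22: Dict = {
    "spdxVersion": "SPDX-2.2",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-app 1.0.0",
    "documentNamespace": "https://example.invalid/spdx/example-app/1.0.0/c0ffee",
    "creationInfo": {
        "created": "2024-10-07T14:10:00Z",
        "creators": ["Tool: example-generator-0.0.1"],
    },
    "packages": [
        {
            "name": "example-app",
            "SPDXID": "SPDXRef-RootPackage",
            "versionInfo": "1.0.0",
            "downloadLocation": "NOASSERTION",
        }
    ],
}
SAMPLE_SPDX_22_TEXT: str = json.dumps(SAMPLE_SPDX_22, indent=2)

# Minimum versions from BSI TR-03183 Part 2 v2.0.0, section 4 (quoted in the issue).
BSI_MIN_SPDX: Tuple[int, ...] = (2, 2, 1)
BSI_MIN_CYCLONEDX: Tuple[int, ...] = (1, 5)

_SPDX_VERSION_RE = re.compile(r"^SPDX-(\d+(?:\.\d+)*)$")


def parse_spdx_version(value: str) -> Tuple[int, ...]:
    """Turn 'SPDX-2.2.1' into (2, 2, 1). Tuple comparison then orders versions
    the way we need: (2, 2) < (2, 2, 1) < (2, 3)."""
    m = _SPDX_VERSION_RE.match(value)
    if not m:
        raise ValueError(f"not an SPDX version string: {value!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def parse_cyclonedx_version(value: str) -> Tuple[int, ...]:
    """CycloneDX 'specVersion' is a bare dotted number such as '1.5'."""
    if not re.fullmatch(r"\d+(?:\.\d+)*", value):
        raise ValueError(f"not a CycloneDX specVersion: {value!r}")
    return tuple(int(p) for p in value.split("."))


def detect_format(doc: Dict) -> Tuple[str, Tuple[int, ...]]:
    """Identify a JSON SBOM as SPDX 2.x or CycloneDX and return its version tuple."""
    if "spdxVersion" in doc:
        return "SPDX", parse_spdx_version(doc["spdxVersion"])
    if doc.get("bomFormat") == "CycloneDX" and "specVersion" in doc:
        return "CycloneDX", parse_cyclonedx_version(doc["specVersion"])
    raise ValueError("document is neither SPDX 2.x JSON nor CycloneDX JSON")


def meets_bsi_tr03183_v2(doc: Dict) -> bool:
    """True if a JSON SBOM's format and version satisfy TR-03183-2 v2.0.0 section 4.
    Plain SPDX-2.2 fails here, which is exactly the gap the issue describes."""
    fmt, version = detect_format(doc)
    minimum = BSI_MIN_SPDX if fmt == "SPDX" else BSI_MIN_CYCLONEDX
    return version >= minimum


def upgrade_spdx_22_to_221(doc: Dict) -> Dict:
    """Return a copy of an SPDX 2.2 document relabelled as SPDX 2.2.1.
    Refuses anything that is not exactly 2.2, because only that pair is
    documented as technically identical. The input object is left untouched."""
    if parse_spdx_version(doc.get("spdxVersion", "")) != (2, 2):
        raise ValueError("only SPDX-2.2 documents can be relabelled as SPDX-2.2.1")
    upgraded = copy.deepcopy(doc)
    upgraded["spdxVersion"] = "SPDX-2.2.1"
    return upgraded


def changed_top_level_fields(before: Dict, after: Dict) -> Set[str]:
    """Top-level keys whose values differ between two documents; used to prove
    that the relabel touched nothing except spdxVersion."""
    keys = set(before) | set(after)
    return {k for k in keys if before.get(k) != after.get(k)}


def upgrade_spdx_json_text(text: str) -> str:
    """The same relabel applied to serialized JSON, e.g. a file on disk."""
    return json.dumps(upgrade_spdx_22_to_221(json.loads(text)), indent=2)


if __name__ == "__main__":
    print("original meets BSI v2.0.0:", meets_bsi_tr03183_v2(SAMPLE_SPDX_22))
    relabelled = upgrade_spdx_22_to_221(SAMPLE_SPDX_22)
    print("relabelled meets BSI v2.0.0:", meets_bsi_tr03183_v2(relabelled))
    print("fields changed:", changed_top_level_fields(SAMPLE_SPDX_22, relabelled))
```

The check only covers the format-and-version clause of section 4; the guideline's other requirements (and the JSON-or-XML constraint, which the sample satisfies by being JSON) are out of scope here. The relabel is restricted to exactly `SPDX-2.2` on purpose: a 2.1 or 2.3 document must not be silently relabelled, since those versions do differ technically.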