lib4sbom

Support SPDX 3

Open rossburton opened this issue 7 months ago • 3 comments

SPDX v3 is out now, and is much better than v2.

rossburton, May 19 '25 17:05

I am aware. I have played with it earlier this year, but the tooling was still immature. SPDX3 is very different to SPDX2. It is on the roadmap but I am not seeing any demand for SBOMs conforming to this version at the moment.

I still see lots of SPDX 2.2 files, so many tools still haven't made the step up to SPDX 2.3 despite being released over 2 years ago.

anthonyharrison, Jun 06 '25 19:06

Datapoint: I want to manipulate/parse/display/process SBOMs from yoctoproject.org and that writes SPDXv3 by default.

rossburton, Jun 06 '25 20:06

@rossburton I believe the Yocto Project already supports SPDX v3 as it is the early adopter for SPDX3.

The supporting libraries for generating or parsing SPDX 3 were still under development and weren't stable when I looked at them a few months back. Having checked back today, they are still under development but currently fail to parse valid files.

anthonyharrison, Jun 15 '25 19:06