sbom-tool icon indicating copy to clipboard operation
sbom-tool copied to clipboard

Published 20 hours ago verified publisher icon microsoft

SPDX version 2.3 support

Open neo42man opened this issue 10 months ago • 9 comments

According to the documentation and output files, the format of the SPDX document is in version 2.2 ("spdxVersion": "SPDX-2.2")

However, according to the German Federal Office for Information Security (BSI), SPDX documents must be version 2.3 or higher to meet the requirements. Source: BSI-TR-03183-2.pdf

Are there any plans to update the sbom-tool to output version 2.3 documents?

neo42man avatar Apr 04 '24 08:04 neo42man

We are eagerly anticipating the release of the SPDX 3.0 spec (may be soon! 😉).

jlperkins avatar Apr 04 '24 18:04 jlperkins

In SPDX 2.3, new features include optional fields for Primary Package Purpose, support for additional hashing algorithms (SHA3-256, SHA3-384, SHA3-512, BLAKE2b-256, BLAKE2b-384, BLAKE2b-512, BLAKE3, ADLER32), new relationship types (REQUIREMENT_DESCRIPTION_FOR and SPECIFICATION_FOR), package fields for ValidUntilDate, and expanded external repository identifiers in Security (introducing advisory, fix, URL, and SWID categories).

Note that most fields remain optional, and compliance with SPDX 2.3 doesn't require mandatory use of new fields, making SPDX 2.3 documents backward compatible with SPDX 2.2.

For BSI compliance, the following fields are more of a challenge:

  1. Packages Creator: (Package Supplier) (email or url is required)
  2. Package Dependencies: (Relationships) Direct dependencies
  3. Package Vuln Ids: cpe or purl(inaccuracies)

riteshnoronha avatar Apr 04 '24 19:04 riteshnoronha

Any idea when support for spdx 2.3 will be added to the tool?

0xabdi avatar May 13 '24 13:05 0xabdi

Hmm.. the Version 3 of spdx was released: https://spdx.github.io/spdx-spec/v3.0/.

henning-krause avatar May 13 '24 14:05 henning-krause

Also interested in finding out about sbom-tool support for spdx 2.3 output if anybody can provide any details or ETA (if any)

I realize the 3.0 spec is also out however spdx 2.3 output is what we are currently looking to use at the moment - thanks for any info

wglenos avatar May 13 '24 14:05 wglenos

@jlperkins Bumping this since there was no activity on this for a while. The new SPDX version was released. Any idea when the new version will be available in the SBOM tool?

henning-krause avatar Aug 06 '24 09:08 henning-krause

We are still actively working on the tool but these updates have been pushed back such that we no longer have a ETA

sfoslund avatar Aug 08 '24 18:08 sfoslund

@bobmartin3000 fyi

bact avatar Oct 07 '24 14:10 bact

  • From Version 2.0.0 of the BSI TR-03183 Part 2 guideline which is just released few weeks ago (2024-09-20), the minimum required SPDX version is now 2.2.1 (was SPDX 2.3 in TR-03183 Part 2 V1.1).
  • So if TR-03183 support is the only concerns, supporting SPDX 2.2.1 may be enough for the job. (SPDX 2.2 and SPDX 2.2.1 have no technical difference, so may be it can be faster to get the support)
  • See https://github.com/microsoft/sbom-tool/issues/738

bact avatar Oct 07 '24 14:10 bact