spdx
Combine Package external reference and external reference comment
chapters/package-information.md has Section 7.21 External reference field, and Section 7.22 External reference comment field. This is confusing, since a comment is a property of a specific external reference, not an independent type.
In tag:value format an external reference with comment is encoded with two tags. Including the <text> field directly after the category, type, and locator fields without the second tag would be cleaner, but is a breaking change. In the documentation the category/type/locator/comment fields can be a single type encoded as one type in RDF and as one type with two tags in tag:value.
Suggest that Section 7.22 be merged into section 7.21, with
7.21.3 Examples
EXAMPLE 1 Tag: ExternalRef:
ExternalRef: SECURITY cpe23Type cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:*
ExternalRefComment: <text>NIST National Vulnerability Database (NVD)
describes security vulnerabilities (CVEs) which affect Vendor Product
Version acmecorp:acmenator:6.6.6.</text>
This would eliminate the inadequate explanation:
In
tag:valueformat this is delimited by<text>...</text>and is expected to follow an External Reference (7.21) so that the association can be made.
since the comment isn't "expected" to follow the reference, it MUST follow the reference because it is a part of the reference.
Note that license comments (section 16) appears similar to reference comments, but there is no requirement for license comments to be linked to or immediately follow concluded license (section 13), and rdf example 7.16.3 does not show comments as a subproperty, in contrast to rdf example 7.22.3 which does.
Thus license comments appears to be an independent standalone property, not a sub-property of concluded license.
