swidGenerator

NIST.IR.8060 PRI-13 requires additional attributes for Meta

Open adelton opened this issue 7 years ago • 3 comments

Addressing swidval errors

ERROR PRI-13-3: The <Meta> @colloquialVersion attribute was not provided.
ERROR PRI-13-4: The <Meta> @revision attribute was not provided.
ERROR PRI-13-5: The <Meta> @edition attribute was not provided.

Leaving the attribute values empty seems enough to make swidval happy. We could put the name (sans version) to product and then have version in colloquialVersion, to turn

  <Meta colloquialVersion="" edition="" product="Fedora 28 i686" revision=""/>

into (say)

  <Meta colloquialVersion="28" edition="" product="Fedora" revision=""/>

But I plan to add an option to use Meta for information about the package, not about the distribution.

adelton, Jul 12 '18 07:07

PRI-13 states:

If appropriate values exist and can be determined, a <Meta> element MUST be provided and MUST furnish values for as many of the following attributes as possible: @product, @colloquialVersion, @revision, and @edition.

This doesn't read to me like "... attribute MUST be provided", but I guess "furnish values" could be interpreted to mean add the attributes but leave those empty for which no value exists or can be determined. However, according to the schema all these attributes of the SoftwareMeta are optional (there are actually a lot more than listed there in NIST.IR.8060) and I don't really see an advantage in specifying empty attributes. So I think SWIDVal might be too restrictive here too.

tobiasbrunner, Jul 12 '18 09:07
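An added example, not part of the thread and not swidGenerator or swidval code: a Python check that separates absent, empty and valued PRI-13 attributes on `<Meta>`, so a tag pipeline can tell a real value from a placeholder that was only added to silence the validator. The error IDs and the two Fedora `<Meta>` lines come from the issue; the function names, the `flag_empty` policy switch and the wrapping sample tags are constructed assumptions, and treating empty as "provided" reflects only what the issue reports about swidval.

```python
import xml.etree.ElementTree as ET

# Attribute -> swidval error ID, as quoted in the issue text.
PRI_13 = {
    "colloquialVersion": "PRI-13-3",
    "revision": "PRI-13-4",
    "edition": "PRI-13-5",
}

def classify_meta(tag_xml):
    """Return one {attr: 'absent'|'empty'|'valued'} dict per <Meta> element."""
    results = []
    for el in ET.fromstring(tag_xml).iter():
        if el.tag.rsplit("}", 1)[-1] != "Meta":  # ignore the XML namespace
            continue
        state = {}
        for attr in PRI_13:
            value = el.get(attr)
            if value is None:
                state[attr] = "absent"
            elif not value.strip():
                state[attr] = "empty"
            else:
                state[attr] = "valued"
        results.append(state)
    return results

def report(tag_xml, flag_empty=False):
    """List (error_id, attr, state) findings.

    flag_empty=False: only absent attributes are findings (empty passes,
    as the issue reports for swidval). flag_empty=True is a hypothetical
    stricter local policy that also flags empty placeholder values.
    """
    bad = {"absent", "empty"} if flag_empty else {"absent"}
    return [(PRI_13[a], a, s)
            for meta in classify_meta(tag_xml)
            for a, s in meta.items() if s in bad]

# Constructed sample tags wrapping the <Meta> variants discussed in the issue.
NS = 'xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"'
WRAP = '<SoftwareIdentity ' + NS + ' name="Fedora" tagId="constructed-example">{}</SoftwareIdentity>'
NO_ATTRS = WRAP.format('<Meta product="Fedora 28 i686"/>')
EMPTY = WRAP.format('<Meta colloquialVersion="" edition="" product="Fedora 28 i686" revision=""/>')
VERSIONED = WRAP.format('<Meta colloquialVersion="28" edition="" product="Fedora" revision=""/>')

if __name__ == "__main__":
    for name, tag in (("no attrs", NO_ATTRS), ("empty", EMPTY), ("versioned", VERSIONED)):
        print(name, report(tag), report(tag, flag_empty=True))
```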

Thank you for the analysis. Have you guys talked to NIST about it or should we try to bring it up?

adelton, Jul 20 '18 15:07

We currently have no plans to contact NIST about this. Thanks.

tobiasbrunner, Jul 23 '18 09:07