Merge branch 'development/v3.0.1' into update-contributing-guideline

bact · Aug 9, 2024 · fd025e5 · fd025e5
2 parents 151553a + 0dbf279
commit fd025e5
Show file tree

Hide file tree

Showing 4 changed files with 158 additions and 39 deletions.
diff --git a/docs/annexes/diffs-from-previous-editions.md b/docs/annexes/diffs-from-previous-editions.md
@@ -2,6 +2,12 @@
 
 ## A.1 Differences between V3.0 and V2.3 <a name="A.1"></a>
 
+### SPDX meaning
+
+In previous editions of the specification, SPDX meant "Software Package Data Exchange".
+
+Starting with V3.0, the scope of SPDX has expanded beyond software and now means "System Package Data Exchange".
+
 ### Structural Differences
 
 These are the most significant breaking changes requiring a change in logic to handle a different model or structure for the information.  Each structural difference will describe the change, describe an approach to translate from 2.3 to 3.0, and provide a rationale for the change.

diff --git a/docs/normative-references.md b/docs/normative-references.md
diff --git a/docs/references.md b/docs/references.md
@@ -0,0 +1,111 @@
+# 2 References
+
+## 2.1 Normative References <a name="2.1"></a>
+
+The following documents are referred to in the text in such a way that some or
+all of their content constitutes requirements of this document. For dated
+references, only the edition cited applies. For undated references, the latest
+edition of the referenced document (including any amendments) applies.
+
+*Apache Maven*, Apache Software Foundation,
+[https://maven.apache.org/](https://maven.apache.org/)
+
+*Bower API*,
+[https://bower.io/docs/api/#install](https://bower.io/docs/api/#install)
+
+*Common Platform Enumeration (CPE) – Specification 2.2*,
+The MITRE Corporation,
+[https://cpe.mitre.org/files/cpe-specification_2.2.pdf](https://cpe.mitre.org/files/cpe-specification_2.2.pdf)
+
+NIST IR 7695, *Common Platform Enumeration: Naming Specification Version 2.3*,
+NIST,
+[https://csrc.nist.gov/pubs/ir/7695/final](https://csrc.nist.gov/pubs/ir/7695/final)
+
+*npm-package.json*, npm Inc.,
+[https://docs.npmjs.com/files/package.json](https://docs.npmjs.com/files/package.json)
+
+*NuGet documentation*, Microsoft,
+[https://docs.nuget.org/](https://docs.nuget.org/)
+
+POSIX.1-2017 *The Open Group Base Specifications Issue 7*, 2018 edition,
+IEEE/Open Group,
+[https://pubs.opengroup.org/onlinepubs/9699919799/](https://pubs.opengroup.org/onlinepubs/9699919799/)
+
+*Package URL specification*,
+[https://github.com/package-url/purl-spec](https://github.com/package-url/purl-spec)
+
+*Resource Description Framework (RDF)*, 2014-02-25, W3C,
+[http://www.w3.org/standards/techs/rdf](http://www.w3.org/standards/techs/rdf)
+
+RFC 1321, *The MD5 Message-Digest Algorithm*,
+The Internet Society Network Working Group,
+[https://www.rfc-editor.org/info/rfc1321](https://www.rfc-editor.org/info/rfc1321)
+
+RFC 3174, *US Secure Hash Algorithm 1 (SHA1)*,
+The Internet Society Network Working Group,
+[https://www.rfc-editor.org/info/rfc3174](https://www.rfc-editor.org/info/rfc3174)
+
+RFC 3986, *Uniform Resource Identifier (URI): Generic Syntax*,
+The Internet Society Network Working Group,
+[https://www.rfc-editor.org/info/rfc3986](https://www.rfc-editor.org/info/rfc3986)
+
+RFC 5234, *Augmented BNF for Syntax Specifications: ABNF*,
+The Internet Society Network Working Group,
+[https://www.rfc-editor.org/info/rfc5234](https://www.rfc-editor.org/info/rfc5234)
+
+RFC 6234, *US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF)*,
+The Internet Society Network Working Group,
+[https://www.rfc-editor.org/info/rfc6234](https://www.rfc-editor.org/info/rfc6234)
+
+*SoftWare Heritage persistent IDentifiers (SWHIDs)*,
+[https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html](https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html)
+
+*SPDX and RDF Ontology*,
+[http://spdx.org/rdf/ontology/spdx-3-0-1](http://spdx.org/rdf/ontology/spdx-3-0-1)
+
+*SPDX License List*, Linux Foundation,
+[https://spdx.org/licenses/](https://spdx.org/licenses/)
+
+*SPDX License Exceptions*, Linux Foundation,
+[https://spdx.org/licenses/exceptions-index.html](https://spdx.org/licenses/exceptions-index.html)
+
+## 2.2 Non-normative References <a name="2.2"></a>
+
+The following documents are referred to in the text.
+
+1. CISQ Software Bill of Materials project, *Tool-to-Tool Software Bill of
+  Materials Exchange*,
+  [https://www.it-cisq.org/software-bill-of-materials/](https://www.it-cisq.org/software-bill-of-materials/)
+1. Dan Geer and Joshua Corman, *Almost Too Big to Fail*,
+  Usenix ;login: article, Vol. 39. No. 4, August 2014,
+  [https://www.usenix.org/publications/login/august14/geer](https://www.usenix.org/publications/login/august14/geer)
+1. Josh Corman, testimony at the Cybersecurity of the Internet of Things
+  Hearing Before the Subcommittee on Information Technology of The Committee on
+  Oversight and Government Reform House of Representatives One Hundred
+  Fifteenth Congress First Session calling for software bill of materials in
+  pending legislation, October 3, 2017, page 38,
+  [https://www.govinfo.gov/app/details/CHRG-115hhrg27760/CHRG-115hhrg27760](https://www.govinfo.gov/app/details/CHRG-115hhrg27760/CHRG-115hhrg27760)
+1. MITRE, *Standardizing SBOM within the SW Development Tooling Ecosystem*,
+  Nov 2019,
+  [https://www.mitre.org/news-insights/publication/standardizing-sbom-within-sw-development-tooling-ecosystem](https://www.mitre.org/news-insights/publication/standardizing-sbom-within-sw-development-tooling-ecosystem)
+1. MITRE, *Deliver Uncompromised: Securing Critical Software Supply Chains
+  Proposal to Establish an End-To-End Framework For Software Supply Chain
+  Integrity*, Jan 2021,
+  [https://www.mitre.org/news-insights/publication/deliver-uncompromised-securing-critical-software-supply-chains](https://www.mitre.org/news-insights/publication/deliver-uncompromised-securing-critical-software-supply-chains)
+1. NTIA, *Notice of 07/19/18 Meeting of Multistakeholder Process on Promoting
+  Software Component Transparency*, July 2018.
+  [https://www.ntia.gov/federal-register-notice/notice-071918-meeting-multistakeholder-process-promoting-software-component](https://www.ntia.gov/federal-register-notice/notice-071918-meeting-multistakeholder-process-promoting-software-component)
+1. NTIA Software Bill Of Materials web page,
+  [https://ntia.gov/sbom/](https://ntia.gov/sbom/)
+1. Open Source Initiative (OSI) Approved Licenses;
+  [https://opensource.org/licenses](https://opensource.org/licenses)
+1. Software Package Data Exchange (SPDX®) Specification Version 1.0 and 1.1,
+  1.2, 2.0, 2.1, 2.2 and 2.3; SPDX.dev,
+  [https://spdx.dev/specifications](https://spdx.dev/specifications)
+1. The United States Department of Commerce, *The Minimum Elements For a
+  Software Bill of Materials (SBOM) Pursuant to Executive Order 14028 on
+  Improving the Nation’s Cybersecurity*, Jul 2021,
+  [https://www.ntia.gov/report/2021/minimum-elements-software-bill-materials-sbom](https://www.ntia.gov/report/2021/minimum-elements-software-bill-materials-sbom)
+1. White House, *Executive Order on Improving the Nation’s Cybersecurity*,
+  May 2021,
+  [https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/](https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/)
diff --git a/docs/symbols.md b/docs/symbols.md
@@ -0,0 +1,41 @@
+# 4 Symbols
+
+List of symbols/abbreviations.
+
+| | |
+|-|-|
+| 3T-SBOM | Tool-to-Tool Software Bill of Material |
+| ABNF | Augmented Backus–Naur form |
+| AI | Artificial Intelligence |
+| BNF | Backus–Naur form |
+| BOM | Bill of Material |
+| CISA | Cybersecurity and Information Security Agency |
+| CISQ | Center for Information and Security Quality |
+| CPE | Common Package Enumeration |
+| CVE | Common Vulnerabilies and Exposures |
+| CVSS | Common Vulnerability Scoring System |
+| EPSS | Exploit Prediction Scoring System |
+| ISO | International Organization for Standardization |
+| JSON-LD | JavaScript Object Notation for Linked Data |
+| KEV | Known Exploited Vulnerabilities |
+| ML | Machine Learning |
+| NISTIR | National Institute of Standards and Technology Internal/Interagency Reports |
+| NTIA | National Telecommunications and Information Administration |
+| OSI | Open Source Initiative |
+| OWL | Web Ontology Language |
+| PAS | Publicly Available Specification |
+| POSIX | Portable Operating System Interface |
+| PTF | Platform Task Force |
+| PURL | Package Uniform Resource Identifier |
+| RDF | Resource Description Framework |
+| RFC | Request For Comment |
+| SBOM | Software Bill of Material |
+| SHA | Secure Hash Algorithms |
+| SHACL | Shapes Constraint Language |
+| SPDX | System Package Data Exchange (previously Software Package Data Exchange) |
+| SSVC | Stakeholder- Specific Vulnerability Categorization |
+| SWHID | SoftWare Heritage persistent IDentifiers |
+| URI | Uniform Resource Identifier |
+| URL | Uniform Resource Locator |
+| VEX | Vulnerability Exploitable eXchange |
+| XML | Extensible Markup Language |