diff --git a/404.html b/404.html
index 63e31a2..56d2e68 100644
--- a/404.html
+++ b/404.html
@@ -63,11 +63,11 @@
model
- Vocabularies
+ Vocabularies
RelationshipType
+ SupportType
+
- Datatypes
+ Individuals
+
+
+ Datatypes
- Software
+ Software
- Vocabularies
+ Vocabularies
- Security
+ Security
- Properties
+ Properties
- Vocabularies
+ Vocabularies
- Licensing
+ Licensing
- SimpleLicensing
+ SimpleLicensing
- Properties
+ Properties
- ExpandedLicensing
+ ExpandedLicensing
- Properties
+ Properties
- Individuals
+ Individuals
- Dataset
+ Dataset
- Vocabularies
+ Vocabularies
- AI
+ AI
- Vocabularies
+ Vocabularies
- Build
+ Build
- Lite
+ Lite
- Extension
+ Extension
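Review bot: most `-`/`+` pairs in this navigation hunk carry identical visible text (`- Vocabularies` / `+ Vocabularies`, `- Software` / `+ Software`, and so on), so whatever changed is in markup this rendering strips (link targets or attributes), and the header `@@ -63,11 +63,11 @@` counts eleven lines per side while far more are shown. The only substantive additions visible are the new `SupportType` and `Individuals` nav entries. Review the raw HTML diff to confirm the unchanged-looking lines differ only in attributes, and that the same nav block is updated identically in every page below (the hunk repeats per `index.html`, as expected for a generated MkDocs site).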
@@ -759,7 +809,7 @@ 404
-
DRAFT version generated from 3a34e99 (model) by b892fcc (parser)
+
DRAFT version generated on 2024-06-17 from 47f98d2 (model) by d2adcc9 (parser)
Built with MkDocs using a theme provided by Read the Docs .
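Review bot: the footer now embeds a build date (`generated on 2024-06-17`) next to the model and parser commits, which makes every page differ on each rebuild even when `47f98d2` and `d2adcc9` are unchanged, and is why this patch touches every `index.html`. If the goal is provenance, the two commit ids already provide it; consider deriving the date from the model commit or a reproducible-builds convention such as `SOURCE_DATE_EPOCH` so identical inputs yield byte-identical output, and prefer full-length commit ids over 7-character abbreviations, which are not guaranteed unique in a long-lived repository.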
diff --git a/ISO_foreword/index.html b/ISO_foreword/index.html
index d69c749..c88e512 100644
--- a/ISO_foreword/index.html
+++ b/ISO_foreword/index.html
@@ -70,11 +70,11 @@
model
originatedBy
+ packageVerificationCodeExcludedFile
+
Prefix
profileConformance
@@ -216,7 +220,7 @@
specVersion
- Standard
+ standardName
startTime
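Review bot: the nav entry is renamed from `Standard` to `standardName`, but the link target is not visible in this rendering; confirm the corresponding property page and its anchor were renamed in the same build, otherwise this entry becomes a dead link on every page that carries this nav block.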
@@ -228,6 +232,8 @@
suppliedBy
+ supportLevel
+
To
validUntilTime
@@ -238,7 +244,7 @@
- Vocabularies
+ Vocabularies
RelationshipType
+ SupportType
+
- Datatypes
+ Individuals
+
+
+ Datatypes
- Software
+ Software
- Vocabularies
+ Vocabularies
- Security
+ Security
- Properties
+ Properties
- Vocabularies
+ Vocabularies
- Licensing
+ Licensing
- SimpleLicensing
+ SimpleLicensing
- Properties
+ Properties
- ExpandedLicensing
+ ExpandedLicensing
- Properties
+ Properties
- Individuals
+ Individuals
- Dataset
+ Dataset
- Vocabularies
+ Vocabularies
- AI
+ AI
- Vocabularies
+ Vocabularies
- Build
+ Build
- Lite
+ Lite
- Extension
+ Extension
@@ -770,7 +820,7 @@ Foreword
-
DRAFT version generated from 3a34e99 (model) by b892fcc (parser)
+
DRAFT version generated on 2024-06-17 from 47f98d2 (model) by d2adcc9 (parser)
Built with MkDocs using a theme provided by Read the Docs .
diff --git a/annexes/RDF-object-model-and-identifier-syntax/index.html b/annexes/RDF-object-model-and-identifier-syntax/index.html
index 1eb1e6d..5eaa261 100644
--- a/annexes/RDF-object-model-and-identifier-syntax/index.html
+++ b/annexes/RDF-object-model-and-identifier-syntax/index.html
@@ -70,11 +70,11 @@
model
originatedBy
+ packageVerificationCodeExcludedFile
+
Prefix
profileConformance
@@ -216,7 +220,7 @@
specVersion
- Standard
+ standardName
startTime
@@ -228,6 +232,8 @@
suppliedBy
+ supportLevel
+
To
validUntilTime
@@ -238,7 +244,7 @@
- Vocabularies
+ Vocabularies
RelationshipType
+ SupportType
+
- Datatypes
+ Individuals
+
+
+ Datatypes
- Software
+ Software
- Vocabularies
+ Vocabularies
- Security
+ Security
- Properties
+ Properties
- Vocabularies
+ Vocabularies
- Licensing
+ Licensing
- SimpleLicensing
+ SimpleLicensing
- Properties
+ Properties
- ExpandedLicensing
+ ExpandedLicensing
- Properties
+ Properties
- Individuals
+ Individuals
- Dataset
+ Dataset
- Vocabularies
+ Vocabularies
- AI
+ AI
- Vocabularies
+ Vocabularies
- Build
+ Build
- Lite
+ Lite
- Extension
+ Extension
@@ -707,7 +757,7 @@
annexes
suppliedBy
+ supportLevel
+
To
validUntilTime
@@ -238,7 +244,7 @@
- Vocabularies
+ Vocabularies
RelationshipType
+ SupportType
+
- Datatypes
+ Individuals
+
+
+ Datatypes
- Software
+ Software
- Vocabularies
+ Vocabularies
- Security
+ Security
- Properties
+ Properties
- Vocabularies
+ Vocabularies
- Licensing
+ Licensing
- SimpleLicensing
+ SimpleLicensing
- Properties
+ Properties
- ExpandedLicensing
+ ExpandedLicensing
- Properties
+ Properties
- Individuals
+ Individuals
- Dataset
+ Dataset
- Vocabularies
+ Vocabularies
- AI
+ AI
- Vocabularies
+ Vocabularies
- Build
+ Build
- Lite
+ Lite
- Extension
+ Extension
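Review bot: the header `@@ -238,7 +244,7 @@` on this hunk comes after `@@ -707,7 +757,7 @@` in the same file, and its body repeats the earlier `@@ -238,7 +244,7 @@` hunk for this file line for line. Unified-diff hunks must be in ascending line order and must not overlap, so `git apply` will reject this patch as shown; regenerate the diff from the two build outputs rather than applying this copy.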
@@ -709,7 +759,7 @@
RDF Object Model and Identifier Syntax
- SPDX License Expressions
+ SPDX License Expressions
D.1 Overview
@@ -785,7 +835,7 @@ D.1 Overview
Often a single license can be used to represent the licensing terms of a source code or binary file, but there are situations where a single license identifier is not sufficient. A common example is when software is offered under a choice of one or more licenses (e.g., GPL-2.0-only OR BSD-3-Clause). Another example is when a set of licenses is needed to represent a binary program constructed by compiling and linking two (or more) different source files each governed by different licenses (e.g., LGPL-2.1-only AND BSD-3-Clause).
SPDX License Expressions provide a way for one to construct expressions that more accurately represent the licensing terms typically found in open source software source code. A license expression could be a single license identifier found on the SPDX License List; a user defined license reference denoted by the LicenseRef-[idString]
; a license identifier combined with an SPDX exception; or some combination of license identifiers, license references and exceptions constructed using a small set of defined operators (e.g., AND
, OR
, WITH
and +
). We provide the definition of what constitutes a valid an SPDX License Expression in this section.
The exact syntax of license expressions is described below in ABNF .
- idstring = 1*(ALPHA / DIGIT / "-" / "." )
+idstring = 1*(ALPHA / DIGIT / "-" / "." )
license-id = <short form license identifier in Annex A.1>
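Review bot: the only change in this hunk is dropping the leading space before `idstring = 1*(ALPHA / DIGIT / "-" / "." )`, a rendering fix inside the ABNF listing, which is fine. While this listing is being touched, the unchanged context line `We provide the definition of what constitutes a valid an SPDX License Expression in this section.` has a stray `an` and should read `a valid SPDX License Expression`; it is a one-word fix in the source markdown.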
@@ -807,7 +857,7 @@ D.1 Overview
"(" compound-expression ")" )
license-expression = (simple-expression / compound-expression)
-
+
In the following sections we describe in more detail <license-expression>
construct, a licensing expression string that enables a more accurate representation of the licensing terms of modern-day software.
A valid <license-expression>
string consists of either:
@@ -827,12 +877,12 @@ D.3 Simple license expressions
Some examples:
-LicenseRef-23
+LicenseRef-23
LicenseRef-MIT-Style-1
DocumentRef-spdx-tool-1.2:LicenseRef-MIT-Style-2
-
+
D.4 Composite license expressions
D.4.1 Introduction
@@ -842,61 +892,61 @@ D.4.1 Introduction
D.4.2 Disjunctive "OR" operator
If presented with a choice between two or more licenses, use the disjunctive binary "OR" operator to construct a new license expression, where both the left and right operands are valid license expression values.
For example, when given a choice between the LGPL-2.1-only or MIT licenses, a valid expression would be:
-LGPL-2.1-only OR MIT
-
+
The "OR" operator is commutative, meaning that the above expression should be considered equivalent to:
-MIT OR LGPL-2.1-only
-
+
An example representing a choice between three different licenses would be:
-LGPL-2.1-only OR MIT OR BSD-3-Clause
-
+LGPL-2.1-only OR MIT OR BSD-3-Clause
+
D.4.3 Conjunctive "AND" operator
If required to simultaneously comply with two or more licenses, use the conjunctive binary "AND" operator to construct a new license expression, where both the left and right operands are a valid license expression values.
For example, when one is required to comply with both the LGPL-2.1-only or MIT licenses, a valid expression would be:
-LGPL-2.1-only AND MIT
-
+
The "AND" operator is commutative, meaning that the above expression should be considered equivalent to:
-MIT AND LGPL-2.1-only
-
+
An example where all three different licenses apply would be:
-LGPL-2.1-only AND MIT AND BSD-2-Clause
-
+LGPL-2.1-only AND MIT AND BSD-2-Clause
+
D.4.4 Exception "WITH" operator
Sometimes a set of license terms apply except under special circumstances. In this case, use the binary "WITH" operator to construct a new license expression to represent the special exception situation. A valid <license-expression>
is where the left operand is a <simple-expression>
value and the right operand is a <license-exception-id>
that represents the special exception terms.
For example, when the Bison exception is to be applied to GPL-2.0-or-later, the expression would be:
-GPL-2.0-or-later WITH Bison-exception-2.2
-
+GPL-2.0-or-later WITH Bison-exception-2.2
+
The current set of valid exceptions can be found in Annex A.2 . For the most up to date set of exceptions please see spdx.org/licenses . If the applicable exception is not found on the SPDX License Exception List, then use a single <license-ref>
to represent the entire license terms (including the exception).
D.4.5 Order of precedence and parentheses
The order of application of the operators in an expression matters (similar to mathematical operators). The default operator order of precedence of a <license-expression>
a is:
-+
+
where a lower order operator is applied before a higher order operator.
For example, the following expression:
-LGPL-2.1-only OR BSD-3-Clause AND MIT
-
+LGPL-2.1-only OR BSD-3-Clause AND MIT
+
represents a license choice between either LGPL-2.1-only and the expression BSD-3-Clause AND MIT because the AND operator takes precedence over (is applied before) the OR operator.
When required to express an order of precedence that is different from the default order a <license-expression>
can be encapsulated in pairs of parentheses: ( ), to indicate that the operators found inside the parentheses takes precedence over operators outside. This is also similar to the use of parentheses in an algebraic expression e.g., (5+7)/2.
For instance, the following expression:
-MIT AND (LGPL-2.1-or-later OR BSD-3-Clause)
-
+MIT AND (LGPL-2.1-or-later OR BSD-3-Clause)
+
states the OR operator should be applied before the AND operator. That is, one should first select between the LGPL-2.1-or-later or the BSD-3-Clause license before applying the MIT license.
D.4.6 License expressions in RDF
A conjunctive license can be expressed in RDF via a <spdx:ConjunctiveLicenseSet>
element, with an spdx:member property for each element in the conjunctive license. Two or more members are required.
-<spdx:ConjunctiveLicenseSet>
+<spdx:ConjunctiveLicenseSet>
<spdx:member rdf:resource="http://spdx.org/licenses/GPL-2.0-only"/>
<spdx:ExtractedLicensingInfo rdf:about
="http://example.org#LicenseRef-EternalSurrender">
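Review bot: several example lines in this hunk are removed on `-` lines with only an empty `+` line in their place: `LGPL-2.1-only OR MIT`, `MIT OR LGPL-2.1-only`, `LGPL-2.1-only AND MIT`, `MIT AND LGPL-2.1-only`, and the operator-precedence list under D.4.5 (the `-+` line, of which only the `+` operator is visible), while neighbouring examples such as `LGPL-2.1-only OR MIT OR BSD-3-Clause` are re-added on `+` lines. If the rendered HTML no longer shows the two-operand examples and the precedence list, the prose around them (`the above expression should be considered equivalent to:`) refers to nothing; verify the built page before merging. Separately, the context line `when one is required to comply with both the LGPL-2.1-only or MIT licenses` should say `and` for the conjunctive case.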
@@ -910,10 +960,10 @@ D.4.6 License expressions in RDF
+
A disjunctive license can be expressed in RDF via a <spdx:DisjunctiveLicenseSet>
element, with an spdx:member property for each element in the disjunctive license. Two or more members are required.
-<spdx:DisjunctiveLicenseSet>
+<spdx:DisjunctiveLicenseSet>
<spdx:member rdf:resource="http://spdx.org/licenses/GPL-2.0-only"/>
<spdx:member>
<spdx:ExtractedLicensingInfo rdf:about
@@ -930,7 +980,7 @@ D.4.6 License expressions in RDF
+
A License Exception can be expressed in RDF via a <spdx:LicenseException>
element. This element has the following unique mandatory (unless specified otherwise) attributes:
licenseExceptionText
- Full text of the license exception.
-<rdf:Description rdf:about
+<rdf:Description rdf:about
="http://example.org#SPDXRef-ButIdDontWantToException">
<rdfs:comment>This exception may be invalid in some
jurisdictions.</rdfs:comment>
@@ -958,7 +1008,7 @@ D.4.6 License expressions in RDF
+
@@ -971,7 +1021,7 @@ D.4.6 License expressions in RDF
- DRAFT version generated from 3a34e99 (model) by b892fcc (parser)
+ DRAFT version generated on 2024-06-17 from 47f98d2 (model) by d2adcc9 (parser)
Built with MkDocs using a theme provided by Read the Docs .
diff --git a/annexes/diffs-from-previous-editions/index.html b/annexes/diffs-from-previous-editions/index.html
index 1e51498..b4351f1 100644
--- a/annexes/diffs-from-previous-editions/index.html
+++ b/annexes/diffs-from-previous-editions/index.html
@@ -70,11 +70,11 @@
model
- Vocabularies
+ Vocabularies
RelationshipType
+ SupportType
+
- Datatypes
+ Individuals
+
+
+ Datatypes
- Software
+ Software
- Vocabularies
+ Vocabularies
- Security
+ Security
- Properties
+ Properties
- Vocabularies
+ Vocabularies
- Licensing
+ Licensing
- SimpleLicensing
+ SimpleLicensing
- Properties
+ Properties
- ExpandedLicensing
+ ExpandedLicensing
- Properties
+ Properties
- Individuals
+ Individuals
- Dataset
+ Dataset
- Vocabularies
+ Vocabularies
- AI
+ AI
- Vocabularies
+ Vocabularies
- Build
+ Build
- Lite
+ Lite
- Extension
+ Extension
@@ -721,7 +771,7 @@
How To Use SPDX in Different Scenarios
- Differences from Earlier SPDX Versions
+ Differences from Earlier SPDX Versions
@@ -1079,7 +1129,7 @@ I.6 Differences between V2.0 and V1.
-
DRAFT version generated from 3a34e99 (model) by b892fcc (parser)
+
DRAFT version generated on 2024-06-17 from 47f98d2 (model) by d2adcc9 (parser)
Built with MkDocs using a theme provided by Read the Docs .
diff --git a/annexes/external-repository-identifiers/index.html b/annexes/external-repository-identifiers/index.html
index aa088eb..fb2d133 100644
--- a/annexes/external-repository-identifiers/index.html
+++ b/annexes/external-repository-identifiers/index.html
@@ -70,11 +70,11 @@
model
- Vocabularies
+ Vocabularies
RelationshipType
+ SupportType
+
- Datatypes
+ Individuals
+
+
+ Datatypes
- Software
+ Software
- Vocabularies
+ Vocabularies
- Security
+ Security
- Properties
+ Properties
- Vocabularies
+ Vocabularies
- Licensing
+ Licensing
- SimpleLicensing
+ SimpleLicensing
- Properties
+ Properties
- ExpandedLicensing
+ ExpandedLicensing
- Properties
+ Properties
- Individuals
+ Individuals
- Dataset
+ Dataset
- Vocabularies
+ Vocabularies
- AI
+ AI
- Vocabularies
+ Vocabularies
- Build
+ Build
- Lite
+ Lite
- Extension
+ Extension
@@ -715,7 +765,7 @@
SPDX File Tags
- External Repository Identifiers
+ External Repository Identifiers
F.1 Introduction
@@ -822,31 +872,31 @@ F.2 Security
It’s recommended practice for SPDX SBOM document creators to include one or more package identifiers (e.g. CPE, GitBOM, PURL or SWID) when using SPDX external references for the purpose of resolving current security vulnerability information. The specified identifiers are contained in this section, F.2 Security, as well as section F.4.
F.2.1 cpe22Type
Locator Format:
- [c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\._\-~%]*){0,6}
-
+[c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\._\-~%]*){0,6}
+
Contextual Example:
-cpe:/o:canonical:ubuntu_linux:10.04:-:lts
-
+cpe:/o:canonical:ubuntu_linux:10.04:-:lts
+
External Reference Site: https://nvd.nist.gov/products/cpe
Documentation: https://cpe.mitre.org/files/cpe-specification_2.2.pdf
F.2.2 cpe23Type
Locator Format:
-cpe:2\.3:[aho\*\]
+cpe:2\.3:[aho\*\]
(:(((\?*|\*?)([azAZ09\\._]|(\\[\\\*\?!
-"#$$%&'\(\)\+,/:;<=>@\[\]\^`\{\|}~])
+"#$$%&'\(\)\+,/:;<=>@\[\]\^`\{\|}~])
)+(\?*|\*?))|[\*\])){5}
(:(([azAZ]{2,3}(([azAZ]{2}|[09]{3
}))?)|[\*\]))
(:(((\?*|\*?)([azAZ09\\._]|(\\[\\\*\?!
-"#$$%&'\(\)\+,/:;<=>@\[\]\^`\{\|}~])
+"#$$%&'\(\)\+,/:;<=>@\[\]\^`\{\|}~])
)+(\?*|\*?))|[\*\])){4}
-
+
Contextual Example:
-cpe:2.3:o:canonical:ubuntu_linux:10.04::lts:*:*:*:*:*
-
+cpe:2.3:o:canonical:ubuntu_linux:10.04::lts:*:*:*:*:*
+
External Reference Site: https://nvd.nist.gov/products/cpe
Documentation: https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7695.pdf
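Review bot: the cpe23Type locator regex in this hunk contains no `-` characters at all, so every range hyphen in its character classes has been lost: `[aho\*\]`, `[azAZ09\\._]`, `[azAZ]{2,3}` and `[09]{3}` should read `[aho\*\-]`, `[a-zA-Z0-9\-\._]`, `[a-zA-Z]{2,3}` and `[0-9]{3}`. As shown, `[aho\*\]` never closes its bracket (the `\]` is escaped), so the pattern will not even compile, and the other classes match only the literal characters `a`, `z`, `A`, `Z`, `0`, `9` rather than ranges, so a validator built from this page would reject real CPE 2.3 names such as the contextual example `cpe:2.3:o:canonical:ubuntu_linux:10.04::lts:*:*:*:*:*`. The patch only moves these lines, and the cpe22Type pattern `[A-Za-z0-9\._\-~%]` two sections up keeps its `\-`, so the cause needs checking in the source markdown; fix it so the published regex matches the NIST specification linked on the Documentation line.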
@@ -871,60 +921,60 @@ F.2.6 swid
F.3 Package-Manager
F.3.1 maven-central
Locator Format:
-group:artifact[:version]
+group:artifact[:version]
^[^:]+:[^:]+(:[^:]+)?$
-
+
Contextual Example:
-org.apache.tomcat:tomcat:9.0.0.M4
-
+org.apache.tomcat:tomcat:9.0.0.M4
+
External Reference Site: https://repo1.maven.org/maven2/
Documentation: https://maven.apache.org
F.3.2 npm
Locator Format:
-package@version
+package@version
^[^@]+@[^@]+$
-
+
Contextual Example:
-http-server@0.3.0
-
+
External Reference Site: https://www.npmjs.com
Documentation: https://docs.npmjs.com/files/package.json
F.3.3 nuget
Locator Format:
-package/version
+package/version
^[^\/]+\/[^\/]+$
-
+
Contextual Example:
-Microsoft.AspNet.MVC/5.0.0
-
+Microsoft.AspNet.MVC/5.0.0
+
External Reference Site: https://www.nuget.org
Documentation: https://docs.nuget.org
F.3.4 bower
Locator Format:
-package#version
+package#version
^[^#]+#[^#]+$
-
+
Contextual Example:
-modernizr#2.6.2
-
+
External Reference Site: https://bower.io
Documentation: https://bower.io/docs/api/#install
F.3.5 purl
Locator Format:
-scheme:type/namespace/name@version?qualifiers#subpath
-
+scheme:type/namespace/name@version?qualifiers#subpath
+
Contextual Example:
-pkg:docker/debian@sha256:2f04d3d33b6027bb74ecc81397abe780649ec89f1a2af18d7022737d0482cefe
-
+pkg:docker/debian@sha256:2f04d3d33b6027bb74ecc81397abe780649ec89f1a2af18d7022737d0482cefe
+
External Reference Site: https://github.com/package-url/purl-spec
Documentation: https://github.com/package-url/purl-spec
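Review bot: the contextual examples `http-server@0.3.0` (npm) and `modernizr#2.6.2` (bower) are removed on `-` lines with an empty `+` line in their place, whereas the maven, nuget and purl examples in the same hunk are re-added on `+` lines. If that is not merely markup moving, the two sections are left with a `Contextual Example:` heading and no example; check the rendered pages.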
@@ -947,12 +997,12 @@ F.4.1 swh
The SWHID follow the swh:
IANA-registered URI scheme.
Grammar for locator format:
-<locator> ::= "swh" ":" <scheme_version> ":" <object_type> ":" <object_id> ;
+<locator> ::= "swh" ":" <scheme_version> ":" <object_type> ":" <object_id> ;
<scheme_version> ::= "1" ;
<object_type> ::= "cnt" | "dir" | "rev" | "rel" | "snp" ;
<object_id> ::= 40 * <hex_digit> ; *intrinsic object id, as hex-encoded SHA1*
<hex_digit> ::= "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" | "a" | "b" | "c" | "d" | "e" | "f" ;
-
+
Examples:
"gitoid:"<git object type>":"<hash algorithm>":"<hash value>
-
+"gitoid:"<git object type>":"<hash algorithm>":"<hash value>
+
Locator Format Reference: https://www.iana.org/assignments/uri-schemes/prov/gitoid
Grammar for Locator Format:
-<git object type>: "blob", "tree", "commit", "tag".
+<git object type>: "blob", "tree", "commit", "tag".
<hash algorithm>: "sha1", "sha256"
<hash value> should be expressed as a hexadecimal string in lower case
-
+
Contextual Examples:
* gitoid:blob:sha1:261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64
is the git identifier of a software artifact using the SHA1 algorithm
@@ -998,7 +1048,7 @@
F.5.1 [idstring]
-
DRAFT version generated from 3a34e99 (model) by b892fcc (parser)
+
DRAFT version generated on 2024-06-17 from 47f98d2 (model) by d2adcc9 (parser)
Built with MkDocs using a theme provided by Read the Docs .
diff --git a/annexes/file-tags/index.html b/annexes/file-tags/index.html
index ba7daed..7ec602f 100644
--- a/annexes/file-tags/index.html
+++ b/annexes/file-tags/index.html
@@ -70,11 +70,11 @@
model
originatedBy
+ packageVerificationCodeExcludedFile
+
Prefix
profileConformance
@@ -216,7 +220,7 @@
specVersion
- Standard
+ standardName
startTime
@@ -228,6 +232,8 @@
suppliedBy
+ supportLevel
+
To
validUntilTime
@@ -238,7 +244,7 @@
- Vocabularies
+ Vocabularies
RelationshipType
+ SupportType
+
- Datatypes
+ Individuals
+
+
+ Datatypes
- Software
+ Software
- Vocabularies
+ Vocabularies
- Security
+ Security
- Properties
+ Properties
- Vocabularies
+ Vocabularies
- Licensing
+ Licensing
- SimpleLicensing
+ SimpleLicensing
- Properties
+ Properties
- ExpandedLicensing
+ ExpandedLicensing
- Properties
+ Properties
- Individuals
+ Individuals
- Dataset
+ Dataset
- Vocabularies
+ Vocabularies
- AI
+ AI
- Vocabularies
+ Vocabularies
- Build
+ Build
- Lite
+ Lite
- Extension
+ Extension
@@ -713,7 +763,7 @@
Using SPDX short identifiers in Source Files
- SPDX File Tags
+ SPDX File Tags
H.1 Rationale
@@ -773,28 +823,28 @@ H.1 Rationale
This appendix describes a mechanism, similar to SPDX-License-Identifier
, for developers to convey such other file-based and snippet-based information easily in comments in their files. This in turn enables software tools to easily find and extract that information, and to insert it into the corresponding fields of an SPDX document generated by those tools.
H.2 File tags format
An SPDX file tag consists of a single line, generally as part of a comment near the top of the file, in the following format:
- SPDX-tagname: <value>
-
+
where tagname is replaced by the 'tag' defined for tag-value SPDX documents for that field, according to the File Information section of the SPDX specification. The meaning and semantics of any SPDX file tag are intended to be identical to those described in the File Information (Clause 8 ) section of the SPDX specification.
Examples:
File type (see 8.3 ):
-SPDX-FileType: SOURCE
+SPDX-FileType: SOURCE
SPDX-FileType: DOCUMENTATION
SPDX-FileType: TEXT
-
+
Copyright text (see 8.8 ):
-SPDX-FileCopyrightText: 2019 Jane Doe <jane@example.com>
+SPDX-FileCopyrightText: 2019 Jane Doe <jane@example.com>
SPDX-FileCopyrightText: Copyright 2008-2010 John Smith
SPDX-FileCopyrightText: Copyright Example Company
SPDX-FileCopyrightText: Copyright contributors to the Foo project.
-
+
File contributors (see 8.14 ):
-SPDX-FileContributor: Modified by Jane Doe
+SPDX-FileContributor: Modified by Jane Doe
SPDX-FileContributor: The Regents of the University of California
-
+
SPDX file tags of a particular type may appear one or multiple times in a file, depending on the corresponding cardinality defined for that field in the File Information section of the SPDX specification.
Multiple-line values are not recommended, because doing so will make it harder for simple search tools to extract all data by looking only for lines beginning with the relevant tag.
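Review bot: the format definition `SPDX-tagname: <value>` in H.2 is removed on a `-` line with an empty `+` in its place, while the `SPDX-FileType` and `SPDX-FileCopyrightText` example blocks in the same hunk are re-added. The sentence that follows (`where tagname is replaced by the 'tag' defined for tag-value SPDX documents`) depends on that line being visible; confirm the rendered page still shows it.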
@@ -802,30 +852,30 @@ H.2 File tags format
H.3 Snippet tags format
If certain SPDX tags are to apply only to a certain snippet instead of the whole file, SPDX snippet tags should be used.
SPDX snippet tags should start with SPDX-SnippetBegin
to mark the beginning of the snippet and end with SPDX-SnippetEnd
to mark its end, in the following format:
-SPDX-SnippetBegin
+SPDX-SnippetBegin
SPDX-tagname: <value>
...
SPDX-SnippetEnd
-
+
where tagname is replaced by the 'tag' defined for tag-value SPDX documents for that field, according to the Snippet Information section of the SPDX specification, and ...
represents the code snippet itself. The meaning and semantics of any SPDX snippet tag are intended to be identical to those described in the Snippet Information (Clause 9 ) section of the SPDX specification.
Any Snippet Information (Clause 9 ) and short-form license identifiers (Annex E ) tags found between begin and end tags mentioned above apply only to such snippet.
Snippets may nest, and this is denoted by having SPDX-SnippetBegin
/SPDX-SnippetEnd
pairs within other pairs, in the same way that parentheses nest in mathematical expressions. In the case of nested snippets, the SPDX file tags are considered to apply to the inner-most snippet.
Examples:
Simple stand-alone example:
-SPDX-SnippetBegin
+SPDX-SnippetBegin
SPDX-License-Identifier: MIT
SPDX-SnippetCopyrightText: 2022 Jane Doe <jane@example.com>
...
SPDX-SnippetEnd
-
+
Two snippets with a different license and additional information in the broader context of a file:
-SPDX-License-Identifier: GPL-2.0-or-later
+SPDX-License-Identifier: GPL-2.0-or-later
SPDX-FileCopyrightText: Copyright contributors to the Foo project.
...
@@ -849,10 +899,10 @@ H.3 Snippet tags format
...
SPDX-SnippetEnd
-
+
Nesting snippets:
-SPDX-SnippetBegin
+SPDX-SnippetBegin
SPDX-License-Identifier: MIT
SPDX-SnippetCopyrightText: 2022 Jane Doe <jane@example.com>
@@ -869,7 +919,7 @@ H.3 Snippet tags format
...
SPDX-SnippetEnd
-
+
H.4 Caveats
A creator of an SPDX document may elect to disregard any or all file tags in any file. SPDX document creators should determine for themselves the extent to which they will rely upon the information specified in a file tag.
@@ -888,7 +938,7 @@ H.4 Caveats
-
DRAFT version generated from 3a34e99 (model) by b892fcc (parser)
+
DRAFT version generated on 2024-06-17 from 47f98d2 (model) by d2adcc9 (parser)
Built with MkDocs using a theme provided by Read the Docs .
diff --git a/annexes/how-to-use/index.html b/annexes/how-to-use/index.html
index c8535d7..4e03280 100644
--- a/annexes/how-to-use/index.html
+++ b/annexes/how-to-use/index.html
@@ -70,11 +70,11 @@
model
originatedBy
+ packageVerificationCodeExcludedFile
+
Prefix
profileConformance
@@ -216,7 +220,7 @@
specVersion
- Standard
+ standardName
startTime
@@ -228,6 +232,8 @@
suppliedBy
+ supportLevel
+
To
validUntilTime
@@ -238,7 +244,7 @@
- Vocabularies
+ Vocabularies
RelationshipType
+ SupportType
+
- Datatypes
+ Individuals
+
+
+ Datatypes
- Software
+ Software
- Vocabularies
+ Vocabularies
- Security
+ Security
- Properties
+ Properties
- Vocabularies
+ Vocabularies
- Licensing
+ Licensing
- SimpleLicensing
+ SimpleLicensing
- Properties
+ Properties
- ExpandedLicensing
+ ExpandedLicensing
- Properties
+ Properties
- Individuals
+ Individuals
- Dataset
+ Dataset
- Vocabularies
+ Vocabularies
- AI
+ AI
- Vocabularies
+ Vocabularies
- Build
+ Build
- Lite
+ Lite
- Extension
+ Extension
@@ -719,7 +769,7 @@
Using SPDX Lite
- How To Use SPDX in Different Scenarios
+ How To Use SPDX in Different Scenarios
K.1 Including security information in a SPDX document
@@ -818,7 +868,7 @@ K.1 Including secu
Note that identifiers (e.g. CPE, GitBOM, SWID) are spread throughout Annex F and sometimes locators refer to identifiers.
K.1.1 Linking to an advisory
Including a reference to a Common Vulnerabilities and Exposures (CVE) advisory applicable to a package is shown in the example below. A SPDX creator should include current publicly known vulnerabilities at the time of document creation. SPDX consumers should always assume vulnerabilities enumerated by a SPDX creator to be out-of-date.
- "externalRefs" : [ {
+"externalRefs" : [ {
"referenceCategory" : "SECURITY",
"referenceLocator" : "https://nvd.nist.gov/vuln/detail/CVE-2020-29573",
"referenceType" : "advisory"
@@ -832,39 +882,39 @@ K.1.1 Linking to an advisory
"referenceLocator" : "https://nvd.nist.gov/vuln/detail/CVE-2020-3326",
"referenceType" : "advisory"
} ]
-
+
K.1.2 Linking to a CSAF
To learn how to reference to CSAF formatted security information
applicable to a package see the example below, and additional examples here and here.
-"externalRefs" : [ {
+"externalRefs" : [ {
"referenceCategory" : "SECURITY",
"referenceLocator" : "https://github.com/oasis-tcs/csaf/blob/master/csaf_2.0/examples/csaf/csaf_vex/2022-evd-uc-01-a-001.json",
"referenceType" : "advisory"
} ]
-
+
K.1.3 Linking to a CycloneDX
To reference to CycloneDX formatted security information applicable to a package see the example below.
-"externalRefs" : [ {
+"externalRefs" : [ {
"referenceCategory" : "SECURITY",
"referenceLocator" : "https://raw.githubusercontent.com/CycloneDX/bom-examples/ed522d1f051c364e045b87c20665003a0c4ea777/SBOM/laravel-7.12.0/bom.json",
"referenceType" : "advisory"
} ]
-
+
K.1.4 Linking to an OSV
To learn how to include a reference to Open Source Vulnerability (OSV) formatted security information applicable to a package see the example below.
-"externalRefs" : [ {
+"externalRefs" : [ {
"referenceCategory" : "SECURITY",
"referenceLocator" : "https://github.com/github/advisory-database/tree/6b9d5bc96a62bb845ee71e4551a214eb1457e2c6/advisories/github-reviewed/2022/04/GHSA-2gwj-7jmv-h26r/GHSA-2gwj-7jmv-h26r.json",
"referenceType" : "advisory"
} ]
-
+
K.1.5 Linking to a GitBOM
To reference to GitBOM formatted security information applicable to a package see the example below.
-"externalRefs" : [ {
+"externalRefs" : [ {
"referenceCategory" : "PERSISTENT-ID",
"referenceLocator" : "gitoid:blob:sha1:d8bcd58df2b14818b8237bb70c979d62c7df5747",
"referenceType" : "gitbom"
@@ -876,87 +926,87 @@ K.1.5 Linking to a GitBOM
"referenceType" : "gitbom"
"referenceComment" : "GitBOM Object Id for the HeartBleed fix in ssl/t1_lib.c"
} ]
-
+
K.1.6 Linking to a vulnerability disclosure document
To express a reference to a vulnerability disclosure document for a package such Cisco’s response to Apache log4j vulnerability.
-"externalRefs" : [ {
+"externalRefs" : [ {
"referenceCategory" : "SECURITY",
"referenceLocator" : "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd",
"referenceType" : "advisory"
} ]
-
+
To communicate that a package is not vulnerable to a specific vulnerability it is recommended to reference a web page indicating why given vulnerabilities are not applicable.
-"externalRefs" : [ {
+"externalRefs" : [ {
"referenceCategory" : "SECURITY",
"referenceLocator" : "https://example.com/product-x/security-info.html",
"referenceType" : "advisory"
} ]
-
+
To refer to a security disclosure feed, such as the security bulletins from CERT-EU .
-"externalRefs" : [ {
+"externalRefs" : [ {
"referenceCategory" : "SECURITY",
"referenceLocator" : "https://cert.europa.eu/cert/Data/newsletter/reviewlatest-SecurityBulletins.xml",
"referenceType" : "advisory"
} ]
-
+
K.1.7 Linking to a code fix for a security issue
To reference a code fix for a security issue applicable to a package see the example below.
In this example, the link points to a specific code revision containing the fix for CVE-2020-28498 .
-"externalRefs" : [ {
+"externalRefs" : [ {
"referenceCategory" : "SECURITY",
"referenceLocator" : "https://github.com/indutny/elliptic/commit/441b7428b0e8f6636c42118ad2aaa186d3c34c3f",
"referenceType" : "fix"
} ]
-
+
A fix reference may point to a configuration change for example the patch file as one of the fixes for CVE-2022-26499 .
-"externalRefs" : [ {
+"externalRefs" : [ {
"referenceCategory" : "SECURITY",
"referenceLocator" : "https://downloads.digium.com/pub/security/AST-2022-002-16.diff",
"referenceType" : "fix"
} ]
-
+
Alternatively, it may also link to a landing page with patches for a variety of products such as
Oracle patch information for CVE-2021-44228 .
-"externalRefs" : [ {
+"externalRefs" : [ {
"referenceCategory" : "SECURITY",
"referenceLocator" : "https://www.oracle.com/security-alerts/cpujan2022.html",
"referenceType" : "fix"
} ]
-
+
K.1.8 Linking to any security related document
If you want to reference any security information related to a package but cannot or do not wish to specify its kind, use the url
referenceType.
-"externalRefs" : [ {
+"externalRefs" : [ {
"referenceCategory" : "SECURITY",
"referenceLocator" : "https://github.com/christianlundkvist/blog/blob/aa3a69b5e4c06e4435070610c0c4a2b1e8731783/2020_05_26_secp256k1_twist_attacks/secp256k1_twist_attacks.md",
"referenceType" : "url"
} ]
-
+
One can also use it to refer to guidance related to a vulnerability such as CISA guidance for Apache Log4j.
-"externalRefs" : [ {
+"externalRefs" : [ {
"referenceCategory" : "SECURITY",
"referenceLocator" : "https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance",
"referenceType" : "url"
} ]
-
+
K.1.9 Linking to an SBOM vulnerability report for a Software Product (per NIST Executive Order 14028)
The National Institute of Standards and Technology (NIST) describes the concept of correlating vulnerability and SBOM information for a software product at the component level in “Software Security in Supply Chains: Software Bill of Materials (SBOM) ”. Use the ExternalRefs SECURITY
category and advisory
referenceType to report on vulnerabilities related to the components contained in a software product’s SBOM.
This enables a software producer to articulate to software consumers the status of vulnerabilities contained in the software product, by means of reporting vulnerability information at either the SBOM document or component level.
Providing a link to such data at the time the SBOM is published provides a pointer for where to find this relevant vulnerability information without promulgating vulnerability information inside the SBOM. This is advantageous because the vulnerability information has a short shelf-life (it will change frequently) while the SBOM component data isn’t likely to change if the software has not changed.
-"externalRefs" : [ {
+"externalRefs" : [ {
"referenceCategory" : "SECURITY",
"referenceLocator" : "https://github.com/rjb4standards/REA-Products/blob/master/SBOM_and_VDRbaseline/sag-pm-118_VDR.json",
"referenceType" : "advisory"
} ]
-
+
K.2 Satisfying NTIA Minimum Elements for an SBOM using SPDX
K.2.1 US Executive Order 14028 Minimum Elements for an SBOM
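Review bot: the K.1.5 GitBOM fragment in this hunk is not valid JSON: the context lines `"referenceType" : "gitbom"` and `"referenceComment" : "GitBOM Object Id for the HeartBleed fix in ssl/t1_lib.c"` need a comma between them. The patch only re-indents the opening `"externalRefs" : [ {` lines, but readers copy these fragments into SPDX documents, so fix the comma in the source while the section is being touched. Minor, in context: `for a package such Cisco’s response` should read `such as Cisco's response`.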
@@ -1092,7 +1142,7 @@ K.3.2.4 Direct
-
DRAFT version generated from 3a34e99 (model) by b892fcc (parser)
+
DRAFT version generated on 2024-06-17 from 47f98d2 (model) by d2adcc9 (parser)
Built with MkDocs using a theme provided by Read the Docs .
diff --git a/annexes/using-SPDX-lite/index.html b/annexes/using-SPDX-lite/index.html
index 94a9828..c9257ce 100644
--- a/annexes/using-SPDX-lite/index.html
+++ b/annexes/using-SPDX-lite/index.html
@@ -70,11 +70,11 @@
model
originatedBy
+ packageVerificationCodeExcludedFile
+
Prefix
profileConformance
@@ -216,7 +220,7 @@
specVersion
- Standard
+ standardName
startTime
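Review bot: this hunk replaces the nav entry `Standard` with `standardName`, which reads as a rename of a property in the model. If the old entry had its own generated page, inbound links to it will break once it is dropped from the nav; check whether the generator emits a redirect or whether the old page is simply removed, and whether any prose elsewhere in the site still refers to `Standard`.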
@@ -228,6 +232,8 @@
suppliedBy
+ supportLevel
+
To
validUntilTime
@@ -238,7 +244,7 @@
- Vocabularies
+ Vocabularies
RelationshipType
+ SupportType
+
- Datatypes
+ Individuals
+
+
+ Datatypes
- Software
+ Software
- Vocabularies
+ Vocabularies
- Security
+ Security
- Properties
+ Properties
- Vocabularies
+ Vocabularies
- Licensing
+ Licensing
- SimpleLicensing
+ SimpleLicensing
- Properties
+ Properties
- ExpandedLicensing
+ ExpandedLicensing
- Properties
+ Properties
- Individuals
+ Individuals
- Dataset
+ Dataset
- Vocabularies
+ Vocabularies
- AI
+ AI
- Vocabularies
+ Vocabularies
- Build
+ Build
- Lite
+ Lite
- Extension
+ Extension
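Review bot: most of this hunk is pairs such as `- Vocabularies` / `+ Vocabularies` where the removed and added lines are textually identical, so the bulk of the change is whitespace or indentation in generated HTML, and the substantive change (adding `SupportType` under Vocabularies and a new `Individuals` entry before `Datatypes`) is hard to find. Since the same nav block is repeated in every page's diff, consider committing the regenerated site separately from the model change, or reviewing with whitespace ignored, so the real additions are visible.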
@@ -717,7 +767,7 @@
External Repository Identifiers
- Using SPDX Lite
+ Using SPDX Lite
@@ -771,7 +821,7 @@ Using SPDX Lite (Informative)
-
DRAFT version generated from 3a34e99 (model) by b892fcc (parser)
+
DRAFT version generated on 2024-06-17 from 47f98d2 (model) by d2adcc9 (parser)
Built with MkDocs using a theme provided by Read the Docs .
diff --git a/annexes/using-SPDX-short-identifiers-in-source-files/index.html b/annexes/using-SPDX-short-identifiers-in-source-files/index.html
index 24bcd99..a5b9949 100644
--- a/annexes/using-SPDX-short-identifiers-in-source-files/index.html
+++ b/annexes/using-SPDX-short-identifiers-in-source-files/index.html
@@ -70,11 +70,11 @@
model
- Vocabularies
+ Vocabularies
RelationshipType
+ SupportType
+
- Datatypes
+ Individuals
+
+
+ Datatypes
- Software
+ Software
- Vocabularies
+ Vocabularies
- Security
+ Security
- Properties
+ Properties
- Vocabularies
+ Vocabularies
- Licensing
+ Licensing
- SimpleLicensing
+ SimpleLicensing
- Properties
+ Properties
- ExpandedLicensing
+ ExpandedLicensing
- Properties
+ Properties
- Individuals
+ Individuals
- Dataset
+ Dataset
- Vocabularies
+ Vocabularies
- AI
+ AI
- Vocabularies
+ Vocabularies
- Build
+ Build
- Lite
+ Lite
- Extension
+ Extension
@@ -711,7 +761,7 @@
SPDX License Expressions
- Using SPDX short identifiers in Source Files
+ Using SPDX short identifiers in Source Files
E.1 Introduction
@@ -786,15 +836,15 @@ E.2 Format for SPDX-License-Ident
The SPDX-License-Identifier tag declares the license the file is under and should be placed at or near the top of the file in a comment.
The SPDX License Identifier syntax may consist of a single license (represented by a short identifier from the SPDX license list ) or a compound set of licenses (represented by joining together multiple licenses using the license expression syntax).
The tag should appear on its own line in the source file, generally as part of a comment.
- SPDX-License-Identifier: <SPDX License Expression>
-
+SPDX-License-Identifier: <SPDX License Expression>
+
E.3 Representing single license
A single license is represented by using the short identifier from SPDX license list , optionally with a unary "+" operator following it to indicate "or later" versions may be applicable.
Examples:
-SPDX-License-Identifier: CDDL-1.0+
+SPDX-License-Identifier: CDDL-1.0+
SPDX-License-Identifier: MIT
-
+
E.4 Representing multiple licenses
Multiple licenses can be represented using an SPDX license expression as defined in Annex D . A set of licenses may optionally be enclosed in parentheses, but are not required to be enclosed. As further described there:
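Review bot: the change here strips a leading space and trailing blank lines from the code block, turning `- SPDX-License-Identifier: <SPDX License Expression>` into `+SPDX-License-Identifier: <SPDX License Expression>`; that is a real fix, because the stray space would be copied into source files by readers copying the example. Two follow-ups: confirm the `<SPDX License Expression>` placeholder is HTML-escaped in the generated source so it is not parsed as a tag, and check that the other `<pre>` blocks in the site got the same whitespace treatment rather than only the ones in this annex.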
@@ -805,16 +855,16 @@ E.4 Representing multiple licenses The expression MUST be on a single line, and MUST NOT include a line break in the middle of the expression.
Examples:
-SPDX-License-Identifier: GPL-2.0-only OR MIT
+SPDX-License-Identifier: GPL-2.0-only OR MIT
SPDX-License-Identifier: LGPL-2.1-only AND BSD-2-Clause
SPDX-License-Identifier: GPL-2.0-or-later WITH Bison-exception-2.2
-
+
Please see Annex D for more examples and details of the license expression specific syntax.
If you can’t express the license(s) as an expression using identifiers from the SPDX list, it is probably best to just put the text of your license header in the file (if there is a standard header), or refer to a neutral site URL where the text can be found. To request a license be added to the SPDX License List, please follow the process described here: https://github.com/spdx/license-list-XML/blob/master/CONTRIBUTING.md .
Alternatively, you can use a LicenseRef-
custom license identifier to refer to a license that is not on the SPDX License List, such as the following:
-SPDX-License-Identifier: LicenseRef-my-special-license
-
+SPDX-License-Identifier: LicenseRef-my-special-license
+
The LicenseRef-
format is defined in Annex D . When using a custom LicenseRef-
identifier, you will also need to provide a way for others to determine what license text corresponds to it. Version 3.0 of the REUSE Software Specification provides a standardized format that can optionally be used for providing the corresponding license text for these identifiers.
@@ -829,7 +879,7 @@ E.4 Representing multiple licenses
- DRAFT version generated from 3a34e99 (model) by b892fcc (parser)
+ DRAFT version generated on 2024-06-17 from 47f98d2 (model) by d2adcc9 (parser)
Built with MkDocs using a theme provided by Read the Docs .
diff --git a/bibliography/index.html b/bibliography/index.html
index 4aef708..5a0ab08 100644
--- a/bibliography/index.html
+++ b/bibliography/index.html
@@ -65,18 +65,18 @@
model
- Vocabularies
+ Vocabularies
RelationshipType
+ SupportType
+
- Datatypes
+ Individuals
+
+
+ Datatypes
- Software
+ Software
- Vocabularies
+ Vocabularies
- Security
+ Security
- Properties
+ Properties
- Vocabularies
+ Vocabularies
- Licensing
+ Licensing
- SimpleLicensing
+ SimpleLicensing
- Properties
+ Properties
- ExpandedLicensing
+ ExpandedLicensing
- Properties
+ Properties
- Individuals
+ Individuals
- Dataset
+ Dataset
- Vocabularies
+ Vocabularies
- AI
+ AI
- Vocabularies
+ Vocabularies
- Build
+ Build
- Lite
+ Lite
- Extension
+ Extension
@@ -765,14 +815,14 @@ Bibliography
- Vocabularies
+ Vocabularies
RelationshipType
+ SupportType
+
- Datatypes
+ Individuals
+
+
+ Datatypes
- Software
+ Software
- Vocabularies
+ Vocabularies
- Security
+ Security
- Properties
+ Properties
- Vocabularies
+ Vocabularies
- Licensing
+ Licensing
- SimpleLicensing
+ SimpleLicensing
- Properties
+ Properties
- ExpandedLicensing
+ ExpandedLicensing
- Properties
+ Properties
- Individuals
+ Individuals
- Dataset
+ Dataset
- Vocabularies
+ Vocabularies
- AI
+ AI
- Vocabularies
+ Vocabularies
- Build
+ Build
- Lite
+ Lite
- Extension
+ Extension
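Review bot: this is the second copy of the same nav hunk in `bibliography/index.html` (the first is at the `@@ -65` hunk above), so the `SupportType` and `Individuals` additions are applied twice within one page. Confirm the theme intentionally renders the menu twice (for example a mobile and a desktop variant) rather than the template emitting duplicate navigation, since duplicated nav doubles the size of every page diff.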
@@ -888,7 +938,7 @@ 4.6 The SPDX Lite profile
-
DRAFT version generated from 3a34e99 (model) by b892fcc (parser)
+
DRAFT version generated on 2024-06-17 from 47f98d2 (model) by d2adcc9 (parser)
Built with MkDocs using a theme provided by Read the Docs .
diff --git a/css/theme_extra.css b/css/theme_extra.css
index 9f4b063..ab0631a 100644
--- a/css/theme_extra.css
+++ b/css/theme_extra.css
@@ -103,7 +103,7 @@ pre .cs, pre .c {
form .search-query {
width: 100%;
border-radius: 50px;
- padding: 6px 12px; /* csslint allow: box-model */
+ padding: 6px 12px;
border-color: #D1D4D5;
}
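Review bot: dropping `/* csslint allow: box-model */` from the `padding: 6px 12px;` line removes a lint suppression without changing the rule it suppressed (`width: 100%` combined with padding). If csslint is still part of the build, this line will now be flagged; either confirm csslint is no longer run and note that in the commit, or keep the marker.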
@@ -135,7 +135,7 @@ form .search-query {
}
td, th {
- border: 1px solid #e1e4e5 !important; /* csslint allow: important */
+ border: 1px solid #e1e4e5 !important;
border-collapse: collapse;
}
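Review bot: with the `/* csslint allow: important */` marker removed, nothing on the `border: 1px solid #e1e4e5 !important;` line records that the `!important` is deliberate. A one-line comment saying why the theme's table border needs to be overridden would keep the intent visible for the next person tempted to remove it.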
@@ -155,6 +155,12 @@ td, th {
padding-bottom: 40px;
}
+/* For section-index only */
+.wy-menu-vertical .current-section p {
+ background-color: #e3e3e3;
+ color: #404040;
+}
+
/*
* The second step of above amendment: Here we make sure the items are aligned
* correctly within the .rst-current-version container. Using flexbox, we
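Review bot: the new `.wy-menu-vertical .current-section p` block is inserted between an existing rule and the comment that begins `The second step of above amendment`, so that comment now refers to an "above amendment" that is no longer directly above it; move the new block after that comment's rule, or reword the comment. The `/* For section-index only */` comment should also name what emits the `.current-section` class (presumably a section-index plugin for MkDocs, but the diff does not say) so a maintainer can tell when the rule becomes dead.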
diff --git a/index.html b/index.html
index fc08aa1..6c46c95 100644
--- a/index.html
+++ b/index.html
@@ -41,7 +41,7 @@