2 changes: 1 addition & 1 deletion docs/annexes/license-matching-guidelines-and-templates.md
Expand Up @@ -61,7 +61,7 @@ The original replaceable text appears on the SPDX License List webpage in red te

Some licenses have text that can simply be ignored. The intent here is to avoid the inclusion of certain text that is superfluous or irrelevant in regard to the substantive license text resulting in a non-match where the license is otherwise an exact match (e.g., directions on how to apply the license or other similar exhibits). In these cases, there shall be a positive license match.

The license shall be considered a match if the text indicated is present and matches OR the text indicated is missing altogether.
The license shall be considered a match if the text indicated is present and matches or the text indicated is missing altogether.

The following XML tag is used to implement this guideline: `<optional>`
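
Review bot: In the changed sentence, lowercasing "OR" removes the only cue that separated the two alternatives, so "present and matches or the text indicated is missing altogether" can now be read with either grouping. Suggest making the structure explicit, for example "if the text indicated is either present and matching, or missing altogether", so that implementers of the `<optional>` matching rule read it the same way.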

2 changes: 1 addition & 1 deletion docs/conformance.md
Expand Up @@ -25,7 +25,7 @@ the SPDX community, it has been preserved in this document.
## Introduction to profiles

Profile is the term for a compliance point within the SPDX community across The
Linux Foundation and OMG. The System Package Data Exchange (SPDX) specification
Linux Foundation and OMG. This document
defines the following nine compliance points, defined as “profiles”:

- Core profile
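
Review bot: The rewritten sentence now reads "This document defines the following nine compliance points, defined as “profiles”", which repeats "defines ... defined" within one clause. Suggest "This document defines the following nine compliance points, called “profiles”:". Since the sentence is being touched anyway, also check that the count "nine" still matches the list that follows, which is cut off in this view after "Core profile".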
52 changes: 5 additions & 47 deletions docs/references.md
@@ -1,6 +1,4 @@
# References

## Normative references
# Normative references

The following documents are referred to in the text in such a way that some or
all of their content constitutes requirements of this document. For dated
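
Review bot: Collapsing "# References" and "## Normative references" into a single "# Normative references" heading changes the page title while the file stays `docs/references.md`. Check that the site navigation entry and any cross-references that call this page "References" are updated in the same change; none of that is visible in this diff.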
Expand Down Expand Up @@ -145,13 +143,13 @@ Tom Preston-Werner and SemVer contributors,
[https://slsa.dev/spec/v0.2/provenance](https://slsa.dev/spec/v0.2/provenance).

SoftWare Heritage persistent IDentifiers (SWHIDs), in
Draft International Standard
*ISO/IEC DIS 18670 Information technology — SoftWare Hash IDentifier (SWHID) Specification V1.2*[https://www.iso.org/standard/89985.html](https://www.iso.org/standard/89985.html),
International Standard
*ISO/IEC 18670 Information technology — SoftWare Hash IDentifier (SWHID) Specification V1.2*[https://www.iso.org/standard/89985.html](https://www.iso.org/standard/89985.html),
also available at
[https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html](https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html)
[https://www.swhid.org/swhid-specification/v1.2/](https://www.swhid.org/swhid-specification/v1.2/)

*SPDX and RDF Ontology*,
[http://spdx.org/rdf/ontology/spdx-3-0-1](http://spdx.org/rdf/ontology/spdx-3-0-1)
[http://spdx.org/rdf/ontology/spdx-3-0](http://spdx.org/rdf/ontology/spdx-3-0)

*SPDX License List*, The Linux Foundation,
[https://spdx.org/licenses/](https://spdx.org/licenses/)
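
Review bot: In the *SPDX and RDF Ontology* entry near the end of this hunk, the link moves from `spdx-3-0-1` to `spdx-3-0`, a lower version identifier than the one it replaces; please confirm that is the intended target for this branch. In the SWHID entry, the italic title still runs straight into the link (`V1.2*[https://www.iso.org/...`), so add a comma and a space there while the line is being edited.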
Expand All @@ -171,43 +169,3 @@ Forum of Incident Response and Security Teams, Inc (FIRST),
CISA,
[https://www.cisa.gov/sites/default/files/2023-04/sbom-types-document-508c.pdf](https://www.cisa.gov/sites/default/files/2023-04/sbom-types-document-508c.pdf).

## Non-normative references

The following documents are referred to in the text.

1. CISQ Software Bill of Materials project, *Tool-to-Tool Software Bill of
Materials Exchange*,
[https://www.it-cisq.org/software-bill-of-materials/](https://www.it-cisq.org/software-bill-of-materials/)
1. Dan Geer and Joshua Corman, *Almost Too Big to Fail*,
Usenix ;login: article, Vol. 39. No. 4, August 2014,
[https://www.usenix.org/publications/login/august14/geer](https://www.usenix.org/publications/login/august14/geer)
1. Josh Corman, testimony at the Cybersecurity of the Internet of Things
Hearing Before the Subcommittee on Information Technology of The Committee on
Oversight and Government Reform House of Representatives One Hundred
Fifteenth Congress First Session calling for software bill of materials in
pending legislation, October 3, 2017, page 38,
[https://www.govinfo.gov/app/details/CHRG-115hhrg27760/CHRG-115hhrg27760](https://www.govinfo.gov/app/details/CHRG-115hhrg27760/CHRG-115hhrg27760)
1. MITRE, *Standardizing SBOM within the SW Development Tooling Ecosystem*,
Nov 2019,
[https://www.mitre.org/news-insights/publication/standardizing-sbom-within-sw-development-tooling-ecosystem](https://www.mitre.org/news-insights/publication/standardizing-sbom-within-sw-development-tooling-ecosystem)
1. MITRE, *Deliver Uncompromised: Securing Critical Software Supply Chains
Proposal to Establish an End-To-End Framework For Software Supply Chain
Integrity*, Jan 2021,
[https://www.mitre.org/news-insights/publication/deliver-uncompromised-securing-critical-software-supply-chains](https://www.mitre.org/news-insights/publication/deliver-uncompromised-securing-critical-software-supply-chains)
1. NTIA, *Notice of 07/19/18 Meeting of Multistakeholder Process on Promoting
Software Component Transparency*, July 2018.
[https://www.ntia.gov/federal-register-notice/notice-071918-meeting-multistakeholder-process-promoting-software-component](https://www.ntia.gov/federal-register-notice/notice-071918-meeting-multistakeholder-process-promoting-software-component)
1. NTIA Software Bill Of Materials web page,
[https://ntia.gov/sbom/](https://ntia.gov/sbom/)
1. Open Source Initiative (OSI) Approved Licenses;
[https://opensource.org/licenses](https://opensource.org/licenses)
1. Software Package Data Exchange (SPDX®) Specification Version 1.0 and 1.1,
1.2, 2.0, 2.1, 2.2 and 2.3; SPDX.dev,
[https://spdx.dev/specifications](https://spdx.dev/specifications)
1. The United States Department of Commerce, *The Minimum Elements For a
Software Bill of Materials (SBOM) Pursuant to Executive Order 14028 on
Improving the Nation’s Cybersecurity*, Jul 2021,
[https://www.ntia.gov/report/2021/minimum-elements-software-bill-materials-sbom](https://www.ntia.gov/report/2021/minimum-elements-software-bill-materials-sbom)
1. White House, *Executive Order on Improving the Nation’s Cybersecurity*,
May 2021,
[https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/](https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/)
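
Review bot: Deleting the whole "Non-normative references" list at the end of the file leaves nothing in this diff to take its place, although the removed introduction states that these documents "are referred to in the text". Confirm that the entries are carried over to a bibliography elsewhere in the same change, or that the places in the text that cite them are updated, so no citation is left without a target.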
2 changes: 1 addition & 1 deletion docs/serializations.md
Expand Up @@ -115,7 +115,7 @@ global context file at the top level.
This reference is achieved using the following JSON construct:

```json
"@context": "https://spdx.org/rdf/3.0/spdx-context.jsonld"
{ "@context": "https://spdx.org/rdf/3.0/spdx-context.jsonld" }
```

The SPDX context file defines aliases for specific JSON-LD properties to
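
Review bot: Wrapping the `"@context"` member in braces makes the fenced snippet parse as JSON, but it now shows a complete object whose only member is `@context`, while the preceding text describes a reference "at the top level" of a document. Suggest adding a short sentence before the fence saying that the member is placed in the top-level object alongside the rest of the document's content, so readers do not copy the snippet as a full file.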