Add support for SPDX v2.3

[CarolinaOliiveira]

Upgrade SPDX to version 2.3

This PR was developed to update SPDX implementation from version 2.2 to version 2.3. In this link, differences between these two versions are listed, where only the first four are relevant since annexes have not been implemented. In the following section, I’ll briefly explain the changes to version 2.3.

1. Added four new fields to Package Information: Primary Package Purpose, Built Date, Release Date, Valid Until Date.

   • Primary Package Purpose - This field provides information about the primary purpose of the identified package. Package Purpose is intrinsic to how the package is being used rather than the content of the package. The possible values for this field are APPLICATION, FRAMEWORK, LIBRARY, CONTAINER, OPERATING-SYSTEM, DEVIDE, FIRMWARE, SOURCE, ARCHIVE, FILE, INSTALL and OTHER.
   • Built Date - This field provides a place for recording the actual date the package was built.
   • Release Date - This field provides a place for recording the date the package was released.
   • Valid Until Date - This field provides a place for recording the end of the support period for a package from the supplier.

2. Added eight hash algorithms (SHA3-256, SHA3-384, SHA3-512, BLAKE2b-256, BLAKE2b-384, BLAKE2b-512, BLAKE3, ADLER32) to the set recognized by Package Checksum field and File checksum field.

3. Update Package Information, File Information and Snippet information to make several of the licensing properties optional rather than requiring the use of "NOASSERTION" when no value is provided. The required fields for these sections are now:

   • Package Information - SPDXID, downloadLocation and name
   • File Information - SPDXID, checksums and fileName
   • Snippet information - SPDXID, ranges and snippetFromFile

4. Update Relationships between SPDX elements to add the new relationship types: REQUIREMENT_DESCRIPTION_FOR and SPECIFICATION_FOR.

Support for version 2.2:

• SPDX JSON is still valid for 2.2 since only non-required fields were added. But for xml, 2.2 is no longer valid since it has to respect an order and some field's order changed.
• Although SPDX 2.2 is still valid for JSON, once you deserialize it, it will automatically be converted to version 2.3, keeping the same information it already had, the only change is in the field spdxVersion.
• SPDX 2.2 JSON can still be converted to CycloneDX, but Cyclone will have the information that the SPDX version was 2.3.
• If you convert SPDX to CycloneDX and back to SPDX, the converted SPDX version will be 2.3.

[p-brito]

@coderpatros @stevespringett can you review this?

[mtsfoni]

First of all thank you for the contribution.

I currently maintain this project, however I know only very little about SPDX.

Can you(eg. @Kiril1512) assure me, that you reviewed the code good and deep enough and @CarolinaOliiveira, that you can take time to fix bugs that might arrise from the integration of your code?

[andreas-hilti]

@mtsfoni What is the strategy here with respect to version support? Support only the latest 2.x version of SPDX (or is the aim to support both 2.2 and 2.3)?

[p-brito]

@andreas-hilti the code was built to support only the latest version, if we want to support both 2.2 and 2.3 it will require a lot more work.

[Kiril1512]

Hello @mtsfoni

Me and @p-brito did an extended review and also @CarolinaOliiveira updated the PR description so it will be much easier for you to navigate what was changed and allow a smoother review.
Also, we tested the dll's in our internal services for energetic SPDX and cycloneDx and parsed them and everything works as expected.

This is not the first time we have contributed to this repo Add support to SPDX.xml so we can assure maintenance and bug fixing that may rise.

[p-brito]

@mtsfoni can you please review it?

[p-brito]

@mtsfoni @coderpatros can you please review this?

[Sbennett99]

eta on this being merged?

[Kiril1512]

eta on this being merged?

Waiting for a review from @mtsfoni or @andreas-hilti

[andreas-hilti]

I'm not familiar with SPDX and this part of the code base, but it LGTM.

There is at least one mentioning of version 2.2 in the readme that should be changed as well.

In general, I wonder if we anyway support only one SPDX 2.x version, whether we shouldn't use the subfolder "v2" instead of "v2_3" (but maybe it is a bit more explicit).

Why are there so many whitespace changes?

I would consider it a breaking change.