|
Serialization: Ontologies vs Datatypes
Gary, Based on the W3C wiki description, that is consistent. 1) Blank nodes must not have an IRI, like Coordinate and CreationInformation instances 2) Blank nodes may apply to more than one IRI (RDF g
|
By
David Kemp
· #5047
·
|
|
Serialization: Ontologies vs Datatypes
Thanks David for the additional info. I was planning allowing the fields of “data types” as objects in RDF triples in SPDX 3.0. The difference between Elements and “data types” was whether URI types w
|
By
Gary O'Neall
· #5046
·
|
|
Serialization: Ontologies vs Datatypes
At the SPDX Serialisation Meeting 2023-03-16: Sean presented a deck of slides that he and Alexios had created to explain concepts relating to JSON-LD and RDF with regard to SPDX. The presentation cove
|
By
David Kemp
· #5045
·
|
|
#spdx Gsoc contribution guidance and suggestion
#spdx
I want to contribute in https://github.com/opensbom-generator/parsers project. I would love to have some suggestions and things I need to mention in my proposal. This project seems very interesting to
|
By
Utkarsh Saxena
· #5044
·
Edited
|
|
Handling invalid licenses
Hi Anthony, My suggestion is to report the license as stated in the Declared License property, even though invalid, and use either NOASSERTION (or better yet) the correct license in the Concluded Lice
|
By
Gary O'Neall
· #5043
·
|
|
Handling invalid licenses
Anthony: <anthony.p.harrison@...> wrote: Can you share some concrete examples?
|
By
Philippe Ombredanne
· #5042
·
|
|
Handling invalid licenses
I can only speak to what my understanding of SPDX 2.x is. However, before getting to that, I would ask exactly what you mean by "invalid licenses"? Are these files that have some license text that a t
|
By
Keith Zantow
· #5041
·
|
|
Handling invalid licenses
Team In generating SBOMs, I am encountering a lot of issues with licence information obtained from either ecosystem meta data or actual source files most do not appear to be using SPDX license identif
|
By
Anthony Harrison
· #5040
·
|
|
SPDX v2.3 JSON schema diagram
Norio, Thanks for your response. I refer you to the SPDX V2.3 spec for externalRef SECURITY https://spdx.github.io/spdx-spec/v2.3/package-information/#721-external-reference-field and https://spdx.gi
|
By
Dick Brooks
· #5039
·
|
|
SPDX v2.3 JSON schema diagram
Hello Dick, Thank you for pointing out. I added the figure of externalDocumentRefs. https://qiita.com/nori0428/items/b1892da6bd30ed6efff4#externaldocumentrefs And as far as I've checked the current sc
|
By
Norio Kobota
· #5038
·
|
|
Released - Re: New Python tools pre-release
Hi all, we just released v0.7.1 of the tools-python! Best, Meret
|
By
meret.behrens@...
· #5037
·
|
|
Event: SPDX tech team meeting - Tuesday, March 14, 2023
#cal-reminder
Reminder: SPDX tech team meeting When: Tuesday, March 14, 2023 11:00am to 12:30pm (UTC-05:00) America/Chicago Where: https://zoom.us/j/663426859 Organizer: Kate Stewart kstewart@... Vi
|
By
...
· #5036
·
|
|
FW: CISA SBOM update
FYI: Update an update today from Allan Friedman re: CISA SBOM activities – see email below. NOTE from Allan: As a reminder, CISA facilitates these open discussions, but the participants shape the agen
|
By
Dick Brooks
· #5035
·
|
|
SPDX v2.3 JSON schema diagram
Norio, This is excellent work, thank you. I did not see the externalRefs SECURITY advisory object in the model, see Appendix K for examples; https://spdx.github.io/spdx-spec/v2.3/how-to-use/#k19-linki
|
By
Dick Brooks
· #5034
·
|
|
SPDX v2.3 JSON schema diagram
Dear SPDX tech communities, Thank you for providing a lot of useful documents about SPDX! We, OpenChain Japan SBOM-sg members, illustrated the v2.3 JSON schema a little easier to see. https://qiita.co
|
By
Norio Kobota
· #5033
·
|
|
Serialization subteam: Toy Example
Serialization subteam members: Alexios contributed a toy example JSON file for Issue #89, which illustrates both the correspondence and the difference between any Set class defined in a logical model
|
By
David Kemp
· #5032
·
|
|
OpenVEX lively discussion underway on GitHub OpenSSF
https://github.com/ossf/wg-vulnerability-disclosures/issues/125 This video leaves me questioning where Microsoft stands on OpenVEX. Art Manion’s description of the CISA process is worth listening to:
|
By
Dick Brooks
· #5031
·
|
|
FYI: Cross pollination with the CISA ICT_SCRM Task Force SW Assurance work stream
I think Alexios’ example table is a good approach. I created a Google Sheets copy of his table below and added the CycloneDX related properties. Feel free to update the table. Here’s the link: https:
|
By
Gary O'Neall
· #5030
·
|
|
FYI: Cross pollination with the CISA ICT_SCRM Task Force SW Assurance work stream
We didn’t have time to go over this topic on the call, so no updates on the table below. I can provide some input, however, from the cdx2spdx tool which interprets the CycloneDX fields. CDX Supplier m
|
By
Gary O'Neall
· #5029
·
|
|
Collaborating with SPDX in GSoC 2023!
Hi guys, I am Banula Kumarage. I am interested in contributing to the "SPDX License Submission Online Tool - increase functionality" through GSOC 2023. I have given a brief intro about myself in the g
|
By
Banula Kumarage
· #5028
·
|