Re: JSON schema v2.2 PACKAGE_MANAGER discrepancy

Gary O'Neall

Hi Keith,


Please feel free to create an issue and/or a pull request for the 2.2 JSON schema update.


If there are no objections, we can merge it into the 2.2 spec branch.



From: spdx@... <spdx@...> On Behalf Of Keith Zantow via
Sent: Wednesday, February 22, 2023 9:47 AM
To: spdx@...
Subject: [spdx] JSON schema v2.2 PACKAGE_MANAGER discrepancy


Hi All,


There has been a small discrepancy in the SPDX 2.2 JSON schema and the SPDX spec for a while: the 2.2 spec indicates External Reference Category should have a value of: SECURITY | PACKAGE-MANAGER | PERSISTENT-ID | OTHER, however the latest JSON schema has values of: "OTHER", "PERSISTENT_ID", "SECURITY", "PACKAGE_MANAGER". Note the differences between dash and underscore.


As I understand it, the guidance has been that tools should accept both values (e.g. PACKAGE_MANAGER and PACKAGE-MANAGER).


Would it be possible to get a new version of the 2.2 schema published that includes the correct values?


The 2.3 schema already has this, but some users are still tied to 2.2 and it would be nice to have this corrected so documents adhering to the SPDX spec are also valid against the JSON schema.


Would a GitHub issue be a better place for this request?



-Keith Zantow
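
The guidance mentioned in this thread, that tools should accept both spellings, sketched as an added example; it is not part of the original messages or of any SPDX tool. It assumes the SPDX 2.2 JSON field names `packages`, `externalRefs` and `referenceCategory`, and the sample document is constructed for illustration.

```python
import json

# Spellings quoted in the thread: the 2.2 spec text uses dashes,
# the 2.2 JSON schema uses underscores.
SPEC_CATEGORIES = {"SECURITY", "PACKAGE-MANAGER", "PERSISTENT-ID", "OTHER"}
SCHEMA_CATEGORIES = {"SECURITY", "PACKAGE_MANAGER", "PERSISTENT_ID", "OTHER"}

def normalize_category(value):
    """Map either accepted spelling to the spec (dash) form; reject anything else."""
    if not isinstance(value, str):
        raise ValueError(f"referenceCategory is not a string: {value!r}")
    if value in SPEC_CATEGORIES:
        return value
    if value in SCHEMA_CATEGORIES:
        return value.replace("_", "-")
    raise ValueError(f"unknown referenceCategory: {value!r}")

def normalize_external_refs(doc):
    """Rewrite categories in place; return (changes, errors) for reporting."""
    changes, errors = [], []
    for pkg in doc.get("packages", []):
        name = pkg.get("name", "<unnamed>")
        for ref in pkg.get("externalRefs", []):
            raw = ref.get("referenceCategory")
            try:
                fixed = normalize_category(raw)
            except ValueError:
                errors.append((name, raw))  # leave the bad value for a human to review
                continue
            if fixed != raw:
                ref["referenceCategory"] = fixed
                changes.append((name, raw, fixed))
    return changes, errors

# Constructed sample: one schema spelling, one shared value, one invalid value.
SAMPLE_DOC = json.loads("""
{"spdxVersion": "SPDX-2.2", "packages": [{"name": "example-lib", "externalRefs": [
  {"referenceCategory": "PACKAGE_MANAGER", "referenceType": "purl",
   "referenceLocator": "pkg:pypi/example-lib@1.0.0"},
  {"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
   "referenceLocator": "cpe:2.3:a:example:example-lib:1.0.0:*:*:*:*:*:*:*"},
  {"referenceCategory": "package-manager", "referenceType": "purl",
   "referenceLocator": "pkg:pypi/example-lib@1.0.0"}]}]}
""")

if __name__ == "__main__":
    changes, errors = normalize_external_refs(SAMPLE_DOC)
    print("rewritten:", changes)
    print("rejected:", errors)
```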
