Change Log

All notable changes to this project will be documented in this file.

3.0

Added more relationship types to Relationships.
Updated License Matching Guidelines to allow embedded rules within optional rules.
Updated Charter to broaden applicable scenarios for SPDX documents.
Updated License List to v3.7.
Added support for PURL and container images to External Repository Identifiers.
Added the license matching guideline content to Appendix II.
Added sample documents (both for final and draft formats) under examples/.
Added definitions for the rdf: and rdf-schema: namespaces.
Added clarification of the meaning of Package with an SPDX document.
Added SPDX Lite which defines a minimal subset of SPDX for scenarios not requiring full SPDX documents.
Added SPDX File Tags which defines a mechanism to add file-specific information from SPDX-defined fields to source code files.
Added optional field to be able to convey attribution text information for packages & files.
Added support for LicenseRef- in short form identifiers.
Added support for relationships to NOASSERTION or NONE as a way to indicate "known unknown" and "no dependencies" respectively.
Added YAML, JSON, and .xls as supported formats and XML as an in-development format.
Removed support for multi-line license expressions.
Added swh as an external reference to support linking to Software Heritage persistent identifiers.
Added clarification on the case sensitivity of license expressions.
Numerous formatting, gramatical, and spelling fixes.

Snippets allow a portion of a file to be identified as having different properties from the file it resides within. The use of snippets is completely optional, and it is not mandatory for snippets to be identified;
Improvements in referencing external packages and repositories; users can now associate packages with security vulnerability databases as well as component repositories, such as npm, maven, bower, among others; and
A new appendix has been added to explain how to use SPDX License List identifiers in source files. An increasing number of open source projects are adding these short identifiers to code, as they allow anyone to quickly scan a directory of files to identify the licenses included. SPDX license identifier tags also eliminate common mistakes based on scanning headers to conclude the license of a source file

The new relationship view makes the SPDX standard more useful for a broader range of uses, including exchanging data about software and modules introduced throughout the supply chain. The improvements are said to ease the exchange of open source and license data, streamline compliance with open source licenses, and help vendors more easily identify obligations or security vulnerabilities before shipment.
Descriptions of multiple packages in a single SPDX document, allowing aggregation of information that should be kept together
Expanded annotations that include replacing “review” comments, available for any specific element in an SPDX document
New license expression syntax with improved license matching guidelines, making the capture of complex licensing within a file easier and more reliable
Additional file types and checksum algorithms with expanded file types, allowing for more precise identification of a file
Support for referencing software pulled from version control systems, in addition to software served as downloads

Optional fields for including license names and cross references to license sites
New comment fields added to capture important facts in the document, license, and file sections
Expanded list of licenses, new short form identifiers for all licenses