Hi Dick,

The PR cannot be reopened once it is merged. On the call, we discussed opening 
a new PR with any edits to Appendix G.

As far as the specific comments you made, are you able to join the defects call 
today? That seems like the best forum to discuss. I can help with the PR side 
of it once we come to a conclusion about how to proceed with your suggestions.

Thanks,
Rose

From: [email protected] <[email protected]> on behalf of Dick 
Brooks via lists.spdx.org <[email protected]>
Date: Tuesday, May 24, 2022 at 12:57 PM
To: 'Gary O'Neall' <[email protected]>, [email protected] 
<[email protected]>
Subject: Re: [spdx-tech] SPDX Version 2.3 Spec Schema Updates

Kate, Gary, et al

There were two pending items in PR 670 that did not get resolved when the merge 
occurred. I request that PR 670 be reopened and the two pending items have 
action taken (accept or reject) and then merge the pull request based on the 
consensus outcome of these two items. Here are the two pending items I'm 
referring to:

Add new Annex G with howto information #670
Merged: kestewart merged 1 commit into development/v2.3 from annex-howto

1. (pending review comment by rjb4standards) G.1.3.1 Linking to a CycloneDX 
Vulnerability Disclosure Report (VDR) for a Software Product (see NIST SP 
800-161r1 RA-5 and IEC 29147:2018 for VDR information)
"externalRefs" : [ {
  "referenceCategory" : "SECURITY",
  "referenceLocator" : "https://raw.githubusercontent.com/rjb4standards/REA-Products/master/CDXVEX/CDX14.xml",
  "referenceType" : "advisory"
} ]
2. (pending review comment by rjb4standards) G.1.9 Linking to a Vulnerability 
Disclosure Report (VDR) for a Software Product (see NIST SP 800-161r1 RA-5 and 
IEC 29147:2018 for VDR information)
Use this method to reference an "impact statement" per the SECURITY advisory 
type, following the NIST VDR description.
"externalRefs" : [ {
  "referenceCategory" : "SECURITY",
  "referenceLocator" : "https://github.com/rjb4standards/REA-Products/blob/master/SBOM_and_VDRbaseline/sag-pm-118_VDR.json",
  "referenceType" : "advisory"
} ]


Thanks,

Dick Brooks
Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership

Never trust software, always verify and report!™
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788
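As an added illustration of the externalRefs usage quoted in the two pending items above (example code written for this page, not code from the SPDX project or from anyone in this thread), the following Python snippet reads an SPDX 2.3 JSON document, collects the SECURITY references of each package, and runs a consumer-side sanity check on each advisory/VDR locator. The SPDX document is constructed inline; one advisory locator reuses the GitHub URL quoted above, the other locators (the cpe23Type, purl and ftp values) are made up for the example, and the "https only" policy is an assumption, not an SPDX rule.

```python
import json
from urllib.parse import urlparse

# Constructed sample SPDX 2.3 JSON document (not a real SBOM). The first
# advisory locator is the one quoted in the thread; the rest are made up.
SAMPLE_SPDX_JSON = """
{
  "spdxVersion": "SPDX-2.3",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example-sbom",
  "packages": [
    {
      "name": "sag-pm",
      "SPDXID": "SPDXRef-Package-sag-pm",
      "versionInfo": "1.1.8",
      "externalRefs": [
        {
          "referenceCategory": "SECURITY",
          "referenceType": "cpe23Type",
          "referenceLocator": "cpe:2.3:a:example:sag-pm:1.1.8:*:*:*:*:*:*:*"
        },
        {
          "referenceCategory": "SECURITY",
          "referenceType": "advisory",
          "referenceLocator": "https://github.com/rjb4standards/REA-Products/blob/master/SBOM_and_VDRbaseline/sag-pm-118_VDR.json"
        },
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:generic/sag-pm@1.1.8"
        },
        {
          "referenceCategory": "SECURITY",
          "referenceType": "advisory",
          "referenceLocator": "ftp://not-https.example/vdr.json"
        }
      ]
    }
  ]
}
"""

# Assumed local policy: a VDR/advisory link must be fetchable over HTTPS.
ALLOWED_SCHEMES = {"https"}


def security_refs(doc: dict, reference_type: str = "advisory") -> list:
    """Return (package SPDXID, referenceLocator) pairs for SECURITY refs of one type."""
    found = []
    for pkg in doc.get("packages", []):
        for ref in pkg.get("externalRefs", []):
            if (ref.get("referenceCategory") == "SECURITY"
                    and ref.get("referenceType") == reference_type):
                found.append((pkg["SPDXID"], ref["referenceLocator"]))
    return found


def check_locator(locator: str) -> list:
    """Return the problems found with an advisory locator; empty list means acceptable."""
    problems = []
    parsed = urlparse(locator)
    if parsed.scheme not in ALLOWED_SCHEMES:
        problems.append(f"scheme {parsed.scheme!r} not in {sorted(ALLOWED_SCHEMES)}")
    if not parsed.netloc:
        problems.append("missing host")
    # Mail gateways rewrite links through click-tracking proxies (as happened to
    # the URLs pasted in this thread); such a wrapper is not the real locator.
    if "safelinks" in parsed.netloc:
        problems.append("locator wrapped by a link-rewriting proxy")
    return problems


def audit(spdx_json: str) -> dict:
    """Parse an SPDX JSON document and report its advisory refs and any locator problems."""
    doc = json.loads(spdx_json)
    advisories = security_refs(doc, "advisory")
    problems = {}
    for _, locator in advisories:
        issues = check_locator(locator)
        if issues:
            problems[locator] = issues
    return {"advisories": advisories, "problems": problems}


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_SPDX_JSON), indent=2))
```

The split into security_refs and check_locator keeps the SPDX walking separate from local policy: the first function is plain SPDX 2.3 structure, while ALLOWED_SCHEMES and the proxy check are where a consumer would plug in their own rules before fetching the linked VDR.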

From: [email protected] <[email protected]> On Behalf Of Gary 
O'Neall
Sent: Tuesday, May 24, 2022 3:05 PM
To: [email protected]
Subject: [spdx-tech] SPDX Version 2.3 Spec Schema Updates

Important for 2.3 schedule!

I just created a meta-issue to track the activities needed to update the 
schemas for SPDX release 2.3: 
https://github.com/spdx/spdx-spec/issues/691

I'm assuming that there is only ONE potential update to the spec which impacts 
the schemas (https://github.com/spdx/spdx-spec/pull/671).

The schema is impacted by any change in classes, properties, fields and tags 
described in the spec.  This includes descriptions as well as cardinality and 
additions.

If you know of or are even contemplating a change to the 2.3 spec which will 
impact the schema, please add a comment to the above issue within the next day 
or two.  It takes time and effort to update the schema and we don’t want to do 
it more times than needed.

Thanks,
Gary

-------------------------------------------------
Gary O'Neall
Principal Consultant
Source Auditor Inc.
Mobile: 408.805.0586
Email: [email protected]
CONFIDENTIALITY NOTE: The information transmitted, including attachments, is 
intended only for the person(s) or entity to which it is addressed and may 
contain confidential and/or privileged material. Any review, re-transmission, 
dissemination or other use of, or taking of any action in reliance upon this 
information by persons or entities other than the intended recipient is 
prohibited. If you received this in error, please contact the sender and 
destroy any copies of this information.

View/Reply Online (#4531): https://lists.spdx.org/g/Spdx-tech/message/4531