SPDX 3.0 support

[riteshnoronha]

We need to add support for SPDX 3.0 scoring. Lets try and understand what this means.

[goneall]

There are a couple of pull requests for the SPDX Golang Library that implements SPDX 3 format:

• DO NOT MERGE: SPDX 3 Bindings spdx/tools-golang#249
• feat: prototype 3.0 model spdx/tools-golang#247

We're looking for feedback from consumers of the library on the changes. Once we get sufficient review and feedback, we can merge those in and provide support for sbomqs SPDX 3 support.

[riteshnoronha]

@goneall thanks for reaching out, yeah we can provide feedback once we test this out. What we are lacking is sample SPDX3 sboms.

cc: @viveksahu26 @surendrapathak

[goneall]

I'm working on collecting a few real-world examples for you. The Yocto project now produces SPDX 3 files. We're using this as an example in the CISA SBOM reference implementation (reference this pull request). I'm also close to release support for SPDX 3 in the SPDX Maven Plugin (reference this pull request) which should end up generating more SPDX 3 files.

Here's what we have so far:

• Example in the spec repo - very basic example
• Converted examples in the SPDX examples repo - currently they are pull requests, but should be merged within a week

[goneall]

Another update on the SPDX Golang tools library. In our last weekly SPDX implementers call, we decided to split out the generated SPDX 3 model language bindings from the higher level Golang tools. The new repo is here: https://github.com/spdx/spdx-go-model

Feedback on the language bindings are much appreciated.

[viveksahu26]

Thanks for providing examples, would go though these examples, and would love to provide feedback on tools-golang PR.