Add SPDX 3 reader

[bact]

An SPDX 3 reader is required in order to be able to check the conformance of SBOM in SPDX 3 format.

There are options available for that functionality:

• tools-python:

  • Pros: Native Python, should be easier to call from Python tool alike.
  • Cons: Not support the released SPDX 3.0.1 yet

• schacl2code: Convert SPDX model to Python code.

  • Pros: Native Python, reflect exactly the 3.0.1 model.
  • Cons: have to implement everything ourselves on top of that

• spdx-java-library:

  • Pros: support 3.0.1.
  • Cons: Need some kind of binding. Maybe large size if bundled with JAR.

• tools-golang ?

[jspeed-meyers]

My preference is to use only tools-python within ntia-conformance-checker. If this is important to implement, I suggest putting in a PR to tools-python to implement SPDX 3.0.1.

[bact]

Thank you. I will try to see what we can do with tools-python. May be we can propose them to use a binding from shacl2code.