Add an external ref for an X.509 Cert
Implements security information to satisfy the Services profile use case 10. Reference discussion in Jun 3 2024 services profile meeting: https://github.com/spdx/meetings/blob/main/service/2024-06-03.md
goneall committed Jan 22, 2025
1 parent 2f946a3 commit d470942
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions model/Core/Vocabularies/ExternalRefType.md
Expand Up @@ -62,3 +62,4 @@ ExternalRefType specifies the type of an external reference.
- vcs: A reference to a version control system related to a software artifact.
- vulnerabilityDisclosureReport: A reference to a Vulnerability Disclosure Report (VDR) which provides the software supplier's analysis and findings describing the impact (or lack of impact) that reported vulnerabilities have on packages or products in the supplier's SBOM as defined in [NIST SP 800-161 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations](https://csrc.nist.gov/pubs/sp/800/161/r1/final).
- vulnerabilityExploitabilityAssessment: A reference to a Vulnerability Exploitability eXchange (VEX) statement which provides information on whether a product is impacted by a specific vulnerability in an included package and, if affected, whether there are actions recommended to remediate. See also [NTIA VEX one-page summary](https://ntia.gov/files/ntia/publications/vex_one-page_summary.pdf).
- x509Cert: A reference to an X.509 certificate as defined in [RFC 1422](https://datatracker.ietf.org/doc/html/rfc1422). The media type should be one of application/x-x509-ca-cert or application/x-x509-user-cert.
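Review bot: The added x509Cert line cites RFC 1422 as the definition of an X.509 certificate, but RFC 1422 is the 1993 Privacy Enhanced Mail key-management document; the current Internet X.509 certificate profile is RFC 5280, so the link should point there. On the same line, both recommended media types are unregistered x- types and nothing is said about encoding (DER or PEM); consider also allowing the IANA-registered application/pkix-cert for a DER-encoded certificate. The entry also leaves out what the certificate is for in relation to the referencing element (for example, the certificate a service presents versus one used to verify a signature), which a consumer needs in order to know what to validate against it; the neighbouring entries each state what the referenced document provides.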
