Update References chapter

docs/references.md

@@ -0,0 +1,111 @@
+# 2 References
+
+## 2.1 Normative References <a name="2.1"></a>
+
+The following documents are referred to in the text in such a way that some or
+all of their content constitutes requirements of this document. For dated
+references, only the edition cited applies. For undated references, the latest
+edition of the referenced document (including any amendments) applies.
+
+*Apache Maven*, Apache Software Foundation,
+[https://maven.apache.org/](https://maven.apache.org/)
+
+*Bower API*,
+[https://bower.io/docs/api/#install](https://bower.io/docs/api/#install)
+
+*Common Platform Enumeration (CPE) – Specification 2.2*,
+The MITRE Corporation,
+[https://cpe.mitre.org/files/cpe-specification_2.2.pdf](https://cpe.mitre.org/files/cpe-specification_2.2.pdf)
+
+NIST IR 7695, *Common Platform Enumeration: Naming Specification Version 2.3*,
+NIST,
+[https://csrc.nist.gov/pubs/ir/7695/final](https://csrc.nist.gov/pubs/ir/7695/final)
+
+*npm-package.json*, npm Inc.,
+[https://docs.npmjs.com/files/package.json](https://docs.npmjs.com/files/package.json)
+
+*NuGet documentation*, Microsoft,
+[https://docs.nuget.org/](https://docs.nuget.org/)
+
+POSIX.1-2017 *The Open Group Base Specifications Issue 7*, 2018 edition,
+IEEE/Open Group,
+[https://pubs.opengroup.org/onlinepubs/9699919799/](https://pubs.opengroup.org/onlinepubs/9699919799/)
+
+*Package URL specification*,
+[https://github.com/package-url/purl-spec](https://github.com/package-url/purl-spec)
+
+*Resource Description Framework (RDF)*, 2014-02-25, W3C,
+[http://www.w3.org/standards/techs/rdf](http://www.w3.org/standards/techs/rdf)
+
+RFC 1321, *The MD5 Message-Digest Algorithm*,
+The Internet Society Network Working Group,
+[https://www.rfc-editor.org/info/rfc1321](https://www.rfc-editor.org/info/rfc1321)
+
+RFC 3174, *US Secure Hash Algorithm 1 (SHA1)*,
+The Internet Society Network Working Group,
+[https://www.rfc-editor.org/info/rfc3174](https://www.rfc-editor.org/info/rfc3174)
+
+RFC 3986, *Uniform Resource Identifier (URI): Generic Syntax*,
+The Internet Society Network Working Group,
+[https://www.rfc-editor.org/info/rfc3986](https://www.rfc-editor.org/info/rfc3986)
+
+RFC 5234, *Augmented BNF for Syntax Specifications: ABNF*,
+The Internet Society Network Working Group,
+[https://www.rfc-editor.org/info/rfc5234](https://www.rfc-editor.org/info/rfc5234)
+
+RFC 6234, *US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF)*,
+The Internet Society Network Working Group,
+[https://www.rfc-editor.org/info/rfc6234](https://www.rfc-editor.org/info/rfc6234)
+
+*SoftWare Heritage persistent IDentifiers (SWHIDs)*,
+[https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html](https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html)
+
+*SPDX and RDF Ontology*,
+[http://spdx.org/rdf/ontology/spdx-3-0-1](http://spdx.org/rdf/ontology/spdx-3-0-1)
+
+*SPDX License List*, Linux Foundation,
+[https://spdx.org/licenses/](https://spdx.org/licenses/)
+
+*SPDX License Exceptions*, Linux Foundation,
+[https://spdx.org/licenses/exceptions-index.html](https://spdx.org/licenses/exceptions-index.html)
+
+## 2.2 Non-normative References <a name="2.2"></a>
+
+The following documents are referred to in the text.
+
+1. CISQ Software Bill of Materials project, *Tool-to-Tool Software Bill of
+  Materials Exchange*,
+  [https://www.it-cisq.org/software-bill-of-materials/](https://www.it-cisq.org/software-bill-of-materials/)
+1. Dan Geer and Joshua Corman, *Almost Too Big to Fail*,
+  Usenix ;login: article, Vol. 39. No. 4, August 2014,
+  [https://www.usenix.org/publications/login/august14/geer](https://www.usenix.org/publications/login/august14/geer)
+1. Josh Corman, testimony at the Cybersecurity of the Internet of Things
+  Hearing Before the Subcommittee on Information Technology of The Committee on
+  Oversight and Government Reform House of Representatives One Hundred
+  Fifteenth Congress First Session calling for software bill of materials in
+  pending legislation, October 3, 2017, page 38,
+  [https://www.govinfo.gov/app/details/CHRG-115hhrg27760/CHRG-115hhrg27760](https://www.govinfo.gov/app/details/CHRG-115hhrg27760/CHRG-115hhrg27760)
+1. MITRE, *Standardizing SBOM within the SW Development Tooling Ecosystem*,
+  Nov 2019,
+  [https://www.mitre.org/news-insights/publication/standardizing-sbom-within-sw-development-tooling-ecosystem](https://www.mitre.org/news-insights/publication/standardizing-sbom-within-sw-development-tooling-ecosystem)
+1. MITRE, *Deliver Uncompromised: Securing Critical Software Supply Chains
+  Proposal to Establish an End-To-End Framework For Software Supply Chain
+  Integrity*, Jan 2021,
+  [https://www.mitre.org/news-insights/publication/deliver-uncompromised-securing-critical-software-supply-chains](https://www.mitre.org/news-insights/publication/deliver-uncompromised-securing-critical-software-supply-chains)
+1. NTIA, *Notice of 07/19/18 Meeting of Multistakeholder Process on Promoting
+  Software Component Transparency*, July 2018.
+  [https://www.ntia.gov/federal-register-notice/notice-071918-meeting-multistakeholder-process-promoting-software-component](https://www.ntia.gov/federal-register-notice/notice-071918-meeting-multistakeholder-process-promoting-software-component)
+1. NTIA Software Bill Of Materials web page,
+  [https://ntia.gov/sbom/](https://ntia.gov/sbom/)
+1. Open Source Initiative (OSI) Approved Licenses;
+  [https://opensource.org/licenses](https://opensource.org/licenses)
+1. Software Package Data Exchange (SPDX®) Specification Version 1.0 and 1.1,
+  1.2, 2.0, 2.1, 2.2 and 2.3; SPDX.dev,
+  [https://spdx.dev/specifications](https://spdx.dev/specifications)
+1. The United States Department of Commerce, *The Minimum Elements For a
+  Software Bill of Materials (SBOM) Pursuant to Executive Order 14028 on
+  Improving the Nation’s Cybersecurity*, Jul 2021,
+  [https://www.ntia.gov/report/2021/minimum-elements-software-bill-materials-sbom](https://www.ntia.gov/report/2021/minimum-elements-software-bill-materials-sbom)
+1. White House, *Executive Order on Improving the Nation’s Cybersecurity*,
+  May 2021,
+  [https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/](https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/)