In SPDX models CreationInfo class we have license_list_version: Optional[Version] = None and in the Version class we only have support for Major and Minor version numbers but since SPDX License List version 3.24.0 there are also patch versions used:

• https://github.com/spdx/license-list-data/releases/tag/v3.25.0
• https://github.com/spdx/license-list-data/releases/tag/v3.24.0

See also https://github.com/spdx/license-list-XML/blob/main/RELEASE-NOTES.md?plain=1#L55, this seems to be included to align with SPDX 3.0 requirements, but there is not SPDX 3.0 stable release yet and even after a SPDX 3.0 release there can be tools which still use the SPDX 2.3 models but choose to use the newer SPDX License List versions.

This is weird because:

• There is no release at https://github.com/spdx/license-list-data/releases/ which actually uses the patch version, so why introduce it which introduces extra work in the tool here and also tools downstream?
• Why not update also the tool for this version after, there has been two SPDX License List releases with this patch version already.

This means in scancode-toolkit we would not be able to show SPDX License List versions correctly (we have to skip the patch number) unless the tool is updated accordingly. Refer: aboutcode-org/scancode-toolkit#3897