Software Package Data eXchange (SPDX™)

The Software Package Data Exchange (SPDX™) specification is a standard format for communicating the components, licenses and copyrights associated with a software package. An SPDX file is associated with a particular software package and contains information about that package in the SPDX format.

The class and field descriptions below are recovered from a flattened class diagram. Each entry gives the class or field name followed by the description the diagram attaches to it; names listed without a description carried none in the diagram.

Classes

SPDXDoc
    An SpdxDoc is a collection of license and copyright information regarding one or more packages and the files contained in those packages.

Package
    A package is an artifact of a software development effort. It is generally a snapshot of the source code at a particular point in time or a mechanism to be used to install the software. A package can contain sub-packages, but the overview is a reference to the entire contents of the package listed.

File
    A file is a series of related octets that will be placed in a single file when the package is installed or unpacked. One File resource should be created for each file in a Package.

LicensingInfo
    A LicensingInfo resource represents a License or set of Licenses under which a File or Package may be copied.

LicenseOrLaterVersion
    A LicenseOrLaterVersion is a disjunctive set of Licenses. Its members are the specified BaseLicense, as well as any future versions of that License.

ConjunctiveLicenseSet
    A ConjunctiveLicenseSet is a set of Licenses, or LicensingInfo, any one of which constitutes the complete terms and conditions of copying a File or Package. The copier/user of a File or Package may choose, at their discretion, which License of a disjunctive set to accept.

DisjunctiveLicenseSet
    A DisjunctiveLicenseSet is a set of Licenses, or LicensingInfo, any one of which constitutes the complete terms and conditions of copying a File or Package. The copier/user of a File or Package may choose, at their discretion, which License of a disjunctive set to accept.

Fields

SPDXVersion
    Provide a reference number that can be used to understand how to parse and interpret the rest of the file. It will enable both future changes to the specification and support for backward compatibility. The version number consists of a Major and Minor version indicator. The Major field will be incremented when one or more sections are created, modified or deleted. The Minor field will be incremented when either only the fields within a section are modified or standard recognized licenses are added to the appendix.

CreatedBy
    Identify how the metadata information in the SPDX file was generated. If it was generated manually, it should indicate who did the analysis. If the information in the file was generated with a software tool, the file should indicate an identifier and version for that tool.

Created

ReviewedBy
    List of the people who have reviewed the SPDX file and the date of that review. Note that there is no requirement for a particular reviewer to add their name to the file; however, it may be important for participants in the software supply chain to validate whether upstream providers have reviewed the SPDX file. This can be considered as an equivalent to "signed off" or "reviewed by". Additional reviewers can be added after the original version of the SPDX file is created and can occur as an append to the original file.

DeclaredName

MachineName

Description

ShortDesc

DownloadURL

SourceInfo

DeclaredCopyright

DeclaredLicense

DetectedLicense

License
    This field contains the license governing the file if it is known. It will either be explicit from the file header or other information found in the file's source code or the default from the package. If no license information is found it should be denoted as "NotSpecified". If no license information can be determined, the license is denoted as "Unknown". The licenses should use the standard short form names. See Appendix I for standardized license short forms. If a Detected License is not one of the standardized license short forms, this field must contain a reference to the full license text included in this SPDX file in section 4. If more than one license is detected in the file, then each should be listed. If any of the detected licenses offer the recipient a choice of licenses, then each of the choices will be declared as a "disjunctive" license.

    Section 4 is used for any detected or declared licenses that are NOT one of the standard licenses. One instance should be created for every unique license detected in the package that does not match one of the standard license short forms from Appendix I. Each license instance should have the following fields.

LicenseID

LicenseText

BaseLicense
    This is the base license of this set. The full set of members is calculated to include the BaseLicense plus any other licenses which are later versions of this license.

Licenses
    This is a list of members of this set.

Copyright
    This field identifies the copyright holders and associated dates of their copyright that are in this specific file if known. Note: the copyright holder identifier may have developer names, companies, email addresses, and may be specified in international character sets. This will be a freeform text field extracted from the package information files.

Name
    Identify the path to the file that corresponds to this information.

Type
    This field identifies common types of files where there may be different treatment of copyright and license information: source, binary, machine generated, etc.

SHA1
    Provide a unique identifier to match analysis information on specific files between packages.
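As an added example that is not part of the SPDX specification or any SPDX tooling, the Python below models the license-set rules described above: a LicenseOrLaterVersion expands to its BaseLicense plus the later versions of it, a DisjunctiveLicenseSet is satisfied by any one member, a File is identified by the SHA1 of its content, and SPDXVersion is split into Major and Minor. The LATER_VERSIONS table is a constructed assumption, and parser_can_read encodes one reading of the Major/Minor rule (only Major bumps change sections).

```python
import hashlib
from dataclasses import dataclass

# Constructed table (an assumption for this example, not from the spec):
# which standard short forms count as later versions of a base license.
LATER_VERSIONS = {"GPL-2.0": ["GPL-3.0"], "LGPL-2.1": ["LGPL-3.0"]}

@dataclass(frozen=True)
class License:
    short_name: str  # standard short form, or "NotSpecified" / "Unknown"

    def members(self) -> set:
        return {self.short_name}

@dataclass(frozen=True)
class LicenseOrLaterVersion:
    base: License  # the BaseLicense of this set

    def members(self) -> set:
        # BaseLicense plus every license that is a later version of it
        return self.base.members() | set(LATER_VERSIONS.get(self.base.short_name, []))

@dataclass
class DisjunctiveLicenseSet:
    licenses: list  # License or LicenseOrLaterVersion members

    def members(self) -> set:
        return set().union(*(m.members() for m in self.licenses))

    def satisfied_by(self, chosen: str) -> bool:
        # Any single member is the complete terms; the copier picks one.
        return chosen in self.members()

@dataclass
class SpdxFile:
    name: str                 # path of the file inside the package
    file_type: str            # source, binary, machine generated, ...
    sha1: str                 # identifier for matching files across packages
    detected_license: object  # License, LicenseOrLaterVersion or a set

def sha1_of(content: bytes) -> str:
    return hashlib.sha1(content).hexdigest()

def parse_spdx_version(version: str) -> tuple:
    major, minor = version.split(".")
    return int(major), int(minor)

def parser_can_read(parser_version: str, doc_version: str) -> bool:
    # Major bumps create/modify/delete sections; Minor bumps touch only
    # fields or the license appendix, so the same Major is still parseable.
    return parse_spdx_version(parser_version)[0] == parse_spdx_version(doc_version)[0]
```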