Software Package Data eXchange (SPDX™)
The Software Package Data Exchange (SPDX™)
specification is a standard format for communicating the components,
licenses and copyrights associated with a software package. An SPDX
file is associated with a particular software package and contains
information about that package in the SPDX format.
DeclaredCopyright
Package
A package is an artifact of a software development effort. It
is generally a snapshot of the source code at a particular point
in time or a mechanism to be used to install the software. A
package can contain sub-packages, but the overview is a
reference to the entire contents of the package listed.
DeclaredLicense
LicensingInfo
A LicensingInfo resource represents
a License or set of Licenses under which
a File or Package
may be copied.
DetectedLicense
BaseLicense
This is the base license of this set.
The full set of members is calculated to include the BaseLicense
plus any other licenses that are later versions of this license.
LicenseOrLaterVersion
A LicenseOrLaterVersion is a disjunctive
set of Licenses. Its members are the
specified BaseLicense, as well as any
later versions of that License.
License
This field contains the license governing
the file if it is known. It will either be explicit from the file
header or other information found in the file's source code or the
default from the package. If the file carries no license information,
it should be denoted as "NotSpecified". If license information is
present but the license cannot be determined, it is denoted as
"Unknown". The licenses should use the standard short form names. See
Appendix I for standardized license short forms. If a Detected License
is not one of the standardized license short forms, this field must
contain a reference to the full license text included in this SPDX
file in section 4. If more than one license is detected in the file,
then each should be listed. If any of the detected licenses offer the
recipient a choice of licenses, then each of the choices will be
declared as a "disjunctive" license.
This section is used for any detected
or declared licenses that are NOT one of the standard licenses.
One instance should be created for every unique license detected
in the package that does not match one of the standard license short
forms from Appendix I. Each license instance should have the
following fields.
ConjunctiveLicenseSet
A ConjunctiveLicenseSet is a
set of Licenses,
or LicensingInfo, all of which together
constitute the complete terms and conditions of copying
a File or Package. The
copier/user of a File or Package must comply with every
License in a conjunctive set.
Copyright
This field identifies the copyright
holders and associated dates of their copyright that are in this
specific file, if known. Note: copyright holder identifiers may include
developer names, companies and email addresses, and may be specified
in international character sets. This will be a freeform text
field extracted from the package information files.
File
A file is a series of related octets that
will be placed in a single file when the package is installed or
unpacked. One File resource should be created for each file in a
Package.
Created
SPDXDoc
An SpdxDoc is a collection of license and copyright information regarding one or more packages and the files contained in those packages.
CreatedBy
Identify how the metadata in the
SPDX file was generated. If it was generated manually, it
should indicate who did the analysis. If the information in
the file was generated with a software tool, the file should
indicate an identifier and version for that tool.
DeclaredName
Description
DisjunctiveLicenseSet
A DisjunctiveLicenseSet is a
set of Licenses,
or LicensingInfo, any one of which
constitutes the complete terms and conditions of copying
a File or Package. The
copier/user of a File or Package may choose, at their discretion,
which License in a disjunctive set applies.
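The following is an added example, written for this page and not code from the SPDX specification or any SPDX tool. It models the BaseLicense, LicenseOrLaterVersion, ConjunctiveLicenseSet and DisjunctiveLicenseSet resources described above and evaluates whether a declared set of terms can be satisfied by the licenses a recipient is willing to accept. The short-form names ("GPL-2.0", "MIT", "BSD-3-Clause") and the convention that a trailing "-major.minor" suffix is the license version are assumptions for illustration; the actual short forms are in Appendix I, which is not reproduced on this page.

```python
"""Added example, not from the SPDX specification: evaluate the SPDX
license-set vocabulary (BaseLicense / LicenseOrLaterVersion,
ConjunctiveLicenseSet, DisjunctiveLicenseSet) against an allow-list.

Assumptions: short-form names such as "GPL-2.0" or "MIT" are hypothetical
stand-ins for the Appendix I short forms, and a trailing "-<major>.<minor>"
on a short name is taken to be its version so that "later versions" can be
compared.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# "<name>-<digits>[.<digits>...]" with nothing after the version.
_VERSIONED = re.compile(r"^(?P<name>[A-Za-z]+)-(?P<ver>\d+(?:\.\d+)*)$")


def split_version(short_name: str) -> tuple[str, tuple[int, ...]] | None:
    """Return (family, version tuple) for a versioned short name, else None."""
    m = _VERSIONED.match(short_name)
    if m is None:
        return None
    return m.group("name"), tuple(int(p) for p in m.group("ver").split("."))


@dataclass(frozen=True)
class License:
    """A single license, identified by its short-form name."""
    short_name: str

    def satisfied_by(self, accepted: frozenset[str]) -> bool:
        return self.short_name in accepted

    def expression(self) -> str:
        return self.short_name


@dataclass(frozen=True)
class LicenseOrLaterVersion:
    """Disjunctive set: the BaseLicense plus every later version of it.

    The member list cannot be enumerated (later versions may not exist
    yet), so instead of computing it we test each accepted license.
    """
    base: License

    def satisfied_by(self, accepted: frozenset[str]) -> bool:
        parsed = split_version(self.base.short_name)
        if parsed is None:  # unversioned base: only an exact match counts
            return self.base.satisfied_by(accepted)
        family, base_ver = parsed
        for name in accepted:
            other = split_version(name)
            if other is not None and other[0] == family and other[1] >= base_ver:
                return True
        return False

    def expression(self) -> str:
        return self.base.short_name + "+"


@dataclass(frozen=True)
class ConjunctiveLicenseSet:
    """All members apply together: every one must be acceptable."""
    licenses: tuple

    def satisfied_by(self, accepted: frozenset[str]) -> bool:
        return all(m.satisfied_by(accepted) for m in self.licenses)

    def expression(self) -> str:
        return "(" + " AND ".join(m.expression() for m in self.licenses) + ")"


@dataclass(frozen=True)
class DisjunctiveLicenseSet:
    """The recipient chooses one member: any acceptable member suffices."""
    licenses: tuple

    def satisfied_by(self, accepted: frozenset[str]) -> bool:
        return any(m.satisfied_by(accepted) for m in self.licenses)

    def expression(self) -> str:
        return "(" + " OR ".join(m.expression() for m in self.licenses) + ")"


def example_package_terms() -> ConjunctiveLicenseSet:
    """Constructed terms: (GPL-2.0 or later OR MIT) AND BSD-3-Clause."""
    return ConjunctiveLicenseSet((
        DisjunctiveLicenseSet((LicenseOrLaterVersion(License("GPL-2.0")),
                               License("MIT"))),
        License("BSD-3-Clause"),
    ))


def check_policy(terms, accepted: set[str]) -> bool:
    """True if the recipient can copy under some acceptable combination."""
    return terms.satisfied_by(frozenset(accepted))


if __name__ == "__main__":
    terms = example_package_terms()
    print(terms.expression())
    for policy in ({"GPL-3.0", "BSD-3-Clause"}, {"MIT"}, {"LGPL-2.1", "BSD-3-Clause"}):
        print(sorted(policy), "->", check_policy(terms, policy))
```

The sets nest, so a disjunctive choice inside a conjunctive set is evaluated per member: with only "MIT" accepted the disjunction is satisfied but the conjunction still fails on BSD-3-Clause, and "LGPL-2.1" does not satisfy GPL-2.0+ because the families differ even though the version is higher.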
DownloadURL
LicenseID
LicenseText
MachineName
Name
Identifies the path to the file that corresponds to this information.
ReviewedBy
List of the people who
have reviewed the SPDX file and the date of that review. Note
that there is no requirement for a particular reviewer to add
their name to the file, however it may be important for
participants in the software supply chain to validate whether
upstream providers have reviewed the SPDX file. This can be
considered as an equivalent to “signed off” or “reviewed
by”. Additional reviewers can be added after the original
version of the SPDX file is created and can occur as an append to
the original file.
SPDXVersion
Provide a reference number
that can be used to understand how to parse and interpret the
rest of the file. It will enable both future changes to the
specification and support for backward compatibility. The
version number consists of a Major and a Minor version indicator.
The Major field will be incremented when one or more sections are
created, modified or deleted. The Minor field will be
incremented when only the fields within a section are
modified or standard recognized licenses are added to the appendix.
ShortDesc
SourceInfo
Type
This field identifies common types of
files where there may be different treatment of copyright and
license information: source, binary, machine generated, etc.
Licenses
This is a list of members of this set.
SHA1
Provide a unique identifier to match
analysis information on specific files between packages.
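The following is an added example, written for this page and not code from the SPDX specification or any SPDX tool, showing the use the SHA1 field is described for above: matching File resources between two package snapshots by hash so that the License and Copyright analysis recorded for a reviewed snapshot can be carried over to unchanged files in the next one, while changed or added files are queued for review. The field names Name, SHA1, License and Copyright come from this page; the dictionary-based record layout and the file contents are constructed for the example. One caveat a practitioner should keep in mind: SHA-1 is no longer collision-resistant, so for files from an untrusted source a hash match is a hint for the reviewer rather than proof that the file is identical.

```python
"""Added example, not from the SPDX specification: use the SHA1 field of
File resources to carry reviewed license/copyright analysis from one package
snapshot to the next. All file contents below are constructed inline.

Caveat: SHA-1 is no longer collision-resistant, so for untrusted inputs a hash
match should be treated as a hint for the reviewer, not as proof of identity.
"""
from __future__ import annotations

import hashlib


def sha1_hex(data: bytes) -> str:
    """Hex SHA1 of a file's octets, as recorded in the File's SHA1 field."""
    return hashlib.sha1(data).hexdigest()


def file_records(files: dict[str, bytes],
                 analysis: dict[str, dict] | None = None) -> list[dict]:
    """One File record per file: Name, SHA1 and, when known, License/Copyright."""
    analysis = analysis or {}
    records = []
    for name, body in files.items():
        rec = {"Name": name, "SHA1": sha1_hex(body)}
        rec.update(analysis.get(name, {}))
        records.append(rec)
    return records


def carry_over_analysis(reviewed: list[dict], new: list[dict]) -> dict:
    """Copy License/Copyright to new files whose SHA1 matches a reviewed file.

    Returns the annotated new records, the names that still need review
    (changed or added files) and any renames detected through the hash.
    """
    by_hash = {r["SHA1"]: r for r in reviewed}
    annotated, needs_review, renamed = [], [], []
    for rec in new:
        prior = by_hash.get(rec["SHA1"])
        if prior is None:
            needs_review.append(rec["Name"])
            annotated.append(dict(rec))
            continue
        annotated.append(dict(rec, License=prior["License"],
                              Copyright=prior["Copyright"]))
        if prior["Name"] != rec["Name"]:
            renamed.append((prior["Name"], rec["Name"]))
    return {"files": annotated, "needs_review": needs_review, "renamed": renamed}


def demo() -> dict:
    """Constructed snapshots: v1 was reviewed by hand, v2 is the new release."""
    v1_files = {
        "src/util.c": b"/* MIT */ int add(int a, int b) { return a + b; }\n",
        "src/main.c": b"/* GPL-2.0 */ int main(void) { return 0; }\n",
    }
    v1_analysis = {
        "src/util.c": {"License": "MIT", "Copyright": "Copyright 2010 Example Co"},
        "src/main.c": {"License": "GPL-2.0", "Copyright": "Copyright 2010 Example Co"},
    }
    v2_files = {
        "lib/util.c": v1_files["src/util.c"],                    # moved, unchanged
        "src/main.c": v1_files["src/main.c"] + b"/* fix */\n",  # content changed
        "src/new.c": b"int twice(int x) { return 2 * x; }\n",   # newly added
    }
    return carry_over_analysis(file_records(v1_files, v1_analysis),
                               file_records(v2_files))


if __name__ == "__main__":
    result = demo()
    for rec in result["files"]:
        print(rec)
    print("needs review:", result["needs_review"])
    print("renamed:", result["renamed"])
```

Matching on content rather than on Name is what lets the moved file keep its analysis and the edited file lose it, which is the point of the SHA1 field; a tool that matched on path alone would silently carry a stale license onto the changed src/main.c.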