SPDX Vocabulary Specification

Abstract

This specification describes the SPDX language, defined as a dictionary of named properties and classes using W3C's RDF Technology.

SPDX is a designed to allow the exchange of data about software package. This information includes both lists of files contained in the package and the licensing information related to the contained files or the package as a whole.

Classes

Class: SpdxDocument

Each SdpxDocument represents the results of an analysis of a software package. This is, effectively, the top level of SPDX information.

Properties

Class: Package

Each Package represents a piece software that is delivered as a single unit.

Properties

Class: File

Each File represents a sequence of octets that is contained in a software package.

Properties

Class: License

Each License represents a software license.

Properties

Class: Checksum

Each Checksum is a digest of a file. This digest is produced using a cryptographic hash algorithm which allows the contents of a file to be verified.

Properties

Class: CreationInfo

Each CreationInfo provides information about an individual, organization or tool that was involved in the creation of this SpdxDocument.

Properties

Class: Review

Each Review represents a signoff by an individual on the information in the SpdxDocument.

Properties

Class: ExtractedLicensingInfo

Each ExtractedLicensingInfo represents a license or licensing notice that was found in the package. Any license text that is recognized as a license may be represented as a License rather than and ExtractedLicensingInfo.

Properties

Class: ConjunctiveLicenseSet

Each ConjunctiveLicenseSet represents set of licenses, or other licensing information, all of which apply.

Properties

Class: DisjunctiveLicenseSet

Each DisjunctiveLicenseSet represents set of licenses, or other licensing information, only one of which apply.

Properties

Properties

Property: algorithm

Identifies the algorithm used to produce a checksum.

Currently, SHA-1 is the only supported algorithm. It is anticpated that other algorithms will be supported at a later time"

Domain: Checksum
Range: http://spdx.org/rdf/terms#checksumAlgorithm_sha1

Property: checksum

The checksum property provides a digest of a File or File. This allows consumers of the SPDX document to verify that the content of the files or package has not changed.

Domain: Any of:
Range:Checksum

Property: checksumValue

The checksumValue property provides a digest value produced using a specific algorithm.

Domain:Checksum
Range:xsd:string

Property: created

The date and time at which the SpdxDocument was created.

Domain:CreationInfo
Range:UtcXsdDate

Property: creationInfo

The creationInfo property relates an SpdxDocument to a set of information about the creation of the SpdxDocument.

Domain:SpdxDocument
Range:CreationInfo

Property: creator

The name and, optionally, contact information of a person, organization or tool that created, or was used to create, the SpdxDocument.

Domain:CreationInfo
Range:xsd:string

Property: describesPackage

The describesPackage property relates an SpdxDocument to the package which it describes.

Domain:SpdxDocument
Range:Package

Property: downloadLocation

The URI at which this package is available for download. Private (ie, not publicly reachable) URIs are acceptable as values of this property.

Domain: File
Range: xsd:anyURI

Property: extractedText

Verbatim license or licensing notice text that was discovered.

Domain: License
Range: xsd:string

Property: fileName

The name of the file relative to the root of the package.

Domain:File
Range: xsd:string

Property: fileType

The type of the file.

Domain: File
Range: One of:
  • http://spdx.org/rdf/terms#fileType_source

    Indicates the file is a source code file.

  • http://spdx.org/rdf/terms#fileType_archive

    Indicates the file is an archive file.

  • http://spdx.org/rdf/terms#fileType_binary

    Indicates the file is not a text file. filetype_archive is preferred for archive files even though they are binary.

  • http://spdx.org/rdf/terms#fileType_other

    Indicates the file did not fall into any of the other categories.

Property: hasFile

Indicates that a particular file belongs to a package.

Domain:Package
Range:File

Property: licenseConcluded

The licensing that the preparer of this SPDX document has concluded, based on the evidence, actual applies to the package.

Domain: Any of:
Range: Any of:

Property: licenseDeclared

The licensing that is declared by the authors of the package.

Domain: Package
Range: Any of:

Property: licenseId

A short name for the license that is made up of ascii characters from the set 'a'-'z', 'A'-'Z', '0'-'9', '+', '_', and '-'.

Domain: License
Range: LicenseSlug

Property: licenseText

The full text of the license.

Domain: license
Range: xsd:string

Property: licenseInfoFromFiles

Licensing information that was discovered directly in the package. This is effectively a union of the licenseInfoInFile properties of all the files contained in the package.

Domain: Package
Range: Any of:
  • License
  • ExtractedLicensingInfo
  • http://spdx.org/rdf/terms#none

    The none value is used to indicate that all files in the package appear to be devoid of licensing information. If no attempt was made to find licensing information this property should be omitted entirely.

Property: licenseInfoInFile

Licensing information that was discovered directly in the subject File.

Domain: File
Range: Any of:
  • License
  • ExtractedLicensingInfo
  • http://spdx.org/rdf/terms#none

    The none value is used to indicate that the file appears to be devoid of licensing information. If no attempt was made to find licensing information this property should be omitted entirely.

Property: member

A license, or other licensing information, that is a member of the subject license set.

Domain: Any of:
Range: Any of:

Property: name

The full name of the package including version information.

Domain:Package
Range: xsd:string

Property: packageFileName

The base name of the package filename. This will often included the package name, version information and archive/compression method. For example, zlib-1.2.5.tar.gz.

Domain: Package
Range: xsd:string

Property: packageVerificationCode

A manifest based hash of the package. This allows consumers of this dataset to determin if a package they have in hand is identical to the package from which the data was produced. This algorithm works even if the SPDX document is included in the package. This algorithm is described in detail in the SPDX spec.

Domain: Package
Range: xsd:string

Property: reviewDate

The date and time at which the SpdxDocument was reviewed.

Domain:Review
Range:UtcXsdDate

Property: reviewed

The review property relates a SpdxDocument to the review history.

Domain:SpdxDocument
Range:Review

Property: reviewer

The name and, optionally, contact information of the person who performed the review.

Domain:Review
Range:xsd:string

Property: sourceInfo

Allows the producer(s) of the SPDX document to describe how the package was acquired and/or changed from the original source.

Domain: Package
Range: xsd:string

Property: sdpxVersion

Identifies the version of this specification that was used to produce this SPDX document.

Domain: SpdxDocument
Range: xsd:string

Datatypes

Datatype: UtcXsdDate

An xsd:dateTime where the timezone is UTC and the timezone indicator is set to 'Z'.

Datatype: LicenseSlug

A shorten name/identifier for a license suitable for use in URIs. License slugs are xsd:strings that match the following regular expression: [-+_a-zA-Z0-9]+