About SPDX | Contact Us | Code of Conduct | Privacy Policy | Terms of Use
Copyright © 2010-2011 Linux Foundation and its Contributors. All other rights are expressly reserved.
This specification describes the SPDX language, defined as a dictionary of named properties and classes using W3C's RDF Technology.
SPDX is a designed to allow the exchange of data about software package. This information includes both lists of files contained in the package and the licensing information related to the contained files or the package as a whole.
The prefix spdx
prefix used in this document expands to http://spdx.org/rdf/terms#
.
Each SdpxDocument
represents the results of a provenance, ownership and licensing analysis of exactly on software package. This is, effectively, the top level of SPDX information.
specVersion
Cardinality: Mandatory, one
creationInfo
Cardinality: Mandatory, one
reviewed
Cardinality: Optional, zero or more.
describesPackage
Cardinality: Mandatory, one
hasExtractedLicensingInfo
Cardinality: Optional, zero or more
Each Package
represents a piece software that is delivered as a single unit.
name
Cardinality: Mandatory, one
summary
Cardinality: Optional, zero or one
description
Cardinality: Optional, zero or one
packageFileName
Cardinality: Mandatory, one
downloadLocation
Cardinality: Mandatory, one
checksum
Cardinality: Optional, zero or one
packageVerificationCode
Cardinality: Mandatory, one
sourceInfo
Cardinality: Optional, zero or one
copyrightText
Cardinality: Mandatory, one
licenseComments
Cardinality: Optional, zero or one
licenseDeclared
Cardinality: Mandatory, one
licenseConcluded
Cardinality: Mandatory, one
licenseInfoFromFiles
Cardinality: Mandatory, one or more
hasFile
Cardinality: Mandatory, one or more
Each File
represents a sequence of octets that is contained in a software package.
fileName
Cardinality: Mandatory, one
fileType
Cardinality: Optional, zero or one
copyrightText
Cardinality: Mandatory, one
licenseComments
Cardinality: Optional, zero or one
licenseConcluded
Cardinality: Mandatory, one
licenseInfoInFile
Cardinality: Mandatory, one or more
checksum
Cardinality: Mandatory, one
artifactOf
Cardinality: Optional, zero or one
Each License
represents a software license. This class is used by the SPDX license repository to represent standard license.
licenseId
Cardinality: Mandatory, one
licenseText
Cardinality: Mandatory, one
Each Checksum
is a digest of a file. This digest is produced using a cryptographic hash algorithm which allows the contents of a file to be verified.
algorithm
Cardinality: Mandatory, one
checksumValue
Cardinality: Mandatory, one
The PackageVerificationCode
is a digest of the package which allows the the package contents to be verified when the SPDX file is embedded in the packageas well as when it is external to the package. This digest is produced using a cryptographic hash algorithm applied to a manifest of the package.
packageVerificationCodeExcludedFile
Cardinality: Optional, zero or more
packageVerificationCodeValue
Cardinality: Mandatory, one
Each CreationInfo
provides information about an individual, organization or tool that was involved in the creation of this SpdxDocument.
creator
Cardinality: Mandatory, one or more
created
Cardinality: Mandatory, one
rdfs:comment
Cardinality: Optional, zero or one
Each Review
represents a signoff by an individual on the information in the SpdxDocument.
reviewer
Cardinality: Mandatory, one
reviewDate
Cardinality: Mandatory, one
rdfs:comment
Cardinality: Optional, zero or one
Each ExtractedLicensingInfo
represents a license or licensing notice that was found in the package. Any license text that is recognized as a license may be represented as a License rather than and ExtractedLicensingInfo.
licenseId
Cardinality: Mandatory, one
extractedText
Cardinality: Mandatory, one
Each ConjunctiveLicenseSet
represents set of licenses, or other licensing information, all of which apply.
Refines rdfs:Container.
member
Cardinality: Mandatory, one or more.
Each DisjunctiveLicenseSet
represents set of licenses, or other licensing information, only one of which apply.
Refines rdfs:Container.
member
Cardinality: Mandatory, one or more.
The AnyLicenseInfo
class includes all resources that represent licensing information.
The SimpleLicenseInfo
class includes all resources that represent simple, atomic, licensing information.
Identifies the algorithm used to produce the subject checksum.
Currently, SHA-1 is the only supported algorithm. It is anticpated that other algorithms will be supported at a later time.
spdx:checksumAlgorithm_sha1
Indicates the project in which the file originated.
Tools must preserve doap:hompage
and doap:name
properties and the URI (if one is known) of doap:Project
resources that are values of this property. All other properties of doap:Projects
are not directly supported by SPDX and may be dropped when translating to or from some SPDX formats.
The checksum
property provides a digest of a File
or Package
. This allows consumers of the SPDX document to verify that the content of the files or package has not changed.
The checksumValue
property provides a hex encoded digest value produced using a specific algorithm.
The date and time at which the SpdxDocument was created. This value must in UTC and have 'Z' as its timezone indicator.
The text of copyright declarations discovered in the package or file.
The creationInfo
property relates an SpdxDocument
to a set of information about the creation of the SpdxDocument.
The name and, optionally, contact information of a person, organization or tool that created, or was used to create, the SpdxDocument.
The describesPackage
property relates an SpdxDocument
to the package which it describes.
Provides a detailed description of the package.
The URI at which this package is available for download. Private (ie, not publicly reachable) URIs are acceptable as values of this property.
The values http://spdx.org/rdf/terms#none
and http://spdx.org/rdf/terms#noassertion
may be used to specify that the package is not downloadable or that no attempt was made to determine its download location, respectively.
xsd:anyURI
Verbatim license or licensing notice text that was discovered.
The name of the file relative to the root of the package.
The type of the file.
spdx:fileType_source
Indicates the file is a source code file.
spdx:fileType_archive
Indicates the file is an archive file.
spdx:fileType_binary
Indicates the file is not a text file. filetype_archive
is preferred for archive files even though they are binary.
spdx:fileType_other
Indicates the file did not fall into any of the other categories.
Indicates that a particular ExtractedLicensingInfo was defined in the subject SpdxDocument.
The licenseComments
property allows the preparer of the SPDX document to describe why the licensing in spdx:licenseConcluded
was chosen.
The licensing that the preparer of this SPDX document has concluded, based on the evidence, actual applies to the package.
The licensing that is declared by the authors of the package.
A short name for the license that is at least 3 characters long and made up of the characters from the set 'a'-'z', 'A'-'Z', '0'-'9', '+', '_', '.', and '-'. Formally, all licenseId
values must match the regular expression: [-+_.a-zA-Z0-9]{3,}
The full text of the license.
Licensing information that was discovered directly in the package. This is effectively a union of the licenseInfoInFile properties of all the files contained in the package.
Licensing information that was discovered directly in the subject File.
A license, or other licensing information, that is a member of the subject license set.
The full name of the package including version information.
The base name of the package file name. For example, zlib-1.2.5.tar.gz
.
A manifest based digest (the algorithm is defined in section [link goes here]) of the package. This allows consumers of this dataset to determine if a package they have in hand is identical to the package from which the data was produced. This algorithm works even if the SPDX document is included in the package. This algorithm is described in detail in the SPDX spec.
A file that was excluded when calculating the package verification code.
The actual package verification code as a hex encoded value.
The date and time at which the SpdxDocument was reviewed. This value must be in UTC and have 'Z' as its timezone indicator.
The review
property relates a SpdxDocument
to the review history.
The name and, optionally, contact information of the person who performed the review.
Allows the producer(s) of the SPDX document to describe how the package was acquired and/or changed from the original source.
Identifies the version of this specification that was used to produce this SPDX document. Currently the only supported value is SPDX-1.0
.
Provides a short description of the package.
Indicates the file is a archive file.
Indicates the file is not a text file. spdx:filetype_archive
is preferred for archive files even though they are binary.
Indicates the file is not a source, archive or binary file.
Indicates the file is a source code file.
When this value is used as the object of a property it indicates that the preparer of the SpdxDocument believes that there is no value for the property. This value should only be used if there is sufficient evidence to support this contention.
Indicates that the preparer of the SPDX document is not making any assertion regarding the value of this field.
© 2008-2011 The Linux Foundation. Linux is a registered trademark of Linus Torvalds.
Software Package Data Exchange and SPDX are trademarks of the Linux Foundation.
Please see our code of conduct and
privacy policy.