About SPDX | Contact Us | Code of Conduct | Privacy Policy | Terms of Use
Copyright © 2010-2011 Linux Foundation and its Contributors. All other rights are expressly reserved.
This specification describes the SPDX language, defined as a dictionary of named properties and classes using W3C's RDF Technology.
SPDX is a designed to allow the exchange of data about software packages. This information includes general information about the package, licensing information about the package as a whole, a manifest of files contained in the package and licensing information related to the contained files.
The prefix spdx
prefix used in this document expands to http://spdx.org/rdf/terms#
. Any terms in this document without an explicit prefix may be assumed to be in the spdx
namespace.
SpdxDocument
Package
Checksum
PackageVerificationCode
CreationInfo
Review
File
License
ExtractedLicensingInfo
ConjunctiveLicenseSet
DisjunctiveLicenseSet
AnyLicenseInfo
SimpleLicenseInfo
SpdxDocument
An SdpxDocument
represents the results of a contents, provenance, ownership and licensing analysis of exactly one software package. This is, effectively, the top level of SPDX information.
specVersion
Cardinality: Mandatory, one
confidentiality
Cardinality: Mandatory, one
creationInfo
Cardinality: Mandatory, one
reviewed
Cardinality: Optional, zero or more.
describesPackage
Cardinality: Mandatory, one
hasExtractedLicensingInfo
Cardinality: Optional, zero or more
referencesFile
Cardinality: Mandatory, one or more
dataLicense
Cardinality: Mandatory, one
Package
A Package
represents a piece software that is delivered as a single unit.
name
Cardinality: Mandatory, one
versionInfo
Cardinality: Optional, zero or one
summary
Cardinality: Optional, zero or one
description
Cardinality: Optional, zero or one
packageFileName
Cardinality: Mandatory, one
downloadLocation
Cardinality: Mandatory, one
checksum
Cardinality: Optional, zero or one
packageVerificationCode
Cardinality: Mandatory, one
sourceInfo
Cardinality: Optional, zero or one
copyrightText
Cardinality: Mandatory, one
licenseComments
Cardinality: Optional, zero or one
licenseDeclared
Cardinality: Mandatory, one
licenseConcluded
Cardinality: Mandatory, one
licenseInfoFromFiles
Cardinality: Mandatory, one or more
hasFile
Cardinality: Mandatory, one or more
File
A File
represents a named sequence of information that is contained in a software package.
fileName
Cardinality: Mandatory, one
fileType
Cardinality: Optional, zero or one
copyrightText
Cardinality: Mandatory, one
licenseComments
Cardinality: Optional, zero or one
licenseConcluded
Cardinality: Mandatory, one
licenseInfoInFile
Cardinality: Mandatory, one or more
checksum
Cardinality: Mandatory, one
artifactOf
Cardinality: Optional, zero or one
License
A License
represents a software copyright license. This class is used by the SPDX license list to represent standard license.
licenseId
Cardinality: Mandatory, one
licenseText
Cardinality: Mandatory, one
Checksum
A Checksum
is simple value that allows the contents of a file to be authenticated. Even small changes to the content of the file will change it's checksum value.
algorithm
Cardinality: Mandatory, one
checksumValue
Cardinality: Mandatory, one
PackageVerificationCode
A PackageVerificationCode
is a value that allows authentication of the package. This differs from the Checksum
in that it uses an algorithm that allows the the SPDX file to be embedded in the pacakge. This digest is produced using a cryptographic hash algorithm applied to a manifest of the package. Some files in the package (ie, the SPDX files) are explicitly excluded from the digest. This allows those files to not impact the verification code.
packageVerificationCodeExcludedFile
Cardinality: Optional, zero or more
packageVerificationCodeValue
Cardinality: Mandatory, one
CreationInfo
A CreationInfo
provides information about the individuals, organizations and tools involved in the creation of an SpdxDocument
.
creator
Cardinality: Mandatory, one or more
created
Cardinality: Mandatory, one
rdfs:comment
Cardinality: Optional, zero or one
Review
A Review
represents a signoff by an individual on the information in an SpdxDocument
.
reviewer
Cardinality: Mandatory, one
reviewDate
Cardinality: Mandatory, one
rdfs:comment
Cardinality: Optional, zero or one
ExtractedLicensingInfo
An ExtractedLicensingInfo
represents a license or licensing notice that was found in the package. Any license text that is recognized as a license may be represented as a License
rather than a ExtractedLicensingInfo
.
licenseId
Cardinality: Mandatory, one
extractedText
Cardinality: Mandatory, one
ConjunctiveLicenseSet
A ConjunctiveLicenseSet
represents a set of licensing information all of which apply.
This class refines rdfs:Container
.
member
Cardinality: Mandatory, two or more.
DisjunctiveLicenseSet
A DisjunctiveLicenseSet
represents a set of licensing information only one of which applies. This class implies that the copier gets to choose which of these licenses they would prefer to use.
This class refines rdfs:Container
.
member
Cardinality: Mandatory, two or more.
AnyLicenseInfo
The AnyLicenseInfo
class includes all resources that represent licensing information.
SimpleLicenseInfo
The SimpleLicenseInfo
class includes all resources that represent simple, atomic, licensing information.
algorithm
artifactOf
checksum
checksumValue
copyrightText
confidentiality
created
creationInfo
creator
dataLicense
describesPackage
description
downloadLocation
extractedText
fileName
fileType
hasExtractedLicensingInfo
hasFile
licenseComments
licenseConcluded
licenseDeclared
licenseId
licenseText
licenseInfoFromFiles
licenseInfoInFile
member
name
packageFileName
packageVerificationCode
packageVerificationCodeExcludedFile
packageVerificationCodeValue
referencesFile
reviewDate
reviewed
reviewer
sourceInfo
specVerison
summary
versionInfo
algorithm
Identifies the algorithm used to produce the subject Checksum
.
Currently, SHA-1 is the only supported algorithm. It is anticpated that other algorithms will be supported at a later time.
Checksum
spdx:checksumAlgorithm_sha1
artifactOf
Indicates the project in which the file originated.
Tools must preserve doap:hompage
and doap:name
properties and the URI (if one is known) of doap:Project
resources that are values of this property. All other properties of doap:Projects
are not directly supported by SPDX and may be dropped when translating to or from some SPDX formats.
File
doap:Project
checksum
The checksum
property provides a digest of a File
or Package
. This allows consumers of the SPDX document to verify that the content of the files or package has not changed.
checksumValue
The checksumValue
property provides a hex encoded digest value produced using a specific algorithm.
Checksum
xsd:hexBinary
created
The date and time at which the SpdxDocument
was created. This value must in UTC and have 'Z' as its timezone indicator.
CreationInfo
xsd:dateTime
copyrightText
The text of copyright declarations discovered in the Package
or File
.
confidentiality
Indicates the level of confidentiality the producer of this SpdxDocument
expects to apply to this document.
SpdxDocument
creationInfo
The creationInfo
property relates an SpdxDocument
to a set of information about the creation of the SpdxDocument
.
SpdxDocument
CreationInfo
creator
The name and, optionally, contact information of a person, organization or tool that created, or was used to create, the SpdxDocument
.
CreationInfo
xsd:string
dataLicense
The licensing under which the the preparer of this SPDX document allows this data to be copied. By default this is PDDL.
SpdxDocument
AnyLicenseInfo
describesPackage
The describesPackage
property relates an SpdxDocument
to the package which it describes.
SpdxDocument
Package
description
Provides a detailed description of the package.
Package
xsd:string
downloadLocation
The URI at which this package is available for download. Private (ie, not publicly reachable) URIs are acceptable as values of this property.
The values http://spdx.org/rdf/terms#none
and http://spdx.org/rdf/terms#noassertion
may be used to specify that the package is not downloadable or that no attempt was made to determine its download location, respectively.
Package
xsd:anyURI
extractedText
Verbatim license or licensing notice text that was discovered.
ExtractedLicensingInfo
xsd:string
fileName
The name of the file relative to the root of the package.
File
xsd:string
fileType
The type of the file.
File
spdx:fileType_source
Indicates the file is a source code file.
spdx:fileType_archive
Indicates the file is an archive file.
spdx:fileType_binary
Indicates the file is not a text file. filetype_archive
is preferred for archive files even though they are binary.
spdx:fileType_other
Indicates the file did not fall into any of the other categories.
hasExtractedLicensingInfo
Indicates that a particular ExtractedLicensingInfo
was defined in the subject SpdxDocument
.
SpdxDocument
ExtractedLicensingInfo
hasFile
licenseComments
The licenseComments
property allows the preparer of the SPDX document to describe why the licensing in spdx:licenseConcluded
was chosen.
xsd:string
licenseConcluded
The licensing that the preparer of this SPDX document has concluded, based on the evidence, actual applies to the package.
licenseDeclared
The licensing that the creators of the software in the package, or the packager, have declared. Declarations by the original software creator should be preferred, if they exist.
Package
licenseId
A short name for the license that is at least 3 characters long and made up of the characters from the set 'a'-'z', 'A'-'Z', '0'-'9', '+', '_', '.', and '-'. Formally, all licenseId
values must match the regular expression: [-+_.a-zA-Z0-9]{3,}
xsd:string
licenseText
The full text of the license.
License
xsd:string
licenseInfoFromFiles
Licensing information that was discovered directly in the package. There will be an instance of this property for each distinct value of all licenseInfoInFile
properties of all files contained in the package.
Package
licenseInfoInFile
Licensing information that was discovered directly in the subject file.
File
member
A license, or other licensing information, that is a member of the subject license set.
AnyLicenseInfo
rdfs:member
name
The full name of the package including version information.
Package
xsd:string
packageFileName
The base name of the package file name. For example, zlib-1.2.5.tar.gz
.
Package
xsd:string
packageVerificationCode
A manifest based digest (the algorithm is defined in section 4.5 of the full specification) of the package. This allows consumers of this dataset to determine if a package they have in hand is identical to the package from which the data was produced. This algorithm works even if the SPDX document is included in the package. This algorithm is described in detail in the SPDX spec.
Package
PackageVerificationCode
packageVerificationCodeExcludedFile
A file that was excluded when calculating the package verification code. This is usually be a file containg SPDX data regarding the package. If a package contains more than one SPDX file all SPDX files must be excluded from the package verification code. If this is not done each recalculation of the package verification code in one file will require the other to be recalculated to be valid which will require the original which will require the original file's be recalculated, ad infinitum.
PackageVerificationCode
xsd:string
packageVerificationCodeValue
The actual package verification code as a hex encoded value.
PackageVerificationCode
xsd:hexBinary
referencesFile
Indicates that the intellectual property metadata of the value is described in SpdxDocument
.
SpdxDocument
File
reviewDate
The date and time at which the SpdxDocument
was reviewed. This value must be in UTC and have 'Z' as its timezone indicator.
Review
xsd:dateTime
reviewed
The review
property relates a SpdxDocument
to the review history.
SpdxDocument
Review
reviewer
The name and, optionally, contact information of the person who performed the review.
Review
xsd:string
sourceInfo
Allows the producer(s) of the SPDX document to describe how the package was acquired and/or changed from the original source.
Package
xsd:string
specVersion
Identifies the version of this specification that was used to produce this SPDX document. Currently the only supported value is SPDX-1.0
.
SpdxDocument
xsd:string
summary
Provides a short description of the package.
Package
xsd:string
versionInfo
Provides an indication of the version of the package that is described by this SpdxDocument
.
Package
xsd:string
checksumAlgorithm_sha1
confidentiality_private
confidentiality_public
fileType_archive
fileType_binary
fileType_other
fileType_source
noassertion
none
confidentiality_private
Indicates the producer of the SpdxDocument
desires the information in the document to be kept seceret.
confidentiality_public
Indicates the producer of the SpdxDocument
places no restriction on public release of the information contained in the document.
fileType_archive
Indicates the file is a archive file.
fileType_binary
Indicates the file is not a text file. spdx:filetype_archive
is preferred for archive files even though they are binary.
fileType_other
Indicates the file is not a source, archive or binary file.
fileType_source
Indicates the file is a source code file.
noassertion
Indicates that the preparer of the SPDX document is not making any assertion regarding the value of this field.
none
When this value is used as the object of a property it indicates that the preparer of the SpdxDocument
believes that there is no value for the property. This value should only be used if there is sufficient evidence to support this contention.
© 2008-2011 The Linux Foundation. Linux is a registered trademark of Linus Torvalds.
Software Package Data Exchange and SPDX are trademarks of the Linux Foundation.
Please see our code of conduct and
privacy policy.