SPDX Vocabulary Specification

Abstract

This specification describes the SPDX language, defined as a dictionary of named properties and classes using W3C's RDF Technology.

SPDX is a designed to allow the exchange of data about software package. This information includes both lists of files contained in the package and the licensing information related to the contained files or the package as a whole.

The prefix spdx prefix used in this document expands to http://spdx.org/rdf/terms#.

Other vocabularies used by this one

Classes

Class: SpdxDocument

Each SdpxDocument represents the results of a provenance, ownership and licensing analysis of exactly on software package. This is, effectively, the top level of SPDX information.

Status:
testing
Properties:

Class: Package

Each Package represents a piece software that is delivered as a single unit.

Status:
testing
Properties:

Class: File

Each File represents a sequence of octets that is contained in a software package.

Status:
testing
Properties:

Class: License

Each License represents a software license. This class is used by the SPDX license repository to represent standard license.

Status:
testing
Properties:

Class: Checksum

Each Checksum is a digest of a file. This digest is produced using a cryptographic hash algorithm which allows the contents of a file to be verified.

Status:
testing
Properties:

Class: CreationInfo

Each CreationInfo provides information about an individual, organization or tool that was involved in the creation of this SpdxDocument.

Status:
testing
Properties:

Class: Review

Each Review represents a signoff by an individual on the information in the SpdxDocument.

Status:
testing
Properties:

Class: ExtractedLicensingInfo

Each ExtractedLicensingInfo represents a license or licensing notice that was found in the package. Any license text that is recognized as a license may be represented as a License rather than and ExtractedLicensingInfo.

Status:
testing
Properties:

Class: ConjunctiveLicenseSet

Each ConjunctiveLicenseSet represents set of licenses, or other licensing information, all of which apply.

Refines rdfs:Container.

Status:
testing
Properties:
  • member
    Cardinality: Mandatory, one or more.

Class: DisjunctiveLicenseSet

Each DisjunctiveLicenseSet represents set of licenses, or other licensing information, only one of which apply.

Refines rdfs:Container.

Status:
testing
Properties:
  • member
    Cardinality: Mandatory, one or more.

Class: AnyLicenseInfo

The AnyLicenseInfo class includes all resources that represent licensing information.

Status:
testing
Members
All resources in any of the following classes:

Class: SimpleLicenseInfo

The SimpleLicenseInfo class includes all resources that represent simple, atomic, licensing information.

Status:
testing
Members
All resources in any of the following classes:

Properties

Property: algorithm

Identifies the algorithm used to produce the subject checksum.

Currently, SHA-1 is the only supported algorithm. It is anticpated that other algorithms will be supported at a later time.

Status:
testing
Domain:
Checksum
Range:
spdx:checksumAlgorithm_sha1

Property: artifactOf

Indicates the project in which the file originated. Full doap:Project resources are supported. However, some SPDX specific formats can only encode the doap:name and doap:homepage properties. Those formats also encode the doap:Project URI so if the resource is publicly dereferenceable and has an RDF representation the full set of data can pass through those formats. If the URI is not publicly dereferenceable all properties except the name and homepage will be lost in the translation.

Status:
testing
Domain:
File
Range:
doap:Project

Property: checksum

The checksum property provides a digest of a File or Package. This allows consumers of the SPDX document to verify that the content of the files or package has not changed.

Status:
testing
Domain:
Any of:
Range:
Checksum

Property: checksumValue

The checksumValue property provides a hex encoded digest value produced using a specific algorithm.

Status:
testing
Domain:
Checksum
Range:
xsd:hexBinary

Property: created

The date and time at which the SpdxDocument was created. This value must in UTC and have 'Z' as its timezone indicator.

Status:
testing
Domain:
CreationInfo
Range:
xsd:dateTime

Property: copyrightText

The text of copyright declarations discovered in the package or file.

Status:
testing
Domain:
Any of:
Range:
xsd:string

Property: creationInfo

The creationInfo property relates an SpdxDocument to a set of information about the creation of the SpdxDocument.

Status:
testing
Domain:
SpdxDocument
Range:
CreationInfo

Property: creator

The name and, optionally, contact information of a person, organization or tool that created, or was used to create, the SpdxDocument.

Status:
testing
Domain:
CreationInfo
Range:
xsd:string

Property: describesPackage

The describesPackage property relates an SpdxDocument to the package which it describes.

Status:
testing
Domain:
SpdxDocument
Range:
Package

Property: description

Provides a detailed description of the package.

Status:
testing
Domain:
Package
Range:
xsd:string

Property: downloadLocation

The URI at which this package is available for download. Private (ie, not publicly reachable) URIs are acceptable as values of this property.

The values http://spdx.org/rdf/terms#none and http://spdx.org/rdf/terms#undetermined may be used to specify that the package is not downloadable or that no attempt was made to determine its download location, respectively.

Status:
testing
Domain:
Package
Range:
xsd:anyURI

Property: extractedText

Verbatim license or licensing notice text that was discovered.

Status:
testing
Domain:
ExtractedLicensingInfo
Range:
xsd:string

Property: fileName

The name of the file relative to the root of the package.

Status:
testing
Domain:
File
Range:
xsd:string

Property: fileType

The type of the file.

Status:
testing
Domain:
File
Range:
One of:

Property: hasFile

Indicates that a particular file belongs to a package.

Status:
testing
Domain:
Package
Range:
File

Property: licenseComments

The licenseComments property allows the preparer of the SPDX document to describe why the licensing in spdx:licenseConcluded was chosen.

Status:
testing
Domain:
Any of:
Range:
xsd:string

Property: licenseConcluded

The licensing that the preparer of this SPDX document has concluded, based on the evidence, actual applies to the package.

Status:
testing
Domain:
Any of:
Range:
Any of:

Property: licenseDeclared

The licensing that is declared by the authors of the package.

Status:
testing
Domain:
Package
Range:
Any of:

Property: licenseId

A short name for the license that is at least 3 characters long and made up of the characters from the set 'a'-'z', 'A'-'Z', '0'-'9', '+', '_', '.', and '-'. Formally, all licenseId values must match the regular expression: [-+_.a-zA-Z0-9]{3,}

Status:
testing
Domain:
Range:
xsd:string

Property: licenseText

The full text of the license.

Status:
testing
Domain:
License
Range:
xsd:string

Property: licenseInfoFromFiles

Licensing information that was discovered directly in the package. This is effectively a union of the licenseInfoInFile properties of all the files contained in the package.

Status:
testing
Domain:
Package
Range:
Any of:

Property: licenseInfoInFile

Licensing information that was discovered directly in the subject File.

Status:
testing
Domain:
File
Range:
Any of:

Property: member

A license, or other licensing information, that is a member of the subject license set.

Status:
testing
Domain:
Any of:
Range:
AnyLicenseInfo
Refines:
rdfs:member

Property: name

The full name of the package including version information.

Status:
testing
Domain:
Package
Range:
xsd:string

Property: packageFileName

The base name of the package file name. For example, zlib-1.2.5.tar.gz.

Status:
testing
Domain:
Package
Range:
xsd:string

Property: packageVerificationCode

A manifest based hash (the algorithm is defined in section [link goes here]) of the package. This allows consumers of this dataset to determine if a package they have in hand is identical to the package from which the data was produced. This algorithm works even if the SPDX document is included in the package. This algorithm is described in detail in the SPDX spec.

Status:
testing
Domain:
Package
Range:
xsd:string

Property: reviewDate

The date and time at which the SpdxDocument was reviewed. This value must be in UTC and have 'Z' as its timezone indicator.

Status:
testing
Domain:
Review
Range:
xsd:dateTime

Property: reviewed

The review property relates a SpdxDocument to the review history.

Status:
testing
Domain:
SpdxDocument
Range:
Review

Property: reviewer

The name and, optionally, contact information of the person who performed the review.

Status:
testing
Domain:
Review
Range:
xsd:string

Property: sourceInfo

Allows the producer(s) of the SPDX document to describe how the package was acquired and/or changed from the original source.

Status:
testing
Domain:
Package
Range:
xsd:string

Property: specVersion

Identifies the version of this specification that was used to produce this SPDX document. Currently the only supported value is SPDX-1.0.

Status:
testing
Domain:
SpdxDocument
Range:
xsd:string

Property: summary

Provides a short description of the package.

Status:
testing
Domain:
Package
Range:
xsd:string

Individuals

Individual: checksumAlgorithm_sha1

Indicates the algorithm used was SHA-1

Status:
testing

Individual: fileType_archive

Indicates the file is a archive file.

Status:
testing

Individual: fileType_binary

Indicates the file is not a text file. spdx:filetype_archive is preferred for archive files even though they are binary.

Status:
testing

Individual: fileType_other

Indicates the file is not a source, archive or binary file.

Status:
testing

Individual: fileType_source

Indicates the file is a source code file.

Status:
testing

Individual: none

When this value is used as the object of a property it indicates that the preparer of the SpdxDocument believes that there is no value for the property. This value should only be used if there is sufficient evidence to support this contention. This is different from spdx:undetermined in that spdx:none indicates some effort was taken to determine the value.

A convenience class, None, is provided which contains only the spdx:none value.

Status:
testing

Individual: noneSeen

When this value is used as the object of a property it indicates that the preparer of the SpdxDocument found no information for the property.

A convenience class, NoneSeen, is provided which contains only the spdx:noneSeen value.

Status:
testing

Individual: notAnalyzed

When this value is used as the object of a property it indicates that the preparer of the SpdxDocument made no attempt to determine the actual value.

A convenience class, NotAnalyzed, is provided which contains only the spdx:notAnalyzed value.

Status:
testing

Individual: undetermined

When this value is used as the object of a property it indicates that the preparer of the SpdxDocument made no attempt to determine the actual value.

A convenience class, Undetermined, is provided which contains only the spdx:undetermined value.

Status:
testing