This specification describes the SPDX language, defined as a dictionary of named properties and classes using W3C's RDF technology.
SPDX is designed to allow the exchange of data about a software package. This information includes both a list of the files contained in the package and the licensing information related to the contained files or to the package as a whole.
Each SpdxDocument represents the results of an analysis of a software package. This is, effectively, the top level of SPDX information.
spdxVersion
Cardinality: Mandatory, one.
creationInfo
Cardinality: Mandatory, one or more.
An SpdxDocument may have more than one creationInfo because more than one person, organization or tool may be involved in the creation of the SpdxDocument.
reviewed
Cardinality: Optional, zero or more.
describesPackage
Cardinality: Mandatory, one.
An SpdxDocument provides information for only one package.
Each Package represents a piece of software that is delivered as a single unit.
name
Cardinality: Mandatory, one.
packageFileName
Cardinality: Mandatory, one.
downloadLocation
Cardinality: Mandatory, one.
checksum
Cardinality: Optional, zero or one.
packageVerificationCode
Cardinality: Mandatory, one.
sourceInfo
Cardinality: Optional, zero or one.
licenseDeclared
Cardinality: Optional, one.
licenseConcluded
Cardinality: Optional, zero or one.
licenseInfoFromFiles
Cardinality: Optional, one or more.
hasFile
Cardinality: Mandatory, one or more.
Each File represents a sequence of octets that is contained in a software package.
FileName
Cardinality: Mandatory, one.
fileType
Cardinality: Mandatory, one.
licenseConcluded
Cardinality: Mandatory, one.
licenseInfoInFile
Cardinality: Mandatory, one or more.
checksum
Cardinality: Mandatory, one.
Each License represents a software license.
licenseId
Cardinality: Mandatory, one.
licenseText
Cardinality: Mandatory, one.
noticeText
Cardinality: Optional, one or more.
Each Checksum is a digest of a file. The digest is produced with a cryptographic hash algorithm, which allows the contents of the file to be verified.
algorithm
Cardinality: Mandatory, one.
checksumValue
Cardinality: Mandatory, one.
Each CreationInfo provides information about an individual, organization or tool that was involved in the creation of this SpdxDocument.
creator
Cardinality: Mandatory, one.
created
Cardinality: Mandatory, one.
rdfs:comment
Cardinality: Mandatory, one.
Each Review represents a signoff by an individual on the information in the SpdxDocument.
reviewer
Cardinality: Mandatory, one.
reviewDate
Cardinality: Mandatory, one.
rdfs:comment
Cardinality: Mandatory, one.
Each ExtractedLicensingInfo represents a license or licensing notice that was found in the package. Any license text that is recognized as a license may be represented as a License rather than an ExtractedLicensingInfo.
licenseId
Cardinality: Mandatory, one.
extractedText
Cardinality: Mandatory, one.
Each ConjunctiveLicenseSet represents a set of licenses, or other licensing information, all of which apply.
member
Cardinality: Mandatory, one or more.
Each DisjunctiveLicenseSet represents a set of licenses, or other licensing information, only one of which applies.
member
Cardinality: Mandatory, one or more.
algorithm
Identifies the algorithm used to produce a checksum.
Currently, SHA-1 is the only supported algorithm. It is anticipated that other algorithms will be supported at a later time.
Domain: | Checksum |
---|---|
Range: | http://spdx.org/rdf/terms#checksumAlgorithm_sha1 |
checksum
The checksum property provides a digest of a File or Package. This allows consumers of the SPDX document to verify that the content of the files or package has not changed.
Domain: | Any of: Package, File |
---|---|
Range: | Checksum |
checksumValue
The checksumValue property provides a digest value produced using a specific algorithm.
Domain: | Checksum |
---|---|
Range: | xsd:string |
created
The date and time at which the SpdxDocument was created.
Domain: | CreationInfo |
---|---|
Range: | UtcXsdDate |
creationInfo
The creationInfo property relates an SpdxDocument to a set of information about the creation of the SpdxDocument.
Domain: | SpdxDocument |
---|---|
Range: | CreationInfo |
creator
The name and, optionally, contact information of a person, organization or tool that created, or was used to create, the SpdxDocument.
Domain: | CreationInfo |
---|---|
Range: | xsd:string |
describesPackage
The describesPackage property relates an SpdxDocument to the package which it describes.
Domain: | SpdxDocument |
---|---|
Range: | Package |
downloadLocation
The URI at which this package is available for download. Private (i.e., not publicly reachable) URIs are acceptable as values of this property.
Domain: | File |
---|---|
Range: | xsd:anyURI |
extractedText
Verbatim license or licensing notice text that was discovered.
Domain: | License |
---|---|
Range: | xsd:string |
fileName
The name of the file relative to the root of the package.
Domain: | File |
---|---|
Range: | xsd:string |
fileType
The type of the file.
Domain: | File |
---|---|
Range: | One of: |
licenseConcluded
The licensing that the preparer of this SPDX document has concluded, based on the evidence, actually applies to the package or file.
Domain: | Any of: Package, File |
---|---|
Range: | Any of: |
licenseDeclared
The licensing that is declared by the authors of the package.
Domain: | Package |
---|---|
Range: | Any of: |
licenseId
A short name for the license, made up of ASCII characters from the set 'a'-'z', 'A'-'Z', '0'-'9', '+', '_' and '-'.
Domain: | License |
---|---|
Range: | LicenseSlug |
licenseInfoFromFiles
Licensing information that was discovered directly in the package. This is effectively a union of the licenseInfoInFile properties of all the files contained in the package.
Domain: | Package |
---|---|
Range: | Any of: |
licenseInfoInFile
Licensing information that was discovered directly in the subject File.
Domain: | File |
---|---|
Range: | Any of: |
member
A license, or other licensing information, that is a member of the subject license set.
Domain: | Any of: ConjunctiveLicenseSet, DisjunctiveLicenseSet |
---|---|
Range: | Any of: |
name
The full name of the package, including version information.
Domain: | Package |
---|---|
Range: | xsd:string |
packageFileName
The base name of the package file. This will often include the package name, version information and archive/compression method, for example zlib-1.2.5.tar.gz.
Domain: | Package |
---|---|
Range: | xsd:string |
packageVerificationCode
A manifest-based hash of the package. This allows consumers of this dataset to determine whether a package they have in hand is identical to the package from which the data was produced. The algorithm works even if the SPDX document is included in the package. The algorithm is described in detail in the SPDX spec.
Domain: | Package |
---|---|
Range: | xsd:string |
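The checksum property and packageVerificationCode described above together let a consumer check that a package in hand matches the one that was analysed. The following is an added example, not code from this specification or from the SPDX project: it computes the per-file SHA-1 checksums (the only algorithm this vocabulary defines), derives the verification code with the manifest algorithm published in the SPDX spec (sort the per-file hex digests, concatenate them, SHA-1 the result, excluding the SPDX document itself), and reports every discrepancy between a package and the values recorded for it. The package contents and file names are constructed for illustration.

```python
import hashlib
from typing import Dict, Iterable, List

# Constructed sample package (not a real release): relative fileName -> contents.
SAMPLE_PACKAGE: Dict[str, bytes] = {
    "zlib-1.2.5/README": b"zlib 1.2.5 general purpose compression library\n",
    "zlib-1.2.5/zlib.h": b"/* zlib.h -- interface of the zlib library */\n",
    "zlib-1.2.5/adler32.c": b"unsigned long adler32(void) { return 1; }\n",
    # The SPDX document ships inside the package; it is excluded from the
    # verification code so that writing the code into it cannot change it.
    "zlib-1.2.5/zlib-1.2.5.spdx": b"<rdf:RDF>placeholder</rdf:RDF>\n",
}
SPDX_DOC = "zlib-1.2.5/zlib-1.2.5.spdx"


def sha1_hex(data: bytes) -> str:
    # checksumAlgorithm_sha1 is the only algorithm this vocabulary defines.
    return hashlib.sha1(data).hexdigest()


def file_checksums(files: Dict[str, bytes], exclude: Iterable[str] = ()) -> Dict[str, str]:
    """One Checksum per File, keyed by fileName (path relative to the package root)."""
    skip = set(exclude)
    return {name: sha1_hex(data) for name, data in files.items() if name not in skip}


def package_verification_code(checksums: Dict[str, str]) -> str:
    """Manifest hash from the SPDX spec: sort the per-file SHA-1 hex digests,
    concatenate them with no separator, and SHA-1 the result. Sorting makes the
    code independent of the order in which files were walked."""
    manifest = "".join(sorted(v.lower() for v in checksums.values()))
    return sha1_hex(manifest.encode("ascii"))


def verify_package(files: Dict[str, bytes], recorded: Dict[str, str],
                   expected_code: str, exclude: Iterable[str] = ()) -> List[str]:
    """Compare a package in hand against the File checksums and the
    packageVerificationCode recorded in its SPDX document.
    Returns a list of discrepancies; an empty list means the package matches."""
    problems: List[str] = []
    actual = file_checksums(files, exclude)
    for name, digest in recorded.items():
        if name not in actual:
            problems.append(f"missing file: {name}")
        elif actual[name] != digest:
            problems.append(f"checksum mismatch: {name}")
    for name in sorted(actual.keys() - recorded.keys()):
        problems.append(f"file not in SPDX document: {name}")
    if package_verification_code(actual) != expected_code:
        problems.append("packageVerificationCode mismatch")
    return problems
```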
reviewDate
The date and time at which the SpdxDocument was reviewed.
Domain: | Review |
---|---|
Range: | UtcXsdDate |
reviewed
The reviewed property relates an SpdxDocument to its review history.
Domain: | SpdxDocument |
---|---|
Range: | Review |
reviewer
The name and, optionally, contact information of the person who performed the review.
Domain: | Review |
---|---|
Range: | xsd:string |
sourceInfo
Allows the producer(s) of the SPDX document to describe how the package was acquired and/or changed from the original source.
Domain: | Package |
---|---|
Range: | xsd:string |
spdxVersion
Identifies the version of this specification that was used to produce this SPDX document.
Domain: | SpdxDocument |
---|---|
Range: | xsd:string |
UtcXsdDate
An xsd:dateTime whose timezone is UTC and whose timezone indicator is set to 'Z'.
LicenseSlug
A shortened name/identifier for a license, suitable for use in URIs. License slugs are xsd:strings that match the following regular expression: [-+_a-zA-Z0-9]+