THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx
Difference between revisions of "Technical Team/SPDX RDF Vocabularies and Terms/1.1/Terms"
(Convert to MediaWiki syntax) |
|||
(One intermediate revision by one other user not shown) | |||
Line 1: | Line 1: | ||
+ | __NOTOC__ | ||
+ | ==SPDX® Vocabulary Specification== | ||
+ | ; Version: | ||
+ | : 1.1 (Final) | ||
+ | ; Latest Version: | ||
+ | : http://spdx.org/rdf/terms | ||
+ | |||
+ | Copyright © 2010-2012 Linux Foundation and its Contributors. All other rights are expressly reserved. | ||
+ | |||
+ | Licensed under the [http://creativecommons.org/licenses/by/3.0/ Creative Commons Attribution License 3.0 unported]. | ||
+ | |||
+ | ==Introduction== | ||
+ | |||
+ | This specification describes the SPDX® language, defined as a dictionary of named properties and classes using W3C's RDF Technology. | ||
+ | |||
+ | SPDX® is a designed to allow the exchange of data about software packages. This information includes general information about the package, licensing information about the package as a whole, a manifest of files contained in the package and licensing information related to the contained files. | ||
+ | |||
+ | ===About this document=== | ||
+ | |||
+ | This is an RDFa annotated HTML document that defines the SPDX® RDF vocabulary using the Web Ontology Language. It is RDFa 1.0 compatible and may be consumed by any RDFa 1.0 compatible parser. The same information is available in [http://spdx.org/rdf/terms.rdf RDF/XML] and [http://spdx.org/rdf/terms.ttl Turtle] formats if those are more convenient. | ||
+ | |||
+ | RDF it is a widely used data interchange technology which allows heterogeneous systems communicate even when their internal models/implementations are incompatible. For more details on RDF, this [http://notabug.com/2002/rdfprimer/ RDF primer] helpful for gaining a basic understanding. | ||
+ | |||
+ | ===Prefixes used in this document=== | ||
+ | |||
+ | The <code>spdx</code> prefix used in this document expands to <code>http://spdx.org/rdf/terms#</code>. Any terms in this document without an explicit prefix may be assumed to be in the <code>spdx</code> namespace. | ||
+ | |||
+ | ====Other vocabularies used by this one==== | ||
+ | |||
+ | In addition to the <code>spdx</code> prefix the following prefixes are also used. Each of these reference another vocabulary imported and used by the SPDX vocabulary. | ||
+ | |||
+ | * [http://trac.usefulinc.com/doap DOAP] | ||
+ | * [http://www.w3.org/TR/rdf-schema RDFS] | ||
+ | |||
+ | ==Classes== | ||
+ | |||
+ | * <code>SpdxDocument</code> | ||
+ | * <code>CreationInfo</code> | ||
+ | * <code>Package</code> | ||
+ | * <code>ExtractedLicensingInfo</code> | ||
+ | * <code>Checksum</code> | ||
+ | * <code>PackageVerificationCode</code> | ||
+ | * <code>File</code> | ||
+ | * <code>Review</code> | ||
+ | * <code>License</code> | ||
+ | * <code>ConjunctiveLicenseSet</code> | ||
+ | * <code>DisjunctiveLicenseSet</code> | ||
+ | * <code>AnyLicenseInfo</code> | ||
+ | * <code>SimpleLicenseInfo</code> | ||
+ | |||
+ | ===Class: <code>SpdxDocument</code>=== | ||
+ | |||
+ | An <code>SpdxDocument</code> is a summary of the contents, provenance, ownership and licensing analysis of a specific software package. This is, effectively, the top level of SPDX information. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Properties: | ||
+ | :* <code>specVersion</code> Cardinality: Mandatory, one | ||
+ | :* <code>dataLicense</code> Cardinality: Mandatory, one | ||
+ | :* [http://www.w3.org/TR/rdf-schema/#ch_comment <code>rdfs:comment</code>] Cardinality: Optional, zero or one | ||
+ | :* <code>creationInfo</code> Cardinality: Mandatory, one | ||
+ | :* <code>describesPackage</code> Cardinality: Mandatory, one | ||
+ | :* <code>hasExtractedLicensingInfo</code> Cardinality: Optional, zero or more | ||
+ | :* <code>referencesFile</code> Cardinality: Mandatory, one or more | ||
+ | :* <code>reviewed</code> Cardinality: Optional, zero or more. | ||
+ | |||
+ | ===Class: <code>CreationInfo</code>=== | ||
+ | |||
+ | A <code>CreationInfo</code> provides information about the individuals, organizations and tools involved in the creation of an <code>SpdxDocument</code>. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Properties: | ||
+ | :* <code>creator</code> Cardinality: Mandatory, one or more | ||
+ | :* <code>created</code> Cardinality: Mandatory, one | ||
+ | :* [http://www.w3.org/TR/rdf-schema/#ch_comment <code>rdfs:comment</code>] Cardinality: Optional, zero or one | ||
+ | |||
+ | ===Class: <code>Package</code>=== | ||
+ | |||
+ | A <code>Package</code> represents a collection of software files that are delivered as a single functional component. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Properties: | ||
+ | :* <code>name</code> Cardinality: Mandatory, one | ||
+ | :* <code>versionInfo</code> Cardinality: Optional, zero or one | ||
+ | :* <code>packageFileName</code> Cardinality: Optional, zero or one | ||
+ | :* <code>supplier</code> Cardinality: Optional, zero or one | ||
+ | :* <code>originator</code> Cardinality: Optional, zero or one | ||
+ | :* <code>downloadLocation</code> Cardinality: Mandatory, one | ||
+ | :* <code>packageVerificationCode</code> Cardinality: Mandatory, one | ||
+ | :* <code>checksum</code> Cardinality: Optional, zero or one | ||
+ | :* <code>sourceInfo</code> Cardinality: Optional, zero or one | ||
+ | :* <code>licenseConcluded</code> Cardinality: Mandatory, one | ||
+ | :* <code>licenseInfoFromFiles</code> Cardinality: Mandatory, one or more | ||
+ | :* <code>licenseDeclared</code> Cardinality: Mandatory, one | ||
+ | :* <code>licenseComments</code> Cardinality: Optional, zero or one | ||
+ | :* <code>copyrightText</code> Cardinality: Mandatory, one | ||
+ | :* <code>summary</code> Cardinality: Optional, zero or one | ||
+ | :* <code>description</code> Cardinality: Optional, zero or one | ||
+ | :* <code>hasFile</code> Cardinality: Mandatory, one or more | ||
+ | |||
+ | ===Class: <code>ExtractedLicensingInfo</code>=== | ||
+ | |||
+ | An <code>ExtractedLicensingInfo</code> represents a license or licensing notice that was found in the package. Any license text that is recognized as a license may be represented as a <code>License</code> rather than an <code>ExtractedLicensingInfo</code>. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Properties: | ||
+ | :* <code>licenseId</code> Cardinality: Mandatory, one | ||
+ | :* <code>name</code> Cardinality: Optional, zero or more | ||
+ | :* <code>extractedText</code> Cardinality: Mandatory, one | ||
+ | :* [http://www.w3.org/TR/rdf-schema/#ch_comment <code>rdfs:comment</code>] Cardinality: Optional, zero or one | ||
+ | :* [http://www.w3.org/TR/rdf-schema/#ch_seealso <code>rdfs:seeAlso</code>] Cardinality: Optional, zero or more | ||
+ | |||
+ | ===Class: <code>File</code>=== | ||
+ | |||
+ | A <code>File</code> represents a named sequence of information that is contained in a software package. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Properties: | ||
+ | :* <code>fileName</code> Cardinality: Mandatory, one | ||
+ | :* [http://www.w3.org/TR/rdf-schema/#ch_comment <code>rdfs:comment</code>] Cardinality: Optional, zero or one | ||
+ | :* <code>fileType</code> Cardinality: Optional, zero or one | ||
+ | :* <code>checksum</code> Cardinality: Mandatory, one | ||
+ | :* <code>licenseConcluded</code> Cardinality: Mandatory, one | ||
+ | :* <code>licenseInfoInFile</code> Cardinality: Mandatory, one or more | ||
+ | :* <code>licenseComments</code> Cardinality: Optional, zero or one | ||
+ | :* <code>copyrightText</code> Cardinality: Mandatory, one | ||
+ | :* <code>artifactOf</code> Cardinality: Optional, zero or one | ||
+ | |||
+ | ===Class: <code>Review</code>=== | ||
+ | |||
+ | A <code>Review</code> represents an audit and signoff by an individual, organization or tool on the information in an <code>SpdxDocument</code>. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Properties: | ||
+ | :* <code>reviewer</code> Cardinality: Mandatory, one | ||
+ | :* <code>reviewDate</code> Cardinality: Mandatory, one | ||
+ | :* [http://www.w3.org/TR/rdf-schema/#ch_comment <code>rdfs:comment</code>] Cardinality: Optional, zero or one | ||
+ | |||
+ | ===Class: <code>License</code>=== | ||
+ | |||
+ | A <code>License</code> represents a copyright license. The [http://spdx.org/licenses SPDX license list website] is annotated with these properties (using [http://www.w3.org/TR/2008/REC-rdfa-syntax-20081014/ RDFa]) to allow license data published there to be easily processed. | ||
+ | |||
+ | The license list is populated in accordance with the [http://spdx.org/wiki/spdx-license-list License List fields guidelines]. These guidelines are not normative and may change over time. SPDX tooling should not rely on values in the license list conforming to the current guidelines. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Properties: | ||
+ | :* <code>licenseId</code> Cardinality: Mandatory, oneA short human readable unique name for the license. | ||
+ | :* <code>name</code> Cardinality: Optional, zero or oneA full name, including version if applicable, of the license. | ||
+ | :* <code>licenseText</code> Cardinality: Mandatory, oneFull text of the license. | ||
+ | :* <code>isOsiApproved</code> Cardinality: Mandatory, oneIndicates if the [http://opensource.org/ OSI] has approved the license. | ||
+ | :* <code>standardLicenseHeader</code> Cardinality: Optional, zero or oneLicense author's preferred text to indicated that a file is covered by the license.</> | ||
+ | :* [http://www.w3.org/TR/rdf-schema/#ch_comment <code>rdfs:comment</code>] Cardinality: Optional, zero or oneFactual notes regarding the license such as release date. | ||
+ | :* [http://www.w3.org/TR/rdf-schema/#ch_seealso <code>rdfs:seeAlso</code>] Cardinality: Optional, zero or moreA link to the license on another website. | ||
+ | |||
+ | ===Class: <code>Checksum</code>=== | ||
+ | |||
+ | A <code>Checksum</code> is value that allows the contents of a file to be authenticated. Even small changes to the content of the file will change it's checksum. This class allows the results of a variety of checksum and cryptographic message digest algorithms to be represented. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Properties: | ||
+ | :* <code>algorithm</code> Cardinality: Mandatory, one | ||
+ | :* <code>checksumValue</code> Cardinality: Mandatory, one | ||
+ | |||
+ | ===Class: <code>PackageVerificationCode</code>=== | ||
+ | |||
+ | A manifest based verification code (the algorithm is defined in section 4.7 of the full specification) of the package. This allows consumers of this data and/or database to determine if a package they have in hand is identical to the package from which the data was produced. This algorithm works even if the SPDX document is included in the package. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Properties: | ||
+ | :* <code>packageVerificationCodeExcludedFile</code> Cardinality: Optional, zero or more | ||
+ | :* <code>packageVerificationCodeValue</code> Cardinality: Mandatory, one | ||
+ | |||
+ | ===Class: <code>ConjunctiveLicenseSet</code>=== | ||
+ | |||
+ | A <code>ConjunctiveLicenseSet</code> represents a set of licensing information all of which apply. | ||
+ | |||
+ | This class refines [http://www.w3.org/TR/rdf-schema/#ch_container <code>rdfs:Container</code>]. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Properties: | ||
+ | :* <code>member</code> Cardinality: Mandatory, two or more. | ||
+ | |||
+ | ===Class: <code>DisjunctiveLicenseSet</code>=== | ||
+ | |||
+ | A <code>DisjunctiveLicenseSet</code> represents a set of licensing information where only one license applies at a time. This class implies that the recipient gets to choose one of these licenses they would prefer to use. | ||
+ | |||
+ | This class refines [http://www.w3.org/TR/rdf-schema/#ch_container <code>rdfs:Container</code>]. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Properties: | ||
+ | :* <code>member</code> Cardinality: Mandatory, two or more. | ||
+ | |||
+ | ===Class: <code>AnyLicenseInfo</code>=== | ||
+ | |||
+ | The <code>AnyLicenseInfo</code> class includes all resources that represent licensing information. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Members | ||
+ | : All resources in any of the following classes: | ||
+ | :* <code>License</code> | ||
+ | :* <code>ExtractedLicensingInfo</code> | ||
+ | :* <code>ConjunctiveLicenseSet</code> | ||
+ | :* <code>DisjunctiveLicenseSet</code> | ||
+ | |||
+ | ===Class: <code>SimpleLicenseInfo</code>=== | ||
+ | |||
+ | The <code>SimpleLicenseInfo</code> class includes all resources that represent simple, atomic, licensing information. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Members | ||
+ | : All resources in any of the following classes: | ||
+ | :* <code>License</code> | ||
+ | :* <code>ExtractedLicensingInfo</code> | ||
+ | |||
+ | ==Properties== | ||
+ | |||
+ | * <code>algorithm</code> | ||
+ | * <code>artifactOf</code> | ||
+ | * <code>checksum</code> | ||
+ | * <code>checksumValue</code> | ||
+ | * <code>copyrightText</code> | ||
+ | * <code>created</code> | ||
+ | * <code>creationInfo</code> | ||
+ | * <code>creator</code> | ||
+ | * <code>dataLicense</code> | ||
+ | * <code>describesPackage</code> | ||
+ | * <code>description</code> | ||
+ | * <code>downloadLocation</code> | ||
+ | * <code>extractedText</code> | ||
+ | * <code>fileName</code> | ||
+ | * <code>fileType</code> | ||
+ | * <code>hasExtractedLicensingInfo</code> | ||
+ | * <code>hasFile</code> | ||
+ | * <code>isOsiApproved</code> | ||
+ | * <code>licenseComments</code> | ||
+ | * <code>licenseConcluded</code> | ||
+ | * <code>licenseDeclared</code> | ||
+ | * <code>licenseId</code> | ||
+ | * <code>licenseText</code> | ||
+ | * <code>licenseInfoFromFiles</code> | ||
+ | * <code>licenseInfoInFile</code> | ||
+ | * <code>member</code> | ||
+ | * <code>name</code> | ||
+ | * <code>originator</code> | ||
+ | * <code>packageFileName</code> | ||
+ | * <code>packageVerificationCode</code> | ||
+ | * <code>packageVerificationCodeExcludedFile</code> | ||
+ | * <code>packageVerificationCodeValue</code> | ||
+ | * <code>referencesFile</code> | ||
+ | * <code>reviewDate</code> | ||
+ | * <code>reviewed</code> | ||
+ | * <code>reviewer</code> | ||
+ | * <code>sourceInfo</code> | ||
+ | * <code>specVerison</code> | ||
+ | * <code>standardLicenseHeader</code> | ||
+ | * <code>summary</code> | ||
+ | * <code>supplier</code> | ||
+ | * <code>versionInfo</code> | ||
+ | |||
+ | ===Property: <code>algorithm</code>=== | ||
+ | |||
+ | Identifies the algorithm used to produce the subject <code>Checksum</code>. | ||
+ | |||
+ | Currently, [http://www.itl.nist.gov/fipspubs/fip180-1.htm SHA-1] is the only supported algorithm. It is anticipated that other algorithms will be supported at a later time. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Domain: | ||
+ | : <code>Checksum</code> | ||
+ | ; Range: | ||
+ | : <code>spdx:checksumAlgorithm_sha1</code> | ||
+ | |||
+ | ===Property: <code>artifactOf</code>=== | ||
+ | |||
+ | Indicates the project in which the file originated. | ||
+ | |||
+ | Tools must preserve <code>doap:hompage</code> and <code>doap:name</code> properties and the URI (if one is known) of <code>doap:Project</code> resources that are values of this property. All other properties of <code>doap:Projects</code> are not directly supported by SPDX and may be dropped when translating to or from some SPDX formats. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Domain: | ||
+ | : <code>File</code> | ||
+ | ; Range: | ||
+ | : [http://usefulinc.com/ns/doap#Project <code>doap:Project</code>] | ||
+ | |||
+ | ===Property: <code>checksum</code>=== | ||
+ | |||
+ | The <code>checksum</code> property provides a mechanism that can be used to verify that the contents of a <code>File</code> or <code>Package</code> have not changed. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Domain: | ||
+ | : Any of: | ||
+ | :* <code>Package</code> | ||
+ | :* <code>File</code> | ||
+ | ; Range: | ||
+ | : Checksum | ||
+ | |||
+ | ===Property: <code>checksumValue</code>=== | ||
+ | |||
+ | The <code>checksumValue</code> property provides a lower case hexidecimal encoded digest value produced using a specific algorithm. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Domain: | ||
+ | : <code>Checksum</code> | ||
+ | ; Range: | ||
+ | : [http://www.w3.org/TR/xmlschema-2/#hexBinary <code>xsd:hexBinary</code>] | ||
+ | |||
+ | ===Property: <code>created</code>=== | ||
+ | |||
+ | The date and time at which the <code>SpdxDocument</code> was created. This value must in UTC and have 'Z' as its timezone indicator. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Domain: | ||
+ | : <code>CreationInfo</code> | ||
+ | ; Range: | ||
+ | : [http://www.w3.org/TR/xmlschema-2/#dateTime <code>xsd:dateTime</code>] | ||
+ | |||
+ | ===Property: <code>copyrightText</code>=== | ||
+ | |||
+ | The text of copyright declarations recited in the <code>Package</code> or <code>File</code>. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Domain: | ||
+ | : Any of: | ||
+ | :* <code>Package</code> | ||
+ | :* <code>File</code> | ||
+ | ; Range: | ||
+ | : Any of: | ||
+ | :* [http://www.w3.org/TR/rdf-schema/#ch_literal <code>rdfs:Literal</code>] | ||
+ | :* <code>spdx:none</code> | ||
+ | :* <code>spdx:noassertion</code> | ||
+ | |||
+ | ===Property: <code>creationInfo</code>=== | ||
+ | |||
+ | The <code>creationInfo</code> property relates an <code>SpdxDocument</code> to a set of information about the creation of the <code>SpdxDocument</code>. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Domain: | ||
+ | : <code>SpdxDocument</code> | ||
+ | ; Range: | ||
+ | : <code>CreationInfo</code> | ||
+ | |||
+ | ===Property: <code>creator</code>=== | ||
+ | |||
+ | The name and, optionally, contact information of a person, organization or tool that created, or was used to create, the <code>SpdxDocument</code>. | ||
+ | |||
+ | Values of this property must conform to the agent and tool syntax. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Domain: | ||
+ | : <code>CreationInfo</code> | ||
+ | ; Range: | ||
+ | : [http://www.w3.org/TR/xmlschema-2/#string <code>xsd:string</code>] | ||
+ | |||
+ | ===Property: <code>dataLicense</code>=== | ||
+ | |||
+ | The licensing under which the <code>creator</code> of this SPDX document allows related data to be reproduced. | ||
+ | |||
+ | The only valid value for this property is <code>http://spdx.org/licenses/CC0-1.0</code>. This is to alleviate any concern that content (the data) in an SPDX file is subject to any form of intellectual property right that could restrict the re-use of the information or the creation of another SPDX file for the same project(s). This approach avoids intellectual property and related restrictions over the SPDX file, however individuals can still contract one to one to restrict release of specific collections of SPDX files (which map to software bill of materials) and the identification of the supplier of SPDX files. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Domain: | ||
+ | : <code>SpdxDocument</code> | ||
+ | ; Range: | ||
+ | : [http://spdx.org/licenses/CC0-1.0 <code>http://spdx.org/licenses/CC0-1.0</code>] | ||
+ | |||
+ | ===Property: <code>describesPackage</code>=== | ||
+ | |||
+ | The <code>describesPackage</code> property relates an <code>SpdxDocument</code> to the package which it describes. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Domain: | ||
+ | : <code>SpdxDocument</code> | ||
+ | ; Range: | ||
+ | : <code>Package</code> | ||
+ | |||
+ | ===Property: <code>description</code>=== | ||
+ | |||
+ | Provides a detailed description of the package. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Domain: | ||
+ | : <code>Package</code> | ||
+ | ; Range: | ||
+ | : [http://www.w3.org/TR/xmlschema-2/#string <code>xsd:string</code>] | ||
+ | |||
+ | ===Property: <code>downloadLocation</code>=== | ||
+ | |||
+ | The URI at which this package is available for download. Private (i.e., not publicly reachable) URIs are acceptable as values of this property. | ||
+ | |||
+ | The values <code>http://spdx.org/rdf/terms#none</code> and <code>http://spdx.org/rdf/terms#noassertion</code> may be used to specify that the package is not downloadable or that no attempt was made to determine its download location, respectively. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Domain: | ||
+ | : <code>Package</code> | ||
+ | ; Range: | ||
+ | : [http://www.w3.org/TR/xmlschema-2/#anyURI <code>xsd:anyURI</code>] | ||
+ | |||
+ | ===Property: <code>extractedText</code>=== | ||
+ | |||
+ | Verbatim license or licensing notice text that was discovered. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Domain: | ||
+ | : <code>ExtractedLicensingInfo</code> | ||
+ | ; Range: | ||
+ | : [http://www.w3.org/TR/xmlschema-2/#string <code>xsd:string</code>] | ||
+ | |||
+ | ===Property: <code>fileName</code>=== | ||
+ | |||
+ | The name of the file relative to the root of the package. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Domain: | ||
+ | : <code>File</code> | ||
+ | ; Range: | ||
+ | : [http://www.w3.org/TR/xmlschema-2/#string <code>xsd:string</code>] | ||
+ | |||
+ | ===Property: <code>fileType</code>=== | ||
+ | |||
+ | The type of the file. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Domain: | ||
+ | : <code>File</code> | ||
+ | ; Range: | ||
+ | : One of: | ||
+ | :* <code>spdx:fileType_source</code> Indicates the file is a source code file. | ||
+ | :* <code>spdx:fileType_archive</code> Indicates the file is an archive file. | ||
+ | :* <code>spdx:fileType_binary</code> Indicates the file is not a text file. <code>filetype_archive</code> is preferred for archive files even though they are binary. | ||
+ | :* <code>spdx:fileType_other</code> Indicates the file did not fall into any of the other categories. | ||
+ | |||
+ | ===Property: <code>hasExtractedLicensingInfo</code>=== | ||
+ | |||
+ | Indicates that a particular <code>ExtractedLicensingInfo</code> was defined in the subject <code>SpdxDocument</code>. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Domain: | ||
+ | : <code>SpdxDocument</code> | ||
+ | ; Range: | ||
+ | : <code>ExtractedLicensingInfo</code> | ||
+ | |||
+ | ===Property: <code>hasFile</code>=== | ||
+ | |||
+ | Indicates that a particular file belongs to a package. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Domain: | ||
+ | : <code>Package</code> | ||
+ | ; Range: | ||
+ | : <code>File</code> | ||
+ | |||
+ | ===Property: <code>isOsiApproved</code>=== | ||
+ | |||
+ | Indicates that a particular license] has been approved by the [http://opensource.org/ OSI] as an open source licenses. If this property is true there ''should'' be a <code>seeAlso</code> property linking to the OSI version of the license. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Domain: | ||
+ | : <code>License</code> | ||
+ | ; Range: | ||
+ | : [http://www.w3.org/TR/xmlschema-2/#boolean <code>xsd:boolean</code>] | ||
+ | |||
+ | ===Property: <code>licenseComments</code>=== | ||
+ | |||
+ | The <code>licenseComments</code> property allows the preparer of the SPDX document to describe why the licensing in <code>spdx:licenseConcluded</code> was chosen. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Domain: | ||
+ | : Any of: | ||
+ | :* <code>Package</code> | ||
+ | :* <code>File</code> | ||
+ | ; Range: | ||
+ | : [http://www.w3.org/TR/xmlschema-2/#string <code>xsd:string</code>] | ||
+ | |||
+ | ===Property: <code>licenseConcluded</code>=== | ||
+ | |||
+ | The licensing that the preparer of this SPDX document has concluded, based on the evidence, actually applies to the package. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Domain: | ||
+ | : Any of: | ||
+ | :* <code>Package</code> | ||
+ | :* <code>File</code> | ||
+ | ; Range: | ||
+ | : Any of: | ||
+ | :* <code>AnyLicenseInfo</code> | ||
+ | :* <code>spdx:none</code> | ||
+ | :* <code>spdx:noassertion</code> | ||
+ | |||
+ | ===Property: <code>licenseDeclared</code>=== | ||
+ | |||
+ | The licensing that the creators of the software in the package, or the packager, have declared. Declarations by the original software creator should be preferred, if they exist. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Domain: | ||
+ | : <code>Package</code> | ||
+ | ; Range: | ||
+ | : Any of: | ||
+ | :* <code>AnyLicenseInfo</code> | ||
+ | :* <code>spdx:none</code> | ||
+ | :* <code>spdx:noassertion</code> | ||
+ | |||
+ | ===Property: <code>licenseId</code>=== | ||
+ | |||
+ | A short name for the license that is at least 3 characters long and made up of the characters from the set 'a'-'z', 'A'-'Z', '0'-'9', '+', '_', '.', and '-'. Formally, all <code>licenseId</code> values must match the regular expression: <code>[-+_.a-zA-Z0-9]{3,}</code> | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Domain: | ||
+ | :* <code>License</code> | ||
+ | :* <code>ExtractedLicensingInfo</code> | ||
+ | ; Range: | ||
+ | : [http://www.w3.org/TR/xmlschema-2/#string <code>xsd:string</code>] | ||
+ | |||
+ | ===Property: <code>licenseText</code>=== | ||
+ | |||
+ | The full text of the license. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Domain: | ||
+ | : <code>License</code> | ||
+ | ; Range: | ||
+ | : [http://www.w3.org/TR/xmlschema-2/#string <code>xsd:string</code>] | ||
+ | |||
+ | ===Property: <code>licenseInfoFromFiles</code>=== | ||
+ | |||
+ | The licensing information that was discovered directly within the package. There will be an instance of this property for each distinct value of all <code>licenseInfoInFile</code> properties of all files contained in the package. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Domain: | ||
+ | : <code>Package</code> | ||
+ | ; Range: | ||
+ | : Any of: | ||
+ | :* <code>SimpleLicenseInfo</code> | ||
+ | :* <code>spdx:none</code> | ||
+ | :* <code>spdx:noassertion</code> | ||
+ | |||
+ | ===Property: <code>licenseInfoInFile</code>=== | ||
+ | |||
+ | Licensing information that was discovered directly in the subject file. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Domain: | ||
+ | : <code>File</code> | ||
+ | ; Range: | ||
+ | : Any of: | ||
+ | :* <code>SimpleLicenseInfo</code> | ||
+ | :* <code>spdx:none</code> | ||
+ | :* <code>spdx:noassertion</code> | ||
+ | |||
+ | ===Property: <code>member</code>=== | ||
+ | |||
+ | A license, or other licensing information, that is a member of the subject license set. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Domain: | ||
+ | : Any of: | ||
+ | :* <code>ConjunctiveLicenseSet</code> | ||
+ | :* <code>DisjunctiveLicenseSet</code> | ||
+ | ; Range: | ||
+ | : <code>AnyLicenseInfo</code> | ||
+ | ; Refines: | ||
+ | : [http://www.w3.org/TR/rdf-schema/#ch_member <code>rdfs:member</code>] | ||
+ | |||
+ | ===Property: <code>name</code>=== | ||
+ | |||
+ | The full human readable name of the item. This should include version information when applicable. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Domain: | ||
+ | : Any of: | ||
+ | :* <code>Package</code> | ||
+ | :* <code>ExtractedLicensingInfo</code> | ||
+ | :* <code>License</code> | ||
+ | ; Range: | ||
+ | : [http://www.w3.org/TR/xmlschema-2/#string <code>xsd:string</code>] | ||
+ | ; Refines: | ||
+ | : [http://www.w3.org/TR/rdf-schema/#ch_label <code>rdfs:label</code>] | ||
+ | |||
+ | ===Property: <code>originator</code>=== | ||
+ | |||
+ | The name and, optionally, contact information of the person or organization that originally created the package. | ||
+ | |||
+ | Values of this property must conform to the agent and tool syntax. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Domain: | ||
+ | : <code>Package</code> | ||
+ | ; Range: | ||
+ | : [http://www.w3.org/TR/xmlschema-2/#string <code>xsd:string</code>] or the individual <code>spdx:noassertion</code> | ||
+ | |||
+ | ===Property: <code>packageFileName</code>=== | ||
+ | |||
+ | The base name of the package file name. For example, <code>zlib-1.2.5.tar.gz</code>. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Domain: | ||
+ | : <code>Package</code> | ||
+ | ; Range: | ||
+ | : [http://www.w3.org/TR/xmlschema-2/#string <code>xsd:string</code>] | ||
+ | |||
+ | ===Property: <code>packageVerificationCode</code>=== | ||
+ | |||
+ | A manifest based authentication code for the package. This allows consumers of this data to determine if a package they have in hand is identical to the package from which the data was produced. This algorithm works even if the SPDX document is included in the package. This algorithm is described in detail in the SPDX specification. | ||
+ | |||
+ | The package verification code algorithm is defined in section 4.7 of the full specification. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Domain: | ||
+ | : <code>Package</code> | ||
+ | ; Range: | ||
+ | : <code>PackageVerificationCode</code> | ||
+ | |||
+ | ===Property: <code>packageVerificationCodeExcludedFile</code>=== | ||
+ | |||
+ | A file that was excluded when calculating the package verification code. This is usually a file containing SPDX data regarding the package. If a package contains more than one SPDX file all SPDX files must be excluded from the package verification code. If this is not done it would be impossible to correctly calculate the verification codes in both files. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Domain: | ||
+ | : <code>PackageVerificationCode</code> | ||
+ | ; Range: | ||
+ | : [http://www.w3.org/TR/xmlschema-2/#string <code>xsd:string</code>] | ||
+ | |||
+ | ===Property: <code>packageVerificationCodeValue</code>=== | ||
+ | |||
+ | The actual package verification code as a hex encoded value. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Domain: | ||
+ | : <code>PackageVerificationCode</code> | ||
+ | ; Range: | ||
+ | : [http://www.w3.org/TR/xmlschema-2/#hexBinary <code>xsd:hexBinary</code>] | ||
+ | |||
+ | ===Property: <code>referencesFile</code>=== | ||
+ | |||
+ | Indicates that a particular file belongs as part of the set of analyzed files in the <code>SpdxDocument</code>. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Domain: | ||
+ | : <code>SpdxDocument</code> | ||
+ | ; Range: | ||
+ | : <code>File</code> | ||
+ | |||
+ | ===Property: <code>reviewDate</code>=== | ||
+ | |||
+ | The date and time at which the <code>SpdxDocument</code> was reviewed. This value must be in UTC and have 'Z' as its timezone indicator. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Domain: | ||
+ | : <code>Review</code> | ||
+ | ; Range: | ||
+ | : [http://www.w3.org/TR/xmlschema-2/#dateTime <code>xsd:dateTime</code>] | ||
+ | |||
+ | ===Property: <code>reviewed</code>=== | ||
+ | |||
+ | The <code>review</code> property relates a <code>SpdxDocument</code> to the review history. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Domain: | ||
+ | : <code>SpdxDocument</code> | ||
+ | ; Range: | ||
+ | : <code>Review</code> | ||
+ | |||
+ | ===Property: <code>reviewer</code>=== | ||
+ | |||
+ | The name and, optionally, contact information of the person who performed the review. | ||
+ | |||
+ | Values of this property must conform to the agent and tool syntax. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Domain: | ||
+ | : <code>Review</code> | ||
+ | ; Range: | ||
+ | : [http://www.w3.org/TR/xmlschema-2/#string <code>xsd:string</code>] | ||
+ | |||
+ | ===Property: <code>sourceInfo</code>=== | ||
+ | |||
+ | Allows the producer(s) of the SPDX document to describe how the package was acquired and/or changed from the original source. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Domain: | ||
+ | : <code>Package</code> | ||
+ | ; Range: | ||
+ | : [http://www.w3.org/TR/xmlschema-2/#string <code>xsd:string</code>] | ||
+ | |||
+ | ===Property: <code>specVersion</code>=== | ||
+ | |||
+ | Identifies the version of this specification that was used to produce this SPDX document. The value for this version of the spec is <code>SPDX-1.1</code>. The value <code>SPDX-1.0</code> may also be supported by SPDX tools for backwards compatibility purposes. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Domain: | ||
+ | : <code>SpdxDocument</code> | ||
+ | ; Range: | ||
+ | : [http://www.w3.org/TR/xmlschema-2/#string <code>xsd:string</code>] | ||
+ | |||
+ | ===Property: <code>standardLicenseHeader</code>=== | ||
+ | |||
+ | Text specifically delineated by the license, or license appendix, as the preferred way to indicate that a source, or other, file is copyable under the license. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Domain: | ||
+ | : <code>License</code> | ||
+ | ; Range: | ||
+ | : [http://www.w3.org/TR/xmlschema-2/#string <code>xsd:string</code>] | ||
+ | |||
+ | ===Property: <code>summary</code>=== | ||
+ | |||
+ | Provides a short description of the package. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Domain: | ||
+ | : <code>Package</code> | ||
+ | ; Range: | ||
+ | : [http://www.w3.org/TR/xmlschema-2/#string <code>xsd:string</code>] | ||
+ | |||
+ | ===Property: <code>supplier</code>=== | ||
+ | |||
+ | The name and, optionally, contact information of the person or organization who was the immediate supplier of this package to the recipient. The supplier may be different than <code>originator</code> when the software has been repackaged. | ||
+ | |||
+ | Values of this property must conform to the agent and tool syntax. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Domain: | ||
+ | : <code>Package</code> | ||
+ | ; Range: | ||
+ | : [http://www.w3.org/TR/xmlschema-2/#string <code>xsd:string</code>] or the individual <code>spdx:noassertion</code> | ||
+ | |||
+ | ===Property: <code>versionInfo</code>=== | ||
+ | |||
+ | Provides an indication of the version of the package that is described by this <code>SpdxDocument</code>. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | ; Domain: | ||
+ | : <code>Package</code> | ||
+ | ; Range: | ||
+ | : [http://www.w3.org/TR/xmlschema-2/#string <code>xsd:string</code>] | ||
+ | |||
+ | ==Individuals== | ||
+ | |||
+ | * <code>checksumAlgorithm_sha1</code> | ||
+ | * <code>fileType_archive</code> | ||
+ | * <code>fileType_binary</code> | ||
+ | * <code>fileType_other</code> | ||
+ | * <code>fileType_source</code> | ||
+ | * <code>noassertion</code> | ||
+ | * <code>none</code> | ||
+ | |||
+ | ===Individual: <code>checksumAlgorithm_sha1</code>=== | ||
+ | |||
+ | Indicates the algorithm used was [http://www.itl.nist.gov/fipspubs/fip180-1.htm SHA-1] | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | |||
+ | ===Individual: <code>fileType_archive</code>=== | ||
+ | |||
+ | Indicates the file is an archive file. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | |||
+ | ===Individual: <code>fileType_binary</code>=== | ||
+ | |||
+ | Indicates the file is not a text file. <code>spdx:filetype_archive</code> is preferred for archive files even though they are binary. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | |||
+ | ===Individual: <code>fileType_other</code>=== | ||
+ | |||
+ | Indicates the file is not a source, archive or binary file. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | |||
+ | ===Individual: <code>fileType_source</code>=== | ||
+ | |||
+ | Indicates the file is a source code file. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | |||
+ | ===Individual: <code>noassertion</code>=== | ||
+ | |||
+ | Indicates that the preparer of the SPDX document is not making any assertion regarding the value of this field. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | |||
+ | ===Individual: <code>none</code>=== | ||
+ | |||
+ | When this value is used as the object of a property it indicates that the preparer of the <code>SpdxDocument</code> believes that there is no value for the property. This value should only be used if there is sufficient evidence to support this assertion. | ||
+ | |||
+ | ; Status: | ||
+ | : stable | ||
+ | |||
+ | ==Agent and Tool Identifiers== | ||
+ | |||
+ | Fields that identify entities that have acted in relation to the SPDX file are single line of text which name the agent or tool and, optionally, provide contact information. For example, "Person: Jane Doe (jane.doe@example.com)", "Organization: ExampleCodeInspect (contact@example.com)" and "Tool: LicenseFind - 1.0". The exact syntax of agent and tool identifications is described below in [http://tools.ietf.org/html/rfc5234 ABNF]. | ||
+ | |||
+ | agent = person / organization tool = "Tool: " name 0*1( " " DASH " " version) person = | ||
+ | "Person: " name 0*1contact-info organization = "Organization: " name 0*1contact-info name = | ||
+ | 1*( UNRESERVED ) / U+0022 1*( VCHAR-SANS-QUOTE ) U+0022 contact-info = " (" email-addr ")" | ||
+ | email-addr = local-name-atom *( "." local-name-atom ) "@" domain-name-atom 1*( "." domain- | ||
+ | name-atom ) version = 1*VCHAR-SANS-QUOTE local-name-atom = 1*( ALPHA / DIGIT / ; Printable | ||
+ | US-ASCII "!" / "#" / ; characters not including "$" / "%" / ; specials. "&" / "'" / "*" / | ||
+ | "+" / "-" / "/" / "=" / "?" / "^" / "_" / "`" / "{" / "|" / "}" / "~" ) domain-name-atom = | ||
+ | 1*( ALPHA / DIGIT / "-" ) DASH = U+2010 / U+2212 / ; hyphen, minus, em dash and U+2013 / | ||
+ | U+2014 ; en dash UNRESERVED = U+0020-U+0027 / ; visible unicode characters U+0029-U+0080 / | ||
+ | ; except '(' and dashes U+00A0-U+200F / U+2011-U+2027 / U+202A-U+2211 / U+2213-U+E01EF | ||
+ | VCHAR-SANS-QUOTE = U+0020-U+0021 / ; visible unicode characters U+0023-U+0080 / ; except | ||
+ | quotation mark U+00a0-U+E01EF | ||
+ | |||
+ | [[Category:Technical]] |
Latest revision as of 15:34, 7 March 2013
SPDX® Vocabulary Specification
- Version
- 1.1 (Final)
- Latest Version
- http://spdx.org/rdf/terms
Copyright © 2010-2012 Linux Foundation and its Contributors. All other rights are expressly reserved.
Licensed under the Creative Commons Attribution License 3.0 unported.
Introduction
This specification describes the SPDX® language, defined as a dictionary of named properties and classes using W3C's RDF Technology.
SPDX® is a designed to allow the exchange of data about software packages. This information includes general information about the package, licensing information about the package as a whole, a manifest of files contained in the package and licensing information related to the contained files.
About this document
This is an RDFa annotated HTML document that defines the SPDX® RDF vocabulary using the Web Ontology Language. It is RDFa 1.0 compatible and may be consumed by any RDFa 1.0 compatible parser. The same information is available in RDF/XML and Turtle formats if those are more convenient.
RDF it is a widely used data interchange technology which allows heterogeneous systems communicate even when their internal models/implementations are incompatible. For more details on RDF, this RDF primer helpful for gaining a basic understanding.
Prefixes used in this document
The spdx
prefix used in this document expands to http://spdx.org/rdf/terms#
. Any terms in this document without an explicit prefix may be assumed to be in the spdx
namespace.
Other vocabularies used by this one
In addition to the spdx
prefix the following prefixes are also used. Each of these reference another vocabulary imported and used by the SPDX vocabulary.
Classes
-
SpdxDocument
-
CreationInfo
-
Package
-
ExtractedLicensingInfo
-
Checksum
-
PackageVerificationCode
-
File
-
Review
-
License
-
ConjunctiveLicenseSet
-
DisjunctiveLicenseSet
-
AnyLicenseInfo
-
SimpleLicenseInfo
Class: SpdxDocument
An SpdxDocument
is a summary of the contents, provenance, ownership and licensing analysis of a specific software package. This is, effectively, the top level of SPDX information.
- Status
- stable
- Properties
-
-
specVersion
Cardinality: Mandatory, one -
dataLicense
Cardinality: Mandatory, one -
rdfs:comment
Cardinality: Optional, zero or one -
creationInfo
Cardinality: Mandatory, one -
describesPackage
Cardinality: Mandatory, one -
hasExtractedLicensingInfo
Cardinality: Optional, zero or more -
referencesFile
Cardinality: Mandatory, one or more -
reviewed
Cardinality: Optional, zero or more.
-
Class: CreationInfo
A CreationInfo
provides information about the individuals, organizations and tools involved in the creation of an SpdxDocument
.
- Status
- stable
- Properties
-
-
creator
Cardinality: Mandatory, one or more -
created
Cardinality: Mandatory, one -
rdfs:comment
Cardinality: Optional, zero or one
-
Class: Package
A Package
represents a collection of software files that are delivered as a single functional component.
- Status
- stable
- Properties
-
-
name
Cardinality: Mandatory, one -
versionInfo
Cardinality: Optional, zero or one -
packageFileName
Cardinality: Optional, zero or one -
supplier
Cardinality: Optional, zero or one -
originator
Cardinality: Optional, zero or one -
downloadLocation
Cardinality: Mandatory, one -
packageVerificationCode
Cardinality: Mandatory, one -
checksum
Cardinality: Optional, zero or one -
sourceInfo
Cardinality: Optional, zero or one -
licenseConcluded
Cardinality: Mandatory, one -
licenseInfoFromFiles
Cardinality: Mandatory, one or more -
licenseDeclared
Cardinality: Mandatory, one -
licenseComments
Cardinality: Optional, zero or one -
copyrightText
Cardinality: Mandatory, one -
summary
Cardinality: Optional, zero or one -
description
Cardinality: Optional, zero or one -
hasFile
Cardinality: Mandatory, one or more
-
Class: ExtractedLicensingInfo
An ExtractedLicensingInfo
represents a license or licensing notice that was found in the package. Any license text that is recognized as a license may be represented as a License
rather than an ExtractedLicensingInfo
.
- Status
- stable
- Properties
-
-
licenseId
Cardinality: Mandatory, one -
name
Cardinality: Optional, zero or more -
extractedText
Cardinality: Mandatory, one -
rdfs:comment
Cardinality: Optional, zero or one -
rdfs:seeAlso
Cardinality: Optional, zero or more
-
Class: File
A File
represents a named sequence of information that is contained in a software package.
- Status
- stable
- Properties
-
-
fileName
Cardinality: Mandatory, one -
rdfs:comment
Cardinality: Optional, zero or one -
fileType
Cardinality: Optional, zero or one -
checksum
Cardinality: Mandatory, one -
licenseConcluded
Cardinality: Mandatory, one -
licenseInfoInFile
Cardinality: Mandatory, one or more -
licenseComments
Cardinality: Optional, zero or one -
copyrightText
Cardinality: Mandatory, one -
artifactOf
Cardinality: Optional, zero or one
-
Class: Review
A Review
represents an audit and signoff by an individual, organization or tool on the information in an SpdxDocument
.
- Status
- stable
- Properties
-
-
reviewer
Cardinality: Mandatory, one -
reviewDate
Cardinality: Mandatory, one -
rdfs:comment
Cardinality: Optional, zero or one
-
Class: License
A License
represents a copyright license. The SPDX license list website is annotated with these properties (using RDFa) to allow license data published there to be easily processed.
The license list is populated in accordance with the License List fields guidelines. These guidelines are not normative and may change over time. SPDX tooling should not rely on values in the license list conforming to the current guidelines.
- Status
- stable
- Properties
-
-
licenseId
Cardinality: Mandatory, oneA short human readable unique name for the license. -
name
Cardinality: Optional, zero or oneA full name, including version if applicable, of the license. -
licenseText
Cardinality: Mandatory, oneFull text of the license. -
isOsiApproved
Cardinality: Mandatory, oneIndicates if the OSI has approved the license. -
standardLicenseHeader
Cardinality: Optional, zero or oneLicense author's preferred text to indicated that a file is covered by the license.</> -
rdfs:comment
Cardinality: Optional, zero or oneFactual notes regarding the license such as release date. -
rdfs:seeAlso
Cardinality: Optional, zero or moreA link to the license on another website.
-
Class: Checksum
A Checksum
is value that allows the contents of a file to be authenticated. Even small changes to the content of the file will change it's checksum. This class allows the results of a variety of checksum and cryptographic message digest algorithms to be represented.
- Status
- stable
- Properties
-
-
algorithm
Cardinality: Mandatory, one -
checksumValue
Cardinality: Mandatory, one
-
Class: PackageVerificationCode
A manifest based verification code (the algorithm is defined in section 4.7 of the full specification) of the package. This allows consumers of this data and/or database to determine if a package they have in hand is identical to the package from which the data was produced. This algorithm works even if the SPDX document is included in the package.
- Status
- stable
- Properties
-
-
packageVerificationCodeExcludedFile
Cardinality: Optional, zero or more -
packageVerificationCodeValue
Cardinality: Mandatory, one
-
Class: ConjunctiveLicenseSet
A ConjunctiveLicenseSet
represents a set of licensing information all of which apply.
This class refines rdfs:Container
.
- Status
- stable
- Properties
-
-
member
Cardinality: Mandatory, two or more.
-
Class: DisjunctiveLicenseSet
A DisjunctiveLicenseSet
represents a set of licensing information where only one license applies at a time. This class implies that the recipient gets to choose one of these licenses they would prefer to use.
This class refines rdfs:Container
.
- Status
- stable
- Properties
-
-
member
Cardinality: Mandatory, two or more.
-
Class: AnyLicenseInfo
The AnyLicenseInfo
class includes all resources that represent licensing information.
- Status
- stable
- Members
- All resources in any of the following classes:
-
License
-
ExtractedLicensingInfo
-
ConjunctiveLicenseSet
-
DisjunctiveLicenseSet
-
Class: SimpleLicenseInfo
The SimpleLicenseInfo
class includes all resources that represent simple, atomic, licensing information.
- Status
- stable
- Members
- All resources in any of the following classes:
-
License
-
ExtractedLicensingInfo
-
Properties
-
algorithm
-
artifactOf
-
checksum
-
checksumValue
-
copyrightText
-
created
-
creationInfo
-
creator
-
dataLicense
-
describesPackage
-
description
-
downloadLocation
-
extractedText
-
fileName
-
fileType
-
hasExtractedLicensingInfo
-
hasFile
-
isOsiApproved
-
licenseComments
-
licenseConcluded
-
licenseDeclared
-
licenseId
-
licenseText
-
licenseInfoFromFiles
-
licenseInfoInFile
-
member
-
name
-
originator
-
packageFileName
-
packageVerificationCode
-
packageVerificationCodeExcludedFile
-
packageVerificationCodeValue
-
referencesFile
-
reviewDate
-
reviewed
-
reviewer
-
sourceInfo
-
specVerison
-
standardLicenseHeader
-
summary
-
supplier
-
versionInfo
Property: algorithm
Identifies the algorithm used to produce the subject Checksum
.
Currently, SHA-1 is the only supported algorithm. It is anticipated that other algorithms will be supported at a later time.
- Status
- stable
- Domain
-
Checksum
- Range
-
spdx:checksumAlgorithm_sha1
Property: artifactOf
Indicates the project in which the file originated.
Tools must preserve doap:hompage
and doap:name
properties and the URI (if one is known) of doap:Project
resources that are values of this property. All other properties of doap:Projects
are not directly supported by SPDX and may be dropped when translating to or from some SPDX formats.
- Status
- stable
- Domain
-
File
- Range
-
doap:Project
Property: checksum
The checksum
property provides a mechanism that can be used to verify that the contents of a File
or Package
have not changed.
- Status
- stable
- Domain
- Any of:
-
Package
-
File
-
- Range
- Checksum
Property: checksumValue
The checksumValue
property provides a lower case hexidecimal encoded digest value produced using a specific algorithm.
- Status
- stable
- Domain
-
Checksum
- Range
-
xsd:hexBinary
Property: created
The date and time at which the SpdxDocument
was created. This value must in UTC and have 'Z' as its timezone indicator.
- Status
- stable
- Domain
-
CreationInfo
- Range
-
xsd:dateTime
Property: copyrightText
The text of copyright declarations recited in the Package
or File
.
- Status
- stable
- Domain
- Any of:
-
Package
-
File
-
- Range
- Any of:
-
rdfs:Literal
-
spdx:none
-
spdx:noassertion
-
Property: creationInfo
The creationInfo
property relates an SpdxDocument
to a set of information about the creation of the SpdxDocument
.
- Status
- stable
- Domain
-
SpdxDocument
- Range
-
CreationInfo
Property: creator
The name and, optionally, contact information of a person, organization or tool that created, or was used to create, the SpdxDocument
.
Values of this property must conform to the agent and tool syntax.
- Status
- stable
- Domain
-
CreationInfo
- Range
-
xsd:string
Property: dataLicense
The licensing under which the creator
of this SPDX document allows related data to be reproduced.
The only valid value for this property is http://spdx.org/licenses/CC0-1.0
. This is to alleviate any concern that content (the data) in an SPDX file is subject to any form of intellectual property right that could restrict the re-use of the information or the creation of another SPDX file for the same project(s). This approach avoids intellectual property and related restrictions over the SPDX file, however individuals can still contract one to one to restrict release of specific collections of SPDX files (which map to software bill of materials) and the identification of the supplier of SPDX files.
- Status
- stable
- Domain
-
SpdxDocument
- Range
-
http://spdx.org/licenses/CC0-1.0
Property: describesPackage
The describesPackage
property relates an SpdxDocument
to the package which it describes.
- Status
- stable
- Domain
-
SpdxDocument
- Range
-
Package
Property: description
Provides a detailed description of the package.
- Status
- stable
- Domain
-
Package
- Range
-
xsd:string
Property: downloadLocation
The URI at which this package is available for download. Private (i.e., not publicly reachable) URIs are acceptable as values of this property.
The values http://spdx.org/rdf/terms#none
and http://spdx.org/rdf/terms#noassertion
may be used to specify that the package is not downloadable or that no attempt was made to determine its download location, respectively.
- Status
- stable
- Domain
-
Package
- Range
-
xsd:anyURI
Property: extractedText
Verbatim license or licensing notice text that was discovered.
- Status
- stable
- Domain
-
ExtractedLicensingInfo
- Range
-
xsd:string
Property: fileName
The name of the file relative to the root of the package.
- Status
- stable
- Domain
-
File
- Range
-
xsd:string
Property: fileType
The type of the file.
- Status
- stable
- Domain
-
File
- Range
- One of:
-
spdx:fileType_source
Indicates the file is a source code file. -
spdx:fileType_archive
Indicates the file is an archive file. -
spdx:fileType_binary
Indicates the file is not a text file.filetype_archive
is preferred for archive files even though they are binary. -
spdx:fileType_other
Indicates the file did not fall into any of the other categories.
-
Property: hasExtractedLicensingInfo
Indicates that a particular ExtractedLicensingInfo
was defined in the subject SpdxDocument
.
- Status
- stable
- Domain
-
SpdxDocument
- Range
-
ExtractedLicensingInfo
Property: hasFile
Indicates that a particular file belongs to a package.
- Status
- stable
- Domain
-
Package
- Range
-
File
Property: isOsiApproved
Indicates that a particular license] has been approved by the OSI as an open source licenses. If this property is true there should be a seeAlso
property linking to the OSI version of the license.
- Status
- stable
- Domain
-
License
- Range
-
xsd:boolean
Property: licenseComments
The licenseComments
property allows the preparer of the SPDX document to describe why the licensing in spdx:licenseConcluded
was chosen.
- Status
- stable
- Domain
- Any of:
-
Package
-
File
-
- Range
-
xsd:string
Property: licenseConcluded
The licensing that the preparer of this SPDX document has concluded, based on the evidence, actually applies to the package.
- Status
- stable
- Domain
- Any of:
-
Package
-
File
-
- Range
- Any of:
-
AnyLicenseInfo
-
spdx:none
-
spdx:noassertion
-
Property: licenseDeclared
The licensing that the creators of the software in the package, or the packager, have declared. Declarations by the original software creator should be preferred, if they exist.
- Status
- stable
- Domain
-
Package
- Range
- Any of:
-
AnyLicenseInfo
-
spdx:none
-
spdx:noassertion
-
Property: licenseId
A short name for the license that is at least 3 characters long and made up of the characters from the set 'a'-'z', 'A'-'Z', '0'-'9', '+', '_', '.', and '-'. Formally, all licenseId
values must match the regular expression: [-+_.a-zA-Z0-9]{3,}
- Status
- stable
- Domain
-
-
License
-
ExtractedLicensingInfo
-
- Range
-
xsd:string
Property: licenseText
The full text of the license.
- Status
- stable
- Domain
-
License
- Range
-
xsd:string
Property: licenseInfoFromFiles
The licensing information that was discovered directly within the package. There will be an instance of this property for each distinct value of all licenseInfoInFile
properties of all files contained in the package.
- Status
- stable
- Domain
-
Package
- Range
- Any of:
-
SimpleLicenseInfo
-
spdx:none
-
spdx:noassertion
-
Property: licenseInfoInFile
Licensing information that was discovered directly in the subject file.
- Status
- stable
- Domain
-
File
- Range
- Any of:
-
SimpleLicenseInfo
-
spdx:none
-
spdx:noassertion
-
Property: member
A license, or other licensing information, that is a member of the subject license set.
- Status
- stable
- Domain
- Any of:
-
ConjunctiveLicenseSet
-
DisjunctiveLicenseSet
-
- Range
-
AnyLicenseInfo
- Refines
-
rdfs:member
Property: name
The full human readable name of the item. This should include version information when applicable.
- Status
- stable
- Domain
- Any of:
-
Package
-
ExtractedLicensingInfo
-
License
-
- Range
-
xsd:string
- Refines
-
rdfs:label
Property: originator
The name and, optionally, contact information of the person or organization that originally created the package.
Values of this property must conform to the agent and tool syntax.
- Status
- stable
- Domain
-
Package
- Range
-
xsd:string
or the individualspdx:noassertion
Property: packageFileName
The base name of the package file name. For example, zlib-1.2.5.tar.gz
.
- Status
- stable
- Domain
-
Package
- Range
-
xsd:string
Property: packageVerificationCode
A manifest based authentication code for the package. This allows consumers of this data to determine if a package they have in hand is identical to the package from which the data was produced. This algorithm works even if the SPDX document is included in the package. This algorithm is described in detail in the SPDX specification.
The package verification code algorithm is defined in section 4.7 of the full specification.
- Status
- stable
- Domain
-
Package
- Range
-
PackageVerificationCode
Property: packageVerificationCodeExcludedFile
A file that was excluded when calculating the package verification code. This is usually a file containing SPDX data regarding the package. If a package contains more than one SPDX file all SPDX files must be excluded from the package verification code. If this is not done it would be impossible to correctly calculate the verification codes in both files.
- Status
- stable
- Domain
-
PackageVerificationCode
- Range
-
xsd:string
Property: packageVerificationCodeValue
The actual package verification code as a hex encoded value.
- Status
- stable
- Domain
-
PackageVerificationCode
- Range
-
xsd:hexBinary
Property: referencesFile
Indicates that a particular file belongs as part of the set of analyzed files in the SpdxDocument
.
- Status
- stable
- Domain
-
SpdxDocument
- Range
-
File
Property: reviewDate
The date and time at which the SpdxDocument
was reviewed. This value must be in UTC and have 'Z' as its timezone indicator.
- Status
- stable
- Domain
-
Review
- Range
-
xsd:dateTime
Property: reviewed
The review
property relates a SpdxDocument
to the review history.
- Status
- stable
- Domain
-
SpdxDocument
- Range
-
Review
Property: reviewer
The name and, optionally, contact information of the person who performed the review.
Values of this property must conform to the agent and tool syntax.
- Status
- stable
- Domain
-
Review
- Range
-
xsd:string
Property: sourceInfo
Allows the producer(s) of the SPDX document to describe how the package was acquired and/or changed from the original source.
- Status
- stable
- Domain
-
Package
- Range
-
xsd:string
Property: specVersion
Identifies the version of this specification that was used to produce this SPDX document. The value for this version of the spec is SPDX-1.1
. The value SPDX-1.0
may also be supported by SPDX tools for backwards compatibility purposes.
- Status
- stable
- Domain
-
SpdxDocument
- Range
-
xsd:string
Property: standardLicenseHeader
Text specifically delineated by the license, or license appendix, as the preferred way to indicate that a source, or other, file is copyable under the license.
- Status
- stable
- Domain
-
License
- Range
-
xsd:string
Property: summary
Provides a short description of the package.
- Status
- stable
- Domain
-
Package
- Range
-
xsd:string
Property: supplier
The name and, optionally, contact information of the person or organization who was the immediate supplier of this package to the recipient. The supplier may be different than originator
when the software has been repackaged.
Values of this property must conform to the agent and tool syntax.
- Status
- stable
- Domain
-
Package
- Range
-
xsd:string
or the individualspdx:noassertion
Property: versionInfo
Provides an indication of the version of the package that is described by this SpdxDocument
.
- Status
- stable
- Domain
-
Package
- Range
-
xsd:string
Individuals
-
checksumAlgorithm_sha1
-
fileType_archive
-
fileType_binary
-
fileType_other
-
fileType_source
-
noassertion
-
none
Individual: checksumAlgorithm_sha1
Indicates the algorithm used was SHA-1
- Status
- stable
Individual: fileType_archive
Indicates the file is an archive file.
- Status
- stable
Individual: fileType_binary
Indicates the file is not a text file. spdx:filetype_archive
is preferred for archive files even though they are binary.
- Status
- stable
Individual: fileType_other
Indicates the file is not a source, archive or binary file.
- Status
- stable
Individual: fileType_source
Indicates the file is a source code file.
- Status
- stable
Individual: noassertion
Indicates that the preparer of the SPDX document is not making any assertion regarding the value of this field.
- Status
- stable
Individual: none
When this value is used as the object of a property it indicates that the preparer of the SpdxDocument
believes that there is no value for the property. This value should only be used if there is sufficient evidence to support this assertion.
- Status
- stable
Agent and Tool Identifiers
Fields that identify entities that have acted in relation to the SPDX file are single line of text which name the agent or tool and, optionally, provide contact information. For example, "Person: Jane Doe (jane.doe@example.com)", "Organization: ExampleCodeInspect (contact@example.com)" and "Tool: LicenseFind - 1.0". The exact syntax of agent and tool identifications is described below in ABNF.
agent = person / organization tool = "Tool: " name 0*1( " " DASH " " version) person = "Person: " name 0*1contact-info organization = "Organization: " name 0*1contact-info name = 1*( UNRESERVED ) / U+0022 1*( VCHAR-SANS-QUOTE ) U+0022 contact-info = " (" email-addr ")" email-addr = local-name-atom *( "." local-name-atom ) "@" domain-name-atom 1*( "." domain- name-atom ) version = 1*VCHAR-SANS-QUOTE local-name-atom = 1*( ALPHA / DIGIT / ; Printable US-ASCII "!" / "#" / ; characters not including "$" / "%" / ; specials. "&" / "'" / "*" / "+" / "-" / "/" / "=" / "?" / "^" / "_" / "`" / "{" / "|" / "}" / "~" ) domain-name-atom = 1*( ALPHA / DIGIT / "-" ) DASH = U+2010 / U+2212 / ; hyphen, minus, em dash and U+2013 / U+2014 ; en dash UNRESERVED = U+0020-U+0027 / ; visible unicode characters U+0029-U+0080 / ; except '(' and dashes U+00A0-U+200F / U+2011-U+2027 / U+202A-U+2211 / U+2213-U+E01EF VCHAR-SANS-QUOTE = U+0020-U+0021 / ; visible unicode characters U+0023-U+0080 / ; except quotation mark U+00a0-U+E01EF