THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx
Technical Team/SPDX RDF Vocabularies and Terms/1.0/Terms
SPDX Vocabulary Specification
Version:
1.0
Latest Version:
http://spdx.org/rdf/terms
Alternate Formats:
RDF/XML
Turtle
Copyright © 2010-2011 Linux Foundation and its Contributors. All other rights are expressly reserved.
Licensed under the Creative Commons Attribution License 3.0 unported.
Abstract
This specification describes the SPDX language, defined as a dictionary of named properties and classes using W3C's RDF Technology.
SPDX is a designed to allow the exchange of data about software packages. This information includes general information about the package, licensing information about the package as a whole, a manifest of files contained in the package and licensing information related to the contained files.
The spdx prefix used in this document expands to http://spdx.org/rdf/terms#. Any terms in this document without an explicit prefix may be assumed to be in the spdx namespace.
Other vocabularies used by this one
DOAP
Classes
SpdxDocument
CreationInfo
Package
ExtractedLicensingInfo
Checksum
PackageVerificationCode
File
Review
License
ConjunctiveLicenseSet
DisjunctiveLicenseSet
AnyLicenseInfo
SimpleLicenseInfo
Class: SpdxDocument
An SdpxDocument is a summary of the contents, provenance, ownership and licensing analysis of a specific software package. This is, effectively, the top level of SPDX information.
Status:
stable
Properties:
specVersion
Cardinality: Mandatory, one
dataLicense
Cardinality: Mandatory, one
creationInfo
Cardinality: Mandatory, one
describesPackage
Cardinality: Mandatory, one
hasExtractedLicensingInfo
Cardinality: Optional, zero or more
referencesFile
Cardinality: Mandatory, one or more
reviewed
Cardinality: Optional, zero or more.
Class: CreationInfo
A CreationInfo provides information about the individuals, organizations and tools involved in the creation of an SpdxDocument.
Status:
stable
Properties:
creator
Cardinality: Mandatory, one or more
created
Cardinality: Mandatory, one
rdfs:comment
Cardinality: Optional, zero or one
Class: Package
A Package represents a collection of software files that are delivered as a single functional component.
Status:
stable
Properties:
name
Cardinality: Mandatory, one
versionInfo
Cardinality: Optional, zero or one
packageFileName
Cardinality: Mandatory, one
supplier
Cardinality: Optional, zero or one
originator
Cardinality: Optional, zero or one
downloadLocation
Cardinality: Mandatory, one
packageVerificationCode
Cardinality: Mandatory, one
checksum
Cardinality: Optional, zero or one
sourceInfo
Cardinality: Optional, zero or one
licenseConcluded
Cardinality: Mandatory, one
licenseInfoFromFiles
Cardinality: Mandatory, one or more
licenseDeclared
Cardinality: Mandatory, one
licenseComments
Cardinality: Optional, zero or one
copyrightText
Cardinality: Mandatory, one
summary
Cardinality: Optional, zero or one
description
Cardinality: Optional, zero or one
hasFile
Cardinality: Mandatory, one or more
Class: ExtractedLicensingInfo
An ExtractedLicensingInfo represents a license or licensing notice that was found in the package. Any license text that is recognized as a license may be represented as a License rather than an ExtractedLicensingInfo.
Status:
stable
Properties:
licenseId
Cardinality: Mandatory, one
extractedText
Cardinality: Mandatory, one
Class: File
A File represents a named sequence of information that is contained in a software package.
Status:
stable
Properties:
fileName
Cardinality: Mandatory, one
fileType
Cardinality: Optional, zero or one
checksum
Cardinality: Mandatory, one
licenseConcluded
Cardinality: Mandatory, one
licenseInfoInFile
Cardinality: Mandatory, one or more
licenseComments
Cardinality: Optional, zero or one
copyrightText
Cardinality: Mandatory, one
artifactOf
Cardinality: Optional, zero or one
Class: Review
A Review represents an audit and signoff by an individual, organization or tool on the information in an SpdxDocument.
Status:
stable
Properties:
reviewer
Cardinality: Mandatory, one
reviewDate
Cardinality: Mandatory, one
rdfs:comment
Cardinality: Optional, zero or one
Class: License
A License represents a software copyright license. This class is used by the SPDX license list to represent standard licenses.
Status:
stable
Properties:
licenseId
Cardinality: Mandatory, one
licenseText
Cardinality: Mandatory, one
Class: Checksum
A Checksum is value that allows the contents of a file to be authenticated. Even small changes to the content of the file will change it's checksum. This class allows the results of a variety of checksum and cryptographic message digest algorithms to be represented.
Status:
stable
Properties:
algorithm
Cardinality: Mandatory, one
checksumValue
Cardinality: Mandatory, one
Class: PackageVerificationCode
A PackageVerificationCode is a value that allows authentication of the package. This differs from the Checksum in that it uses an algorithm that allows the SPDX file to be embedded in the package. This verification code is produced using a cryptographic hash algorithm applied to a manifest of the package. Some files in the package (e.g. the SPDX files) are explicitly excluded from the verification code. This allows those excluded files to not impact the verification code.
Status:
stable
Properties:
packageVerificationCodeExcludedFile
Cardinality: Optional, zero or more
packageVerificationCodeValue
Cardinality: Mandatory, one
Class: ConjunctiveLicenseSet
A ConjunctiveLicenseSet represents a set of licensing information all of which apply.
This class refines rdfs:Container.
Status:
stable
Properties:
member
Cardinality: Mandatory, two or more.
Class: DisjunctiveLicenseSet
A DisjunctiveLicenseSet represents a set of licensing information where only one license applies at a time. This class implies that the recipient gets to choose one of these licenses they would prefer to use.
This class refines rdfs:Container.
Status:
stable
Properties:
member
Cardinality: Mandatory, two or more.
Class: AnyLicenseInfo
The AnyLicenseInfo class includes all resources that represent licensing information.
Status:
stable
Members
All resources in any of the following classes:
License
ExtractedLicensingInfo
ConjunctiveLicenseSet
DisjunctiveLicenseSet
Class: SimpleLicenseInfo
The SimpleLicenseInfo class includes all resources that represent simple, atomic, licensing information.
Status:
stable
Members
All resources in any of the following classes:
License
ExtractedLicensingInfo
Properties
algorithm
artifactOf
checksum
checksumValue
copyrightText
created
creationInfo
creator
dataLicense
describesPackage
description
downloadLocation
extractedText
fileName
fileType
hasExtractedLicensingInfo
hasFile
licenseComments
licenseConcluded
licenseDeclared
licenseId
licenseText
licenseInfoFromFiles
licenseInfoInFile
member
name
originator
packageFileName
packageVerificationCode
packageVerificationCodeExcludedFile
packageVerificationCodeValue
referencesFile
reviewDate
reviewed
reviewer
sourceInfo
specVerison
summary
supplier
versionInfo
Property: algorithm
Identifies the algorithm used to produce the subject Checksum.
Currently, SHA-1 is the only supported algorithm. It is anticipated that other algorithms will be supported at a later time.
Status: stable
Domain: Checksum
Range:
spdx:checksumAlgorithm_sha1
Property: artifactOf
Indicates the project in which the file originated.
Tools must preserve doap:hompage and doap:name properties and the URI (if one is known) of doap:Project resources that are values of this property. All other properties of doap:Projects are not directly supported by SPDX and may be dropped when translating to or from some SPDX formats.
Status: stable
Domain: File
Range: doap:Project
Property: checksum
The checksum property provides a mechanism that can be used to verify that the contents of a File or Package have not changed.
Status: stable
Domain: Any of:
Package
File
Range:Checksum
Property: checksumValue
The checksumValue property provides a lower case hexidecimal encoded digest value produced using a specific algorithm.
Status: stable
Domain:Checksum
Range:xsd:hexBinary
Property: created
The date and time at which the SpdxDocument was created. This value must in UTC and have 'Z' as its timezone indicator.
Status: stable
Domain:CreationInfo
Range:xsd:dateTime
Property: copyrightText
The text of copyright declarations recited in the Package or File.
Status: stable
Domain: Any of:
Package
File
Range: Any of:
rdfs:Literal
spdx:none
spdx:noassertion
Property: creationInfo
The creationInfo property relates an SpdxDocument to a set of information about the creation of the SpdxDocument.
Status: stable
Domain:SpdxDocument
Range:CreationInfo
Property: creator
The name and, optionally, contact information of a person, organization or tool that created, or was used to create, the SpdxDocument.
Values of this property must conform to the agent and tool syntax.
Status: stable
Domain:CreationInfo
Range:xsd:string
Property: dataLicense
The licensing under which the creator of this SPDX document allows related data to be reproduced.
The only valid value for this property is http://spdx.org/licenses/PDDL-1.0. This is to alleviate any concern that content (the data) in an SPDX file is subject to any form of intellectual property right that could restrict the re-use of the information or the creation of another SPDX file for the same project(s). This approach avoids intellectual property and related restrictions over the SPDX file, however individuals can still contract one to one to restrict release of specific collections of SPDX files (which map to software bill of materials) and the identification of the supplier of SPDX files.
Status: stable
Domain:SpdxDocument
Range:
http://spdx.org/licenses/PDDL-1.0
Property: describesPackage
The describesPackage property relates an SpdxDocument to the package which it describes.
Status: stable
Domain:SpdxDocument
Range:Package
Property: description
Provides a detailed description of the package.
Status: stable
Domain:Package
Range:xsd:string
Property: downloadLocation
The URI at which this package is available for download. Private (i.e., not publicly reachable) URIs are acceptable as values of this property.
The values http://spdx.org/rdf/terms#none and http://spdx.org/rdf/terms#noassertion may be used to specify that the package is not downloadable or that no attempt was made to determine its download location, respectively.
Status: stable
Domain: Package
Range: xsd:anyURI
Property: extractedText
Verbatim license or licensing notice text that was discovered.
Status: stable
Domain: ExtractedLicensingInfo
Range: xsd:string
Property: fileName
The name of the file relative to the root of the package.
Status: stable
Domain:File
Range: xsd:string
Property: fileType
The type of the file.
Status: stable
Domain: File
Range:
One of:
spdx:fileType_source
Indicates the file is a source code file.
spdx:fileType_archive
Indicates the file is an archive file.
spdx:fileType_binary
Indicates the file is not a text file. filetype_archive is preferred for archive files even though they are binary.
spdx:fileType_other
Indicates the file did not fall into any of the other categories.
Property: hasExtractedLicensingInfo
Indicates that a particular ExtractedLicensingInfo was defined in the subject SpdxDocument.
Status: stable
Domain:SpdxDocument
Range:ExtractedLicensingInfo
Property: hasFile
Indicates that a particular file belongs to a package.
Status: stable
Domain:Package
Range:File
Property: licenseComments
The licenseComments property allows the preparer of the SPDX document to describe why the licensing in spdx:licenseConcluded was chosen.
Status: stable
Domain: Any of:
Package
File
Range:xsd:string
Property: licenseConcluded
The licensing that the preparer of this SPDX document has concluded, based on the evidence, actually applies to the package.
Status: stable
Domain: Any of:
Package
File
Range:
Any of:
AnyLicenseInfo
spdx:none
spdx:noassertion
Property: licenseDeclared
The licensing that the creators of the software in the package, or the packager, have declared. Declarations by the original software creator should be preferred, if they exist.
Status: stable
Domain: Package
Range:
Any of:
AnyLicenseInfo
spdx:none
spdx:noassertion
Property: licenseId
A short name for the license that is at least 3 characters long and made up of the characters from the set 'a'-'z', 'A'-'Z', '0'-'9', '+', '_', '.', and '-'. Formally, all licenseId values must match the regular expression: [-+_.a-zA-Z0-9]{3,}
Status:
stable
Domain:
License
ExtractedLicensingInfo
Range: xsd:string
Property: licenseText
The full text of the license.
Status: stable
Domain: License
Range: xsd:string
Property: licenseInfoFromFiles
The licensing information that was discovered directly within the package. There will be an instance of this property for each distinct value of all licenseInfoInFile properties of all files contained in the package.
Status: stable
Domain: Package
Range:
Any of:
SimpleLicenseInfo
spdx:none
spdx:noassertion
Property: licenseInfoInFile
Licensing information that was discovered directly in the subject file.
Status: stable
Domain: File
Range:
Any of:
SimpleLicenseInfo
spdx:none
spdx:noassertion
Property: member
A license, or other licensing information, that is a member of the subject license set.
Status: stable
Domain:
Any of:
ConjunctiveLicenseSet
DisjunctiveLicenseSet
Range: AnyLicenseInfo
Refines: rdfs:member
Property: name
The full name of the package including version information.
Status: stable
Domain:Package
Range: xsd:string
Property: originator
The name and, optionally, contact information of the person or organization that originally created the package.
Values of this property must conform to the agent and tool syntax.
Status: stable
Domain: Package
Range:
xsd:string or the individual spdx:noassertion
Property: packageFileName
The base name of the package file name. For example, zlib-1.2.5.tar.gz.
Status: stable
Domain: Package
Range: xsd:string
Property: packageVerificationCode
A manifest based authentication code for the package. This allows consumers of this data to determine if a package they have in hand is identical to the package from which the data was produced. This algorithm works even if the SPDX document is included in the package. This algorithm is described in detail in the SPDX specification.
The package verification code algorithm is defined in section 4.7 of the full specification.
Status: stable
Domain: Package
Range: PackageVerificationCode
Property: packageVerificationCodeExcludedFile
A file that was excluded when calculating the package verification code. This is usually a file containing SPDX data regarding the package. If a package contains more than one SPDX file all SPDX files must be excluded from the package verification code. If this is not done it would be impossible to correctly calculate the verification codes in both files.
Status: stable
Domain: PackageVerificationCode
Range: xsd:string
Property: packageVerificationCodeValue
The actual package verification code as a hex encoded value.
Status: stable
Domain: PackageVerificationCode
Range:xsd:hexBinary
Property: referencesFile
Indicates that a particular file belongs as part of the set of analyzed files in the SpdxDocument.
Status: stable
Domain:SpdxDocument
Range:File
Property: reviewDate
The date and time at which the SpdxDocument was reviewed. This value must be in UTC and have 'Z' as its timezone indicator.
Status: stable
Domain:Review
Range:xsd:dateTime
Property: reviewed
The review property relates a SpdxDocument to the review history.
Status: stable
Domain:SpdxDocument
Range:Review
Property: reviewer
The name and, optionally, contact information of the person who performed the review.
Values of this property must conform to the agent and tool syntax.
Status: stable
Domain:Review
Range:xsd:string
Property: sourceInfo
Allows the producer(s) of the SPDX document to describe how the package was acquired and/or changed from the original source.
Status: stable
Domain: Package
Range: xsd:string
Property: specVersion
Identifies the version of this specification that was used to produce this SPDX document. Currently the only supported value is SPDX-1.0.
Status: stable
Domain: SpdxDocument
Range: xsd:string
Property: summary
Provides a short description of the package.
Status: stable
Domain: Package
Range: xsd:string
Property: supplier
The name and, optionally, contact information of the person or organization that is the immediate supplier of this package to the recipient. The supplier may be different than originator when the software has been repackaged. For example if you get glibc from RedHat, RedHat is the Package Supplier, but FSF is the originator.
Values of this property must conform to the agent and tool syntax.
Status: stable
Domain: Package
Range:
xsd:string or the individual spdx:noassertion
Property: versionInfo
Provides an indication of the version of the package that is described by this SpdxDocument.
Status: stable
Domain: Package
Range: xsd:string
Individuals
checksumAlgorithm_sha1
fileType_archive
fileType_binary
fileType_other
fileType_source
noassertion
none
Individual: checksumAlgorithm_sha1
Indicates the algorithm used was SHA-1
Status: stable
Individual: fileType_archive
Indicates the file is an archive file.
Status: stable
Individual: fileType_binary
Indicates the file is not a text file. spdx:filetype_archive is preferred for archive files even though they are binary.
Status: stable
Individual: fileType_other
Indicates the file is not a source, archive or binary file.
Status: stable
Individual: fileType_source
Indicates the file is a source code file.
Status: stable
Individual: noassertion
Indicates that the preparer of the SPDX document is not making any assertion
regarding the value of this field.
Status: stable
Individual: none
When this value is used as the object of a property it indicates that the preparer of the SpdxDocument believes that there is no value for the property. This value should only be used if there is sufficient evidence to support this assertion.
Status: stable
Agent and Tool Identifiers
Fields that identify entities that have acted in relation to the SPDX file are single line of text which name the agent or tool and, optionally, provide contact information. For example, "Person: Jane Doe (jane.doe@example.com)", "Organization: ExampleCodeInspect (contact@example.com)" and "Tool: LicenseFind - 1.0". The exact syntax of agent and tool identifications is described below in ABNF.
agent = person / organization
tool = "Tool: " name 0*1( " " DASH " " version)
person = "Person: " name 0*1contact-info
organization = "Organization: " name 0*1contact-info
name = 1*( UNRESERVED ) / U+0022 1*( VCHAR-SANS-QUOTE ) U+0022
contact-info = " (" email-addr ")"
email-addr = local-name-atom *( "." local-name-atom ) "@" domain-name-atom 1*( "." domain-name-atom )
version = 1*VCHAR-SANS-QUOTE
local-name-atom = 1*( ALPHA / DIGIT / ; Printable US-ASCII
"!" / "#" / ; characters not including
"$" / "%" / ; specials.
"&" / "'" /
"*" / "+" /
"-" / "/" /
"=" / "?" /
"^" / "_" /
"`" / "{" /
"|" / "}" /
"~" )
domain-name-atom = 1*( ALPHA / DIGIT / "-" )
DASH = U+2010 / U+2212 / ; hyphen, minus, em dash and
U+2013 / U+2014 ; en dash
UNRESERVED = U+0020-U+0027 / ; visible unicode characters
U+0029-U+0080 / ; except '(' and dashes
U+00A0-U+200F /
U+2011-U+2027 /
U+202A-U+2211 /
U+2213-U+E01EF
VCHAR-SANS-QUOTE = U+0020-U+0021 / ; visible unicode characters
U+0023-U+0080 / ; except quotation mark
U+00a0-U+E01EF