diff --git a/dev/gen_python_model_from_spec.py b/dev/gen_python_model_from_spec.py new file mode 100644 index 000000000..9b0a70946 --- /dev/null +++ b/dev/gen_python_model_from_spec.py @@ -0,0 +1,134 @@ +# SPDX-FileCopyrightText: 2023 spdx contributors +# +# SPDX-License-Identifier: Apache-2.0 + +""" +Auto-generates the python model representation from the SPDX3 model spec. + +Usage: fetch a fresh copy of the spdx-3-model and the spec-parser, then generate a json dump of the model with +the spec-parser: + + python main.py --json-dump ../spdx-3-model/model + +Copy the generated `model_dump.json` in `md_generated` next to this file, then run it: + + python gen_python_model_from_spec.py + +Commit resulting changes. + +Note: needs an additional dependency for proper formatting of docstrings: + + pip install mistletoe +""" + +import json +import os.path +from pathlib import Path + +from model_gen.gen_class import GenClassFromSpec +from model_gen.general_templates import FILE_HEADER +from model_gen.utils import ( + SPECIAL_TYPE_MAPPINGS, + get_file_path, + get_python_docstring, + get_qualified_name, + namespace_name_to_python, +) +from model_gen.vocab_templates import VOCAB_ENTRY, VOCAB_FILE, VOCAB_STR_TO_VALUE, VOCAB_VALUE_TO_STR + +from spdx_tools.spdx.casing_tools import camel_case_to_snake_case + +# TODO: use the actual model package path rather than a separate path +output_dir = os.path.join(os.path.dirname(__file__), "../src/spdx_tools/spdx3/new_model") + + +class GenPythonModelFromSpec: + namespace_imports: str + init_imports: dict[str, dict[str, str]] + + def __init__(self): + self.namespace_imports = "" + self.init_imports = {} + + def create_namespace_import(self, model: dict): + namespaces = [namespace_name_to_python(namespace["name"]) for namespace in model.values()] + if namespaces: + self.namespace_imports = "from . import " + ", ".join(namespaces) + + def handle_class(self, clazz: dict, namespace_name: str, model: dict): + qualified_name = get_qualified_name(clazz["metadata"]["name"], namespace_name) + if qualified_name in SPECIAL_TYPE_MAPPINGS: + # do not generate Python classes for types we are mapping differently + return + + clsinfo = GenClassFromSpec(clazz, namespace_name, model, output_dir) + clsinfo.gen_file() + + if namespace_name not in self.init_imports: + self.init_imports[namespace_name] = dict() + self.init_imports[namespace_name][clsinfo.filename] = clsinfo.typename + + def handle_vocab(self, vocab: dict, namespace_name: str): + typename = vocab["metadata"]["name"] + python_typename = camel_case_to_snake_case(typename) + values_text = "\n".join([VOCAB_ENTRY.format(value=camel_case_to_snake_case(value).upper(), + docstring=get_python_docstring(description, 4)) for + value, description in vocab["entries"].items()]) + values_to_str_text = "\n".join([VOCAB_VALUE_TO_STR.format(python_value=camel_case_to_snake_case(value).upper(), + str_value=value, typename=typename) for value in + vocab["entries"]]) + str_to_values_text = "\n".join([VOCAB_STR_TO_VALUE.format(python_value=camel_case_to_snake_case(value).upper(), + str_value=value, typename=typename) for value in + vocab["entries"]]) + docstring = get_python_docstring(vocab["description"], 4) + file_path = get_file_path(typename, namespace_name, output_dir) + with open(file_path, "w") as output_file: + output_file.write(VOCAB_FILE.format(typename=typename, values=values_text, + values_to_str=values_to_str_text, str_to_values=str_to_values_text, + python_typename=python_typename, docstring=docstring)) + + if namespace_name not in self.init_imports: + self.init_imports[namespace_name] = dict() + self.init_imports[namespace_name][python_typename] = typename + + def handle_namespace(self, namespace: dict, model: dict): + namespace_name = namespace["name"] + namespace_path = os.path.join(output_dir, namespace_name_to_python(namespace_name)) + os.makedirs(namespace_path, exist_ok=True) + for clazz in namespace["classes"].values(): + self.handle_class(clazz, namespace_name, model) + for vocab in namespace["vocabs"].values(): + self.handle_vocab(vocab, namespace_name) + + if namespace_name in self.init_imports: + with open(os.path.join(output_dir, namespace_name_to_python(namespace_name), "__init__.py"), + "w") as init_file: + init_file.write(FILE_HEADER) + for module, typename in sorted(self.init_imports[namespace_name].items()): + init_file.write(f"from .{module} import {typename}\n") + + def run(self): + os.makedirs(output_dir, exist_ok=True) + Path(os.path.join(output_dir, "__init__.py")).touch() + + with open("model_dump.json") as model_file: + model = json.load(model_file) + + self.create_namespace_import(model) + + for namespace in model.values(): + self.handle_namespace(namespace, model) + + with open(os.path.join(output_dir, "__init__.py"), "w") as init_file: + init_file.write(FILE_HEADER) + namespace_imports = ", ".join( + [namespace_name_to_python(namespace) for namespace in self.init_imports.keys()]) + init_file.write(f"from . import {namespace_imports}\n") + init_file.write("from .core import *\n") + + os.system(f'black "{output_dir}"') + os.system(f'isort "{output_dir}"') + + +if __name__ == "__main__": + GenPythonModelFromSpec().run() diff --git a/dev/model_dump.json b/dev/model_dump.json new file mode 100644 index 000000000..76b71d9cd --- /dev/null +++ b/dev/model_dump.json @@ -0,0 +1,4461 @@ +{ + "ExpandedLicensing": { + "name": "ExpandedLicensing", + "classes": { + "ListedLicense": { + "summary": "A license that is listed on the SPDX License List.", + "description": "A ListedLicense represents a License that is listed on the SPDX License List\nat https://spdx.org/licenses.", + "metadata": { + "name": "ListedLicense", + "SubclassOf": "License", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/ListedLicense" + }, + "properties": { + "listVersionAdded": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "deprecatedVersion": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} + }, + "WithAdditionOperator": { + "summary": "Portion of an AnyLicenseInfo representing a License which has additional\ntext applied to it.", + "description": "A WithAdditionOperator indicates that the designated License is subject to the\ndesignated LicenseAddition, which might be a license exception on the SPDX\nExceptions List (ListedLicenseException) or may be other additional text\n(CustomLicenseAddition). It is represented in the SPDX License Expression\nSyntax by the `WITH` operator.", + "metadata": { + "name": "WithAdditionOperator", + "SubclassOf": "/SimpleLicensing/AnyLicenseInfo", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/WithAdditionOperator" + }, + "properties": { + "subjectLicense": { + "type": "ExtendableLicense", + "minCount": "1", + "maxCount": "1" + }, + "subjectAddition": { + "type": "LicenseAddition", + "minCount": "1", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} + }, + "License": { + "summary": "Abstract class for the portion of an AnyLicenseInfo representing a license.", + "description": "A License represents a license text, whether listed on the SPDX License List\n(ListedLicense) or defined by an SPDX data creator (CustomLicense).", + "metadata": { + "name": "License", + "SubclassOf": "ExtendableLicense", + "Instantiability": "Abstract", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/License" + }, + "properties": { + "/SimpleLicensing/licenseText": { + "type": "xsd:string", + "minCount": "1", + "maxCount": "1" + }, + "isOsiApproved": { + "type": "xsd:boolean", + "minCount": "0", + "maxCount": "1" + }, + "isFsfLibre": { + "type": "xsd:boolean", + "minCount": "0", + "maxCount": "1" + }, + "standardLicenseHeader": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "standardLicenseTemplate": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "isDeprecatedLicenseId": { + "type": "xsd:boolean", + "minCount": "0", + "maxCount": "1" + }, + "obsoletedBy": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} + }, + "CustomLicenseAddition": { + "summary": "A license addition that is not listed on the SPDX Exceptions List.", + "description": "A CustomLicenseAddition represents an addition to a License that is not listed\non the SPDX Exceptions List at https://spdx.org/licenses/exceptions-index.html,\nand is therefore defined by an SPDX data creator.\n\nIt is intended to represent additional language which is meant to be added to\na License, but which is not itself a standalone License.", + "metadata": { + "name": "CustomLicenseAddition", + "SubclassOf": "LicenseAddition", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/CustomLicenseAddition" + }, + "properties": {}, + "externalPropertyRestrictions": {} + }, + "ConjunctiveLicenseSet": { + "summary": "Portion of an AnyLicenseInfo representing a set of licensing information\nwhere all elements apply.", + "description": "A ConjunctiveLicenseSet indicates that _each_ of its subsidiary\nAnyLicenseInfos apply. In other words, a ConjunctiveLicenseSet of two or\nmore licenses represents a licensing situation where _all_ of the specified\nlicenses are to be complied with. It is represented in the SPDX License\nExpression Syntax by the `AND` operator.\n\nIt is syntactically correct to specify a ConjunctiveLicenseSet where the\nsubsidiary AnyLicenseInfos may be \"incompatible\" according to a particular\ninterpretation of the corresponding Licenses. The SPDX License Expression\nSyntax does not take into account interpretation of license texts, which is\nleft to the consumer of SPDX data to determine for themselves.", + "metadata": { + "name": "ConjunctiveLicenseSet", + "SubclassOf": "/SimpleLicensing/AnyLicenseInfo", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/ConjunctiveLicenseSet" + }, + "properties": { + "member": { + "type": "/SimpleLicensing/AnyLicenseInfo", + "minCount": "2", + "maxCount": "*" + } + }, + "externalPropertyRestrictions": {} + }, + "LicenseAddition": { + "summary": "Abstract class for additional text intended to be added to a License, but\nwhich is not itself a standalone License.", + "description": "A LicenseAddition represents text which is intended to be added to a License\nas additional text, but which is not itself intended to be a standalone\nLicense.\n\nIt may be an exception which is listed on the SPDX Exceptions List\n(ListedLicenseException), or may be any other additional text (as an exception\nor otherwise) which is defined by an SPDX data creator (CustomLicenseAddition).", + "metadata": { + "name": "LicenseAddition", + "SubclassOf": "/Core/Element", + "Instantiability": "Abstract", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/LicenseAddition" + }, + "properties": { + "additionText": { + "type": "xsd:string", + "minCount": "1", + "maxCount": "1" + }, + "standardAdditionTemplate": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "isDeprecatedAdditionId": { + "type": "xsd:boolean", + "minCount": "0", + "maxCount": "1" + }, + "obsoletedBy": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} + }, + "OrLaterOperator": { + "summary": "Portion of an AnyLicenseInfo representing this version, or any later version,\nof the indicated License.", + "description": "An OrLaterOperator indicates that this portion of the AnyLicenseInfo\nrepresents either (1) the specified version of the corresponding License, or\n(2) any later version of that License. It is represented in the SPDX License\nExpression Syntax by the `+` operator.\n\nIt is context-dependent, and unspecified by SPDX, as to what constitutes a\n\"later version\" of any particular License. Some Licenses may not be versioned,\nor may not have clearly-defined ordering for versions. The consumer of SPDX\ndata will need to determine for themselves what meaning to attribute to a\n\"later version\" operator for a particular License.", + "metadata": { + "name": "OrLaterOperator", + "SubclassOf": "ExtendableLicense", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/OrLaterOperator" + }, + "properties": { + "subjectLicense": { + "type": "License", + "minCount": "1", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} + }, + "DisjunctiveLicenseSet": { + "summary": "Portion of an AnyLicenseInfo representing a set of licensing information\nwhere only any one of the elements applies.", + "description": "A DisjunctiveLicenseSet indicates that _only one_ of its subsidiary\nAnyLicenseInfos is required to apply. In other words, a\nDisjunctiveLicenseSet of two or more licenses represents a licensing\nsituation where _only one_ of the specified licenses are to be complied with.\nA consumer of SPDX data would typically understand this to permit the recipient\nof the licensed content to choose which of the corresponding license they\nwould prefer to use. It is represented in the SPDX License Expression Syntax\nby the `OR` operator.", + "metadata": { + "name": "DisjunctiveLicenseSet", + "SubclassOf": "/SimpleLicensing/AnyLicenseInfo", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/DisjunctiveLicenseSet" + }, + "properties": { + "member": { + "type": "/SimpleLicensing/AnyLicenseInfo", + "minCount": "2", + "maxCount": "*" + } + }, + "externalPropertyRestrictions": {} + }, + "CustomLicense": { + "summary": "A license that is not listed on the SPDX License List.", + "description": "A CustomLicense represents a License that is not listed on the SPDX License\nList at https://spdx.org/licenses, and is therefore defined by an SPDX data\ncreator.", + "metadata": { + "name": "CustomLicense", + "SubclassOf": "License", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/CustomLicense" + }, + "properties": {}, + "externalPropertyRestrictions": {} + }, + "ListedLicenseException": { + "summary": "A license exception that is listed on the SPDX Exceptions list.", + "description": "A ListedLicenseException represents an exception to a License (in other words,\nan exception to a license condition or an additional permission beyond those\ngranted in a License) which is listed on the SPDX Exceptions List at\nhttps://spdx.org/licenses/exceptions-index.html.", + "metadata": { + "name": "ListedLicenseException", + "SubclassOf": "LicenseAddition", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/ListedLicenseException" + }, + "properties": { + "listVersionAdded": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "deprecatedVersion": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} + }, + "ExtendableLicense": { + "summary": "Abstract class representing a License or an OrLaterOperator.", + "description": "The WithAdditionOperator can have a License or an OrLaterOperator as the license property value. This class is used for the value.", + "metadata": { + "name": "ExtendableLicense", + "SubclassOf": "/Licensing/AnyLicenseInfo", + "Instantiability": "Abstract", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/ExtendableLicense" + }, + "properties": {}, + "externalPropertyRestrictions": {} + } + }, + "properties": { + "seeAlso": { + "summary": "Contains a URL where the License or LicenseAddition can be found in use.", + "description": "A seeAlso defines a cross-reference with a URL where the License or\nLicenseAddition can be found in use by one or a few projects.\n\nIf applicable, it should include a URL where the license text is posted by\nthe license steward, particularly if the license steward has made available a\n\"canonical\" primary URL for the license text.\n\nIf the license is OSI approved, a seeAlso should be included with the URL for\nthe license's listing on the OSI website.\n\nThe seeAlso URL may refer to a previously-available URL for the License or\nLicenseAddition which is no longer active.\n\nWhere applicable, the seeAlso URL should include the license text in its\nnative language. seeAlso URLs to English or other translations may be included\nwhere multiple, equivalent official translations exist.", + "metadata": { + "name": "seeAlso", + "Nature": "DataProperty", + "Range": "xsd:anyURI", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/seeAlso" + } + }, + "standardLicenseHeader": { + "summary": "Provides a License author's preferred text to indicate that a file is covered\nby the License.", + "description": "A standardLicenseHeader contains the plain text of the License author's\npreferred wording to be used, typically in a source code file's header\ncomments or similar location, to indicate that the file is subject to\nthe specified License.", + "metadata": { + "name": "standardLicenseHeader", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/standardLicenseHeader", + "Domain": [ + "License" + ] + } + }, + "licenseName": { + "summary": "Identifies the full name of a License.", + "description": "A licenseName contains the full name of a License, preferably using the title found\nin the applicable license text or file, or as otherwise specified by the\nLicense's author or steward.\n\nWhen no such title is specified, using a name from another well-known source or list\nof licenses (such as OSI or Fedora) is suggested.\n\nIf no official or common name is known, any name may be used to aid in\ndistinguishing the License from other Licenses.", + "metadata": { + "name": "licenseName", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/licenseName" + } + }, + "isDeprecatedLicenseId": { + "summary": "Specifies whether a license or additional text identifier has been marked as\ndeprecated.", + "description": "The isDeprecatedLicenseId property specifies whether an identifier for a\nLicense or LicenseAddition has been marked as deprecated. If the property\nis not defined, then it is presumed to be false (i.e., not deprecated).\n\nIf the License or LicenseAddition is included on the SPDX License List, then\nthe `deprecatedVersion` property indicates on which version release of the\nLicense List it was first marked as deprecated.\n\n\"Deprecated\" in this context refers to deprecating the use of the\n_identifier_, not the underlying license. In other words, even if a License's\nauthor or steward has stated that a particular License generally should not be\nused, that would _not_ mean that the License's identifier is \"deprecated.\"\nRather, a License or LicenseAddition operator is typically marked as\n\"deprecated\" when it is determined that use of another identifier is\npreferable.", + "metadata": { + "name": "isDeprecatedLicenseId", + "Nature": "DataProperty", + "Range": "xsd:boolean", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/isDeprecatedLicenseId", + "Domain": [ + "License" + ] + } + }, + "isDeprecatedAdditionId": { + "summary": "Specifies whether an additional text identifier has been marked as deprecated.", + "description": "The isDeprecatedAdditionId property specifies whether an identifier for a\nLicenseAddition has been marked as deprecated. If the property is not defined,\nthen it is presumed to be false (i.e., not deprecated).\n\nIf the LicenseAddition is included on the SPDX Exceptions List, then\nthe `deprecatedVersion` property indicates on which version release of the\nExceptions List it was first marked as deprecated.\n\n\"Deprecated\" in this context refers to deprecating the use of the\n_identifier_, not the underlying license addition. In other words, even if a\nLicenseAddition's author or steward has stated that a particular\nLicenseAddition generally should not be used, that would _not_ mean that the\nLicenseAddition's identifier is \"deprecated.\" Rather, a LicenseAddition\noperator is typically marked as \"deprecated\" when it is determined that use of\nanother identifier is preferable.", + "metadata": { + "name": "isDeprecatedAdditionId", + "Nature": "DataProperty", + "Range": "xsd:boolean", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/isDeprecatedAdditionId", + "Domain": [ + "LicenseAddition" + ] + } + }, + "subjectLicense": { + "summary": "A License participating in a 'with addition' or 'or later' model.", + "description": "A subjectLicense is a License which is subject to either an 'or later' effect\n(OrLaterOperator) or a 'with additional text' effect (WithAdditionOperator).", + "metadata": { + "name": "subjectLicense", + "Nature": "ObjectProperty", + "Range": "License", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/subjectLicense", + "Domain": [ + "WithAdditionOperator", + "OrLaterOperator" + ] + } + }, + "additionText": { + "summary": "Identifies the full text of a LicenseAddition.", + "description": "An additionText contains the plain text of the LicenseAddition, without\ntemplating or other similar markup.\n\nUsers of the additionText for a License can apply the SPDX Matching Guidelines\nwhen comparing it to another text for matching purposes.", + "metadata": { + "name": "additionText", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/additionText", + "Domain": [ + "LicenseAddition" + ] + } + }, + "isFsfLibre": { + "summary": "Specifies whether the License is listed as free by the\n[Free Software Foundation (FSF)](https://fsf.org).", + "description": "isFsfLibre specifies whether the [Free Software Foundation FSF](https://fsf.org)\nhas listed this License as \"free\" in their commentary on licenses, located at\nthe time of this writing at https://www.gnu.org/licenses/license-list.en.html.\n\nA value of \"true\" indicates that the FSF has listed this License as _free_.\n\nA value of \"false\" indicates that the FSF has listed this License as _not free_.\n\nIf the isFsfLibre field is not specified, the SPDX data creator makes no\nassertions about whether the License is listed in the FSF's commentary.", + "metadata": { + "name": "isFsfLibre", + "Nature": "DataProperty", + "Range": "xsd:boolean", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/isFsfLibre", + "Domain": [ + "License" + ] + } + }, + "listVersionAdded": { + "summary": "Specifies the SPDX License List version in which this ListedLicense or\nListedLicenseException identifier was first added.", + "description": "A listVersionAdded for a ListedLicense or ListedLicenseException on the SPDX\nLicense List specifies which version release of the License List was the first\none in which it was included.", + "metadata": { + "name": "listVersionAdded", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/listVersionAdded", + "Domain": [ + "ListedLicense", + "ListedLicenseException" + ] + } + }, + "subjectAddition": { + "summary": "A LicenseAddition participating in a 'with addition' model.", + "description": "A subjectAddition is a LicenseAddition which is subject to a 'with additional\ntext' effect (WithAdditionOperator).", + "metadata": { + "name": "subjectAddition", + "Nature": "ObjectProperty", + "Range": "LicenseAddition", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/subjectAddition", + "Domain": [ + "WithAdditionOperator" + ] + } + }, + "obsoletedBy": { + "summary": "Specifies the licenseId that is preferred to be used in place of a deprecated\nLicense or LicenseAddition.", + "description": "An obsoletedBy value for a deprecated License or LicenseAddition specifies\nthe licenseId of the replacement License or LicenseAddition that is preferred\nto be used in its place. It should use the same format as specified for a\nlicenseId.\n\nThe License's or LicenseAddition's comment value may include more information\nabout the reason why the licenseId specified in the obsoletedBy value is\npreferred.", + "metadata": { + "name": "obsoletedBy", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/obsoletedBy", + "Domain": [ + "License", + "LicenseAddition" + ] + } + }, + "standardLicenseTemplate": { + "summary": "Identifies the full text of a License, in SPDX templating format.", + "description": "A standardLicenseTemplate contains a license template which describes\nsections of the License text which can be varied. See the Legacy Text Template\nformat section of the SPDX specification for format information.", + "metadata": { + "name": "standardLicenseTemplate", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/standardLicenseTemplate", + "Domain": [ + "License" + ] + } + }, + "additionName": { + "summary": "Identifies the full name of a LicenseAddition.", + "description": "An additionName contains the full name of a LicenseAddition, preferably using\nthe title found in the applicable license addition text or file, or as\notherwise specified by the LicenseAddition's author or steward.\n\nWhen no such title is specified, using a name from another well-known source or list\nof licenses additions (such as OSI or Fedora) is suggested.\n\nIf no official or common name is known, any name may be used to aid in\ndistinguishing the LicenseAddition from other LicenseAdditions.", + "metadata": { + "name": "additionName", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/additionName" + } + }, + "standardAdditionTemplate": { + "summary": "Identifies the full text of a LicenseAddition, in SPDX templating format.", + "description": "A standardAdditionTemplate contains a license addition template which describes\nsections of the LicenseAddition text which can be varied. See the Legacy Text\nTemplate format section of the SPDX specification for format information.", + "metadata": { + "name": "standardAdditionTemplate", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/standardAdditionTemplate", + "Domain": [ + "LicenseAddition" + ] + } + }, + "licenseComment": { + "summary": "Identifies general comments about the License.", + "description": "A licenseComment describes general factual information about the License. It\nshould not contain information (or links to information) that includes any kind\nof interpretation about the meaning or effect of the License, even if written\nby the license's author.\n\nExamples of information for a licenseComment may include the following:\n\n* If the License's identifier is deprecated, it may briefly explain the reason\n for deprecation.\n* It may include the date of release, if identified, for Licenses with multiple\n versions.\n* It may include links to other official language translations for the License.\n* For LicenseAdditions, it may include a reference to the License(s) with\n which this additional text is typically used.", + "metadata": { + "name": "licenseComment", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/licenseComment" + } + }, + "deprecatedVersion": { + "summary": "Specifies the SPDX License List version in which this license or exception\nidentifier was deprecated.", + "description": "A deprecatedVersion for a ListedLicense or ListedLicenseException on the SPDX\nLicense List specifies which version release of the License List was the first\none in which it was marked as deprecated.", + "metadata": { + "name": "deprecatedVersion", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/deprecatedVersion", + "Domain": [ + "ListedLicense", + "ListedLicenseException" + ] + } + }, + "member": { + "summary": "A license expression participating in a license set.", + "description": "A member is a license expression participating in a conjunctive (of type\nConjunctiveLicenseSet) or a disjunctive (of type DisjunctiveLicenseSet)\nlicense set.", + "metadata": { + "name": "member", + "Nature": "ObjectProperty", + "Range": "/SimpleLicensing/AnyLicenseInfo", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/member", + "Domain": [ + "ConjunctiveLicenseSet", + "DisjunctiveLicenseSet" + ] + } + }, + "licenseId": { + "summary": "Provides a short, unique identifier to refer to a License.", + "description": "A licenseId contains a human-readable, short-form license identifier for a\nLicense. It may only include letters, numbers, period (\".\") and hyphen (\"-\")\ncharacters.\n\nFor a ListedLicense, the licenseId will be as specified on the\n[SPDX License List](https://spdx.org/licenses) for the particular license.\n\nFor a CustomLicense, the short-form license identifier must begin with the\nprefix `LicenseRef-` and must be unique within the applicable SPDX namespace.\nThe short-form license ID may be preceded by an SPDX namespace or a\nfully-qualified URI prefix.", + "metadata": { + "name": "licenseId", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/licenseId" + } + }, + "additionId": { + "summary": "Provides a short, unique identifier to refer to a LicenseAddition.", + "description": "An additionId contains a human-readable, short-form identifier for a\nLicenseAddition. It may only include letters, numbers, period (\".\") and\nhyphen (\"-\") characters.\n\nFor a ListedLicenseException, the licenseId will be as specified on the\n[SPDX Exceptions List](https://spdx.org/licenses/exceptions-index.html) for the\nparticular exception.\n\nFor a CustomLicenseAddition, the short-form identifier must begin with the\nprefix `AdditionRef-` and must be unique within the applicable SPDX namespace.\nThe short-form identifier may be preceded by an SPDX namespace or a\nfully-qualified URI prefix.", + "metadata": { + "name": "additionId", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/additionId" + } + }, + "isOsiApproved": { + "summary": "Specifies whether the License is listed as approved by the\n[Open Source Initiative (OSI)](https://opensource.org).", + "description": "isOsiApproved specifies whether the [Open Source Initiative (OSI)](https://opensource.org)\nhas listed this License as \"approved\" in their list of OSI Approved Licenses,\nlocated at the time of this writing at https://opensource.org/licenses/.\n\nA value of \"true\" indicates that the OSI has listed this License as approved.\n\nA value of \"false\" indicates that the OSI has not listed this License as\napproved.\n\nIf the isOsiApproved field is not specified, the SPDX data creator makes no\nassertions about whether the License is approved by the OSI.", + "metadata": { + "name": "isOsiApproved", + "Nature": "DataProperty", + "Range": "xsd:boolean", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/isOsiApproved", + "Domain": [ + "License" + ] + } + }, + "additionComment": { + "summary": "Identifies general comments about the LicenseAddition.", + "description": "An additionComment for a LicenseAddition describes general factual information\nabout the LicenseAddition. It should not contain information (or links to\ninformation) that includes any kind of interpretation about the meaning or\neffect of the License, even if written by the license addition's author.\n\nExamples of information for an additionComment may include the following:\n\n* If the LicenseAddition's identifier is deprecated, it may briefly explain the\n reason for deprecation.\n* It may include the date of release, if identified, for LicenseAdditions with\n multiple versions.\n* It may include links to other official language translations for the\n LicenseAddition.\n* It may include a reference to the License(s) with which this LicenseAddition\n is typically used.", + "metadata": { + "name": "additionComment", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/additionComment" + } + } + }, + "vocabs": {} + }, + "Core": { + "name": "Core", + "classes": { + "PositiveIntegerRange": { + "summary": "A tuple of two positive integers that define a range.", + "description": "PositiveIntegerRange is a tuple of two positive integers that define a range.\n\"begin\" must be less than or equal to \"end\".", + "metadata": { + "name": "PositiveIntegerRange", + "SubclassOf": "owl:Thing", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/PositiveIntegerRange" + }, + "properties": { + "begin": { + "type": "xsd:positiveInteger", + "minCount": "1", + "maxCount": "1" + }, + "end": { + "type": "xsd:positiveInteger", + "minCount": "1", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} + }, + "ElementCollection": { + "summary": "A collection of Elements, not necessarily with unifying context.", + "description": "An SpdxCollection is a collection of Elements, not necessarily with unifying context.", + "metadata": { + "name": "ElementCollection", + "SubclassOf": "Element", + "Instantiability": "Abstract", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/ElementCollection" + }, + "properties": { + "element": { + "type": "Element", + "minCount": "1", + "maxCount": "*" + }, + "rootElement": { + "type": "Element", + "minCount": "1", + "maxCount": "*" + }, + "imports": { + "type": "ExternalMap", + "minCount": "0", + "maxCount": "*" + } + }, + "externalPropertyRestrictions": {} + }, + "ExternalReference": { + "summary": "A reference to a resource outside the scope of SPDX-3.0 content.", + "description": "An External Reference points to a resource outside the scope of the SPDX-3.0 content\nthat provides additional characteristics of an Element.", + "metadata": { + "name": "ExternalReference", + "SubclassOf": "owl:Thing", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/ExternalReference" + }, + "properties": { + "externalReferenceType": { + "type": "ExternalReferenceType", + "maxCount": "1", + "minCount": "0" + }, + "locator": { + "type": "xsd:anyURI", + "minCount": "0", + "maxCount": "*" + }, + "contentType": { + "type": "MediaType", + "maxCount": "1", + "minCount": "0" + }, + "comment": { + "type": "xsd:string", + "maxCount": "1", + "minCount": "0" + } + }, + "externalPropertyRestrictions": {} + }, + "ExternalIdentifier": { + "summary": "A reference to a resource outside the scope of SPDX-3.0 content that uniquely identifies an Element.", + "description": "An ExternalIdentifier is a reference to a resource outside the scope of SPDX-3.0 content\nthat uniquely identifies an Element.", + "metadata": { + "name": "ExternalIdentifier", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/ExternalIdentifier" + }, + "properties": { + "externalIdentifierType": { + "type": "ExternalIdentifierType", + "minCount": "1", + "maxCount": "1" + }, + "identifier": { + "type": "xsd:string", + "minCount": "1", + "maxCount": "1" + }, + "comment": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "identifierLocator": { + "type": "xsd:anyURI", + "minCount": "0", + "maxCount": "*" + }, + "issuingAuthority": { + "type": "xsd:anyURI", + "minCount": "0", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} + }, + "Bom": { + "summary": "A container for a grouping of SPDX-3.0 content characterizing details\n(provenence, composition, licensing, etc.) about a product.", + "description": "A Bill Of Materials (BOM) is a container for a grouping of SPDX-3.0 content\ncharacterizing details about a product.\nThis could include details of the content and composition of the product,\nprovenence details of the product and/or\nits composition, licensing information, known quality or security issues, etc.", + "metadata": { + "name": "Bom", + "SubclassOf": "Bundle", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/Bom" + }, + "properties": {}, + "externalPropertyRestrictions": {} + }, + "SpdxDocument": { + "summary": "Assembles a collection of Elements under a common string, the name of the document.", + "description": "An SpdxDocument assembles a collection of Elements under a common string, the name of the document.\nCommonly used when representing a unit of transfer of SPDX Elements.\nExternal property restriction on /Core/Element/name: minCount: 1", + "metadata": { + "name": "SpdxDocument", + "SubclassOf": "Bundle", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/SpdxDocument" + }, + "properties": {}, + "externalPropertyRestrictions": { + "/Core/Element/name": { + "minCount": "1", + "maxCount": "*" + } + } + }, + "Tool": { + "summary": "An element of hardware and/or software utilized to carry out a particular function.", + "description": "A Tool is an element of hardware and/or software utilized to carry out a particular function.", + "metadata": { + "name": "Tool", + "SubclassOf": "Element", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/Tool" + }, + "properties": {}, + "externalPropertyRestrictions": {} + }, + "CreationInfo": { + "summary": "Provides information about the creation of the Element.", + "description": "The CreationInfo provides information about who created the Element, and when and how it was created. \n\nThe dateTime created is often the date of last change (e.g., a git commit date), not the date when the SPDX data was created, as doing so supports reproducible builds.", + "metadata": { + "name": "CreationInfo", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/CreationInfo" + }, + "properties": { + "specVersion": { + "type": "SemVer", + "minCount": "1", + "maxCount": "1" + }, + "comment": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "created": { + "type": "DateTime", + "maxCount": "1", + "minCount": "0" + }, + "createdBy": { + "type": "Agent", + "minCount": "1", + "maxCount": "*" + }, + "createdUsing": { + "type": "Tool", + "minCount": "0", + "maxCount": "*" + }, + "profile": { + "type": "ProfileIdentifierType", + "minCount": "1", + "maxCount": "*" + }, + "dataLicense": { + "type": "xsd:string", + "maxCount": "1", + "minCount": "0" + } + }, + "externalPropertyRestrictions": {} + }, + "Organization": { + "summary": "A group of people who work together in an organized way for a shared purpose.", + "description": "An Organization is a group of people who work together in an organized way for a shared purpose.", + "metadata": { + "name": "Organization", + "SubclassOf": "Agent", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/Organization" + }, + "properties": {}, + "externalPropertyRestrictions": {} + }, + "LifecycleScopedRelationship": { + "summary": "", + "description": "TODO", + "metadata": { + "name": "LifecycleScopedRelationship", + "SubclassOf": "Relationship", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/LifecycleScopedRelationship" + }, + "properties": { + "scope": { + "type": "LifecycleScopeType", + "minCount": "0", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} + }, + "SoftwareAgent": { + "summary": "A software agent.", + "description": "A SoftwareAgent is a software program that is given the authority (similar to a user's authority) to act on a system.", + "metadata": { + "name": "SoftwareAgent", + "SubclassOf": "Agent", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/SoftwareAgent" + }, + "properties": {}, + "externalPropertyRestrictions": {} + }, + "IntegrityMethod": { + "summary": "Provides an independently reproducible mechanism that permits verification of a specific Element.", + "description": "An IntegrityMethod provides an independently reproducible mechanism that permits verification\nof a specific Element that correlates to the data in this SPDX document. This identifier enables\na recipient to determine if anything in the original Element has been changed and eliminates\nconfusion over which version or modification of a specific Element is referenced.", + "metadata": { + "name": "IntegrityMethod", + "Instantiability": "Abstract", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/IntegrityMethod" + }, + "properties": { + "comment": { + "type": "xsd:string", + "maxCount": "1", + "minCount": "0" + } + }, + "externalPropertyRestrictions": {} + }, + "Relationship": { + "summary": "Describes a relationship between one or more elements.", + "description": "A Relationship is a grouping of characteristics unique to an assertion\nthat one Element is related to one or more other Elements in some way.", + "metadata": { + "name": "Relationship", + "SubclassOf": "Element", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/Relationship" + }, + "properties": { + "from": { + "type": "Element", + "minCount": "1", + "maxCount": "1" + }, + "to": { + "type": "Element", + "minCount": "0", + "maxCount": "*" + }, + "relationshipType": { + "type": "RelationshipType", + "minCount": "1", + "maxCount": "1" + }, + "completeness": { + "type": "RelationshipCompleteness", + "minCount": "0", + "maxCount": "1" + }, + "startTime": { + "type": "DateTime", + "minCount": "0", + "maxCount": "1" + }, + "endTime": { + "type": "DateTime", + "minCount": "0", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} + }, + "Element": { + "summary": "Base domain class from which all other SPDX-3.0 domain classes derive.", + "description": "An Element is a representation of a fundamental concept either directly inherent\nto the Bill of Materials (BOM) domain or indirectly related to the BOM domain\nand necessary for contextually characterizing BOM concepts and relationships.\nWithin SPDX-3.0 structure this is the base class acting as a consistent,\nunifying, and interoperable foundation for all explicit\nand inter-relatable content objects.", + "metadata": { + "name": "Element", + "SubclassOf": "owl:Thing", + "Instantiability": "Abstract", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/Element" + }, + "properties": { + "spdxId": { + "type": "xsd:anyURI", + "minCount": "1", + "maxCount": "1" + }, + "name": { + "type": "xsd:string", + "maxCount": "1", + "minCount": "0" + }, + "summary": { + "type": "xsd:string", + "maxCount": "1", + "minCount": "0" + }, + "description": { + "type": "xsd:string", + "maxCount": "1", + "minCount": "0" + }, + "comment": { + "type": "xsd:string", + "maxCount": "1", + "minCount": "0" + }, + "creationInfo": { + "type": "CreationInfo", + "minCount": "1", + "maxCount": "1" + }, + "verifiedUsing": { + "type": "IntegrityMethod", + "minCount": "0", + "maxCount": "*" + }, + "externalReference": { + "type": "ExternalReference", + "minCount": "0", + "maxCount": "*" + }, + "externalIdentifier": { + "type": "ExternalIdentifier", + "minCount": "0", + "maxCount": "*" + }, + "extension": { + "type": "Extension", + "minCount": "0", + "maxCount": "*" + } + }, + "externalPropertyRestrictions": {} + }, + "Agent": { + "summary": "Agent represents anything with the potential to act on a system.", + "description": "The Agent class represents anything that has the potential to act on a system. This could be a person, organization, software agent, etc. This is not to be confused with tools that are used to perform tasks.", + "metadata": { + "name": "Agent", + "SubclassOf": "Element", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/Agent" + }, + "properties": {}, + "externalPropertyRestrictions": {} + }, + "Hash": { + "summary": "A mathematically calculated representation of a grouping of data.", + "description": "A hash is a grouping of characteristics unique to the result\nof applying a mathematical algorithm\nthat maps data of arbitrary size to a bit string (the hash)\nand is a one-way function, that is,\na function which is practically infeasible to invert.\nThis is commonly used for integrity checking of data.", + "metadata": { + "name": "Hash", + "SubclassOf": "IntegrityMethod", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/Hash" + }, + "properties": { + "algorithm": { + "type": "HashAlgorithm", + "minCount": "1", + "maxCount": "1" + }, + "hashValue": { + "type": "xsd:string", + "minCount": "1", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} + }, + "DictionaryEntry": { + "summary": "A key with an associated value.", + "description": "The class used for implementing a generic string mapping (also known as associative array, dictionary, or hash map) in SPDX. Each DictionaryEntry contains a key-value pair which maps the key to its associated value. To implement a dictionary, this class is to be used in a collection with unique keys.", + "metadata": { + "name": "DictionaryEntry", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/DictionaryEntry" + }, + "properties": { + "key": { + "type": "xsd:string", + "minCount": "1", + "maxCount": "1" + }, + "value": { + "type": "xsd:string", + "maxCount": "1", + "minCount": "0" + } + }, + "externalPropertyRestrictions": {} + }, + "Person": { + "summary": "An individual human being.", + "description": "A Person is an individual human being.", + "metadata": { + "name": "Person", + "SubclassOf": "Agent", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/Person" + }, + "properties": {}, + "externalPropertyRestrictions": {} + }, + "Bundle": { + "summary": "A collection of Elements that have a shared context.", + "description": "A bundle is a collection of Elements that have a shared context.", + "metadata": { + "name": "Bundle", + "SubclassOf": "ElementCollection", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/Bundle" + }, + "properties": { + "context": { + "type": "xsd:string", + "maxCount": "1", + "minCount": "0" + } + }, + "externalPropertyRestrictions": {} + }, + "Artifact": { + "summary": "A distinct article or unit within the digital domain.", + "description": "An artifact is a distinct article or unit within the digital domain,\nsuch as an electronic file, a software package, a device or an element of data.", + "metadata": { + "name": "Artifact", + "SubclassOf": "Element", + "Instantiability": "Abstract", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/Artifact" + }, + "properties": { + "originatedBy": { + "type": "Agent", + "minCount": "0", + "maxCount": "*" + }, + "suppliedBy": { + "type": "Agent", + "minCount": "0", + "maxCount": "*" + }, + "builtTime": { + "type": "DateTime", + "minCount": "0", + "maxCount": "1" + }, + "releaseTime": { + "type": "DateTime", + "minCount": "0", + "maxCount": "1" + }, + "validUntilTime": { + "type": "DateTime", + "minCount": "0", + "maxCount": "1" + }, + "standard": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "*" + } + }, + "externalPropertyRestrictions": {} + }, + "Annotation": { + "summary": "An assertion made in relation to one or more elements.", + "description": "An Annotation is an assertion made in relation to one or more elements.", + "metadata": { + "name": "Annotation", + "SubclassOf": "Element", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/Annotation" + }, + "properties": { + "annotationType": { + "type": "AnnotationType", + "minCount": "1", + "maxCount": "1" + }, + "contentType": { + "type": "MediaType", + "minCount": "0", + "maxCount": "*" + }, + "statement": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "subject": { + "type": "Element", + "minCount": "1", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} + }, + "ExternalMap": { + "summary": "A map of Element identifiers that are used within a Document but defined external to that Document.", + "description": "An External Map is a map of Element identifiers that are used within a Document\nbut defined external to that Document.\nThe external map provides details about the externally-defined Element\nsuch as its provenance, where to retrieve it, and how to verify its integrity.", + "metadata": { + "name": "ExternalMap", + "SubclassOf": "owl:Thing", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/ExternalMap" + }, + "properties": { + "externalId": { + "type": "xsd:anyURI", + "minCount": "1", + "maxCount": "1" + }, + "verifiedUsing": { + "type": "IntegrityMethod", + "minCount": "0", + "maxCount": "*" + }, + "locationHint": { + "type": "xsd:anyURI", + "maxCount": "1", + "minCount": "0" + }, + "definingDocument": { + "type": "xsd:anyURI", + "maxCount": "1", + "minCount": "0" + } + }, + "externalPropertyRestrictions": {} + } + }, + "properties": { + "begin": { + "summary": "Defines the beginning of a range.", + "description": "begin is a positive integer that defines the beginning of a range.", + "metadata": { + "name": "begin", + "Nature": "DataProperty", + "Range": "xsd:positiveInteger", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/begin", + "Domain": [ + "PositiveIntegerRange" + ] + } + }, + "createdUsing": { + "summary": "Identifies the tooling that was used during the creation of the Element.", + "description": "CreatedUsing identifies the tooling that was used during the creation of the Element.\nThe generation method will assist the recipient of the Element in assessing\nthe general reliability/accuracy of the analysis information.", + "metadata": { + "name": "createdUsing", + "Nature": "ObjectProperty", + "Range": "Tool", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/createdUsing", + "Domain": [ + "CreationInfo" + ] + } + }, + "statement": { + "summary": "Commentary on an assertion that an annotator has made.", + "description": "A statement is a commentary on an assertion that an annotator has made.", + "metadata": { + "name": "statement", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/statement", + "Domain": [ + "Annotation" + ] + } + }, + "creationInfo": { + "summary": "Provides information about the creation of the Element.", + "description": "CreationInfo provides information about the creation of the Element.", + "metadata": { + "name": "creationInfo", + "Nature": "ObjectProperty", + "Range": "CreationInfo", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/creationInfo", + "Domain": [ + "Element" + ] + } + }, + "locationHint": { + "summary": "Provides an indication of where to retrieve an external Element.", + "description": "A locationHint provides an indication of where to retrieve an external Element.", + "metadata": { + "name": "locationHint", + "Nature": "DataProperty", + "Range": "xsd:anyURI", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/locationHint", + "Domain": [ + "ExternalMap" + ] + } + }, + "identifierLocator": { + "summary": "TODO", + "description": "A identifierLocator is TODO", + "metadata": { + "name": "identifierLocator", + "Nature": "DataProperty", + "Range": "xsd:anyURI", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/identifierLocator", + "Domain": [ + "ExternalIdentifier" + ] + } + }, + "subject": { + "summary": "An Element an annotator has made an assertion about.", + "description": "A subject is an Element an annotator has made an assertion about.", + "metadata": { + "name": "subject", + "Nature": "ObjectProperty", + "Range": "Element", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/subject", + "Domain": [ + "Annotation" + ] + } + }, + "validUntilTime": { + "summary": "Specifies until when the artifact can be used before its usage needs to be reassessed.", + "description": "A validUntilTime specifies until when the artifact can be used before its usage needs to be reassessed.", + "metadata": { + "name": "validUntilTime", + "Nature": "DataProperty", + "Range": "DateTime", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/validUntilTime", + "Domain": [ + "Artifact" + ] + } + }, + "definingDocument": { + "summary": "URI for an SPDX document which defines an SPDX element.", + "description": "A definingDocument property is used to link an Element identifier to an SpdxDocument which contains the definition for the Element.", + "metadata": { + "name": "definingDocument", + "Nature": "DataProperty", + "Range": "xsd:anyURI", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/definingDocument", + "Domain": [ + "ExternalMap" + ] + } + }, + "suppliedBy": { + "summary": "Identifies who or what supplied the Artifact.", + "description": "Identify the actual distribution source for the Artifact being referenced.\nThis might or might not be different from the originating distribution source for the artifact.", + "metadata": { + "name": "suppliedBy", + "Nature": "ObjectProperty", + "Range": "Agent", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/suppliedBy", + "Domain": [ + "Artifact" + ] + } + }, + "value": { + "summary": "A value used in a generic key-value pair.", + "description": "A value used in a generic key-value pair.\nA key-value pair can be used to implement a dictionary which associates a key with a value.", + "metadata": { + "name": "value", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/value", + "Domain": [ + "DictionaryEntry" + ] + } + }, + "to": { + "summary": "References an Element on the right-hand side of a relationship.", + "description": "This field references an Element on the right-hand side of a relationship.", + "metadata": { + "name": "to", + "Nature": "ObjectProperty", + "Range": "Element", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/to", + "Domain": [ + "Relationship" + ] + } + }, + "extension": { + "summary": "TODO", + "description": "TODO", + "metadata": { + "name": "extension", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/extension", + "Domain": [ + "Element" + ] + } + }, + "externalId": { + "summary": "Identifies an external Element used within a Document but defined external to that Document.", + "description": "ExternalId identifies an external Element used within a Document but defined external to that Document.", + "metadata": { + "name": "externalId", + "Nature": "DataProperty", + "Range": "xsd:anyURI", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/externalId", + "Domain": [ + "ExternalMap" + ] + } + }, + "externalReference": { + "summary": "Points to a resource outside the scope of the SPDX-3.0 content\nthat provides additional characteristics of an Element.", + "description": "This field points to a resource outside the scope of the SPDX-3.0 content\nthat provides additional characteristics of an Element.", + "metadata": { + "name": "externalReference", + "Nature": "ObjectProperty", + "Range": "ExternalReference", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/externalReference", + "Domain": [ + "Element" + ] + } + }, + "from": { + "summary": "References the Element on the left-hand side of a relationship.", + "description": "This field references the Element on the left-hand side of a relationship.", + "metadata": { + "name": "from", + "Nature": "ObjectProperty", + "Range": "Element", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/from", + "Domain": [ + "Relationship" + ] + } + }, + "created": { + "summary": "Identifies when the Element was originally created.", + "description": "Created is a date that identifies when the Element was originally created.\nThe time stamp can serve as an indication as to whether the analysis needs to be updated. This is often the date of last change (e.g., a git commit date), not the date when the SPDX data was created, as doing so supports reproducible builds.", + "metadata": { + "name": "created", + "Nature": "DataProperty", + "Range": "DateTime", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/created", + "Domain": [ + "CreationInfo" + ] + } + }, + "releaseTime": { + "summary": "Specifies the time an artifact was released.", + "description": "A releaseTime specifies the time an artifact was released.", + "metadata": { + "name": "releaseTime", + "Nature": "DataProperty", + "Range": "DateTime", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/releaseTime", + "Domain": [ + "Artifact" + ] + } + }, + "startTime": { + "summary": "Specifies the time from which an element is applicable / valid.", + "description": "A startTime specifies the time from which element is applicable / valid.", + "metadata": { + "name": "startTime", + "Nature": "DataProperty", + "Range": "DateTime", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/startTime", + "Domain": [ + "Relationship" + ] + } + }, + "rootElement": { + "summary": "Top level Element from which all other Elements are reached via relationships.", + "description": "A rootElement of a collection is the top level Element from which all other Elements are reached via relationships.", + "metadata": { + "name": "rootElement", + "Nature": "ObjectProperty", + "Range": "Element", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/rootElement", + "Domain": [ + "ElementCollection" + ] + } + }, + "prefix": { + "summary": "A substitute for a URI.", + "description": "A prefix is a substitute for a URI.", + "metadata": { + "name": "prefix", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/prefix" + } + }, + "externalIdentifierType": { + "summary": "Specifies the type of the external identifier.", + "description": "An externalIdentifierType specifies the type of the external identifier.", + "metadata": { + "name": "externalIdentifierType", + "Nature": "ObjectProperty", + "Range": "ExternalIdentifierType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/externalIdentifierType", + "Domain": [ + "ExternalIdentifier" + ] + } + }, + "contentType": { + "summary": "Specifies the media type of an Element.", + "description": "ContentType specifies the media type of an Element.", + "metadata": { + "name": "contentType", + "Nature": "DataProperty", + "Range": "MediaType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/contentType", + "Domain": [ + "ExternalReference", + "Annotation" + ] + } + }, + "element": { + "summary": "Refers to one or more Elements that are part of an ElementCollection.", + "description": "This field refers to one or more Elements that are part of an ElementCollection.", + "metadata": { + "name": "element", + "Nature": "ObjectProperty", + "Range": "Element", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/element", + "Domain": [ + "ElementCollection" + ] + } + }, + "relationshipType": { + "summary": "Information about the relationship between two Elements.", + "description": "This field provides information about the relationship between two Elements.\nFor example, you can represent a relationship between two different Files,\nbetween a Package and a File, between two Packages, or between one SPDXDocument and another SPDXDocument.", + "metadata": { + "name": "relationshipType", + "Nature": "ObjectProperty", + "Range": "RelationshipType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/relationshipType", + "Domain": [ + "Relationship" + ] + } + }, + "specVersion": { + "summary": "Provides a reference number that can be used to understand how to parse and interpret an Element.", + "description": "The specVersion provides a reference number that can be used to understand how to parse and interpret an Element.\nIt will enable both future changes to the specification and to support backward compatibility.\nThe major version number shall be incremented when incompatible changes between versions are made\n(one or more sections are created, modified or deleted).\nThe minor version number shall be incremented when backwards compatible changes are made.\n\nHere, parties exchanging information in accordance with the SPDX specification need to provide \n100% transparency as to which SPDX specification version such information is conforming to.", + "metadata": { + "name": "specVersion", + "Nature": "DataProperty", + "Range": "SemVer", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/specVersion", + "Domain": [ + "CreationInfo" + ] + } + }, + "originatedBy": { + "summary": "Identifies from where or whom the Element originally came.", + "description": "OriginatedBy identifies from where or whom the Element originally came.", + "metadata": { + "name": "originatedBy", + "Nature": "ObjectProperty", + "Range": "Agent", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/originatedBy", + "Domain": [ + "Artifact" + ] + } + }, + "verifiedUsing": { + "summary": "Provides an IntegrityMethod with which the integrity of an Element can be asserted.", + "description": "VerifiedUsing provides an IntegrityMethod with which the integrity of an Element can be asserted.", + "metadata": { + "name": "verifiedUsing", + "Nature": "ObjectProperty", + "Range": "IntegrityMethod", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/verifiedUsing", + "Domain": [ + "Element", + "ExternalMap" + ] + } + }, + "dataLicense": { + "summary": "Provides the license under which the SPDX documentation of the Element can be used.", + "description": "The data license provides the license under which the SPDX documentation of the Element can be used.\nThis is to alleviate any concern that content (the data or database) in an SPDX file\nis subject to any form of intellectual property right that could restrict the re-use\nof the information or the creation of another SPDX file for the same project(s).\nThis approach avoids intellectual property and related restrictions over the SPDX file,\nhowever individuals can still contract with each other to restrict release\nof specific collections of SPDX files (which map to software bill of materials)\nand the identification of the supplier of SPDX files.\nCompliance with this document includes populating the SPDX fields therein\nwith data related to such fields (\"SPDX-Metadata\"). \nThis document contains numerous fields where an SPDX file creator may provide\nrelevant explanatory text in SPDX-Metadata. Without opining on the lawfulness\nof \"database rights\" (in jurisdictions where applicable),\nsuch explanatory text is copyrightable subject matter in most Berne Convention countries.\nBy using the SPDX specification, or any portion hereof,\nyou hereby agree that any copyright rights (as determined by your jurisdiction)\nin any SPDX-Metadata, including without limitation explanatory text,\nshall be subject to the terms of the Creative Commons CC0 1.0 Universal license. \nFor SPDX-Metadata not containing any copyright rights, \nyou hereby agree and acknowledge that the SPDX-Metadata is provided to you \u201cas-is\u201d\nand without any representations or warranties of any kind concerning the SPDX-Metadata,\nexpress, implied, statutory or otherwise, including without limitation warranties\nof title, merchantability, fitness for a particular purpose, non-infringement,\nor the absence of latent or other defects, accuracy, or the presence or absence of errors,\nwhether or not discoverable, all to the greatest extent permissible under applicable law.", + "metadata": { + "name": "dataLicense", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/dataLicense", + "Domain": [ + "CreationInfo" + ] + } + }, + "algorithm": { + "summary": "Specifies the algorithm used for calculating the hash value.", + "description": "An algorithm specifies the algorithm that was used for calculating the hash value.", + "metadata": { + "name": "algorithm", + "Nature": "ObjectProperty", + "Range": "HashAlgorithm", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/algorithm", + "Domain": [ + "Hash" + ] + } + }, + "summary": { + "summary": "A short description of an Element.", + "description": "A summary is a short description of an Element. Here, the intent is to allow the Element creator to \nprovide concise information about the function or use of the Element.", + "metadata": { + "name": "summary", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/summary", + "Domain": [ + "Element" + ] + } + }, + "end": { + "summary": "Defines the end of a range.", + "description": "end is a positive integer that defines the end of a range.", + "metadata": { + "name": "end", + "Nature": "DataProperty", + "Range": "xsd:positiveInteger", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/end", + "Domain": [ + "PositiveIntegerRange" + ] + } + }, + "hashValue": { + "summary": "The result of applying a hash algorithm to an Element.", + "description": "HashValue is the result of applying a hash algorithm to an Element.", + "metadata": { + "name": "hashValue", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/hashValue", + "Domain": [ + "Hash" + ] + } + }, + "externalIdentifier": { + "summary": "Provides a reference to a resource outside the scope of SPDX-3.0 content\nthat uniquely identifies an Element.", + "description": "ExternalIdentifier points to a resource outside the scope of SPDX-3.0 content\nthat uniquely identifies an Element.", + "metadata": { + "name": "externalIdentifier", + "Nature": "ObjectProperty", + "Range": "ExternalIdentifier", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/externalIdentifier", + "Domain": [ + "Element" + ] + } + }, + "spdxId": { + "summary": "Identifies an Element to be referenced by other Elements.", + "description": "SpdxId uniquely identifies an Element which may thereby be referenced by other Elements.\nThese references may be internal or external.\nWhile there may be several versions of the same Element, each one needs to be able to be referred to uniquely\nso that relationships between Elements can be clearly articulated.", + "metadata": { + "name": "spdxId", + "Nature": "DataProperty", + "Range": "xsd:anyURI", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/spdxId", + "Domain": [ + "Element" + ] + } + }, + "description": { + "summary": "Provides a detailed description of the Element.", + "description": "This field is a detailed description of the Element. It may also be extracted from the Element itself.\nThe intent is to provide recipients of the SPDX file with a detailed technical explanation\nof the functionality, anticipated use, and anticipated implementation of the Element.\nThis field may also include a description of improvements over prior versions of the Element.", + "metadata": { + "name": "description", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/description", + "Domain": [ + "Element" + ] + } + }, + "locator": { + "summary": "Provides the location of an external reference.", + "description": "A locator provides the location of an external reference.", + "metadata": { + "name": "locator", + "Nature": "DataProperty", + "Range": "xsd:anyURI", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/locator", + "Domain": [ + "ExternalReference" + ] + } + }, + "annotationType": { + "summary": "Describes the type of annotation.", + "description": "An annotationType describes the type of an annotation.", + "metadata": { + "name": "annotationType", + "Nature": "ObjectProperty", + "Range": "AnnotationType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/annotationType", + "Domain": [ + "Annotation" + ] + } + }, + "issuingAuthority": { + "summary": "TODO", + "description": "A issuingAuthority is TODO", + "metadata": { + "name": "issuingAuthority", + "Nature": "DataProperty", + "Range": "xsd:anyURI", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/issuingAuthority", + "Domain": [ + "ExternalIdentifier" + ] + } + }, + "builtTime": { + "summary": "Specifies the time an artifact was built.", + "description": "A builtTime specifies the time an artifact was built.", + "metadata": { + "name": "builtTime", + "Nature": "DataProperty", + "Range": "DateTime", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/builtTime", + "Domain": [ + "Artifact" + ] + } + }, + "profile": { + "summary": "Provides information about which profiles the Element belongs to.", + "description": "This field provides information about which profiles the Element belongs to.", + "metadata": { + "name": "profile", + "Nature": "ObjectProperty", + "Range": "ProfileIdentifierType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/profile", + "Domain": [ + "CreationInfo" + ] + } + }, + "context": { + "summary": "Gives information about the circumstances or unifying properties\nthat Elements of the bundle have been assembled under.", + "description": "A context gives information about the circumstances or unifying properties\nthat Elements of the bundle have been assembled under.", + "metadata": { + "name": "context", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/context", + "Domain": [ + "Bundle" + ] + } + }, + "comment": { + "summary": "Provide consumers with comments by the creator of the Element about the Element.", + "description": "A comment is an optional field for creators of the Element to provide comments\nto the readers/reviewers of the document.", + "metadata": { + "name": "comment", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/comment", + "Domain": [ + "ExternalReference", + "ExternalIdentifier", + "CreationInfo", + "IntegrityMethod", + "Element" + ] + } + }, + "imports": { + "summary": "Provides an ExternalMap of Element identifiers.", + "description": "Imports provides an ExternalMap of Element identifiers that are used within a document\nbut defined external to that document.", + "metadata": { + "name": "imports", + "Nature": "ObjectProperty", + "Range": "ExternalMap", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/imports", + "Domain": [ + "ElementCollection" + ] + } + }, + "name": { + "summary": "Identifies the name of an Element as designated by the creator.", + "description": "This field identifies the name of an Element as designated by the creator. \nThe name of an Element is an important convention and easier to refer to than the URI.", + "metadata": { + "name": "name", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/name", + "Domain": [ + "Element" + ] + } + }, + "standard": { + "summary": "The relevant standards that may apply to an artifact.", + "description": "Various standards may be relevant to useful to capture for specific artifacts.", + "metadata": { + "name": "standard", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/standard", + "Domain": [ + "Artifact" + ] + } + }, + "endTime": { + "summary": "Specifies the time from which an element is no longer applicable / valid.", + "description": "A endTime specifies the time from which element is no applicable / valid.", + "metadata": { + "name": "endTime", + "Nature": "DataProperty", + "Range": "DateTime", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/endTime", + "Domain": [ + "Relationship" + ] + } + }, + "scope": { + "summary": "TODO", + "description": "A scope is TODO", + "metadata": { + "name": "scope", + "Nature": "ObjectProperty", + "Range": "LifecycleScopeType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/scope", + "Domain": [ + "LifecycleScopedRelationship" + ] + } + }, + "key": { + "summary": "A key used in a generic key-value pair.", + "description": "A key used in generic a key-value pair.\nA key-value pair can be used to implement a dictionary which associates a key with a value.", + "metadata": { + "name": "key", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/key", + "Domain": [ + "DictionaryEntry" + ] + } + }, + "identifier": { + "summary": "Uniquely identifies an external element.", + "description": "An identifier uniquely identifies an external element.", + "metadata": { + "name": "identifier", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/identifier", + "Domain": [ + "ExternalIdentifier" + ] + } + }, + "completeness": { + "summary": "Provides information about the completeness of relationships.", + "description": "Completeness gives information about whether the provided relationships are\ncomplete, known to be incomplete or if no assertion is made either way.", + "metadata": { + "name": "completeness", + "Nature": "ObjectProperty", + "Range": "RelationshipCompleteness", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/completeness", + "Domain": [ + "Relationship" + ] + } + }, + "externalReferenceType": { + "summary": "Specifies the type of the external reference.", + "description": "An externalReferenceType specifies the type of the external reference.", + "metadata": { + "name": "externalReferenceType", + "Nature": "ObjectProperty", + "Range": "ExternalReferenceType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/externalReferenceType", + "Domain": [ + "ExternalReference" + ] + } + }, + "createdBy": { + "summary": "Identifies who or what created the Element.", + "description": "CreatedBy identifies who or what created the Element.\nThe generation method will assist the recipient of the Element in assessing\nthe general reliability/accuracy of the analysis information.", + "metadata": { + "name": "createdBy", + "Nature": "ObjectProperty", + "Range": "Agent", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/createdBy", + "Domain": [ + "CreationInfo" + ] + } + } + }, + "vocabs": { + "RelationshipCompleteness": { + "summary": "Indicates whether a relationship is complete or known to be incomplete or if there\nis made no assertion either way.", + "description": "RelationshipCompleteness indicates whether a relationship is complete or \nknown to be incomplete or if there is made no assertion either way.", + "metadata": { + "name": "RelationshipCompleteness", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/RelationshipCompleteness" + }, + "entries": { + "incomplete": "The relationship is known not to be exhaustive.", + "complete": "The relationship is known to be exhaustive.", + "noAssertion": "There can be made no assertion about the completeness of the relationship." + } + }, + "ProfileIdentifierType": { + "summary": "Enumeration of the valid profiles that an element can be specified to be part of.", + "description": "There are a set of profiles that have been defined to be valid for a specific release This file enumerates the values that have been agreed on, and may be applied to the creation information for an an element.", + "metadata": { + "name": "ProfileIdentifierType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/ProfileIdentifierType" + }, + "entries": { + "core": "the element follows the Core profile specification", + "software": "the element follows the Software profile specification", + "simpleLicensing": "the element follows the simple Licensing profile specification", + "expandedLicensing": "the element follows the expanded Licensing profile specification", + "security": "the element follows the Security profile specification", + "build": "the element follows the Build profile specification", + "ai": "the element follows the AI profile specification", + "dataset": "the element follows the Dataset profile specification", + "usage": "the element follows the Usage profile specification", + "extension": "the element follows the Extension profile specification" + } + }, + "ExternalIdentifierType": { + "summary": "Specifies the type of an external identifier.", + "description": "ExteralIdentifierType specifies the type of an external identifier.", + "metadata": { + "name": "ExternalIdentifierType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/ExternalIdentifierType" + }, + "entries": { + "cpe22": "https://cpe.mitre.org/files/cpe-specification_2.2.pdf", + "cpe23": "https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7695.pdf", + "cve": "An identifier for a specific software flaw defined within the official CVE Dictionary and that conforms to the CVE specification as defined by https://csrc.nist.gov/glossary/term/cve_id.", + "email": "https://datatracker.ietf.org/doc/html/rfc3696#section-3", + "gitoid": "https://www.iana.org/assignments/uri-schemes/prov/gitoid Gitoid stands for [Git Object ID](https://git-scm.com/book/en/v2/Git-Internals-Git-Objects) and a gitoid of type blob is a unique hash of a binary artifact. A gitoid may represent the software [Artifact ID](https://github.com/omnibor/spec/blob/main/spec/SPEC.md#artifact-id) or the [OmniBOR Identifier](https://github.com/omnibor/spec/blob/main/spec/SPEC.md#omnibor-identifier) for the software artifact's associated [OmniBOR Document](https://github.com/omnibor/spec/blob/main/spec/SPEC.md#omnibor-document); this ambiguity exists because the OmniBOR Document is itself an artifact, and the gitoid of that artifact is its valid identifier. Omnibor is a minimalistic schema to describe software [Artifact Dependency Graphs](https://github.com/omnibor/spec/blob/main/spec/SPEC.md#artifact-dependency-graph-adg). Gitoids calculated on software artifacts (Snippet, File, or Package Elements) should be recorded in the SPDX 3.0 SoftwareArtifact's ContentIdentifier property. Gitoids calculated on the OmniBOR Document (OmniBOR Identifiers) should be recorded in the SPDX 3.0 Element's ExternalIdentifier property.", + "other": "Used when the type doesn't match any of the other options.", + "pkgUrl": "https://github.com/package-url/purl-spec", + "securityOther": "Used when there is a security related identifier of unspecified type.", + "swhid": "https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html", + "swid": "https://www.ietf.org/archive/id/draft-ietf-sacm-coswid-21.html#section-2.3", + "urlScheme": "the scheme used in order to locate a resource https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml" + } + }, + "ExternalReferenceType": { + "summary": "Specifies the type of an external reference.", + "description": "ExteralReferenceType specifies the type of an external reference.", + "metadata": { + "name": "ExternalReferenceType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/ExternalReferenceType" + }, + "entries": { + "altDownloadLocation": "A reference to an alternative download location.", + "altWebPage": "A reference to an alternative web page.", + "binaryArtifact": "A reference to binary artifacts related to a package.", + "buildMeta": "A reference build metadata related to a published package.", + "buildSystem": "A reference build system used to create or publish the package.", + "chat": "A reference to the instant messaging system used by the maintainer for a package.", + "certificationReport": "A reference to a certification report for a package from an accredited/independent body.", + "componentAnalysisReport": "A reference to a Software Composition Analysis (SCA) report.", + "documentation": "A reference to the documentation for a package.", + "dynamicAnalysisReport": "A reference to a dynamic analysis report for a package.", + "eolNotice": "A reference to the End Of Sale (EOS) and/or End Of Life (EOL) information related to a package.", + "exportControlAssessment": "A reference to a export control assessment for a package.", + "funding": "A reference to funding information related to a package.", + "issueTracker": "A reference to the issue tracker for a package.", + "mailingList": "A reference to the mailing list used by the maintainer for a package.", + "metrics": "A reference to metrics related to package such as OpenSSF scorecards.", + "license": "A reference to additional license information related to an artifact.", + "other": "Used when the type doesn't match any of the other options.", + "privacyAssessment": "A reference to a privacy assessment for a package.", + "productMetadata": "A reference to additional product metadata such as reference within organization's product catalog.", + "purchaseOrder": "A reference to a purchase order for a package.", + "releaseNotes": "A reference to the release notes for a package.", + "releaseHistory": "A reference to a published list of releases for a package.", + "riskAssessment": "A reference to a risk assessment for a package.", + "runtimeAnalysisReport": "A reference to a runtime analysis report for a package.", + "secureSoftwareAttestation": "A reference to information assuring that the software is developed using security practices as defined by [NIST SP 800-218 Secure Software Development Framework (SSDF)](https://csrc.nist.gov/publications/detail/sp/800-218/final) or [CISA Secure Software Development Attestation Form](https://www.cisa.gov/sites/default/files/2023-04/secure-software-self-attestation_common-form_508.pdf).", + "securityAdvisory": "A reference to a published security advisory (where advisory as defined per ISO 29147:2018) that may affect one or more elements, e.g., vendor advisories or specific NVD entries.", + "securityAdversaryModel": "A reference to the security adversary model for a package.", + "securityFix": "A reference to the patch or source code that fixes a vulnerability.", + "securityOther": "A reference to related security information of unspecified type.", + "securityPenTestReport": "A reference to a [penetration test](https://en.wikipedia.org/wiki/Penetration_test) report for a package.", + "securityPolicy": "A reference to instructions for reporting newly discovered security vulnerabilities for a package.", + "securityThreatModel": "A reference the [security threat model](https://en.wikipedia.org/wiki/Threat_model) for a package.", + "socialMedia": "A reference to a social media channel for a package.", + "sourceArtifact": "A reference to an artifact containing the sources for a package.", + "staticAnalysisReport": "A reference to a static analysis report for a package.", + "support": "A reference to the software support channel or other support information for a package.", + "vcs": "A reference to a version control system related to a software artifact.", + "vulnerabilityDisclosureReport": "A reference to a Vulnerability Disclosure Report (VDR) which provides the software supplier's analysis and findings describing the impact (or lack of impact) that reported vulnerabilities have on packages or products in the supplier's SBOM as defined in [NIST SP 800-161](https://csrc.nist.gov/publications/detail/sp/800-161/rev-1/final).", + "vulnerabilityExploitabilityAssessment": "A reference to a Vulnerability Exploitability eXchange (VEX) statement which provides information on whether a product is impacted by a specific vulnerability in an included package and, if affected, whether there are actions recommended to remediate. See also [NTIA VEX one-page](https://ntia.gov/files/ntia/publications/vex_one-page_summary.pdf)..", + "qualityAssessmentReport": "A reference to a quality assessment for a package." + } + }, + "LifecycleScopeType": { + "summary": "TODO", + "description": "TODO", + "metadata": { + "name": "LifecycleScopeType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/LifecycleScopeType" + }, + "entries": { + "design": "TODOdescription", + "build": "TODOdescription", + "development": "TODOdescription", + "test": "TODOdescription", + "runtime": "TODOdescription", + "other": "TODOdescription" + } + }, + "AnnotationType": { + "summary": "Specifies the type of an annotation.", + "description": "AnnotationType specifies the type of an annotation.", + "metadata": { + "name": "AnnotationType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/AnnotationType" + }, + "entries": { + "other": "Used to store extra information about an Element which is not part of a Review (e.g. extra information provided during the creation of the Element).", + "review": "Used when someone reviews the Element." + } + }, + "HashAlgorithm": { + "summary": "A mathematical algorithm that maps data of arbitrary size to a bit string.", + "description": "A HashAlgorithm is a mathematical algorithm that maps data of arbitrary size to a bit string (the hash)\nand is a one-way function, that is, a function which is practically infeasible to invert.", + "metadata": { + "name": "HashAlgorithm", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/HashAlgorithm" + }, + "entries": { + "blake2b256": "blake2b algorithm with a digest size of 256 https://datatracker.ietf.org/doc/html/rfc7693#section-4", + "blake2b384": "blake2b algorithm with a digest size of 384 https://datatracker.ietf.org/doc/html/rfc7693#section-4", + "blake2b512": "blake2b algorithm with a digest size of 512 https://datatracker.ietf.org/doc/html/rfc7693#section-4", + "blake3": "https://github.com/BLAKE3-team/BLAKE3-specs/blob/master/blake3.pdf", + "crystalsKyber": "https://pq-crystals.org/kyber/index.shtml", + "crystalsDilithium": "https://pq-crystals.org/dilithium/index.shtml", + "falcon": "https://falcon-sign.info/falcon.pdf", + "md2": "https://datatracker.ietf.org/doc/rfc1319/", + "md4": "https://datatracker.ietf.org/doc/html/rfc1186", + "md5": "https://datatracker.ietf.org/doc/html/rfc1321", + "md6": "https://people.csail.mit.edu/rivest/pubs/RABCx08.pdf", + "other": "any hashing algorithm that does not exist in this list of entries", + "sha1": "https://datatracker.ietf.org/doc/html/rfc3174", + "sha224": "secure hashing algorithm with a digest length of 224 https://datatracker.ietf.org/doc/html/draft-ietf-pkix-sha224-01", + "sha256": "secure hashing algorithm with a digest length of 256 https://www.rfc-editor.org/rfc/rfc4634", + "sha3_224": "sha3 with a digest length of 224 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf", + "sha3_256": "sha3 with a digest length of 256 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf", + "sha3_384": "sha3 with a digest length of 384 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf", + "sha3_512": "sha3 with a digest length of 512 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf", + "sha384": "secure hashing algorithm with a digest length of 384 https://www.rfc-editor.org/rfc/rfc4634", + "sha512": "secure hashing algorithm with a digest length of 512 https://www.rfc-editor.org/rfc/rfc4634", + "spdxPvcSha1": "TODOdescription", + "spdxPvcSha256": "TODOdescription", + "sphincsPlus": "TODOdescription" + } + }, + "RelationshipType": { + "summary": "Information about the relationship between two Elements.", + "description": "Provides information about the relationship between two Elements.\nFor example, you can represent a relationship between two different Files,\nbetween a Package and a File, between two Packages, or between one SPDXDocument and another SPDXDocument.", + "metadata": { + "name": "RelationshipType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/RelationshipType" + }, + "entries": { + "affects": "(Security/VEX) Designates one or more elements as affected by a vulnerability", + "amends": "Every `to` Element amends the `from` Element", + "ancestor": "Every `to` Element is an ancestor of the `from` Element", + "availableFrom": "This relationship is used to identify additional suppliers where an artifact is available from.", + "buildDependency": "Every `to` Element is a build dependency of the `from` Element", + "buildTool": "Build tool used to build an Element. This may be used to describe the build tool of a Build instance", + "coordinatedBy": "(Security) Used to identify the vendor, researcher, or consumer agent performing coordination for a vulnerability", + "contains": "Every `to` Element is contained by the `from` Element", + "configOf": "(Build) Configuration information applied to an Element instance during a LifeycleScopeType period. Example: Build configuration of the build instance", + "copy": "Every `to` Element is a copy of the `from` Element", + "dataFile": "Every `to` Element is a data file related to the the `from` Element", + "dependencyManifest": "Every `to` Element is manifest file containing dependency information related to the `from` Element", + "dependsOn": "Every `to` Element is a dependecy of the `from` Element", + "descendant": "This relationship may be used to describe child builds of a Build instance.", + "describes": "Every `to` Element is described by the `from` Element. This can be used to denote the root(s) of a tree of elements contained in an SBOM.", + "devDependency": "Every `to` Element is a development dependency for the `from` Element", + "devTool": "Every `to` Element is a development tool for the `from` Element", + "distributionArtifact": "Every `to` Element is an artifact intended for distribution of the `from` Element (e.g. an RPM or archive file)", + "documentation": "Every `to` Element is documentation for the `from` Element", + "doesNotAffect": "(Security/VEX) Specifies a vulnerability has no impact on one or more elements", + "dynamicLink": "Every `to` Element is dynamically linked to the `from` Element", + "example": "Every `to` Element is an example for the `from` Element", + "evidenceFor": "(Dataset) Every `to` Element is can be considered as evidence for the `from` Element", + "expandedFromArchive": "Every `to` Element is an artifact expanded from the `from` archive file", + "exploitCreatedBy": "(Security) Designates an agent has created an exploit against a vulnerability", + "fileAdded": "Every `to` Element is is a file added to the `from` Element", + "fileDeleted": "Every `to` Element is a file deleted from the `from` Element", + "fileModified": "Every `to` Element is a modification of the `from` Element", + "fixedBy": "(Security) Designates a vulnerability has been fixed by an agent", + "fixedIn": "(Security/VEX) A vulnerability has been fixed in one or more elements", + "foundBy": "(Security) Designates an agent was the original discoverer of a security vulnerability", + "generates": "Every `to` Element is generated from the `from` Element", + "hasAssessmentFor": "(Security) Relates a Vulnerability and an Element with a security assessment.", + "hasAssociatedVulnerability": "(Security) Used to associate a security vulnerability with a software artifact", + "hostOf": "(Build) The`from` Element in which every instance of the `to` Element during a LifecycleScopeType period runs on. Example: host that the build runs on for an element.", + "inputOf": "(Build) Input to the Element instance during a LifecycleScopeType period. Example: input to the build instance for an element.", + "invokedBy": "(Build) Every`to` Agent that invoked a `from` Element instance during a LifecycleScopeType period. Example: Agent that invoked the build for an element", + "metafile": "Every `to` Element is is a file containing metadata about the `from` Element", + "onBehalfOf": "(Build) Every `to` Agent acting on behalf of another `from` Agent during a LifecycleScopeType period", + "optionalComponent": "Every `to` Element is an optional component of the `from` Element", + "optionalDependency": "Every `to` Element is an optional dependency of the `from` Element", + "other": "Every `to` Element is related to the `from` Element where the relationship type is not described by any of the SPDX relationhip types", + "outputOf": "(Build) `from` Element that is output `to` the Element instance during a LifecycleScopeType period. Example: output of the build instance", + "packages": "Every `to` Element is a packaged form of the `from` Element", + "patch": "Every `to` Element is a patch for the `from` Element", + "prerequisite": "Every `to` Element is a prerequisite of the `from` Element", + "providedDependency": "Every `to` Element is a dependency not included in the distributed artifact but is assumed to be provided the `from` Element", + "publishedBy": "(Security) Designates the agent that made a vulnerability record available for public use or reference", + "reportedBy": "(Security) Designates the agent that first reported a vulnerability to the project, vendor, or tracking database for formal identification", + "republishedBy": "(Security) Designates the agent that tracked, aggregated, and/or enriched vulnerability details to improve context (i.e. NVD)", + "requirementFor": "Every `to` Element is required for the `from` Element", + "runtimeDependency": "Every `to` Element is a runtime dependency for the `from` Element", + "specificationFor": "Every `to` Element is a specification for the `from` Element", + "staticLink": "Every `to` Element is statically linked to the `from` Element", + "test": "Every `to` Element is a test artifact for the `from` Element", + "testCase": "Every `to` Element is a test case for the `from` Element", + "testDependency": "Every `to` Element is a test dependency for the `from` Element", + "testTool": "Every `to` Element is a test tool for the `from` Element", + "testedOn": "(AI, Dataset) The `from` Element has been tested on the `to` Element", + "trainedOn": "(AI, Dataset) The `from` Element has been trained by the `to` Element(s)", + "underInvestigationFor": "(Security/VEX) The impact of a vulnerability is being investigated", + "variant": "Every `to` Element is a variant the `from` Element" + } + } + } + }, + "Dataset": { + "name": "Dataset", + "classes": { + "Dataset": { + "summary": "Provides information about the fields in the Dataset profile.", + "description": "Metadata information that can be added to a dataset that may be used in a software or to train/test an AI package.\nExternal property restriction on /Core/Artifact/originatedBy: minCount: 1\nExternal property restriction on /Software/Package/downloadLocation: minCount: 1\nExternal property restriction on /Software/SoftwareArtifact/primaryPurpose: minCount: 1\nExternal property restriction on /Core/Artifact/releaseTime: minCount: 1\nExternal property restriction on /Core/Artifact/builtTime: minCount: 1", + "metadata": { + "name": "Dataset", + "SubclassOf": "/Software/Package", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Dataset/Dataset" + }, + "properties": { + "datasetType": { + "type": "DatasetType", + "minCount": "1", + "maxCount": "*" + }, + "dataCollectionProcess": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "intendedUse": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "datasetSize": { + "type": "xsd:nonNegativeInteger", + "minCount": "0", + "maxCount": "1" + }, + "datasetNoise": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "dataPreprocessing": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "*" + }, + "sensor": { + "type": "/Core/DictionaryEntry", + "minCount": "0", + "maxCount": "*" + }, + "knownBias": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "*" + }, + "sensitivePersonalInformation": { + "type": "PresenceType", + "minCount": "0", + "maxCount": "1" + }, + "anonymizationMethodUsed": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "*" + }, + "confidentialityLevel": { + "type": "ConfidentialityLevelType", + "minCount": "0", + "maxCount": "1" + }, + "datasetUpdateMechanism": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "datasetAvailability": { + "type": "DatasetAvailabilityType", + "minCount": "0", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": { + "/Core/Artifact/originatedBy": { + "minCount": "1", + "maxCount": "*" + }, + "/Software/Package/downloadLocation": { + "minCount": "1", + "maxCount": "*" + }, + "/Software/SoftwareArtifact/primaryPurpose": { + "minCount": "1", + "maxCount": "*" + }, + "/Core/Artifact/releaseTime": { + "minCount": "1", + "maxCount": "*" + }, + "/Core/Artifact/builtTime": { + "minCount": "1", + "maxCount": "*" + } + } + } + }, + "properties": { + "knownBias": { + "summary": "Records the biases that the dataset is known to encompass.", + "description": "KnownBias is a free form text field that describes the different biases that the dataset encompasses.", + "metadata": { + "name": "knownBias", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Dataset/knownBias", + "Domain": [ + "Dataset" + ] + } + }, + "dataPreprocessing": { + "summary": "Describes the preprocessing steps that were applied to the raw data to create the given dataset.", + "description": "DataPreprocessing describes the various preprocessing steps\nthat were applied to the raw data to create the dataset.", + "metadata": { + "name": "dataPreprocessing", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Dataset/dataPreprocessing", + "Domain": [ + "Dataset" + ] + } + }, + "datasetNoise": { + "summary": "Describes potentially noisy elements of the dataset.", + "description": "DatasetNoise describes what kinds of noises a dataset might encompass.\nThe field uses free form text to specify the fields or the samples that might be noisy.\nAlternatively, it can also be used to describe various noises that could impact the whole dataset.", + "metadata": { + "name": "datasetNoise", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Dataset/datasetNoise", + "Domain": [ + "Dataset" + ] + } + }, + "datasetUpdateMechanism": { + "summary": "Describes a mechanism to update the dataset.", + "description": "DatasetUpdateMechanism describes a mechanism to update the dataset.", + "metadata": { + "name": "datasetUpdateMechanism", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Dataset/datasetUpdateMechanism", + "Domain": [ + "Dataset" + ] + } + }, + "datasetSize": { + "summary": "Captures the size of the dataset.", + "description": "DatasetSize Captures how large a dataset is.\nThe size is to be measured in bytes.", + "metadata": { + "name": "datasetSize", + "Nature": "DataProperty", + "Range": "xsd:nonNegativeInteger", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Dataset/datasetSize", + "Domain": [ + "Dataset" + ] + } + }, + "sensitivePersonalInformation": { + "summary": "Describes if any sensitive personal information is present in the dataset.", + "description": "SensitivePersonalInformation indicates the presence of sensitive personal data\nor information that allows drawing conclusions about a person's identity.", + "metadata": { + "name": "sensitivePersonalInformation", + "Nature": "ObjectProperty", + "Range": "PresenceType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Dataset/sensitivePersonalInformation", + "Domain": [ + "Dataset" + ] + } + }, + "confidentialityLevel": { + "summary": "Describes the confidentiality level of the data points contained in the dataset.", + "description": "ConfidentialityLevel describes the levels of confidentiality of the data points contained in the dataset.", + "metadata": { + "name": "confidentialityLevel", + "Nature": "ObjectProperty", + "Range": "ConfidentialityLevelType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Dataset/confidentialityLevel", + "Domain": [ + "Dataset" + ] + } + }, + "dataCollectionProcess": { + "summary": "Describes how the dataset was collected.", + "description": "DataCollectionProcess describes how a dataset was collected.\nExamples include the sources from which a dataset was scrapped or\nthe interview protocol that was used for data collection.", + "metadata": { + "name": "dataCollectionProcess", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Dataset/dataCollectionProcess", + "Domain": [ + "Dataset" + ] + } + }, + "anonymizationMethodUsed": { + "summary": "Describes the anonymization methods used.", + "description": "AnonymizationMethodUsed describes the methods used to anonymize the dataset (of fields in the dataset).", + "metadata": { + "name": "anonymizationMethodUsed", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Dataset/anonymizationMethodUsed", + "Domain": [ + "Dataset" + ] + } + }, + "datasetAvailability": { + "summary": "The field describes the availability of a dataset.", + "description": "Some datasets are publicly available and can be downloaded directly. Others are only accessible behind a clickthrough, or after filling a registration form. This field will describe the dataset availability from that perspective.", + "metadata": { + "name": "datasetAvailability", + "Nature": "DataProperty", + "Range": "DatasetAvailabilityType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Dataset/datasetAvailability", + "Domain": [ + "Dataset" + ] + } + }, + "intendedUse": { + "summary": "Describes what the given dataset should be used for.", + "description": "IntendedUse describes what the given dataset should be used for.\nSome datasets are collected to be used only for particular purposes. \nFor example, medical data collected from a specific demography might only be applicable\nfor training machine learning models to make predictions for that demography.\nIn such a case, the intendedUse field would capture this information.\nSimilarly, if a dataset is collected for building a facial recognition model,\nthe intendedUse field would specify that.", + "metadata": { + "name": "intendedUse", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Dataset/intendedUse", + "Domain": [ + "Dataset" + ] + } + }, + "sensor": { + "summary": "Describes a sensor used for collecting the data.", + "description": "Sensor describes a sensor that was used for collecting the data\nand its calibration value as a key-value pair.", + "metadata": { + "name": "sensors", + "Nature": "ObjectProperty", + "Range": "/Core/DictionaryEntry", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Dataset/sensor", + "Domain": [ + "Dataset" + ] + } + }, + "datasetType": { + "summary": "Describes the type of the given dataset.", + "description": "Type describes the datatype contained in the dataset. For example a dataset can be an image dataset for computer vision applications, a text dataset such as the contents of a book or Wikipedia article, or sometimes a multimodal dataset that contains multiple types of data.", + "metadata": { + "name": "datasetType", + "Nature": "DataProperty", + "Range": "DatasetType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Dataset/datasetType", + "Domain": [ + "Dataset" + ] + } + } + }, + "vocabs": { + "DatasetType": { + "summary": "Enumeration of dataset types.", + "description": "Describes the different structures of data within a given dataset. A dataset can have multiple types of data, or even a single type of data but still match multiple types, for example sensor data could also be timeseries or labeled image data could also be considered categorical.", + "metadata": { + "name": "DatasetType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Dataset/DatasetType" + }, + "entries": { + "structured": "data is stored in tabular format or retrieved from a relational database.", + "numeric": "data consists only of numeric entries.", + "text": "data consists of unstructured text, such as a book, wikipedia article (without images), or transcript.", + "categorical": "data that is classified into a discrete number of categories, such as the eye color of a population of people.", + "graph": "data is in the form of a graph where entries are somehow related to each other through edges, such a social network of friends.", + "timeseries": "data is recorded in an ordered sequence of timestamped entries, such as the price of a stock over the course of a day.", + "timestamp": "data is recorded with a timestamp for each entry, but not necessarily ordered or at specific intervals, such as when a taxi ride starts and ends.", + "sensor": "data is recorded from a physical sensor, such as a thermometer reading or biometric device.", + "image": "data is a collection of images such as pictures of animals.", + "syntactic": "data describes the syntax or semantics of a language or text, such as a parse tree used for natural language processing.", + "audio": "data is audio based, such as a collection of music from the 80s.", + "video": "data is video based, such as a collection of movie clips featuring Tom Hanks.", + "other": "data is of a type not included in this list.", + "noAssertion": "data type is not known." + } + }, + "DatasetAvailabilityType": { + "summary": "Availability of dataset", + "description": "Describes the possible types of availability of a dataset, indicating whether the dataset can be directly downloaded, can be assembled using a script for scraping the data, is only available after a clickthrough or a registration form.", + "metadata": { + "name": "DatasetAvailabilityType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Dataset/DatasetAvailabilityType" + }, + "entries": { + "Direct-Download": "the dataset is publicly available and can be downloaded directly.", + "Scraping-Script": "the dataset provider is not making available the underlying data and the dataset must be reassembled, typically using the provided script for scraping the data.", + "Query": "the dataset is publicly available, but not all at once, and can only be accessed through queries which return parts of the dataset.", + "Clickthrough": "the dataset is not publicly available and can only be accessed after affirmatively accepting terms on a clickthrough webpage.", + "Registration": "the dataset is not publicly available and an email registration is required before accessing the dataset, although without an affirmative acceptance of terms." + } + }, + "ConfidentialityLevelType": { + "summary": "Categories of confidentiality level.", + "description": "Describes the different confidentiality levels as given by the [Traffic Light Protocol](https://en.wikipedia.org/wiki/Traffic_Light_Protocol).", + "metadata": { + "name": "ConfidentialityLevelType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Dataset/ConfidentialityLevelType" + }, + "entries": { + "Red": "Data points in the dataset are highly confidential and can only be shared with named recipients.", + "Amber": "Data points in the dataset can be shared only with specific organizations and their clients on a need to know basis.", + "Green": "Dataset can be shared within a community of peers and partners.", + "Clear": "Dataset may be distributed freely, without restriction." + } + } + } + }, + "AI": { + "name": "AI", + "classes": { + "AIPackage": { + "summary": "Provides information about the fields in the AI package profile.", + "description": "Metadata information that can be added to a package to describe an AI application or trained AI model.\nExternal property restriction on /Core/Artifact/suppliedBy: minCount: 1\nExternal property restriction on /Software/Package/downloadLocation: minCount: 1\nExternal property restriction on /Software/Package/packageVersion: minCount: 1\nExternal property restriction on /Software/SoftwareArtifact/primaryPurpose: minCount: 1\nExternal property restriction on /Core/Artifact/releaseTime: minCount: 1", + "metadata": { + "name": "AIPackage", + "SubclassOf": "/Software/Package", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/AI/AIPackage" + }, + "properties": { + "energyConsumption": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "standardCompliance": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "*" + }, + "limitation": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "typeOfModel": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "*" + }, + "informationAboutTraining": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "informationAboutApplication": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "hyperparameter": { + "type": "/Core/DictionaryEntry", + "minCount": "0", + "maxCount": "*" + }, + "modelDataPreprocessing": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "*" + }, + "modelExplainability": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "*" + }, + "sensitivePersonalInformation": { + "type": "PresenceType", + "minCount": "0", + "maxCount": "1" + }, + "metricDecisionThreshold": { + "type": "/Core/DictionaryEntry", + "minCount": "0", + "maxCount": "*" + }, + "metric": { + "type": "/Core/DictionaryEntry", + "minCount": "0", + "maxCount": "*" + }, + "domain": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "*" + }, + "autonomyType": { + "type": "PresenceType", + "minCount": "0", + "maxCount": "1" + }, + "safetyRiskAssessment": { + "type": "SafetyRiskAssessmentType", + "minCount": "0", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": { + "/Core/Artifact/suppliedBy": { + "minCount": "1", + "maxCount": "*" + }, + "/Software/Package/downloadLocation": { + "minCount": "1", + "maxCount": "*" + }, + "/Software/Package/packageVersion": { + "minCount": "1", + "maxCount": "*" + }, + "/Software/SoftwareArtifact/primaryPurpose": { + "minCount": "1", + "maxCount": "*" + }, + "/Core/Artifact/releaseTime": { + "minCount": "1", + "maxCount": "*" + } + } + } + }, + "properties": { + "safetyRiskAssessment": { + "summary": "Categorizes safety risk impact of AI software.", + "description": "SafetyRiskAssessment categorizes the safety risk impact of the AI software\nin accordance with Article 20 of [EC Regulation No 765/2008](https://ec.europa.eu/docsroom/documents/17107/attachments/1/translations/en/renditions/pdf).", + "metadata": { + "name": "safetyRiskAssessment", + "Nature": "ObjectProperty", + "Range": "SafetyRiskAssessmentType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/AI/safetyRiskAssessment", + "Domain": [ + "AIPackage" + ] + } + }, + "typeOfModel": { + "summary": "Records the type of the model used in the AI software.", + "description": "TypeOfModel records the type of the AI model(s) used in the software. \nFor instance, if it is a supervised model, unsupervised model, reinforcement learning model or a combination of those.", + "metadata": { + "name": "typeOfModel", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/AI/typeOfModel", + "Domain": [ + "AIPackage" + ] + } + }, + "hyperparameter": { + "summary": "Records a hyperparameter used to build the AI model contained in the AI package.", + "description": "This field records a hyperparameter value.\nHyperparameters are parameters of the machine learning model that are used to control the learning process,\nfor example the optimization and learning rate used during the training of the model.", + "metadata": { + "name": "hyperparameter", + "Nature": "ObjectProperty", + "Range": "/Core/DictionaryEntry", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/AI/hyperparameter", + "Domain": [ + "AIPackage" + ] + } + }, + "informationAboutTraining": { + "summary": "Describes relevant information about different steps of the training process.", + "description": "InformationAboutTraining describes the specific steps involved in the training of the AI model.\nFor example, it can be specified whether supervised fine-tuning \nor active learning is used as part of training the model.", + "metadata": { + "name": "informationAboutTraining", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/AI/informationAboutTraining", + "Domain": [ + "AIPackage" + ] + } + }, + "sensitivePersonalInformation": { + "summary": "Records if sensitive personal information is used during model training.", + "description": "SensitivePersonalInformation notes if sensitive personal information\nis used in the training or inference of the AI models.\nThis might include biometric data, addresses or other data that can be used to infer a person's identity.", + "metadata": { + "name": "sensitivePersonalInformation", + "Nature": "ObjectProperty", + "Range": "PresenceType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/AI/sensitivePersonalInformation", + "Domain": [ + "AIPackage" + ] + } + }, + "modelDataPreprocessing": { + "summary": "Describes all the preprocessing steps applied to the training data before the model training.", + "description": "ModelDataPreprocessing is a free form text that describes the preprocessing steps\napplied to the training data before training of the model(s) contained in the AI software.", + "metadata": { + "name": "modelDataPreprocessing", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/AI/modelDataPreprocessing", + "Domain": [ + "AIPackage" + ] + } + }, + "energyConsumption": { + "summary": "Indicates the amount of energy consumed to build the AI package.", + "description": "EnergyConsumption captures the amount of energy needed to train and operate the AI model. \nThis value is also known as training energy consumption or inference energy consumption.", + "metadata": { + "name": "energyConsumption", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/AI/energyConsumption", + "Domain": [ + "AIPackage" + ] + } + }, + "domain": { + "summary": "Captures the domain in which the AI package can be used.", + "description": "Domain describes the domain in which the AI model contained in the AI software\ncan be expected to operate successfully. Examples include computer vision, natural language etc.", + "metadata": { + "name": "domain", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/AI/domain", + "Domain": [ + "AIPackage" + ] + } + }, + "standardCompliance": { + "summary": "Captures a standard that is being complied with.", + "description": "StandardCompliance captures a standard that the AI software complies with. \nThis includes both published and unpublished standards, for example ISO, IEEE, ETSI etc. \nThe standard could (but not necessarily have to) be used to satisfy a legal or regulatory requirement.", + "metadata": { + "name": "standardCompliance", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/AI/standardCompliance", + "Domain": [ + "AIPackage" + ] + } + }, + "metric": { + "summary": "Records the measurement of prediction quality of the AI model.", + "description": "Metric records the measurement with which the AI model was evaluated. \nThis makes statements about the prediction quality including uncertainty,\naccuracy, characteristics of the tested population, quality, fairness, explainability, robustness etc.", + "metadata": { + "name": "metric", + "Nature": "ObjectProperty", + "Range": "/Core/DictionaryEntry", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/AI/metric", + "Domain": [ + "AIPackage" + ] + } + }, + "metricDecisionThreshold": { + "summary": "Captures the threshold that was used for computation of a metric described in the metric field.", + "description": "Each metric might be computed based on a decision threshold. \nFor instance, precision or recall is typically computed by checking\nif the probability of the outcome is larger than 0.5.\nEach decision threshold should match with a metric field defined in the AI Package.", + "metadata": { + "name": "metricDecisionThreshold", + "Nature": "ObjectProperty", + "Range": "/Core/DictionaryEntry", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/AI/metricDecisionThreshold", + "Domain": [ + "AIPackage" + ] + } + }, + "modelExplainability": { + "summary": "Describes methods that can be used to explain the model.", + "description": "ModelExplainability is a free form text that lists the different explainability mechanisms\n(such as SHAP, or other model specific explainability mechanisms) that can be used to explain the model.", + "metadata": { + "name": "modelExplainability", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/AI/modelExplainability", + "Domain": [ + "AIPackage" + ] + } + }, + "autonomyType": { + "summary": "States if a human is involved in the decisions of the AI software.", + "description": "AutonomyType indicates if a human is involved in any of the decisions of the AI software\nor if that software is fully automatic.", + "metadata": { + "name": "autonomyType", + "Nature": "ObjectProperty", + "Range": "PresenceType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/AI/autonomyType", + "Domain": [ + "AIPackage" + ] + } + }, + "informationAboutApplication": { + "summary": "Provides relevant information about the AI software, not including the model description.", + "description": "InformationAboutApplication describes any relevant information in free form text about \nhow the AI model is used inside the software, as well as any relevant pre-processing steps, third party APIs etc.", + "metadata": { + "name": "informationAboutApplication", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/AI/informationAboutApplication", + "Domain": [ + "AIPackage" + ] + } + }, + "limitation": { + "summary": "Captures a limitation of the AI software.", + "description": "Limitation captures a limitation of the AI Package (or of the AI models present in the AI package),\nexpressed as free form text. Note that this is not guaranteed to be exhaustive.\nFor instance, a limitation might be that the AI package cannot be used on datasets from a certain demography.", + "metadata": { + "name": "limitation", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/AI/limitation", + "Domain": [ + "AIPackage" + ] + } + } + }, + "vocabs": { + "SafetyRiskAssessmentType": { + "summary": "Categories of safety risk impact of the application.", + "description": "Lists the different safety risk type values that can be used to describe the safety risk of AI software\naccording to [Article 20 of Regulation 765/2008/EC](https://ec.europa.eu/docsroom/documents/17107/attachments/1/translations/en/renditions/pdf).", + "metadata": { + "name": "SafetyRiskAssessmentType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/AI/SafetyRiskAssessmentType" + }, + "entries": { + "serious": "The highest level of risk posed by an AI software.", + "high": "The second-highest level of risk posed by an AI software.", + "medium": "The third-highest level of risk posed by an AI software.", + "low": "Low/no risk is posed by the AI software." + } + }, + "PresenceType": { + "summary": "Categories of presence or absence.", + "description": "This type is used to indicate if a given field is present or absent or unknown.", + "metadata": { + "name": "PresenceType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/AI/PresenceType" + }, + "entries": { + "yes": "Indicates presence of the field.", + "no": "Indicates absence of the field.", + "noAssertion": "Makes no assertion about the field." + } + } + } + }, + "Security": { + "name": "Security", + "classes": { + "VexNotAffectedVulnAssessmentRelationship": { + "summary": "Links a vulnerability and one or more elements designating the latter as products\nnot affected by the vulnerability.", + "description": "VexNotAffectedVulnAssessmentRelationship connects a vulnerability and a number\nof elements designating them as products not affected by the vulnerability.\nThis relationship corresponds to the VEX not_affected status.\n\n**Constraints**\n\nWhen linking elements using a VexNotVulnAffectedAssessmentRelationship, the\nfollowing requirements must be observed:\n\n* Relating elements with a VexNotAffectedVulnAssessmentRelationship is restricted\nto the doesNotAffect relationship type.\n* The from: end of the relationship must be a /Security/Vulnerability classed\nelement.\n* Both impactStatement and justificationType properties have a cardinality of\n0..1 making them optional. Nevertheless, to produce a valid VEX not_affected\nstatement, one of them MUST be defined. This is specified in the Minimum Elements\nfor VEX.\n\n**Syntax**\n\n```json\n{\n \"@type\": \"VexNotAffectedVulnAssessmentRelationship\",\n \"@id\": \"urn:spdx.dev:vex-not-affected-1\",\n \"relationshipType\": \"doesNotAffect\",\n \"from\": \"urn:spdx.dev:vuln-cve-2020-28498\",\n \"to\": [\"urn:product-acme-application-1.3\"],\n \"assessedElement\": \"urn:npm-elliptic-6.5.2\",\n \"justificationType\": \"componentNotPresent\",\n \"impactStatement\": \"Not using this vulnerable part of this library.\",\n \"suppliedBy\": [\"urn:spdx.dev:agent-jane-doe\"],\n \"publishedTime\": \"2021-03-09T11:04:53Z\"\n}\n```", + "metadata": { + "name": "VexNotAffectedVulnAssessmentRelationship", + "SubclassOf": "VexVulnAssessmentRelationship", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/VexNotAffectedVulnAssessmentRelationship" + }, + "properties": { + "justificationType": { + "type": "VexJustificationType", + "minCount": "0", + "maxCount": "1" + }, + "impactStatement": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "impactStatementTime": { + "type": "/Core/DateTime", + "minCount": "0", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} + }, + "SsvcVulnAssessmentRelationship": { + "summary": "Provides an SSVC assessment for a vulnerability.", + "description": "An SsvcVulnAssessmentRelationship describes the decision made using the\nStakeholder-Specific Vulnerability Categorization (SSVC) decision tree as\ndefined on [https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc](https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc).\nIt is intended to communicate the results of using the CISA SSVC Calculator.\n\n**Constraints**\n\n- The relationship type must be set to hasAssessmentFor.\n\n**Syntax**\n\n```json\n{\n \"@type\": \"SsvcVulnAssessmentRelationship\",\n \"@id\": \"urn:spdx.dev:ssvc-1\",\n \"relationshipType\": \"hasAssessmentFor\",\n \"decisionType\": \"act\",\n \"from\": \"urn:spdx.dev:vuln-cve-2020-28498\",\n \"to\": [\"urn:product-acme-application-1.3\"],\n \"assessedElement\": \"urn:npm-elliptic-6.5.2\",\n \"suppliedBy\": [\"urn:spdx.dev:agent-jane-doe\"],\n \"publishedTime\": \"2021-03-09T11:04:53Z\"\n}\n```", + "metadata": { + "name": "SsvcVulnAssessmentRelationship", + "SubclassOf": "VulnAssessmentRelationship", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/SsvcVulnAssessmentRelationship" + }, + "properties": { + "decisionType": { + "type": "SsvcDecisionType", + "minCount": "1", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} + }, + "VexFixedVulnAssessmentRelationship": { + "summary": "Links a vulnerability and elements representing products (in the VEX sense) where\na fix has been applied and are no longer affected.", + "description": "VexFixedVulnAssessmentRelationship links a vulnerability to a number of elements\nrepresenting VEX products where a vulnerability has been fixed and are no longer\naffected. It represents the VEX fixed status.\n\n**Constraints**\n\nWhen linking elements using a VexFixedVulnAssessmentRelationship, the following\nrequirements must be observed:\n\n- Elements linked with a VulnVexFixedAssessmentRelationship are constrained to\nusing the fixedIn relationship type.\n- The from: end of the relationship must ve a /Security/Vulnerability classed\nelement.\n\n**Syntax**\n\n```json\n{\n \"@type\": \"VexFixedVulnAssessmentRelationship\",\n \"@id\": \"urn:spdx.dev:vex-fixed-in-1\",\n \"relationshipType\": \"fixedIn\",\n \"from\": \"urn:spdx.dev:vuln-cve-2020-28498\",\n \"to\": [\"urn:product-acme-application-1.3\"],\n \"assessedElement\": \"urn:npm-elliptic-6.5.4\",\n \"suppliedBy\": [\"urn:spdx.dev:agent-jane-doe\"],\n \"publishedTime\": \"2021-03-09T11:04:53Z\"\n}\n```", + "metadata": { + "name": "VexFixedVulnAssessmentRelationship", + "SubclassOf": "VexVulnAssessmentRelationship", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/VexFixedVulnAssessmentRelationship" + }, + "properties": {}, + "externalPropertyRestrictions": {} + }, + "VexVulnAssessmentRelationship": { + "summary": "Asbtract ancestor class for all VEX relationships", + "description": "VexVulnAssessmentRelationship is an abstract subclass that defined the common\nproperties shared by all the SPDX-VEX status relationships. \n\n**Constraints**\n\nWhen linking elements using a VexVulnAssessmentRelationship, the following\nrequirements must be observed:\n\n- The from: end must be a /Security/Vulnerability classed element\n- The to: end must point to elements representing the VEX _products_. To\nspecify a different element where the vulnerability was detected, the VEX\nrelationship can optionally specify _subcomponents_ using the assessedElement\nproperty.\n\nVEX inherits information from the document level down to its statements. When a\nstatement is missing information it can be completed by reading the equivalent \nfield from the containing document. For example, if a VEX relationship is\nmissing data in its createdBy property, tools must consider the entity\nlisted in the CreationInfo section of the document as the VEX author.\nIn the same way, when a VEX relationship does not have a created property,\nthe document's date must be considered as authoritative.", + "metadata": { + "name": "VexVulnAssessmentRelationship", + "SubclassOf": "VulnAssessmentRelationship", + "Instantiability": "Abstract", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/VexVulnAssessmentRelationship" + }, + "properties": { + "vexVersion": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "statusNotes": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} + }, + "CvssV3VulnAssessmentRelationship": { + "summary": "Provides a CVSS version 3.x assessment for a vulnerability.", + "description": "A CvssV3VulnAssessmentRelationship relationship describes the determined score,\nseverity, and vector of a vulnerability using version 3.1 of the Common\nVulnerability Scoring System (CVSS) as defined on \n[https://www.first.org/cvss/v3.1/specification-document](https://www.first.org/cvss/v3.1/specification-document). It is intented to communicate the results of using a CVSS calculator.\n\n**Constraints**\n\n- The value of severity must be one of 'none', 'low', 'medium', 'high' or 'critical'.\n- Absence of the property shall be interpreted as 'none'.\n- The relationship type must be set to hasAssessmentFor.\n\n**Syntax**\n\n```json\n{\n \"@type\": \"CvssV3VulnAssessmentRelationship\",\n \"@id\": \"urn:spdx.dev:cvssv3-cve-2020-28498\",\n \"relationshipType\": \"hasAssessmentFor\",\n \"severity\": \"medium\",\n \"score\": 6.8,\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N\",\n \"from\": \"urn:spdx.dev:vuln-cve-2020-28498\",\n \"to\": [\"urn:product-acme-application-1.3\"],\n \"assessedElement\": \"urn:npm-elliptic-6.5.2\",\n \"externalReferences\": [\n {\n \"@type\": \"ExternalReference\",\n \"externalReferenceType\": \"securityAdvisory\",\n \"locator\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-28498\"\n },\n {\n \"@type\": \"ExternalReference\",\n \"externalReferenceType\": \"securityAdvisory\",\n \"locator\": \"https://snyk.io/vuln/SNYK-JS-ELLIPTIC-1064899\"\n },\n {\n \"@type\": \"ExternalReference\",\n \"externalReferenceType\": \"securityFix\",\n \"locator\": \"https://github.com/indutny/elliptic/commit/441b742\"\n }\n ],\n \"suppliedBy\": [\"urn:spdx.dev:agent-my-security-vendor\"],\n \"publishedTime\": \"2023-05-06T10:06:13Z\"\n},\n{\n \"@type\": \"Relationship\",\n \"@id\": \"urn:spdx.dev:vulnAgentRel-1\",\n \"relationshipType\": \"publishedBy\",\n \"from\": \"urn:spdx.dev:cvssv3-cve-2020-28498\",\n \"to\": \"urn:spdx.dev:agent-snyk\",\n \"startTime\": \"2021-03-08T16:06:50Z\"\n}\n```", + "metadata": { + "name": "CvssV3VulnAssessmentRelationship", + "SubclassOf": "VulnAssessmentRelationship", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/CvssV3VulnAssessmentRelationship" + }, + "properties": { + "score": { + "type": "xsd:decimal", + "minCount": "1", + "maxCount": "1" + }, + "severity": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "vector": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} + }, + "VulnAssessmentRelationship": { + "summary": "Abstract ancestor class for all vulnerability assessments", + "description": "VulnAssessmentRelationship is the ancestor class common to all vulnerability\nassessment relationships. It factors out the common properties shared by them.\nExternal property restriction on /Core/Relationship/to: minCount: 1", + "metadata": { + "name": "VulnAssessmentRelationship", + "SubclassOf": "/Core/Relationship", + "Instantiability": "Abstract", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/VulnAssessmentRelationship" + }, + "properties": { + "assessedElement": { + "type": "/Core/Element", + "minCount": "0", + "maxCount": "1" + }, + "publishedTime": { + "type": "/Core/DateTime", + "minCount": "0", + "maxCount": "1" + }, + "suppliedBy": { + "type": "/Core/Agent", + "minCount": "0", + "maxCount": "1" + }, + "modifiedTime": { + "type": "/Core/DateTime", + "minCount": "0", + "maxCount": "1" + }, + "withdrawnTime": { + "type": "/Core/DateTime", + "minCount": "0", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": { + "/Core/Relationship/to": { + "minCount": "1", + "maxCount": "*" + } + } + }, + "Vulnerability": { + "summary": "Specifies a vulnerability and its associated information.", + "description": "Specifies a vulnerability and its associated information.\n\n**Syntax**\n\n```json\n{\n \"@type\": \"Vulnerability\",\n \"@id\": \"urn:spdx.dev:vuln-1\",\n \"summary\": \"Use of a Broken or Risky Cryptographic Algorithm\",\n \"description\": \"The npm package `elliptic` before version 6.5.4 are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.\", \n \"modified\": \"2021-03-08T16:02:43Z\",\n \"published\": \"2021-03-08T16:06:50Z\",\n \"externalIdentifiers\": [\n {\n \"@type\": \"ExternalIdentifier\",\n \"externalIdentifierType\": \"cve\",\n \"identifier\": \"CVE-2020-2849\",\n \"identifierLocator\": [\n \"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28498\",\n \"https://www.cve.org/CVERecord?id=CVE-2020-28498\"\n ],\n \"issuingAuthority\": \"urn:spdx.dev:agent-cve.org\"\n },\n {\n \"type\": \"ExternalIdentifier\",\n \"externalIdentifierType\": \"securityOther\",\n \"identifier\": \"GHSA-r9p9-mrjm-926w\",\n \"identifierLocator\": \"https://github.com/advisories/GHSA-r9p9-mrjm-926w\"\n },\n {\n \"type\": \"ExternalIdentifier\",\n \"externalIdentifierType\": \"securityOther\",\n \"identifier\": \"SNYK-JS-ELLIPTIC-1064899\",\n \"identifierLocator\": \"https://security.snyk.io/vuln/SNYK-JS-ELLIPTIC-1064899\"\n }\n ],\n \"externalReferences\": [\n {\n \"@type\": \"ExternalReference\",\n \"externalReferenceType\": \"securityAdvisory\",\n \"locator\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-28498\"\n },\n {\n \"@type\": \"ExternalReference\",\n \"externalReferenceType\": \"securityAdvisory\",\n \"locator\": \"https://ubuntu.com/security/CVE-2020-28498\"\n },\n {\n \"@type\": \"ExternalReference\",\n \"externalReferenceType\": \"securityOther\",\n \"locator\": \"https://github.com/indutny/elliptic/pull/244/commits\"\n },\n {\n \"@type\": \"ExternalReference\",\n \"externalReferenceType\": \"securityOther\",\n \"locator\": \"https://github.com/christianlundkvist/blog/blob/master/2020_05_26_secp256k1_twist_attacks/secp256k1_twist_attacks.md\"\n }\n ]\n},\n{\n \"@type\": \"Relationship\",\n \"@id\": \"urn:spdx.dev:vulnRelationship-1\",\n \"relationshipType\": \"hasAssociatedVulnerability\",\n \"from\": \"urn:npm-elliptic-6.5.2\",\n \"to\": [\"urn:spdx.dev:vuln-1\"],\n \"startTime\": \"2021-03-08T16:06:50Z\"\n},\n{\n \"@type\": \"Relationship\",\n \"@id\": \"urn:spdx.dev:vulnAgentRel-1\", \n \"relationshipType\": \"publishedBy\", \n \"from\": \"urn:spdx.dev:vuln-1\",\n \"to\": [\"urn:spdx.dev:agent-snyk\"],\n \"startTime\": \"2021-03-08T16:06:50Z\"\n}\n```", + "metadata": { + "name": "Vulnerability", + "SubclassOf": "/Core/Element", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/Vulnerability" + }, + "properties": { + "publishedTime": { + "type": "/Core/DateTime", + "minCount": "0", + "maxCount": "1" + }, + "modifiedTime": { + "type": "/Core/DateTime", + "minCount": "0", + "maxCount": "1" + }, + "withdrawnTime": { + "type": "/Core/DateTime", + "minCount": "0", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} + }, + "CvssV2VulnAssessmentRelationship": { + "summary": "Provides a CVSS version 2.0 assessment for a vulnerability.", + "description": "A CvssV2VulnAssessmentRelationship relationship describes the determined score and vector of a vulnerability using version 2.0 of the Common Vulnerability Scoring System\n(CVSS) as defined on [https://www.first.org/cvss/v2/guide](https://www.first.org/cvss/v2/guide). It is intented to communicate the results of using a CVSS calculator.\n\n**Constraints**\n\n- The value of severity must be one of 'low', 'medium' or 'high'\n- The relationship type must be set to hasAssessmentFor.\n\n**Syntax**\n\n```json\n{\n \"@type\": \"CvssV2VulnAssessmentRelationship\",\n \"@id\": \"urn:spdx.dev:cvssv2-cve-2020-28498\",\n \"relationshipType\": \"hasAssessmentFor\",\n \"score\": 4.3,\n \"vector\": \"(AV:N/AC:M/Au:N/C:P/I:N/A:N)\",\n \"severity\": \"low\",\n \"from\": \"urn:spdx.dev:vuln-cve-2020-28498\",\n \"to\": [\"urn:product-acme-application-1.3\"],\n \"assessedElement\": \"urn:npm-elliptic-6.5.2\",\n \"externalReferences\": [\n {\n \"@type\": \"ExternalReference\",\n \"externalReferenceType\": \"securityAdvisory\",\n \"locator\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-28498\"\n },\n {\n \"@type\": \"ExternalReference\",\n \"externalReferenceType\": \"securityAdvisory\",\n \"locator\": \"https://snyk.io/vuln/SNYK-JS-ELLIPTIC-1064899\"\n },\n {\n \"@type\": \"ExternalReference\",\n \"externalReferenceType\": \"securityFix\",\n \"locator\": \"https://github.com/indutny/elliptic/commit/441b742\"\n }\n ],\n \"suppliedBy\": [\"urn:spdx.dev:agent-my-security-vendor\"],\n \"publishedTime\": \"2023-05-06T10:06:13Z\"\n},\n{\n \"@type\": \"Relationship\",\n \"@id\": \"urn:spdx.dev:vulnAgentRel-1\", \n \"relationshipType\": \"publishedBy\", \n \"from\": \"urn:spdx.dev:cvssv2-cve-2020-28498\",\n \"to\": [\"urn:spdx.dev:agent-snyk\"],\n \"startTime\": \"2021-03-08T16:06:50Z\"\n}\n```", + "metadata": { + "name": "CvssV2VulnAssessmentRelationship", + "SubclassOf": "VulnAssessmentRelationship", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/CvssV2VulnAssessmentRelationship" + }, + "properties": { + "score": { + "type": "xsd:decimal", + "minCount": "1", + "maxCount": "1" + }, + "severity": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "vector": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} + }, + "VexAffectedVulnAssessmentRelationship": { + "summary": "Connects a vulnerability and an element designating the element as a product\naffected by the vulnerability.", + "description": "VexAffectedVulnAssessmentRelationship connects a vulnerability and a number\nof elements. The relationship marks these elements as products affected by the\nvulnerability. This relationship corresponds to the VEX affected status.\n\n**Constraints**\n\nWhen linking elements using a VexAffectedVulnAssessmentRelationship, the\nfollowing requirements must be observed:\n\n- Elements linked with a VulnVexAffectedAssessmentRelationship are constrained\nto the affects relationship type.\n\n**Syntax**\n\n```json\n{\n \"@type\": \"VexAffectedVulnAssessmentRelationship\",\n \"@id\": \"urn:spdx.dev:vex-affected-1\",\n \"relationshipType\": \"affects\",\n \"from\": \"urn:spdx.dev:vuln-cve-2020-28498\",\n \"to\": [\"urn:product-acme-application-1.3\"],\n \"assessedElement\": \"urn:npm-elliptic-6.5.2\",\n \"actionStatement\": \"Upgrade to version 1.4 of ACME application.\",\n \"suppliedBy\": [\"urn:spdx.dev:agent-jane-doe\"],\n \"publishedTime\": \"2021-03-09T11:04:53Z\"\n}\n```", + "metadata": { + "name": "VexAffectedVulnAssessmentRelationship", + "SubclassOf": "VexVulnAssessmentRelationship", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/VexAffectedVulnAssessmentRelationship" + }, + "properties": { + "actionStatement": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "actionStatementTime": { + "type": "/Core/DateTime", + "minCount": "0", + "maxCount": "*" + } + }, + "externalPropertyRestrictions": {} + }, + "ExploitCatalogVulnAssessmentRelationship": { + "summary": "Provides an exploit assessment of a vulnerability.", + "description": "An ExploitCatalogVulnAssessmentRelationship describes if a vulnerability is\nlisted in any exploit catalog such as the CISA Known Exploited Vulnerabilities\nCatalog (KEV) \n[https://www.cisa.gov/known-exploited-vulnerabilities-catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog).\n\n**Constraints**\n\n- The relationship type must be set to hasAssessmentFor.\n\n**Syntax**\n\n```json\n{\n \"@type\": \"ExploitCatalogVulnAssessmentRelationship\",\n \"@id\": \"urn:spdx.dev:exploit-catalog-1\",\n \"relationshipType\": \"hasAssessmentFor\",\n \"catalogType\": \"kev\",\n \"locator\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n \"exploited\": \"true\",\n \"from\": \"urn:spdx.dev:vuln-cve-2023-2136\",\n \"to\": [\"urn:product-google-chrome-112.0.5615.136\"],\n \"suppliedBy\": [\"urn:spdx.dev:agent-jane-doe\"],\n \"publishedTime\": \"2021-03-09T11:04:53Z\"\n}\n```", + "metadata": { + "name": "ExploitCatalogVulnAssessmentRelationship", + "SubclassOf": "VulnAssessmentRelationship", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/ExploitCatalogVulnAssessmentRelationship" + }, + "properties": { + "catalogType": { + "type": "ExploitCatalogType", + "minCount": "1", + "maxCount": "1" + }, + "exploited": { + "type": "xsd:boolean", + "minCount": "1", + "maxCount": "1" + }, + "locator": { + "type": "xsd:anyURI", + "minCount": "1", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} + }, + "EpssVulnAssessmentRelationship": { + "summary": "Provides an EPSS assessment for a vulnerability.", + "description": "An EpssVulnAssessmentRelationship relationship describes the likelihood or\nprobability that a vulnerability will be exploited in the wild using the Exploit\nPrediction Scoring System (EPSS) as defined on \n[https://www.first.org/epss/model](https://www.first.org/epss/model).\n\n**Constraints**\n\n- The relationship type must be set to hasAssessmentFor.\n\n**Syntax**\n\n```json\n{\n \"@type\": \"EpssVulnAssessmentRelationship\",\n \"@id\": \"urn:spdx.dev:epss-1\",\n \"relationshipType\": \"hasAssessmentFor\",\n \"probability\": 80,\n \"from\": \"urn:spdx.dev:vuln-cve-2020-28498\",\n \"to\": [\"urn:product-acme-application-1.3\"],\n \"suppliedBy\": [\"urn:spdx.dev:agent-jane-doe\"],\n \"publishedTime\": \"2021-03-09T11:04:53Z\"\n}\n```", + "metadata": { + "name": "EpssVulnAssessmentRelationship", + "SubclassOf": "VulnAssessmentRelationship", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/EpssVulnAssessmentRelationship" + }, + "properties": { + "probability": { + "type": "xsd:nonNegativeInteger", + "minCount": "1", + "maxCount": "1" + }, + "severity": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} + }, + "VexUnderInvestigationVulnAssessmentRelationship": { + "summary": "Designates elements as products where the impact of a vulnerability is being\ninvestigated.", + "description": "VexUnderInvestigationVulnAssessmentRelationship links a vulnerability to a\nnumber of products stating the vulnerability's impact on them is being\ninvestigated. It represents the VEX under_investigation status.\n\n**Constraints**\n\nWhen linking elements using a VexUnderInvestigationVulnAssessmentRelationship\nthe following requirements must be observed:\n\n- Elements linked with a VexUnderInvestigationVulnAssessmentRelationship are\nconstrained to using the underInvestigationFor relationship type.\n- The from: end of the relationship must ve a /Security/Vulnerability classed\nelement.\n\n**Syntax**\n\n```json\n{\n \"@type\": \"VexUnderInvestigationVulnAssessmentRelationship\",\n \"@id\": \"urn:spdx.dev:vex-underInvestigation-1\",\n \"relationshipType\": \"underInvestigationFor\",\n \"from\": \"urn:spdx.dev:vuln-cve-2020-28498\",\n \"to\": [\"urn:product-acme-application-1.3\"],\n \"assessedElement\": \"urn:npm-elliptic-6.5.2\",\n \"suppliedBy\": [\"urn:spdx.dev:agent-jane-doe\"],\n \"publishedTime\": \"2021-03-09T11:04:53Z\"\n}\n```", + "metadata": { + "name": "VexUnderInvestigationVulnAssessmentRelationship", + "SubclassOf": "VexVulnAssessmentRelationship", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/VexUnderInvestigationVulnAssessmentRelationship" + }, + "properties": {}, + "externalPropertyRestrictions": {} + } + }, + "properties": { + "justificationType": { + "summary": "Impact justification label to be used when linking a vulnerability to an element\nrepresenting a VEX product with a VexNotAffectedVulnAssessmentRelationship\nrelationship.", + "description": "When stating that an element is not affected by a vulnerability, the\nVexNotAffectedVulnAssessmentRelationship must include a justification from the\nmachine-readable labels catalog informing the reason the element is not impacted.\n\nimpactStatement which is a string with English prose can be used instead or as\ncomplementary to the justification label, but one of both MUST be defined.", + "metadata": { + "name": "justificationType", + "Nature": "ObjectProperty", + "Range": "VexJustificationType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/justificationType", + "Domain": [ + "VexNotAffectedVulnAssessmentRelationship" + ] + } + }, + "actionStatementTime": { + "summary": "Records the time when a recommended action was communicated in a VEX statement \nto mitigate a vulnerability.", + "description": "When a VEX statement communicates an affected status, the author MUST\ninclude an action statement with a recommended action to help mitigate the\nvulnerability's impact. The actionStatementTime property records the time\nwhen the action statement was first communicated.", + "metadata": { + "name": "actionStatementTime", + "Nature": "DataProperty", + "Range": "/Core/DateTime", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/actionStatementTime", + "Domain": [ + "VexAffectedVulnAssessmentRelationship" + ] + } + }, + "assessedElement": { + "summary": "Specifies an element contained in a piece of software where a vulnerability was\nfound.", + "description": "Specifies subpackages, files or snippets referenced by a security assessment\nto specify the precise location where a vulnerability was found.", + "metadata": { + "name": "assessedElement", + "Nature": "ObjectProperty", + "Range": "/Core/Element", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/assessedElement", + "Domain": [ + "VulnAssessmentRelationship" + ] + } + }, + "suppliedBy": { + "summary": "Identifies who or what supplied the vulnerability assessment relationship.", + "description": "Identify the actual distribution source for the vulnerability assessment relationship being referenced.", + "metadata": { + "name": "suppliedBy", + "Nature": "ObjectProperty", + "Range": "/Core/Agent", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/suppliedBy", + "Domain": [ + "VulnAssessmentRelationship" + ] + } + }, + "decisionType": { + "summary": "Provide the enumeration of possible decisions in the Stakeholder-Specific Vulnerability Categorization (SSVC) decision tree [https://www.cisa.gov/sites/default/files/publications/cisa-ssvc-guide%20508c.pdf](https://www.cisa.gov/sites/default/files/publications/cisa-ssvc-guide%20508c.pdf)", + "description": "A decisionType is a mandatory value and must select one of the four entries in the `SsvcDecisionType.md` vocabulary.", + "metadata": { + "name": "decisionType", + "Nature": "ObjectProperty", + "Range": "SsvcDecisionType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/decisionType", + "Domain": [ + "SsvcVulnAssessmentRelationship" + ] + } + }, + "exploited": { + "summary": "Describe that a CVE is known to have an exploit because it's been listed in an exploit catalog.", + "description": "This field is set when a CVE is listed in an exploit catalog.", + "metadata": { + "name": "exploited", + "Nature": "DataProperty", + "Range": "xsd:boolean", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/exploited", + "Domain": [ + "ExploitCatalogVulnAssessmentRelationship" + ] + } + }, + "catalogType": { + "summary": "TODO", + "description": "A catalogType is a mandatory value and must select one of the two entries in the `ExploitCatalogType.md` vocabulary.", + "metadata": { + "name": "catalogType", + "Nature": "ObjectProperty", + "Range": "ExploitCatalogType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/catalogType", + "Domain": [ + "ExploitCatalogVulnAssessmentRelationship" + ] + } + }, + "probability": { + "summary": "A probability score between 0 and 1 of a vulnerability being exploited.", + "description": "The probability score between 0 and 1 (0 and 100%) estimating the likelihood\nthat a vulnerability will be exploited in the next 12 months.", + "metadata": { + "name": "probability", + "Nature": "DataProperty", + "Range": "xsd:decimal", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/probability", + "Domain": [ + "EpssVulnAssessmentRelationship" + ] + } + }, + "statusNotes": { + "summary": "TODO", + "description": "TODO", + "metadata": { + "name": "statusNotes", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/statusNotes", + "Domain": [ + "VexVulnAssessmentRelationship" + ] + } + }, + "publishedTime": { + "summary": "Specifies the time when a vulnerability was published.", + "description": "Specifies the time when a vulnerability was first published.", + "metadata": { + "name": "publishedTime", + "Nature": "DataProperty", + "Range": "/Core/DateTime", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/publishedTime", + "Domain": [ + "VulnAssessmentRelationship", + "Vulnerability" + ] + } + }, + "vexVersion": { + "summary": "TODO", + "description": "TODO", + "metadata": { + "name": "vexVersion", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/vexVersion", + "Domain": [ + "VexVulnAssessmentRelationship" + ] + } + }, + "actionStatement": { + "summary": "Provides advise on how to mitigate or remediate a vulnerability when a VEX product\nis affected by it.", + "description": "When an element is referenced with a VexAffectedVulnAssessmentRelationship,\nthe relationship MUST include one actionStatement that SHOULD describe actions\nto remediate or mitigate the vulnerability.", + "metadata": { + "name": "actionStatement", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/actionStatement", + "Domain": [ + "VexAffectedVulnAssessmentRelationship" + ] + } + }, + "locator": { + "summary": "Provides the location of an exploit catalog.", + "description": "A locator provides the location of an exploit catalog.", + "metadata": { + "name": "locator", + "Nature": "DataProperty", + "Range": "xsd:anyURI", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/locator", + "Domain": [ + "ExploitCatalogVulnAssessmentRelationship" + ] + } + }, + "vector": { + "summary": "Specifies the vector string of a vulnerability.", + "description": "Sepcifies the vector string of a vulnerability, a string combining metrics\nfrom an assessment of its severity.", + "metadata": { + "name": "vector", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/vector", + "Domain": [ + "CvssV3VulnAssessmentRelationship", + "CvssV2VulnAssessmentRelationship" + ] + } + }, + "impactStatementTime": { + "summary": "TODO", + "description": "TODO", + "metadata": { + "name": "impactStatementTime", + "Nature": "DataProperty", + "Range": "/Core/DateTime", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/impactStatementTime", + "Domain": [ + "VexNotAffectedVulnAssessmentRelationship" + ] + } + }, + "withdrawnTime": { + "summary": "Specified the time and date when a vulnerability was withdrawn.", + "description": "Specified the time and date when a vulnerability was withdrawn.", + "metadata": { + "name": "withdrawnTime", + "Nature": "DataProperty", + "Range": "/Core/DateTime", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/withdrawnTime", + "Domain": [ + "VulnAssessmentRelationship", + "Vulnerability" + ] + } + }, + "impactStatement": { + "summary": "Explains why a VEX product is not affected by a vulnerability. It is an\nalternative in VexNotAffectedVulnAssessmentRelationship to the machine-readable\njustification label.", + "description": "When a VEX product element is related with a VexNotAffectedVulnAssessmentRelationship\nand a machine readable justification label is not provided, then an impactStatement\nthat further explains how or why the prouct(s) are not affected by the vulnerability\nmust be provided.", + "metadata": { + "name": "impactStatement", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/impactStatement", + "Domain": [ + "VexNotAffectedVulnAssessmentRelationship" + ] + } + }, + "score": { + "summary": "Provides a numerical (0-10) representation of the severity of a vulnerability.", + "description": "The score provides information on the severity of a vulnerability per the\nCommon Vulnerability Scoring System as defined on [https://www.first.org/cvss](https://www.first.org/cvss/).", + "metadata": { + "name": "score", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/score", + "Domain": [ + "CvssV3VulnAssessmentRelationship", + "CvssV2VulnAssessmentRelationship" + ] + } + }, + "severity": { + "summary": "The severity of a vulnerability in relation to a piece of software.", + "description": "The severity field provides a human readable string, a label that can be used\nas an English adjective that qualifies its numerical score.", + "metadata": { + "name": "severity", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/severity", + "Domain": [ + "CvssV3VulnAssessmentRelationship", + "CvssV2VulnAssessmentRelationship", + "EpssVulnAssessmentRelationship" + ] + } + }, + "modifiedTime": { + "summary": "Specifies a time when a vulnerability assessment was modified", + "description": "Specifies a time when a vulnerability assessment was last modified.", + "metadata": { + "name": "modifiedTime", + "Nature": "DataProperty", + "Range": "/Core/DateTime", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/modifiedTime", + "Domain": [ + "VulnAssessmentRelationship", + "Vulnerability" + ] + } + } + }, + "vocabs": { + "VexJustificationType": { + "summary": "Specifies the VEX justification type.", + "description": "VexJustificationType specifies the type of Vulnerability Exploitability eXchange (VEX) justification.", + "metadata": { + "name": "VexJustificationType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/VexJustificationType" + }, + "entries": { + "componentNotPresent": "The software is not affected because the vulnerable component is not in the product.", + "vulnerableCodeNotPresent": "The product is not affected because the code underlying the vulnerability is not present in the product.", + "vulnerableCodeCannotBeControlledByAdversary": "The vulnerable component is present, and the component contains the vulnerable code. However, vulnerable code is used in such a way that an attacker cannot mount any anticipated attack.", + "vulnerableCodeNotInExecutePath": "The affected code is not reachable through the execution of the code, including non-anticipated states of the product.", + "inlineMitigationsAlreadyExist": "Built-in inline controls or mitigations prevent an adversary from leveraging the vulnerability." + } + }, + "ExploitCatalogType": { + "summary": "Specifies the exploit catalog type.", + "description": "ExploitCatalogType specifies the type of exploit catalog that a vulnerability is listed in.", + "metadata": { + "name": "ExploitCatalogType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/ExploitCatalogType" + }, + "entries": { + "kev": "CISA's Known Exploited Vulnerability (KEV) Catalog", + "other": "Other exploit catalogs" + } + }, + "SsvcDecisionType": { + "summary": "Specifies the SSVC decision type.", + "description": "SsvcDecisionType specifies the type of decision that's been made according to the Stakeholder-Specific Vulnerability Categorization (SSVC) system [https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc](https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc)", + "metadata": { + "name": "SsvcDecisionType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/SsvcDecisionType" + }, + "entries": { + "act": "The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. CISA recommends remediating Act vulnerabilities as soon as possible.", + "attend": "The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary actions include requesting assistance or information about the vulnerability, and may involve publishing a notification either internally and/or externally. CISA recommends remediating Attend vulnerabilities sooner than standard update timelines.", + "track": "The vulnerability does not require action at this time. The organization would continue to track the vulnerability and reassess it if new information becomes available. CISA recommends remediating Track vulnerabilities within standard update timelines.", + "trackStar": "(Track* in the SSVC spec) The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines." + } + } + } + }, + "Build": { + "name": "Build", + "classes": { + "Build": { + "summary": "Class that describes a build instance of software/artifacts.", + "description": "A build is a representation of the process in which a piece of software or artifact is built. It encapsulates information related to a build process and\nprovides an element from which relationships can be created to describe the build's inputs, outputs, and related entities (e.g. builders, identities, etc.).\n\nDefinitions of \"BuildType\", \"ConfigSource\", \"Parameters\" and \"Environment\" follow\nthose defined in [SLSA provenance](https://slsa.dev/provenance/v0.2).\n\nExternalIdentifier of type \"urlScheme\" may be used to identify build logs. In this case, the comment of the ExternalIdentifier should be \"LogReference\".\n\nNote that buildStart and buildEnd are optional, and may be omitted to simplify creating reproducible builds.", + "metadata": { + "name": "Build", + "SubclassOf": "/Core/Element", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Build/Build" + }, + "properties": { + "buildType": { + "type": "xsd:anyURI", + "minCount": "1", + "maxCount": "1" + }, + "buildId": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "configSourceEntrypoint": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "*" + }, + "configSourceUri": { + "type": "xsd:anyURI", + "minCount": "0", + "maxCount": "*" + }, + "configSourceDigest": { + "type": "/Core/Hash", + "minCount": "0", + "maxCount": "*" + }, + "parameters": { + "type": "/Core/DictionaryEntry", + "minCount": "0", + "maxCount": "*" + }, + "buildStartTime": { + "type": "/Core/DateTime", + "minCount": "0", + "maxCount": "1" + }, + "buildEndTime": { + "type": "/Core/DateTime", + "minCount": "0", + "maxCount": "1" + }, + "environment": { + "type": "/Core/DictionaryEntry", + "minCount": "0", + "maxCount": "*" + } + }, + "externalPropertyRestrictions": {} + } + }, + "properties": { + "buildStartTime": { + "summary": "Property describing the start time of a build.", + "description": "buildStartTime is the time at which a build is triggered. The builder typically records this value.", + "metadata": { + "name": "buildStartTime", + "Nature": "DataProperty", + "Range": "/Core/DateTime", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Build/buildStartTime", + "Domain": [ + "Build" + ] + } + }, + "configSourceUri": { + "summary": "Property that describes the URI of the build configuration source file.", + "description": "If a build configuration exists for the toolchain or platform performing the build, the configSourceUri of a build is the URI of that build configuration. For example, a build triggered by a GitHub action is defined by a build configuration YAML file. In this case, the configSourceUri is the URL of that YAML file. \nm", + "metadata": { + "name": "configSourceUri", + "Nature": "DataProperty", + "Range": "xsd:anyURI", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Build/configSourceUri", + "Domain": [ + "Build" + ] + } + }, + "buildEndTime": { + "summary": "Property that describes the time at which a build stops.", + "description": "buildEndTime describes the time at which a build stops or finishes. This value is typically recorded by the builder.", + "metadata": { + "name": "buildEndTime", + "Nature": "DataProperty", + "Range": "/Core/DateTime", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Build/buildEndTime", + "Domain": [ + "Build" + ] + } + }, + "parameters": { + "summary": "Property describing the parameters used in an instance of a build.", + "description": "parameters is a key-value map of all build parameters and their values that were provided to the builder for a build instance. This is different from the [environment](environment.md) property in that the keys and values are provided as command line arguments or a configuration file to the builder.", + "metadata": { + "name": "parameters", + "Nature": "ObjectProperty", + "Range": "/Core/DictionaryEntry", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Build/parameters", + "Domain": [ + "Build" + ] + } + }, + "environment": { + "summary": "Property describing the session in which a build is invoked.", + "description": "environment is a map of environment variables and values that are set during a build session. This is different from the [parameters](parameters.md) property in that it describes the environment variables set before a build is invoked rather than the variables provided to the builder.", + "metadata": { + "name": "environment", + "Nature": "ObjectProperty", + "Range": "/Core/DictionaryEntry", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Build/environment", + "Domain": [ + "Build" + ] + } + }, + "configSourceDigest": { + "summary": "Property that describes the digest of the build configuration file used to invoke a build.", + "description": "configSourceDigest is the checksum of the build configuration file used by a builder to execute a build. This Property uses the Core model's [Hash](../../Core/Classes/Hash.md) class.", + "metadata": { + "name": "configSourceDigest", + "Nature": "ObjectProperty", + "Range": "/Core/Hash", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Build/configSourceDigest", + "Domain": [ + "Build" + ] + } + }, + "configSourceEntrypoint": { + "summary": "Property describes the invocation entrypoint of a build.", + "description": "A build entrypoint is the invoked executable of a build which always runs when the build is triggered. For example, when a build is triggered by running a shell script, the entrypoint is `script.sh`. In terms of a declared build, the entrypoint is the position in a configuration file or a build declaration which is always run when the build is triggered. For example, in the following configuration file, the entrypoint of the build is `publish`.\n\n```\nname: Publish packages to PyPI\n\non:\ncreate:\ntags: \"*\"\n\njobs:\npublish:\nruns-on: ubuntu-latest\nif: startsWith(github.ref, 'refs/tags/')\nsteps:\n\n...\n```", + "metadata": { + "name": "configSourceEntrypoint", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Build/configSourceEntrypoint", + "Domain": [ + "Build" + ] + } + }, + "buildId": { + "summary": "A buildId is a locally unique identifier used by a builder to identify a unique instance of a build produced by it.", + "description": "A buildId is a locally unique identifier to identify a unique instance of a build. This identifier differs based on build toolchain, platform, or naming convention used by an organization or standard.", + "metadata": { + "name": "buildId", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Build/buildId", + "Domain": [ + "Build" + ] + } + }, + "buildType": { + "summary": "A buildType is a hint that is used to indicate the toolchain, platform, or infrastructure that the build was invoked on.", + "description": "A buildType is a URI expressing the toolchain, platform, or infrastructure that the build was invoked on. For example, if the build was invoked on GitHub's CI platform using github actions, the buildType can be expressed as `https://github.com/actions`. In contrast, if the build was invoked on a local machine, the buildType can be expressed as `file://username@host/path/to/build`.", + "metadata": { + "name": "buildType", + "Nature": "DataProperty", + "Range": "xsd:anyURI", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Build/buildType", + "Domain": [ + "Build" + ] + } + } + }, + "vocabs": {} + }, + "Software": { + "name": "Software", + "classes": { + "Package": { + "summary": "Refers to any unit of content that can be associated with a distribution of software.", + "description": "A package refers to any unit of content that can be associated with a distribution of software.\nTypically, a package is composed of one or more files. \nAny of the following non-limiting examples may be (but are not required to be) represented in SPDX as a package:\n\n - a tarball, zip file or other archive\n - a directory or sub-directory\n - a separately distributed piece of software which another Package or File uses or depends upon (e.g., a Python package, a Go module, ...)\n - a container image, and/or each image layer within a container image\n - a collection of one or more sub-packages\n - a Git repository snapshot from a particular point in time\n\nNote that some of these could be represented in SPDX as a file as well.\nExternal property restriction on /Core/Element/name: minCount: 1", + "metadata": { + "name": "Package", + "SubclassOf": "/Software/SoftwareArtifact", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/Package" + }, + "properties": { + "packageVersion": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "downloadLocation": { + "type": "xsd:anyURI", + "minCount": "0", + "maxCount": "1" + }, + "packageUrl": { + "type": "xsd:anyURI", + "minCount": "0", + "maxCount": "1" + }, + "homePage": { + "type": "xsd:anyURI", + "minCount": "0", + "maxCount": "1" + }, + "sourceInfo": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": { + "/Core/Element/name": { + "minCount": "1", + "maxCount": "*" + } + } + }, + "File": { + "summary": "Refers to any object that stores content on a computer.", + "description": "Refers to any object that stores content on a computer.\nThe type of content can optionally be provided in the contentType property.\nExternal property restriction on /Core/Element/name: minCount: 1", + "metadata": { + "name": "File", + "SubclassOf": "/Software/SoftwareArtifact", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/File" + }, + "properties": { + "contentType": { + "type": "/Core/MediaType", + "minCount": "0", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": { + "/Core/Element/name": { + "minCount": "1", + "maxCount": "*" + } + } + }, + "Snippet": { + "summary": "Describes a certain part of a file.", + "description": "A Snippet describes a certain part of a file and can be used when the file is known to have some content\nthat has been included from another original source. Snippets are useful for denoting when part of a file\nmay have been originally created under another license or copied from a place with a known vulnerability.", + "metadata": { + "name": "Snippet", + "SubclassOf": "/Software/SoftwareArtifact", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/Snippet" + }, + "properties": { + "byteRange": { + "type": "/Core/PositiveIntegerRange", + "minCount": "0", + "maxCount": "1" + }, + "lineRange": { + "type": "/Core/PositiveIntegerRange", + "minCount": "0", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} + }, + "Sbom": { + "summary": "A collection of SPDX Elements describing a single package.", + "description": "A Software Bill of Materials (SBOM) is a collection of SPDX Elements describing a single package.\nThis could include details of the content and composition of the product,\nprovenance details of the product and/or\nits composition, licensing information, known quality or security issues, etc.", + "metadata": { + "name": "Sbom", + "SubclassOf": "/Core/Bom", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/Sbom" + }, + "properties": { + "sbomType": { + "type": "SbomType", + "minCount": "0", + "maxCount": "*" + } + }, + "externalPropertyRestrictions": {} + }, + "SoftwareArtifact": { + "summary": "A distinct article or unit related to Software.", + "description": "A software artifact is a distinct article or unit related to software\nsuch as a package, a file, or a snippet.", + "metadata": { + "name": "SoftwareArtifact", + "SubclassOf": "/Core/Artifact", + "Instantiability": "Abstract", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/SoftwareArtifact" + }, + "properties": { + "contentIdentifier": { + "type": "xsd:anyURI", + "minCount": "0", + "maxCount": "1" + }, + "primaryPurpose": { + "type": "SoftwarePurpose", + "minCount": "0", + "maxCount": "1" + }, + "additionalPurpose": { + "type": "SoftwarePurpose", + "minCount": "0", + "maxCount": "*" + }, + "concludedLicense": { + "type": "/Licensing/AnyLicenseInfo", + "minCount": "0", + "maxCount": "1" + }, + "declaredLicense": { + "type": "/Licensing/AnyLicenseInfo", + "minCount": "0", + "maxCount": "1" + }, + "copyrightText": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "attributionText": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} + }, + "SoftwareDependencyRelationship": { + "summary": "", + "description": "TODO", + "metadata": { + "name": "SoftwareDependencyRelationship", + "SubclassOf": "/Core/LifecycleScopedRelationship", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/SoftwareDependencyRelationship" + }, + "properties": { + "softwareLinkage": { + "type": "SoftwareDependencyLinkType", + "minCount": "0", + "maxCount": "1" + }, + "conditionality": { + "type": "DependencyConditionalityType", + "minCount": "0", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} + } + }, + "properties": { + "lineRange": { + "summary": "Defines the line range in the original host file that the snippet information applies to.", + "description": "This field defines the line range in the original host file that the snippet information applies to.\nIf there is a disagreement between the byte range and line range, the byte range values will take precedence.\nA range of lines is a convenient reference for those files where there is a known line delimiter. \nThe choice was made to start the numbering of the lines at 1 to be consistent with the W3C pointer method vocabulary.", + "metadata": { + "name": "lineRange", + "Nature": "DataProperty", + "Range": "/Core/PositiveIntegerRange", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/lineRange", + "Domain": [ + "Snippet" + ] + } + }, + "primaryPurpose": { + "summary": "Provides information about the primary purpose of the software artifact.", + "description": "primaryPurpose provides information about the primary purpose of the software artifact.", + "metadata": { + "name": "primaryPurpose", + "Nature": "ObjectProperty", + "Range": "SoftwarePurpose", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/primaryPurpose", + "Domain": [ + "SoftwareArtifact" + ] + } + }, + "packageVersion": { + "summary": "Identify the version of a package.", + "description": "A packageVersion is useful for identification purposes and for indicating later changes of the package version.", + "metadata": { + "name": "packageVersion", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/packageVersion", + "Domain": [ + "Package" + ] + } + }, + "conditionality": { + "summary": "TODO", + "description": "A conditionality is TODO", + "metadata": { + "name": "conditionality", + "Nature": "ObjectProperty", + "Range": "DependencyConditionalityType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/conditionality", + "Domain": [ + "SoftwareDependencyRelationship" + ] + } + }, + "sbomType": { + "summary": "Provides information about the type of an SBOM.", + "description": "This field is a reasonable estimation of the type of SBOM created from a creator perspective.\nIt is intended to be used to give guidance on the elements that may be contained within it.\nAligning with the guidance produced in [Types of Software Bill of Material (SBOM) Documents](https://www.cisa.gov/sites/default/files/2023-04/sbom-types-document-508c.pdf).", + "metadata": { + "name": "sbomType", + "Nature": "ObjectProperty", + "Range": "SbomType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/sbomType", + "Domain": [ + "Sbom" + ] + } + }, + "concludedLicense": { + "summary": "Identifies the license that that SPDX data creator has concluded as governing\nthe software Package, File or Snippet.", + "description": "A concludedLicense is the license identified by the SPDX data creator,\nbased on analyzing the license information in the software Package, File\nor Snippet and other information to arrive at a reasonably objective\nconclusion as to what license governs it.\n\nIf a concludedLicense has a NONE value (NoneLicense), this indicates that the\nSPDX data creator has looked and did not find any license information for this\nsoftware Package, File or Snippet.\n\nIf a concludedLicense has a NOASSERTION value (NoAssertionLicense), this\nindicates that one of the following applies:\n* the SPDX data creator has attempted to but cannot reach a reasonable\n objective determination;\n* the SPDX data creator has made no attempt to determine this field; or\n* the SPDX data creator has intentionally provided no information (no\n meaning should be implied by doing so).\n\nA written explanation of a NOASSERTION value (NoAssertionLicense) MAY be\nprovided in the licenseComment field.\n\nIf the concludedLicense for a software Package, File or Snippet is not the\nsame as its declaredLicense, a written explanation SHOULD be provided in\nthe licenseComment field.\n\nIf the declaredLicense for a software Package, File or Snippet is a choice\nof more than one license (e.g. a license expression combining two licenses\nthrough use of the `OR` operator), then the concludedLicense may either\nretain the license choice or identify which license was chosen.", + "metadata": { + "name": "concludedLicense", + "Nature": "ObjectProperty", + "Range": "/Licensing/AnyLicenseInfo", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/concludedLicense", + "Domain": [ + "SoftwareArtifact" + ] + } + }, + "sourceInfo": { + "summary": "Records any relevant background information or additional comments\nabout the origin of the package.", + "description": "SourceInfo records any relevant background information or additional comments\nabout the origin of the package. For example, this field might include comments \nindicating whether the package was pulled from a source code management system \nor has been repackaged. The creator can provide additional information to describe\nany anomalies or discoveries in the determination of the origin of the package.", + "metadata": { + "name": "sourceInfo", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/sourceInfo", + "Domain": [ + "Package" + ] + } + }, + "contentType": { + "summary": "Provides information about the content type of an Element.", + "description": "This field is a reasonable estimation of the content type of the Element, from a creator perspective.\nContent type is intrinsic to the Element, independent of how the Element is being used.", + "metadata": { + "name": "contentType", + "Nature": "DataProperty", + "Range": "/Core/MediaType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/contentType", + "Domain": [ + "File" + ] + } + }, + "declaredLicense": { + "summary": "Identifies the license information actually found in the software Package,\nFile or Snippet, for example as detected by use of automated tooling.", + "description": "A declaredLicense is the license identified in text in the software package,\nfile or snippet as the license declared by its authors.\n\nThis field is not intended to capture license information obtained from an\nexternal source, such as a package's website. Such information can be\nincluded, as needed, in a concludedLicense field.\n\nA declaredLicense may be expressed differently in practice for different\ntypes of artifacts. For example:\n\n* for Packages:\n * would include license info describing the license of the Package as a\n whole, when it is found in the Package itself (e.g., LICENSE file,\n README file, metadata in the repository, etc.)\n * would not include any license information that is not in the Package\n itself (e.g., license information from the project\u2019s website or from a\n third party repository or website)\n* for Files:\n * would include license info found in the File itself (e.g., license\n header or notice, comments, SPDX-License-Identifier expression)\n * would not include license info found in a different file (e.g., LICENSE\n file in the top directory of a repository)\n* for Snippets:\n * would include license info found in the Snippet itself (e.g., license\n notice, comments, SPDX-License-Identifier expression)\n * would not include license info found elsewhere in the File or in a\n different File (e.g., comment at top of File if it is not within the\n Snippet, LICENSE file in the top directory of a repository)\n\nIf a declaredLicense has a NONE value (NoneLicense), this indicates that the\ncorresponding Package, File or Snippet contains no license information\nwhatsoever.\n\nIf a declaredLicense has a NOASSERTION value (NoAssertionLicense), this\nindicates that one of the following applies:\n* the SPDX data creator has attempted to but cannot reach a reasonable\n objective determination;\n* the SPDX data creator has made no attempt to determine this field; or\n* the SPDX data creator has intentionally provided no information (no meaning\n should be implied by doing so).", + "metadata": { + "name": "declaredLicense", + "Nature": "ObjectProperty", + "Range": "/Licensing/AnyLicenseInfo", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/declaredLicense", + "Domain": [ + "SoftwareArtifact" + ] + } + }, + "additionalPurpose": { + "summary": "Provides additional purpose information of the software artifact.", + "description": "Additional purpose provides information about the additional purposes of the software artifact in addition to the primaryPurpose.", + "metadata": { + "name": "additionalPurpose", + "Nature": "ObjectProperty", + "Range": "SoftwarePurpose", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/additionalPurpose", + "Domain": [ + "SoftwareArtifact" + ] + } + }, + "attributionText": { + "summary": "Provides a place for the SPDX data creator to record acknowledgement text for\na software Package, File or Snippet.", + "description": "An attributionText for a software Package, File or Snippet provides a consumer\nof SPDX data with acknowledgement content, to assist redistributors of the\nPackage, File or Snippet with reproducing those acknowledgements.\n\nFor example, this field may include a statement that is required by a\nparticular license to be reproduced in end-user documentation, advertising\nmaterials, or another form.\n\nThis field may describe where, or in which contexts, the acknowledgements\nneed to be reproduced, but it is not required to do so. The SPDX data creator\nmay also explain elsewhere (such as in a licenseComment field) how they intend\nfor data in this field to be used.\n\nAn attributionText is is not meant to include the software Package, File or\nSnippet\u2019s actual complete license text (see concludedLicense to identify the\ncorresponding license).", + "metadata": { + "name": "attributionText", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/attributionText", + "Domain": [ + "SoftwareArtifact" + ] + } + }, + "homePage": { + "summary": "A place for the SPDX document creator to record a website that serves as the package's home page.", + "description": "HomePage is a place for the SPDX document creator to record a website that serves as the package's home page.\nThis saves the recipient of the SPDX document who is looking for more info from\nhaving to search for and verify a match between the package and the associated project home page.\nThis link can also be used to reference further information about the package\nreferenced by the SPDX document creator.", + "metadata": { + "name": "homePage", + "Nature": "DataProperty", + "Range": "xsd:anyURI", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/homePage", + "Domain": [ + "Package" + ] + } + }, + "contentIdentifier": { + "summary": "Provides a place to record the canonical, unique, immutable identifier for each software artifact using the artifact's gitoid.", + "description": "The contentIdentifier provides a canonical, unique, immutable artifact identifier for each software artifact. SPDX 3.0 describes software artifacts as Snippet, File, or Package Elements. The ContentIdentifier can be calculated for any software artifact and can be recorded for any of these SPDX 3.0 Elements using Omnibor, an attempt to standardize how software artifacts are identified independent of which programming language, version control system, build tool, package manager, or software distribution mechanism is in use. \n\nThe contentIdentifier is defined as the [Git Object Identifier](https://git-scm.com/book/en/v2/Git-Internals-Git-Objects) (gitoid) of type `blob` of the software artifact. The use of a git-based version control system is not necessary to calculate a contentIdentifier for any software artifact.\n\nThe gitoid is expressed in the ContentIdentifier property by using the IANA [gitoid URI scheme](https://www.iana.org/assignments/uri-schemes/prov/gitoid).\n\n```\nScheme syntax: gitoid\":\"\":\"\":\"\n```\n\nThe OmniBOR ID for the OmniBOR Document associated with a software artifact should not be recorded in this field. Rather, OmniBOR IDs should be recorded in the SPDX Element's ExternalIdentifier property. See [https://omnibor.io](https://omnibor.io) for more details.", + "metadata": { + "name": "contentIdentifier", + "Nature": "DataProperty", + "Range": "xsd:anyURI", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/contentIdentifier", + "Domain": [ + "SoftwareArtifact" + ] + } + }, + "copyrightText": { + "summary": "Identifies the text of one or more copyright notices for a software Package,\nFile or Snippet, if any.", + "description": "A copyrightText consists of the text(s) of the copyright notice(s) found\nfor a software Package, File or Snippet, if any.\n\nIf a copyrightText contains text, then it may contain any text related to\none or more copyright notices (even if not complete) for that software\nPackage, File or Snippet.\n\nIf a copyrightText has a \"NONE\" value, this indicates that the software\nPackage, File or Snippet contains no copyright notice whatsoever.\n\nIf a copyrightText has a \"NOASSERTION\" value, this indicates that one of the\nfollowing applies:\n* the SPDX data creator has attempted to but cannot reach a reasonable\n objective determination;\n* the SPDX data creator has made no attempt to determine this field; or\n* the SPDX data creator has intentionally provided no information (no\n meaning should be implied by doing so).", + "metadata": { + "name": "copyrightText", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/copyrightText", + "Domain": [ + "SoftwareArtifact" + ] + } + }, + "packageUrl": { + "summary": "Provides a place for the SPDX data creator to record the package URL string (in accordance with the [package URL spec](https://github.com/package-url/purl-spec/blob/master/PURL-SPECIFICATION.rst)) for a software Package.", + "description": "A packageUrl (commonly pronounced and referred to as \"purl\") is an attempt to standardize package representations in order to reliably identify and locate software packages. A purl is a URL string which represents a package in a mostly universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs and databases.\n\nthe purl URL string is defined by seven components:\n```\nscheme:type/namespace/name@version?qualifiers#subpath\n```\n\nThe definition for each component can be found in the [purl specification](https://github.com/package-url/purl-spec/blob/master/PURL-SPECIFICATION.rst). Components are designed such that they form a hierarchy from the most significant on the left to the least significant components on the right. \n\nParsing a purl string into its components works from left to right. Some extra type-specific normalizations are required. For more information, see [How to parse a purl string in its components](https://github.com/package-url/purl-spec/blob/master/PURL-SPECIFICATION.rst#how-to-parse-a-purl-string-in-its-components).", + "metadata": { + "name": "packageUrl", + "Nature": "DataProperty", + "Range": "xsd:anyURI", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/packageUrl", + "Domain": [ + "Package" + ] + } + }, + "byteRange": { + "summary": "Defines the byte range in the original host file that the snippet information applies to.", + "description": "This field defines the byte range in the original host file that the snippet information applies to.\nA range of bytes is independent of various formatting concerns, and the most accurate way \nof referring to the differences. The choice was made to start the numbering of \nthe byte range at 1 to be consistent with the W3C pointer method vocabulary.", + "metadata": { + "name": "byteRange", + "Nature": "DataProperty", + "Range": "/Core/PositiveIntegerRange", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/byteRange", + "Domain": [ + "Snippet" + ] + } + }, + "softwareLinkage": { + "summary": "TODO", + "description": "A softwareLinkage is TODO", + "metadata": { + "name": "softwareLinkage", + "Nature": "ObjectProperty", + "Range": "SoftwareDependencyLinkType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/softwareLinkage", + "Domain": [ + "SoftwareDependencyRelationship" + ] + } + }, + "downloadLocation": { + "summary": "Identifies the download Uniform Resource Identifier for the package at the time that the document was created.", + "description": "DownloadLocation identifies the download Uniform Resource Identifier \nfor the package at the time that the document was created.\nWhere and how to download the exact package being referenced \nis critical for verification and tracking data.", + "metadata": { + "name": "downloadLocation", + "Nature": "DataProperty", + "Range": "xsd:anyURI", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/downloadLocation", + "Domain": [ + "Package" + ] + } + } + }, + "vocabs": { + "DependencyConditionalityType": { + "summary": "TODO", + "description": "TODO", + "metadata": { + "name": "DependencyConditionalityType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/DependencyConditionalityType" + }, + "entries": { + "optional": "TODOdescription", + "required": "TODOdescription", + "provided": "TODOdescription", + "prerequisite": "TODOdescription", + "other": "TODOdescription" + } + }, + "SoftwarePurpose": { + "summary": "Provides information about the primary purpose of an Element.", + "description": "This field provides information about the primary purpose of an Element.\nSoftware Purpose is intrinsic to how the Element is being used rather than the content of the Element.\nThis field is a reasonable estimate of the most likely usage of the Element\nfrom the producer and consumer perspective from which both parties can draw conclusions\nabout the context in which the Element exists.", + "metadata": { + "name": "SoftwarePurpose", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose" + }, + "entries": { + "application": "the Element is a software application", + "archive": "the Element is an archived collection of one or more files (.tar, .zip, etc)", + "bom": "Element is a bill of materials", + "configuration": "Element is configuration data", + "container": "the Element is a container image which can be used by a container runtime application", + "data": "Element is data", + "device": "the Element refers to a chipset, processor, or electronic board", + "documentation": "Element is documentation", + "evidence": "the Element is the evidence that a specification or requirement has been fulfilled", + "executable": "Element is an Artifact that can be run on a computer", + "file": "the Element is a single file which can be independently distributed (configuration file, statically linked binary, Kubernetes deployment, etc)", + "firmware": "the Element provides low level control over a device's hardware", + "framework": "the Element is a software framework", + "install": "the Element is used to install software on disk", + "library": "the Element is a software library", + "manifest": "the Element is a software manifest", + "model": "the Element is a machine learning or artificial intelligence model", + "module": "the Element is a module of a piece of software", + "operatingSystem": "the Element is an operating system", + "other": "the Element doesn't fit into any of the other categories", + "patch": "Element contains a set of changes to update, fix, or improve another Element", + "requirement": "the Element provides a requirement needed as input for another Element", + "source": "the Element is a single or a collection of source files", + "specification": "the Element is a plan, guideline or strategy how to create, perform or analyse an application", + "test": "The Element is a test used to verify functionality on an software element" + } + }, + "SoftwareDependencyLinkType": { + "summary": "TODO", + "description": "TODO", + "metadata": { + "name": "SoftwareDependencyLinkType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/SoftwareDependencyLinkType" + }, + "entries": { + "static": "TODOdescription", + "dynamic": "TODOdescription", + "tool": "TODOdescription", + "other": "TODOdescription" + } + }, + "SbomType": { + "summary": "Provides a set of values to be used to describe the common types of SBOMs that tools may create.", + "description": "The set of SBOM types with definitions as defined in [Types of Software Bill of Material (SBOM) Documents](https://www.cisa.gov/sites/default/files/2023-04/sbom-types-document-508c.pdf), published on April 21, 2023. \nAn SBOM type describes the most likely type of an SBOM from the producer perspective, so that consumers can draw conclusions about the data inside an SBOM. A single SBOM can have multiple SBOM document types associated with it.", + "metadata": { + "name": "SbomType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/SbomType" + }, + "entries": { + "design": "SBOM of intended, planned software project or product with included components (some of which may not yet exist) for a new software artifact.", + "source": "SBOM created directly from the development environment, source files, and included dependencies used to build an product artifact.", + "build": "SBOM generated as part of the process of building the software to create a releasable artifact (e.g., executable or package) from data such as source files, dependencies, built components, build process ephemeral data, and other SBOMs.", + "deployed": "SBOM provides an inventory of software that is present on a system. This may be an assembly of other SBOMs that combines analysis of configuration options, and examination of execution behavior in a (potentially simulated) deployment environment.", + "runtime": "SBOM generated through instrumenting the system running the software, to capture only components present in the system, as well as external call-outs or dynamically loaded components. In some contexts, this may also be referred to as an \u201cInstrumented\u201d or \u201cDynamic\u201d SBOM.", + "analyzed": "SBOM generated through analysis of artifacts (e.g., executables, packages, containers, and virtual machine images) after its build. Such analysis generally requires a variety of heuristics. In some contexts, this may also be referred to as a \u201c3rd party\u201d SBOM." + } + } + } + }, + "SimpleLicensing": { + "name": "SimpleLicensing", + "classes": { + "SimpleLicensingText": { + "summary": "A license or addition that is not listed on the SPDX License List.", + "description": "A SimpleLicensingText represents a License or Addition that is not listed on the SPDX License\nList at https://spdx.org/licenses, and is therefore defined by an SPDX data\ncreator.", + "metadata": { + "name": "SimpleLicensingText", + "SubclassOf": "/Core/Element", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/SimpleLicensing/SimpleLicensingText" + }, + "properties": { + "licenseText": { + "type": "xsd:string", + "minCount": "1", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} + }, + "LicenseExpression": { + "summary": "An SPDX Element containing an SPDX license expression string.", + "description": "Often a single license can be used to represent the licensing terms of a source code or binary file, but there are situations where a single license identifier is not sufficient. A common example is when software is offered under a choice of one or more licenses (e.g., GPL-2.0-only OR BSD-3-Clause). Another example is when a set of licenses is needed to represent a binary program constructed by compiling and linking two (or more) different source files each governed by different licenses (e.g., LGPL-2.1-only AND BSD-3-Clause).\n\nSPDX License Expressions provide a way for one to construct expressions that more accurately represent the licensing terms typically found in open source software source code. A license expression could be a single license identifier found on the SPDX License List; a user defined license reference denoted by the LicenseRef-idString; a license identifier combined with an SPDX exception; or some combination of license identifiers, license references and exceptions constructed using a small set of defined operators (e.g., AND, OR, WITH and +). We provide the definition of what constitutes a valid an SPDX License Expression in this section.", + "metadata": { + "name": "LicenseExpression", + "SubclassOf": "AnyLicenseInfo", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/SimpleLicensing/LicenseExpression" + }, + "properties": { + "licenseExpression": { + "type": "xsd:string", + "minCount": "1", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} + }, + "AnyLicenseInfo": { + "summary": "Abstract class representing a license combination consisting of one or more\nlicenses (optionally including additional text), which may be combined\naccording to the SPDX license expression syntax.", + "description": "An AnyLicenseInfo is used by licensing properties of software artifacts.\nIt can be a NoneLicense, a NoAssertionLicense,\nsingle license (either on the SPDX License List or a custom-defined license);\na single license with an \"or later\" operator applied; the foregoing with\nadditional text applied; or a set of licenses combined by applying \"AND\" and\n\"OR\" operators recursively.", + "metadata": { + "name": "AnyLicenseInfo", + "SubclassOf": "/Core/Element", + "Instantiability": "Abstract", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/SimpleLicensing/AnyLicenseInfo" + }, + "properties": {}, + "externalPropertyRestrictions": {} + } + }, + "properties": { + "licenseText": { + "summary": "Identifies the full text of a License or Addition.", + "description": "A licenseText contains the plain text of the License or Addition,\nwithout templating or other similar markup.\n\nUsers of the licenseText for a License can apply the SPDX Matching Guidelines\nwhen comparing it to another text for matching purposes.", + "metadata": { + "name": "licenseText", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/SimpleLicensing/licenseText", + "Domain": [ + "SimpleLicensingText" + ] + } + }, + "licenseExpression": { + "summary": "A string in the license expression format.", + "description": "Often a single license can be used to represent the licensing terms of a source code or binary file, but there are situations where a single license identifier is not sufficient. A common example is when software is offered under a choice of one or more licenses (e.g., GPL-2.0-only OR BSD-3-Clause). Another example is when a set of licenses is needed to represent a binary program constructed by compiling and linking two (or more) different source files each governed by different licenses (e.g., LGPL-2.1-only AND BSD-3-Clause).\n\nSPDX License Expressions provide a way for one to construct expressions that more accurately represent the licensing terms typically found in open source software source code. A license expression could be a single license identifier found on the SPDX License List; a user defined license reference denoted by the LicenseRef-idString; a license identifier combined with an SPDX exception; or some combination of license identifiers, license references and exceptions constructed using a small set of defined operators (e.g., AND, OR, WITH and +). We provide the definition of what constitutes a valid an SPDX License Expression in this section.", + "metadata": { + "name": "licenseExpression", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/SimpleLicensing/licenseExpression", + "Domain": [ + "LicenseExpression" + ] + } + } + }, + "vocabs": {} + } +} \ No newline at end of file diff --git a/dev/model_gen/__init__.py b/dev/model_gen/__init__.py new file mode 100644 index 000000000..e69de29bb diff --git a/dev/model_gen/class_templates.py b/dev/model_gen/class_templates.py new file mode 100644 index 000000000..e5f3c14ec --- /dev/null +++ b/dev/model_gen/class_templates.py @@ -0,0 +1,32 @@ +# SPDX-FileCopyrightText: 2023 spdx contributors +# +# SPDX-License-Identifier: Apache-2.0 + +from .general_templates import FILE_HEADER + +CLS_FILE = FILE_HEADER + """{imports} +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class {typename}({parent}):{docstring} +{properties} +{constructor}""" + +CLS_IMPORTS = "from {module} import {types}\n" + +CLS_PROP = " {prop_name}: {prop_type}{default}{docstring}\n" + +CLS_INIT = """ def __init__( + self,{arguments} + ):{remaps} + check_types_and_set_values(self, locals()) +""" +CLS_INIT_ARG = "\n {prop_name}: {prop_type}," +CLS_INIT_ARG_OPT = "\n {prop_name}: {prop_type} = None," +CLS_INIT_REMAP = "\n {prop_name} = {default} if {prop_name} is None else {prop_name}" + +CLS_INIT_ABSTRACT = """ @abstractmethod + def __init__(self): + pass +""" diff --git a/dev/model_gen/gen_class.py b/dev/model_gen/gen_class.py new file mode 100644 index 000000000..51f709d07 --- /dev/null +++ b/dev/model_gen/gen_class.py @@ -0,0 +1,233 @@ +# SPDX-FileCopyrightText: 2023 spdx contributors +# +# SPDX-License-Identifier: Apache-2.0 +import logging +from dataclasses import dataclass + +from beartype.typing import Optional + +from spdx_tools.spdx.casing_tools import camel_case_to_snake_case + +from .class_templates import ( + CLS_FILE, + CLS_IMPORTS, + CLS_INIT, + CLS_INIT_ABSTRACT, + CLS_INIT_ARG, + CLS_INIT_ARG_OPT, + CLS_INIT_REMAP, + CLS_PROP, +) +from .utils import ( + SPECIAL_TYPE_MAPPINGS, + extract_parent_type, + get_file_path, + get_python_docstring, + get_qualified_name, + namespace_name_to_python, + prop_name_to_python, + split_qualified_name, + to_python_type, +) + +SPECIAL_PROPTYPE_MAPPINGS: dict[str, tuple[str, Optional[str]]] = { + # for the moment, we replace Element and Agent references with string references to their ID + # otherwise, there is a cyclic dependency between CreationInfo and Agent/Tool that is problematic to deal with + "Core/Agent": ("str", None), + "Core/Element": ("str", None), + "Core/Tool": ("str", None), +} + + +@dataclass +class Property: + name: str + type: str + optional: bool + is_list: bool + inherited: bool + + def get_python_type(self) -> str: + if self.type == "Core/DictionaryEntry": + return "Dict[str, Optional[str]]" + if self.type in SPECIAL_PROPTYPE_MAPPINGS: + prop_type = SPECIAL_PROPTYPE_MAPPINGS[self.type][0] + else: + prop_type = to_python_type(self.type) + if self.is_list: + prop_type = f"List[{prop_type}]" + elif self.optional: + prop_type = f"Optional[{prop_type}]" + return prop_type + + +class GenClassFromSpec: + cls: dict + model: dict + + typename: str + namespace: str + filename: str + file_path: str + parent_class: str + docstring: str + # module -> types + imports: dict[str, set[str]] + props: list[Property] + + def __init__(self, cls: dict, namespace: str, model: dict, output_dir: str): + self.cls = cls + self.namespace = namespace + self.model = model + self.imports = dict() + self.props = list() + + self.typename = cls["metadata"]["name"] + self.filename = camel_case_to_snake_case(self.typename) if self.typename != "AIPackage" else "ai_package" + parent_class = extract_parent_type(cls, namespace) + if not parent_class: + self.parent_class = "ABC" + self._add_import("abc", "ABC") + else: + self.parent_class = to_python_type(parent_class) + self._import_spdx_type(parent_class) + self.docstring = get_python_docstring(cls["description"], 4) + self.file_path = get_file_path(self.typename, namespace, output_dir) + + self._collect_props(self.cls, self.namespace, False) + + def _add_import(self, module: str, typename: str): + if module not in self.imports: + self.imports[module] = set() + self.imports[module].add(typename) + + def _import_spdx_type(self, typename: str): + if typename in SPECIAL_TYPE_MAPPINGS: + import_type, import_module = SPECIAL_TYPE_MAPPINGS[typename] + if import_module: + self._add_import(import_module, import_type) + return + if typename.startswith("xsd:"): + return + namespace, typename = split_qualified_name(typename) + module = camel_case_to_snake_case(typename) if typename != "AIPackage" else "ai_package" + python_path = f"..{namespace_name_to_python(namespace)}.{module}" + self._add_import(python_path, typename) + + def _find_prop(self, propname: str) -> Optional[Property]: + propname = prop_name_to_python(propname) + return next(filter(lambda p: prop_name_to_python(p.name) == propname, self.props), None) + + def _collect_props(self, cls: dict, namespace: str, is_parent: bool): + parent = extract_parent_type(cls, namespace) + if parent: + parent_namespace, parent_class = split_qualified_name(parent) + if parent_namespace in self.model and parent_class in self.model[parent_namespace]["classes"]: + self._collect_props(self.model[parent_namespace]["classes"][parent_class], parent_namespace, True) + + for propname, propinfo in cls["properties"].items(): + if self._find_prop(propname): + logging.warning("Class %s is redefining property %s from a parent class, ignoring", + cls["metadata"]["name"], propname) + continue + propname = get_qualified_name(propname, namespace) + proptype = get_qualified_name(propinfo["type"], namespace) + optional = "minCount" not in propinfo or propinfo["minCount"] == "0" + is_list = "maxCount" not in propinfo or propinfo["maxCount"] != "1" + prop = Property(propname, proptype, optional, is_list, is_parent) + self.props.append(prop) + + if "externalPropertyRestrictions" not in cls: + return + for propname, propinfo in cls["externalPropertyRestrictions"].items(): + prop = self._find_prop(propname) + if not prop: + continue + if "minCount" in propinfo: + prop.optional = prop.optional and propinfo["minCount"] == "0" + if "maxCount" in propinfo: + prop.is_list = prop.is_list and propinfo["maxCount"] != "1" + + def gen_file(self): + properties = self._gen_props() + constructor = self._gen_constructor() + # imports should be last, as we may add additional types to import during generation + imports = self._gen_imports() + with open(self.file_path, "w") as output_file: + output_file.write( + CLS_FILE.format(typename=self.typename, parent=self.parent_class, docstring=self.docstring, + properties=properties, imports=imports, constructor=constructor)) + + def _gen_imports(self) -> str: + imports = "" + for module in sorted(self.imports.keys()): + types = ", ".join(sorted(self.imports[module])) + imports += CLS_IMPORTS.format(module=module, types=types) + return imports + + def _import_prop_type(self, prop: Property): + if prop.type in SPECIAL_PROPTYPE_MAPPINGS: + import_type, import_module = SPECIAL_PROPTYPE_MAPPINGS[prop.type] + if import_module: + self._add_import(import_module, import_type) + else: + self._import_spdx_type(prop.type) + + if prop.type == "Core/DictionaryEntry": + self._add_import("beartype.typing", "Dict") + self._add_import("beartype.typing", "Optional") + elif prop.is_list: + self._add_import("beartype.typing", "List") + elif prop.optional: + self._add_import("beartype.typing", "Optional") + + def _gen_props(self) -> str: + code = "" + own_props = (prop for prop in self.props if not prop.inherited) + for prop in own_props: + name = prop_name_to_python(prop.name) + proptype = prop.get_python_type() + docstring = self._get_prop_docstring(prop.name) + self._import_prop_type(prop) + if prop.type == "Core/DictionaryType": + default = " = field(default_factory=dict)" + self._add_import("dataclasses", "field") + elif prop.is_list: + default = " = field(default_factory=list)" + self._add_import("dataclasses", "field") + else: + default = " = None" + code += CLS_PROP.format(prop_name=name, prop_type=proptype, default=default, docstring=docstring) + return code + + def _get_prop_docstring(self, name: str) -> str: + namespace, propname = split_qualified_name(name) + if namespace not in self.model or "properties" not in self.model[namespace]: + return "" + prop = self.model[namespace]["properties"].get(propname) + if not prop: + return "" + return get_python_docstring(prop["description"], 4) + + def _gen_constructor(self) -> str: + if self.cls["metadata"].get("Instantiability") == "Abstract": + self._add_import("abc", "abstractmethod") + return CLS_INIT_ABSTRACT + + self._add_import("spdx_tools.common.typing.type_checks", "check_types_and_set_values") + args = "" + remaps = "" + required_props = (prop for prop in self.props if not prop.optional) + optional_props = (prop for prop in self.props if prop.optional) + for prop in required_props: + self._import_prop_type(prop) + args += CLS_INIT_ARG.format(prop_name=prop_name_to_python(prop.name), prop_type=prop.get_python_type()) + for prop in optional_props: + self._import_prop_type(prop) + prop_name = prop_name_to_python(prop.name) + args += CLS_INIT_ARG_OPT.format(prop_name=prop_name, prop_type=prop.get_python_type()) + if prop.type == "Core/DictionaryEntry": + remaps += CLS_INIT_REMAP.format(prop_name=prop_name, default="{}") + elif prop.is_list: + remaps += CLS_INIT_REMAP.format(prop_name=prop_name, default="[]") + return CLS_INIT.format(arguments=args, remaps=remaps) diff --git a/dev/model_gen/general_templates.py b/dev/model_gen/general_templates.py new file mode 100644 index 000000000..067d5d119 --- /dev/null +++ b/dev/model_gen/general_templates.py @@ -0,0 +1,11 @@ +# SPDX-FileCopyrightText: 2023 spdx contributors +# +# SPDX-License-Identifier: Apache-2.0 + +FILE_HEADER = """# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +""" diff --git a/dev/model_gen/utils.py b/dev/model_gen/utils.py new file mode 100644 index 000000000..a745c2bc4 --- /dev/null +++ b/dev/model_gen/utils.py @@ -0,0 +1,103 @@ +# SPDX-FileCopyrightText: 2023 spdx contributors +# +# SPDX-License-Identifier: Apache-2.0 +import os +import textwrap + +import mistletoe +from beartype.typing import Optional +from mistletoe.markdown_renderer import MarkdownRenderer + +from spdx_tools.spdx.casing_tools import camel_case_to_snake_case + +SPECIAL_TYPE_MAPPINGS: dict[str, tuple[str, Optional[str]]] = { + "Core/DateTime": ("datetime", "datetime"), + "Core/DictionaryEntry": ("Dict[str, Optional[str]]", None), + "Core/Extension": ("str", None), + "Core/MediaType": ("str", None), + "Core/SemVer": ("Version", "semantic_version"), + "xsd:anyURI": ("str", None), + "xsd:boolean": ("bool", None), + "xsd:datetime": ("datetime", "datetime"), + "xsd:decimal": ("float", None), + "xsd:double": ("float", None), + "xsd:float": ("float", None), + "xsd:int": ("int", None), + "xsd:integer": ("int", None), + "xsd:negativeInteger": ("int", None), + "xsd:nonNegativeInteger": ("int", None), + "xsd:nonPositiveInteger": ("int", None), + "xsd:positiveInteger": ("int", None), + "xsd:string": ("str", None), +} + + +def prop_name_to_python(prop_name: str): + special_cases = {"from": "from_element", "homePage": "homepage"} + prop_name = get_short_prop_name(prop_name) + if prop_name in special_cases: + return special_cases[prop_name] + return camel_case_to_snake_case(prop_name) + + +def namespace_name_to_python(namespace_name: str): + special_cases = {"AI": "ai"} + if namespace_name in special_cases: + return special_cases[namespace_name] + return camel_case_to_snake_case(namespace_name) + + +def get_file_path(typename: str, namespace: str, output_dir: str) -> str: + namespace = namespace_name_to_python(namespace) + typename = camel_case_to_snake_case(typename) if typename != "AIPackage" else "ai_package" + return os.path.join(output_dir, namespace, f"{typename}.py") + + +def get_python_docstring(description: Optional[str], indent: int) -> str: + if not description: + return "" + + line_length = 119 - indent + with MarkdownRenderer(max_line_length=line_length) as renderer: + text = renderer.render(mistletoe.Document(description)) + text = '\n"""\n' + text + '"""' + return textwrap.indent(text, ' ' * indent) + + +def get_qualified_name(name: str, namespace: str): + if name.startswith('/'): + name = name[1:] + if name.startswith("xsd:"): + return name + if '/' in name: + return name + return f"{namespace}/{name}" + + +def split_qualified_name(typename: str) -> tuple[str, str]: + if '/' not in typename: + return "", typename + namespace, _, typename = typename.partition('/') + return namespace, typename + + +def to_python_type(typename: str) -> str: + if typename in SPECIAL_TYPE_MAPPINGS: + return SPECIAL_TYPE_MAPPINGS[typename][0] + if typename.startswith("xsd:"): + return "str" + _, typename = split_qualified_name(typename) + return typename + + +def extract_parent_type(cls: dict, namespace: str) -> Optional[str]: + parent_class = cls["metadata"].get("SubclassOf") or "none" + if parent_class == "none" or parent_class == "owl:Thing": + return None + return get_qualified_name(parent_class, namespace) + + +def get_short_prop_name(qualified_name: str) -> str: + if '/' not in qualified_name: + return qualified_name + return qualified_name[qualified_name.rindex('/') + 1:] diff --git a/dev/model_gen/vocab_templates.py b/dev/model_gen/vocab_templates.py new file mode 100644 index 000000000..2d1214bc0 --- /dev/null +++ b/dev/model_gen/vocab_templates.py @@ -0,0 +1,27 @@ +# SPDX-FileCopyrightText: 2023 spdx contributors +# +# SPDX-License-Identifier: Apache-2.0 + +from .general_templates import FILE_HEADER + +VOCAB_FILE = FILE_HEADER + """from beartype.typing import Optional +from enum import Enum, auto + + +class {typename}(Enum):{docstring} + +{values} + + def __str__(self) -> str: +{values_to_str} + return "unknown" + + @staticmethod + def from_str(value: str) -> Optional['{typename}']: +{str_to_values} + return None +""" + +VOCAB_ENTRY = " {value} = auto(){docstring}" +VOCAB_VALUE_TO_STR = " if self == {typename}.{python_value}:\n return \"{str_value}\"" +VOCAB_STR_TO_VALUE = " if value == \"{str_value}\":\n return {typename}.{python_value}" diff --git a/src/spdx_tools/spdx/casing_tools.py b/src/spdx_tools/spdx/casing_tools.py index c143cfd45..24a8b92e4 100644 --- a/src/spdx_tools/spdx/casing_tools.py +++ b/src/spdx_tools/spdx/casing_tools.py @@ -10,5 +10,5 @@ def snake_case_to_camel_case(snake_case_string: str) -> str: def camel_case_to_snake_case(camel_case_string: str) -> str: - snake_case_string = sub("(?!^)([A-Z]+)", r"_\1", camel_case_string).lower() + snake_case_string = sub("(?!^)-?([A-Z]+)", r"_\1", camel_case_string).lower() return snake_case_string diff --git a/src/spdx_tools/spdx3/new_model/__init__.py b/src/spdx_tools/spdx3/new_model/__init__.py new file mode 100644 index 000000000..31e22bb17 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/__init__.py @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from . import expanded_licensing, core, dataset, ai, security, build, software, simple_licensing +from .core import * diff --git a/src/spdx_tools/spdx3/new_model/ai/__init__.py b/src/spdx_tools/spdx3/new_model/ai/__init__.py new file mode 100644 index 000000000..b46705af6 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/ai/__init__.py @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from .ai_package import AIPackage +from .presence_type import PresenceType +from .safety_risk_assessment_type import SafetyRiskAssessmentType diff --git a/src/spdx_tools/spdx3/new_model/ai/ai_package.py b/src/spdx_tools/spdx3/new_model/ai/ai_package.py new file mode 100644 index 000000000..d557a7523 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/ai/ai_package.py @@ -0,0 +1,179 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from dataclasses import field +from datetime import datetime + +from beartype.typing import Dict, List, Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..ai.presence_type import PresenceType +from ..ai.safety_risk_assessment_type import SafetyRiskAssessmentType +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod +from ..licensing.any_license_info import AnyLicenseInfo +from ..software.package import Package +from ..software.software_purpose import SoftwarePurpose + + +@dataclass_with_properties +class AIPackage(Package): + """ + Metadata information that can be added to a package to describe an AI application or trained AI model. External + property restriction on /Core/Artifact/suppliedBy: minCount: 1 External property restriction on + /Software/Package/downloadLocation: minCount: 1 External property restriction on /Software/Package/packageVersion: + minCount: 1 External property restriction on /Software/SoftwareArtifact/primaryPurpose: minCount: 1 External + property restriction on /Core/Artifact/releaseTime: minCount: 1 + """ + + energy_consumption: Optional[str] = None + """ + EnergyConsumption captures the amount of energy needed to train and operate the AI model. This value is also known + as training energy consumption or inference energy consumption. + """ + standard_compliance: List[str] = field(default_factory=list) + """ + StandardCompliance captures a standard that the AI software complies with. This includes both published and + unpublished standards, for example ISO, IEEE, ETSI etc. The standard could (but not necessarily have to) be used to + satisfy a legal or regulatory requirement. + """ + limitation: Optional[str] = None + """ + Limitation captures a limitation of the AI Package (or of the AI models present in the AI package), expressed as + free form text. Note that this is not guaranteed to be exhaustive. For instance, a limitation might be that the AI + package cannot be used on datasets from a certain demography. + """ + type_of_model: List[str] = field(default_factory=list) + """ + TypeOfModel records the type of the AI model(s) used in the software. For instance, if it is a supervised model, + unsupervised model, reinforcement learning model or a combination of those. + """ + information_about_training: Optional[str] = None + """ + InformationAboutTraining describes the specific steps involved in the training of the AI model. For example, it can + be specified whether supervised fine-tuning or active learning is used as part of training the model. + """ + information_about_application: Optional[str] = None + """ + InformationAboutApplication describes any relevant information in free form text about how the AI model is used + inside the software, as well as any relevant pre-processing steps, third party APIs etc. + """ + hyperparameter: Dict[str, Optional[str]] = field(default_factory=list) + """ + This field records a hyperparameter value. Hyperparameters are parameters of the machine learning model that are + used to control the learning process, for example the optimization and learning rate used during the training of + the model. + """ + model_data_preprocessing: List[str] = field(default_factory=list) + """ + ModelDataPreprocessing is a free form text that describes the preprocessing steps applied to the training data + before training of the model(s) contained in the AI software. + """ + model_explainability: List[str] = field(default_factory=list) + """ + ModelExplainability is a free form text that lists the different explainability mechanisms (such as SHAP, or other + model specific explainability mechanisms) that can be used to explain the model. + """ + sensitive_personal_information: Optional[PresenceType] = None + """ + SensitivePersonalInformation notes if sensitive personal information is used in the training or inference of the AI + models. This might include biometric data, addresses or other data that can be used to infer a person's identity. + """ + metric_decision_threshold: Dict[str, Optional[str]] = field(default_factory=list) + """ + Each metric might be computed based on a decision threshold. For instance, precision or recall is typically + computed by checking if the probability of the outcome is larger than 0.5. Each decision threshold should match + with a metric field defined in the AI Package. + """ + metric: Dict[str, Optional[str]] = field(default_factory=list) + """ + Metric records the measurement with which the AI model was evaluated. This makes statements about the prediction + quality including uncertainty, accuracy, characteristics of the tested population, quality, fairness, + explainability, robustness etc. + """ + domain: List[str] = field(default_factory=list) + """ + Domain describes the domain in which the AI model contained in the AI software can be expected to operate + successfully. Examples include computer vision, natural language etc. + """ + autonomy_type: Optional[PresenceType] = None + """ + AutonomyType indicates if a human is involved in any of the decisions of the AI software or if that software is + fully automatic. + """ + safety_risk_assessment: Optional[SafetyRiskAssessmentType] = None + """ + SafetyRiskAssessment categorizes the safety risk impact of the AI software in accordance with Article 20 of [EC + Regulation No + 765/2008](https://ec.europa.eu/docsroom/documents/17107/attachments/1/translations/en/renditions/pdf). + """ + + def __init__( + self, + spdx_id: str, + name: str, + creation_info: CreationInfo, + supplied_by: List[str], + release_time: datetime, + primary_purpose: SoftwarePurpose, + package_version: str, + download_location: str, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: List[str] = None, + originated_by: List[str] = None, + built_time: Optional[datetime] = None, + valid_until_time: Optional[datetime] = None, + standard: List[str] = None, + content_identifier: Optional[str] = None, + additional_purpose: List[SoftwarePurpose] = None, + concluded_license: Optional[AnyLicenseInfo] = None, + declared_license: Optional[AnyLicenseInfo] = None, + copyright_text: Optional[str] = None, + attribution_text: Optional[str] = None, + package_url: Optional[str] = None, + homepage: Optional[str] = None, + source_info: Optional[str] = None, + energy_consumption: Optional[str] = None, + standard_compliance: List[str] = None, + limitation: Optional[str] = None, + type_of_model: List[str] = None, + information_about_training: Optional[str] = None, + information_about_application: Optional[str] = None, + hyperparameter: Dict[str, Optional[str]] = None, + model_data_preprocessing: List[str] = None, + model_explainability: List[str] = None, + sensitive_personal_information: Optional[PresenceType] = None, + metric_decision_threshold: Dict[str, Optional[str]] = None, + metric: Dict[str, Optional[str]] = None, + domain: List[str] = None, + autonomy_type: Optional[PresenceType] = None, + safety_risk_assessment: Optional[SafetyRiskAssessmentType] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension + originated_by = [] if originated_by is None else originated_by + standard = [] if standard is None else standard + additional_purpose = [] if additional_purpose is None else additional_purpose + standard_compliance = [] if standard_compliance is None else standard_compliance + type_of_model = [] if type_of_model is None else type_of_model + hyperparameter = {} if hyperparameter is None else hyperparameter + model_data_preprocessing = [] if model_data_preprocessing is None else model_data_preprocessing + model_explainability = [] if model_explainability is None else model_explainability + metric_decision_threshold = {} if metric_decision_threshold is None else metric_decision_threshold + metric = {} if metric is None else metric + domain = [] if domain is None else domain + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/ai/presence_type.py b/src/spdx_tools/spdx3/new_model/ai/presence_type.py new file mode 100644 index 000000000..c6fdb33ac --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/ai/presence_type.py @@ -0,0 +1,47 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from enum import Enum, auto + +from beartype.typing import Optional + + +class PresenceType(Enum): + """ + This type is used to indicate if a given field is present or absent or unknown. + """ + + YES = auto() + """ + Indicates presence of the field. + """ + NO = auto() + """ + Indicates absence of the field. + """ + NO_ASSERTION = auto() + """ + Makes no assertion about the field. + """ + + def __str__(self) -> str: + if self == PresenceType.YES: + return "yes" + if self == PresenceType.NO: + return "no" + if self == PresenceType.NO_ASSERTION: + return "noAssertion" + return "unknown" + + @staticmethod + def from_str(value: str) -> Optional["PresenceType"]: + if value == "yes": + return PresenceType.YES + if value == "no": + return PresenceType.NO + if value == "noAssertion": + return PresenceType.NO_ASSERTION + return None diff --git a/src/spdx_tools/spdx3/new_model/ai/safety_risk_assessment_type.py b/src/spdx_tools/spdx3/new_model/ai/safety_risk_assessment_type.py new file mode 100644 index 000000000..7073c4bc0 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/ai/safety_risk_assessment_type.py @@ -0,0 +1,57 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from enum import Enum, auto + +from beartype.typing import Optional + + +class SafetyRiskAssessmentType(Enum): + """ + Lists the different safety risk type values that can be used to describe the safety risk of AI software according + to [Article 20 of Regulation + 765/2008/EC](https://ec.europa.eu/docsroom/documents/17107/attachments/1/translations/en/renditions/pdf). + """ + + SERIOUS = auto() + """ + The highest level of risk posed by an AI software. + """ + HIGH = auto() + """ + The second-highest level of risk posed by an AI software. + """ + MEDIUM = auto() + """ + The third-highest level of risk posed by an AI software. + """ + LOW = auto() + """ + Low/no risk is posed by the AI software. + """ + + def __str__(self) -> str: + if self == SafetyRiskAssessmentType.SERIOUS: + return "serious" + if self == SafetyRiskAssessmentType.HIGH: + return "high" + if self == SafetyRiskAssessmentType.MEDIUM: + return "medium" + if self == SafetyRiskAssessmentType.LOW: + return "low" + return "unknown" + + @staticmethod + def from_str(value: str) -> Optional["SafetyRiskAssessmentType"]: + if value == "serious": + return SafetyRiskAssessmentType.SERIOUS + if value == "high": + return SafetyRiskAssessmentType.HIGH + if value == "medium": + return SafetyRiskAssessmentType.MEDIUM + if value == "low": + return SafetyRiskAssessmentType.LOW + return None diff --git a/src/spdx_tools/spdx3/new_model/build/__init__.py b/src/spdx_tools/spdx3/new_model/build/__init__.py new file mode 100644 index 000000000..71778e5e3 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/build/__init__.py @@ -0,0 +1,7 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from .build import Build diff --git a/src/spdx_tools/spdx3/new_model/build/build.py b/src/spdx_tools/spdx3/new_model/build/build.py new file mode 100644 index 000000000..f41d9ccb3 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/build/build.py @@ -0,0 +1,137 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from dataclasses import field +from datetime import datetime + +from beartype.typing import Dict, List, Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core.creation_info import CreationInfo +from ..core.element import Element +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.hash import Hash +from ..core.integrity_method import IntegrityMethod + + +@dataclass_with_properties +class Build(Element): + """ + A build is a representation of the process in which a piece of software or artifact is built. It encapsulates + information related to a build process and provides an element from which relationships can be created to describe + the build's inputs, outputs, and related entities (e.g. builders, identities, etc.). + + Definitions of "BuildType", "ConfigSource", "Parameters" and "Environment" follow those defined in [SLSA + provenance](https://slsa.dev/provenance/v0.2). + + ExternalIdentifier of type "urlScheme" may be used to identify build logs. In this case, the comment of the + ExternalIdentifier should be "LogReference". + + Note that buildStart and buildEnd are optional, and may be omitted to simplify creating reproducible builds. + """ + build_type: str = None + """ + A buildType is a URI expressing the toolchain, platform, or infrastructure that the build was invoked on. For + example, if the build was invoked on GitHub's CI platform using github actions, the buildType can be expressed as + `https://github.com/actions`. In contrast, if the build was invoked on a local machine, the buildType can be + expressed as `file://username@host/path/to/build`. + """ + build_id: Optional[str] = None + """ + A buildId is a locally unique identifier to identify a unique instance of a build. This identifier differs based on + build toolchain, platform, or naming convention used by an organization or standard. + """ + config_source_entrypoint: List[str] = field(default_factory=list) + """ + A build entrypoint is the invoked executable of a build which always runs when the build is triggered. For example, + when a build is triggered by running a shell script, the entrypoint is `script.sh`. In terms of a declared build, + the entrypoint is the position in a configuration file or a build declaration which is always run when the build is + triggered. For example, in the following configuration file, the entrypoint of the build is `publish`. + + ``` + name: Publish packages to PyPI + + on: + create: + tags: "*" + + jobs: + publish: + runs-on: ubuntu-latest + if: startsWith(github.ref, 'refs/tags/') + steps: + + ... + ``` + """ + config_source_uri: List[str] = field(default_factory=list) + """ + If a build configuration exists for the toolchain or platform performing the build, the configSourceUri of a build + is the URI of that build configuration. For example, a build triggered by a GitHub action is defined by a build + configuration YAML file. In this case, the configSourceUri is the URL of that YAML file. m + """ + config_source_digest: List[Hash] = field(default_factory=list) + """ + configSourceDigest is the checksum of the build configuration file used by a builder to execute a build. This + Property uses the Core model's [Hash](../../Core/Classes/Hash.md) class. + """ + parameters: Dict[str, Optional[str]] = field(default_factory=list) + """ + parameters is a key-value map of all build parameters and their values that were provided to the builder for a + build instance. This is different from the [environment](environment.md) property in that the keys and values are + provided as command line arguments or a configuration file to the builder. + """ + build_start_time: Optional[datetime] = None + """ + buildStartTime is the time at which a build is triggered. The builder typically records this value. + """ + build_end_time: Optional[datetime] = None + """ + buildEndTime describes the time at which a build stops or finishes. This value is typically recorded by the + builder. + """ + environment: Dict[str, Optional[str]] = field(default_factory=list) + """ + environment is a map of environment variables and values that are set during a build session. This is different + from the [parameters](parameters.md) property in that it describes the environment variables set before a build is + invoked rather than the variables provided to the builder. + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + build_type: str, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: List[str] = None, + build_id: Optional[str] = None, + config_source_entrypoint: List[str] = None, + config_source_uri: List[str] = None, + config_source_digest: List[Hash] = None, + parameters: Dict[str, Optional[str]] = None, + build_start_time: Optional[datetime] = None, + build_end_time: Optional[datetime] = None, + environment: Dict[str, Optional[str]] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension + config_source_entrypoint = [] if config_source_entrypoint is None else config_source_entrypoint + config_source_uri = [] if config_source_uri is None else config_source_uri + config_source_digest = [] if config_source_digest is None else config_source_digest + parameters = {} if parameters is None else parameters + environment = {} if environment is None else environment + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/__init__.py b/src/spdx_tools/spdx3/new_model/core/__init__.py new file mode 100644 index 000000000..ccb03b42c --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/__init__.py @@ -0,0 +1,35 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from .agent import Agent +from .annotation import Annotation +from .annotation_type import AnnotationType +from .artifact import Artifact +from .bom import Bom +from .bundle import Bundle +from .creation_info import CreationInfo +from .element import Element +from .element_collection import ElementCollection +from .external_identifier import ExternalIdentifier +from .external_identifier_type import ExternalIdentifierType +from .external_map import ExternalMap +from .external_reference import ExternalReference +from .external_reference_type import ExternalReferenceType +from .hash import Hash +from .hash_algorithm import HashAlgorithm +from .integrity_method import IntegrityMethod +from .lifecycle_scope_type import LifecycleScopeType +from .lifecycle_scoped_relationship import LifecycleScopedRelationship +from .organization import Organization +from .person import Person +from .positive_integer_range import PositiveIntegerRange +from .profile_identifier_type import ProfileIdentifierType +from .relationship import Relationship +from .relationship_completeness import RelationshipCompleteness +from .relationship_type import RelationshipType +from .software_agent import SoftwareAgent +from .spdx_document import SpdxDocument +from .tool import Tool diff --git a/src/spdx_tools/spdx3/new_model/core/agent.py b/src/spdx_tools/spdx3/new_model/core/agent.py new file mode 100644 index 000000000..e40870cd1 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/agent.py @@ -0,0 +1,43 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from beartype.typing import List, Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core.creation_info import CreationInfo +from ..core.element import Element +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod + + +@dataclass_with_properties +class Agent(Element): + """ + The Agent class represents anything that has the potential to act on a system. This could be a person, + organization, software agent, etc. This is not to be confused with tools that are used to perform tasks. + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: List[str] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/annotation.py b/src/spdx_tools/spdx3/new_model/core/annotation.py new file mode 100644 index 000000000..19019a21f --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/annotation.py @@ -0,0 +1,67 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from dataclasses import field + +from beartype.typing import List, Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core.annotation_type import AnnotationType +from ..core.creation_info import CreationInfo +from ..core.element import Element +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod + + +@dataclass_with_properties +class Annotation(Element): + """ + An Annotation is an assertion made in relation to one or more elements. + """ + + annotation_type: AnnotationType = None + """ + An annotationType describes the type of an annotation. + """ + content_type: List[str] = field(default_factory=list) + """ + ContentType specifies the media type of an Element. + """ + statement: Optional[str] = None + """ + A statement is a commentary on an assertion that an annotator has made. + """ + subject: str = None + """ + A subject is an Element an annotator has made an assertion about. + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + annotation_type: AnnotationType, + subject: str, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: List[str] = None, + content_type: List[str] = None, + statement: Optional[str] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension + content_type = [] if content_type is None else content_type + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/annotation_type.py b/src/spdx_tools/spdx3/new_model/core/annotation_type.py new file mode 100644 index 000000000..d93324a09 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/annotation_type.py @@ -0,0 +1,40 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from enum import Enum, auto + +from beartype.typing import Optional + + +class AnnotationType(Enum): + """ + AnnotationType specifies the type of an annotation. + """ + + OTHER = auto() + """ + Used to store extra information about an Element which is not part of a Review (e.g. extra information provided + during the creation of the Element). + """ + REVIEW = auto() + """ + Used when someone reviews the Element. + """ + + def __str__(self) -> str: + if self == AnnotationType.OTHER: + return "other" + if self == AnnotationType.REVIEW: + return "review" + return "unknown" + + @staticmethod + def from_str(value: str) -> Optional["AnnotationType"]: + if value == "other": + return AnnotationType.OTHER + if value == "review": + return AnnotationType.REVIEW + return None diff --git a/src/spdx_tools/spdx3/new_model/core/artifact.py b/src/spdx_tools/spdx3/new_model/core/artifact.py new file mode 100644 index 000000000..02fccc15d --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/artifact.py @@ -0,0 +1,53 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from abc import abstractmethod +from dataclasses import field +from datetime import datetime + +from beartype.typing import List, Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + +from ..core.element import Element + + +@dataclass_with_properties +class Artifact(Element): + """ + An artifact is a distinct article or unit within the digital domain, such as an electronic file, a software + package, a device or an element of data. + """ + + originated_by: List[str] = field(default_factory=list) + """ + OriginatedBy identifies from where or whom the Element originally came. + """ + supplied_by: List[str] = field(default_factory=list) + """ + Identify the actual distribution source for the Artifact being referenced. This might or might not be different + from the originating distribution source for the artifact. + """ + built_time: Optional[datetime] = None + """ + A builtTime specifies the time an artifact was built. + """ + release_time: Optional[datetime] = None + """ + A releaseTime specifies the time an artifact was released. + """ + valid_until_time: Optional[datetime] = None + """ + A validUntilTime specifies until when the artifact can be used before its usage needs to be reassessed. + """ + standard: List[str] = field(default_factory=list) + """ + Various standards may be relevant to useful to capture for specific artifacts. + """ + + @abstractmethod + def __init__(self): + pass diff --git a/src/spdx_tools/spdx3/new_model/core/bom.py b/src/spdx_tools/spdx3/new_model/core/bom.py new file mode 100644 index 000000000..68de8f951 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/bom.py @@ -0,0 +1,50 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from beartype.typing import List, Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core.bundle import Bundle +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_map import ExternalMap +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod + + +@dataclass_with_properties +class Bom(Bundle): + """ + A Bill Of Materials (BOM) is a container for a grouping of SPDX-3.0 content characterizing details about a product. + This could include details of the content and composition of the product, provenence details of the product and/or + its composition, licensing information, known quality or security issues, etc. + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + element: List[str], + root_element: List[str], + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: List[str] = None, + imports: List[ExternalMap] = None, + context: Optional[str] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension + imports = [] if imports is None else imports + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/bundle.py b/src/spdx_tools/spdx3/new_model/core/bundle.py new file mode 100644 index 000000000..a8e4a215e --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/bundle.py @@ -0,0 +1,54 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from beartype.typing import List, Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core.creation_info import CreationInfo +from ..core.element_collection import ElementCollection +from ..core.external_identifier import ExternalIdentifier +from ..core.external_map import ExternalMap +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod + + +@dataclass_with_properties +class Bundle(ElementCollection): + """ + A bundle is a collection of Elements that have a shared context. + """ + + context: Optional[str] = None + """ + A context gives information about the circumstances or unifying properties that Elements of the bundle have been + assembled under. + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + element: List[str], + root_element: List[str], + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: List[str] = None, + imports: List[ExternalMap] = None, + context: Optional[str] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension + imports = [] if imports is None else imports + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/creation_info.py b/src/spdx_tools/spdx3/new_model/core/creation_info.py new file mode 100644 index 000000000..4a55a552c --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/creation_info.py @@ -0,0 +1,97 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from abc import ABC +from dataclasses import field +from datetime import datetime + +from beartype.typing import List, Optional +from semantic_version import Version + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core.profile_identifier_type import ProfileIdentifierType + + +@dataclass_with_properties +class CreationInfo(ABC): + """ + The CreationInfo provides information about who created the Element, and when and how it was created. + + The dateTime created is often the date of last change (e.g., a git commit date), not the date when the SPDX data + was created, as doing so supports reproducible builds. + """ + + spec_version: Version = None + """ + The specVersion provides a reference number that can be used to understand how to parse and interpret an Element. + It will enable both future changes to the specification and to support backward compatibility. The major version + number shall be incremented when incompatible changes between versions are made (one or more sections are created, + modified or deleted). The minor version number shall be incremented when backwards compatible changes are made. + + Here, parties exchanging information in accordance with the SPDX specification need to provide 100% transparency as + to which SPDX specification version such information is conforming to. + """ + comment: Optional[str] = None + """ + A comment is an optional field for creators of the Element to provide comments to the readers/reviewers of the + document. + """ + created: Optional[datetime] = None + """ + Created is a date that identifies when the Element was originally created. The time stamp can serve as an + indication as to whether the analysis needs to be updated. This is often the date of last change (e.g., a git + commit date), not the date when the SPDX data was created, as doing so supports reproducible builds. + """ + created_by: List[str] = field(default_factory=list) + """ + CreatedBy identifies who or what created the Element. The generation method will assist the recipient of the + Element in assessing the general reliability/accuracy of the analysis information. + """ + created_using: List[str] = field(default_factory=list) + """ + CreatedUsing identifies the tooling that was used during the creation of the Element. The generation method will + assist the recipient of the Element in assessing the general reliability/accuracy of the analysis information. + """ + profile: List[ProfileIdentifierType] = field(default_factory=list) + """ + This field provides information about which profiles the Element belongs to. + """ + data_license: Optional[str] = None + """ + The data license provides the license under which the SPDX documentation of the Element can be used. This is to + alleviate any concern that content (the data or database) in an SPDX file is subject to any form of intellectual + property right that could restrict the re-use of the information or the creation of another SPDX file for the same + project(s). This approach avoids intellectual property and related restrictions over the SPDX file, however + individuals can still contract with each other to restrict release of specific collections of SPDX files (which map + to software bill of materials) and the identification of the supplier of SPDX files. Compliance with this document + includes populating the SPDX fields therein with data related to such fields ("SPDX-Metadata"). This document + contains numerous fields where an SPDX file creator may provide relevant explanatory text in SPDX-Metadata. Without + opining on the lawfulness of "database rights" (in jurisdictions where applicable), such explanatory text is + copyrightable subject matter in most Berne Convention countries. By using the SPDX specification, or any portion + hereof, you hereby agree that any copyright rights (as determined by your jurisdiction) in any SPDX-Metadata, + including without limitation explanatory text, shall be subject to the terms of the Creative Commons CC0 1.0 + Universal license. For SPDX-Metadata not containing any copyright rights, you hereby agree and acknowledge that the + SPDX-Metadata is provided to you “as-is” and without any representations or warranties of any kind concerning the + SPDX-Metadata, express, implied, statutory or otherwise, including without limitation warranties of title, + merchantability, fitness for a particular purpose, non-infringement, or the absence of latent or other defects, + accuracy, or the presence or absence of errors, whether or not discoverable, all to the greatest extent permissible + under applicable law. + """ + + def __init__( + self, + spec_version: Version, + created_by: List[str], + profile: List[ProfileIdentifierType], + comment: Optional[str] = None, + created: Optional[datetime] = None, + created_using: List[str] = None, + data_license: Optional[str] = None, + ): + created_using = [] if created_using is None else created_using + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/element.py b/src/spdx_tools/spdx3/new_model/core/element.py new file mode 100644 index 000000000..3939adbdf --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/element.py @@ -0,0 +1,81 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from abc import ABC, abstractmethod +from dataclasses import field + +from beartype.typing import List, Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod + + +@dataclass_with_properties +class Element(ABC): + """ + An Element is a representation of a fundamental concept either directly inherent to the Bill of Materials (BOM) + domain or indirectly related to the BOM domain and necessary for contextually characterizing BOM concepts and + relationships. Within SPDX-3.0 structure this is the base class acting as a consistent, unifying, and interoperable + foundation for all explicit and inter-relatable content objects. + """ + + spdx_id: str = None + """ + SpdxId uniquely identifies an Element which may thereby be referenced by other Elements. These references may be + internal or external. While there may be several versions of the same Element, each one needs to be able to be + referred to uniquely so that relationships between Elements can be clearly articulated. + """ + name: Optional[str] = None + """ + This field identifies the name of an Element as designated by the creator. The name of an Element is an important + convention and easier to refer to than the URI. + """ + summary: Optional[str] = None + """ + A summary is a short description of an Element. Here, the intent is to allow the Element creator to provide concise + information about the function or use of the Element. + """ + description: Optional[str] = None + """ + This field is a detailed description of the Element. It may also be extracted from the Element itself. The intent + is to provide recipients of the SPDX file with a detailed technical explanation of the functionality, anticipated + use, and anticipated implementation of the Element. This field may also include a description of improvements over + prior versions of the Element. + """ + comment: Optional[str] = None + """ + A comment is an optional field for creators of the Element to provide comments to the readers/reviewers of the + document. + """ + creation_info: CreationInfo = None + """ + CreationInfo provides information about the creation of the Element. + """ + verified_using: List[IntegrityMethod] = field(default_factory=list) + """ + VerifiedUsing provides an IntegrityMethod with which the integrity of an Element can be asserted. + """ + external_reference: List[ExternalReference] = field(default_factory=list) + """ + This field points to a resource outside the scope of the SPDX-3.0 content that provides additional characteristics + of an Element. + """ + external_identifier: List[ExternalIdentifier] = field(default_factory=list) + """ + ExternalIdentifier points to a resource outside the scope of SPDX-3.0 content that uniquely identifies an Element. + """ + extension: List[str] = field(default_factory=list) + """ + TODO + """ + + @abstractmethod + def __init__(self): + pass diff --git a/src/spdx_tools/spdx3/new_model/core/element_collection.py b/src/spdx_tools/spdx3/new_model/core/element_collection.py new file mode 100644 index 000000000..e1f874b51 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/element_collection.py @@ -0,0 +1,40 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from abc import abstractmethod +from dataclasses import field + +from beartype.typing import List + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + +from ..core.element import Element +from ..core.external_map import ExternalMap + + +@dataclass_with_properties +class ElementCollection(Element): + """ + An SpdxCollection is a collection of Elements, not necessarily with unifying context. + """ + + element: List[str] = field(default_factory=list) + """ + This field refers to one or more Elements that are part of an ElementCollection. + """ + root_element: List[str] = field(default_factory=list) + """ + A rootElement of a collection is the top level Element from which all other Elements are reached via relationships. + """ + imports: List[ExternalMap] = field(default_factory=list) + """ + Imports provides an ExternalMap of Element identifiers that are used within a document but defined external to that + document. + """ + + @abstractmethod + def __init__(self): + pass diff --git a/src/spdx_tools/spdx3/new_model/core/external_identifier.py b/src/spdx_tools/spdx3/new_model/core/external_identifier.py new file mode 100644 index 000000000..0e0e183c9 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/external_identifier.py @@ -0,0 +1,56 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from abc import ABC +from dataclasses import field + +from beartype.typing import List, Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core.external_identifier_type import ExternalIdentifierType + + +@dataclass_with_properties +class ExternalIdentifier(ABC): + """ + An ExternalIdentifier is a reference to a resource outside the scope of SPDX-3.0 content that uniquely identifies + an Element. + """ + + external_identifier_type: ExternalIdentifierType = None + """ + An externalIdentifierType specifies the type of the external identifier. + """ + identifier: str = None + """ + An identifier uniquely identifies an external element. + """ + comment: Optional[str] = None + """ + A comment is an optional field for creators of the Element to provide comments to the readers/reviewers of the + document. + """ + identifier_locator: List[str] = field(default_factory=list) + """ + A identifierLocator is TODO + """ + issuing_authority: Optional[str] = None + """ + A issuingAuthority is TODO + """ + + def __init__( + self, + external_identifier_type: ExternalIdentifierType, + identifier: str, + comment: Optional[str] = None, + identifier_locator: List[str] = None, + issuing_authority: Optional[str] = None, + ): + identifier_locator = [] if identifier_locator is None else identifier_locator + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/external_identifier_type.py b/src/spdx_tools/spdx3/new_model/core/external_identifier_type.py new file mode 100644 index 000000000..a39ce2d41 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/external_identifier_type.py @@ -0,0 +1,123 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from enum import Enum, auto + +from beartype.typing import Optional + + +class ExternalIdentifierType(Enum): + """ + ExteralIdentifierType specifies the type of an external identifier. + """ + + CPE22 = auto() + """ + https://cpe.mitre.org/files/cpe-specification_2.2.pdf + """ + CPE23 = auto() + """ + https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7695.pdf + """ + CVE = auto() + """ + An identifier for a specific software flaw defined within the official CVE Dictionary and that conforms to the CVE + specification as defined by https://csrc.nist.gov/glossary/term/cve_id. + """ + EMAIL = auto() + """ + https://datatracker.ietf.org/doc/html/rfc3696#section-3 + """ + GITOID = auto() + """ + https://www.iana.org/assignments/uri-schemes/prov/gitoid Gitoid stands for [Git Object + ID](https://git-scm.com/book/en/v2/Git-Internals-Git-Objects) and a gitoid of type blob is a unique hash of a + binary artifact. A gitoid may represent the software [Artifact + ID](https://github.com/omnibor/spec/blob/main/spec/SPEC.md#artifact-id) or the [OmniBOR + Identifier](https://github.com/omnibor/spec/blob/main/spec/SPEC.md#omnibor-identifier) for the software artifact's + associated [OmniBOR Document](https://github.com/omnibor/spec/blob/main/spec/SPEC.md#omnibor-document); this + ambiguity exists because the OmniBOR Document is itself an artifact, and the gitoid of that artifact is its valid + identifier. Omnibor is a minimalistic schema to describe software [Artifact Dependency + Graphs](https://github.com/omnibor/spec/blob/main/spec/SPEC.md#artifact-dependency-graph-adg). Gitoids calculated + on software artifacts (Snippet, File, or Package Elements) should be recorded in the SPDX 3.0 SoftwareArtifact's + ContentIdentifier property. Gitoids calculated on the OmniBOR Document (OmniBOR Identifiers) should be recorded in + the SPDX 3.0 Element's ExternalIdentifier property. + """ + OTHER = auto() + """ + Used when the type doesn't match any of the other options. + """ + PKG_URL = auto() + """ + https://github.com/package-url/purl-spec + """ + SECURITY_OTHER = auto() + """ + Used when there is a security related identifier of unspecified type. + """ + SWHID = auto() + """ + https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html + """ + SWID = auto() + """ + https://www.ietf.org/archive/id/draft-ietf-sacm-coswid-21.html#section-2.3 + """ + URL_SCHEME = auto() + """ + the scheme used in order to locate a resource https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml + """ + + def __str__(self) -> str: + if self == ExternalIdentifierType.CPE22: + return "cpe22" + if self == ExternalIdentifierType.CPE23: + return "cpe23" + if self == ExternalIdentifierType.CVE: + return "cve" + if self == ExternalIdentifierType.EMAIL: + return "email" + if self == ExternalIdentifierType.GITOID: + return "gitoid" + if self == ExternalIdentifierType.OTHER: + return "other" + if self == ExternalIdentifierType.PKG_URL: + return "pkgUrl" + if self == ExternalIdentifierType.SECURITY_OTHER: + return "securityOther" + if self == ExternalIdentifierType.SWHID: + return "swhid" + if self == ExternalIdentifierType.SWID: + return "swid" + if self == ExternalIdentifierType.URL_SCHEME: + return "urlScheme" + return "unknown" + + @staticmethod + def from_str(value: str) -> Optional["ExternalIdentifierType"]: + if value == "cpe22": + return ExternalIdentifierType.CPE22 + if value == "cpe23": + return ExternalIdentifierType.CPE23 + if value == "cve": + return ExternalIdentifierType.CVE + if value == "email": + return ExternalIdentifierType.EMAIL + if value == "gitoid": + return ExternalIdentifierType.GITOID + if value == "other": + return ExternalIdentifierType.OTHER + if value == "pkgUrl": + return ExternalIdentifierType.PKG_URL + if value == "securityOther": + return ExternalIdentifierType.SECURITY_OTHER + if value == "swhid": + return ExternalIdentifierType.SWHID + if value == "swid": + return ExternalIdentifierType.SWID + if value == "urlScheme": + return ExternalIdentifierType.URL_SCHEME + return None diff --git a/src/spdx_tools/spdx3/new_model/core/external_map.py b/src/spdx_tools/spdx3/new_model/core/external_map.py new file mode 100644 index 000000000..2045c661c --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/external_map.py @@ -0,0 +1,52 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from abc import ABC +from dataclasses import field + +from beartype.typing import List, Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core.integrity_method import IntegrityMethod + + +@dataclass_with_properties +class ExternalMap(ABC): + """ + An External Map is a map of Element identifiers that are used within a Document but defined external to that + Document. The external map provides details about the externally-defined Element such as its provenance, where to + retrieve it, and how to verify its integrity. + """ + + external_id: str = None + """ + ExternalId identifies an external Element used within a Document but defined external to that Document. + """ + verified_using: List[IntegrityMethod] = field(default_factory=list) + """ + VerifiedUsing provides an IntegrityMethod with which the integrity of an Element can be asserted. + """ + location_hint: Optional[str] = None + """ + A locationHint provides an indication of where to retrieve an external Element. + """ + defining_document: Optional[str] = None + """ + A definingDocument property is used to link an Element identifier to an SpdxDocument which contains the definition + for the Element. + """ + + def __init__( + self, + external_id: str, + verified_using: List[IntegrityMethod] = None, + location_hint: Optional[str] = None, + defining_document: Optional[str] = None, + ): + verified_using = [] if verified_using is None else verified_using + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/external_reference.py b/src/spdx_tools/spdx3/new_model/core/external_reference.py new file mode 100644 index 000000000..2b5ae8775 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/external_reference.py @@ -0,0 +1,51 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from abc import ABC +from dataclasses import field + +from beartype.typing import List, Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core.external_reference_type import ExternalReferenceType + + +@dataclass_with_properties +class ExternalReference(ABC): + """ + An External Reference points to a resource outside the scope of the SPDX-3.0 content that provides additional + characteristics of an Element. + """ + + external_reference_type: Optional[ExternalReferenceType] = None + """ + An externalReferenceType specifies the type of the external reference. + """ + locator: List[str] = field(default_factory=list) + """ + A locator provides the location of an external reference. + """ + content_type: Optional[str] = None + """ + ContentType specifies the media type of an Element. + """ + comment: Optional[str] = None + """ + A comment is an optional field for creators of the Element to provide comments to the readers/reviewers of the + document. + """ + + def __init__( + self, + external_reference_type: Optional[ExternalReferenceType] = None, + locator: List[str] = None, + content_type: Optional[str] = None, + comment: Optional[str] = None, + ): + locator = [] if locator is None else locator + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/external_reference_type.py b/src/spdx_tools/spdx3/new_model/core/external_reference_type.py new file mode 100644 index 000000000..e96545cd0 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/external_reference_type.py @@ -0,0 +1,360 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from enum import Enum, auto + +from beartype.typing import Optional + + +class ExternalReferenceType(Enum): + """ + ExteralReferenceType specifies the type of an external reference. + """ + + ALT_DOWNLOAD_LOCATION = auto() + """ + A reference to an alternative download location. + """ + ALT_WEB_PAGE = auto() + """ + A reference to an alternative web page. + """ + BINARY_ARTIFACT = auto() + """ + A reference to binary artifacts related to a package. + """ + BUILD_META = auto() + """ + A reference build metadata related to a published package. + """ + BUILD_SYSTEM = auto() + """ + A reference build system used to create or publish the package. + """ + CHAT = auto() + """ + A reference to the instant messaging system used by the maintainer for a package. + """ + CERTIFICATION_REPORT = auto() + """ + A reference to a certification report for a package from an accredited/independent body. + """ + COMPONENT_ANALYSIS_REPORT = auto() + """ + A reference to a Software Composition Analysis (SCA) report. + """ + DOCUMENTATION = auto() + """ + A reference to the documentation for a package. + """ + DYNAMIC_ANALYSIS_REPORT = auto() + """ + A reference to a dynamic analysis report for a package. + """ + EOL_NOTICE = auto() + """ + A reference to the End Of Sale (EOS) and/or End Of Life (EOL) information related to a package. + """ + EXPORT_CONTROL_ASSESSMENT = auto() + """ + A reference to a export control assessment for a package. + """ + FUNDING = auto() + """ + A reference to funding information related to a package. + """ + ISSUE_TRACKER = auto() + """ + A reference to the issue tracker for a package. + """ + MAILING_LIST = auto() + """ + A reference to the mailing list used by the maintainer for a package. + """ + METRICS = auto() + """ + A reference to metrics related to package such as OpenSSF scorecards. + """ + LICENSE = auto() + """ + A reference to additional license information related to an artifact. + """ + OTHER = auto() + """ + Used when the type doesn't match any of the other options. + """ + PRIVACY_ASSESSMENT = auto() + """ + A reference to a privacy assessment for a package. + """ + PRODUCT_METADATA = auto() + """ + A reference to additional product metadata such as reference within organization's product catalog. + """ + PURCHASE_ORDER = auto() + """ + A reference to a purchase order for a package. + """ + RELEASE_NOTES = auto() + """ + A reference to the release notes for a package. + """ + RELEASE_HISTORY = auto() + """ + A reference to a published list of releases for a package. + """ + RISK_ASSESSMENT = auto() + """ + A reference to a risk assessment for a package. + """ + RUNTIME_ANALYSIS_REPORT = auto() + """ + A reference to a runtime analysis report for a package. + """ + SECURE_SOFTWARE_ATTESTATION = auto() + """ + A reference to information assuring that the software is developed using security practices as defined by [NIST SP + 800-218 Secure Software Development Framework (SSDF)](https://csrc.nist.gov/publications/detail/sp/800-218/final) + or [CISA Secure Software Development Attestation + Form](https://www.cisa.gov/sites/default/files/2023-04/secure-software-self-attestation_common-form_508.pdf). + """ + SECURITY_ADVISORY = auto() + """ + A reference to a published security advisory (where advisory as defined per ISO 29147:2018) that may affect one or + more elements, e.g., vendor advisories or specific NVD entries. + """ + SECURITY_ADVERSARY_MODEL = auto() + """ + A reference to the security adversary model for a package. + """ + SECURITY_FIX = auto() + """ + A reference to the patch or source code that fixes a vulnerability. + """ + SECURITY_OTHER = auto() + """ + A reference to related security information of unspecified type. + """ + SECURITY_PEN_TEST_REPORT = auto() + """ + A reference to a [penetration test](https://en.wikipedia.org/wiki/Penetration_test) report for a package. + """ + SECURITY_POLICY = auto() + """ + A reference to instructions for reporting newly discovered security vulnerabilities for a package. + """ + SECURITY_THREAT_MODEL = auto() + """ + A reference the [security threat model](https://en.wikipedia.org/wiki/Threat_model) for a package. + """ + SOCIAL_MEDIA = auto() + """ + A reference to a social media channel for a package. + """ + SOURCE_ARTIFACT = auto() + """ + A reference to an artifact containing the sources for a package. + """ + STATIC_ANALYSIS_REPORT = auto() + """ + A reference to a static analysis report for a package. + """ + SUPPORT = auto() + """ + A reference to the software support channel or other support information for a package. + """ + VCS = auto() + """ + A reference to a version control system related to a software artifact. + """ + VULNERABILITY_DISCLOSURE_REPORT = auto() + """ + A reference to a Vulnerability Disclosure Report (VDR) which provides the software supplier's analysis and findings + describing the impact (or lack of impact) that reported vulnerabilities have on packages or products in the + supplier's SBOM as defined in [NIST SP 800-161](https://csrc.nist.gov/publications/detail/sp/800-161/rev-1/final). + """ + VULNERABILITY_EXPLOITABILITY_ASSESSMENT = auto() + """ + A reference to a Vulnerability Exploitability eXchange (VEX) statement which provides information on whether a + product is impacted by a specific vulnerability in an included package and, if affected, whether there are actions + recommended to remediate. See also [NTIA VEX + one-page](https://ntia.gov/files/ntia/publications/vex_one-page_summary.pdf).. + """ + QUALITY_ASSESSMENT_REPORT = auto() + """ + A reference to a quality assessment for a package. + """ + + def __str__(self) -> str: + if self == ExternalReferenceType.ALT_DOWNLOAD_LOCATION: + return "altDownloadLocation" + if self == ExternalReferenceType.ALT_WEB_PAGE: + return "altWebPage" + if self == ExternalReferenceType.BINARY_ARTIFACT: + return "binaryArtifact" + if self == ExternalReferenceType.BUILD_META: + return "buildMeta" + if self == ExternalReferenceType.BUILD_SYSTEM: + return "buildSystem" + if self == ExternalReferenceType.CHAT: + return "chat" + if self == ExternalReferenceType.CERTIFICATION_REPORT: + return "certificationReport" + if self == ExternalReferenceType.COMPONENT_ANALYSIS_REPORT: + return "componentAnalysisReport" + if self == ExternalReferenceType.DOCUMENTATION: + return "documentation" + if self == ExternalReferenceType.DYNAMIC_ANALYSIS_REPORT: + return "dynamicAnalysisReport" + if self == ExternalReferenceType.EOL_NOTICE: + return "eolNotice" + if self == ExternalReferenceType.EXPORT_CONTROL_ASSESSMENT: + return "exportControlAssessment" + if self == ExternalReferenceType.FUNDING: + return "funding" + if self == ExternalReferenceType.ISSUE_TRACKER: + return "issueTracker" + if self == ExternalReferenceType.MAILING_LIST: + return "mailingList" + if self == ExternalReferenceType.METRICS: + return "metrics" + if self == ExternalReferenceType.LICENSE: + return "license" + if self == ExternalReferenceType.OTHER: + return "other" + if self == ExternalReferenceType.PRIVACY_ASSESSMENT: + return "privacyAssessment" + if self == ExternalReferenceType.PRODUCT_METADATA: + return "productMetadata" + if self == ExternalReferenceType.PURCHASE_ORDER: + return "purchaseOrder" + if self == ExternalReferenceType.RELEASE_NOTES: + return "releaseNotes" + if self == ExternalReferenceType.RELEASE_HISTORY: + return "releaseHistory" + if self == ExternalReferenceType.RISK_ASSESSMENT: + return "riskAssessment" + if self == ExternalReferenceType.RUNTIME_ANALYSIS_REPORT: + return "runtimeAnalysisReport" + if self == ExternalReferenceType.SECURE_SOFTWARE_ATTESTATION: + return "secureSoftwareAttestation" + if self == ExternalReferenceType.SECURITY_ADVISORY: + return "securityAdvisory" + if self == ExternalReferenceType.SECURITY_ADVERSARY_MODEL: + return "securityAdversaryModel" + if self == ExternalReferenceType.SECURITY_FIX: + return "securityFix" + if self == ExternalReferenceType.SECURITY_OTHER: + return "securityOther" + if self == ExternalReferenceType.SECURITY_PEN_TEST_REPORT: + return "securityPenTestReport" + if self == ExternalReferenceType.SECURITY_POLICY: + return "securityPolicy" + if self == ExternalReferenceType.SECURITY_THREAT_MODEL: + return "securityThreatModel" + if self == ExternalReferenceType.SOCIAL_MEDIA: + return "socialMedia" + if self == ExternalReferenceType.SOURCE_ARTIFACT: + return "sourceArtifact" + if self == ExternalReferenceType.STATIC_ANALYSIS_REPORT: + return "staticAnalysisReport" + if self == ExternalReferenceType.SUPPORT: + return "support" + if self == ExternalReferenceType.VCS: + return "vcs" + if self == ExternalReferenceType.VULNERABILITY_DISCLOSURE_REPORT: + return "vulnerabilityDisclosureReport" + if self == ExternalReferenceType.VULNERABILITY_EXPLOITABILITY_ASSESSMENT: + return "vulnerabilityExploitabilityAssessment" + if self == ExternalReferenceType.QUALITY_ASSESSMENT_REPORT: + return "qualityAssessmentReport" + return "unknown" + + @staticmethod + def from_str(value: str) -> Optional["ExternalReferenceType"]: + if value == "altDownloadLocation": + return ExternalReferenceType.ALT_DOWNLOAD_LOCATION + if value == "altWebPage": + return ExternalReferenceType.ALT_WEB_PAGE + if value == "binaryArtifact": + return ExternalReferenceType.BINARY_ARTIFACT + if value == "buildMeta": + return ExternalReferenceType.BUILD_META + if value == "buildSystem": + return ExternalReferenceType.BUILD_SYSTEM + if value == "chat": + return ExternalReferenceType.CHAT + if value == "certificationReport": + return ExternalReferenceType.CERTIFICATION_REPORT + if value == "componentAnalysisReport": + return ExternalReferenceType.COMPONENT_ANALYSIS_REPORT + if value == "documentation": + return ExternalReferenceType.DOCUMENTATION + if value == "dynamicAnalysisReport": + return ExternalReferenceType.DYNAMIC_ANALYSIS_REPORT + if value == "eolNotice": + return ExternalReferenceType.EOL_NOTICE + if value == "exportControlAssessment": + return ExternalReferenceType.EXPORT_CONTROL_ASSESSMENT + if value == "funding": + return ExternalReferenceType.FUNDING + if value == "issueTracker": + return ExternalReferenceType.ISSUE_TRACKER + if value == "mailingList": + return ExternalReferenceType.MAILING_LIST + if value == "metrics": + return ExternalReferenceType.METRICS + if value == "license": + return ExternalReferenceType.LICENSE + if value == "other": + return ExternalReferenceType.OTHER + if value == "privacyAssessment": + return ExternalReferenceType.PRIVACY_ASSESSMENT + if value == "productMetadata": + return ExternalReferenceType.PRODUCT_METADATA + if value == "purchaseOrder": + return ExternalReferenceType.PURCHASE_ORDER + if value == "releaseNotes": + return ExternalReferenceType.RELEASE_NOTES + if value == "releaseHistory": + return ExternalReferenceType.RELEASE_HISTORY + if value == "riskAssessment": + return ExternalReferenceType.RISK_ASSESSMENT + if value == "runtimeAnalysisReport": + return ExternalReferenceType.RUNTIME_ANALYSIS_REPORT + if value == "secureSoftwareAttestation": + return ExternalReferenceType.SECURE_SOFTWARE_ATTESTATION + if value == "securityAdvisory": + return ExternalReferenceType.SECURITY_ADVISORY + if value == "securityAdversaryModel": + return ExternalReferenceType.SECURITY_ADVERSARY_MODEL + if value == "securityFix": + return ExternalReferenceType.SECURITY_FIX + if value == "securityOther": + return ExternalReferenceType.SECURITY_OTHER + if value == "securityPenTestReport": + return ExternalReferenceType.SECURITY_PEN_TEST_REPORT + if value == "securityPolicy": + return ExternalReferenceType.SECURITY_POLICY + if value == "securityThreatModel": + return ExternalReferenceType.SECURITY_THREAT_MODEL + if value == "socialMedia": + return ExternalReferenceType.SOCIAL_MEDIA + if value == "sourceArtifact": + return ExternalReferenceType.SOURCE_ARTIFACT + if value == "staticAnalysisReport": + return ExternalReferenceType.STATIC_ANALYSIS_REPORT + if value == "support": + return ExternalReferenceType.SUPPORT + if value == "vcs": + return ExternalReferenceType.VCS + if value == "vulnerabilityDisclosureReport": + return ExternalReferenceType.VULNERABILITY_DISCLOSURE_REPORT + if value == "vulnerabilityExploitabilityAssessment": + return ExternalReferenceType.VULNERABILITY_EXPLOITABILITY_ASSESSMENT + if value == "qualityAssessmentReport": + return ExternalReferenceType.QUALITY_ASSESSMENT_REPORT + return None diff --git a/src/spdx_tools/spdx3/new_model/core/hash.py b/src/spdx_tools/spdx3/new_model/core/hash.py new file mode 100644 index 000000000..1889b254c --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/hash.py @@ -0,0 +1,39 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from beartype.typing import Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core.hash_algorithm import HashAlgorithm +from ..core.integrity_method import IntegrityMethod + + +@dataclass_with_properties +class Hash(IntegrityMethod): + """ + A hash is a grouping of characteristics unique to the result of applying a mathematical algorithm that maps data of + arbitrary size to a bit string (the hash) and is a one-way function, that is, a function which is practically + infeasible to invert. This is commonly used for integrity checking of data. + """ + + algorithm: HashAlgorithm = None + """ + An algorithm specifies the algorithm that was used for calculating the hash value. + """ + hash_value: str = None + """ + HashValue is the result of applying a hash algorithm to an Element. + """ + + def __init__( + self, + algorithm: HashAlgorithm, + hash_value: str, + comment: Optional[str] = None, + ): + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/hash_algorithm.py b/src/spdx_tools/spdx3/new_model/core/hash_algorithm.py new file mode 100644 index 000000000..611ab3e09 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/hash_algorithm.py @@ -0,0 +1,217 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from enum import Enum, auto + +from beartype.typing import Optional + + +class HashAlgorithm(Enum): + """ + A HashAlgorithm is a mathematical algorithm that maps data of arbitrary size to a bit string (the hash) and is a + one-way function, that is, a function which is practically infeasible to invert. + """ + + BLAKE2B256 = auto() + """ + blake2b algorithm with a digest size of 256 https://datatracker.ietf.org/doc/html/rfc7693#section-4 + """ + BLAKE2B384 = auto() + """ + blake2b algorithm with a digest size of 384 https://datatracker.ietf.org/doc/html/rfc7693#section-4 + """ + BLAKE2B512 = auto() + """ + blake2b algorithm with a digest size of 512 https://datatracker.ietf.org/doc/html/rfc7693#section-4 + """ + BLAKE3 = auto() + """ + https://github.com/BLAKE3-team/BLAKE3-specs/blob/master/blake3.pdf + """ + CRYSTALS_KYBER = auto() + """ + https://pq-crystals.org/kyber/index.shtml + """ + CRYSTALS_DILITHIUM = auto() + """ + https://pq-crystals.org/dilithium/index.shtml + """ + FALCON = auto() + """ + https://falcon-sign.info/falcon.pdf + """ + MD2 = auto() + """ + https://datatracker.ietf.org/doc/rfc1319/ + """ + MD4 = auto() + """ + https://datatracker.ietf.org/doc/html/rfc1186 + """ + MD5 = auto() + """ + https://datatracker.ietf.org/doc/html/rfc1321 + """ + MD6 = auto() + """ + https://people.csail.mit.edu/rivest/pubs/RABCx08.pdf + """ + OTHER = auto() + """ + any hashing algorithm that does not exist in this list of entries + """ + SHA1 = auto() + """ + https://datatracker.ietf.org/doc/html/rfc3174 + """ + SHA224 = auto() + """ + secure hashing algorithm with a digest length of 224 + https://datatracker.ietf.org/doc/html/draft-ietf-pkix-sha224-01 + """ + SHA256 = auto() + """ + secure hashing algorithm with a digest length of 256 https://www.rfc-editor.org/rfc/rfc4634 + """ + SHA3_224 = auto() + """ + sha3 with a digest length of 224 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf + """ + SHA3_256 = auto() + """ + sha3 with a digest length of 256 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf + """ + SHA3_384 = auto() + """ + sha3 with a digest length of 384 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf + """ + SHA3_512 = auto() + """ + sha3 with a digest length of 512 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf + """ + SHA384 = auto() + """ + secure hashing algorithm with a digest length of 384 https://www.rfc-editor.org/rfc/rfc4634 + """ + SHA512 = auto() + """ + secure hashing algorithm with a digest length of 512 https://www.rfc-editor.org/rfc/rfc4634 + """ + SPDX_PVC_SHA1 = auto() + """ + TODOdescription + """ + SPDX_PVC_SHA256 = auto() + """ + TODOdescription + """ + SPHINCS_PLUS = auto() + """ + TODOdescription + """ + + def __str__(self) -> str: + if self == HashAlgorithm.BLAKE2B256: + return "blake2b256" + if self == HashAlgorithm.BLAKE2B384: + return "blake2b384" + if self == HashAlgorithm.BLAKE2B512: + return "blake2b512" + if self == HashAlgorithm.BLAKE3: + return "blake3" + if self == HashAlgorithm.CRYSTALS_KYBER: + return "crystalsKyber" + if self == HashAlgorithm.CRYSTALS_DILITHIUM: + return "crystalsDilithium" + if self == HashAlgorithm.FALCON: + return "falcon" + if self == HashAlgorithm.MD2: + return "md2" + if self == HashAlgorithm.MD4: + return "md4" + if self == HashAlgorithm.MD5: + return "md5" + if self == HashAlgorithm.MD6: + return "md6" + if self == HashAlgorithm.OTHER: + return "other" + if self == HashAlgorithm.SHA1: + return "sha1" + if self == HashAlgorithm.SHA224: + return "sha224" + if self == HashAlgorithm.SHA256: + return "sha256" + if self == HashAlgorithm.SHA3_224: + return "sha3_224" + if self == HashAlgorithm.SHA3_256: + return "sha3_256" + if self == HashAlgorithm.SHA3_384: + return "sha3_384" + if self == HashAlgorithm.SHA3_512: + return "sha3_512" + if self == HashAlgorithm.SHA384: + return "sha384" + if self == HashAlgorithm.SHA512: + return "sha512" + if self == HashAlgorithm.SPDX_PVC_SHA1: + return "spdxPvcSha1" + if self == HashAlgorithm.SPDX_PVC_SHA256: + return "spdxPvcSha256" + if self == HashAlgorithm.SPHINCS_PLUS: + return "sphincsPlus" + return "unknown" + + @staticmethod + def from_str(value: str) -> Optional["HashAlgorithm"]: + if value == "blake2b256": + return HashAlgorithm.BLAKE2B256 + if value == "blake2b384": + return HashAlgorithm.BLAKE2B384 + if value == "blake2b512": + return HashAlgorithm.BLAKE2B512 + if value == "blake3": + return HashAlgorithm.BLAKE3 + if value == "crystalsKyber": + return HashAlgorithm.CRYSTALS_KYBER + if value == "crystalsDilithium": + return HashAlgorithm.CRYSTALS_DILITHIUM + if value == "falcon": + return HashAlgorithm.FALCON + if value == "md2": + return HashAlgorithm.MD2 + if value == "md4": + return HashAlgorithm.MD4 + if value == "md5": + return HashAlgorithm.MD5 + if value == "md6": + return HashAlgorithm.MD6 + if value == "other": + return HashAlgorithm.OTHER + if value == "sha1": + return HashAlgorithm.SHA1 + if value == "sha224": + return HashAlgorithm.SHA224 + if value == "sha256": + return HashAlgorithm.SHA256 + if value == "sha3_224": + return HashAlgorithm.SHA3_224 + if value == "sha3_256": + return HashAlgorithm.SHA3_256 + if value == "sha3_384": + return HashAlgorithm.SHA3_384 + if value == "sha3_512": + return HashAlgorithm.SHA3_512 + if value == "sha384": + return HashAlgorithm.SHA384 + if value == "sha512": + return HashAlgorithm.SHA512 + if value == "spdxPvcSha1": + return HashAlgorithm.SPDX_PVC_SHA1 + if value == "spdxPvcSha256": + return HashAlgorithm.SPDX_PVC_SHA256 + if value == "sphincsPlus": + return HashAlgorithm.SPHINCS_PLUS + return None diff --git a/src/spdx_tools/spdx3/new_model/core/integrity_method.py b/src/spdx_tools/spdx3/new_model/core/integrity_method.py new file mode 100644 index 000000000..c0dcca0ea --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/integrity_method.py @@ -0,0 +1,31 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from abc import ABC, abstractmethod + +from beartype.typing import Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class IntegrityMethod(ABC): + """ + An IntegrityMethod provides an independently reproducible mechanism that permits verification of a specific Element + that correlates to the data in this SPDX document. This identifier enables a recipient to determine if anything in + the original Element has been changed and eliminates confusion over which version or modification of a specific + Element is referenced. + """ + + comment: Optional[str] = None + """ + A comment is an optional field for creators of the Element to provide comments to the readers/reviewers of the + document. + """ + + @abstractmethod + def __init__(self): + pass diff --git a/src/spdx_tools/spdx3/new_model/core/lifecycle_scope_type.py b/src/spdx_tools/spdx3/new_model/core/lifecycle_scope_type.py new file mode 100644 index 000000000..9325e1aff --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/lifecycle_scope_type.py @@ -0,0 +1,71 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from enum import Enum, auto + +from beartype.typing import Optional + + +class LifecycleScopeType(Enum): + """ + TODO + """ + + DESIGN = auto() + """ + TODOdescription + """ + BUILD = auto() + """ + TODOdescription + """ + DEVELOPMENT = auto() + """ + TODOdescription + """ + TEST = auto() + """ + TODOdescription + """ + RUNTIME = auto() + """ + TODOdescription + """ + OTHER = auto() + """ + TODOdescription + """ + + def __str__(self) -> str: + if self == LifecycleScopeType.DESIGN: + return "design" + if self == LifecycleScopeType.BUILD: + return "build" + if self == LifecycleScopeType.DEVELOPMENT: + return "development" + if self == LifecycleScopeType.TEST: + return "test" + if self == LifecycleScopeType.RUNTIME: + return "runtime" + if self == LifecycleScopeType.OTHER: + return "other" + return "unknown" + + @staticmethod + def from_str(value: str) -> Optional["LifecycleScopeType"]: + if value == "design": + return LifecycleScopeType.DESIGN + if value == "build": + return LifecycleScopeType.BUILD + if value == "development": + return LifecycleScopeType.DEVELOPMENT + if value == "test": + return LifecycleScopeType.TEST + if value == "runtime": + return LifecycleScopeType.RUNTIME + if value == "other": + return LifecycleScopeType.OTHER + return None diff --git a/src/spdx_tools/spdx3/new_model/core/lifecycle_scoped_relationship.py b/src/spdx_tools/spdx3/new_model/core/lifecycle_scoped_relationship.py new file mode 100644 index 000000000..27cb1cc24 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/lifecycle_scoped_relationship.py @@ -0,0 +1,60 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from datetime import datetime + +from beartype.typing import List, Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod +from ..core.lifecycle_scope_type import LifecycleScopeType +from ..core.relationship import Relationship +from ..core.relationship_completeness import RelationshipCompleteness +from ..core.relationship_type import RelationshipType + + +@dataclass_with_properties +class LifecycleScopedRelationship(Relationship): + """ + TODO + """ + + scope: Optional[LifecycleScopeType] = None + """ + A scope is TODO + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + from_element: str, + relationship_type: RelationshipType, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: List[str] = None, + to: List[str] = None, + completeness: Optional[RelationshipCompleteness] = None, + start_time: Optional[datetime] = None, + end_time: Optional[datetime] = None, + scope: Optional[LifecycleScopeType] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension + to = [] if to is None else to + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/organization.py b/src/spdx_tools/spdx3/new_model/core/organization.py new file mode 100644 index 000000000..f9237dcab --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/organization.py @@ -0,0 +1,42 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from beartype.typing import List, Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core.agent import Agent +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod + + +@dataclass_with_properties +class Organization(Agent): + """ + An Organization is a group of people who work together in an organized way for a shared purpose. + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: List[str] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/person.py b/src/spdx_tools/spdx3/new_model/core/person.py new file mode 100644 index 000000000..5a729873c --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/person.py @@ -0,0 +1,42 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from beartype.typing import List, Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core.agent import Agent +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod + + +@dataclass_with_properties +class Person(Agent): + """ + A Person is an individual human being. + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: List[str] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/positive_integer_range.py b/src/spdx_tools/spdx3/new_model/core/positive_integer_range.py new file mode 100644 index 000000000..652eb3eb9 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/positive_integer_range.py @@ -0,0 +1,34 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from abc import ABC + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + + +@dataclass_with_properties +class PositiveIntegerRange(ABC): + """ + PositiveIntegerRange is a tuple of two positive integers that define a range. "begin" must be less than or equal to + "end". + """ + + begin: int = None + """ + begin is a positive integer that defines the beginning of a range. + """ + end: int = None + """ + end is a positive integer that defines the end of a range. + """ + + def __init__( + self, + begin: int, + end: int, + ): + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/profile_identifier_type.py b/src/spdx_tools/spdx3/new_model/core/profile_identifier_type.py new file mode 100644 index 000000000..e40539360 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/profile_identifier_type.py @@ -0,0 +1,104 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from enum import Enum, auto + +from beartype.typing import Optional + + +class ProfileIdentifierType(Enum): + """ + There are a set of profiles that have been defined to be valid for a specific release This file enumerates the + values that have been agreed on, and may be applied to the creation information for an an element. + """ + + CORE = auto() + """ + the element follows the Core profile specification + """ + SOFTWARE = auto() + """ + the element follows the Software profile specification + """ + SIMPLE_LICENSING = auto() + """ + the element follows the simple Licensing profile specification + """ + EXPANDED_LICENSING = auto() + """ + the element follows the expanded Licensing profile specification + """ + SECURITY = auto() + """ + the element follows the Security profile specification + """ + BUILD = auto() + """ + the element follows the Build profile specification + """ + AI = auto() + """ + the element follows the AI profile specification + """ + DATASET = auto() + """ + the element follows the Dataset profile specification + """ + USAGE = auto() + """ + the element follows the Usage profile specification + """ + EXTENSION = auto() + """ + the element follows the Extension profile specification + """ + + def __str__(self) -> str: + if self == ProfileIdentifierType.CORE: + return "core" + if self == ProfileIdentifierType.SOFTWARE: + return "software" + if self == ProfileIdentifierType.SIMPLE_LICENSING: + return "simpleLicensing" + if self == ProfileIdentifierType.EXPANDED_LICENSING: + return "expandedLicensing" + if self == ProfileIdentifierType.SECURITY: + return "security" + if self == ProfileIdentifierType.BUILD: + return "build" + if self == ProfileIdentifierType.AI: + return "ai" + if self == ProfileIdentifierType.DATASET: + return "dataset" + if self == ProfileIdentifierType.USAGE: + return "usage" + if self == ProfileIdentifierType.EXTENSION: + return "extension" + return "unknown" + + @staticmethod + def from_str(value: str) -> Optional["ProfileIdentifierType"]: + if value == "core": + return ProfileIdentifierType.CORE + if value == "software": + return ProfileIdentifierType.SOFTWARE + if value == "simpleLicensing": + return ProfileIdentifierType.SIMPLE_LICENSING + if value == "expandedLicensing": + return ProfileIdentifierType.EXPANDED_LICENSING + if value == "security": + return ProfileIdentifierType.SECURITY + if value == "build": + return ProfileIdentifierType.BUILD + if value == "ai": + return ProfileIdentifierType.AI + if value == "dataset": + return ProfileIdentifierType.DATASET + if value == "usage": + return ProfileIdentifierType.USAGE + if value == "extension": + return ProfileIdentifierType.EXTENSION + return None diff --git a/src/spdx_tools/spdx3/new_model/core/relationship.py b/src/spdx_tools/spdx3/new_model/core/relationship.py new file mode 100644 index 000000000..7c8fc579e --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/relationship.py @@ -0,0 +1,83 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from dataclasses import field +from datetime import datetime + +from beartype.typing import List, Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core.creation_info import CreationInfo +from ..core.element import Element +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod +from ..core.relationship_completeness import RelationshipCompleteness +from ..core.relationship_type import RelationshipType + + +@dataclass_with_properties +class Relationship(Element): + """ + A Relationship is a grouping of characteristics unique to an assertion that one Element is related to one or more + other Elements in some way. + """ + + from_element: str = None + """ + This field references the Element on the left-hand side of a relationship. + """ + to: List[str] = field(default_factory=list) + """ + This field references an Element on the right-hand side of a relationship. + """ + relationship_type: RelationshipType = None + """ + This field provides information about the relationship between two Elements. For example, you can represent a + relationship between two different Files, between a Package and a File, between two Packages, or between one + SPDXDocument and another SPDXDocument. + """ + completeness: Optional[RelationshipCompleteness] = None + """ + Completeness gives information about whether the provided relationships are complete, known to be incomplete or if + no assertion is made either way. + """ + start_time: Optional[datetime] = None + """ + A startTime specifies the time from which element is applicable / valid. + """ + end_time: Optional[datetime] = None + """ + A endTime specifies the time from which element is no applicable / valid. + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + from_element: str, + relationship_type: RelationshipType, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: List[str] = None, + to: List[str] = None, + completeness: Optional[RelationshipCompleteness] = None, + start_time: Optional[datetime] = None, + end_time: Optional[datetime] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension + to = [] if to is None else to + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/relationship_completeness.py b/src/spdx_tools/spdx3/new_model/core/relationship_completeness.py new file mode 100644 index 000000000..60fda809d --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/relationship_completeness.py @@ -0,0 +1,48 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from enum import Enum, auto + +from beartype.typing import Optional + + +class RelationshipCompleteness(Enum): + """ + RelationshipCompleteness indicates whether a relationship is complete or known to be incomplete or if there is made + no assertion either way. + """ + + INCOMPLETE = auto() + """ + The relationship is known not to be exhaustive. + """ + COMPLETE = auto() + """ + The relationship is known to be exhaustive. + """ + NO_ASSERTION = auto() + """ + There can be made no assertion about the completeness of the relationship. + """ + + def __str__(self) -> str: + if self == RelationshipCompleteness.INCOMPLETE: + return "incomplete" + if self == RelationshipCompleteness.COMPLETE: + return "complete" + if self == RelationshipCompleteness.NO_ASSERTION: + return "noAssertion" + return "unknown" + + @staticmethod + def from_str(value: str) -> Optional["RelationshipCompleteness"]: + if value == "incomplete": + return RelationshipCompleteness.INCOMPLETE + if value == "complete": + return RelationshipCompleteness.COMPLETE + if value == "noAssertion": + return RelationshipCompleteness.NO_ASSERTION + return None diff --git a/src/spdx_tools/spdx3/new_model/core/relationship_type.py b/src/spdx_tools/spdx3/new_model/core/relationship_type.py new file mode 100644 index 000000000..d1bde71de --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/relationship_type.py @@ -0,0 +1,531 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from enum import Enum, auto + +from beartype.typing import Optional + + +class RelationshipType(Enum): + """ + Provides information about the relationship between two Elements. For example, you can represent a relationship + between two different Files, between a Package and a File, between two Packages, or between one SPDXDocument and + another SPDXDocument. + """ + + AFFECTS = auto() + """ + (Security/VEX) Designates one or more elements as affected by a vulnerability + """ + AMENDS = auto() + """ + Every `to` Element amends the `from` Element + """ + ANCESTOR = auto() + """ + Every `to` Element is an ancestor of the `from` Element + """ + AVAILABLE_FROM = auto() + """ + This relationship is used to identify additional suppliers where an artifact is available from. + """ + BUILD_DEPENDENCY = auto() + """ + Every `to` Element is a build dependency of the `from` Element + """ + BUILD_TOOL = auto() + """ + Build tool used to build an Element. This may be used to describe the build tool of a Build instance + """ + COORDINATED_BY = auto() + """ + (Security) Used to identify the vendor, researcher, or consumer agent performing coordination for a vulnerability + """ + CONTAINS = auto() + """ + Every `to` Element is contained by the `from` Element + """ + CONFIG_OF = auto() + """ + (Build) Configuration information applied to an Element instance during a LifeycleScopeType period. Example: Build + configuration of the build instance + """ + COPY = auto() + """ + Every `to` Element is a copy of the `from` Element + """ + DATA_FILE = auto() + """ + Every `to` Element is a data file related to the the `from` Element + """ + DEPENDENCY_MANIFEST = auto() + """ + Every `to` Element is manifest file containing dependency information related to the `from` Element + """ + DEPENDS_ON = auto() + """ + Every `to` Element is a dependecy of the `from` Element + """ + DESCENDANT = auto() + """ + This relationship may be used to describe child builds of a Build instance. + """ + DESCRIBES = auto() + """ + Every `to` Element is described by the `from` Element. This can be used to denote the root(s) of a tree of elements + contained in an SBOM. + """ + DEV_DEPENDENCY = auto() + """ + Every `to` Element is a development dependency for the `from` Element + """ + DEV_TOOL = auto() + """ + Every `to` Element is a development tool for the `from` Element + """ + DISTRIBUTION_ARTIFACT = auto() + """ + Every `to` Element is an artifact intended for distribution of the `from` Element (e.g. an RPM or archive file) + """ + DOCUMENTATION = auto() + """ + Every `to` Element is documentation for the `from` Element + """ + DOES_NOT_AFFECT = auto() + """ + (Security/VEX) Specifies a vulnerability has no impact on one or more elements + """ + DYNAMIC_LINK = auto() + """ + Every `to` Element is dynamically linked to the `from` Element + """ + EXAMPLE = auto() + """ + Every `to` Element is an example for the `from` Element + """ + EVIDENCE_FOR = auto() + """ + (Dataset) Every `to` Element is can be considered as evidence for the `from` Element + """ + EXPANDED_FROM_ARCHIVE = auto() + """ + Every `to` Element is an artifact expanded from the `from` archive file + """ + EXPLOIT_CREATED_BY = auto() + """ + (Security) Designates an agent has created an exploit against a vulnerability + """ + FILE_ADDED = auto() + """ + Every `to` Element is is a file added to the `from` Element + """ + FILE_DELETED = auto() + """ + Every `to` Element is a file deleted from the `from` Element + """ + FILE_MODIFIED = auto() + """ + Every `to` Element is a modification of the `from` Element + """ + FIXED_BY = auto() + """ + (Security) Designates a vulnerability has been fixed by an agent + """ + FIXED_IN = auto() + """ + (Security/VEX) A vulnerability has been fixed in one or more elements + """ + FOUND_BY = auto() + """ + (Security) Designates an agent was the original discoverer of a security vulnerability + """ + GENERATES = auto() + """ + Every `to` Element is generated from the `from` Element + """ + HAS_ASSESSMENT_FOR = auto() + """ + (Security) Relates a Vulnerability and an Element with a security assessment. + """ + HAS_ASSOCIATED_VULNERABILITY = auto() + """ + (Security) Used to associate a security vulnerability with a software artifact + """ + HOST_OF = auto() + """ + (Build) The`from` Element in which every instance of the `to` Element during a LifecycleScopeType period runs on. + Example: host that the build runs on for an element. + """ + INPUT_OF = auto() + """ + (Build) Input to the Element instance during a LifecycleScopeType period. Example: input to the build instance for + an element. + """ + INVOKED_BY = auto() + """ + (Build) Every`to` Agent that invoked a `from` Element instance during a LifecycleScopeType period. Example: Agent + that invoked the build for an element + """ + METAFILE = auto() + """ + Every `to` Element is is a file containing metadata about the `from` Element + """ + ON_BEHALF_OF = auto() + """ + (Build) Every `to` Agent acting on behalf of another `from` Agent during a LifecycleScopeType period + """ + OPTIONAL_COMPONENT = auto() + """ + Every `to` Element is an optional component of the `from` Element + """ + OPTIONAL_DEPENDENCY = auto() + """ + Every `to` Element is an optional dependency of the `from` Element + """ + OTHER = auto() + """ + Every `to` Element is related to the `from` Element where the relationship type is not described by any of the SPDX + relationhip types + """ + OUTPUT_OF = auto() + """ + (Build) `from` Element that is output `to` the Element instance during a LifecycleScopeType period. Example: output + of the build instance + """ + PACKAGES = auto() + """ + Every `to` Element is a packaged form of the `from` Element + """ + PATCH = auto() + """ + Every `to` Element is a patch for the `from` Element + """ + PREREQUISITE = auto() + """ + Every `to` Element is a prerequisite of the `from` Element + """ + PROVIDED_DEPENDENCY = auto() + """ + Every `to` Element is a dependency not included in the distributed artifact but is assumed to be provided the + `from` Element + """ + PUBLISHED_BY = auto() + """ + (Security) Designates the agent that made a vulnerability record available for public use or reference + """ + REPORTED_BY = auto() + """ + (Security) Designates the agent that first reported a vulnerability to the project, vendor, or tracking database + for formal identification + """ + REPUBLISHED_BY = auto() + """ + (Security) Designates the agent that tracked, aggregated, and/or enriched vulnerability details to improve context + (i.e. NVD) + """ + REQUIREMENT_FOR = auto() + """ + Every `to` Element is required for the `from` Element + """ + RUNTIME_DEPENDENCY = auto() + """ + Every `to` Element is a runtime dependency for the `from` Element + """ + SPECIFICATION_FOR = auto() + """ + Every `to` Element is a specification for the `from` Element + """ + STATIC_LINK = auto() + """ + Every `to` Element is statically linked to the `from` Element + """ + TEST = auto() + """ + Every `to` Element is a test artifact for the `from` Element + """ + TEST_CASE = auto() + """ + Every `to` Element is a test case for the `from` Element + """ + TEST_DEPENDENCY = auto() + """ + Every `to` Element is a test dependency for the `from` Element + """ + TEST_TOOL = auto() + """ + Every `to` Element is a test tool for the `from` Element + """ + TESTED_ON = auto() + """ + (AI, Dataset) The `from` Element has been tested on the `to` Element + """ + TRAINED_ON = auto() + """ + (AI, Dataset) The `from` Element has been trained by the `to` Element(s) + """ + UNDER_INVESTIGATION_FOR = auto() + """ + (Security/VEX) The impact of a vulnerability is being investigated + """ + VARIANT = auto() + """ + Every `to` Element is a variant the `from` Element + """ + + def __str__(self) -> str: + if self == RelationshipType.AFFECTS: + return "affects" + if self == RelationshipType.AMENDS: + return "amends" + if self == RelationshipType.ANCESTOR: + return "ancestor" + if self == RelationshipType.AVAILABLE_FROM: + return "availableFrom" + if self == RelationshipType.BUILD_DEPENDENCY: + return "buildDependency" + if self == RelationshipType.BUILD_TOOL: + return "buildTool" + if self == RelationshipType.COORDINATED_BY: + return "coordinatedBy" + if self == RelationshipType.CONTAINS: + return "contains" + if self == RelationshipType.CONFIG_OF: + return "configOf" + if self == RelationshipType.COPY: + return "copy" + if self == RelationshipType.DATA_FILE: + return "dataFile" + if self == RelationshipType.DEPENDENCY_MANIFEST: + return "dependencyManifest" + if self == RelationshipType.DEPENDS_ON: + return "dependsOn" + if self == RelationshipType.DESCENDANT: + return "descendant" + if self == RelationshipType.DESCRIBES: + return "describes" + if self == RelationshipType.DEV_DEPENDENCY: + return "devDependency" + if self == RelationshipType.DEV_TOOL: + return "devTool" + if self == RelationshipType.DISTRIBUTION_ARTIFACT: + return "distributionArtifact" + if self == RelationshipType.DOCUMENTATION: + return "documentation" + if self == RelationshipType.DOES_NOT_AFFECT: + return "doesNotAffect" + if self == RelationshipType.DYNAMIC_LINK: + return "dynamicLink" + if self == RelationshipType.EXAMPLE: + return "example" + if self == RelationshipType.EVIDENCE_FOR: + return "evidenceFor" + if self == RelationshipType.EXPANDED_FROM_ARCHIVE: + return "expandedFromArchive" + if self == RelationshipType.EXPLOIT_CREATED_BY: + return "exploitCreatedBy" + if self == RelationshipType.FILE_ADDED: + return "fileAdded" + if self == RelationshipType.FILE_DELETED: + return "fileDeleted" + if self == RelationshipType.FILE_MODIFIED: + return "fileModified" + if self == RelationshipType.FIXED_BY: + return "fixedBy" + if self == RelationshipType.FIXED_IN: + return "fixedIn" + if self == RelationshipType.FOUND_BY: + return "foundBy" + if self == RelationshipType.GENERATES: + return "generates" + if self == RelationshipType.HAS_ASSESSMENT_FOR: + return "hasAssessmentFor" + if self == RelationshipType.HAS_ASSOCIATED_VULNERABILITY: + return "hasAssociatedVulnerability" + if self == RelationshipType.HOST_OF: + return "hostOf" + if self == RelationshipType.INPUT_OF: + return "inputOf" + if self == RelationshipType.INVOKED_BY: + return "invokedBy" + if self == RelationshipType.METAFILE: + return "metafile" + if self == RelationshipType.ON_BEHALF_OF: + return "onBehalfOf" + if self == RelationshipType.OPTIONAL_COMPONENT: + return "optionalComponent" + if self == RelationshipType.OPTIONAL_DEPENDENCY: + return "optionalDependency" + if self == RelationshipType.OTHER: + return "other" + if self == RelationshipType.OUTPUT_OF: + return "outputOf" + if self == RelationshipType.PACKAGES: + return "packages" + if self == RelationshipType.PATCH: + return "patch" + if self == RelationshipType.PREREQUISITE: + return "prerequisite" + if self == RelationshipType.PROVIDED_DEPENDENCY: + return "providedDependency" + if self == RelationshipType.PUBLISHED_BY: + return "publishedBy" + if self == RelationshipType.REPORTED_BY: + return "reportedBy" + if self == RelationshipType.REPUBLISHED_BY: + return "republishedBy" + if self == RelationshipType.REQUIREMENT_FOR: + return "requirementFor" + if self == RelationshipType.RUNTIME_DEPENDENCY: + return "runtimeDependency" + if self == RelationshipType.SPECIFICATION_FOR: + return "specificationFor" + if self == RelationshipType.STATIC_LINK: + return "staticLink" + if self == RelationshipType.TEST: + return "test" + if self == RelationshipType.TEST_CASE: + return "testCase" + if self == RelationshipType.TEST_DEPENDENCY: + return "testDependency" + if self == RelationshipType.TEST_TOOL: + return "testTool" + if self == RelationshipType.TESTED_ON: + return "testedOn" + if self == RelationshipType.TRAINED_ON: + return "trainedOn" + if self == RelationshipType.UNDER_INVESTIGATION_FOR: + return "underInvestigationFor" + if self == RelationshipType.VARIANT: + return "variant" + return "unknown" + + @staticmethod + def from_str(value: str) -> Optional["RelationshipType"]: + if value == "affects": + return RelationshipType.AFFECTS + if value == "amends": + return RelationshipType.AMENDS + if value == "ancestor": + return RelationshipType.ANCESTOR + if value == "availableFrom": + return RelationshipType.AVAILABLE_FROM + if value == "buildDependency": + return RelationshipType.BUILD_DEPENDENCY + if value == "buildTool": + return RelationshipType.BUILD_TOOL + if value == "coordinatedBy": + return RelationshipType.COORDINATED_BY + if value == "contains": + return RelationshipType.CONTAINS + if value == "configOf": + return RelationshipType.CONFIG_OF + if value == "copy": + return RelationshipType.COPY + if value == "dataFile": + return RelationshipType.DATA_FILE + if value == "dependencyManifest": + return RelationshipType.DEPENDENCY_MANIFEST + if value == "dependsOn": + return RelationshipType.DEPENDS_ON + if value == "descendant": + return RelationshipType.DESCENDANT + if value == "describes": + return RelationshipType.DESCRIBES + if value == "devDependency": + return RelationshipType.DEV_DEPENDENCY + if value == "devTool": + return RelationshipType.DEV_TOOL + if value == "distributionArtifact": + return RelationshipType.DISTRIBUTION_ARTIFACT + if value == "documentation": + return RelationshipType.DOCUMENTATION + if value == "doesNotAffect": + return RelationshipType.DOES_NOT_AFFECT + if value == "dynamicLink": + return RelationshipType.DYNAMIC_LINK + if value == "example": + return RelationshipType.EXAMPLE + if value == "evidenceFor": + return RelationshipType.EVIDENCE_FOR + if value == "expandedFromArchive": + return RelationshipType.EXPANDED_FROM_ARCHIVE + if value == "exploitCreatedBy": + return RelationshipType.EXPLOIT_CREATED_BY + if value == "fileAdded": + return RelationshipType.FILE_ADDED + if value == "fileDeleted": + return RelationshipType.FILE_DELETED + if value == "fileModified": + return RelationshipType.FILE_MODIFIED + if value == "fixedBy": + return RelationshipType.FIXED_BY + if value == "fixedIn": + return RelationshipType.FIXED_IN + if value == "foundBy": + return RelationshipType.FOUND_BY + if value == "generates": + return RelationshipType.GENERATES + if value == "hasAssessmentFor": + return RelationshipType.HAS_ASSESSMENT_FOR + if value == "hasAssociatedVulnerability": + return RelationshipType.HAS_ASSOCIATED_VULNERABILITY + if value == "hostOf": + return RelationshipType.HOST_OF + if value == "inputOf": + return RelationshipType.INPUT_OF + if value == "invokedBy": + return RelationshipType.INVOKED_BY + if value == "metafile": + return RelationshipType.METAFILE + if value == "onBehalfOf": + return RelationshipType.ON_BEHALF_OF + if value == "optionalComponent": + return RelationshipType.OPTIONAL_COMPONENT + if value == "optionalDependency": + return RelationshipType.OPTIONAL_DEPENDENCY + if value == "other": + return RelationshipType.OTHER + if value == "outputOf": + return RelationshipType.OUTPUT_OF + if value == "packages": + return RelationshipType.PACKAGES + if value == "patch": + return RelationshipType.PATCH + if value == "prerequisite": + return RelationshipType.PREREQUISITE + if value == "providedDependency": + return RelationshipType.PROVIDED_DEPENDENCY + if value == "publishedBy": + return RelationshipType.PUBLISHED_BY + if value == "reportedBy": + return RelationshipType.REPORTED_BY + if value == "republishedBy": + return RelationshipType.REPUBLISHED_BY + if value == "requirementFor": + return RelationshipType.REQUIREMENT_FOR + if value == "runtimeDependency": + return RelationshipType.RUNTIME_DEPENDENCY + if value == "specificationFor": + return RelationshipType.SPECIFICATION_FOR + if value == "staticLink": + return RelationshipType.STATIC_LINK + if value == "test": + return RelationshipType.TEST + if value == "testCase": + return RelationshipType.TEST_CASE + if value == "testDependency": + return RelationshipType.TEST_DEPENDENCY + if value == "testTool": + return RelationshipType.TEST_TOOL + if value == "testedOn": + return RelationshipType.TESTED_ON + if value == "trainedOn": + return RelationshipType.TRAINED_ON + if value == "underInvestigationFor": + return RelationshipType.UNDER_INVESTIGATION_FOR + if value == "variant": + return RelationshipType.VARIANT + return None diff --git a/src/spdx_tools/spdx3/new_model/core/software_agent.py b/src/spdx_tools/spdx3/new_model/core/software_agent.py new file mode 100644 index 000000000..41a347860 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/software_agent.py @@ -0,0 +1,43 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from beartype.typing import List, Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core.agent import Agent +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod + + +@dataclass_with_properties +class SoftwareAgent(Agent): + """ + A SoftwareAgent is a software program that is given the authority (similar to a user's authority) to act on a + system. + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: List[str] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/spdx_document.py b/src/spdx_tools/spdx3/new_model/core/spdx_document.py new file mode 100644 index 000000000..10927f714 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/spdx_document.py @@ -0,0 +1,50 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from beartype.typing import List, Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core.bundle import Bundle +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_map import ExternalMap +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod + + +@dataclass_with_properties +class SpdxDocument(Bundle): + """ + An SpdxDocument assembles a collection of Elements under a common string, the name of the document. Commonly used + when representing a unit of transfer of SPDX Elements. External property restriction on /Core/Element/name: + minCount: 1 + """ + + def __init__( + self, + spdx_id: str, + name: str, + creation_info: CreationInfo, + element: List[str], + root_element: List[str], + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: List[str] = None, + imports: List[ExternalMap] = None, + context: Optional[str] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension + imports = [] if imports is None else imports + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/tool.py b/src/spdx_tools/spdx3/new_model/core/tool.py new file mode 100644 index 000000000..261ec0019 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/tool.py @@ -0,0 +1,42 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from beartype.typing import List, Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core.creation_info import CreationInfo +from ..core.element import Element +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod + + +@dataclass_with_properties +class Tool(Element): + """ + A Tool is an element of hardware and/or software utilized to carry out a particular function. + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: List[str] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/dataset/__init__.py b/src/spdx_tools/spdx3/new_model/dataset/__init__.py new file mode 100644 index 000000000..be53750c2 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/dataset/__init__.py @@ -0,0 +1,10 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from .confidentiality_level_type import ConfidentialityLevelType +from .dataset import Dataset +from .dataset_availability_type import DatasetAvailabilityType +from .dataset_type import DatasetType diff --git a/src/spdx_tools/spdx3/new_model/dataset/confidentiality_level_type.py b/src/spdx_tools/spdx3/new_model/dataset/confidentiality_level_type.py new file mode 100644 index 000000000..f271233de --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/dataset/confidentiality_level_type.py @@ -0,0 +1,57 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from enum import Enum, auto + +from beartype.typing import Optional + + +class ConfidentialityLevelType(Enum): + """ + Describes the different confidentiality levels as given by the [Traffic Light + Protocol](https://en.wikipedia.org/wiki/Traffic_Light_Protocol). + """ + + RED = auto() + """ + Data points in the dataset are highly confidential and can only be shared with named recipients. + """ + AMBER = auto() + """ + Data points in the dataset can be shared only with specific organizations and their clients on a need to know + basis. + """ + GREEN = auto() + """ + Dataset can be shared within a community of peers and partners. + """ + CLEAR = auto() + """ + Dataset may be distributed freely, without restriction. + """ + + def __str__(self) -> str: + if self == ConfidentialityLevelType.RED: + return "Red" + if self == ConfidentialityLevelType.AMBER: + return "Amber" + if self == ConfidentialityLevelType.GREEN: + return "Green" + if self == ConfidentialityLevelType.CLEAR: + return "Clear" + return "unknown" + + @staticmethod + def from_str(value: str) -> Optional["ConfidentialityLevelType"]: + if value == "Red": + return ConfidentialityLevelType.RED + if value == "Amber": + return ConfidentialityLevelType.AMBER + if value == "Green": + return ConfidentialityLevelType.GREEN + if value == "Clear": + return ConfidentialityLevelType.CLEAR + return None diff --git a/src/spdx_tools/spdx3/new_model/dataset/dataset.py b/src/spdx_tools/spdx3/new_model/dataset/dataset.py new file mode 100644 index 000000000..67d92109a --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/dataset/dataset.py @@ -0,0 +1,159 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from dataclasses import field +from datetime import datetime + +from beartype.typing import Dict, List, Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod +from ..dataset.confidentiality_level_type import ConfidentialityLevelType +from ..dataset.dataset_availability_type import DatasetAvailabilityType +from ..dataset.dataset_type import DatasetType +from ..dataset.presence_type import PresenceType +from ..licensing.any_license_info import AnyLicenseInfo +from ..software.package import Package +from ..software.software_purpose import SoftwarePurpose + + +@dataclass_with_properties +class Dataset(Package): + """ + Metadata information that can be added to a dataset that may be used in a software or to train/test an AI package. + External property restriction on /Core/Artifact/originatedBy: minCount: 1 External property restriction on + /Software/Package/downloadLocation: minCount: 1 External property restriction on + /Software/SoftwareArtifact/primaryPurpose: minCount: 1 External property restriction on /Core/Artifact/releaseTime: + minCount: 1 External property restriction on /Core/Artifact/builtTime: minCount: 1 + """ + + dataset_type: List[DatasetType] = field(default_factory=list) + """ + Type describes the datatype contained in the dataset. For example a dataset can be an image dataset for computer + vision applications, a text dataset such as the contents of a book or Wikipedia article, or sometimes a multimodal + dataset that contains multiple types of data. + """ + data_collection_process: Optional[str] = None + """ + DataCollectionProcess describes how a dataset was collected. Examples include the sources from which a dataset was + scrapped or the interview protocol that was used for data collection. + """ + intended_use: Optional[str] = None + """ + IntendedUse describes what the given dataset should be used for. Some datasets are collected to be used only for + particular purposes. For example, medical data collected from a specific demography might only be applicable for + training machine learning models to make predictions for that demography. In such a case, the intendedUse field + would capture this information. Similarly, if a dataset is collected for building a facial recognition model, the + intendedUse field would specify that. + """ + dataset_size: Optional[int] = None + """ + DatasetSize Captures how large a dataset is. The size is to be measured in bytes. + """ + dataset_noise: Optional[str] = None + """ + DatasetNoise describes what kinds of noises a dataset might encompass. The field uses free form text to specify the + fields or the samples that might be noisy. Alternatively, it can also be used to describe various noises that could + impact the whole dataset. + """ + data_preprocessing: List[str] = field(default_factory=list) + """ + DataPreprocessing describes the various preprocessing steps that were applied to the raw data to create the + dataset. + """ + sensor: Dict[str, Optional[str]] = field(default_factory=list) + """ + Sensor describes a sensor that was used for collecting the data and its calibration value as a key-value pair. + """ + known_bias: List[str] = field(default_factory=list) + """ + KnownBias is a free form text field that describes the different biases that the dataset encompasses. + """ + sensitive_personal_information: Optional[PresenceType] = None + """ + SensitivePersonalInformation indicates the presence of sensitive personal data or information that allows drawing + conclusions about a person's identity. + """ + anonymization_method_used: List[str] = field(default_factory=list) + """ + AnonymizationMethodUsed describes the methods used to anonymize the dataset (of fields in the dataset). + """ + confidentiality_level: Optional[ConfidentialityLevelType] = None + """ + ConfidentialityLevel describes the levels of confidentiality of the data points contained in the dataset. + """ + dataset_update_mechanism: Optional[str] = None + """ + DatasetUpdateMechanism describes a mechanism to update the dataset. + """ + dataset_availability: Optional[DatasetAvailabilityType] = None + """ + Some datasets are publicly available and can be downloaded directly. Others are only accessible behind a + clickthrough, or after filling a registration form. This field will describe the dataset availability from that + perspective. + """ + + def __init__( + self, + spdx_id: str, + name: str, + creation_info: CreationInfo, + originated_by: List[str], + built_time: datetime, + release_time: datetime, + primary_purpose: SoftwarePurpose, + download_location: str, + dataset_type: List[DatasetType], + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: List[str] = None, + supplied_by: List[str] = None, + valid_until_time: Optional[datetime] = None, + standard: List[str] = None, + content_identifier: Optional[str] = None, + additional_purpose: List[SoftwarePurpose] = None, + concluded_license: Optional[AnyLicenseInfo] = None, + declared_license: Optional[AnyLicenseInfo] = None, + copyright_text: Optional[str] = None, + attribution_text: Optional[str] = None, + package_version: Optional[str] = None, + package_url: Optional[str] = None, + homepage: Optional[str] = None, + source_info: Optional[str] = None, + data_collection_process: Optional[str] = None, + intended_use: Optional[str] = None, + dataset_size: Optional[int] = None, + dataset_noise: Optional[str] = None, + data_preprocessing: List[str] = None, + sensor: Dict[str, Optional[str]] = None, + known_bias: List[str] = None, + sensitive_personal_information: Optional[PresenceType] = None, + anonymization_method_used: List[str] = None, + confidentiality_level: Optional[ConfidentialityLevelType] = None, + dataset_update_mechanism: Optional[str] = None, + dataset_availability: Optional[DatasetAvailabilityType] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension + supplied_by = [] if supplied_by is None else supplied_by + standard = [] if standard is None else standard + additional_purpose = [] if additional_purpose is None else additional_purpose + data_preprocessing = [] if data_preprocessing is None else data_preprocessing + sensor = {} if sensor is None else sensor + known_bias = [] if known_bias is None else known_bias + anonymization_method_used = [] if anonymization_method_used is None else anonymization_method_used + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/dataset/dataset_availability_type.py b/src/spdx_tools/spdx3/new_model/dataset/dataset_availability_type.py new file mode 100644 index 000000000..4547800ed --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/dataset/dataset_availability_type.py @@ -0,0 +1,69 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from enum import Enum, auto + +from beartype.typing import Optional + + +class DatasetAvailabilityType(Enum): + """ + Describes the possible types of availability of a dataset, indicating whether the dataset can be directly + downloaded, can be assembled using a script for scraping the data, is only available after a clickthrough or a + registration form. + """ + + DIRECT_DOWNLOAD = auto() + """ + the dataset is publicly available and can be downloaded directly. + """ + SCRAPING_SCRIPT = auto() + """ + the dataset provider is not making available the underlying data and the dataset must be reassembled, typically + using the provided script for scraping the data. + """ + QUERY = auto() + """ + the dataset is publicly available, but not all at once, and can only be accessed through queries which return parts + of the dataset. + """ + CLICKTHROUGH = auto() + """ + the dataset is not publicly available and can only be accessed after affirmatively accepting terms on a + clickthrough webpage. + """ + REGISTRATION = auto() + """ + the dataset is not publicly available and an email registration is required before accessing the dataset, although + without an affirmative acceptance of terms. + """ + + def __str__(self) -> str: + if self == DatasetAvailabilityType.DIRECT_DOWNLOAD: + return "Direct-Download" + if self == DatasetAvailabilityType.SCRAPING_SCRIPT: + return "Scraping-Script" + if self == DatasetAvailabilityType.QUERY: + return "Query" + if self == DatasetAvailabilityType.CLICKTHROUGH: + return "Clickthrough" + if self == DatasetAvailabilityType.REGISTRATION: + return "Registration" + return "unknown" + + @staticmethod + def from_str(value: str) -> Optional["DatasetAvailabilityType"]: + if value == "Direct-Download": + return DatasetAvailabilityType.DIRECT_DOWNLOAD + if value == "Scraping-Script": + return DatasetAvailabilityType.SCRAPING_SCRIPT + if value == "Query": + return DatasetAvailabilityType.QUERY + if value == "Clickthrough": + return DatasetAvailabilityType.CLICKTHROUGH + if value == "Registration": + return DatasetAvailabilityType.REGISTRATION + return None diff --git a/src/spdx_tools/spdx3/new_model/dataset/dataset_type.py b/src/spdx_tools/spdx3/new_model/dataset/dataset_type.py new file mode 100644 index 000000000..1c2d643ec --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/dataset/dataset_type.py @@ -0,0 +1,141 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from enum import Enum, auto + +from beartype.typing import Optional + + +class DatasetType(Enum): + """ + Describes the different structures of data within a given dataset. A dataset can have multiple types of data, or + even a single type of data but still match multiple types, for example sensor data could also be timeseries or + labeled image data could also be considered categorical. + """ + + STRUCTURED = auto() + """ + data is stored in tabular format or retrieved from a relational database. + """ + NUMERIC = auto() + """ + data consists only of numeric entries. + """ + TEXT = auto() + """ + data consists of unstructured text, such as a book, wikipedia article (without images), or transcript. + """ + CATEGORICAL = auto() + """ + data that is classified into a discrete number of categories, such as the eye color of a population of people. + """ + GRAPH = auto() + """ + data is in the form of a graph where entries are somehow related to each other through edges, such a social network + of friends. + """ + TIMESERIES = auto() + """ + data is recorded in an ordered sequence of timestamped entries, such as the price of a stock over the course of a + day. + """ + TIMESTAMP = auto() + """ + data is recorded with a timestamp for each entry, but not necessarily ordered or at specific intervals, such as + when a taxi ride starts and ends. + """ + SENSOR = auto() + """ + data is recorded from a physical sensor, such as a thermometer reading or biometric device. + """ + IMAGE = auto() + """ + data is a collection of images such as pictures of animals. + """ + SYNTACTIC = auto() + """ + data describes the syntax or semantics of a language or text, such as a parse tree used for natural language + processing. + """ + AUDIO = auto() + """ + data is audio based, such as a collection of music from the 80s. + """ + VIDEO = auto() + """ + data is video based, such as a collection of movie clips featuring Tom Hanks. + """ + OTHER = auto() + """ + data is of a type not included in this list. + """ + NO_ASSERTION = auto() + """ + data type is not known. + """ + + def __str__(self) -> str: + if self == DatasetType.STRUCTURED: + return "structured" + if self == DatasetType.NUMERIC: + return "numeric" + if self == DatasetType.TEXT: + return "text" + if self == DatasetType.CATEGORICAL: + return "categorical" + if self == DatasetType.GRAPH: + return "graph" + if self == DatasetType.TIMESERIES: + return "timeseries" + if self == DatasetType.TIMESTAMP: + return "timestamp" + if self == DatasetType.SENSOR: + return "sensor" + if self == DatasetType.IMAGE: + return "image" + if self == DatasetType.SYNTACTIC: + return "syntactic" + if self == DatasetType.AUDIO: + return "audio" + if self == DatasetType.VIDEO: + return "video" + if self == DatasetType.OTHER: + return "other" + if self == DatasetType.NO_ASSERTION: + return "noAssertion" + return "unknown" + + @staticmethod + def from_str(value: str) -> Optional["DatasetType"]: + if value == "structured": + return DatasetType.STRUCTURED + if value == "numeric": + return DatasetType.NUMERIC + if value == "text": + return DatasetType.TEXT + if value == "categorical": + return DatasetType.CATEGORICAL + if value == "graph": + return DatasetType.GRAPH + if value == "timeseries": + return DatasetType.TIMESERIES + if value == "timestamp": + return DatasetType.TIMESTAMP + if value == "sensor": + return DatasetType.SENSOR + if value == "image": + return DatasetType.IMAGE + if value == "syntactic": + return DatasetType.SYNTACTIC + if value == "audio": + return DatasetType.AUDIO + if value == "video": + return DatasetType.VIDEO + if value == "other": + return DatasetType.OTHER + if value == "noAssertion": + return DatasetType.NO_ASSERTION + return None diff --git a/src/spdx_tools/spdx3/new_model/expanded_licensing/__init__.py b/src/spdx_tools/spdx3/new_model/expanded_licensing/__init__.py new file mode 100644 index 000000000..2aec994e2 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/expanded_licensing/__init__.py @@ -0,0 +1,17 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from .conjunctive_license_set import ConjunctiveLicenseSet +from .custom_license import CustomLicense +from .custom_license_addition import CustomLicenseAddition +from .disjunctive_license_set import DisjunctiveLicenseSet +from .extendable_license import ExtendableLicense +from .license import License +from .license_addition import LicenseAddition +from .listed_license import ListedLicense +from .listed_license_exception import ListedLicenseException +from .or_later_operator import OrLaterOperator +from .with_addition_operator import WithAdditionOperator diff --git a/src/spdx_tools/spdx3/new_model/expanded_licensing/conjunctive_license_set.py b/src/spdx_tools/spdx3/new_model/expanded_licensing/conjunctive_license_set.py new file mode 100644 index 000000000..db22b28d2 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/expanded_licensing/conjunctive_license_set.py @@ -0,0 +1,58 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from dataclasses import field + +from beartype.typing import List, Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod +from ..simple_licensing.any_license_info import AnyLicenseInfo + + +@dataclass_with_properties +class ConjunctiveLicenseSet(AnyLicenseInfo): + """ + A ConjunctiveLicenseSet indicates that _each_ of its subsidiary AnyLicenseInfos apply. In other words, a + ConjunctiveLicenseSet of two or more licenses represents a licensing situation where _all_ of the specified + licenses are to be complied with. It is represented in the SPDX License Expression Syntax by the `AND` operator. + + It is syntactically correct to specify a ConjunctiveLicenseSet where the subsidiary AnyLicenseInfos may be + "incompatible" according to a particular interpretation of the corresponding Licenses. The SPDX License Expression + Syntax does not take into account interpretation of license texts, which is left to the consumer of SPDX data to + determine for themselves. + """ + + member: List[AnyLicenseInfo] = field(default_factory=list) + """ + A member is a license expression participating in a conjunctive (of type ConjunctiveLicenseSet) or a disjunctive + (of type DisjunctiveLicenseSet) license set. + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + member: List[AnyLicenseInfo], + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: List[str] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/expanded_licensing/custom_license.py b/src/spdx_tools/spdx3/new_model/expanded_licensing/custom_license.py new file mode 100644 index 000000000..b284c1779 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/expanded_licensing/custom_license.py @@ -0,0 +1,32 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from beartype.typing import Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..expanded_licensing.license import License + + +@dataclass_with_properties +class CustomLicense(License): + """ + A CustomLicense represents a License that is not listed on the SPDX License List at https://spdx.org/licenses, and + is therefore defined by an SPDX data creator. + """ + + def __init__( + self, + license_text: str, + is_osi_approved: Optional[bool] = None, + is_fsf_libre: Optional[bool] = None, + standard_license_header: Optional[str] = None, + standard_license_template: Optional[str] = None, + is_deprecated_license_id: Optional[bool] = None, + obsoleted_by: Optional[str] = None, + ): + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/expanded_licensing/custom_license_addition.py b/src/spdx_tools/spdx3/new_model/expanded_licensing/custom_license_addition.py new file mode 100644 index 000000000..865ca648f --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/expanded_licensing/custom_license_addition.py @@ -0,0 +1,50 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from beartype.typing import List, Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod +from ..expanded_licensing.license_addition import LicenseAddition + + +@dataclass_with_properties +class CustomLicenseAddition(LicenseAddition): + """ + A CustomLicenseAddition represents an addition to a License that is not listed on the SPDX Exceptions List at + https://spdx.org/licenses/exceptions-index.html, and is therefore defined by an SPDX data creator. + + It is intended to represent additional language which is meant to be added to a License, but which is not itself a + standalone License. + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + addition_text: str, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: List[str] = None, + standard_addition_template: Optional[str] = None, + is_deprecated_addition_id: Optional[bool] = None, + obsoleted_by: Optional[str] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/expanded_licensing/disjunctive_license_set.py b/src/spdx_tools/spdx3/new_model/expanded_licensing/disjunctive_license_set.py new file mode 100644 index 000000000..acc9fea25 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/expanded_licensing/disjunctive_license_set.py @@ -0,0 +1,55 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from dataclasses import field + +from beartype.typing import List, Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod +from ..simple_licensing.any_license_info import AnyLicenseInfo + + +@dataclass_with_properties +class DisjunctiveLicenseSet(AnyLicenseInfo): + """ + A DisjunctiveLicenseSet indicates that _only one_ of its subsidiary AnyLicenseInfos is required to apply. In other + words, a DisjunctiveLicenseSet of two or more licenses represents a licensing situation where _only one_ of the + specified licenses are to be complied with. A consumer of SPDX data would typically understand this to permit the + recipient of the licensed content to choose which of the corresponding license they would prefer to use. It is + represented in the SPDX License Expression Syntax by the `OR` operator. + """ + + member: List[AnyLicenseInfo] = field(default_factory=list) + """ + A member is a license expression participating in a conjunctive (of type ConjunctiveLicenseSet) or a disjunctive + (of type DisjunctiveLicenseSet) license set. + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + member: List[AnyLicenseInfo], + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: List[str] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/expanded_licensing/extendable_license.py b/src/spdx_tools/spdx3/new_model/expanded_licensing/extendable_license.py new file mode 100644 index 000000000..b911d9965 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/expanded_licensing/extendable_license.py @@ -0,0 +1,23 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from abc import abstractmethod + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + +from ..licensing.any_license_info import AnyLicenseInfo + + +@dataclass_with_properties +class ExtendableLicense(AnyLicenseInfo): + """ + The WithAdditionOperator can have a License or an OrLaterOperator as the license property value. This class is used + for the value. + """ + + @abstractmethod + def __init__(self): + pass diff --git a/src/spdx_tools/spdx3/new_model/expanded_licensing/license.py b/src/spdx_tools/spdx3/new_model/expanded_licensing/license.py new file mode 100644 index 000000000..7bf2ed6ff --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/expanded_licensing/license.py @@ -0,0 +1,92 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from abc import abstractmethod + +from beartype.typing import Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + +from ..expanded_licensing.extendable_license import ExtendableLicense + + +@dataclass_with_properties +class License(ExtendableLicense): + """ + A License represents a license text, whether listed on the SPDX License List (ListedLicense) or defined by an SPDX + data creator (CustomLicense). + """ + + license_text: str = None + """ + A licenseText contains the plain text of the License or Addition, without templating or other similar markup. + + Users of the licenseText for a License can apply the SPDX Matching Guidelines when comparing it to another text for + matching purposes. + """ + is_osi_approved: Optional[bool] = None + """ + isOsiApproved specifies whether the [Open Source Initiative (OSI)](https://opensource.org) has listed this License + as "approved" in their list of OSI Approved Licenses, located at the time of this writing at + https://opensource.org/licenses/. + + A value of "true" indicates that the OSI has listed this License as approved. + + A value of "false" indicates that the OSI has not listed this License as approved. + + If the isOsiApproved field is not specified, the SPDX data creator makes no assertions about whether the License is + approved by the OSI. + """ + is_fsf_libre: Optional[bool] = None + """ + isFsfLibre specifies whether the [Free Software Foundation FSF](https://fsf.org) has listed this License as "free" + in their commentary on licenses, located at the time of this writing at + https://www.gnu.org/licenses/license-list.en.html. + + A value of "true" indicates that the FSF has listed this License as _free_. + + A value of "false" indicates that the FSF has listed this License as _not free_. + + If the isFsfLibre field is not specified, the SPDX data creator makes no assertions about whether the License is + listed in the FSF's commentary. + """ + standard_license_header: Optional[str] = None + """ + A standardLicenseHeader contains the plain text of the License author's preferred wording to be used, typically in + a source code file's header comments or similar location, to indicate that the file is subject to the specified + License. + """ + standard_license_template: Optional[str] = None + """ + A standardLicenseTemplate contains a license template which describes sections of the License text which can be + varied. See the Legacy Text Template format section of the SPDX specification for format information. + """ + is_deprecated_license_id: Optional[bool] = None + """ + The isDeprecatedLicenseId property specifies whether an identifier for a License or LicenseAddition has been marked + as deprecated. If the property is not defined, then it is presumed to be false (i.e., not deprecated). + + If the License or LicenseAddition is included on the SPDX License List, then the `deprecatedVersion` property + indicates on which version release of the License List it was first marked as deprecated. + + "Deprecated" in this context refers to deprecating the use of the _identifier_, not the underlying license. In + other words, even if a License's author or steward has stated that a particular License generally should not be + used, that would _not_ mean that the License's identifier is "deprecated." Rather, a License or LicenseAddition + operator is typically marked as "deprecated" when it is determined that use of another identifier is preferable. + """ + obsoleted_by: Optional[str] = None + """ + An obsoletedBy value for a deprecated License or LicenseAddition specifies the licenseId of the replacement License + or LicenseAddition that is preferred to be used in its place. It should use the same format as specified for a + licenseId. + + The License's or LicenseAddition's comment value may include more information about the reason why the licenseId + specified in the obsoletedBy value is preferred. + """ + + @abstractmethod + def __init__(self): + pass diff --git a/src/spdx_tools/spdx3/new_model/expanded_licensing/license_addition.py b/src/spdx_tools/spdx3/new_model/expanded_licensing/license_addition.py new file mode 100644 index 000000000..201e6448b --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/expanded_licensing/license_addition.py @@ -0,0 +1,65 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from abc import abstractmethod + +from beartype.typing import Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + +from ..core.element import Element + + +@dataclass_with_properties +class LicenseAddition(Element): + """ + A LicenseAddition represents text which is intended to be added to a License as additional text, but which is not + itself intended to be a standalone License. + + It may be an exception which is listed on the SPDX Exceptions List (ListedLicenseException), or may be any other + additional text (as an exception or otherwise) which is defined by an SPDX data creator (CustomLicenseAddition). + """ + + addition_text: str = None + """ + An additionText contains the plain text of the LicenseAddition, without templating or other similar markup. + + Users of the additionText for a License can apply the SPDX Matching Guidelines when comparing it to another text + for matching purposes. + """ + standard_addition_template: Optional[str] = None + """ + A standardAdditionTemplate contains a license addition template which describes sections of the LicenseAddition + text which can be varied. See the Legacy Text Template format section of the SPDX specification for format + information. + """ + is_deprecated_addition_id: Optional[bool] = None + """ + The isDeprecatedAdditionId property specifies whether an identifier for a LicenseAddition has been marked as + deprecated. If the property is not defined, then it is presumed to be false (i.e., not deprecated). + + If the LicenseAddition is included on the SPDX Exceptions List, then the `deprecatedVersion` property indicates on + which version release of the Exceptions List it was first marked as deprecated. + + "Deprecated" in this context refers to deprecating the use of the _identifier_, not the underlying license + addition. In other words, even if a LicenseAddition's author or steward has stated that a particular + LicenseAddition generally should not be used, that would _not_ mean that the LicenseAddition's identifier is + "deprecated." Rather, a LicenseAddition operator is typically marked as "deprecated" when it is determined that use + of another identifier is preferable. + """ + obsoleted_by: Optional[str] = None + """ + An obsoletedBy value for a deprecated License or LicenseAddition specifies the licenseId of the replacement License + or LicenseAddition that is preferred to be used in its place. It should use the same format as specified for a + licenseId. + + The License's or LicenseAddition's comment value may include more information about the reason why the licenseId + specified in the obsoletedBy value is preferred. + """ + + @abstractmethod + def __init__(self): + pass diff --git a/src/spdx_tools/spdx3/new_model/expanded_licensing/listed_license.py b/src/spdx_tools/spdx3/new_model/expanded_licensing/listed_license.py new file mode 100644 index 000000000..0ea9e4b57 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/expanded_licensing/listed_license.py @@ -0,0 +1,44 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from beartype.typing import Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..expanded_licensing.license import License + + +@dataclass_with_properties +class ListedLicense(License): + """ + A ListedLicense represents a License that is listed on the SPDX License List at https://spdx.org/licenses. + """ + + list_version_added: Optional[str] = None + """ + A listVersionAdded for a ListedLicense or ListedLicenseException on the SPDX License List specifies which version + release of the License List was the first one in which it was included. + """ + deprecated_version: Optional[str] = None + """ + A deprecatedVersion for a ListedLicense or ListedLicenseException on the SPDX License List specifies which version + release of the License List was the first one in which it was marked as deprecated. + """ + + def __init__( + self, + license_text: str, + is_osi_approved: Optional[bool] = None, + is_fsf_libre: Optional[bool] = None, + standard_license_header: Optional[str] = None, + standard_license_template: Optional[str] = None, + is_deprecated_license_id: Optional[bool] = None, + obsoleted_by: Optional[str] = None, + list_version_added: Optional[str] = None, + deprecated_version: Optional[str] = None, + ): + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/expanded_licensing/listed_license_exception.py b/src/spdx_tools/spdx3/new_model/expanded_licensing/listed_license_exception.py new file mode 100644 index 000000000..907cd210c --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/expanded_licensing/listed_license_exception.py @@ -0,0 +1,61 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from beartype.typing import List, Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod +from ..expanded_licensing.license_addition import LicenseAddition + + +@dataclass_with_properties +class ListedLicenseException(LicenseAddition): + """ + A ListedLicenseException represents an exception to a License (in other words, an exception to a license condition + or an additional permission beyond those granted in a License) which is listed on the SPDX Exceptions List at + https://spdx.org/licenses/exceptions-index.html. + """ + + list_version_added: Optional[str] = None + """ + A listVersionAdded for a ListedLicense or ListedLicenseException on the SPDX License List specifies which version + release of the License List was the first one in which it was included. + """ + deprecated_version: Optional[str] = None + """ + A deprecatedVersion for a ListedLicense or ListedLicenseException on the SPDX License List specifies which version + release of the License List was the first one in which it was marked as deprecated. + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + addition_text: str, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: List[str] = None, + standard_addition_template: Optional[str] = None, + is_deprecated_addition_id: Optional[bool] = None, + obsoleted_by: Optional[str] = None, + list_version_added: Optional[str] = None, + deprecated_version: Optional[str] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/expanded_licensing/or_later_operator.py b/src/spdx_tools/spdx3/new_model/expanded_licensing/or_later_operator.py new file mode 100644 index 000000000..831c23ecd --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/expanded_licensing/or_later_operator.py @@ -0,0 +1,37 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..expanded_licensing.extendable_license import ExtendableLicense +from ..expanded_licensing.license import License + + +@dataclass_with_properties +class OrLaterOperator(ExtendableLicense): + """ + An OrLaterOperator indicates that this portion of the AnyLicenseInfo represents either (1) the specified version of + the corresponding License, or (2) any later version of that License. It is represented in the SPDX License + Expression Syntax by the `+` operator. + + It is context-dependent, and unspecified by SPDX, as to what constitutes a "later version" of any particular + License. Some Licenses may not be versioned, or may not have clearly-defined ordering for versions. The consumer of + SPDX data will need to determine for themselves what meaning to attribute to a "later version" operator for a + particular License. + """ + + subject_license: License = None + """ + A subjectLicense is a License which is subject to either an 'or later' effect (OrLaterOperator) or a 'with + additional text' effect (WithAdditionOperator). + """ + + def __init__( + self, + subject_license: License, + ): + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/expanded_licensing/with_addition_operator.py b/src/spdx_tools/spdx3/new_model/expanded_licensing/with_addition_operator.py new file mode 100644 index 000000000..ab17c656b --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/expanded_licensing/with_addition_operator.py @@ -0,0 +1,58 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from beartype.typing import List, Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod +from ..expanded_licensing.extendable_license import ExtendableLicense +from ..expanded_licensing.license_addition import LicenseAddition +from ..simple_licensing.any_license_info import AnyLicenseInfo + + +@dataclass_with_properties +class WithAdditionOperator(AnyLicenseInfo): + """ + A WithAdditionOperator indicates that the designated License is subject to the designated LicenseAddition, which + might be a license exception on the SPDX Exceptions List (ListedLicenseException) or may be other additional text + (CustomLicenseAddition). It is represented in the SPDX License Expression Syntax by the `WITH` operator. + """ + + subject_license: ExtendableLicense = None + """ + A subjectLicense is a License which is subject to either an 'or later' effect (OrLaterOperator) or a 'with + additional text' effect (WithAdditionOperator). + """ + subject_addition: LicenseAddition = None + """ + A subjectAddition is a LicenseAddition which is subject to a 'with additional text' effect (WithAdditionOperator). + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + subject_license: ExtendableLicense, + subject_addition: LicenseAddition, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: List[str] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/security/__init__.py b/src/spdx_tools/spdx3/new_model/security/__init__.py new file mode 100644 index 000000000..09a02d58b --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/security/__init__.py @@ -0,0 +1,21 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from .cvss_v2_vuln_assessment_relationship import CvssV2VulnAssessmentRelationship +from .cvss_v3_vuln_assessment_relationship import CvssV3VulnAssessmentRelationship +from .epss_vuln_assessment_relationship import EpssVulnAssessmentRelationship +from .exploit_catalog_type import ExploitCatalogType +from .exploit_catalog_vuln_assessment_relationship import ExploitCatalogVulnAssessmentRelationship +from .ssvc_decision_type import SsvcDecisionType +from .ssvc_vuln_assessment_relationship import SsvcVulnAssessmentRelationship +from .vex_affected_vuln_assessment_relationship import VexAffectedVulnAssessmentRelationship +from .vex_fixed_vuln_assessment_relationship import VexFixedVulnAssessmentRelationship +from .vex_justification_type import VexJustificationType +from .vex_not_affected_vuln_assessment_relationship import VexNotAffectedVulnAssessmentRelationship +from .vex_under_investigation_vuln_assessment_relationship import VexUnderInvestigationVulnAssessmentRelationship +from .vex_vuln_assessment_relationship import VexVulnAssessmentRelationship +from .vuln_assessment_relationship import VulnAssessmentRelationship +from .vulnerability import Vulnerability diff --git a/src/spdx_tools/spdx3/new_model/security/cvss_v2_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/cvss_v2_vuln_assessment_relationship.py new file mode 100644 index 000000000..5febc98b4 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/security/cvss_v2_vuln_assessment_relationship.py @@ -0,0 +1,126 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from datetime import datetime + +from beartype.typing import List, Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod +from ..core.relationship_completeness import RelationshipCompleteness +from ..core.relationship_type import RelationshipType +from ..security.vuln_assessment_relationship import VulnAssessmentRelationship + + +@dataclass_with_properties +class CvssV2VulnAssessmentRelationship(VulnAssessmentRelationship): + """ + A CvssV2VulnAssessmentRelationship relationship describes the determined score and vector of a vulnerability using + version 2.0 of the Common Vulnerability Scoring System (CVSS) as defined on + [https://www.first.org/cvss/v2/guide](https://www.first.org/cvss/v2/guide). It is intented to communicate the + results of using a CVSS calculator. + + **Constraints** + + - The value of severity must be one of 'low', 'medium' or 'high' + - The relationship type must be set to hasAssessmentFor. + + **Syntax** + + ```json + { + "@type": "CvssV2VulnAssessmentRelationship", + "@id": "urn:spdx.dev:cvssv2-cve-2020-28498", + "relationshipType": "hasAssessmentFor", + "score": 4.3, + "vector": "(AV:N/AC:M/Au:N/C:P/I:N/A:N)", + "severity": "low", + "from": "urn:spdx.dev:vuln-cve-2020-28498", + "to": ["urn:product-acme-application-1.3"], + "assessedElement": "urn:npm-elliptic-6.5.2", + "externalReferences": [ + { + "@type": "ExternalReference", + "externalReferenceType": "securityAdvisory", + "locator": "https://nvd.nist.gov/vuln/detail/CVE-2020-28498" + }, + { + "@type": "ExternalReference", + "externalReferenceType": "securityAdvisory", + "locator": "https://snyk.io/vuln/SNYK-JS-ELLIPTIC-1064899" + }, + { + "@type": "ExternalReference", + "externalReferenceType": "securityFix", + "locator": "https://github.com/indutny/elliptic/commit/441b742" + } + ], + "suppliedBy": ["urn:spdx.dev:agent-my-security-vendor"], + "publishedTime": "2023-05-06T10:06:13Z" + }, + { + "@type": "Relationship", + "@id": "urn:spdx.dev:vulnAgentRel-1", + "relationshipType": "publishedBy", + "from": "urn:spdx.dev:cvssv2-cve-2020-28498", + "to": ["urn:spdx.dev:agent-snyk"], + "startTime": "2021-03-08T16:06:50Z" + } + ``` + """ + + score: float = None + """ + The score provides information on the severity of a vulnerability per the Common Vulnerability Scoring System as + defined on [https://www.first.org/cvss](https://www.first.org/cvss/). + """ + severity: Optional[str] = None + """ + The severity field provides a human readable string, a label that can be used as an English adjective that + qualifies its numerical score. + """ + vector: Optional[str] = None + """ + Sepcifies the vector string of a vulnerability, a string combining metrics from an assessment of its severity. + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + from_element: str, + to: List[str], + relationship_type: RelationshipType, + score: float, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: List[str] = None, + completeness: Optional[RelationshipCompleteness] = None, + start_time: Optional[datetime] = None, + end_time: Optional[datetime] = None, + assessed_element: Optional[str] = None, + published_time: Optional[datetime] = None, + supplied_by: Optional[str] = None, + modified_time: Optional[datetime] = None, + withdrawn_time: Optional[datetime] = None, + severity: Optional[str] = None, + vector: Optional[str] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/security/cvss_v3_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/cvss_v3_vuln_assessment_relationship.py new file mode 100644 index 000000000..20711eb3b --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/security/cvss_v3_vuln_assessment_relationship.py @@ -0,0 +1,127 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from datetime import datetime + +from beartype.typing import List, Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod +from ..core.relationship_completeness import RelationshipCompleteness +from ..core.relationship_type import RelationshipType +from ..security.vuln_assessment_relationship import VulnAssessmentRelationship + + +@dataclass_with_properties +class CvssV3VulnAssessmentRelationship(VulnAssessmentRelationship): + """ + A CvssV3VulnAssessmentRelationship relationship describes the determined score, severity, and vector of a + vulnerability using version 3.1 of the Common Vulnerability Scoring System (CVSS) as defined on + [https://www.first.org/cvss/v3.1/specification-document](https://www.first.org/cvss/v3.1/specification-document). + It is intented to communicate the results of using a CVSS calculator. + + **Constraints** + + - The value of severity must be one of 'none', 'low', 'medium', 'high' or 'critical'. + - Absence of the property shall be interpreted as 'none'. + - The relationship type must be set to hasAssessmentFor. + + **Syntax** + + ```json + { + "@type": "CvssV3VulnAssessmentRelationship", + "@id": "urn:spdx.dev:cvssv3-cve-2020-28498", + "relationshipType": "hasAssessmentFor", + "severity": "medium", + "score": 6.8, + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N", + "from": "urn:spdx.dev:vuln-cve-2020-28498", + "to": ["urn:product-acme-application-1.3"], + "assessedElement": "urn:npm-elliptic-6.5.2", + "externalReferences": [ + { + "@type": "ExternalReference", + "externalReferenceType": "securityAdvisory", + "locator": "https://nvd.nist.gov/vuln/detail/CVE-2020-28498" + }, + { + "@type": "ExternalReference", + "externalReferenceType": "securityAdvisory", + "locator": "https://snyk.io/vuln/SNYK-JS-ELLIPTIC-1064899" + }, + { + "@type": "ExternalReference", + "externalReferenceType": "securityFix", + "locator": "https://github.com/indutny/elliptic/commit/441b742" + } + ], + "suppliedBy": ["urn:spdx.dev:agent-my-security-vendor"], + "publishedTime": "2023-05-06T10:06:13Z" + }, + { + "@type": "Relationship", + "@id": "urn:spdx.dev:vulnAgentRel-1", + "relationshipType": "publishedBy", + "from": "urn:spdx.dev:cvssv3-cve-2020-28498", + "to": "urn:spdx.dev:agent-snyk", + "startTime": "2021-03-08T16:06:50Z" + } + ``` + """ + + score: float = None + """ + The score provides information on the severity of a vulnerability per the Common Vulnerability Scoring System as + defined on [https://www.first.org/cvss](https://www.first.org/cvss/). + """ + severity: Optional[str] = None + """ + The severity field provides a human readable string, a label that can be used as an English adjective that + qualifies its numerical score. + """ + vector: Optional[str] = None + """ + Sepcifies the vector string of a vulnerability, a string combining metrics from an assessment of its severity. + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + from_element: str, + to: List[str], + relationship_type: RelationshipType, + score: float, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: List[str] = None, + completeness: Optional[RelationshipCompleteness] = None, + start_time: Optional[datetime] = None, + end_time: Optional[datetime] = None, + assessed_element: Optional[str] = None, + published_time: Optional[datetime] = None, + supplied_by: Optional[str] = None, + modified_time: Optional[datetime] = None, + withdrawn_time: Optional[datetime] = None, + severity: Optional[str] = None, + vector: Optional[str] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/security/epss_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/epss_vuln_assessment_relationship.py new file mode 100644 index 000000000..f1fe01fbd --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/security/epss_vuln_assessment_relationship.py @@ -0,0 +1,91 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from datetime import datetime + +from beartype.typing import List, Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod +from ..core.relationship_completeness import RelationshipCompleteness +from ..core.relationship_type import RelationshipType +from ..security.vuln_assessment_relationship import VulnAssessmentRelationship + + +@dataclass_with_properties +class EpssVulnAssessmentRelationship(VulnAssessmentRelationship): + """ + An EpssVulnAssessmentRelationship relationship describes the likelihood or probability that a vulnerability will be + exploited in the wild using the Exploit Prediction Scoring System (EPSS) as defined on + [https://www.first.org/epss/model](https://www.first.org/epss/model). + + **Constraints** + + - The relationship type must be set to hasAssessmentFor. + + **Syntax** + + ```json + { + "@type": "EpssVulnAssessmentRelationship", + "@id": "urn:spdx.dev:epss-1", + "relationshipType": "hasAssessmentFor", + "probability": 80, + "from": "urn:spdx.dev:vuln-cve-2020-28498", + "to": ["urn:product-acme-application-1.3"], + "suppliedBy": ["urn:spdx.dev:agent-jane-doe"], + "publishedTime": "2021-03-09T11:04:53Z" + } + ``` + """ + + probability: int = None + """ + The probability score between 0 and 1 (0 and 100%) estimating the likelihood that a vulnerability will be exploited + in the next 12 months. + """ + severity: Optional[str] = None + """ + The severity field provides a human readable string, a label that can be used as an English adjective that + qualifies its numerical score. + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + from_element: str, + to: List[str], + relationship_type: RelationshipType, + probability: int, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: List[str] = None, + completeness: Optional[RelationshipCompleteness] = None, + start_time: Optional[datetime] = None, + end_time: Optional[datetime] = None, + assessed_element: Optional[str] = None, + published_time: Optional[datetime] = None, + supplied_by: Optional[str] = None, + modified_time: Optional[datetime] = None, + withdrawn_time: Optional[datetime] = None, + severity: Optional[str] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/security/exploit_catalog_type.py b/src/spdx_tools/spdx3/new_model/security/exploit_catalog_type.py new file mode 100644 index 000000000..65de25290 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/security/exploit_catalog_type.py @@ -0,0 +1,39 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from enum import Enum, auto + +from beartype.typing import Optional + + +class ExploitCatalogType(Enum): + """ + ExploitCatalogType specifies the type of exploit catalog that a vulnerability is listed in. + """ + + KEV = auto() + """ + CISA's Known Exploited Vulnerability (KEV) Catalog + """ + OTHER = auto() + """ + Other exploit catalogs + """ + + def __str__(self) -> str: + if self == ExploitCatalogType.KEV: + return "kev" + if self == ExploitCatalogType.OTHER: + return "other" + return "unknown" + + @staticmethod + def from_str(value: str) -> Optional["ExploitCatalogType"]: + if value == "kev": + return ExploitCatalogType.KEV + if value == "other": + return ExploitCatalogType.OTHER + return None diff --git a/src/spdx_tools/spdx3/new_model/security/exploit_catalog_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/exploit_catalog_vuln_assessment_relationship.py new file mode 100644 index 000000000..a33c11284 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/security/exploit_catalog_vuln_assessment_relationship.py @@ -0,0 +1,98 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from datetime import datetime + +from beartype.typing import List, Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod +from ..core.relationship_completeness import RelationshipCompleteness +from ..core.relationship_type import RelationshipType +from ..security.exploit_catalog_type import ExploitCatalogType +from ..security.vuln_assessment_relationship import VulnAssessmentRelationship + + +@dataclass_with_properties +class ExploitCatalogVulnAssessmentRelationship(VulnAssessmentRelationship): + """ + An ExploitCatalogVulnAssessmentRelationship describes if a vulnerability is listed in any exploit catalog such as + the CISA Known Exploited Vulnerabilities Catalog (KEV) + [https://www.cisa.gov/known-exploited-vulnerabilities-catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog). + + **Constraints** + + - The relationship type must be set to hasAssessmentFor. + + **Syntax** + + ```json + { + "@type": "ExploitCatalogVulnAssessmentRelationship", + "@id": "urn:spdx.dev:exploit-catalog-1", + "relationshipType": "hasAssessmentFor", + "catalogType": "kev", + "locator": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", + "exploited": "true", + "from": "urn:spdx.dev:vuln-cve-2023-2136", + "to": ["urn:product-google-chrome-112.0.5615.136"], + "suppliedBy": ["urn:spdx.dev:agent-jane-doe"], + "publishedTime": "2021-03-09T11:04:53Z" + } + ``` + """ + + catalog_type: ExploitCatalogType = None + """ + A catalogType is a mandatory value and must select one of the two entries in the `ExploitCatalogType.md` + vocabulary. + """ + exploited: bool = None + """ + This field is set when a CVE is listed in an exploit catalog. + """ + locator: str = None + """ + A locator provides the location of an exploit catalog. + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + from_element: str, + to: List[str], + relationship_type: RelationshipType, + catalog_type: ExploitCatalogType, + exploited: bool, + locator: str, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: List[str] = None, + completeness: Optional[RelationshipCompleteness] = None, + start_time: Optional[datetime] = None, + end_time: Optional[datetime] = None, + assessed_element: Optional[str] = None, + published_time: Optional[datetime] = None, + supplied_by: Optional[str] = None, + modified_time: Optional[datetime] = None, + withdrawn_time: Optional[datetime] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/security/ssvc_decision_type.py b/src/spdx_tools/spdx3/new_model/security/ssvc_decision_type.py new file mode 100644 index 000000000..c0c8edd7b --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/security/ssvc_decision_type.py @@ -0,0 +1,67 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from enum import Enum, auto + +from beartype.typing import Optional + + +class SsvcDecisionType(Enum): + """ + SsvcDecisionType specifies the type of decision that's been made according to the Stakeholder-Specific + Vulnerability Categorization (SSVC) system + [https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc](https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc) + """ + + ACT = auto() + """ + The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level + individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as + publishing a notification either internally and/or externally. Typically, internal groups would meet to determine + the overall response and then execute agreed upon actions. CISA recommends remediating Act vulnerabilities as soon + as possible. + """ + ATTEND = auto() + """ + The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary + actions include requesting assistance or information about the vulnerability, and may involve publishing a + notification either internally and/or externally. CISA recommends remediating Attend vulnerabilities sooner than + standard update timelines. + """ + TRACK = auto() + """ + The vulnerability does not require action at this time. The organization would continue to track the vulnerability + and reassess it if new information becomes available. CISA recommends remediating Track vulnerabilities within + standard update timelines. + """ + TRACK_STAR = auto() + """ + (Track* in the SSVC spec) The vulnerability contains specific characteristics that may require closer monitoring + for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines. + """ + + def __str__(self) -> str: + if self == SsvcDecisionType.ACT: + return "act" + if self == SsvcDecisionType.ATTEND: + return "attend" + if self == SsvcDecisionType.TRACK: + return "track" + if self == SsvcDecisionType.TRACK_STAR: + return "trackStar" + return "unknown" + + @staticmethod + def from_str(value: str) -> Optional["SsvcDecisionType"]: + if value == "act": + return SsvcDecisionType.ACT + if value == "attend": + return SsvcDecisionType.ATTEND + if value == "track": + return SsvcDecisionType.TRACK + if value == "trackStar": + return SsvcDecisionType.TRACK_STAR + return None diff --git a/src/spdx_tools/spdx3/new_model/security/ssvc_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/ssvc_vuln_assessment_relationship.py new file mode 100644 index 000000000..8431299f6 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/security/ssvc_vuln_assessment_relationship.py @@ -0,0 +1,88 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from datetime import datetime + +from beartype.typing import List, Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod +from ..core.relationship_completeness import RelationshipCompleteness +from ..core.relationship_type import RelationshipType +from ..security.ssvc_decision_type import SsvcDecisionType +from ..security.vuln_assessment_relationship import VulnAssessmentRelationship + + +@dataclass_with_properties +class SsvcVulnAssessmentRelationship(VulnAssessmentRelationship): + """ + An SsvcVulnAssessmentRelationship describes the decision made using the Stakeholder-Specific Vulnerability + Categorization (SSVC) decision tree as defined on + [https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc](https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc). + It is intended to communicate the results of using the CISA SSVC Calculator. + + **Constraints** + + - The relationship type must be set to hasAssessmentFor. + + **Syntax** + + ```json + { + "@type": "SsvcVulnAssessmentRelationship", + "@id": "urn:spdx.dev:ssvc-1", + "relationshipType": "hasAssessmentFor", + "decisionType": "act", + "from": "urn:spdx.dev:vuln-cve-2020-28498", + "to": ["urn:product-acme-application-1.3"], + "assessedElement": "urn:npm-elliptic-6.5.2", + "suppliedBy": ["urn:spdx.dev:agent-jane-doe"], + "publishedTime": "2021-03-09T11:04:53Z" + } + ``` + """ + + decision_type: SsvcDecisionType = None + """ + A decisionType is a mandatory value and must select one of the four entries in the `SsvcDecisionType.md` + vocabulary. + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + from_element: str, + to: List[str], + relationship_type: RelationshipType, + decision_type: SsvcDecisionType, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: List[str] = None, + completeness: Optional[RelationshipCompleteness] = None, + start_time: Optional[datetime] = None, + end_time: Optional[datetime] = None, + assessed_element: Optional[str] = None, + published_time: Optional[datetime] = None, + supplied_by: Optional[str] = None, + modified_time: Optional[datetime] = None, + withdrawn_time: Optional[datetime] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/security/vex_affected_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/vex_affected_vuln_assessment_relationship.py new file mode 100644 index 000000000..4ec59b713 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/security/vex_affected_vuln_assessment_relationship.py @@ -0,0 +1,98 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from dataclasses import field +from datetime import datetime + +from beartype.typing import List, Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod +from ..core.relationship_completeness import RelationshipCompleteness +from ..core.relationship_type import RelationshipType +from ..security.vex_vuln_assessment_relationship import VexVulnAssessmentRelationship + + +@dataclass_with_properties +class VexAffectedVulnAssessmentRelationship(VexVulnAssessmentRelationship): + """ + VexAffectedVulnAssessmentRelationship connects a vulnerability and a number of elements. The relationship marks + these elements as products affected by the vulnerability. This relationship corresponds to the VEX affected status. + + **Constraints** + + When linking elements using a VexAffectedVulnAssessmentRelationship, the following requirements must be observed: + + - Elements linked with a VulnVexAffectedAssessmentRelationship are constrained to the affects relationship type. + + **Syntax** + + ```json + { + "@type": "VexAffectedVulnAssessmentRelationship", + "@id": "urn:spdx.dev:vex-affected-1", + "relationshipType": "affects", + "from": "urn:spdx.dev:vuln-cve-2020-28498", + "to": ["urn:product-acme-application-1.3"], + "assessedElement": "urn:npm-elliptic-6.5.2", + "actionStatement": "Upgrade to version 1.4 of ACME application.", + "suppliedBy": ["urn:spdx.dev:agent-jane-doe"], + "publishedTime": "2021-03-09T11:04:53Z" + } + ``` + """ + + action_statement: Optional[str] = None + """ + When an element is referenced with a VexAffectedVulnAssessmentRelationship, the relationship MUST include one + actionStatement that SHOULD describe actions to remediate or mitigate the vulnerability. + """ + action_statement_time: List[datetime] = field(default_factory=list) + """ + When a VEX statement communicates an affected status, the author MUST include an action statement with a + recommended action to help mitigate the vulnerability's impact. The actionStatementTime property records the time + when the action statement was first communicated. + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + from_element: str, + to: List[str], + relationship_type: RelationshipType, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: List[str] = None, + completeness: Optional[RelationshipCompleteness] = None, + start_time: Optional[datetime] = None, + end_time: Optional[datetime] = None, + assessed_element: Optional[str] = None, + published_time: Optional[datetime] = None, + supplied_by: Optional[str] = None, + modified_time: Optional[datetime] = None, + withdrawn_time: Optional[datetime] = None, + vex_version: Optional[str] = None, + status_notes: Optional[str] = None, + action_statement: Optional[str] = None, + action_statement_time: List[datetime] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension + action_statement_time = [] if action_statement_time is None else action_statement_time + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/security/vex_fixed_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/vex_fixed_vuln_assessment_relationship.py new file mode 100644 index 000000000..2dc9d17b6 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/security/vex_fixed_vuln_assessment_relationship.py @@ -0,0 +1,82 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from datetime import datetime + +from beartype.typing import List, Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod +from ..core.relationship_completeness import RelationshipCompleteness +from ..core.relationship_type import RelationshipType +from ..security.vex_vuln_assessment_relationship import VexVulnAssessmentRelationship + + +@dataclass_with_properties +class VexFixedVulnAssessmentRelationship(VexVulnAssessmentRelationship): + """ + VexFixedVulnAssessmentRelationship links a vulnerability to a number of elements representing VEX products where a + vulnerability has been fixed and are no longer affected. It represents the VEX fixed status. + + **Constraints** + + When linking elements using a VexFixedVulnAssessmentRelationship, the following requirements must be observed: + + - Elements linked with a VulnVexFixedAssessmentRelationship are constrained to using the fixedIn relationship type. + - The from: end of the relationship must ve a /Security/Vulnerability classed element. + + **Syntax** + + ```json + { + "@type": "VexFixedVulnAssessmentRelationship", + "@id": "urn:spdx.dev:vex-fixed-in-1", + "relationshipType": "fixedIn", + "from": "urn:spdx.dev:vuln-cve-2020-28498", + "to": ["urn:product-acme-application-1.3"], + "assessedElement": "urn:npm-elliptic-6.5.4", + "suppliedBy": ["urn:spdx.dev:agent-jane-doe"], + "publishedTime": "2021-03-09T11:04:53Z" + } + ``` + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + from_element: str, + to: List[str], + relationship_type: RelationshipType, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: List[str] = None, + completeness: Optional[RelationshipCompleteness] = None, + start_time: Optional[datetime] = None, + end_time: Optional[datetime] = None, + assessed_element: Optional[str] = None, + published_time: Optional[datetime] = None, + supplied_by: Optional[str] = None, + modified_time: Optional[datetime] = None, + withdrawn_time: Optional[datetime] = None, + vex_version: Optional[str] = None, + status_notes: Optional[str] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/security/vex_justification_type.py b/src/spdx_tools/spdx3/new_model/security/vex_justification_type.py new file mode 100644 index 000000000..4864bb646 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/security/vex_justification_type.py @@ -0,0 +1,65 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from enum import Enum, auto + +from beartype.typing import Optional + + +class VexJustificationType(Enum): + """ + VexJustificationType specifies the type of Vulnerability Exploitability eXchange (VEX) justification. + """ + + COMPONENT_NOT_PRESENT = auto() + """ + The software is not affected because the vulnerable component is not in the product. + """ + VULNERABLE_CODE_NOT_PRESENT = auto() + """ + The product is not affected because the code underlying the vulnerability is not present in the product. + """ + VULNERABLE_CODE_CANNOT_BE_CONTROLLED_BY_ADVERSARY = auto() + """ + The vulnerable component is present, and the component contains the vulnerable code. However, vulnerable code is + used in such a way that an attacker cannot mount any anticipated attack. + """ + VULNERABLE_CODE_NOT_IN_EXECUTE_PATH = auto() + """ + The affected code is not reachable through the execution of the code, including non-anticipated states of the + product. + """ + INLINE_MITIGATIONS_ALREADY_EXIST = auto() + """ + Built-in inline controls or mitigations prevent an adversary from leveraging the vulnerability. + """ + + def __str__(self) -> str: + if self == VexJustificationType.COMPONENT_NOT_PRESENT: + return "componentNotPresent" + if self == VexJustificationType.VULNERABLE_CODE_NOT_PRESENT: + return "vulnerableCodeNotPresent" + if self == VexJustificationType.VULNERABLE_CODE_CANNOT_BE_CONTROLLED_BY_ADVERSARY: + return "vulnerableCodeCannotBeControlledByAdversary" + if self == VexJustificationType.VULNERABLE_CODE_NOT_IN_EXECUTE_PATH: + return "vulnerableCodeNotInExecutePath" + if self == VexJustificationType.INLINE_MITIGATIONS_ALREADY_EXIST: + return "inlineMitigationsAlreadyExist" + return "unknown" + + @staticmethod + def from_str(value: str) -> Optional["VexJustificationType"]: + if value == "componentNotPresent": + return VexJustificationType.COMPONENT_NOT_PRESENT + if value == "vulnerableCodeNotPresent": + return VexJustificationType.VULNERABLE_CODE_NOT_PRESENT + if value == "vulnerableCodeCannotBeControlledByAdversary": + return VexJustificationType.VULNERABLE_CODE_CANNOT_BE_CONTROLLED_BY_ADVERSARY + if value == "vulnerableCodeNotInExecutePath": + return VexJustificationType.VULNERABLE_CODE_NOT_IN_EXECUTE_PATH + if value == "inlineMitigationsAlreadyExist": + return VexJustificationType.INLINE_MITIGATIONS_ALREADY_EXIST + return None diff --git a/src/spdx_tools/spdx3/new_model/security/vex_not_affected_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/vex_not_affected_vuln_assessment_relationship.py new file mode 100644 index 000000000..cba888597 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/security/vex_not_affected_vuln_assessment_relationship.py @@ -0,0 +1,112 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from datetime import datetime + +from beartype.typing import List, Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod +from ..core.relationship_completeness import RelationshipCompleteness +from ..core.relationship_type import RelationshipType +from ..security.vex_justification_type import VexJustificationType +from ..security.vex_vuln_assessment_relationship import VexVulnAssessmentRelationship + + +@dataclass_with_properties +class VexNotAffectedVulnAssessmentRelationship(VexVulnAssessmentRelationship): + """ + VexNotAffectedVulnAssessmentRelationship connects a vulnerability and a number of elements designating them as + products not affected by the vulnerability. This relationship corresponds to the VEX not_affected status. + + **Constraints** + + When linking elements using a VexNotVulnAffectedAssessmentRelationship, the following requirements must be + observed: + + * Relating elements with a VexNotAffectedVulnAssessmentRelationship is restricted to the doesNotAffect relationship + type. + * The from: end of the relationship must be a /Security/Vulnerability classed element. + * Both impactStatement and justificationType properties have a cardinality of 0..1 making them optional. + Nevertheless, to produce a valid VEX not_affected statement, one of them MUST be defined. This is specified in + the Minimum Elements for VEX. + + **Syntax** + + ```json + { + "@type": "VexNotAffectedVulnAssessmentRelationship", + "@id": "urn:spdx.dev:vex-not-affected-1", + "relationshipType": "doesNotAffect", + "from": "urn:spdx.dev:vuln-cve-2020-28498", + "to": ["urn:product-acme-application-1.3"], + "assessedElement": "urn:npm-elliptic-6.5.2", + "justificationType": "componentNotPresent", + "impactStatement": "Not using this vulnerable part of this library.", + "suppliedBy": ["urn:spdx.dev:agent-jane-doe"], + "publishedTime": "2021-03-09T11:04:53Z" + } + ``` + """ + + justification_type: Optional[VexJustificationType] = None + """ + When stating that an element is not affected by a vulnerability, the VexNotAffectedVulnAssessmentRelationship must + include a justification from the machine-readable labels catalog informing the reason the element is not impacted. + + impactStatement which is a string with English prose can be used instead or as complementary to the justification + label, but one of both MUST be defined. + """ + impact_statement: Optional[str] = None + """ + When a VEX product element is related with a VexNotAffectedVulnAssessmentRelationship and a machine readable + justification label is not provided, then an impactStatement that further explains how or why the prouct(s) are not + affected by the vulnerability must be provided. + """ + impact_statement_time: Optional[datetime] = None + """ + TODO + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + from_element: str, + to: List[str], + relationship_type: RelationshipType, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: List[str] = None, + completeness: Optional[RelationshipCompleteness] = None, + start_time: Optional[datetime] = None, + end_time: Optional[datetime] = None, + assessed_element: Optional[str] = None, + published_time: Optional[datetime] = None, + supplied_by: Optional[str] = None, + modified_time: Optional[datetime] = None, + withdrawn_time: Optional[datetime] = None, + vex_version: Optional[str] = None, + status_notes: Optional[str] = None, + justification_type: Optional[VexJustificationType] = None, + impact_statement: Optional[str] = None, + impact_statement_time: Optional[datetime] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/security/vex_under_investigation_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/vex_under_investigation_vuln_assessment_relationship.py new file mode 100644 index 000000000..7ad8181c7 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/security/vex_under_investigation_vuln_assessment_relationship.py @@ -0,0 +1,84 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from datetime import datetime + +from beartype.typing import List, Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod +from ..core.relationship_completeness import RelationshipCompleteness +from ..core.relationship_type import RelationshipType +from ..security.vex_vuln_assessment_relationship import VexVulnAssessmentRelationship + + +@dataclass_with_properties +class VexUnderInvestigationVulnAssessmentRelationship(VexVulnAssessmentRelationship): + """ + VexUnderInvestigationVulnAssessmentRelationship links a vulnerability to a number of products stating the + vulnerability's impact on them is being investigated. It represents the VEX under_investigation status. + + **Constraints** + + When linking elements using a VexUnderInvestigationVulnAssessmentRelationship the following requirements must be + observed: + + - Elements linked with a VexUnderInvestigationVulnAssessmentRelationship are constrained to using the + underInvestigationFor relationship type. + - The from: end of the relationship must ve a /Security/Vulnerability classed element. + + **Syntax** + + ```json + { + "@type": "VexUnderInvestigationVulnAssessmentRelationship", + "@id": "urn:spdx.dev:vex-underInvestigation-1", + "relationshipType": "underInvestigationFor", + "from": "urn:spdx.dev:vuln-cve-2020-28498", + "to": ["urn:product-acme-application-1.3"], + "assessedElement": "urn:npm-elliptic-6.5.2", + "suppliedBy": ["urn:spdx.dev:agent-jane-doe"], + "publishedTime": "2021-03-09T11:04:53Z" + } + ``` + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + from_element: str, + to: List[str], + relationship_type: RelationshipType, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: List[str] = None, + completeness: Optional[RelationshipCompleteness] = None, + start_time: Optional[datetime] = None, + end_time: Optional[datetime] = None, + assessed_element: Optional[str] = None, + published_time: Optional[datetime] = None, + supplied_by: Optional[str] = None, + modified_time: Optional[datetime] = None, + withdrawn_time: Optional[datetime] = None, + vex_version: Optional[str] = None, + status_notes: Optional[str] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/security/vex_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/vex_vuln_assessment_relationship.py new file mode 100644 index 000000000..f60ef6b60 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/security/vex_vuln_assessment_relationship.py @@ -0,0 +1,49 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from abc import abstractmethod + +from beartype.typing import Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + +from ..security.vuln_assessment_relationship import VulnAssessmentRelationship + + +@dataclass_with_properties +class VexVulnAssessmentRelationship(VulnAssessmentRelationship): + """ + VexVulnAssessmentRelationship is an abstract subclass that defined the common properties shared by all the SPDX-VEX + status relationships. + + **Constraints** + + When linking elements using a VexVulnAssessmentRelationship, the following requirements must be observed: + + - The from: end must be a /Security/Vulnerability classed element + - The to: end must point to elements representing the VEX _products_. To specify a different element where the + vulnerability was detected, the VEX relationship can optionally specify _subcomponents_ using the assessedElement + property. + + VEX inherits information from the document level down to its statements. When a statement is missing information it + can be completed by reading the equivalent field from the containing document. For example, if a VEX relationship + is missing data in its createdBy property, tools must consider the entity listed in the CreationInfo section of the + document as the VEX author. In the same way, when a VEX relationship does not have a created property, the + document's date must be considered as authoritative. + """ + + vex_version: Optional[str] = None + """ + TODO + """ + status_notes: Optional[str] = None + """ + TODO + """ + + @abstractmethod + def __init__(self): + pass diff --git a/src/spdx_tools/spdx3/new_model/security/vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/vuln_assessment_relationship.py new file mode 100644 index 000000000..d39ef852f --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/security/vuln_assessment_relationship.py @@ -0,0 +1,48 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from abc import abstractmethod +from datetime import datetime + +from beartype.typing import Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + +from ..core.relationship import Relationship + + +@dataclass_with_properties +class VulnAssessmentRelationship(Relationship): + """ + VulnAssessmentRelationship is the ancestor class common to all vulnerability assessment relationships. It factors + out the common properties shared by them. External property restriction on /Core/Relationship/to: minCount: 1 + """ + + assessed_element: Optional[str] = None + """ + Specifies subpackages, files or snippets referenced by a security assessment to specify the precise location where + a vulnerability was found. + """ + published_time: Optional[datetime] = None + """ + Specifies the time when a vulnerability was first published. + """ + supplied_by: Optional[str] = None + """ + Identify the actual distribution source for the vulnerability assessment relationship being referenced. + """ + modified_time: Optional[datetime] = None + """ + Specifies a time when a vulnerability assessment was last modified. + """ + withdrawn_time: Optional[datetime] = None + """ + Specified the time and date when a vulnerability was withdrawn. + """ + + @abstractmethod + def __init__(self): + pass diff --git a/src/spdx_tools/spdx3/new_model/security/vulnerability.py b/src/spdx_tools/spdx3/new_model/security/vulnerability.py new file mode 100644 index 000000000..fd50b6da5 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/security/vulnerability.py @@ -0,0 +1,135 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from datetime import datetime + +from beartype.typing import List, Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core.creation_info import CreationInfo +from ..core.element import Element +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod + + +@dataclass_with_properties +class Vulnerability(Element): + """ + Specifies a vulnerability and its associated information. + + **Syntax** + + ```json + { + "@type": "Vulnerability", + "@id": "urn:spdx.dev:vuln-1", + "summary": "Use of a Broken or Risky Cryptographic Algorithm", + "description": "The npm package `elliptic` before version 6.5.4 are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.", + "modified": "2021-03-08T16:02:43Z", + "published": "2021-03-08T16:06:50Z", + "externalIdentifiers": [ + { + "@type": "ExternalIdentifier", + "externalIdentifierType": "cve", + "identifier": "CVE-2020-2849", + "identifierLocator": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28498", + "https://www.cve.org/CVERecord?id=CVE-2020-28498" + ], + "issuingAuthority": "urn:spdx.dev:agent-cve.org" + }, + { + "type": "ExternalIdentifier", + "externalIdentifierType": "securityOther", + "identifier": "GHSA-r9p9-mrjm-926w", + "identifierLocator": "https://github.com/advisories/GHSA-r9p9-mrjm-926w" + }, + { + "type": "ExternalIdentifier", + "externalIdentifierType": "securityOther", + "identifier": "SNYK-JS-ELLIPTIC-1064899", + "identifierLocator": "https://security.snyk.io/vuln/SNYK-JS-ELLIPTIC-1064899" + } + ], + "externalReferences": [ + { + "@type": "ExternalReference", + "externalReferenceType": "securityAdvisory", + "locator": "https://nvd.nist.gov/vuln/detail/CVE-2020-28498" + }, + { + "@type": "ExternalReference", + "externalReferenceType": "securityAdvisory", + "locator": "https://ubuntu.com/security/CVE-2020-28498" + }, + { + "@type": "ExternalReference", + "externalReferenceType": "securityOther", + "locator": "https://github.com/indutny/elliptic/pull/244/commits" + }, + { + "@type": "ExternalReference", + "externalReferenceType": "securityOther", + "locator": "https://github.com/christianlundkvist/blog/blob/master/2020_05_26_secp256k1_twist_attacks/secp256k1_twist_attacks.md" + } + ] + }, + { + "@type": "Relationship", + "@id": "urn:spdx.dev:vulnRelationship-1", + "relationshipType": "hasAssociatedVulnerability", + "from": "urn:npm-elliptic-6.5.2", + "to": ["urn:spdx.dev:vuln-1"], + "startTime": "2021-03-08T16:06:50Z" + }, + { + "@type": "Relationship", + "@id": "urn:spdx.dev:vulnAgentRel-1", + "relationshipType": "publishedBy", + "from": "urn:spdx.dev:vuln-1", + "to": ["urn:spdx.dev:agent-snyk"], + "startTime": "2021-03-08T16:06:50Z" + } + ``` + """ + + published_time: Optional[datetime] = None + """ + Specifies the time when a vulnerability was first published. + """ + modified_time: Optional[datetime] = None + """ + Specifies a time when a vulnerability assessment was last modified. + """ + withdrawn_time: Optional[datetime] = None + """ + Specified the time and date when a vulnerability was withdrawn. + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: List[str] = None, + published_time: Optional[datetime] = None, + modified_time: Optional[datetime] = None, + withdrawn_time: Optional[datetime] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/simple_licensing/__init__.py b/src/spdx_tools/spdx3/new_model/simple_licensing/__init__.py new file mode 100644 index 000000000..b77d4bfd0 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/simple_licensing/__init__.py @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from .any_license_info import AnyLicenseInfo +from .license_expression import LicenseExpression +from .simple_licensing_text import SimpleLicensingText diff --git a/src/spdx_tools/spdx3/new_model/simple_licensing/any_license_info.py b/src/spdx_tools/spdx3/new_model/simple_licensing/any_license_info.py new file mode 100644 index 000000000..e2c70d258 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/simple_licensing/any_license_info.py @@ -0,0 +1,25 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from abc import abstractmethod + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + +from ..core.element import Element + + +@dataclass_with_properties +class AnyLicenseInfo(Element): + """ + An AnyLicenseInfo is used by licensing properties of software artifacts. It can be a NoneLicense, a + NoAssertionLicense, single license (either on the SPDX License List or a custom-defined license); a single license + with an "or later" operator applied; the foregoing with additional text applied; or a set of licenses combined by + applying "AND" and "OR" operators recursively. + """ + + @abstractmethod + def __init__(self): + pass diff --git a/src/spdx_tools/spdx3/new_model/simple_licensing/license_expression.py b/src/spdx_tools/spdx3/new_model/simple_licensing/license_expression.py new file mode 100644 index 000000000..849b3cfcb --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/simple_licensing/license_expression.py @@ -0,0 +1,70 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from beartype.typing import List, Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod +from ..simple_licensing.any_license_info import AnyLicenseInfo + + +@dataclass_with_properties +class LicenseExpression(AnyLicenseInfo): + """ + Often a single license can be used to represent the licensing terms of a source code or binary file, but there are + situations where a single license identifier is not sufficient. A common example is when software is offered under + a choice of one or more licenses (e.g., GPL-2.0-only OR BSD-3-Clause). Another example is when a set of licenses is + needed to represent a binary program constructed by compiling and linking two (or more) different source files each + governed by different licenses (e.g., LGPL-2.1-only AND BSD-3-Clause). + + SPDX License Expressions provide a way for one to construct expressions that more accurately represent the + licensing terms typically found in open source software source code. A license expression could be a single license + identifier found on the SPDX License List; a user defined license reference denoted by the LicenseRef-idString; a + license identifier combined with an SPDX exception; or some combination of license identifiers, license references + and exceptions constructed using a small set of defined operators (e.g., AND, OR, WITH and +). We provide the + definition of what constitutes a valid an SPDX License Expression in this section. + """ + + license_expression: str = None + """ + Often a single license can be used to represent the licensing terms of a source code or binary file, but there are + situations where a single license identifier is not sufficient. A common example is when software is offered under + a choice of one or more licenses (e.g., GPL-2.0-only OR BSD-3-Clause). Another example is when a set of licenses is + needed to represent a binary program constructed by compiling and linking two (or more) different source files each + governed by different licenses (e.g., LGPL-2.1-only AND BSD-3-Clause). + + SPDX License Expressions provide a way for one to construct expressions that more accurately represent the + licensing terms typically found in open source software source code. A license expression could be a single license + identifier found on the SPDX License List; a user defined license reference denoted by the LicenseRef-idString; a + license identifier combined with an SPDX exception; or some combination of license identifiers, license references + and exceptions constructed using a small set of defined operators (e.g., AND, OR, WITH and +). We provide the + definition of what constitutes a valid an SPDX License Expression in this section. + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + license_expression: str, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: List[str] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/simple_licensing/simple_licensing_text.py b/src/spdx_tools/spdx3/new_model/simple_licensing/simple_licensing_text.py new file mode 100644 index 000000000..e2be1a5b0 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/simple_licensing/simple_licensing_text.py @@ -0,0 +1,52 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from beartype.typing import List, Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core.creation_info import CreationInfo +from ..core.element import Element +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod + + +@dataclass_with_properties +class SimpleLicensingText(Element): + """ + A SimpleLicensingText represents a License or Addition that is not listed on the SPDX License List at + https://spdx.org/licenses, and is therefore defined by an SPDX data creator. + """ + + license_text: str = None + """ + A licenseText contains the plain text of the License or Addition, without templating or other similar markup. + + Users of the licenseText for a License can apply the SPDX Matching Guidelines when comparing it to another text for + matching purposes. + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + license_text: str, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: List[str] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/software/__init__.py b/src/spdx_tools/spdx3/new_model/software/__init__.py new file mode 100644 index 000000000..b4497a6fd --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/software/__init__.py @@ -0,0 +1,16 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from .dependency_conditionality_type import DependencyConditionalityType +from .file import File +from .package import Package +from .sbom import Sbom +from .sbom_type import SbomType +from .snippet import Snippet +from .software_artifact import SoftwareArtifact +from .software_dependency_link_type import SoftwareDependencyLinkType +from .software_dependency_relationship import SoftwareDependencyRelationship +from .software_purpose import SoftwarePurpose diff --git a/src/spdx_tools/spdx3/new_model/software/dependency_conditionality_type.py b/src/spdx_tools/spdx3/new_model/software/dependency_conditionality_type.py new file mode 100644 index 000000000..427d65eab --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/software/dependency_conditionality_type.py @@ -0,0 +1,63 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from enum import Enum, auto + +from beartype.typing import Optional + + +class DependencyConditionalityType(Enum): + """ + TODO + """ + + OPTIONAL = auto() + """ + TODOdescription + """ + REQUIRED = auto() + """ + TODOdescription + """ + PROVIDED = auto() + """ + TODOdescription + """ + PREREQUISITE = auto() + """ + TODOdescription + """ + OTHER = auto() + """ + TODOdescription + """ + + def __str__(self) -> str: + if self == DependencyConditionalityType.OPTIONAL: + return "optional" + if self == DependencyConditionalityType.REQUIRED: + return "required" + if self == DependencyConditionalityType.PROVIDED: + return "provided" + if self == DependencyConditionalityType.PREREQUISITE: + return "prerequisite" + if self == DependencyConditionalityType.OTHER: + return "other" + return "unknown" + + @staticmethod + def from_str(value: str) -> Optional["DependencyConditionalityType"]: + if value == "optional": + return DependencyConditionalityType.OPTIONAL + if value == "required": + return DependencyConditionalityType.REQUIRED + if value == "provided": + return DependencyConditionalityType.PROVIDED + if value == "prerequisite": + return DependencyConditionalityType.PREREQUISITE + if value == "other": + return DependencyConditionalityType.OTHER + return None diff --git a/src/spdx_tools/spdx3/new_model/software/file.py b/src/spdx_tools/spdx3/new_model/software/file.py new file mode 100644 index 000000000..9ac18b2f9 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/software/file.py @@ -0,0 +1,71 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from datetime import datetime + +from beartype.typing import List, Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod +from ..licensing.any_license_info import AnyLicenseInfo +from ..software.software_artifact import SoftwareArtifact +from ..software.software_purpose import SoftwarePurpose + + +@dataclass_with_properties +class File(SoftwareArtifact): + """ + Refers to any object that stores content on a computer. The type of content can optionally be provided in the + contentType property. External property restriction on /Core/Element/name: minCount: 1 + """ + + content_type: Optional[str] = None + """ + This field is a reasonable estimation of the content type of the Element, from a creator perspective. Content type + is intrinsic to the Element, independent of how the Element is being used. + """ + + def __init__( + self, + spdx_id: str, + name: str, + creation_info: CreationInfo, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: List[str] = None, + originated_by: List[str] = None, + supplied_by: List[str] = None, + built_time: Optional[datetime] = None, + release_time: Optional[datetime] = None, + valid_until_time: Optional[datetime] = None, + standard: List[str] = None, + content_identifier: Optional[str] = None, + primary_purpose: Optional[SoftwarePurpose] = None, + additional_purpose: List[SoftwarePurpose] = None, + concluded_license: Optional[AnyLicenseInfo] = None, + declared_license: Optional[AnyLicenseInfo] = None, + copyright_text: Optional[str] = None, + attribution_text: Optional[str] = None, + content_type: Optional[str] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension + originated_by = [] if originated_by is None else originated_by + supplied_by = [] if supplied_by is None else supplied_by + standard = [] if standard is None else standard + additional_purpose = [] if additional_purpose is None else additional_purpose + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/software/package.py b/src/spdx_tools/spdx3/new_model/software/package.py new file mode 100644 index 000000000..7157a9b36 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/software/package.py @@ -0,0 +1,127 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from datetime import datetime + +from beartype.typing import List, Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod +from ..licensing.any_license_info import AnyLicenseInfo +from ..software.software_artifact import SoftwareArtifact +from ..software.software_purpose import SoftwarePurpose + + +@dataclass_with_properties +class Package(SoftwareArtifact): + """ + A package refers to any unit of content that can be associated with a distribution of software. Typically, a + package is composed of one or more files. + Any of the following non-limiting examples may be (but are not required to be) represented in SPDX as a package: + + - a tarball, zip file or other archive + - a directory or sub-directory + - a separately distributed piece of software which another Package or File uses or depends upon (e.g., a Python + package, a Go module, ...) + - a container image, and/or each image layer within a container image + - a collection of one or more sub-packages + - a Git repository snapshot from a particular point in time + + Note that some of these could be represented in SPDX as a file as well. External property restriction on + /Core/Element/name: minCount: 1 + """ + + package_version: Optional[str] = None + """ + A packageVersion is useful for identification purposes and for indicating later changes of the package version. + """ + download_location: Optional[str] = None + """ + DownloadLocation identifies the download Uniform Resource Identifier for the package at the time that the document + was created. Where and how to download the exact package being referenced is critical for verification and tracking + data. + """ + package_url: Optional[str] = None + """ + A packageUrl (commonly pronounced and referred to as "purl") is an attempt to standardize package representations + in order to reliably identify and locate software packages. A purl is a URL string which represents a package in a + mostly universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs + and databases. + + the purl URL string is defined by seven components: + ``` + scheme:type/namespace/name@version?qualifiers#subpath + ``` + + The definition for each component can be found in the [purl + specification](https://github.com/package-url/purl-spec/blob/master/PURL-SPECIFICATION.rst). Components are + designed such that they form a hierarchy from the most significant on the left to the least significant components + on the right. + + Parsing a purl string into its components works from left to right. Some extra type-specific normalizations are + required. For more information, see [How to parse a purl string in its + components](https://github.com/package-url/purl-spec/blob/master/PURL-SPECIFICATION.rst#how-to-parse-a-purl-string-in-its-components). + """ + homepage: Optional[str] = None + """ + HomePage is a place for the SPDX document creator to record a website that serves as the package's home page. This + saves the recipient of the SPDX document who is looking for more info from having to search for and verify a match + between the package and the associated project home page. This link can also be used to reference further + information about the package referenced by the SPDX document creator. + """ + source_info: Optional[str] = None + """ + SourceInfo records any relevant background information or additional comments about the origin of the package. For + example, this field might include comments indicating whether the package was pulled from a source code management + system or has been repackaged. The creator can provide additional information to describe any anomalies or + discoveries in the determination of the origin of the package. + """ + + def __init__( + self, + spdx_id: str, + name: str, + creation_info: CreationInfo, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: List[str] = None, + originated_by: List[str] = None, + supplied_by: List[str] = None, + built_time: Optional[datetime] = None, + release_time: Optional[datetime] = None, + valid_until_time: Optional[datetime] = None, + standard: List[str] = None, + content_identifier: Optional[str] = None, + primary_purpose: Optional[SoftwarePurpose] = None, + additional_purpose: List[SoftwarePurpose] = None, + concluded_license: Optional[AnyLicenseInfo] = None, + declared_license: Optional[AnyLicenseInfo] = None, + copyright_text: Optional[str] = None, + attribution_text: Optional[str] = None, + package_version: Optional[str] = None, + download_location: Optional[str] = None, + package_url: Optional[str] = None, + homepage: Optional[str] = None, + source_info: Optional[str] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension + originated_by = [] if originated_by is None else originated_by + supplied_by = [] if supplied_by is None else supplied_by + standard = [] if standard is None else standard + additional_purpose = [] if additional_purpose is None else additional_purpose + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/software/sbom.py b/src/spdx_tools/spdx3/new_model/software/sbom.py new file mode 100644 index 000000000..b85d9ff2e --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/software/sbom.py @@ -0,0 +1,63 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from dataclasses import field + +from beartype.typing import List, Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core.bom import Bom +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_map import ExternalMap +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod +from ..software.sbom_type import SbomType + + +@dataclass_with_properties +class Sbom(Bom): + """ + A Software Bill of Materials (SBOM) is a collection of SPDX Elements describing a single package. This could + include details of the content and composition of the product, provenance details of the product and/or its + composition, licensing information, known quality or security issues, etc. + """ + + sbom_type: List[SbomType] = field(default_factory=list) + """ + This field is a reasonable estimation of the type of SBOM created from a creator perspective. It is intended to be + used to give guidance on the elements that may be contained within it. Aligning with the guidance produced in + [Types of Software Bill of Material (SBOM) + Documents](https://www.cisa.gov/sites/default/files/2023-04/sbom-types-document-508c.pdf). + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + element: List[str], + root_element: List[str], + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: List[str] = None, + imports: List[ExternalMap] = None, + context: Optional[str] = None, + sbom_type: List[SbomType] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension + imports = [] if imports is None else imports + sbom_type = [] if sbom_type is None else sbom_type + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/software/sbom_type.py b/src/spdx_tools/spdx3/new_model/software/sbom_type.py new file mode 100644 index 000000000..5a3640bb7 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/software/sbom_type.py @@ -0,0 +1,85 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from enum import Enum, auto + +from beartype.typing import Optional + + +class SbomType(Enum): + """ + The set of SBOM types with definitions as defined in [Types of Software Bill of Material (SBOM) + Documents](https://www.cisa.gov/sites/default/files/2023-04/sbom-types-document-508c.pdf), published on April 21, + 2023. An SBOM type describes the most likely type of an SBOM from the producer perspective, so that consumers can + draw conclusions about the data inside an SBOM. A single SBOM can have multiple SBOM document types associated with + it. + """ + + DESIGN = auto() + """ + SBOM of intended, planned software project or product with included components (some of which may not yet exist) + for a new software artifact. + """ + SOURCE = auto() + """ + SBOM created directly from the development environment, source files, and included dependencies used to build an + product artifact. + """ + BUILD = auto() + """ + SBOM generated as part of the process of building the software to create a releasable artifact (e.g., executable or + package) from data such as source files, dependencies, built components, build process ephemeral data, and other + SBOMs. + """ + DEPLOYED = auto() + """ + SBOM provides an inventory of software that is present on a system. This may be an assembly of other SBOMs that + combines analysis of configuration options, and examination of execution behavior in a (potentially simulated) + deployment environment. + """ + RUNTIME = auto() + """ + SBOM generated through instrumenting the system running the software, to capture only components present in the + system, as well as external call-outs or dynamically loaded components. In some contexts, this may also be referred + to as an “Instrumented” or “Dynamic” SBOM. + """ + ANALYZED = auto() + """ + SBOM generated through analysis of artifacts (e.g., executables, packages, containers, and virtual machine images) + after its build. Such analysis generally requires a variety of heuristics. In some contexts, this may also be + referred to as a “3rd party” SBOM. + """ + + def __str__(self) -> str: + if self == SbomType.DESIGN: + return "design" + if self == SbomType.SOURCE: + return "source" + if self == SbomType.BUILD: + return "build" + if self == SbomType.DEPLOYED: + return "deployed" + if self == SbomType.RUNTIME: + return "runtime" + if self == SbomType.ANALYZED: + return "analyzed" + return "unknown" + + @staticmethod + def from_str(value: str) -> Optional["SbomType"]: + if value == "design": + return SbomType.DESIGN + if value == "source": + return SbomType.SOURCE + if value == "build": + return SbomType.BUILD + if value == "deployed": + return SbomType.DEPLOYED + if value == "runtime": + return SbomType.RUNTIME + if value == "analyzed": + return SbomType.ANALYZED + return None diff --git a/src/spdx_tools/spdx3/new_model/software/snippet.py b/src/spdx_tools/spdx3/new_model/software/snippet.py new file mode 100644 index 000000000..958b53c2e --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/software/snippet.py @@ -0,0 +1,83 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from datetime import datetime + +from beartype.typing import List, Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod +from ..core.positive_integer_range import PositiveIntegerRange +from ..licensing.any_license_info import AnyLicenseInfo +from ..software.software_artifact import SoftwareArtifact +from ..software.software_purpose import SoftwarePurpose + + +@dataclass_with_properties +class Snippet(SoftwareArtifact): + """ + A Snippet describes a certain part of a file and can be used when the file is known to have some content that has + been included from another original source. Snippets are useful for denoting when part of a file may have been + originally created under another license or copied from a place with a known vulnerability. + """ + + byte_range: Optional[PositiveIntegerRange] = None + """ + This field defines the byte range in the original host file that the snippet information applies to. A range of + bytes is independent of various formatting concerns, and the most accurate way of referring to the differences. The + choice was made to start the numbering of the byte range at 1 to be consistent with the W3C pointer method + vocabulary. + """ + line_range: Optional[PositiveIntegerRange] = None + """ + This field defines the line range in the original host file that the snippet information applies to. If there is a + disagreement between the byte range and line range, the byte range values will take precedence. A range of lines is + a convenient reference for those files where there is a known line delimiter. The choice was made to start the + numbering of the lines at 1 to be consistent with the W3C pointer method vocabulary. + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: List[str] = None, + originated_by: List[str] = None, + supplied_by: List[str] = None, + built_time: Optional[datetime] = None, + release_time: Optional[datetime] = None, + valid_until_time: Optional[datetime] = None, + standard: List[str] = None, + content_identifier: Optional[str] = None, + primary_purpose: Optional[SoftwarePurpose] = None, + additional_purpose: List[SoftwarePurpose] = None, + concluded_license: Optional[AnyLicenseInfo] = None, + declared_license: Optional[AnyLicenseInfo] = None, + copyright_text: Optional[str] = None, + attribution_text: Optional[str] = None, + byte_range: Optional[PositiveIntegerRange] = None, + line_range: Optional[PositiveIntegerRange] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension + originated_by = [] if originated_by is None else originated_by + supplied_by = [] if supplied_by is None else supplied_by + standard = [] if standard is None else standard + additional_purpose = [] if additional_purpose is None else additional_purpose + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/software/software_artifact.py b/src/spdx_tools/spdx3/new_model/software/software_artifact.py new file mode 100644 index 000000000..03e499d5d --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/software/software_artifact.py @@ -0,0 +1,151 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from abc import abstractmethod +from dataclasses import field + +from beartype.typing import List, Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + +from ..core.artifact import Artifact +from ..licensing.any_license_info import AnyLicenseInfo +from ..software.software_purpose import SoftwarePurpose + + +@dataclass_with_properties +class SoftwareArtifact(Artifact): + """ + A software artifact is a distinct article or unit related to software such as a package, a file, or a snippet. + """ + + content_identifier: Optional[str] = None + """ + The contentIdentifier provides a canonical, unique, immutable artifact identifier for each software artifact. SPDX + 3.0 describes software artifacts as Snippet, File, or Package Elements. The ContentIdentifier can be calculated for + any software artifact and can be recorded for any of these SPDX 3.0 Elements using Omnibor, an attempt to + standardize how software artifacts are identified independent of which programming language, version control + system, build tool, package manager, or software distribution mechanism is in use. + + The contentIdentifier is defined as the [Git Object + Identifier](https://git-scm.com/book/en/v2/Git-Internals-Git-Objects) (gitoid) of type `blob` of the software + artifact. The use of a git-based version control system is not necessary to calculate a contentIdentifier for any + software artifact. + + The gitoid is expressed in the ContentIdentifier property by using the IANA [gitoid URI + scheme](https://www.iana.org/assignments/uri-schemes/prov/gitoid). + + ``` + Scheme syntax: gitoid":"":"":" + ``` + + The OmniBOR ID for the OmniBOR Document associated with a software artifact should not be recorded in this field. + Rather, OmniBOR IDs should be recorded in the SPDX Element's ExternalIdentifier property. See + [https://omnibor.io](https://omnibor.io) for more details. + """ + primary_purpose: Optional[SoftwarePurpose] = None + """ + primaryPurpose provides information about the primary purpose of the software artifact. + """ + additional_purpose: List[SoftwarePurpose] = field(default_factory=list) + """ + Additional purpose provides information about the additional purposes of the software artifact in addition to the + primaryPurpose. + """ + concluded_license: Optional[AnyLicenseInfo] = None + """ + A concludedLicense is the license identified by the SPDX data creator, based on analyzing the license information + in the software Package, File or Snippet and other information to arrive at a reasonably objective conclusion as to + what license governs it. + + If a concludedLicense has a NONE value (NoneLicense), this indicates that the SPDX data creator has looked and did + not find any license information for this software Package, File or Snippet. + + If a concludedLicense has a NOASSERTION value (NoAssertionLicense), this indicates that one of the following + applies: + * the SPDX data creator has attempted to but cannot reach a reasonable objective determination; + * the SPDX data creator has made no attempt to determine this field; or + * the SPDX data creator has intentionally provided no information (no meaning should be implied by doing so). + + A written explanation of a NOASSERTION value (NoAssertionLicense) MAY be provided in the licenseComment field. + + If the concludedLicense for a software Package, File or Snippet is not the same as its declaredLicense, a written + explanation SHOULD be provided in the licenseComment field. + + If the declaredLicense for a software Package, File or Snippet is a choice of more than one license (e.g. a license + expression combining two licenses through use of the `OR` operator), then the concludedLicense may either retain + the license choice or identify which license was chosen. + """ + declared_license: Optional[AnyLicenseInfo] = None + """ + A declaredLicense is the license identified in text in the software package, file or snippet as the license + declared by its authors. + + This field is not intended to capture license information obtained from an external source, such as a package's + website. Such information can be included, as needed, in a concludedLicense field. + + A declaredLicense may be expressed differently in practice for different types of artifacts. For example: + + * for Packages: + * would include license info describing the license of the Package as a whole, when it is found in the Package + itself (e.g., LICENSE file, README file, metadata in the repository, etc.) + * would not include any license information that is not in the Package itself (e.g., license information from the + project’s website or from a third party repository or website) + * for Files: + * would include license info found in the File itself (e.g., license header or notice, comments, + SPDX-License-Identifier expression) + * would not include license info found in a different file (e.g., LICENSE file in the top directory of a + repository) + * for Snippets: + * would include license info found in the Snippet itself (e.g., license notice, comments, SPDX-License-Identifier + expression) + * would not include license info found elsewhere in the File or in a different File (e.g., comment at top of File + if it is not within the Snippet, LICENSE file in the top directory of a repository) + + If a declaredLicense has a NONE value (NoneLicense), this indicates that the corresponding Package, File or Snippet + contains no license information whatsoever. + + If a declaredLicense has a NOASSERTION value (NoAssertionLicense), this indicates that one of the following + applies: + * the SPDX data creator has attempted to but cannot reach a reasonable objective determination; + * the SPDX data creator has made no attempt to determine this field; or + * the SPDX data creator has intentionally provided no information (no meaning should be implied by doing so). + """ + copyright_text: Optional[str] = None + """ + A copyrightText consists of the text(s) of the copyright notice(s) found for a software Package, File or Snippet, + if any. + + If a copyrightText contains text, then it may contain any text related to one or more copyright notices (even if + not complete) for that software Package, File or Snippet. + + If a copyrightText has a "NONE" value, this indicates that the software Package, File or Snippet contains no + copyright notice whatsoever. + + If a copyrightText has a "NOASSERTION" value, this indicates that one of the following applies: + * the SPDX data creator has attempted to but cannot reach a reasonable objective determination; + * the SPDX data creator has made no attempt to determine this field; or + * the SPDX data creator has intentionally provided no information (no meaning should be implied by doing so). + """ + attribution_text: Optional[str] = None + """ + An attributionText for a software Package, File or Snippet provides a consumer of SPDX data with acknowledgement + content, to assist redistributors of the Package, File or Snippet with reproducing those acknowledgements. + + For example, this field may include a statement that is required by a particular license to be reproduced in + end-user documentation, advertising materials, or another form. + + This field may describe where, or in which contexts, the acknowledgements need to be reproduced, but it is not + required to do so. The SPDX data creator may also explain elsewhere (such as in a licenseComment field) how they + intend for data in this field to be used. + + An attributionText is is not meant to include the software Package, File or Snippet’s actual complete license text + (see concludedLicense to identify the corresponding license). + """ + + @abstractmethod + def __init__(self): + pass diff --git a/src/spdx_tools/spdx3/new_model/software/software_dependency_link_type.py b/src/spdx_tools/spdx3/new_model/software/software_dependency_link_type.py new file mode 100644 index 000000000..f9c3a0852 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/software/software_dependency_link_type.py @@ -0,0 +1,55 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from enum import Enum, auto + +from beartype.typing import Optional + + +class SoftwareDependencyLinkType(Enum): + """ + TODO + """ + + STATIC = auto() + """ + TODOdescription + """ + DYNAMIC = auto() + """ + TODOdescription + """ + TOOL = auto() + """ + TODOdescription + """ + OTHER = auto() + """ + TODOdescription + """ + + def __str__(self) -> str: + if self == SoftwareDependencyLinkType.STATIC: + return "static" + if self == SoftwareDependencyLinkType.DYNAMIC: + return "dynamic" + if self == SoftwareDependencyLinkType.TOOL: + return "tool" + if self == SoftwareDependencyLinkType.OTHER: + return "other" + return "unknown" + + @staticmethod + def from_str(value: str) -> Optional["SoftwareDependencyLinkType"]: + if value == "static": + return SoftwareDependencyLinkType.STATIC + if value == "dynamic": + return SoftwareDependencyLinkType.DYNAMIC + if value == "tool": + return SoftwareDependencyLinkType.TOOL + if value == "other": + return SoftwareDependencyLinkType.OTHER + return None diff --git a/src/spdx_tools/spdx3/new_model/software/software_dependency_relationship.py b/src/spdx_tools/spdx3/new_model/software/software_dependency_relationship.py new file mode 100644 index 000000000..ef1e7783d --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/software/software_dependency_relationship.py @@ -0,0 +1,68 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from datetime import datetime + +from beartype.typing import List, Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod +from ..core.lifecycle_scope_type import LifecycleScopeType +from ..core.lifecycle_scoped_relationship import LifecycleScopedRelationship +from ..core.relationship_completeness import RelationshipCompleteness +from ..core.relationship_type import RelationshipType +from ..software.dependency_conditionality_type import DependencyConditionalityType +from ..software.software_dependency_link_type import SoftwareDependencyLinkType + + +@dataclass_with_properties +class SoftwareDependencyRelationship(LifecycleScopedRelationship): + """ + TODO + """ + + software_linkage: Optional[SoftwareDependencyLinkType] = None + """ + A softwareLinkage is TODO + """ + conditionality: Optional[DependencyConditionalityType] = None + """ + A conditionality is TODO + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + from_element: str, + relationship_type: RelationshipType, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: List[str] = None, + to: List[str] = None, + completeness: Optional[RelationshipCompleteness] = None, + start_time: Optional[datetime] = None, + end_time: Optional[datetime] = None, + scope: Optional[LifecycleScopeType] = None, + software_linkage: Optional[SoftwareDependencyLinkType] = None, + conditionality: Optional[DependencyConditionalityType] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension + to = [] if to is None else to + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/software/software_purpose.py b/src/spdx_tools/spdx3/new_model/software/software_purpose.py new file mode 100644 index 000000000..5ddd44be8 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/software/software_purpose.py @@ -0,0 +1,227 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from enum import Enum, auto + +from beartype.typing import Optional + + +class SoftwarePurpose(Enum): + """ + This field provides information about the primary purpose of an Element. Software Purpose is intrinsic to how the + Element is being used rather than the content of the Element. This field is a reasonable estimate of the most + likely usage of the Element from the producer and consumer perspective from which both parties can draw conclusions + about the context in which the Element exists. + """ + + APPLICATION = auto() + """ + the Element is a software application + """ + ARCHIVE = auto() + """ + the Element is an archived collection of one or more files (.tar, .zip, etc) + """ + BOM = auto() + """ + Element is a bill of materials + """ + CONFIGURATION = auto() + """ + Element is configuration data + """ + CONTAINER = auto() + """ + the Element is a container image which can be used by a container runtime application + """ + DATA = auto() + """ + Element is data + """ + DEVICE = auto() + """ + the Element refers to a chipset, processor, or electronic board + """ + DOCUMENTATION = auto() + """ + Element is documentation + """ + EVIDENCE = auto() + """ + the Element is the evidence that a specification or requirement has been fulfilled + """ + EXECUTABLE = auto() + """ + Element is an Artifact that can be run on a computer + """ + FILE = auto() + """ + the Element is a single file which can be independently distributed (configuration file, statically linked binary, + Kubernetes deployment, etc) + """ + FIRMWARE = auto() + """ + the Element provides low level control over a device's hardware + """ + FRAMEWORK = auto() + """ + the Element is a software framework + """ + INSTALL = auto() + """ + the Element is used to install software on disk + """ + LIBRARY = auto() + """ + the Element is a software library + """ + MANIFEST = auto() + """ + the Element is a software manifest + """ + MODEL = auto() + """ + the Element is a machine learning or artificial intelligence model + """ + MODULE = auto() + """ + the Element is a module of a piece of software + """ + OPERATING_SYSTEM = auto() + """ + the Element is an operating system + """ + OTHER = auto() + """ + the Element doesn't fit into any of the other categories + """ + PATCH = auto() + """ + Element contains a set of changes to update, fix, or improve another Element + """ + REQUIREMENT = auto() + """ + the Element provides a requirement needed as input for another Element + """ + SOURCE = auto() + """ + the Element is a single or a collection of source files + """ + SPECIFICATION = auto() + """ + the Element is a plan, guideline or strategy how to create, perform or analyse an application + """ + TEST = auto() + """ + The Element is a test used to verify functionality on an software element + """ + + def __str__(self) -> str: + if self == SoftwarePurpose.APPLICATION: + return "application" + if self == SoftwarePurpose.ARCHIVE: + return "archive" + if self == SoftwarePurpose.BOM: + return "bom" + if self == SoftwarePurpose.CONFIGURATION: + return "configuration" + if self == SoftwarePurpose.CONTAINER: + return "container" + if self == SoftwarePurpose.DATA: + return "data" + if self == SoftwarePurpose.DEVICE: + return "device" + if self == SoftwarePurpose.DOCUMENTATION: + return "documentation" + if self == SoftwarePurpose.EVIDENCE: + return "evidence" + if self == SoftwarePurpose.EXECUTABLE: + return "executable" + if self == SoftwarePurpose.FILE: + return "file" + if self == SoftwarePurpose.FIRMWARE: + return "firmware" + if self == SoftwarePurpose.FRAMEWORK: + return "framework" + if self == SoftwarePurpose.INSTALL: + return "install" + if self == SoftwarePurpose.LIBRARY: + return "library" + if self == SoftwarePurpose.MANIFEST: + return "manifest" + if self == SoftwarePurpose.MODEL: + return "model" + if self == SoftwarePurpose.MODULE: + return "module" + if self == SoftwarePurpose.OPERATING_SYSTEM: + return "operatingSystem" + if self == SoftwarePurpose.OTHER: + return "other" + if self == SoftwarePurpose.PATCH: + return "patch" + if self == SoftwarePurpose.REQUIREMENT: + return "requirement" + if self == SoftwarePurpose.SOURCE: + return "source" + if self == SoftwarePurpose.SPECIFICATION: + return "specification" + if self == SoftwarePurpose.TEST: + return "test" + return "unknown" + + @staticmethod + def from_str(value: str) -> Optional["SoftwarePurpose"]: + if value == "application": + return SoftwarePurpose.APPLICATION + if value == "archive": + return SoftwarePurpose.ARCHIVE + if value == "bom": + return SoftwarePurpose.BOM + if value == "configuration": + return SoftwarePurpose.CONFIGURATION + if value == "container": + return SoftwarePurpose.CONTAINER + if value == "data": + return SoftwarePurpose.DATA + if value == "device": + return SoftwarePurpose.DEVICE + if value == "documentation": + return SoftwarePurpose.DOCUMENTATION + if value == "evidence": + return SoftwarePurpose.EVIDENCE + if value == "executable": + return SoftwarePurpose.EXECUTABLE + if value == "file": + return SoftwarePurpose.FILE + if value == "firmware": + return SoftwarePurpose.FIRMWARE + if value == "framework": + return SoftwarePurpose.FRAMEWORK + if value == "install": + return SoftwarePurpose.INSTALL + if value == "library": + return SoftwarePurpose.LIBRARY + if value == "manifest": + return SoftwarePurpose.MANIFEST + if value == "model": + return SoftwarePurpose.MODEL + if value == "module": + return SoftwarePurpose.MODULE + if value == "operatingSystem": + return SoftwarePurpose.OPERATING_SYSTEM + if value == "other": + return SoftwarePurpose.OTHER + if value == "patch": + return SoftwarePurpose.PATCH + if value == "requirement": + return SoftwarePurpose.REQUIREMENT + if value == "source": + return SoftwarePurpose.SOURCE + if value == "specification": + return SoftwarePurpose.SPECIFICATION + if value == "test": + return SoftwarePurpose.TEST + return None