From c71dacd4680aa6077c647416d3a400eb1129bed0 Mon Sep 17 00:00:00 2001 From: Holger Frydrych Date: Mon, 17 Jul 2023 12:19:22 +0200 Subject: [PATCH 01/33] wip Generate python model from spec: vocabs Signed-off-by: Holger Frydrych --- dev/gen_python_model_from_spec.py | 368 ++++++++++++++++++++++++++++++ 1 file changed, 368 insertions(+) create mode 100644 dev/gen_python_model_from_spec.py diff --git a/dev/gen_python_model_from_spec.py b/dev/gen_python_model_from_spec.py new file mode 100644 index 000000000..fc6236c99 --- /dev/null +++ b/dev/gen_python_model_from_spec.py @@ -0,0 +1,368 @@ +# SPDX-FileCopyrightText: 2023 spdx contributors +# +# SPDX-License-Identifier: Apache-2.0 + +""" +Auto-generates the python model representation from the SPDX3 model spec. + +Usage: fetch a fresh copy of the spdx-3-model and the spec-parser, then generate a json dump of the model with +the spec-parser: + + python main.py --json-dump ../spdx-3-model/model + +Copy the generated `model_dump.json` in `md_generated` next to this file, then run it: + + python gen_python_model_from_spec.py + +Commit resulting changes. +""" + +import json +import os.path +from pathlib import Path +from typing import IO + +from spdx_tools.spdx.casing_tools import camel_case_to_snake_case + +VOCAB_FILE = """# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from beartype.typing import Optional +from enum import Enum, auto + + +class {typename}(Enum): +{values} + + def __str__(self) -> str: +{values_to_str} + + +def {python_typename}_from_str(value: str) -> Optional[{typename}]: +{str_to_values} + return None +""" + +VOCAB_ENTRY = " {value} = auto()" + +VOCAB_VALUE_TO_STR = " if self == {typename}.{python_value}:\n return \"{str_value}\"" + +VOCAB_STR_TO_VALUE = " if value == \"{str_value}\":\n return {typename}.{python_value}" + +FILE_HEADER = """# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_model_to_rdf.py +# Do not manually edit! +# flake8: noqa +# isort:skip_file + +# fmt: off + +from rdflib import Graph, URIRef, RDF, Literal, BNode +from rdflib.term import Identifier +from spdx_tools.spdx.casing_tools import snake_case_to_camel_case +{namespace_imports} + + +""" + +CLS_CONVERTER_FUNC_BODY = """def {type_name}_to_rdf(obj, graph: Graph) -> Identifier: + if '_spdx_id' in obj.__dict__: + element_node = URIRef(obj.spdx_id) + else: + element_node = BNode() + type_node = URIRef("{type_id}") + graph.add((element_node, RDF.type, type_node)) + {type_name}_properties_to_rdf(element_node, obj, graph) + return element_node + + +""" + +CLS_CONVERTER_PROPERTIES_FUNC_BODY = """def {type_name}_properties_to_rdf(node: Identifier, obj, graph: Graph): + from .converter import model_to_rdf{properties}{parent_call} + + +""" + +PROP_CONVERTER_BODY = """ + if obj.{prop_name} is not None: + prop_node = URIRef("{prop_id}") + value = obj.{prop_name} + graph.add((node, prop_node, {prop_conversion_code}))""" + +PROP_LIST_CONVERTER_BODY = """ + for value in obj.{prop_name}: + prop_node = URIRef("{prop_id}") + graph.add((node, prop_node, {prop_conversion_code}))""" + +VOCAB_CONVERTER_FUNC_BODY = """def {type_name}_to_rdf(obj, graph: Graph) -> Identifier: + from .converter import enum_value_to_str + name = enum_value_to_str(obj) + return URIRef("{vocab_id}/" + name) + + +""" + +MAIN_FILE_HEADER = """# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_model_to_rdf.py +# Do not manually edit! +# flake8: noqa +# fmt: off +# isort:skip_file + +from beartype.typing import List, Optional, Dict, Callable +from rdflib import Graph, Literal, URIRef +from rdflib.term import Identifier +from spdx_tools.spdx.casing_tools import snake_case_to_camel_case +from spdx_tools.spdx3.model import HashAlgorithm +{namespace_imports} + +""" + +MAIN_CONVERTER_MAP = """ +_CONVERTER_FUNCTIONS: Dict[str, Callable[[any, Graph], Identifier]] = {{ +{converters} +}} + +""" + +MAIN_MODULE_MAP = """ +def module_to_namespace(module: str) -> Optional[str]: + if not module.startswith("spdx_tools.spdx3.model"): + return None +{module_tests} + return "Core" + +""" + +MAIN_MODULE_TEST = """ if module.startswith("spdx_tools.spdx3.model.{snake_namespace_name}"): + return "{namespace_name}\"""" + +MAIN_CONVERTER_FUNC = """ +def literal_to_rdf(obj, _: Graph) -> Identifier: + return Literal(obj) + + +def enum_value_to_str(obj) -> str: + if obj == HashAlgorithm.BLAKE2B256: + return "blake2b256" + if obj == HashAlgorithm.BLAKE2B384: + return "blake2b384" + if obj == HashAlgorithm.BLAKE2B512: + return "blake2b512" + if obj == HashAlgorithm.SHA3_224: + return "sha3_224" + if obj == HashAlgorithm.SHA3_256: + return "sha3_224" + if obj == HashAlgorithm.SHA3_384: + return "sha3_384" + if obj == HashAlgorithm.SHA3_512: + return "sha3_512" + return snake_case_to_camel_case(obj.name.lower()) + + +def model_to_rdf(obj, graph: Graph) -> Identifier: + if isinstance(obj, str): + return URIRef(obj) + type_name = obj.__class__.__qualname__ + module_name = obj.__class__.__module__ + namespace = module_to_namespace(module_name) + if namespace is None: + return literal_to_rdf(obj, graph) + + lookup = f"{namespace}/{type_name}" + converter = _CONVERTER_FUNCTIONS[lookup] if lookup in _CONVERTER_FUNCTIONS else literal_to_rdf + return converter(obj, graph) +""" + +FINAL_LINE = """# fmt: on +""" + +output_dir = os.path.join(os.path.dirname(__file__), "../src/spdx_tools/spdx3/new_model") + + +def prop_name_to_python(prop_name: str): + special_cases = {"from": "from_element", "homePage": "homepage"} + if prop_name in special_cases: + return special_cases[prop_name] + return camel_case_to_snake_case(prop_name) + + +def namespace_name_to_python(namespace_name: str): + special_cases = {"AI": "ai"} + if namespace_name in special_cases: + return special_cases[namespace_name] + return camel_case_to_snake_case(namespace_name) + + +def get_file_path(typename: str, namespace: str) -> str: + namespace = namespace_name_to_python(namespace) + typename = camel_case_to_snake_case(typename) + return os.path.join(output_dir, namespace, f"{typename}.py") + + +class GenPythonModelFromSpec: + prop_name_to_id: dict[str, str] + class_to_converter_func: dict[str, str] + namespace_imports: str + + def __init__(self): + self.prop_name_to_id = {} + self.class_to_converter_func = {} + self.namespace_imports = "" + + def create_namespace_import(self, model: dict): + namespaces = [namespace_name_to_python(namespace["name"]) for namespace in model.values()] + if namespaces: + self.namespace_imports = "from . import " + ", ".join(namespaces) + + def map_prop_names_to_ids(self, model: dict): + for namespace in model.values(): + namespace_name = namespace["name"] + for prop_name, prop in namespace["properties"].items(): + full_prop_name = f"{namespace_name}/{prop_name}" + prop_id = prop["metadata"]["id"] + self.prop_name_to_id[full_prop_name] = prop_id + + def is_literal_type(self, typename: str, namespace_name: str, model: dict) -> bool: + if typename.startswith('/'): + typename = typename[1:] + if typename.startswith("xsd:"): + return True + if '/' in typename: + namespace_name, _, typename = typename.partition('/') + namespace = model[namespace_name] if namespace_name in model else None + if namespace and typename in namespace["vocabs"]: + return False + clazz = namespace["classes"][typename] if namespace and typename in namespace["classes"] else None + if not clazz: + return True + if "SubclassOf" not in clazz["metadata"] or clazz["metadata"]["SubclassOf"] == "none" or clazz["metadata"]["SubclassOf"].startswith("xsd:"): + return not clazz["properties"] + return False + + def get_type_uri(self, typename: str, namespace_name: str) -> str: + if typename.startswith('/'): + typename = typename[1:] + if typename.startswith("xsd:"): + return typename.replace("xsd:", "http://www.w3.org/2001/XMLSchema#") + if '/' in typename: + namespace_name, _, typename = typename.partition('/') + return f"https://spdx.org/rdf/v3/{namespace_name}/{typename}" + + def prop_conversion_code(self, typename: str, namespace_name: str, model: dict) -> str: + if self.is_literal_type(typename, namespace_name, model): + return f"Literal(value, datatype=\"{self.get_type_uri(typename, namespace_name)}\")" + return "model_to_rdf(value, graph)" + + def handle_class(self, output_file: IO[str], clazz: dict, namespace_name: str, model: dict): + parent_class = ( + clazz["metadata"]["SubclassOf"] + if "SubclassOf" in clazz["metadata"] and clazz["metadata"]["SubclassOf"] != "none" + else None + ) + parent_namespace = namespace_name + if parent_class == "xsd:string": + return + + type_name = camel_case_to_snake_case(clazz["metadata"]["name"]) + self.class_to_converter_func[ + f"{namespace_name}/{clazz['metadata']['name']}" + ] = f"{namespace_name_to_python(namespace_name)}.{type_name}_to_rdf" + output_file.write(CLS_CONVERTER_FUNC_BODY.format(type_name=type_name, type_id=clazz["metadata"]["id"])) + + prop_code = "" + for prop_name, prop in clazz["properties"].items(): + if prop_name == "spdxId": + continue + full_prop_name = f"{namespace_name}/{prop_name}" if "/" not in prop_name else prop_name + _, _, prop_name = full_prop_name.partition("/") + is_list = not ("maxCount" in prop and prop["maxCount"] == "1") + prop_conversion_code = self.prop_conversion_code(prop["type"], namespace_name, model) + if is_list: + prop_code += PROP_LIST_CONVERTER_BODY.format( + prop_name=prop_name_to_python(prop_name), prop_id=self.prop_name_to_id[full_prop_name], prop_conversion_code=prop_conversion_code + ) + else: + prop_code += PROP_CONVERTER_BODY.format( + prop_name=prop_name_to_python(prop_name), prop_id=self.prop_name_to_id[full_prop_name], prop_conversion_code=prop_conversion_code + ) + + parent_call = "" + if parent_class: + if parent_class.startswith("/"): + parent_class = parent_class[1:] + if "/" in parent_class: + parent_namespace, _, parent_class = parent_class.partition("/") + parent_call = f"\n {namespace_name_to_python(parent_namespace)}.{camel_case_to_snake_case(parent_class)}_properties_to_rdf(node, obj, graph)" + + output_file.write( + CLS_CONVERTER_PROPERTIES_FUNC_BODY.format( + type_name=type_name, properties=prop_code, parent_call=parent_call + ) + ) + + def handle_vocab(self, vocab: dict, namespace_name: str): + typename = vocab["metadata"]["name"] + python_typename = camel_case_to_snake_case(typename) + values_text = "\n".join([VOCAB_ENTRY.format(value=camel_case_to_snake_case(value).upper()) for value in vocab["entries"]]) + values_to_str_text = "\n".join([VOCAB_VALUE_TO_STR.format(python_value=camel_case_to_snake_case(value).upper(), str_value=value, typename=typename) for value in vocab["entries"]]) + str_to_values_text = "\n".join([VOCAB_STR_TO_VALUE.format(python_value=camel_case_to_snake_case(value).upper(), str_value=value, typename=typename) for value in vocab["entries"]]) + file_path = get_file_path(typename, namespace_name) + os.makedirs(os.path.dirname(file_path), exist_ok=True) + with open(file_path, "w") as output_file: + output_file.write(VOCAB_FILE.format(typename=typename, values=values_text, values_to_str=values_to_str_text, str_to_values=str_to_values_text, python_typename=python_typename)) + + def handle_namespace(self, namespace: dict, model: dict): + namespace_name = namespace["name"] + #for clazz in namespace["classes"].values(): + # self.handle_class(output_file, clazz, namespace_name, model) + for vocab in namespace["vocabs"].values(): + self.handle_vocab(vocab, namespace_name) + + def create_main_converter(self, model: dict): + with open(os.path.join(output_dir, "converter.py"), "w") as output_file: + output_file.write(MAIN_FILE_HEADER.format(namespace_imports=self.namespace_imports)) + converters = ",\n".join( + [ + f' "{class_name}": {converter_func}' + for class_name, converter_func in self.class_to_converter_func.items() + ] + ) + output_file.write(MAIN_CONVERTER_MAP.format(converters=converters)) + module_tests = "\n".join( + [ + MAIN_MODULE_TEST.format( + snake_namespace_name=namespace_name_to_python(namespace["name"]), + namespace_name=namespace["name"], + ) + for namespace in model.values() + ] + ) + output_file.write(MAIN_MODULE_MAP.format(module_tests=module_tests)) + output_file.write(MAIN_CONVERTER_FUNC) + output_file.write(FINAL_LINE) + + def run(self): + os.makedirs(output_dir, exist_ok=True) + Path(os.path.join(output_dir, "__init__.py")).touch() + + with open("model_dump.json") as model_file: + model = json.load(model_file) + + self.create_namespace_import(model) + self.map_prop_names_to_ids(model) + + for namespace in model.values(): + module_name = namespace_name_to_python(namespace["name"]) + self.handle_namespace(namespace, model) + + #self.create_main_converter(model) + + +if __name__ == "__main__": + GenPythonModelFromSpec().run() From 049f2ec2bb6d993a050c8dfd100f8bc50c90b3c1 Mon Sep 17 00:00:00 2001 From: Holger Frydrych Date: Tue, 18 Jul 2023 13:52:52 +0200 Subject: [PATCH 02/33] wip Generate init files for SPDX3 model modules Signed-off-by: Holger Frydrych --- dev/gen_python_model_from_spec.py | 45 ++++++++++++++++--------------- 1 file changed, 24 insertions(+), 21 deletions(-) diff --git a/dev/gen_python_model_from_spec.py b/dev/gen_python_model_from_spec.py index fc6236c99..199d0b944 100644 --- a/dev/gen_python_model_from_spec.py +++ b/dev/gen_python_model_from_spec.py @@ -24,12 +24,14 @@ from spdx_tools.spdx.casing_tools import camel_case_to_snake_case -VOCAB_FILE = """# SPDX-License-Identifier: Apache-2.0 +FILE_HEADER = """# SPDX-License-Identifier: Apache-2.0 # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! -from beartype.typing import Optional +""" + +VOCAB_FILE = FILE_HEADER + """from beartype.typing import Optional from enum import Enum, auto @@ -38,6 +40,7 @@ class {typename}(Enum): def __str__(self) -> str: {values_to_str} + return "unknown" def {python_typename}_from_str(value: str) -> Optional[{typename}]: @@ -51,23 +54,6 @@ def {python_typename}_from_str(value: str) -> Optional[{typename}]: VOCAB_STR_TO_VALUE = " if value == \"{str_value}\":\n return {typename}.{python_value}" -FILE_HEADER = """# SPDX-License-Identifier: Apache-2.0 -# -# This file was auto-generated by dev/gen_model_to_rdf.py -# Do not manually edit! -# flake8: noqa -# isort:skip_file - -# fmt: off - -from rdflib import Graph, URIRef, RDF, Literal, BNode -from rdflib.term import Identifier -from spdx_tools.spdx.casing_tools import snake_case_to_camel_case -{namespace_imports} - - -""" - CLS_CONVERTER_FUNC_BODY = """def {type_name}_to_rdf(obj, graph: Graph) -> Identifier: if '_spdx_id' in obj.__dict__: element_node = URIRef(obj.spdx_id) @@ -209,11 +195,13 @@ class GenPythonModelFromSpec: prop_name_to_id: dict[str, str] class_to_converter_func: dict[str, str] namespace_imports: str + init_imports: dict[str, dict[str, str]] def __init__(self): self.prop_name_to_id = {} self.class_to_converter_func = {} self.namespace_imports = "" + self.init_imports = {} def create_namespace_import(self, model: dict): namespaces = [namespace_name_to_python(namespace["name"]) for namespace in model.values()] @@ -313,17 +301,28 @@ def handle_vocab(self, vocab: dict, namespace_name: str): values_to_str_text = "\n".join([VOCAB_VALUE_TO_STR.format(python_value=camel_case_to_snake_case(value).upper(), str_value=value, typename=typename) for value in vocab["entries"]]) str_to_values_text = "\n".join([VOCAB_STR_TO_VALUE.format(python_value=camel_case_to_snake_case(value).upper(), str_value=value, typename=typename) for value in vocab["entries"]]) file_path = get_file_path(typename, namespace_name) - os.makedirs(os.path.dirname(file_path), exist_ok=True) with open(file_path, "w") as output_file: output_file.write(VOCAB_FILE.format(typename=typename, values=values_text, values_to_str=values_to_str_text, str_to_values=str_to_values_text, python_typename=python_typename)) + if not namespace_name in self.init_imports: + self.init_imports[namespace_name] = dict() + self.init_imports[namespace_name][python_typename] = typename + def handle_namespace(self, namespace: dict, model: dict): namespace_name = namespace["name"] + namespace_path = os.path.join(output_dir, namespace_name_to_python(namespace_name)) + os.makedirs(namespace_path, exist_ok=True) #for clazz in namespace["classes"].values(): # self.handle_class(output_file, clazz, namespace_name, model) for vocab in namespace["vocabs"].values(): self.handle_vocab(vocab, namespace_name) + if namespace_name in self.init_imports: + with open(os.path.join(output_dir, namespace_name_to_python(namespace_name), "__init__.py"), "w") as init_file: + init_file.write(FILE_HEADER) + for module, typename in sorted(self.init_imports[namespace_name].items()): + init_file.write(f"from .{module} import {typename}\n") + def create_main_converter(self, model: dict): with open(os.path.join(output_dir, "converter.py"), "w") as output_file: output_file.write(MAIN_FILE_HEADER.format(namespace_imports=self.namespace_imports)) @@ -361,7 +360,11 @@ def run(self): module_name = namespace_name_to_python(namespace["name"]) self.handle_namespace(namespace, model) - #self.create_main_converter(model) + with open(os.path.join(output_dir, "__init__.py"), "w") as init_file: + init_file.write(FILE_HEADER) + namespace_imports = ", ".join([namespace_name_to_python(namespace) for namespace in self.init_imports.keys()]) + init_file.write(f"from . import {namespace_imports}\n") + init_file.write("from .core import *\n") if __name__ == "__main__": From 3f8d0b5abb72dea7293cc6455f1d3f02ac058171 Mon Sep 17 00:00:00 2001 From: Holger Frydrych Date: Tue, 18 Jul 2023 14:20:52 +0200 Subject: [PATCH 03/33] Add docstrings to generated Vocab enum types Signed-off-by: Holger Frydrych --- dev/gen_python_model_from_spec.py | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/dev/gen_python_model_from_spec.py b/dev/gen_python_model_from_spec.py index 199d0b944..e8231527f 100644 --- a/dev/gen_python_model_from_spec.py +++ b/dev/gen_python_model_from_spec.py @@ -19,8 +19,9 @@ import json import os.path +import textwrap from pathlib import Path -from typing import IO +from typing import IO, Optional from spdx_tools.spdx.casing_tools import camel_case_to_snake_case @@ -35,7 +36,8 @@ from enum import Enum, auto -class {typename}(Enum): +class {typename}(Enum):{docstring} + {values} def __str__(self) -> str: @@ -48,7 +50,7 @@ def {python_typename}_from_str(value: str) -> Optional[{typename}]: return None """ -VOCAB_ENTRY = " {value} = auto()" +VOCAB_ENTRY = " {value} = auto(){docstring}" VOCAB_VALUE_TO_STR = " if self == {typename}.{python_value}:\n return \"{str_value}\"" @@ -191,6 +193,16 @@ def get_file_path(typename: str, namespace: str) -> str: return os.path.join(output_dir, namespace, f"{typename}.py") +def get_python_docstring(description: Optional[str], indent: int) -> str: + if not description: + return "" + + line_length = 79 - indent + text = textwrap.fill(description, line_length) + text = '\n"""\n' + text + '\n"""' + return textwrap.indent(text, ' ' * indent) + + class GenPythonModelFromSpec: prop_name_to_id: dict[str, str] class_to_converter_func: dict[str, str] @@ -297,12 +309,13 @@ def handle_class(self, output_file: IO[str], clazz: dict, namespace_name: str, m def handle_vocab(self, vocab: dict, namespace_name: str): typename = vocab["metadata"]["name"] python_typename = camel_case_to_snake_case(typename) - values_text = "\n".join([VOCAB_ENTRY.format(value=camel_case_to_snake_case(value).upper()) for value in vocab["entries"]]) + values_text = "\n".join([VOCAB_ENTRY.format(value=camel_case_to_snake_case(value).upper(), docstring=get_python_docstring(description, 4)) for value, description in vocab["entries"].items()]) values_to_str_text = "\n".join([VOCAB_VALUE_TO_STR.format(python_value=camel_case_to_snake_case(value).upper(), str_value=value, typename=typename) for value in vocab["entries"]]) str_to_values_text = "\n".join([VOCAB_STR_TO_VALUE.format(python_value=camel_case_to_snake_case(value).upper(), str_value=value, typename=typename) for value in vocab["entries"]]) + docstring = get_python_docstring(vocab["description"], 4) file_path = get_file_path(typename, namespace_name) with open(file_path, "w") as output_file: - output_file.write(VOCAB_FILE.format(typename=typename, values=values_text, values_to_str=values_to_str_text, str_to_values=str_to_values_text, python_typename=python_typename)) + output_file.write(VOCAB_FILE.format(typename=typename, values=values_text, values_to_str=values_to_str_text, str_to_values=str_to_values_text, python_typename=python_typename, docstring=docstring)) if not namespace_name in self.init_imports: self.init_imports[namespace_name] = dict() From b9cd9097791d9dc3a195c9ab9243d120f2e2a58b Mon Sep 17 00:00:00 2001 From: Holger Frydrych Date: Tue, 25 Jul 2023 11:00:20 +0200 Subject: [PATCH 04/33] Generate properties for SPDX3 dataclasses Signed-off-by: Holger Frydrych --- dev/gen_python_model_from_spec.py | 322 +++++++++++++----------------- 1 file changed, 144 insertions(+), 178 deletions(-) diff --git a/dev/gen_python_model_from_spec.py b/dev/gen_python_model_from_spec.py index e8231527f..36d00b3ad 100644 --- a/dev/gen_python_model_from_spec.py +++ b/dev/gen_python_model_from_spec.py @@ -20,6 +20,7 @@ import json import os.path import textwrap +from dataclasses import dataclass from pathlib import Path from typing import IO, Optional @@ -56,116 +57,18 @@ def {python_typename}_from_str(value: str) -> Optional[{typename}]: VOCAB_STR_TO_VALUE = " if value == \"{str_value}\":\n return {typename}.{python_value}" -CLS_CONVERTER_FUNC_BODY = """def {type_name}_to_rdf(obj, graph: Graph) -> Identifier: - if '_spdx_id' in obj.__dict__: - element_node = URIRef(obj.spdx_id) - else: - element_node = BNode() - type_node = URIRef("{type_id}") - graph.add((element_node, RDF.type, type_node)) - {type_name}_properties_to_rdf(element_node, obj, graph) - return element_node +CLS_FILE = FILE_HEADER + """{imports} +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties -""" - -CLS_CONVERTER_PROPERTIES_FUNC_BODY = """def {type_name}_properties_to_rdf(node: Identifier, obj, graph: Graph): - from .converter import model_to_rdf{properties}{parent_call} - - -""" - -PROP_CONVERTER_BODY = """ - if obj.{prop_name} is not None: - prop_node = URIRef("{prop_id}") - value = obj.{prop_name} - graph.add((node, prop_node, {prop_conversion_code}))""" - -PROP_LIST_CONVERTER_BODY = """ - for value in obj.{prop_name}: - prop_node = URIRef("{prop_id}") - graph.add((node, prop_node, {prop_conversion_code}))""" - -VOCAB_CONVERTER_FUNC_BODY = """def {type_name}_to_rdf(obj, graph: Graph) -> Identifier: - from .converter import enum_value_to_str - name = enum_value_to_str(obj) - return URIRef("{vocab_id}/" + name) - - -""" - -MAIN_FILE_HEADER = """# SPDX-License-Identifier: Apache-2.0 -# -# This file was auto-generated by dev/gen_model_to_rdf.py -# Do not manually edit! -# flake8: noqa -# fmt: off -# isort:skip_file - -from beartype.typing import List, Optional, Dict, Callable -from rdflib import Graph, Literal, URIRef -from rdflib.term import Identifier -from spdx_tools.spdx.casing_tools import snake_case_to_camel_case -from spdx_tools.spdx3.model import HashAlgorithm -{namespace_imports} - -""" - -MAIN_CONVERTER_MAP = """ -_CONVERTER_FUNCTIONS: Dict[str, Callable[[any, Graph], Identifier]] = {{ -{converters} -}} - -""" - -MAIN_MODULE_MAP = """ -def module_to_namespace(module: str) -> Optional[str]: - if not module.startswith("spdx_tools.spdx3.model"): - return None -{module_tests} - return "Core" +@dataclass_with_properties +class {typename}({parent}):{docstring} +{properties} """ -MAIN_MODULE_TEST = """ if module.startswith("spdx_tools.spdx3.model.{snake_namespace_name}"): - return "{namespace_name}\"""" - -MAIN_CONVERTER_FUNC = """ -def literal_to_rdf(obj, _: Graph) -> Identifier: - return Literal(obj) - - -def enum_value_to_str(obj) -> str: - if obj == HashAlgorithm.BLAKE2B256: - return "blake2b256" - if obj == HashAlgorithm.BLAKE2B384: - return "blake2b384" - if obj == HashAlgorithm.BLAKE2B512: - return "blake2b512" - if obj == HashAlgorithm.SHA3_224: - return "sha3_224" - if obj == HashAlgorithm.SHA3_256: - return "sha3_224" - if obj == HashAlgorithm.SHA3_384: - return "sha3_384" - if obj == HashAlgorithm.SHA3_512: - return "sha3_512" - return snake_case_to_camel_case(obj.name.lower()) - - -def model_to_rdf(obj, graph: Graph) -> Identifier: - if isinstance(obj, str): - return URIRef(obj) - type_name = obj.__class__.__qualname__ - module_name = obj.__class__.__module__ - namespace = module_to_namespace(module_name) - if namespace is None: - return literal_to_rdf(obj, graph) - - lookup = f"{namespace}/{type_name}" - converter = _CONVERTER_FUNCTIONS[lookup] if lookup in _CONVERTER_FUNCTIONS else literal_to_rdf - return converter(obj, graph) -""" +CLS_IMPORTS = "from {module} import {types}\n" +CLS_PROP = " {prop_name}: {prop_type}{default}{docstring}\n" FINAL_LINE = """# fmt: on """ @@ -197,12 +100,138 @@ def get_python_docstring(description: Optional[str], indent: int) -> str: if not description: return "" - line_length = 79 - indent - text = textwrap.fill(description, line_length) + line_length = 120 - indent + text = textwrap.fill(description, line_length, replace_whitespace=False) text = '\n"""\n' + text + '\n"""' return textwrap.indent(text, ' ' * indent) +def full_type_name(typename: str, namespace: str): + if typename.startswith('/'): + typename = typename[1:] + if typename.startswith("xsd:"): + return typename + if '/' in typename: + return typename + return f"{namespace}/{typename}" + + +def split_full_type(typename: str) -> tuple[str, str]: + if '/' not in typename: + return "", typename + namespace, _, typename = typename.partition('/') + return namespace, typename + + +def to_python_type(typename: str) -> str: + if typename == "xsd:datetime" or typename == "Core/DateTime": + return "datetime" + if typename.startswith("xsd:"): + return "str" + _, typename = split_full_type(typename) + return typename + + +@dataclass +class Property: + name: str + type: str + optional: bool + is_list: bool + + +class GenClassFromSpec: + cls: dict + model: dict + + typename: str + namespace: str + filename: str + file_path: str + parent_class: str + docstring: str + # module -> types + imports: dict[str, set[str]] + props: list[Property] + + def __init__(self, cls: dict, namespace: str, model: dict): + self.cls = cls + self.namespace = namespace + self.model = model + self.imports = dict() + self.props = list() + + self.typename = cls["metadata"]["name"] + self.filename = camel_case_to_snake_case(self.typename) + parent_class = ( + cls["metadata"]["SubclassOf"] + if "SubclassOf" in cls["metadata"] and cls["metadata"]["SubclassOf"] != "none" + else None + ) + parent_namespace = namespace + self.parent_class = "ABC" + self.docstring = get_python_docstring(cls["description"], 4) + self.file_path = get_file_path(self.typename, namespace) + + self._collect_props() + + def _add_import(self, module: str, typename: str): + if module not in self.imports: + self.imports[module] = set() + self.imports[module].add(typename) + + def _import_spdx_type(self, typename: str): + if typename == "Core/DateTime": + self._add_import("datetime", "datetime") + return + if typename.startswith("xsd:"): + return + namespace, typename = split_full_type(typename) + namespace = f"..{namespace_name_to_python(namespace)}" + self._add_import(namespace, typename) + + def _collect_props(self): + for propname, propinfo in self.cls["properties"].items(): + proptype = full_type_name(propinfo["type"], self.namespace) + optional = "minCount" not in propinfo or propinfo["minCount"] == "0" + is_list = "maxCount" not in propinfo or propinfo["maxCount"] != "1" + prop = Property(propname, proptype, optional, is_list) + self.props.append(prop) + self._import_spdx_type(proptype) + + def gen_file(self): + properties = self._gen_props() + # imports should be last, as we may add additional types to import during generation + imports = self._gen_imports() + with open(self.file_path, "w") as output_file: + output_file.write(CLS_FILE.format(typename=self.typename, parent=self.parent_class, docstring=self.docstring, properties=properties, imports=imports)) + + def _gen_imports(self) -> str: + imports = "" + for module in sorted(self.imports.keys()): + types = ", ".join(sorted(self.imports[module])) + imports += CLS_IMPORTS.format(module=module, types=types) + return imports + + def _gen_props(self) -> str: + code = "" + for prop in self.props: + default = "" + name = prop_name_to_python(prop.name) + proptype = to_python_type(prop.type) + if prop.is_list: + proptype = f"List[{proptype}]" + default = " = field(default_factory=list)" + self._add_import("beartype.typing", "List") + self._add_import("dataclasses", "field") + elif prop.optional: + proptype = f"Optional[{proptype}]" + default = " = None" + self._add_import("beartype.typing", "Optional") + code += CLS_PROP.format(prop_name=name, prop_type=proptype, default=default, docstring="") + return code + + class GenPythonModelFromSpec: prop_name_to_id: dict[str, str] class_to_converter_func: dict[str, str] @@ -259,52 +288,13 @@ def prop_conversion_code(self, typename: str, namespace_name: str, model: dict) return f"Literal(value, datatype=\"{self.get_type_uri(typename, namespace_name)}\")" return "model_to_rdf(value, graph)" - def handle_class(self, output_file: IO[str], clazz: dict, namespace_name: str, model: dict): - parent_class = ( - clazz["metadata"]["SubclassOf"] - if "SubclassOf" in clazz["metadata"] and clazz["metadata"]["SubclassOf"] != "none" - else None - ) - parent_namespace = namespace_name - if parent_class == "xsd:string": - return + def handle_class(self, clazz: dict, namespace_name: str, model: dict): + clsinfo = GenClassFromSpec(clazz, namespace_name, model) + clsinfo.gen_file() - type_name = camel_case_to_snake_case(clazz["metadata"]["name"]) - self.class_to_converter_func[ - f"{namespace_name}/{clazz['metadata']['name']}" - ] = f"{namespace_name_to_python(namespace_name)}.{type_name}_to_rdf" - output_file.write(CLS_CONVERTER_FUNC_BODY.format(type_name=type_name, type_id=clazz["metadata"]["id"])) - - prop_code = "" - for prop_name, prop in clazz["properties"].items(): - if prop_name == "spdxId": - continue - full_prop_name = f"{namespace_name}/{prop_name}" if "/" not in prop_name else prop_name - _, _, prop_name = full_prop_name.partition("/") - is_list = not ("maxCount" in prop and prop["maxCount"] == "1") - prop_conversion_code = self.prop_conversion_code(prop["type"], namespace_name, model) - if is_list: - prop_code += PROP_LIST_CONVERTER_BODY.format( - prop_name=prop_name_to_python(prop_name), prop_id=self.prop_name_to_id[full_prop_name], prop_conversion_code=prop_conversion_code - ) - else: - prop_code += PROP_CONVERTER_BODY.format( - prop_name=prop_name_to_python(prop_name), prop_id=self.prop_name_to_id[full_prop_name], prop_conversion_code=prop_conversion_code - ) - - parent_call = "" - if parent_class: - if parent_class.startswith("/"): - parent_class = parent_class[1:] - if "/" in parent_class: - parent_namespace, _, parent_class = parent_class.partition("/") - parent_call = f"\n {namespace_name_to_python(parent_namespace)}.{camel_case_to_snake_case(parent_class)}_properties_to_rdf(node, obj, graph)" - - output_file.write( - CLS_CONVERTER_PROPERTIES_FUNC_BODY.format( - type_name=type_name, properties=prop_code, parent_call=parent_call - ) - ) + if namespace_name not in self.init_imports: + self.init_imports[namespace_name] = dict() + self.init_imports[namespace_name][clsinfo.filename] = clsinfo.typename def handle_vocab(self, vocab: dict, namespace_name: str): typename = vocab["metadata"]["name"] @@ -325,8 +315,8 @@ def handle_namespace(self, namespace: dict, model: dict): namespace_name = namespace["name"] namespace_path = os.path.join(output_dir, namespace_name_to_python(namespace_name)) os.makedirs(namespace_path, exist_ok=True) - #for clazz in namespace["classes"].values(): - # self.handle_class(output_file, clazz, namespace_name, model) + for clazz in namespace["classes"].values(): + self.handle_class(clazz, namespace_name, model) for vocab in namespace["vocabs"].values(): self.handle_vocab(vocab, namespace_name) @@ -336,29 +326,6 @@ def handle_namespace(self, namespace: dict, model: dict): for module, typename in sorted(self.init_imports[namespace_name].items()): init_file.write(f"from .{module} import {typename}\n") - def create_main_converter(self, model: dict): - with open(os.path.join(output_dir, "converter.py"), "w") as output_file: - output_file.write(MAIN_FILE_HEADER.format(namespace_imports=self.namespace_imports)) - converters = ",\n".join( - [ - f' "{class_name}": {converter_func}' - for class_name, converter_func in self.class_to_converter_func.items() - ] - ) - output_file.write(MAIN_CONVERTER_MAP.format(converters=converters)) - module_tests = "\n".join( - [ - MAIN_MODULE_TEST.format( - snake_namespace_name=namespace_name_to_python(namespace["name"]), - namespace_name=namespace["name"], - ) - for namespace in model.values() - ] - ) - output_file.write(MAIN_MODULE_MAP.format(module_tests=module_tests)) - output_file.write(MAIN_CONVERTER_FUNC) - output_file.write(FINAL_LINE) - def run(self): os.makedirs(output_dir, exist_ok=True) Path(os.path.join(output_dir, "__init__.py")).touch() @@ -370,7 +337,6 @@ def run(self): self.map_prop_names_to_ids(model) for namespace in model.values(): - module_name = namespace_name_to_python(namespace["name"]) self.handle_namespace(namespace, model) with open(os.path.join(output_dir, "__init__.py"), "w") as init_file: From b5b615322bcff178b619411f220657a5c6da7e71 Mon Sep 17 00:00:00 2001 From: Holger Frydrych Date: Tue, 25 Jul 2023 11:15:48 +0200 Subject: [PATCH 05/33] Set parent class correctly when generating SPDX dataclasses Signed-off-by: Holger Frydrych --- dev/gen_python_model_from_spec.py | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/dev/gen_python_model_from_spec.py b/dev/gen_python_model_from_spec.py index 36d00b3ad..07c4a64c5 100644 --- a/dev/gen_python_model_from_spec.py +++ b/dev/gen_python_model_from_spec.py @@ -163,13 +163,14 @@ def __init__(self, cls: dict, namespace: str, model: dict): self.typename = cls["metadata"]["name"] self.filename = camel_case_to_snake_case(self.typename) - parent_class = ( - cls["metadata"]["SubclassOf"] - if "SubclassOf" in cls["metadata"] and cls["metadata"]["SubclassOf"] != "none" - else None - ) - parent_namespace = namespace - self.parent_class = "ABC" + parent_class = cls["metadata"].get("SubclassOf") or "none" + if parent_class == "none": + self.parent_class = "ABC" + self._add_import("abc", "ABC") + else: + parent_class = full_type_name(parent_class, namespace) + self.parent_class = to_python_type(parent_class) + self._import_spdx_type(parent_class) self.docstring = get_python_docstring(cls["description"], 4) self.file_path = get_file_path(self.typename, namespace) From c742cfdfd64e1f2c4de9d2e417cbc466be30e223 Mon Sep 17 00:00:00 2001 From: Holger Frydrych Date: Tue, 25 Jul 2023 11:44:32 +0200 Subject: [PATCH 06/33] Add docstrings for class properties Signed-off-by: Holger Frydrych --- dev/gen_python_model_from_spec.py | 40 ++++++++++++++++++++----------- 1 file changed, 26 insertions(+), 14 deletions(-) diff --git a/dev/gen_python_model_from_spec.py b/dev/gen_python_model_from_spec.py index 07c4a64c5..7ed0811b8 100644 --- a/dev/gen_python_model_from_spec.py +++ b/dev/gen_python_model_from_spec.py @@ -78,6 +78,7 @@ class {typename}({parent}):{docstring} def prop_name_to_python(prop_name: str): special_cases = {"from": "from_element", "homePage": "homepage"} + _, prop_name = split_qualified_name(prop_name) if prop_name in special_cases: return special_cases[prop_name] return camel_case_to_snake_case(prop_name) @@ -106,17 +107,17 @@ def get_python_docstring(description: Optional[str], indent: int) -> str: return textwrap.indent(text, ' ' * indent) -def full_type_name(typename: str, namespace: str): - if typename.startswith('/'): - typename = typename[1:] - if typename.startswith("xsd:"): - return typename - if '/' in typename: - return typename - return f"{namespace}/{typename}" +def get_qualified_name(name: str, namespace: str): + if name.startswith('/'): + name = name[1:] + if name.startswith("xsd:"): + return name + if '/' in name: + return name + return f"{namespace}/{name}" -def split_full_type(typename: str) -> tuple[str, str]: +def split_qualified_name(typename: str) -> tuple[str, str]: if '/' not in typename: return "", typename namespace, _, typename = typename.partition('/') @@ -128,7 +129,7 @@ def to_python_type(typename: str) -> str: return "datetime" if typename.startswith("xsd:"): return "str" - _, typename = split_full_type(typename) + _, typename = split_qualified_name(typename) return typename @@ -168,7 +169,7 @@ def __init__(self, cls: dict, namespace: str, model: dict): self.parent_class = "ABC" self._add_import("abc", "ABC") else: - parent_class = full_type_name(parent_class, namespace) + parent_class = get_qualified_name(parent_class, namespace) self.parent_class = to_python_type(parent_class) self._import_spdx_type(parent_class) self.docstring = get_python_docstring(cls["description"], 4) @@ -187,13 +188,14 @@ def _import_spdx_type(self, typename: str): return if typename.startswith("xsd:"): return - namespace, typename = split_full_type(typename) + namespace, typename = split_qualified_name(typename) namespace = f"..{namespace_name_to_python(namespace)}" self._add_import(namespace, typename) def _collect_props(self): for propname, propinfo in self.cls["properties"].items(): - proptype = full_type_name(propinfo["type"], self.namespace) + propname = get_qualified_name(propname, self.namespace) + proptype = get_qualified_name(propinfo["type"], self.namespace) optional = "minCount" not in propinfo or propinfo["minCount"] == "0" is_list = "maxCount" not in propinfo or propinfo["maxCount"] != "1" prop = Property(propname, proptype, optional, is_list) @@ -220,6 +222,7 @@ def _gen_props(self) -> str: default = "" name = prop_name_to_python(prop.name) proptype = to_python_type(prop.type) + docstring = self._get_prop_docstring(prop.name) if prop.is_list: proptype = f"List[{proptype}]" default = " = field(default_factory=list)" @@ -229,9 +232,18 @@ def _gen_props(self) -> str: proptype = f"Optional[{proptype}]" default = " = None" self._add_import("beartype.typing", "Optional") - code += CLS_PROP.format(prop_name=name, prop_type=proptype, default=default, docstring="") + code += CLS_PROP.format(prop_name=name, prop_type=proptype, default=default, docstring=docstring) return code + def _get_prop_docstring(self, name: str) -> str: + namespace, propname = split_qualified_name(name) + if namespace not in self.model or "properties" not in self.model[namespace]: + return "" + prop = self.model[namespace]["properties"].get(propname) + if not prop: + return "" + return get_python_docstring(prop["description"], 4) + class GenPythonModelFromSpec: prop_name_to_id: dict[str, str] From fc43ed7105256b5627248d9e988e3c5c836aec6c Mon Sep 17 00:00:00 2001 From: Holger Frydrych Date: Tue, 25 Jul 2023 14:36:23 +0200 Subject: [PATCH 07/33] Collect properties from parent classes, too Signed-off-by: Holger Frydrych --- dev/gen_python_model_from_spec.py | 38 +++++++++++++++++++++++-------- 1 file changed, 28 insertions(+), 10 deletions(-) diff --git a/dev/gen_python_model_from_spec.py b/dev/gen_python_model_from_spec.py index 7ed0811b8..29df9560e 100644 --- a/dev/gen_python_model_from_spec.py +++ b/dev/gen_python_model_from_spec.py @@ -127,18 +127,28 @@ def split_qualified_name(typename: str) -> tuple[str, str]: def to_python_type(typename: str) -> str: if typename == "xsd:datetime" or typename == "Core/DateTime": return "datetime" + if typename == "Core/SemVer": + return "str" if typename.startswith("xsd:"): return "str" _, typename = split_qualified_name(typename) return typename +def extract_parent_type(cls: dict, namespace: str) -> Optional[str]: + parent_class = cls["metadata"].get("SubclassOf") or "none" + if parent_class == "none": + return None + return get_qualified_name(parent_class, namespace) + + @dataclass class Property: name: str type: str optional: bool is_list: bool + inherited: bool class GenClassFromSpec: @@ -164,18 +174,17 @@ def __init__(self, cls: dict, namespace: str, model: dict): self.typename = cls["metadata"]["name"] self.filename = camel_case_to_snake_case(self.typename) - parent_class = cls["metadata"].get("SubclassOf") or "none" - if parent_class == "none": + parent_class = extract_parent_type(cls, namespace) + if not parent_class: self.parent_class = "ABC" self._add_import("abc", "ABC") else: - parent_class = get_qualified_name(parent_class, namespace) self.parent_class = to_python_type(parent_class) self._import_spdx_type(parent_class) self.docstring = get_python_docstring(cls["description"], 4) self.file_path = get_file_path(self.typename, namespace) - self._collect_props() + self._collect_props(self.cls, self.namespace, False) def _add_import(self, module: str, typename: str): if module not in self.imports: @@ -186,19 +195,27 @@ def _import_spdx_type(self, typename: str): if typename == "Core/DateTime": self._add_import("datetime", "datetime") return + if typename == "Core/SemVer": + return if typename.startswith("xsd:"): return namespace, typename = split_qualified_name(typename) namespace = f"..{namespace_name_to_python(namespace)}" self._add_import(namespace, typename) - def _collect_props(self): - for propname, propinfo in self.cls["properties"].items(): - propname = get_qualified_name(propname, self.namespace) - proptype = get_qualified_name(propinfo["type"], self.namespace) + def _collect_props(self, cls: dict, namespace: str, is_parent: bool): + parent = extract_parent_type(cls, namespace) + if parent: + parent_namespace, parent_class = split_qualified_name(parent) + if parent_namespace in self.model and parent_class in self.model[parent_namespace]["classes"]: + self._collect_props(self.model[parent_namespace]["classes"][parent_class], parent_namespace, True) + + for propname, propinfo in cls["properties"].items(): + propname = get_qualified_name(propname, namespace) + proptype = get_qualified_name(propinfo["type"], namespace) optional = "minCount" not in propinfo or propinfo["minCount"] == "0" is_list = "maxCount" not in propinfo or propinfo["maxCount"] != "1" - prop = Property(propname, proptype, optional, is_list) + prop = Property(propname, proptype, optional, is_list, is_parent) self.props.append(prop) self._import_spdx_type(proptype) @@ -218,7 +235,8 @@ def _gen_imports(self) -> str: def _gen_props(self) -> str: code = "" - for prop in self.props: + own_props = (prop for prop in self.props if not prop.inherited) + for prop in own_props: default = "" name = prop_name_to_python(prop.name) proptype = to_python_type(prop.type) From f39930c54770a4cebd3fb373502791629d91a3b9 Mon Sep 17 00:00:00 2001 From: Holger Frydrych Date: Tue, 25 Jul 2023 15:24:03 +0200 Subject: [PATCH 08/33] Make the string to enum function a static class method of the enum Signed-off-by: Holger Frydrych --- dev/gen_python_model_from_spec.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/dev/gen_python_model_from_spec.py b/dev/gen_python_model_from_spec.py index 29df9560e..16f8ee536 100644 --- a/dev/gen_python_model_from_spec.py +++ b/dev/gen_python_model_from_spec.py @@ -45,17 +45,17 @@ def __str__(self) -> str: {values_to_str} return "unknown" - -def {python_typename}_from_str(value: str) -> Optional[{typename}]: + @staticmethod + def from_str(value: str) -> Optional['{typename}']: {str_to_values} - return None + return None """ VOCAB_ENTRY = " {value} = auto(){docstring}" VOCAB_VALUE_TO_STR = " if self == {typename}.{python_value}:\n return \"{str_value}\"" -VOCAB_STR_TO_VALUE = " if value == \"{str_value}\":\n return {typename}.{python_value}" +VOCAB_STR_TO_VALUE = " if value == \"{str_value}\":\n return {typename}.{python_value}" CLS_FILE = FILE_HEADER + """{imports} from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties From 0c083efaedf3d0bf262fd978c8cbdae3de22e959 Mon Sep 17 00:00:00 2001 From: Holger Frydrych Date: Tue, 25 Jul 2023 15:36:32 +0200 Subject: [PATCH 09/33] Generate constructor with all arguments, including inherited, and potential default values Signed-off-by: Holger Frydrych --- dev/gen_python_model_from_spec.py | 55 ++++++++++++++++++++++++++----- 1 file changed, 47 insertions(+), 8 deletions(-) diff --git a/dev/gen_python_model_from_spec.py b/dev/gen_python_model_from_spec.py index 16f8ee536..d8804f467 100644 --- a/dev/gen_python_model_from_spec.py +++ b/dev/gen_python_model_from_spec.py @@ -63,13 +63,27 @@ def from_str(value: str) -> Optional['{typename}']: @dataclass_with_properties class {typename}({parent}):{docstring} - {properties} -""" +{constructor}""" CLS_IMPORTS = "from {module} import {types}\n" + CLS_PROP = " {prop_name}: {prop_type}{default}{docstring}\n" +CLS_INIT = """ def __init__( + self,{arguments} + ):{remaps} + check_types_and_set_values(self, locals()) +""" +CLS_INIT_ARG = "\n {prop_name}: {prop_type}," +CLS_INIT_ARG_OPT = "\n {prop_name}: {prop_type} = None," +CLS_INIT_REMAP = "\n {prop_name} = [] if {prop_name} is None else {prop_name}" + +CLS_INIT_ABSTRACT = """ @abstractmethod + def __init__(self): + pass +""" + FINAL_LINE = """# fmt: on """ @@ -150,6 +164,14 @@ class Property: is_list: bool inherited: bool + def get_python_type(self) -> str: + prop_type = to_python_type(self.type) + if self.is_list: + prop_type = f"List[{prop_type}]" + elif self.optional: + prop_type = f"Optional[{prop_type}]" + return prop_type + class GenClassFromSpec: cls: dict @@ -219,12 +241,18 @@ def _collect_props(self, cls: dict, namespace: str, is_parent: bool): self.props.append(prop) self._import_spdx_type(proptype) + if is_list: + self._add_import("beartype.typing", "List") + elif optional: + self._add_import("beartype.typing", "Optional") + def gen_file(self): properties = self._gen_props() + constructor = self._gen_constructor() # imports should be last, as we may add additional types to import during generation imports = self._gen_imports() with open(self.file_path, "w") as output_file: - output_file.write(CLS_FILE.format(typename=self.typename, parent=self.parent_class, docstring=self.docstring, properties=properties, imports=imports)) + output_file.write(CLS_FILE.format(typename=self.typename, parent=self.parent_class, docstring=self.docstring, properties=properties, imports=imports, constructor=constructor)) def _gen_imports(self) -> str: imports = "" @@ -239,17 +267,13 @@ def _gen_props(self) -> str: for prop in own_props: default = "" name = prop_name_to_python(prop.name) - proptype = to_python_type(prop.type) + proptype = prop.get_python_type() docstring = self._get_prop_docstring(prop.name) if prop.is_list: - proptype = f"List[{proptype}]" default = " = field(default_factory=list)" - self._add_import("beartype.typing", "List") self._add_import("dataclasses", "field") elif prop.optional: - proptype = f"Optional[{proptype}]" default = " = None" - self._add_import("beartype.typing", "Optional") code += CLS_PROP.format(prop_name=name, prop_type=proptype, default=default, docstring=docstring) return code @@ -262,6 +286,21 @@ def _get_prop_docstring(self, name: str) -> str: return "" return get_python_docstring(prop["description"], 4) + def _gen_constructor(self) -> str: + self._add_import("spdx_tools.common.typing.type_checks", "check_types_and_set_values") + args = "" + remaps = "" + required_props = (prop for prop in self.props if not prop.optional) + optional_props = (prop for prop in self.props if prop.optional) + for prop in required_props: + args += CLS_INIT_ARG.format(prop_name=prop_name_to_python(prop.name), prop_type=prop.get_python_type()) + for prop in optional_props: + prop_name = prop_name_to_python(prop.name) + args += CLS_INIT_ARG_OPT.format(prop_name=prop_name, prop_type=prop.get_python_type()) + if prop.is_list: + remaps += CLS_INIT_REMAP.format(prop_name=prop_name) + return CLS_INIT.format(arguments=args, remaps=remaps) + class GenPythonModelFromSpec: prop_name_to_id: dict[str, str] From 1eec56b1c003b70bdc9383290a44fd20e49e7162 Mon Sep 17 00:00:00 2001 From: Holger Frydrych Date: Tue, 25 Jul 2023 15:40:29 +0200 Subject: [PATCH 10/33] Remove dead code Signed-off-by: Holger Frydrych --- dev/gen_python_model_from_spec.py | 47 ------------------------------- 1 file changed, 47 deletions(-) diff --git a/dev/gen_python_model_from_spec.py b/dev/gen_python_model_from_spec.py index d8804f467..2daaa3e72 100644 --- a/dev/gen_python_model_from_spec.py +++ b/dev/gen_python_model_from_spec.py @@ -84,9 +84,6 @@ def __init__(self): pass """ -FINAL_LINE = """# fmt: on -""" - output_dir = os.path.join(os.path.dirname(__file__), "../src/spdx_tools/spdx3/new_model") @@ -303,14 +300,10 @@ def _gen_constructor(self) -> str: class GenPythonModelFromSpec: - prop_name_to_id: dict[str, str] - class_to_converter_func: dict[str, str] namespace_imports: str init_imports: dict[str, dict[str, str]] def __init__(self): - self.prop_name_to_id = {} - self.class_to_converter_func = {} self.namespace_imports = "" self.init_imports = {} @@ -319,45 +312,6 @@ def create_namespace_import(self, model: dict): if namespaces: self.namespace_imports = "from . import " + ", ".join(namespaces) - def map_prop_names_to_ids(self, model: dict): - for namespace in model.values(): - namespace_name = namespace["name"] - for prop_name, prop in namespace["properties"].items(): - full_prop_name = f"{namespace_name}/{prop_name}" - prop_id = prop["metadata"]["id"] - self.prop_name_to_id[full_prop_name] = prop_id - - def is_literal_type(self, typename: str, namespace_name: str, model: dict) -> bool: - if typename.startswith('/'): - typename = typename[1:] - if typename.startswith("xsd:"): - return True - if '/' in typename: - namespace_name, _, typename = typename.partition('/') - namespace = model[namespace_name] if namespace_name in model else None - if namespace and typename in namespace["vocabs"]: - return False - clazz = namespace["classes"][typename] if namespace and typename in namespace["classes"] else None - if not clazz: - return True - if "SubclassOf" not in clazz["metadata"] or clazz["metadata"]["SubclassOf"] == "none" or clazz["metadata"]["SubclassOf"].startswith("xsd:"): - return not clazz["properties"] - return False - - def get_type_uri(self, typename: str, namespace_name: str) -> str: - if typename.startswith('/'): - typename = typename[1:] - if typename.startswith("xsd:"): - return typename.replace("xsd:", "http://www.w3.org/2001/XMLSchema#") - if '/' in typename: - namespace_name, _, typename = typename.partition('/') - return f"https://spdx.org/rdf/v3/{namespace_name}/{typename}" - - def prop_conversion_code(self, typename: str, namespace_name: str, model: dict) -> str: - if self.is_literal_type(typename, namespace_name, model): - return f"Literal(value, datatype=\"{self.get_type_uri(typename, namespace_name)}\")" - return "model_to_rdf(value, graph)" - def handle_class(self, clazz: dict, namespace_name: str, model: dict): clsinfo = GenClassFromSpec(clazz, namespace_name, model) clsinfo.gen_file() @@ -404,7 +358,6 @@ def run(self): model = json.load(model_file) self.create_namespace_import(model) - self.map_prop_names_to_ids(model) for namespace in model.values(): self.handle_namespace(namespace, model) From e21ab69ec0ea19e1cdc799f23d5db6fd818e70bc Mon Sep 17 00:00:00 2001 From: Holger Frydrych Date: Tue, 25 Jul 2023 15:48:34 +0200 Subject: [PATCH 11/33] Add abstract constructor if type is not instantiable Signed-off-by: Holger Frydrych --- dev/gen_python_model_from_spec.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/dev/gen_python_model_from_spec.py b/dev/gen_python_model_from_spec.py index 2daaa3e72..feb1f79d9 100644 --- a/dev/gen_python_model_from_spec.py +++ b/dev/gen_python_model_from_spec.py @@ -284,6 +284,10 @@ def _get_prop_docstring(self, name: str) -> str: return get_python_docstring(prop["description"], 4) def _gen_constructor(self) -> str: + if self.cls["metadata"].get("Instantiability") == "Abstract": + self._add_import("abc", "abstractmethod") + return CLS_INIT_ABSTRACT + self._add_import("spdx_tools.common.typing.type_checks", "check_types_and_set_values") args = "" remaps = "" From be773b5b9540b90118e4584af031dbf24822fdc9 Mon Sep 17 00:00:00 2001 From: Holger Frydrych Date: Tue, 25 Jul 2023 15:49:35 +0200 Subject: [PATCH 12/33] Exclude unfinished Extension type Signed-off-by: Holger Frydrych --- dev/gen_python_model_from_spec.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dev/gen_python_model_from_spec.py b/dev/gen_python_model_from_spec.py index feb1f79d9..f947f7ea9 100644 --- a/dev/gen_python_model_from_spec.py +++ b/dev/gen_python_model_from_spec.py @@ -138,7 +138,7 @@ def split_qualified_name(typename: str) -> tuple[str, str]: def to_python_type(typename: str) -> str: if typename == "xsd:datetime" or typename == "Core/DateTime": return "datetime" - if typename == "Core/SemVer": + if typename == "Core/SemVer" or typename == "Core/Extension": return "str" if typename.startswith("xsd:"): return "str" @@ -214,7 +214,7 @@ def _import_spdx_type(self, typename: str): if typename == "Core/DateTime": self._add_import("datetime", "datetime") return - if typename == "Core/SemVer": + if typename == "Core/SemVer" or typename == "Core/Extension": return if typename.startswith("xsd:"): return From c4146b913ad70c00367d44573c3fe855c3c0b94b Mon Sep 17 00:00:00 2001 From: Holger Frydrych Date: Tue, 25 Jul 2023 15:59:23 +0200 Subject: [PATCH 13/33] Use mistletoe for properly reformatting the docstrings Signed-off-by: Holger Frydrych --- dev/gen_python_model_from_spec.py | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/dev/gen_python_model_from_spec.py b/dev/gen_python_model_from_spec.py index f947f7ea9..27df3798f 100644 --- a/dev/gen_python_model_from_spec.py +++ b/dev/gen_python_model_from_spec.py @@ -15,6 +15,10 @@ python gen_python_model_from_spec.py Commit resulting changes. + +Note: needs an additional dependency for proper formatting of docstrings: + + pip install mistletoe """ import json @@ -22,7 +26,10 @@ import textwrap from dataclasses import dataclass from pathlib import Path -from typing import IO, Optional +from typing import Optional + +import mistletoe +from mistletoe.markdown_renderer import MarkdownRenderer from spdx_tools.spdx.casing_tools import camel_case_to_snake_case @@ -113,8 +120,9 @@ def get_python_docstring(description: Optional[str], indent: int) -> str: return "" line_length = 120 - indent - text = textwrap.fill(description, line_length, replace_whitespace=False) - text = '\n"""\n' + text + '\n"""' + with MarkdownRenderer(max_line_length=line_length) as renderer: + text = renderer.render(mistletoe.Document(description)) + text = '\n"""\n' + text + '"""' return textwrap.indent(text, ' ' * indent) From de4c9e243cd89a88edc12a4840da0ed5c530ade8 Mon Sep 17 00:00:00 2001 From: Holger Frydrych Date: Tue, 25 Jul 2023 16:08:54 +0200 Subject: [PATCH 14/33] Fix ai_package filename Signed-off-by: Holger Frydrych --- dev/gen_python_model_from_spec.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/dev/gen_python_model_from_spec.py b/dev/gen_python_model_from_spec.py index 27df3798f..cdf2cbaf1 100644 --- a/dev/gen_python_model_from_spec.py +++ b/dev/gen_python_model_from_spec.py @@ -91,6 +91,7 @@ def __init__(self): pass """ +# TODO: use the actual model package path rather than a separate path output_dir = os.path.join(os.path.dirname(__file__), "../src/spdx_tools/spdx3/new_model") @@ -111,7 +112,7 @@ def namespace_name_to_python(namespace_name: str): def get_file_path(typename: str, namespace: str) -> str: namespace = namespace_name_to_python(namespace) - typename = camel_case_to_snake_case(typename) + typename = camel_case_to_snake_case(typename) if typename != "AIPackage" else "ai_package" return os.path.join(output_dir, namespace, f"{typename}.py") From 98eee375e0d7c35e46c5ffd8a56b3b7c5bbe1ca4 Mon Sep 17 00:00:00 2001 From: Holger Frydrych Date: Tue, 25 Jul 2023 16:09:25 +0200 Subject: [PATCH 15/33] Commit current generator output for review Signed-off-by: Holger Frydrych --- src/spdx_tools/spdx3/new_model/__init__.py | 7 + src/spdx_tools/spdx3/new_model/ai/__init__.py | 8 + .../spdx3/new_model/ai/ai_package.py | 169 ++++++ .../spdx3/new_model/ai/presence_type.py | 45 ++ .../ai/safety_risk_assessment_type.py | 55 ++ .../spdx3/new_model/build/__init__.py | 6 + src/spdx_tools/spdx3/new_model/build/build.py | 127 +++++ .../spdx3/new_model/core/__init__.py | 39 ++ src/spdx_tools/spdx3/new_model/core/agent.py | 36 ++ .../spdx3/new_model/core/annotation.py | 57 ++ .../spdx3/new_model/core/annotation_type.py | 38 ++ .../spdx3/new_model/core/artifact.py | 49 ++ src/spdx_tools/spdx3/new_model/core/bom.py | 44 ++ src/spdx_tools/spdx3/new_model/core/bundle.py | 47 ++ .../spdx3/new_model/core/creation_info.py | 92 +++ .../spdx3/new_model/core/date_time.py | 22 + .../spdx3/new_model/core/dictionary_entry.py | 36 ++ .../spdx3/new_model/core/element.py | 74 +++ .../new_model/core/element_collection.py | 39 ++ .../new_model/core/external_identifier.py | 52 ++ .../core/external_identifier_type.py | 121 ++++ .../spdx3/new_model/core/external_map.py | 48 ++ .../new_model/core/external_reference.py | 47 ++ .../new_model/core/external_reference_type.py | 358 ++++++++++++ src/spdx_tools/spdx3/new_model/core/hash.py | 35 ++ .../spdx3/new_model/core/hash_algorithm.py | 214 +++++++ .../spdx3/new_model/core/integrity_method.py | 28 + .../new_model/core/lifecycle_scope_type.py | 69 +++ .../core/lifecycle_scoped_relationship.py | 48 ++ .../spdx3/new_model/core/media_type.py | 22 + .../spdx3/new_model/core/namespace_map.py | 32 ++ .../spdx3/new_model/core/organization.py | 35 ++ src/spdx_tools/spdx3/new_model/core/person.py | 35 ++ .../new_model/core/positive_integer_range.py | 32 ++ .../new_model/core/profile_identifier_type.py | 94 ++++ .../spdx3/new_model/core/relationship.py | 72 +++ .../core/relationship_completeness.py | 46 ++ .../spdx3/new_model/core/relationship_type.py | 529 ++++++++++++++++++ .../spdx3/new_model/core/sem_ver.py | 22 + .../spdx3/new_model/core/software_agent.py | 36 ++ .../spdx3/new_model/core/spdx_document.py | 50 ++ src/spdx_tools/spdx3/new_model/core/tool.py | 35 ++ .../spdx3/new_model/dataset/__init__.py | 9 + .../dataset/confidentiality_level_type.py | 54 ++ .../spdx3/new_model/dataset/dataset.py | 147 +++++ .../dataset/dataset_availability_type.py | 67 +++ .../spdx3/new_model/dataset/dataset_type.py | 139 +++++ .../new_model/expanded_license/__init__.py | 8 + .../conjunctive_license_set.py | 50 ++ .../disjunctive_license_set.py | 47 ++ .../expanded_license/extendable_license.py | 23 + .../spdx3/new_model/licensing/__init__.py | 15 + .../new_model/licensing/any_license_info.py | 24 + .../new_model/licensing/custom_license.py | 30 + .../licensing/custom_license_addition.py | 44 ++ .../spdx3/new_model/licensing/license.py | 88 +++ .../new_model/licensing/license_addition.py | 60 ++ .../new_model/licensing/license_expression.py | 63 +++ .../new_model/licensing/listed_license.py | 41 ++ .../licensing/listed_license_exception.py | 54 ++ .../new_model/licensing/or_later_operator.py | 34 ++ .../licensing/with_addition_operator.py | 49 ++ .../spdx3/new_model/security/__init__.py | 20 + .../cvss_v2_vuln_assessment_relationship.py | 117 ++++ .../cvss_v3_vuln_assessment_relationship.py | 118 ++++ .../epss_vuln_assessment_relationship.py | 82 +++ .../security/exploit_catalog_type.py | 37 ++ ...it_catalog_vuln_assessment_relationship.py | 87 +++ .../new_model/security/ssvc_decision_type.py | 65 +++ .../ssvc_vuln_assessment_relationship.py | 77 +++ ...x_affected_vuln_assessment_relationship.py | 89 +++ .../vex_fixed_vuln_assessment_relationship.py | 74 +++ .../security/vex_justification_type.py | 63 +++ ...t_affected_vuln_assessment_relationship.py | 101 ++++ ...estigation_vuln_assessment_relationship.py | 76 +++ .../vex_vuln_assessment_relationship.py | 47 ++ .../security/vuln_assessment_relationship.py | 44 ++ .../spdx3/new_model/security/vulnerability.py | 126 +++++ .../spdx3/new_model/software/__init__.py | 15 + .../dependency_conditionality_type.py | 61 ++ .../spdx3/new_model/software/file.py | 62 ++ .../spdx3/new_model/software/package.py | 118 ++++ .../spdx3/new_model/software/sbom.py | 55 ++ .../spdx3/new_model/software/sbom_type.py | 83 +++ .../spdx3/new_model/software/snippet.py | 73 +++ .../new_model/software/software_artifact.py | 147 +++++ .../software/software_dependency_link_type.py | 53 ++ .../software_dependency_relationship.py | 55 ++ .../new_model/software/software_purpose.py | 225 ++++++++ 89 files changed, 6266 insertions(+) create mode 100644 src/spdx_tools/spdx3/new_model/__init__.py create mode 100644 src/spdx_tools/spdx3/new_model/ai/__init__.py create mode 100644 src/spdx_tools/spdx3/new_model/ai/ai_package.py create mode 100644 src/spdx_tools/spdx3/new_model/ai/presence_type.py create mode 100644 src/spdx_tools/spdx3/new_model/ai/safety_risk_assessment_type.py create mode 100644 src/spdx_tools/spdx3/new_model/build/__init__.py create mode 100644 src/spdx_tools/spdx3/new_model/build/build.py create mode 100644 src/spdx_tools/spdx3/new_model/core/__init__.py create mode 100644 src/spdx_tools/spdx3/new_model/core/agent.py create mode 100644 src/spdx_tools/spdx3/new_model/core/annotation.py create mode 100644 src/spdx_tools/spdx3/new_model/core/annotation_type.py create mode 100644 src/spdx_tools/spdx3/new_model/core/artifact.py create mode 100644 src/spdx_tools/spdx3/new_model/core/bom.py create mode 100644 src/spdx_tools/spdx3/new_model/core/bundle.py create mode 100644 src/spdx_tools/spdx3/new_model/core/creation_info.py create mode 100644 src/spdx_tools/spdx3/new_model/core/date_time.py create mode 100644 src/spdx_tools/spdx3/new_model/core/dictionary_entry.py create mode 100644 src/spdx_tools/spdx3/new_model/core/element.py create mode 100644 src/spdx_tools/spdx3/new_model/core/element_collection.py create mode 100644 src/spdx_tools/spdx3/new_model/core/external_identifier.py create mode 100644 src/spdx_tools/spdx3/new_model/core/external_identifier_type.py create mode 100644 src/spdx_tools/spdx3/new_model/core/external_map.py create mode 100644 src/spdx_tools/spdx3/new_model/core/external_reference.py create mode 100644 src/spdx_tools/spdx3/new_model/core/external_reference_type.py create mode 100644 src/spdx_tools/spdx3/new_model/core/hash.py create mode 100644 src/spdx_tools/spdx3/new_model/core/hash_algorithm.py create mode 100644 src/spdx_tools/spdx3/new_model/core/integrity_method.py create mode 100644 src/spdx_tools/spdx3/new_model/core/lifecycle_scope_type.py create mode 100644 src/spdx_tools/spdx3/new_model/core/lifecycle_scoped_relationship.py create mode 100644 src/spdx_tools/spdx3/new_model/core/media_type.py create mode 100644 src/spdx_tools/spdx3/new_model/core/namespace_map.py create mode 100644 src/spdx_tools/spdx3/new_model/core/organization.py create mode 100644 src/spdx_tools/spdx3/new_model/core/person.py create mode 100644 src/spdx_tools/spdx3/new_model/core/positive_integer_range.py create mode 100644 src/spdx_tools/spdx3/new_model/core/profile_identifier_type.py create mode 100644 src/spdx_tools/spdx3/new_model/core/relationship.py create mode 100644 src/spdx_tools/spdx3/new_model/core/relationship_completeness.py create mode 100644 src/spdx_tools/spdx3/new_model/core/relationship_type.py create mode 100644 src/spdx_tools/spdx3/new_model/core/sem_ver.py create mode 100644 src/spdx_tools/spdx3/new_model/core/software_agent.py create mode 100644 src/spdx_tools/spdx3/new_model/core/spdx_document.py create mode 100644 src/spdx_tools/spdx3/new_model/core/tool.py create mode 100644 src/spdx_tools/spdx3/new_model/dataset/__init__.py create mode 100644 src/spdx_tools/spdx3/new_model/dataset/confidentiality_level_type.py create mode 100644 src/spdx_tools/spdx3/new_model/dataset/dataset.py create mode 100644 src/spdx_tools/spdx3/new_model/dataset/dataset_availability_type.py create mode 100644 src/spdx_tools/spdx3/new_model/dataset/dataset_type.py create mode 100644 src/spdx_tools/spdx3/new_model/expanded_license/__init__.py create mode 100644 src/spdx_tools/spdx3/new_model/expanded_license/conjunctive_license_set.py create mode 100644 src/spdx_tools/spdx3/new_model/expanded_license/disjunctive_license_set.py create mode 100644 src/spdx_tools/spdx3/new_model/expanded_license/extendable_license.py create mode 100644 src/spdx_tools/spdx3/new_model/licensing/__init__.py create mode 100644 src/spdx_tools/spdx3/new_model/licensing/any_license_info.py create mode 100644 src/spdx_tools/spdx3/new_model/licensing/custom_license.py create mode 100644 src/spdx_tools/spdx3/new_model/licensing/custom_license_addition.py create mode 100644 src/spdx_tools/spdx3/new_model/licensing/license.py create mode 100644 src/spdx_tools/spdx3/new_model/licensing/license_addition.py create mode 100644 src/spdx_tools/spdx3/new_model/licensing/license_expression.py create mode 100644 src/spdx_tools/spdx3/new_model/licensing/listed_license.py create mode 100644 src/spdx_tools/spdx3/new_model/licensing/listed_license_exception.py create mode 100644 src/spdx_tools/spdx3/new_model/licensing/or_later_operator.py create mode 100644 src/spdx_tools/spdx3/new_model/licensing/with_addition_operator.py create mode 100644 src/spdx_tools/spdx3/new_model/security/__init__.py create mode 100644 src/spdx_tools/spdx3/new_model/security/cvss_v2_vuln_assessment_relationship.py create mode 100644 src/spdx_tools/spdx3/new_model/security/cvss_v3_vuln_assessment_relationship.py create mode 100644 src/spdx_tools/spdx3/new_model/security/epss_vuln_assessment_relationship.py create mode 100644 src/spdx_tools/spdx3/new_model/security/exploit_catalog_type.py create mode 100644 src/spdx_tools/spdx3/new_model/security/exploit_catalog_vuln_assessment_relationship.py create mode 100644 src/spdx_tools/spdx3/new_model/security/ssvc_decision_type.py create mode 100644 src/spdx_tools/spdx3/new_model/security/ssvc_vuln_assessment_relationship.py create mode 100644 src/spdx_tools/spdx3/new_model/security/vex_affected_vuln_assessment_relationship.py create mode 100644 src/spdx_tools/spdx3/new_model/security/vex_fixed_vuln_assessment_relationship.py create mode 100644 src/spdx_tools/spdx3/new_model/security/vex_justification_type.py create mode 100644 src/spdx_tools/spdx3/new_model/security/vex_not_affected_vuln_assessment_relationship.py create mode 100644 src/spdx_tools/spdx3/new_model/security/vex_under_investigation_vuln_assessment_relationship.py create mode 100644 src/spdx_tools/spdx3/new_model/security/vex_vuln_assessment_relationship.py create mode 100644 src/spdx_tools/spdx3/new_model/security/vuln_assessment_relationship.py create mode 100644 src/spdx_tools/spdx3/new_model/security/vulnerability.py create mode 100644 src/spdx_tools/spdx3/new_model/software/__init__.py create mode 100644 src/spdx_tools/spdx3/new_model/software/dependency_conditionality_type.py create mode 100644 src/spdx_tools/spdx3/new_model/software/file.py create mode 100644 src/spdx_tools/spdx3/new_model/software/package.py create mode 100644 src/spdx_tools/spdx3/new_model/software/sbom.py create mode 100644 src/spdx_tools/spdx3/new_model/software/sbom_type.py create mode 100644 src/spdx_tools/spdx3/new_model/software/snippet.py create mode 100644 src/spdx_tools/spdx3/new_model/software/software_artifact.py create mode 100644 src/spdx_tools/spdx3/new_model/software/software_dependency_link_type.py create mode 100644 src/spdx_tools/spdx3/new_model/software/software_dependency_relationship.py create mode 100644 src/spdx_tools/spdx3/new_model/software/software_purpose.py diff --git a/src/spdx_tools/spdx3/new_model/__init__.py b/src/spdx_tools/spdx3/new_model/__init__.py new file mode 100644 index 000000000..8784e760a --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/__init__.py @@ -0,0 +1,7 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from . import expanded_license, core, dataset, licensing, ai, security, build, software +from .core import * diff --git a/src/spdx_tools/spdx3/new_model/ai/__init__.py b/src/spdx_tools/spdx3/new_model/ai/__init__.py new file mode 100644 index 000000000..b7ffdec03 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/ai/__init__.py @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from .a_ipackage import AIPackage +from .presence_type import PresenceType +from .safety_risk_assessment_type import SafetyRiskAssessmentType diff --git a/src/spdx_tools/spdx3/new_model/ai/ai_package.py b/src/spdx_tools/spdx3/new_model/ai/ai_package.py new file mode 100644 index 000000000..2b0996d81 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/ai/ai_package.py @@ -0,0 +1,169 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from ..ai import PresenceType, SafetyRiskAssessmentType +from ..core import Agent, CreationInfo, DictionaryEntry, ExternalIdentifier, ExternalReference, IntegrityMethod +from ..licensing import AnyLicenseInfo +from ..software import Package, SoftwarePurpose +from beartype.typing import List, Optional +from dataclasses import field +from datetime import datetime +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class AIPackage(Package): + """ + Metadata information that can be added to a package to describe an AI application or trained AI model. External + property restriction on /Core/Artifact/suppliedBy: minCount: 1 External property restriction on + /Software/Package/downloadLocation: minCount: 1 External property restriction on /Software/Package/packageVersion: + minCount: 1 External property restriction on /Software/SoftwareArtifact/primaryPurpose: minCount: 1 External + property restriction on /Core/Artifact/releaseTime: minCount: 1 + """ + energy_consumption: Optional[str] = None + """ + EnergyConsumption captures the amount of energy needed to train and operate the AI model. This value is also known + as training energy consumption or inference energy consumption. + """ + standard_compliance: List[str] = field(default_factory=list) + """ + StandardCompliance captures a standard that the AI software complies with. This includes both published and + unpublished standards, for example ISO, IEEE, ETSI etc. The standard could (but not necessarily have to) be used to + satisfy a legal or regulatory requirement. + """ + limitation: Optional[str] = None + """ + Limitation captures a limitation of the AI Package (or of the AI models present in the AI package), expressed as + free form text. Note that this is not guaranteed to be exhaustive. For instance, a limitation might be that the AI + package cannot be used on datasets from a certain demography. + """ + type_of_model: List[str] = field(default_factory=list) + """ + TypeOfModel records the type of the AI model(s) used in the software. For instance, if it is a supervised model, + unsupervised model, reinforcement learning model or a combination of those. + """ + information_about_training: Optional[str] = None + """ + InformationAboutTraining describes the specific steps involved in the training of the AI model. For example, it can + be specified whether supervised fine-tuning or active learning is used as part of training the model. + """ + information_about_application: Optional[str] = None + """ + InformationAboutApplication describes any relevant information in free form text about how the AI model is used + inside the software, as well as any relevant pre-processing steps, third party APIs etc. + """ + hyperparameter: List[DictionaryEntry] = field(default_factory=list) + """ + This field records a hyperparameter value. Hyperparameters are parameters of the machine learning model that are + used to control the learning process, for example the optimization and learning rate used during the training of the + model. + """ + model_data_preprocessing: List[str] = field(default_factory=list) + """ + ModelDataPreprocessing is a free form text that describes the preprocessing steps applied to the training data + before training of the model(s) contained in the AI software. + """ + model_explainability: List[str] = field(default_factory=list) + """ + ModelExplainability is a free form text that lists the different explainability mechanisms (such as SHAP, or other + model specific explainability mechanisms) that can be used to explain the model. + """ + sensitive_personal_information: Optional[PresenceType] = None + """ + SensitivePersonalInformation notes if sensitive personal information is used in the training or inference of the AI + models. This might include biometric data, addresses or other data that can be used to infer a person's identity. + """ + metric_decision_threshold: List[DictionaryEntry] = field(default_factory=list) + """ + Each metric might be computed based on a decision threshold. For instance, precision or recall is typically computed + by checking if the probability of the outcome is larger than 0.5. Each decision threshold should match with a metric + field defined in the AI Package. + """ + metric: List[DictionaryEntry] = field(default_factory=list) + """ + Metric records the measurement with which the AI model was evaluated. This makes statements about the prediction + quality including uncertainty, accuracy, characteristics of the tested population, quality, fairness, + explainability, robustness etc. + """ + domain: List[str] = field(default_factory=list) + """ + Domain describes the domain in which the AI model contained in the AI software can be expected to operate + successfully. Examples include computer vision, natural language etc. + """ + autonomy_type: Optional[PresenceType] = None + """ + AutonomyType indicates if a human is involved in any of the decisions of the AI software or if that software is + fully automatic. + """ + safety_risk_assessment: Optional[SafetyRiskAssessmentType] = None + """ + SafetyRiskAssessment categorizes the safety risk impact of the AI software in accordance with Article 20 of [EC + Regulation No 765/2008](https://ec.europa.eu/docsroom/documents/17107/attachments/1/translations/en/renditions/pdf). + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: Optional[str] = None, + originated_by: List[Agent] = None, + supplied_by: List[Agent] = None, + built_time: Optional[datetime] = None, + release_time: Optional[datetime] = None, + valid_until_time: Optional[datetime] = None, + standard: List[str] = None, + content_identifier: Optional[str] = None, + primary_purpose: Optional[SoftwarePurpose] = None, + additional_purpose: List[SoftwarePurpose] = None, + concluded_license: Optional[AnyLicenseInfo] = None, + declared_license: Optional[AnyLicenseInfo] = None, + copyright_text: Optional[str] = None, + attribution_text: Optional[str] = None, + package_version: Optional[str] = None, + download_location: Optional[str] = None, + package_url: Optional[str] = None, + homepage: Optional[str] = None, + source_info: Optional[str] = None, + energy_consumption: Optional[str] = None, + standard_compliance: List[str] = None, + limitation: Optional[str] = None, + type_of_model: List[str] = None, + information_about_training: Optional[str] = None, + information_about_application: Optional[str] = None, + hyperparameter: List[DictionaryEntry] = None, + model_data_preprocessing: List[str] = None, + model_explainability: List[str] = None, + sensitive_personal_information: Optional[PresenceType] = None, + metric_decision_threshold: List[DictionaryEntry] = None, + metric: List[DictionaryEntry] = None, + domain: List[str] = None, + autonomy_type: Optional[PresenceType] = None, + safety_risk_assessment: Optional[SafetyRiskAssessmentType] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + originated_by = [] if originated_by is None else originated_by + supplied_by = [] if supplied_by is None else supplied_by + standard = [] if standard is None else standard + additional_purpose = [] if additional_purpose is None else additional_purpose + standard_compliance = [] if standard_compliance is None else standard_compliance + type_of_model = [] if type_of_model is None else type_of_model + hyperparameter = [] if hyperparameter is None else hyperparameter + model_data_preprocessing = [] if model_data_preprocessing is None else model_data_preprocessing + model_explainability = [] if model_explainability is None else model_explainability + metric_decision_threshold = [] if metric_decision_threshold is None else metric_decision_threshold + metric = [] if metric is None else metric + domain = [] if domain is None else domain + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/ai/presence_type.py b/src/spdx_tools/spdx3/new_model/ai/presence_type.py new file mode 100644 index 000000000..99f97ffcb --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/ai/presence_type.py @@ -0,0 +1,45 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from beartype.typing import Optional +from enum import Enum, auto + + +class PresenceType(Enum): + """ + This type is used to indicate if a given field is present or absent or unknown. + """ + + YES = auto() + """ + Indicates presence of the field. + """ + NO = auto() + """ + Indicates absence of the field. + """ + NO_ASSERTION = auto() + """ + Makes no assertion about the field. + """ + + def __str__(self) -> str: + if self == PresenceType.YES: + return "yes" + if self == PresenceType.NO: + return "no" + if self == PresenceType.NO_ASSERTION: + return "noAssertion" + return "unknown" + + @staticmethod + def from_str(value: str) -> Optional['PresenceType']: + if value == "yes": + return PresenceType.YES + if value == "no": + return PresenceType.NO + if value == "noAssertion": + return PresenceType.NO_ASSERTION + return None diff --git a/src/spdx_tools/spdx3/new_model/ai/safety_risk_assessment_type.py b/src/spdx_tools/spdx3/new_model/ai/safety_risk_assessment_type.py new file mode 100644 index 000000000..348ec7c0f --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/ai/safety_risk_assessment_type.py @@ -0,0 +1,55 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from beartype.typing import Optional +from enum import Enum, auto + + +class SafetyRiskAssessmentType(Enum): + """ + Lists the different safety risk type values that can be used to describe the safety risk of AI software according to + [Article 20 of Regulation + 765/2008/EC](https://ec.europa.eu/docsroom/documents/17107/attachments/1/translations/en/renditions/pdf). + """ + + SERIOUS = auto() + """ + The highest level of risk posed by an AI software. + """ + HIGH = auto() + """ + The second-highest level of risk posed by an AI software. + """ + MEDIUM = auto() + """ + The third-highest level of risk posed by an AI software. + """ + LOW = auto() + """ + Low/no risk is posed by the AI software. + """ + + def __str__(self) -> str: + if self == SafetyRiskAssessmentType.SERIOUS: + return "serious" + if self == SafetyRiskAssessmentType.HIGH: + return "high" + if self == SafetyRiskAssessmentType.MEDIUM: + return "medium" + if self == SafetyRiskAssessmentType.LOW: + return "low" + return "unknown" + + @staticmethod + def from_str(value: str) -> Optional['SafetyRiskAssessmentType']: + if value == "serious": + return SafetyRiskAssessmentType.SERIOUS + if value == "high": + return SafetyRiskAssessmentType.HIGH + if value == "medium": + return SafetyRiskAssessmentType.MEDIUM + if value == "low": + return SafetyRiskAssessmentType.LOW + return None diff --git a/src/spdx_tools/spdx3/new_model/build/__init__.py b/src/spdx_tools/spdx3/new_model/build/__init__.py new file mode 100644 index 000000000..54564cf9f --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/build/__init__.py @@ -0,0 +1,6 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from .build import Build diff --git a/src/spdx_tools/spdx3/new_model/build/build.py b/src/spdx_tools/spdx3/new_model/build/build.py new file mode 100644 index 000000000..78bbc5421 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/build/build.py @@ -0,0 +1,127 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from ..core import CreationInfo, DictionaryEntry, Element, ExternalIdentifier, ExternalReference, Hash, IntegrityMethod +from beartype.typing import List, Optional +from dataclasses import field +from datetime import datetime +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class Build(Element): + """ + A build is a representation of the process in which a piece of software or artifact is built. It encapsulates + information related to a build process and provides an element from which relationships can be created to describe + the build's inputs, outputs, and related entities (e.g. builders, identities, etc.). + + Definitions of "BuildType", "ConfigSource", "Parameters" and "Environment" follow those defined in [SLSA + provenance](https://slsa.dev/provenance/v0.2). + + ExternalIdentifier of type "urlScheme" may be used to identify build logs. In this case, the comment of the + ExternalIdentifier should be "LogReference". + + Note that buildStart and buildEnd are optional, and may be omitted to simplify creating reproducible builds. + """ + build_type: str + """ + A buildType is a URI expressing the toolchain, platform, or infrastructure that the build was invoked on. For + example, if the build was invoked on GitHub's CI platform using github actions, the buildType can be expressed as + `https://github.com/actions`. In contrast, if the build was invoked on a local machine, the buildType can be + expressed as `file://username@host/path/to/build`. + """ + build_id: Optional[str] = None + """ + A buildId is a locally unique identifier to identify a unique instance of a build. This identifier differs based on + build toolchain, platform, or naming convention used by an organization or standard. + """ + config_source_entrypoint: List[str] = field(default_factory=list) + """ + A build entrypoint is the invoked executable of a build which always runs when the build is triggered. For example, + when a build is triggered by running a shell script, the entrypoint is `script.sh`. In terms of a declared build, + the entrypoint is the position in a configuration file or a build declaration which is always run when the build is + triggered. For example, in the following configuration file, the entrypoint of the build is `publish`. + + ``` + name: Publish packages to PyPI + + on: + create: + tags: "*" + + jobs: + publish: + runs-on: ubuntu-latest + if: startsWith(github.ref, 'refs/tags/') + steps: + + ... + ``` + """ + config_source_uri: List[str] = field(default_factory=list) + """ + If a build configuration exists for the toolchain or platform performing the build, the configSourceUri of a build + is the URI of that build configuration. For example, a build triggered by a GitHub action is defined by a build + configuration YAML file. In this case, the configSourceUri is the URL of that YAML file. m + """ + config_source_digest: List[Hash] = field(default_factory=list) + """ + configSourceDigest is the checksum of the build configuration file used by a builder to execute a build. This + Property uses the Core model's [Hash](../../Core/Classes/Hash.md) class. + """ + parameters: List[DictionaryEntry] = field(default_factory=list) + """ + parameters is a key-value map of all build parameters and their values that were provided to the builder for a build + instance. This is different from the [environment](environment.md) property in that the keys and values are provided + as command line arguments or a configuration file to the builder. + """ + build_start_time: Optional[datetime] = None + """ + buildStartTime is the time at which a build is triggered. The builder typically records this value. + """ + build_end_time: Optional[datetime] = None + """ + buildEndTime describes the time at which a build stops or finishes. This value is typically recorded by the builder. + """ + environment: List[DictionaryEntry] = field(default_factory=list) + """ + environment is a map of environment variables and values that are set during a build session. This is different from + the [parameters](parameters.md) property in that it describes the environment variables set before a build is + invoked rather than the variables provided to the builder. + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + build_type: str, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: Optional[str] = None, + build_id: Optional[str] = None, + config_source_entrypoint: List[str] = None, + config_source_uri: List[str] = None, + config_source_digest: List[Hash] = None, + parameters: List[DictionaryEntry] = None, + build_start_time: Optional[datetime] = None, + build_end_time: Optional[datetime] = None, + environment: List[DictionaryEntry] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + config_source_entrypoint = [] if config_source_entrypoint is None else config_source_entrypoint + config_source_uri = [] if config_source_uri is None else config_source_uri + config_source_digest = [] if config_source_digest is None else config_source_digest + parameters = [] if parameters is None else parameters + environment = [] if environment is None else environment + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/__init__.py b/src/spdx_tools/spdx3/new_model/core/__init__.py new file mode 100644 index 000000000..b682c9784 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/__init__.py @@ -0,0 +1,39 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from .agent import Agent +from .annotation import Annotation +from .annotation_type import AnnotationType +from .artifact import Artifact +from .bom import Bom +from .bundle import Bundle +from .creation_info import CreationInfo +from .date_time import DateTime +from .dictionary_entry import DictionaryEntry +from .element import Element +from .element_collection import ElementCollection +from .external_identifier import ExternalIdentifier +from .external_identifier_type import ExternalIdentifierType +from .external_map import ExternalMap +from .external_reference import ExternalReference +from .external_reference_type import ExternalReferenceType +from .hash import Hash +from .hash_algorithm import HashAlgorithm +from .integrity_method import IntegrityMethod +from .lifecycle_scope_type import LifecycleScopeType +from .lifecycle_scoped_relationship import LifecycleScopedRelationship +from .media_type import MediaType +from .namespace_map import NamespaceMap +from .organization import Organization +from .person import Person +from .positive_integer_range import PositiveIntegerRange +from .profile_identifier_type import ProfileIdentifierType +from .relationship import Relationship +from .relationship_completeness import RelationshipCompleteness +from .relationship_type import RelationshipType +from .sem_ver import SemVer +from .software_agent import SoftwareAgent +from .spdx_document import SpdxDocument +from .tool import Tool diff --git a/src/spdx_tools/spdx3/new_model/core/agent.py b/src/spdx_tools/spdx3/new_model/core/agent.py new file mode 100644 index 000000000..166f5d097 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/agent.py @@ -0,0 +1,36 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from ..core import CreationInfo, Element, ExternalIdentifier, ExternalReference, IntegrityMethod +from beartype.typing import List, Optional +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class Agent(Element): + """ + The Agent class represents anything that has the potential to act on a system. This could be a person, organization, + software agent, etc. This is not to be confused with tools that are used to perform tasks. + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: Optional[str] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/annotation.py b/src/spdx_tools/spdx3/new_model/core/annotation.py new file mode 100644 index 000000000..4a3add41a --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/annotation.py @@ -0,0 +1,57 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from ..core import AnnotationType, CreationInfo, Element, ExternalIdentifier, ExternalReference, IntegrityMethod, MediaType +from beartype.typing import List, Optional +from dataclasses import field +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class Annotation(Element): + """ + An Annotation is an assertion made in relation to one or more elements. + """ + annotation_type: AnnotationType + """ + An annotationType describes the type of an annotation. + """ + content_type: List[MediaType] = field(default_factory=list) + """ + ContentType specifies the media type of an Element. + """ + statement: Optional[str] = None + """ + A statement is a commentary on an assertion that an annotator has made. + """ + subject: Element + """ + A subject is an Element an annotator has made an assertion about. + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + annotation_type: AnnotationType, + subject: Element, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: Optional[str] = None, + content_type: List[MediaType] = None, + statement: Optional[str] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + content_type = [] if content_type is None else content_type + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/annotation_type.py b/src/spdx_tools/spdx3/new_model/core/annotation_type.py new file mode 100644 index 000000000..a36e7dae4 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/annotation_type.py @@ -0,0 +1,38 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from beartype.typing import Optional +from enum import Enum, auto + + +class AnnotationType(Enum): + """ + AnnotationType specifies the type of an annotation. + """ + + OTHER = auto() + """ + Used to store extra information about an Element which is not part of a Review (e.g. extra information provided + during the creation of the Element). + """ + REVIEW = auto() + """ + Used when someone reviews the Element. + """ + + def __str__(self) -> str: + if self == AnnotationType.OTHER: + return "other" + if self == AnnotationType.REVIEW: + return "review" + return "unknown" + + @staticmethod + def from_str(value: str) -> Optional['AnnotationType']: + if value == "other": + return AnnotationType.OTHER + if value == "review": + return AnnotationType.REVIEW + return None diff --git a/src/spdx_tools/spdx3/new_model/core/artifact.py b/src/spdx_tools/spdx3/new_model/core/artifact.py new file mode 100644 index 000000000..30eed93ba --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/artifact.py @@ -0,0 +1,49 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from ..core import Agent, CreationInfo, Element, ExternalIdentifier, ExternalReference, IntegrityMethod +from abc import abstractmethod +from beartype.typing import List, Optional +from dataclasses import field +from datetime import datetime + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class Artifact(Element): + """ + An artifact is a distinct article or unit within the digital domain, such as an electronic file, a software package, + a device or an element of data. + """ + originated_by: List[Agent] = field(default_factory=list) + """ + OriginatedBy identifies from where or whom the Element originally came. + """ + supplied_by: List[Agent] = field(default_factory=list) + """ + Identify the actual distribution source for the Artifact being referenced. This might or might not be different from + the originating distribution source for the artifact. + """ + built_time: Optional[datetime] = None + """ + A builtTime specifies the time an artifact was built. + """ + release_time: Optional[datetime] = None + """ + A releaseTime specifies the time an artifact was released. + """ + valid_until_time: Optional[datetime] = None + """ + A validUntilTime specifies until when the artifact can be used before its usage needs to be reassessed. + """ + standard: List[str] = field(default_factory=list) + """ + Various standards may be relevant to useful to capture for specific artifacts. + """ + + @abstractmethod + def __init__(self): + pass diff --git a/src/spdx_tools/spdx3/new_model/core/bom.py b/src/spdx_tools/spdx3/new_model/core/bom.py new file mode 100644 index 000000000..708f04e31 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/bom.py @@ -0,0 +1,44 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from ..core import Bundle, CreationInfo, Element, ExternalIdentifier, ExternalMap, ExternalReference, IntegrityMethod, NamespaceMap +from beartype.typing import List, Optional +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class Bom(Bundle): + """ + A Bill Of Materials (BOM) is a container for a grouping of SPDX-3.0 content characterizing details about a product. + This could include details of the content and composition of the product, provenence details of the product and/or + its composition, licensing information, known quality or security issues, etc. + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + element: List[Element], + root_element: List[Element], + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: Optional[str] = None, + namespaces: List[NamespaceMap] = None, + imports: List[ExternalMap] = None, + context: Optional[str] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + namespaces = [] if namespaces is None else namespaces + imports = [] if imports is None else imports + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/bundle.py b/src/spdx_tools/spdx3/new_model/core/bundle.py new file mode 100644 index 000000000..4c79fa8c7 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/bundle.py @@ -0,0 +1,47 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from ..core import CreationInfo, Element, ElementCollection, ExternalIdentifier, ExternalMap, ExternalReference, IntegrityMethod, NamespaceMap +from beartype.typing import List, Optional +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class Bundle(ElementCollection): + """ + A bundle is a collection of Elements that have a shared context. + """ + context: Optional[str] = None + """ + A context gives information about the circumstances or unifying properties that Elements of the bundle have been + assembled under. + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + element: List[Element], + root_element: List[Element], + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: Optional[str] = None, + namespaces: List[NamespaceMap] = None, + imports: List[ExternalMap] = None, + context: Optional[str] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + namespaces = [] if namespaces is None else namespaces + imports = [] if imports is None else imports + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/creation_info.py b/src/spdx_tools/spdx3/new_model/core/creation_info.py new file mode 100644 index 000000000..859328698 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/creation_info.py @@ -0,0 +1,92 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from ..core import Agent, ProfileIdentifierType, Tool +from abc import ABC +from beartype.typing import List, Optional +from dataclasses import field +from datetime import datetime +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class CreationInfo(ABC): + """ + The CreationInfo provides information about who created the Element, and when and how it was created. + + The dateTime created is often the date of last change (e.g., a git commit date), not the date when the SPDX data was + created, as doing so supports reproducible builds. + """ + spec_version: Optional[str] = None + """ + The specVersion provides a reference number that can be used to understand how to parse and interpret an Element. It + will enable both future changes to the specification and to support backward compatibility. The major version number + shall be incremented when incompatible changes between versions are made (one or more sections are created, modified + or deleted). The minor version number shall be incremented when backwards compatible changes are made. + + Here, parties exchanging information in accordance with the SPDX specification need to provide 100% transparency as + to which SPDX specification version such information is conforming to. + """ + comment: Optional[str] = None + """ + A comment is an optional field for creators of the Element to provide comments to the readers/reviewers of the + document. + """ + created: Optional[datetime] = None + """ + Created is a date that identifies when the Element was originally created. The time stamp can serve as an indication + as to whether the analysis needs to be updated. This is often the date of last change (e.g., a git commit date), not + the date when the SPDX data was created, as doing so supports reproducible builds. + """ + created_by: List[Agent] = field(default_factory=list) + """ + CreatedBy identifies who or what created the Element. The generation method will assist the recipient of the Element + in assessing the general reliability/accuracy of the analysis information. + """ + created_using: List[Tool] = field(default_factory=list) + """ + CreatedUsing identifies the tooling that was used during the creation of the Element. The generation method will + assist the recipient of the Element in assessing the general reliability/accuracy of the analysis information. + """ + profile: List[ProfileIdentifierType] = field(default_factory=list) + """ + This field provides information about which profiles the Element belongs to. + """ + data_license: Optional[str] = None + """ + The data license provides the license under which the SPDX documentation of the Element can be used. This is to + alleviate any concern that content (the data or database) in an SPDX file is subject to any form of intellectual + property right that could restrict the re-use of the information or the creation of another SPDX file for the same + project(s). This approach avoids intellectual property and related restrictions over the SPDX file, however + individuals can still contract with each other to restrict release of specific collections of SPDX files (which map + to software bill of materials) and the identification of the supplier of SPDX files. Compliance with this document + includes populating the SPDX fields therein with data related to such fields ("SPDX-Metadata"). This document + contains numerous fields where an SPDX file creator may provide relevant explanatory text in SPDX-Metadata. Without + opining on the lawfulness of "database rights" (in jurisdictions where applicable), such explanatory text is + copyrightable subject matter in most Berne Convention countries. By using the SPDX specification, or any portion + hereof, you hereby agree that any copyright rights (as determined by your jurisdiction) in any SPDX-Metadata, + including without limitation explanatory text, shall be subject to the terms of the Creative Commons CC0 1.0 + Universal license. For SPDX-Metadata not containing any copyright rights, you hereby agree and acknowledge that the + SPDX-Metadata is provided to you “as-is” and without any representations or warranties of any kind concerning the + SPDX-Metadata, express, implied, statutory or otherwise, including without limitation warranties of title, + merchantability, fitness for a particular purpose, non-infringement, or the absence of latent or other defects, + accuracy, or the presence or absence of errors, whether or not discoverable, all to the greatest extent permissible + under applicable law. + """ + + def __init__( + self, + created_by: List[Agent], + profile: List[ProfileIdentifierType], + spec_version: Optional[str] = None, + comment: Optional[str] = None, + created: Optional[datetime] = None, + created_using: List[Tool] = None, + data_license: Optional[str] = None, + ): + created_using = [] if created_using is None else created_using + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/date_time.py b/src/spdx_tools/spdx3/new_model/core/date_time.py new file mode 100644 index 000000000..cee364688 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/date_time.py @@ -0,0 +1,22 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class DateTime(str): + """ + A Datetime is a string representation of a specific date and time. It has resolution of seconds and is always + expressed in UTC timezone. The specific format is one of the most commonly used ISO-8601 formats. Format + restriction: pattern: ^\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\dZ$ + """ + + def __init__( + self, + ): + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/dictionary_entry.py b/src/spdx_tools/spdx3/new_model/core/dictionary_entry.py new file mode 100644 index 000000000..a587acb1e --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/dictionary_entry.py @@ -0,0 +1,36 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from abc import ABC +from beartype.typing import Optional +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class DictionaryEntry(ABC): + """ + The class used for implementing a generic string mapping (also known as associative array, dictionary, or hash map) + in SPDX. Each DictionaryEntry contains a key-value pair which maps the key to its associated value. To implement a + dictionary, this class is to be used in a collection with unique keys. + """ + key: str + """ + A key used in generic a key-value pair. A key-value pair can be used to implement a dictionary which associates a + key with a value. + """ + value: Optional[str] = None + """ + A value used in a generic key-value pair. A key-value pair can be used to implement a dictionary which associates a + key with a value. + """ + + def __init__( + self, + key: str, + value: Optional[str] = None, + ): + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/element.py b/src/spdx_tools/spdx3/new_model/core/element.py new file mode 100644 index 000000000..59f6d111c --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/element.py @@ -0,0 +1,74 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from ..core import CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod +from abc import ABC, abstractmethod +from beartype.typing import List, Optional +from dataclasses import field + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class Element(ABC): + """ + An Element is a representation of a fundamental concept either directly inherent to the Bill of Materials (BOM) + domain or indirectly related to the BOM domain and necessary for contextually characterizing BOM concepts and + relationships. Within SPDX-3.0 structure this is the base class acting as a consistent, unifying, and interoperable + foundation for all explicit and inter-relatable content objects. + """ + spdx_id: str + """ + SpdxId uniquely identifies an Element which may thereby be referenced by other Elements. These references may be + internal or external. While there may be several versions of the same Element, each one needs to be able to be + referred to uniquely so that relationships between Elements can be clearly articulated. + """ + name: Optional[str] = None + """ + This field identifies the name of an Element as designated by the creator. The name of an Element is an important + convention and easier to refer to than the URI. + """ + summary: Optional[str] = None + """ + A summary is a short description of an Element. Here, the intent is to allow the Element creator to provide concise + information about the function or use of the Element. + """ + description: Optional[str] = None + """ + This field is a detailed description of the Element. It may also be extracted from the Element itself. The intent is + to provide recipients of the SPDX file with a detailed technical explanation of the functionality, anticipated use, + and anticipated implementation of the Element. This field may also include a description of improvements over prior + versions of the Element. + """ + comment: Optional[str] = None + """ + A comment is an optional field for creators of the Element to provide comments to the readers/reviewers of the + document. + """ + creation_info: CreationInfo + """ + CreationInfo provides information about the creation of the Element. + """ + verified_using: List[IntegrityMethod] = field(default_factory=list) + """ + VerifiedUsing provides an IntegrityMethod with which the integrity of an Element can be asserted. + """ + external_reference: List[ExternalReference] = field(default_factory=list) + """ + This field points to a resource outside the scope of the SPDX-3.0 content that provides additional characteristics + of an Element. + """ + external_identifier: List[ExternalIdentifier] = field(default_factory=list) + """ + ExternalIdentifier points to a resource outside the scope of SPDX-3.0 content that uniquely identifies an Element. + """ + extension: Optional[str] = None + """ + TODO + """ + + @abstractmethod + def __init__(self): + pass diff --git a/src/spdx_tools/spdx3/new_model/core/element_collection.py b/src/spdx_tools/spdx3/new_model/core/element_collection.py new file mode 100644 index 000000000..9ac482fb8 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/element_collection.py @@ -0,0 +1,39 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from ..core import CreationInfo, Element, ExternalIdentifier, ExternalMap, ExternalReference, IntegrityMethod, NamespaceMap +from abc import abstractmethod +from beartype.typing import List, Optional +from dataclasses import field + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class ElementCollection(Element): + """ + An SpdxCollection is a collection of Elements, not necessarily with unifying context. + """ + element: List[Element] = field(default_factory=list) + """ + This field refers to one or more Elements that are part of an ElementCollection. + """ + root_element: List[Element] = field(default_factory=list) + """ + A rootElement of a collection is the top level Element from which all other Elements are reached via relationships. + """ + namespaces: List[NamespaceMap] = field(default_factory=list) + """ + This field provides a NamespaceMap applicable to an ElementCollection. + """ + imports: List[ExternalMap] = field(default_factory=list) + """ + Imports provides an ExternalMap of Element identifiers that are used within a document but defined external to that + document. + """ + + @abstractmethod + def __init__(self): + pass diff --git a/src/spdx_tools/spdx3/new_model/core/external_identifier.py b/src/spdx_tools/spdx3/new_model/core/external_identifier.py new file mode 100644 index 000000000..d5bd1c251 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/external_identifier.py @@ -0,0 +1,52 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from ..core import ExternalIdentifierType +from abc import ABC +from beartype.typing import List, Optional +from dataclasses import field +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class ExternalIdentifier(ABC): + """ + An ExternalIdentifier is a reference to a resource outside the scope of SPDX-3.0 content that uniquely identifies an + Element. + """ + external_identifier_type: ExternalIdentifierType + """ + An externalIdentifierType specifies the type of the external identifier. + """ + identifier: str + """ + An identifier uniquely identifies an external element. + """ + comment: Optional[str] = None + """ + A comment is an optional field for creators of the Element to provide comments to the readers/reviewers of the + document. + """ + identifier_locator: List[str] = field(default_factory=list) + """ + A identifierLocator is TODO + """ + issuing_authority: Optional[str] = None + """ + A issuingAuthority is TODO + """ + + def __init__( + self, + external_identifier_type: ExternalIdentifierType, + identifier: str, + comment: Optional[str] = None, + identifier_locator: List[str] = None, + issuing_authority: Optional[str] = None, + ): + identifier_locator = [] if identifier_locator is None else identifier_locator + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/external_identifier_type.py b/src/spdx_tools/spdx3/new_model/core/external_identifier_type.py new file mode 100644 index 000000000..4602e3149 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/external_identifier_type.py @@ -0,0 +1,121 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from beartype.typing import Optional +from enum import Enum, auto + + +class ExternalIdentifierType(Enum): + """ + ExteralIdentifierType specifies the type of an external identifier. + """ + + CPE22 = auto() + """ + https://cpe.mitre.org/files/cpe-specification_2.2.pdf + """ + CPE23 = auto() + """ + https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7695.pdf + """ + CVE = auto() + """ + An identifier for a specific software flaw defined within the official CVE Dictionary and that conforms to the CVE + specification as defined by https://csrc.nist.gov/glossary/term/cve_id. + """ + EMAIL = auto() + """ + https://datatracker.ietf.org/doc/html/rfc3696#section-3 + """ + GITOID = auto() + """ + https://www.iana.org/assignments/uri-schemes/prov/gitoid Gitoid stands for [Git Object + ID](https://git-scm.com/book/en/v2/Git-Internals-Git-Objects) and a gitoid of type blob is a unique hash of a binary + artifact. A gitoid may represent the software [Artifact + ID](https://github.com/omnibor/spec/blob/main/spec/SPEC.md#artifact-id) or the [OmniBOR + Identifier](https://github.com/omnibor/spec/blob/main/spec/SPEC.md#omnibor-identifier) for the software artifact's + associated [OmniBOR Document](https://github.com/omnibor/spec/blob/main/spec/SPEC.md#omnibor-document); this + ambiguity exists because the OmniBOR Document is itself an artifact, and the gitoid of that artifact is its valid + identifier. Omnibor is a minimalistic schema to describe software [Artifact Dependency + Graphs](https://github.com/omnibor/spec/blob/main/spec/SPEC.md#artifact-dependency-graph-adg). Gitoids calculated on + software artifacts (Snippet, File, or Package Elements) should be recorded in the SPDX 3.0 SoftwareArtifact's + ContentIdentifier property. Gitoids calculated on the OmniBOR Document (OmniBOR Identifiers) should be recorded in + the SPDX 3.0 Element's ExternalIdentifier property. + """ + OTHER = auto() + """ + Used when the type doesn't match any of the other options. + """ + PKG_URL = auto() + """ + https://github.com/package-url/purl-spec + """ + SECURITY_OTHER = auto() + """ + Used when there is a security related identifier of unspecified type. + """ + SWHID = auto() + """ + https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html + """ + SWID = auto() + """ + https://www.ietf.org/archive/id/draft-ietf-sacm-coswid-21.html#section-2.3 + """ + URL_SCHEME = auto() + """ + the scheme used in order to locate a resource https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml + """ + + def __str__(self) -> str: + if self == ExternalIdentifierType.CPE22: + return "cpe22" + if self == ExternalIdentifierType.CPE23: + return "cpe23" + if self == ExternalIdentifierType.CVE: + return "cve" + if self == ExternalIdentifierType.EMAIL: + return "email" + if self == ExternalIdentifierType.GITOID: + return "gitoid" + if self == ExternalIdentifierType.OTHER: + return "other" + if self == ExternalIdentifierType.PKG_URL: + return "pkgUrl" + if self == ExternalIdentifierType.SECURITY_OTHER: + return "securityOther" + if self == ExternalIdentifierType.SWHID: + return "swhid" + if self == ExternalIdentifierType.SWID: + return "swid" + if self == ExternalIdentifierType.URL_SCHEME: + return "urlScheme" + return "unknown" + + @staticmethod + def from_str(value: str) -> Optional['ExternalIdentifierType']: + if value == "cpe22": + return ExternalIdentifierType.CPE22 + if value == "cpe23": + return ExternalIdentifierType.CPE23 + if value == "cve": + return ExternalIdentifierType.CVE + if value == "email": + return ExternalIdentifierType.EMAIL + if value == "gitoid": + return ExternalIdentifierType.GITOID + if value == "other": + return ExternalIdentifierType.OTHER + if value == "pkgUrl": + return ExternalIdentifierType.PKG_URL + if value == "securityOther": + return ExternalIdentifierType.SECURITY_OTHER + if value == "swhid": + return ExternalIdentifierType.SWHID + if value == "swid": + return ExternalIdentifierType.SWID + if value == "urlScheme": + return ExternalIdentifierType.URL_SCHEME + return None diff --git a/src/spdx_tools/spdx3/new_model/core/external_map.py b/src/spdx_tools/spdx3/new_model/core/external_map.py new file mode 100644 index 000000000..933249127 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/external_map.py @@ -0,0 +1,48 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from ..core import IntegrityMethod +from abc import ABC +from beartype.typing import List, Optional +from dataclasses import field +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class ExternalMap(ABC): + """ + An External Map is a map of Element identifiers that are used within a Document but defined external to that + Document. The external map provides details about the externally-defined Element such as its provenance, where to + retrieve it, and how to verify its integrity. + """ + external_id: str + """ + ExternalId identifies an external Element used within a Document but defined external to that Document. + """ + verified_using: List[IntegrityMethod] = field(default_factory=list) + """ + VerifiedUsing provides an IntegrityMethod with which the integrity of an Element can be asserted. + """ + location_hint: Optional[str] = None + """ + A locationHint provides an indication of where to retrieve an external Element. + """ + defining_document: Optional[str] = None + """ + A definingDocument property is used to link an Element identifier to an SpdxDocument which contains the definition + for the Element. + """ + + def __init__( + self, + external_id: str, + verified_using: List[IntegrityMethod] = None, + location_hint: Optional[str] = None, + defining_document: Optional[str] = None, + ): + verified_using = [] if verified_using is None else verified_using + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/external_reference.py b/src/spdx_tools/spdx3/new_model/core/external_reference.py new file mode 100644 index 000000000..cd4260f70 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/external_reference.py @@ -0,0 +1,47 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from ..core import ExternalReferenceType, MediaType +from abc import ABC +from beartype.typing import List, Optional +from dataclasses import field +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class ExternalReference(ABC): + """ + An External Reference points to a resource outside the scope of the SPDX-3.0 content that provides additional + characteristics of an Element. + """ + external_reference_type: Optional[ExternalReferenceType] = None + """ + An externalReferenceType specifies the type of the external reference. + """ + locator: List[str] = field(default_factory=list) + """ + A locator provides the location of an external reference. + """ + content_type: Optional[MediaType] = None + """ + ContentType specifies the media type of an Element. + """ + comment: Optional[str] = None + """ + A comment is an optional field for creators of the Element to provide comments to the readers/reviewers of the + document. + """ + + def __init__( + self, + external_reference_type: Optional[ExternalReferenceType] = None, + locator: List[str] = None, + content_type: Optional[MediaType] = None, + comment: Optional[str] = None, + ): + locator = [] if locator is None else locator + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/external_reference_type.py b/src/spdx_tools/spdx3/new_model/core/external_reference_type.py new file mode 100644 index 000000000..7ac6491e7 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/external_reference_type.py @@ -0,0 +1,358 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from beartype.typing import Optional +from enum import Enum, auto + + +class ExternalReferenceType(Enum): + """ + ExteralReferenceType specifies the type of an external reference. + """ + + ALT_DOWNLOAD_LOCATION = auto() + """ + A reference to an alternative download location. + """ + ALT_WEB_PAGE = auto() + """ + A reference to an alternative web page. + """ + BINARY_ARTIFACT = auto() + """ + A reference to binary artifacts related to a package. + """ + BUILD_META = auto() + """ + A reference build metadata related to a published package. + """ + BUILD_SYSTEM = auto() + """ + A reference build system used to create or publish the package. + """ + CHAT = auto() + """ + A reference to the instant messaging system used by the maintainer for a package. + """ + CERTIFICATION_REPORT = auto() + """ + A reference to a certification report for a package from an accredited/independent body. + """ + COMPONENT_ANALYSIS_REPORT = auto() + """ + A reference to a Software Composition Analysis (SCA) report. + """ + DOCUMENTATION = auto() + """ + A reference to the documentation for a package. + """ + DYNAMIC_ANALYSIS_REPORT = auto() + """ + A reference to a dynamic analysis report for a package. + """ + EOL_NOTICE = auto() + """ + A reference to the End Of Sale (EOS) and/or End Of Life (EOL) information related to a package. + """ + EXPORT_CONTROL_ASSESSMENT = auto() + """ + A reference to a export control assessment for a package. + """ + FUNDING = auto() + """ + A reference to funding information related to a package. + """ + ISSUE_TRACKER = auto() + """ + A reference to the issue tracker for a package. + """ + MAILING_LIST = auto() + """ + A reference to the mailing list used by the maintainer for a package. + """ + METRICS = auto() + """ + A reference to metrics related to package such as OpenSSF scorecards. + """ + LICENSE = auto() + """ + A reference to additional license information related to an artifact. + """ + OTHER = auto() + """ + Used when the type doesn't match any of the other options. + """ + PRIVACY_ASSESSMENT = auto() + """ + A reference to a privacy assessment for a package. + """ + PRODUCT_METADATA = auto() + """ + A reference to additional product metadata such as reference within organization's product catalog. + """ + PURCHASE_ORDER = auto() + """ + A reference to a purchase order for a package. + """ + RELEASE_NOTES = auto() + """ + A reference to the release notes for a package. + """ + RELEASE_HISTORY = auto() + """ + A reference to a published list of releases for a package. + """ + RISK_ASSESSMENT = auto() + """ + A reference to a risk assessment for a package. + """ + RUNTIME_ANALYSIS_REPORT = auto() + """ + A reference to a runtime analysis report for a package. + """ + SECURE_SOFTWARE_ATTESTATION = auto() + """ + A reference to information assuring that the software is developed using security practices as defined by [NIST SP + 800-218 Secure Software Development Framework (SSDF)](https://csrc.nist.gov/publications/detail/sp/800-218/final) or + [CISA Secure Software Development Attestation + Form](https://www.cisa.gov/sites/default/files/2023-04/secure-software-self-attestation_common-form_508.pdf). + """ + SECURITY_ADVISORY = auto() + """ + A reference to a published security advisory (where advisory as defined per ISO 29147:2018) that may affect one or + more elements, e.g., vendor advisories or specific NVD entries. + """ + SECURITY_ADVERSARY_MODEL = auto() + """ + A reference to the security adversary model for a package. + """ + SECURITY_FIX = auto() + """ + A reference to the patch or source code that fixes a vulnerability. + """ + SECURITY_OTHER = auto() + """ + A reference to related security information of unspecified type. + """ + SECURITY_PEN_TEST_REPORT = auto() + """ + A reference to a [penetration test](https://en.wikipedia.org/wiki/Penetration_test) report for a package. + """ + SECURITY_POLICY = auto() + """ + A reference to instructions for reporting newly discovered security vulnerabilities for a package. + """ + SECURITY_THREAT_MODEL = auto() + """ + A reference the [security threat model](https://en.wikipedia.org/wiki/Threat_model) for a package. + """ + SOCIAL_MEDIA = auto() + """ + A reference to a social media channel for a package. + """ + SOURCE_ARTIFACT = auto() + """ + A reference to an artifact containing the sources for a package. + """ + STATIC_ANALYSIS_REPORT = auto() + """ + A reference to a static analysis report for a package. + """ + SUPPORT = auto() + """ + A reference to the software support channel or other support information for a package. + """ + VCS = auto() + """ + A reference to a version control system related to a software artifact. + """ + VULNERABILITY_DISCLOSURE_REPORT = auto() + """ + A reference to a Vulnerability Disclosure Report (VDR) which provides the software supplier's analysis and findings + describing the impact (or lack of impact) that reported vulnerabilities have on packages or products in the + supplier's SBOM as defined in [NIST SP 800-161](https://csrc.nist.gov/publications/detail/sp/800-161/rev-1/final). + """ + VULNERABILITY_EXPLOITABILITY_ASSESSMENT = auto() + """ + A reference to a Vulnerability Exploitability eXchange (VEX) statement which provides information on whether a + product is impacted by a specific vulnerability in an included package and, if affected, whether there are actions + recommended to remediate. See also [NTIA VEX + one-page](https://ntia.gov/files/ntia/publications/vex_one-page_summary.pdf).. + """ + QUALITY_ASSESSMENT_REPORT = auto() + """ + A reference to a quality assessment for a package. + """ + + def __str__(self) -> str: + if self == ExternalReferenceType.ALT_DOWNLOAD_LOCATION: + return "altDownloadLocation" + if self == ExternalReferenceType.ALT_WEB_PAGE: + return "altWebPage" + if self == ExternalReferenceType.BINARY_ARTIFACT: + return "binaryArtifact" + if self == ExternalReferenceType.BUILD_META: + return "buildMeta" + if self == ExternalReferenceType.BUILD_SYSTEM: + return "buildSystem" + if self == ExternalReferenceType.CHAT: + return "chat" + if self == ExternalReferenceType.CERTIFICATION_REPORT: + return "certificationReport" + if self == ExternalReferenceType.COMPONENT_ANALYSIS_REPORT: + return "componentAnalysisReport" + if self == ExternalReferenceType.DOCUMENTATION: + return "documentation" + if self == ExternalReferenceType.DYNAMIC_ANALYSIS_REPORT: + return "dynamicAnalysisReport" + if self == ExternalReferenceType.EOL_NOTICE: + return "eolNotice" + if self == ExternalReferenceType.EXPORT_CONTROL_ASSESSMENT: + return "exportControlAssessment" + if self == ExternalReferenceType.FUNDING: + return "funding" + if self == ExternalReferenceType.ISSUE_TRACKER: + return "issueTracker" + if self == ExternalReferenceType.MAILING_LIST: + return "mailingList" + if self == ExternalReferenceType.METRICS: + return "metrics" + if self == ExternalReferenceType.LICENSE: + return "license" + if self == ExternalReferenceType.OTHER: + return "other" + if self == ExternalReferenceType.PRIVACY_ASSESSMENT: + return "privacyAssessment" + if self == ExternalReferenceType.PRODUCT_METADATA: + return "productMetadata" + if self == ExternalReferenceType.PURCHASE_ORDER: + return "purchaseOrder" + if self == ExternalReferenceType.RELEASE_NOTES: + return "releaseNotes" + if self == ExternalReferenceType.RELEASE_HISTORY: + return "releaseHistory" + if self == ExternalReferenceType.RISK_ASSESSMENT: + return "riskAssessment" + if self == ExternalReferenceType.RUNTIME_ANALYSIS_REPORT: + return "runtimeAnalysisReport" + if self == ExternalReferenceType.SECURE_SOFTWARE_ATTESTATION: + return "secureSoftwareAttestation" + if self == ExternalReferenceType.SECURITY_ADVISORY: + return "securityAdvisory" + if self == ExternalReferenceType.SECURITY_ADVERSARY_MODEL: + return "securityAdversaryModel" + if self == ExternalReferenceType.SECURITY_FIX: + return "securityFix" + if self == ExternalReferenceType.SECURITY_OTHER: + return "securityOther" + if self == ExternalReferenceType.SECURITY_PEN_TEST_REPORT: + return "securityPenTestReport" + if self == ExternalReferenceType.SECURITY_POLICY: + return "securityPolicy" + if self == ExternalReferenceType.SECURITY_THREAT_MODEL: + return "securityThreatModel" + if self == ExternalReferenceType.SOCIAL_MEDIA: + return "socialMedia" + if self == ExternalReferenceType.SOURCE_ARTIFACT: + return "sourceArtifact" + if self == ExternalReferenceType.STATIC_ANALYSIS_REPORT: + return "staticAnalysisReport" + if self == ExternalReferenceType.SUPPORT: + return "support" + if self == ExternalReferenceType.VCS: + return "vcs" + if self == ExternalReferenceType.VULNERABILITY_DISCLOSURE_REPORT: + return "vulnerabilityDisclosureReport" + if self == ExternalReferenceType.VULNERABILITY_EXPLOITABILITY_ASSESSMENT: + return "vulnerabilityExploitabilityAssessment" + if self == ExternalReferenceType.QUALITY_ASSESSMENT_REPORT: + return "qualityAssessmentReport" + return "unknown" + + @staticmethod + def from_str(value: str) -> Optional['ExternalReferenceType']: + if value == "altDownloadLocation": + return ExternalReferenceType.ALT_DOWNLOAD_LOCATION + if value == "altWebPage": + return ExternalReferenceType.ALT_WEB_PAGE + if value == "binaryArtifact": + return ExternalReferenceType.BINARY_ARTIFACT + if value == "buildMeta": + return ExternalReferenceType.BUILD_META + if value == "buildSystem": + return ExternalReferenceType.BUILD_SYSTEM + if value == "chat": + return ExternalReferenceType.CHAT + if value == "certificationReport": + return ExternalReferenceType.CERTIFICATION_REPORT + if value == "componentAnalysisReport": + return ExternalReferenceType.COMPONENT_ANALYSIS_REPORT + if value == "documentation": + return ExternalReferenceType.DOCUMENTATION + if value == "dynamicAnalysisReport": + return ExternalReferenceType.DYNAMIC_ANALYSIS_REPORT + if value == "eolNotice": + return ExternalReferenceType.EOL_NOTICE + if value == "exportControlAssessment": + return ExternalReferenceType.EXPORT_CONTROL_ASSESSMENT + if value == "funding": + return ExternalReferenceType.FUNDING + if value == "issueTracker": + return ExternalReferenceType.ISSUE_TRACKER + if value == "mailingList": + return ExternalReferenceType.MAILING_LIST + if value == "metrics": + return ExternalReferenceType.METRICS + if value == "license": + return ExternalReferenceType.LICENSE + if value == "other": + return ExternalReferenceType.OTHER + if value == "privacyAssessment": + return ExternalReferenceType.PRIVACY_ASSESSMENT + if value == "productMetadata": + return ExternalReferenceType.PRODUCT_METADATA + if value == "purchaseOrder": + return ExternalReferenceType.PURCHASE_ORDER + if value == "releaseNotes": + return ExternalReferenceType.RELEASE_NOTES + if value == "releaseHistory": + return ExternalReferenceType.RELEASE_HISTORY + if value == "riskAssessment": + return ExternalReferenceType.RISK_ASSESSMENT + if value == "runtimeAnalysisReport": + return ExternalReferenceType.RUNTIME_ANALYSIS_REPORT + if value == "secureSoftwareAttestation": + return ExternalReferenceType.SECURE_SOFTWARE_ATTESTATION + if value == "securityAdvisory": + return ExternalReferenceType.SECURITY_ADVISORY + if value == "securityAdversaryModel": + return ExternalReferenceType.SECURITY_ADVERSARY_MODEL + if value == "securityFix": + return ExternalReferenceType.SECURITY_FIX + if value == "securityOther": + return ExternalReferenceType.SECURITY_OTHER + if value == "securityPenTestReport": + return ExternalReferenceType.SECURITY_PEN_TEST_REPORT + if value == "securityPolicy": + return ExternalReferenceType.SECURITY_POLICY + if value == "securityThreatModel": + return ExternalReferenceType.SECURITY_THREAT_MODEL + if value == "socialMedia": + return ExternalReferenceType.SOCIAL_MEDIA + if value == "sourceArtifact": + return ExternalReferenceType.SOURCE_ARTIFACT + if value == "staticAnalysisReport": + return ExternalReferenceType.STATIC_ANALYSIS_REPORT + if value == "support": + return ExternalReferenceType.SUPPORT + if value == "vcs": + return ExternalReferenceType.VCS + if value == "vulnerabilityDisclosureReport": + return ExternalReferenceType.VULNERABILITY_DISCLOSURE_REPORT + if value == "vulnerabilityExploitabilityAssessment": + return ExternalReferenceType.VULNERABILITY_EXPLOITABILITY_ASSESSMENT + if value == "qualityAssessmentReport": + return ExternalReferenceType.QUALITY_ASSESSMENT_REPORT + return None diff --git a/src/spdx_tools/spdx3/new_model/core/hash.py b/src/spdx_tools/spdx3/new_model/core/hash.py new file mode 100644 index 000000000..4e639b79c --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/hash.py @@ -0,0 +1,35 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from ..core import HashAlgorithm, IntegrityMethod +from beartype.typing import Optional +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class Hash(IntegrityMethod): + """ + A hash is a grouping of characteristics unique to the result of applying a mathematical algorithm that maps data of + arbitrary size to a bit string (the hash) and is a one-way function, that is, a function which is practically + infeasible to invert. This is commonly used for integrity checking of data. + """ + algorithm: HashAlgorithm + """ + An algorithm specifies the algorithm that was used for calculating the hash value. + """ + hash_value: str + """ + HashValue is the result of applying a hash algorithm to an Element. + """ + + def __init__( + self, + algorithm: HashAlgorithm, + hash_value: str, + comment: Optional[str] = None, + ): + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/hash_algorithm.py b/src/spdx_tools/spdx3/new_model/core/hash_algorithm.py new file mode 100644 index 000000000..b6354c835 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/hash_algorithm.py @@ -0,0 +1,214 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from beartype.typing import Optional +from enum import Enum, auto + + +class HashAlgorithm(Enum): + """ + A HashAlgorithm is a mathematical algorithm that maps data of arbitrary size to a bit string (the hash) and is a + one-way function, that is, a function which is practically infeasible to invert. + """ + + BLAKE2B256 = auto() + """ + blake2b algorithm with a digest size of 256 https://datatracker.ietf.org/doc/html/rfc7693#section-4 + """ + BLAKE2B384 = auto() + """ + blake2b algorithm with a digest size of 384 https://datatracker.ietf.org/doc/html/rfc7693#section-4 + """ + BLAKE2B512 = auto() + """ + blake2b algorithm with a digest size of 512 https://datatracker.ietf.org/doc/html/rfc7693#section-4 + """ + BLAKE3 = auto() + """ + https://github.com/BLAKE3-team/BLAKE3-specs/blob/master/blake3.pdf + """ + CRYSTALS_KYBER = auto() + """ + https://pq-crystals.org/kyber/index.shtml + """ + CRYSTALS_DILITHIUM = auto() + """ + https://pq-crystals.org/dilithium/index.shtml + """ + FALCON = auto() + """ + https://falcon-sign.info/falcon.pdf + """ + MD2 = auto() + """ + https://datatracker.ietf.org/doc/rfc1319/ + """ + MD4 = auto() + """ + https://datatracker.ietf.org/doc/html/rfc1186 + """ + MD5 = auto() + """ + https://datatracker.ietf.org/doc/html/rfc1321 + """ + MD6 = auto() + """ + https://people.csail.mit.edu/rivest/pubs/RABCx08.pdf + """ + OTHER = auto() + """ + any hashing algorithm that does not exist in this list of entries + """ + SHA1 = auto() + """ + https://datatracker.ietf.org/doc/html/rfc3174 + """ + SHA224 = auto() + """ + secure hashing algorithm with a digest length of 224 https://datatracker.ietf.org/doc/html/draft-ietf-pkix-sha224-01 + """ + SHA256 = auto() + """ + secure hashing algorithm with a digest length of 256 https://www.rfc-editor.org/rfc/rfc4634 + """ + SHA3_224 = auto() + """ + sha3 with a digest length of 224 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf + """ + SHA3_256 = auto() + """ + sha3 with a digest length of 256 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf + """ + SHA3_384 = auto() + """ + sha3 with a digest length of 384 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf + """ + SHA3_512 = auto() + """ + sha3 with a digest length of 512 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf + """ + SHA384 = auto() + """ + secure hashing algorithm with a digest length of 384 https://www.rfc-editor.org/rfc/rfc4634 + """ + SHA512 = auto() + """ + secure hashing algorithm with a digest length of 512 https://www.rfc-editor.org/rfc/rfc4634 + """ + SPDX_PVC_SHA1 = auto() + """ + TODOdescription + """ + SPDX_PVC_SHA256 = auto() + """ + TODOdescription + """ + SPHINCS_PLUS = auto() + """ + TODOdescription + """ + + def __str__(self) -> str: + if self == HashAlgorithm.BLAKE2B256: + return "blake2b256" + if self == HashAlgorithm.BLAKE2B384: + return "blake2b384" + if self == HashAlgorithm.BLAKE2B512: + return "blake2b512" + if self == HashAlgorithm.BLAKE3: + return "blake3" + if self == HashAlgorithm.CRYSTALS_KYBER: + return "crystalsKyber" + if self == HashAlgorithm.CRYSTALS_DILITHIUM: + return "crystalsDilithium" + if self == HashAlgorithm.FALCON: + return "falcon" + if self == HashAlgorithm.MD2: + return "md2" + if self == HashAlgorithm.MD4: + return "md4" + if self == HashAlgorithm.MD5: + return "md5" + if self == HashAlgorithm.MD6: + return "md6" + if self == HashAlgorithm.OTHER: + return "other" + if self == HashAlgorithm.SHA1: + return "sha1" + if self == HashAlgorithm.SHA224: + return "sha224" + if self == HashAlgorithm.SHA256: + return "sha256" + if self == HashAlgorithm.SHA3_224: + return "sha3_224" + if self == HashAlgorithm.SHA3_256: + return "sha3_256" + if self == HashAlgorithm.SHA3_384: + return "sha3_384" + if self == HashAlgorithm.SHA3_512: + return "sha3_512" + if self == HashAlgorithm.SHA384: + return "sha384" + if self == HashAlgorithm.SHA512: + return "sha512" + if self == HashAlgorithm.SPDX_PVC_SHA1: + return "spdxPvcSha1" + if self == HashAlgorithm.SPDX_PVC_SHA256: + return "spdxPvcSha256" + if self == HashAlgorithm.SPHINCS_PLUS: + return "sphincsPlus" + return "unknown" + + @staticmethod + def from_str(value: str) -> Optional['HashAlgorithm']: + if value == "blake2b256": + return HashAlgorithm.BLAKE2B256 + if value == "blake2b384": + return HashAlgorithm.BLAKE2B384 + if value == "blake2b512": + return HashAlgorithm.BLAKE2B512 + if value == "blake3": + return HashAlgorithm.BLAKE3 + if value == "crystalsKyber": + return HashAlgorithm.CRYSTALS_KYBER + if value == "crystalsDilithium": + return HashAlgorithm.CRYSTALS_DILITHIUM + if value == "falcon": + return HashAlgorithm.FALCON + if value == "md2": + return HashAlgorithm.MD2 + if value == "md4": + return HashAlgorithm.MD4 + if value == "md5": + return HashAlgorithm.MD5 + if value == "md6": + return HashAlgorithm.MD6 + if value == "other": + return HashAlgorithm.OTHER + if value == "sha1": + return HashAlgorithm.SHA1 + if value == "sha224": + return HashAlgorithm.SHA224 + if value == "sha256": + return HashAlgorithm.SHA256 + if value == "sha3_224": + return HashAlgorithm.SHA3_224 + if value == "sha3_256": + return HashAlgorithm.SHA3_256 + if value == "sha3_384": + return HashAlgorithm.SHA3_384 + if value == "sha3_512": + return HashAlgorithm.SHA3_512 + if value == "sha384": + return HashAlgorithm.SHA384 + if value == "sha512": + return HashAlgorithm.SHA512 + if value == "spdxPvcSha1": + return HashAlgorithm.SPDX_PVC_SHA1 + if value == "spdxPvcSha256": + return HashAlgorithm.SPDX_PVC_SHA256 + if value == "sphincsPlus": + return HashAlgorithm.SPHINCS_PLUS + return None diff --git a/src/spdx_tools/spdx3/new_model/core/integrity_method.py b/src/spdx_tools/spdx3/new_model/core/integrity_method.py new file mode 100644 index 000000000..066950839 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/integrity_method.py @@ -0,0 +1,28 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from abc import ABC, abstractmethod +from beartype.typing import Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class IntegrityMethod(ABC): + """ + An IntegrityMethod provides an independently reproducible mechanism that permits verification of a specific Element + that correlates to the data in this SPDX document. This identifier enables a recipient to determine if anything in + the original Element has been changed and eliminates confusion over which version or modification of a specific + Element is referenced. + """ + comment: Optional[str] = None + """ + A comment is an optional field for creators of the Element to provide comments to the readers/reviewers of the + document. + """ + + @abstractmethod + def __init__(self): + pass diff --git a/src/spdx_tools/spdx3/new_model/core/lifecycle_scope_type.py b/src/spdx_tools/spdx3/new_model/core/lifecycle_scope_type.py new file mode 100644 index 000000000..be88f89a2 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/lifecycle_scope_type.py @@ -0,0 +1,69 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from beartype.typing import Optional +from enum import Enum, auto + + +class LifecycleScopeType(Enum): + """ + TODO + """ + + DESIGN = auto() + """ + TODOdescription + """ + BUILD = auto() + """ + TODOdescription + """ + DEVELOPMENT = auto() + """ + TODOdescription + """ + TEST = auto() + """ + TODOdescription + """ + RUNTIME = auto() + """ + TODOdescription + """ + OTHER = auto() + """ + TODOdescription + """ + + def __str__(self) -> str: + if self == LifecycleScopeType.DESIGN: + return "design" + if self == LifecycleScopeType.BUILD: + return "build" + if self == LifecycleScopeType.DEVELOPMENT: + return "development" + if self == LifecycleScopeType.TEST: + return "test" + if self == LifecycleScopeType.RUNTIME: + return "runtime" + if self == LifecycleScopeType.OTHER: + return "other" + return "unknown" + + @staticmethod + def from_str(value: str) -> Optional['LifecycleScopeType']: + if value == "design": + return LifecycleScopeType.DESIGN + if value == "build": + return LifecycleScopeType.BUILD + if value == "development": + return LifecycleScopeType.DEVELOPMENT + if value == "test": + return LifecycleScopeType.TEST + if value == "runtime": + return LifecycleScopeType.RUNTIME + if value == "other": + return LifecycleScopeType.OTHER + return None diff --git a/src/spdx_tools/spdx3/new_model/core/lifecycle_scoped_relationship.py b/src/spdx_tools/spdx3/new_model/core/lifecycle_scoped_relationship.py new file mode 100644 index 000000000..f32c7f6c8 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/lifecycle_scoped_relationship.py @@ -0,0 +1,48 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from ..core import CreationInfo, Element, ExternalIdentifier, ExternalReference, IntegrityMethod, LifecycleScopeType, Relationship, RelationshipCompleteness, RelationshipType +from beartype.typing import List, Optional +from datetime import datetime +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class LifecycleScopedRelationship(Relationship): + """ + TODO + """ + scope: Optional[LifecycleScopeType] = None + """ + A scope is TODO + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + from_element: Element, + relationship_type: RelationshipType, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: Optional[str] = None, + to: List[Element] = None, + completeness: Optional[RelationshipCompleteness] = None, + start_time: Optional[datetime] = None, + end_time: Optional[datetime] = None, + scope: Optional[LifecycleScopeType] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + to = [] if to is None else to + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/media_type.py b/src/spdx_tools/spdx3/new_model/core/media_type.py new file mode 100644 index 000000000..bdb265c42 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/media_type.py @@ -0,0 +1,22 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class MediaType(str): + """ + The MediaType is a String constrained to the RFC 2046 specification. It provides a standardized way of indicating + the type of content of an Element. A list of all possible media types is available at + https://www.iana.org/assignments/media-types/media-types.xhtml. + """ + + def __init__( + self, + ): + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/namespace_map.py b/src/spdx_tools/spdx3/new_model/core/namespace_map.py new file mode 100644 index 000000000..2b5feb544 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/namespace_map.py @@ -0,0 +1,32 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from abc import ABC +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class NamespaceMap(ABC): + """ + A namespace map allows the creator of a collection of Elements to use shorter identifiers ("prefixes") instead of + URIs to provide a more human-readable and smaller serialized representation of the Elements. + """ + prefix: str + """ + A prefix is a substitute for a URI. + """ + namespace: str + """ + A namespace provides an unambiguous mechanism for other documents to reference Elements within this document. + """ + + def __init__( + self, + prefix: str, + namespace: str, + ): + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/organization.py b/src/spdx_tools/spdx3/new_model/core/organization.py new file mode 100644 index 000000000..bf4b60e5b --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/organization.py @@ -0,0 +1,35 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from ..core import Agent, CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod +from beartype.typing import List, Optional +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class Organization(Agent): + """ + An Organization is a group of people who work together in an organized way for a shared purpose. + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: Optional[str] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/person.py b/src/spdx_tools/spdx3/new_model/core/person.py new file mode 100644 index 000000000..159e1cb6d --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/person.py @@ -0,0 +1,35 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from ..core import Agent, CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod +from beartype.typing import List, Optional +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class Person(Agent): + """ + A Person is an individual human being. + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: Optional[str] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/positive_integer_range.py b/src/spdx_tools/spdx3/new_model/core/positive_integer_range.py new file mode 100644 index 000000000..a2bcdcfc9 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/positive_integer_range.py @@ -0,0 +1,32 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from abc import ABC +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class PositiveIntegerRange(ABC): + """ + PositiveIntegerRange is a tuple of two positive integers that define a range. "begin" must be less than or equal to + "end". + """ + begin: str + """ + begin is a positive integer that defines the beginning of a range. + """ + end: str + """ + end is a positive integer that defines the end of a range. + """ + + def __init__( + self, + begin: str, + end: str, + ): + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/profile_identifier_type.py b/src/spdx_tools/spdx3/new_model/core/profile_identifier_type.py new file mode 100644 index 000000000..e5405ac94 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/profile_identifier_type.py @@ -0,0 +1,94 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from beartype.typing import Optional +from enum import Enum, auto + + +class ProfileIdentifierType(Enum): + """ + There are a set of profiles that have been defined to be valid for a specific release This file enumerates the + values that have been agreed on, and may be applied to the creation information for an an element. + """ + + CORE = auto() + """ + the element follows the Core profile specification + """ + SOFTWARE = auto() + """ + the element follows the Software profile specification + """ + LICENSING = auto() + """ + the element follows the Licensing profile specification + """ + SECURITY = auto() + """ + the element follows the Security profile specification + """ + BUILD = auto() + """ + the element follows the Build profile specification + """ + AI = auto() + """ + the element follows the AI profile specification + """ + DATASET = auto() + """ + the element follows the Dataset profile specification + """ + USAGE = auto() + """ + the element follows the Usage profile specification + """ + EXTENSION = auto() + """ + the element follows the Extension profile specification + """ + + def __str__(self) -> str: + if self == ProfileIdentifierType.CORE: + return "core" + if self == ProfileIdentifierType.SOFTWARE: + return "software" + if self == ProfileIdentifierType.LICENSING: + return "licensing" + if self == ProfileIdentifierType.SECURITY: + return "security" + if self == ProfileIdentifierType.BUILD: + return "build" + if self == ProfileIdentifierType.AI: + return "ai" + if self == ProfileIdentifierType.DATASET: + return "dataset" + if self == ProfileIdentifierType.USAGE: + return "usage" + if self == ProfileIdentifierType.EXTENSION: + return "extension" + return "unknown" + + @staticmethod + def from_str(value: str) -> Optional['ProfileIdentifierType']: + if value == "core": + return ProfileIdentifierType.CORE + if value == "software": + return ProfileIdentifierType.SOFTWARE + if value == "licensing": + return ProfileIdentifierType.LICENSING + if value == "security": + return ProfileIdentifierType.SECURITY + if value == "build": + return ProfileIdentifierType.BUILD + if value == "ai": + return ProfileIdentifierType.AI + if value == "dataset": + return ProfileIdentifierType.DATASET + if value == "usage": + return ProfileIdentifierType.USAGE + if value == "extension": + return ProfileIdentifierType.EXTENSION + return None diff --git a/src/spdx_tools/spdx3/new_model/core/relationship.py b/src/spdx_tools/spdx3/new_model/core/relationship.py new file mode 100644 index 000000000..98b93df31 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/relationship.py @@ -0,0 +1,72 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from ..core import CreationInfo, Element, ExternalIdentifier, ExternalReference, IntegrityMethod, RelationshipCompleteness, RelationshipType +from beartype.typing import List, Optional +from dataclasses import field +from datetime import datetime +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class Relationship(Element): + """ + A Relationship is a grouping of characteristics unique to an assertion that one Element is related to one or more + other Elements in some way. + """ + from_element: Element + """ + This field references the Element on the left-hand side of a relationship. + """ + to: List[Element] = field(default_factory=list) + """ + This field references an Element on the right-hand side of a relationship. + """ + relationship_type: RelationshipType + """ + This field provides information about the relationship between two Elements. For example, you can represent a + relationship between two different Files, between a Package and a File, between two Packages, or between one + SPDXDocument and another SPDXDocument. + """ + completeness: Optional[RelationshipCompleteness] = None + """ + Completeness gives information about whether the provided relationships are complete, known to be incomplete or if + no assertion is made either way. + """ + start_time: Optional[datetime] = None + """ + A startTime specifies the time from which element is applicable / valid. + """ + end_time: Optional[datetime] = None + """ + A endTime specifies the time from which element is no applicable / valid. + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + from_element: Element, + relationship_type: RelationshipType, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: Optional[str] = None, + to: List[Element] = None, + completeness: Optional[RelationshipCompleteness] = None, + start_time: Optional[datetime] = None, + end_time: Optional[datetime] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + to = [] if to is None else to + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/relationship_completeness.py b/src/spdx_tools/spdx3/new_model/core/relationship_completeness.py new file mode 100644 index 000000000..ed0e5f83d --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/relationship_completeness.py @@ -0,0 +1,46 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from beartype.typing import Optional +from enum import Enum, auto + + +class RelationshipCompleteness(Enum): + """ + RelationshipCompleteness indicates whether a relationship is complete or known to be incomplete or if there is made + no assertion either way. + """ + + INCOMPLETE = auto() + """ + The relationship is known not to be exhaustive. + """ + COMPLETE = auto() + """ + The relationship is known to be exhaustive. + """ + NO_ASSERTION = auto() + """ + There can be made no assertion about the completeness of the relationship. + """ + + def __str__(self) -> str: + if self == RelationshipCompleteness.INCOMPLETE: + return "incomplete" + if self == RelationshipCompleteness.COMPLETE: + return "complete" + if self == RelationshipCompleteness.NO_ASSERTION: + return "noAssertion" + return "unknown" + + @staticmethod + def from_str(value: str) -> Optional['RelationshipCompleteness']: + if value == "incomplete": + return RelationshipCompleteness.INCOMPLETE + if value == "complete": + return RelationshipCompleteness.COMPLETE + if value == "noAssertion": + return RelationshipCompleteness.NO_ASSERTION + return None diff --git a/src/spdx_tools/spdx3/new_model/core/relationship_type.py b/src/spdx_tools/spdx3/new_model/core/relationship_type.py new file mode 100644 index 000000000..f4095e430 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/relationship_type.py @@ -0,0 +1,529 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from beartype.typing import Optional +from enum import Enum, auto + + +class RelationshipType(Enum): + """ + Provides information about the relationship between two Elements. For example, you can represent a relationship + between two different Files, between a Package and a File, between two Packages, or between one SPDXDocument and + another SPDXDocument. + """ + + AFFECTS = auto() + """ + (Security/VEX) Designates one or more elements as affected by a vulnerability + """ + AMENDS = auto() + """ + Every `to` Element amends the `from` Element + """ + ANCESTOR = auto() + """ + Every `to` Element is an ancestor of the `from` Element + """ + AVAILABLE_FROM = auto() + """ + This relationship is used to identify additional suppliers where an artifact is available from. + """ + BUILD_DEPENDENCY = auto() + """ + Every `to` Element is a build dependency of the `from` Element + """ + BUILD_TOOL = auto() + """ + Build tool used to build an Element. This may be used to describe the build tool of a Build instance + """ + COORDINATED_BY = auto() + """ + (Security) Used to identify the vendor, researcher, or consumer agent performing coordination for a vulnerability + """ + CONTAINS = auto() + """ + Every `to` Element is contained by the `from` Element + """ + CONFIG_OF = auto() + """ + (Build) Configuration information applied to an Element instance during a LifeycleScopeType period. Example: Build + configuration of the build instance + """ + COPY = auto() + """ + Every `to` Element is a copy of the `from` Element + """ + DATA_FILE = auto() + """ + Every `to` Element is a data file related to the the `from` Element + """ + DEPENDENCY_MANIFEST = auto() + """ + Every `to` Element is manifest file containing dependency information related to the `from` Element + """ + DEPENDS_ON = auto() + """ + Every `to` Element is a dependecy of the `from` Element + """ + DESCENDANT = auto() + """ + This relationship may be used to describe child builds of a Build instance. + """ + DESCRIBES = auto() + """ + Every `to` Element is described by the `from` Element. This can be used to denote the root(s) of a tree of elements + contained in an SBOM. + """ + DEV_DEPENDENCY = auto() + """ + Every `to` Element is a development dependency for the `from` Element + """ + DEV_TOOL = auto() + """ + Every `to` Element is a development tool for the `from` Element + """ + DISTRIBUTION_ARTIFACT = auto() + """ + Every `to` Element is an artifact intended for distribution of the `from` Element (e.g. an RPM or archive file) + """ + DOCUMENTATION = auto() + """ + Every `to` Element is documentation for the `from` Element + """ + DOES_NOT_AFFECT = auto() + """ + (Security/VEX) Specifies a vulnerability has no impact on one or more elements + """ + DYNAMIC_LINK = auto() + """ + Every `to` Element is dynamically linked to the `from` Element + """ + EXAMPLE = auto() + """ + Every `to` Element is an example for the `from` Element + """ + EVIDENCE_FOR = auto() + """ + (Dataset) Every `to` Element is can be considered as evidence for the `from` Element + """ + EXPANDED_FROM_ARCHIVE = auto() + """ + Every `to` Element is an artifact expanded from the `from` archive file + """ + EXPLOIT_CREATED_BY = auto() + """ + (Security) Designates an agent has created an exploit against a vulnerability + """ + FILE_ADDED = auto() + """ + Every `to` Element is is a file added to the `from` Element + """ + FILE_DELETED = auto() + """ + Every `to` Element is a file deleted from the `from` Element + """ + FILE_MODIFIED = auto() + """ + Every `to` Element is a modification of the `from` Element + """ + FIXED_BY = auto() + """ + (Security) Designates a vulnerability has been fixed by an agent + """ + FIXED_IN = auto() + """ + (Security/VEX) A vulnerability has been fixed in one or more elements + """ + FOUND_BY = auto() + """ + (Security) Designates an agent was the original discoverer of a security vulnerability + """ + GENERATES = auto() + """ + Every `to` Element is generated from the `from` Element + """ + HAS_ASSESSMENT_FOR = auto() + """ + (Security) Relates a Vulnerability and an Element with a security assessment. + """ + HAS_ASSOCIATED_VULNERABILITY = auto() + """ + (Security) Used to associate a security vulnerability with a software artifact + """ + HOST_OF = auto() + """ + (Build) The`from` Element in which every instance of the `to` Element during a LifecycleScopeType period runs on. + Example: host that the build runs on for an element. + """ + INPUT_OF = auto() + """ + (Build) Input to the Element instance during a LifecycleScopeType period. Example: input to the build instance for + an element. + """ + INVOKED_BY = auto() + """ + (Build) Every`to` Agent that invoked a `from` Element instance during a LifecycleScopeType period. Example: Agent + that invoked the build for an element + """ + METAFILE = auto() + """ + Every `to` Element is is a file containing metadata about the `from` Element + """ + ON_BEHALF_OF = auto() + """ + (Build) Every `to` Agent acting on behalf of another `from` Agent during a LifecycleScopeType period + """ + OPTIONAL_COMPONENT = auto() + """ + Every `to` Element is an optional component of the `from` Element + """ + OPTIONAL_DEPENDENCY = auto() + """ + Every `to` Element is an optional dependency of the `from` Element + """ + OTHER = auto() + """ + Every `to` Element is related to the `from` Element where the relationship type is not described by any of the SPDX + relationhip types + """ + OUTPUT_OF = auto() + """ + (Build) `from` Element that is output `to` the Element instance during a LifecycleScopeType period. Example: output + of the build instance + """ + PACKAGES = auto() + """ + Every `to` Element is a packaged form of the `from` Element + """ + PATCH = auto() + """ + Every `to` Element is a patch for the `from` Element + """ + PREREQUISITE = auto() + """ + Every `to` Element is a prerequisite of the `from` Element + """ + PROVIDED_DEPENDENCY = auto() + """ + Every `to` Element is a dependency not included in the distributed artifact but is assumed to be provided the `from` + Element + """ + PUBLISHED_BY = auto() + """ + (Security) Designates the agent that made a vulnerability record available for public use or reference + """ + REPORTED_BY = auto() + """ + (Security) Designates the agent that first reported a vulnerability to the project, vendor, or tracking database for + formal identification + """ + REPUBLISHED_BY = auto() + """ + (Security) Designates the agent that tracked, aggregated, and/or enriched vulnerability details to improve context + (i.e. NVD) + """ + REQUIREMENT_FOR = auto() + """ + Every `to` Element is required for the `from` Element + """ + RUNTIME_DEPENDENCY = auto() + """ + Every `to` Element is a runtime dependency for the `from` Element + """ + SPECIFICATION_FOR = auto() + """ + Every `to` Element is a specification for the `from` Element + """ + STATIC_LINK = auto() + """ + Every `to` Element is statically linked to the `from` Element + """ + TEST = auto() + """ + Every `to` Element is a test artifact for the `from` Element + """ + TEST_CASE = auto() + """ + Every `to` Element is a test case for the `from` Element + """ + TEST_DEPENDENCY = auto() + """ + Every `to` Element is a test dependency for the `from` Element + """ + TEST_TOOL = auto() + """ + Every `to` Element is a test tool for the `from` Element + """ + TESTED_ON = auto() + """ + (AI, Dataset) The `from` Element has been tested on the `to` Element + """ + TRAINED_ON = auto() + """ + (AI, Dataset) The `from` Element has been trained by the `to` Element(s) + """ + UNDER_INVESTIGATION_FOR = auto() + """ + (Security/VEX) The impact of a vulnerability is being investigated + """ + VARIANT = auto() + """ + Every `to` Element is a variant the `from` Element + """ + + def __str__(self) -> str: + if self == RelationshipType.AFFECTS: + return "affects" + if self == RelationshipType.AMENDS: + return "amends" + if self == RelationshipType.ANCESTOR: + return "ancestor" + if self == RelationshipType.AVAILABLE_FROM: + return "availableFrom" + if self == RelationshipType.BUILD_DEPENDENCY: + return "buildDependency" + if self == RelationshipType.BUILD_TOOL: + return "buildTool" + if self == RelationshipType.COORDINATED_BY: + return "coordinatedBy" + if self == RelationshipType.CONTAINS: + return "contains" + if self == RelationshipType.CONFIG_OF: + return "configOf" + if self == RelationshipType.COPY: + return "copy" + if self == RelationshipType.DATA_FILE: + return "dataFile" + if self == RelationshipType.DEPENDENCY_MANIFEST: + return "dependencyManifest" + if self == RelationshipType.DEPENDS_ON: + return "dependsOn" + if self == RelationshipType.DESCENDANT: + return "descendant" + if self == RelationshipType.DESCRIBES: + return "describes" + if self == RelationshipType.DEV_DEPENDENCY: + return "devDependency" + if self == RelationshipType.DEV_TOOL: + return "devTool" + if self == RelationshipType.DISTRIBUTION_ARTIFACT: + return "distributionArtifact" + if self == RelationshipType.DOCUMENTATION: + return "documentation" + if self == RelationshipType.DOES_NOT_AFFECT: + return "doesNotAffect" + if self == RelationshipType.DYNAMIC_LINK: + return "dynamicLink" + if self == RelationshipType.EXAMPLE: + return "example" + if self == RelationshipType.EVIDENCE_FOR: + return "evidenceFor" + if self == RelationshipType.EXPANDED_FROM_ARCHIVE: + return "expandedFromArchive" + if self == RelationshipType.EXPLOIT_CREATED_BY: + return "exploitCreatedBy" + if self == RelationshipType.FILE_ADDED: + return "fileAdded" + if self == RelationshipType.FILE_DELETED: + return "fileDeleted" + if self == RelationshipType.FILE_MODIFIED: + return "fileModified" + if self == RelationshipType.FIXED_BY: + return "fixedBy" + if self == RelationshipType.FIXED_IN: + return "fixedIn" + if self == RelationshipType.FOUND_BY: + return "foundBy" + if self == RelationshipType.GENERATES: + return "generates" + if self == RelationshipType.HAS_ASSESSMENT_FOR: + return "hasAssessmentFor" + if self == RelationshipType.HAS_ASSOCIATED_VULNERABILITY: + return "hasAssociatedVulnerability" + if self == RelationshipType.HOST_OF: + return "hostOf" + if self == RelationshipType.INPUT_OF: + return "inputOf" + if self == RelationshipType.INVOKED_BY: + return "invokedBy" + if self == RelationshipType.METAFILE: + return "metafile" + if self == RelationshipType.ON_BEHALF_OF: + return "onBehalfOf" + if self == RelationshipType.OPTIONAL_COMPONENT: + return "optionalComponent" + if self == RelationshipType.OPTIONAL_DEPENDENCY: + return "optionalDependency" + if self == RelationshipType.OTHER: + return "other" + if self == RelationshipType.OUTPUT_OF: + return "outputOf" + if self == RelationshipType.PACKAGES: + return "packages" + if self == RelationshipType.PATCH: + return "patch" + if self == RelationshipType.PREREQUISITE: + return "prerequisite" + if self == RelationshipType.PROVIDED_DEPENDENCY: + return "providedDependency" + if self == RelationshipType.PUBLISHED_BY: + return "publishedBy" + if self == RelationshipType.REPORTED_BY: + return "reportedBy" + if self == RelationshipType.REPUBLISHED_BY: + return "republishedBy" + if self == RelationshipType.REQUIREMENT_FOR: + return "requirementFor" + if self == RelationshipType.RUNTIME_DEPENDENCY: + return "runtimeDependency" + if self == RelationshipType.SPECIFICATION_FOR: + return "specificationFor" + if self == RelationshipType.STATIC_LINK: + return "staticLink" + if self == RelationshipType.TEST: + return "test" + if self == RelationshipType.TEST_CASE: + return "testCase" + if self == RelationshipType.TEST_DEPENDENCY: + return "testDependency" + if self == RelationshipType.TEST_TOOL: + return "testTool" + if self == RelationshipType.TESTED_ON: + return "testedOn" + if self == RelationshipType.TRAINED_ON: + return "trainedOn" + if self == RelationshipType.UNDER_INVESTIGATION_FOR: + return "underInvestigationFor" + if self == RelationshipType.VARIANT: + return "variant" + return "unknown" + + @staticmethod + def from_str(value: str) -> Optional['RelationshipType']: + if value == "affects": + return RelationshipType.AFFECTS + if value == "amends": + return RelationshipType.AMENDS + if value == "ancestor": + return RelationshipType.ANCESTOR + if value == "availableFrom": + return RelationshipType.AVAILABLE_FROM + if value == "buildDependency": + return RelationshipType.BUILD_DEPENDENCY + if value == "buildTool": + return RelationshipType.BUILD_TOOL + if value == "coordinatedBy": + return RelationshipType.COORDINATED_BY + if value == "contains": + return RelationshipType.CONTAINS + if value == "configOf": + return RelationshipType.CONFIG_OF + if value == "copy": + return RelationshipType.COPY + if value == "dataFile": + return RelationshipType.DATA_FILE + if value == "dependencyManifest": + return RelationshipType.DEPENDENCY_MANIFEST + if value == "dependsOn": + return RelationshipType.DEPENDS_ON + if value == "descendant": + return RelationshipType.DESCENDANT + if value == "describes": + return RelationshipType.DESCRIBES + if value == "devDependency": + return RelationshipType.DEV_DEPENDENCY + if value == "devTool": + return RelationshipType.DEV_TOOL + if value == "distributionArtifact": + return RelationshipType.DISTRIBUTION_ARTIFACT + if value == "documentation": + return RelationshipType.DOCUMENTATION + if value == "doesNotAffect": + return RelationshipType.DOES_NOT_AFFECT + if value == "dynamicLink": + return RelationshipType.DYNAMIC_LINK + if value == "example": + return RelationshipType.EXAMPLE + if value == "evidenceFor": + return RelationshipType.EVIDENCE_FOR + if value == "expandedFromArchive": + return RelationshipType.EXPANDED_FROM_ARCHIVE + if value == "exploitCreatedBy": + return RelationshipType.EXPLOIT_CREATED_BY + if value == "fileAdded": + return RelationshipType.FILE_ADDED + if value == "fileDeleted": + return RelationshipType.FILE_DELETED + if value == "fileModified": + return RelationshipType.FILE_MODIFIED + if value == "fixedBy": + return RelationshipType.FIXED_BY + if value == "fixedIn": + return RelationshipType.FIXED_IN + if value == "foundBy": + return RelationshipType.FOUND_BY + if value == "generates": + return RelationshipType.GENERATES + if value == "hasAssessmentFor": + return RelationshipType.HAS_ASSESSMENT_FOR + if value == "hasAssociatedVulnerability": + return RelationshipType.HAS_ASSOCIATED_VULNERABILITY + if value == "hostOf": + return RelationshipType.HOST_OF + if value == "inputOf": + return RelationshipType.INPUT_OF + if value == "invokedBy": + return RelationshipType.INVOKED_BY + if value == "metafile": + return RelationshipType.METAFILE + if value == "onBehalfOf": + return RelationshipType.ON_BEHALF_OF + if value == "optionalComponent": + return RelationshipType.OPTIONAL_COMPONENT + if value == "optionalDependency": + return RelationshipType.OPTIONAL_DEPENDENCY + if value == "other": + return RelationshipType.OTHER + if value == "outputOf": + return RelationshipType.OUTPUT_OF + if value == "packages": + return RelationshipType.PACKAGES + if value == "patch": + return RelationshipType.PATCH + if value == "prerequisite": + return RelationshipType.PREREQUISITE + if value == "providedDependency": + return RelationshipType.PROVIDED_DEPENDENCY + if value == "publishedBy": + return RelationshipType.PUBLISHED_BY + if value == "reportedBy": + return RelationshipType.REPORTED_BY + if value == "republishedBy": + return RelationshipType.REPUBLISHED_BY + if value == "requirementFor": + return RelationshipType.REQUIREMENT_FOR + if value == "runtimeDependency": + return RelationshipType.RUNTIME_DEPENDENCY + if value == "specificationFor": + return RelationshipType.SPECIFICATION_FOR + if value == "staticLink": + return RelationshipType.STATIC_LINK + if value == "test": + return RelationshipType.TEST + if value == "testCase": + return RelationshipType.TEST_CASE + if value == "testDependency": + return RelationshipType.TEST_DEPENDENCY + if value == "testTool": + return RelationshipType.TEST_TOOL + if value == "testedOn": + return RelationshipType.TESTED_ON + if value == "trainedOn": + return RelationshipType.TRAINED_ON + if value == "underInvestigationFor": + return RelationshipType.UNDER_INVESTIGATION_FOR + if value == "variant": + return RelationshipType.VARIANT + return None diff --git a/src/spdx_tools/spdx3/new_model/core/sem_ver.py b/src/spdx_tools/spdx3/new_model/core/sem_ver.py new file mode 100644 index 000000000..a7fcbf031 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/sem_ver.py @@ -0,0 +1,22 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class SemVer(str): + """ + The semantic version is a string that is following the specification of [Semantic Versioning + 2.0.0](https://semver.org/). Format restriction: pattern: + ^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$ + """ + + def __init__( + self, + ): + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/software_agent.py b/src/spdx_tools/spdx3/new_model/core/software_agent.py new file mode 100644 index 000000000..b839eeae8 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/software_agent.py @@ -0,0 +1,36 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from ..core import Agent, CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod +from beartype.typing import List, Optional +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class SoftwareAgent(Agent): + """ + A SoftwareAgent is a software program that is given the authority (similar to a user's authority) to act on a + system. + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: Optional[str] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/spdx_document.py b/src/spdx_tools/spdx3/new_model/core/spdx_document.py new file mode 100644 index 000000000..eaecd2a43 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/spdx_document.py @@ -0,0 +1,50 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from ..core import Bundle, CreationInfo, Element, ExternalIdentifier, ExternalMap, ExternalReference, IntegrityMethod, NamespaceMap +from beartype.typing import List, Optional +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class SpdxDocument(Bundle): + """ + An SpdxDocument assembles a collection of Elements under a common string, the name of the document. Commonly used + when representing a unit of transfer of SPDX Elements. External property restriction on /Core/Element/name: + minCount: 1 + """ + name: str + """ + This field identifies the name of an Element as designated by the creator. The name of an Element is an important + convention and easier to refer to than the URI. + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + element: List[Element], + root_element: List[Element], + name: str, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: Optional[str] = None, + namespaces: List[NamespaceMap] = None, + imports: List[ExternalMap] = None, + context: Optional[str] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + namespaces = [] if namespaces is None else namespaces + imports = [] if imports is None else imports + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/tool.py b/src/spdx_tools/spdx3/new_model/core/tool.py new file mode 100644 index 000000000..3d8918260 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/core/tool.py @@ -0,0 +1,35 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from ..core import CreationInfo, Element, ExternalIdentifier, ExternalReference, IntegrityMethod +from beartype.typing import List, Optional +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class Tool(Element): + """ + A Tool is an element of hardware and/or software utilized to carry out a particular function. + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: Optional[str] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/dataset/__init__.py b/src/spdx_tools/spdx3/new_model/dataset/__init__.py new file mode 100644 index 000000000..232b007b2 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/dataset/__init__.py @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from .confidentiality_level_type import ConfidentialityLevelType +from .dataset import Dataset +from .dataset_availability_type import DatasetAvailabilityType +from .dataset_type import DatasetType diff --git a/src/spdx_tools/spdx3/new_model/dataset/confidentiality_level_type.py b/src/spdx_tools/spdx3/new_model/dataset/confidentiality_level_type.py new file mode 100644 index 000000000..33a4f91f6 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/dataset/confidentiality_level_type.py @@ -0,0 +1,54 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from beartype.typing import Optional +from enum import Enum, auto + + +class ConfidentialityLevelType(Enum): + """ + Describes the different confidentiality levels as given by the [Traffic Light + Protocol](https://en.wikipedia.org/wiki/Traffic_Light_Protocol). + """ + + RED = auto() + """ + Data points in the dataset are highly confidential and can only be shared with named recipients. + """ + AMBER = auto() + """ + Data points in the dataset can be shared only with specific organizations and their clients on a need to know basis. + """ + GREEN = auto() + """ + Dataset can be shared within a community of peers and partners. + """ + CLEAR = auto() + """ + Dataset may be distributed freely, without restriction. + """ + + def __str__(self) -> str: + if self == ConfidentialityLevelType.RED: + return "Red" + if self == ConfidentialityLevelType.AMBER: + return "Amber" + if self == ConfidentialityLevelType.GREEN: + return "Green" + if self == ConfidentialityLevelType.CLEAR: + return "Clear" + return "unknown" + + @staticmethod + def from_str(value: str) -> Optional['ConfidentialityLevelType']: + if value == "Red": + return ConfidentialityLevelType.RED + if value == "Amber": + return ConfidentialityLevelType.AMBER + if value == "Green": + return ConfidentialityLevelType.GREEN + if value == "Clear": + return ConfidentialityLevelType.CLEAR + return None diff --git a/src/spdx_tools/spdx3/new_model/dataset/dataset.py b/src/spdx_tools/spdx3/new_model/dataset/dataset.py new file mode 100644 index 000000000..a06b03842 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/dataset/dataset.py @@ -0,0 +1,147 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from ..core import Agent, CreationInfo, DictionaryEntry, ExternalIdentifier, ExternalReference, IntegrityMethod +from ..dataset import ConfidentialityLevelType, DatasetAvailabilityType, DatasetType, PresenceType +from ..licensing import AnyLicenseInfo +from ..software import Package, SoftwarePurpose +from beartype.typing import List, Optional +from dataclasses import field +from datetime import datetime +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class Dataset(Package): + """ + Metadata information that can be added to a dataset that may be used in a software or to train/test an AI package. + External property restriction on /Core/Artifact/originatedBy: minCount: 1 External property restriction on + /Software/Package/downloadLocation: minCount: 1 External property restriction on + /Software/SoftwareArtifact/primaryPurpose: minCount: 1 External property restriction on /Core/Artifact/releaseTime: + minCount: 1 External property restriction on /Core/Artifact/builtTime: minCount: 1 + """ + dataset_type: List[DatasetType] = field(default_factory=list) + """ + Type describes the datatype contained in the dataset. For example a dataset can be an image dataset for computer + vision applications, a text dataset such as the contents of a book or Wikipedia article, or sometimes a multimodal + dataset that contains multiple types of data. + """ + data_collection_process: Optional[str] = None + """ + DataCollectionProcess describes how a dataset was collected. Examples include the sources from which a dataset was + scrapped or the interview protocol that was used for data collection. + """ + intended_use: Optional[str] = None + """ + IntendedUse describes what the given dataset should be used for. Some datasets are collected to be used only for + particular purposes. For example, medical data collected from a specific demography might only be applicable for + training machine learning models to make predictions for that demography. In such a case, the intendedUse field + would capture this information. Similarly, if a dataset is collected for building a facial recognition model, the + intendedUse field would specify that. + """ + dataset_size: Optional[str] = None + """ + DatasetSize Captures how large a dataset is. The size is to be measured in bytes. + """ + dataset_noise: Optional[str] = None + """ + DatasetNoise describes what kinds of noises a dataset might encompass. The field uses free form text to specify the + fields or the samples that might be noisy. Alternatively, it can also be used to describe various noises that could + impact the whole dataset. + """ + data_preprocessing: List[str] = field(default_factory=list) + """ + DataPreprocessing describes the various preprocessing steps that were applied to the raw data to create the dataset. + """ + sensor: List[DictionaryEntry] = field(default_factory=list) + """ + Sensor describes a sensor that was used for collecting the data and its calibration value as a key-value pair. + """ + known_bias: List[str] = field(default_factory=list) + """ + KnownBias is a free form text field that describes the different biases that the dataset encompasses. + """ + sensitive_personal_information: Optional[PresenceType] = None + """ + SensitivePersonalInformation indicates the presence of sensitive personal data or information that allows drawing + conclusions about a person's identity. + """ + anonymization_method_used: List[str] = field(default_factory=list) + """ + AnonymizationMethodUsed describes the methods used to anonymize the dataset (of fields in the dataset). + """ + confidentiality_level: Optional[ConfidentialityLevelType] = None + """ + ConfidentialityLevel describes the levels of confidentiality of the data points contained in the dataset. + """ + dataset_update_mechanism: Optional[str] = None + """ + DatasetUpdateMechanism describes a mechanism to update the dataset. + """ + dataset_availability: Optional[DatasetAvailabilityType] = None + """ + Some datasets are publicly available and can be downloaded directly. Others are only accessible behind a + clickthrough, or after filling a registration form. This field will describe the dataset availability from that + perspective. + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + dataset_type: List[DatasetType], + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: Optional[str] = None, + originated_by: List[Agent] = None, + supplied_by: List[Agent] = None, + built_time: Optional[datetime] = None, + release_time: Optional[datetime] = None, + valid_until_time: Optional[datetime] = None, + standard: List[str] = None, + content_identifier: Optional[str] = None, + primary_purpose: Optional[SoftwarePurpose] = None, + additional_purpose: List[SoftwarePurpose] = None, + concluded_license: Optional[AnyLicenseInfo] = None, + declared_license: Optional[AnyLicenseInfo] = None, + copyright_text: Optional[str] = None, + attribution_text: Optional[str] = None, + package_version: Optional[str] = None, + download_location: Optional[str] = None, + package_url: Optional[str] = None, + homepage: Optional[str] = None, + source_info: Optional[str] = None, + data_collection_process: Optional[str] = None, + intended_use: Optional[str] = None, + dataset_size: Optional[str] = None, + dataset_noise: Optional[str] = None, + data_preprocessing: List[str] = None, + sensor: List[DictionaryEntry] = None, + known_bias: List[str] = None, + sensitive_personal_information: Optional[PresenceType] = None, + anonymization_method_used: List[str] = None, + confidentiality_level: Optional[ConfidentialityLevelType] = None, + dataset_update_mechanism: Optional[str] = None, + dataset_availability: Optional[DatasetAvailabilityType] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + originated_by = [] if originated_by is None else originated_by + supplied_by = [] if supplied_by is None else supplied_by + standard = [] if standard is None else standard + additional_purpose = [] if additional_purpose is None else additional_purpose + data_preprocessing = [] if data_preprocessing is None else data_preprocessing + sensor = [] if sensor is None else sensor + known_bias = [] if known_bias is None else known_bias + anonymization_method_used = [] if anonymization_method_used is None else anonymization_method_used + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/dataset/dataset_availability_type.py b/src/spdx_tools/spdx3/new_model/dataset/dataset_availability_type.py new file mode 100644 index 000000000..60ee807a6 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/dataset/dataset_availability_type.py @@ -0,0 +1,67 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from beartype.typing import Optional +from enum import Enum, auto + + +class DatasetAvailabilityType(Enum): + """ + Describes the possible types of availability of a dataset, indicating whether the dataset can be directly + downloaded, can be assembled using a script for scraping the data, is only available after a clickthrough or a + registration form. + """ + + DIRECT-_DOWNLOAD = auto() + """ + the dataset is publicly available and can be downloaded directly. + """ + SCRAPING-_SCRIPT = auto() + """ + the dataset provider is not making available the underlying data and the dataset must be reassembled, typically + using the provided script for scraping the data. + """ + QUERY = auto() + """ + the dataset is publicly available, but not all at once, and can only be accessed through queries which return parts + of the dataset. + """ + CLICKTHROUGH = auto() + """ + the dataset is not publicly available and can only be accessed after affirmatively accepting terms on a clickthrough + webpage. + """ + REGISTRATION = auto() + """ + the dataset is not publicly available and an email registration is required before accessing the dataset, although + without an affirmative acceptance of terms. + """ + + def __str__(self) -> str: + if self == DatasetAvailabilityType.DIRECT-_DOWNLOAD: + return "Direct-Download" + if self == DatasetAvailabilityType.SCRAPING-_SCRIPT: + return "Scraping-Script" + if self == DatasetAvailabilityType.QUERY: + return "Query" + if self == DatasetAvailabilityType.CLICKTHROUGH: + return "Clickthrough" + if self == DatasetAvailabilityType.REGISTRATION: + return "Registration" + return "unknown" + + @staticmethod + def from_str(value: str) -> Optional['DatasetAvailabilityType']: + if value == "Direct-Download": + return DatasetAvailabilityType.DIRECT-_DOWNLOAD + if value == "Scraping-Script": + return DatasetAvailabilityType.SCRAPING-_SCRIPT + if value == "Query": + return DatasetAvailabilityType.QUERY + if value == "Clickthrough": + return DatasetAvailabilityType.CLICKTHROUGH + if value == "Registration": + return DatasetAvailabilityType.REGISTRATION + return None diff --git a/src/spdx_tools/spdx3/new_model/dataset/dataset_type.py b/src/spdx_tools/spdx3/new_model/dataset/dataset_type.py new file mode 100644 index 000000000..c459e39a4 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/dataset/dataset_type.py @@ -0,0 +1,139 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from beartype.typing import Optional +from enum import Enum, auto + + +class DatasetType(Enum): + """ + Describes the different structures of data within a given dataset. A dataset can have multiple types of data, or + even a single type of data but still match multiple types, for example sensor data could also be timeseries or + labeled image data could also be considered categorical. + """ + + STRUCTURED = auto() + """ + data is stored in tabular format or retrieved from a relational database. + """ + NUMERIC = auto() + """ + data consists only of numeric entries. + """ + TEXT = auto() + """ + data consists of unstructured text, such as a book, wikipedia article (without images), or transcript. + """ + CATEGORICAL = auto() + """ + data that is classified into a discrete number of categories, such as the eye color of a population of people. + """ + GRAPH = auto() + """ + data is in the form of a graph where entries are somehow related to each other through edges, such a social network + of friends. + """ + TIMESERIES = auto() + """ + data is recorded in an ordered sequence of timestamped entries, such as the price of a stock over the course of a + day. + """ + TIMESTAMP = auto() + """ + data is recorded with a timestamp for each entry, but not necessarily ordered or at specific intervals, such as when + a taxi ride starts and ends. + """ + SENSOR = auto() + """ + data is recorded from a physical sensor, such as a thermometer reading or biometric device. + """ + IMAGE = auto() + """ + data is a collection of images such as pictures of animals. + """ + SYNTACTIC = auto() + """ + data describes the syntax or semantics of a language or text, such as a parse tree used for natural language + processing. + """ + AUDIO = auto() + """ + data is audio based, such as a collection of music from the 80s. + """ + VIDEO = auto() + """ + data is video based, such as a collection of movie clips featuring Tom Hanks. + """ + OTHER = auto() + """ + data is of a type not included in this list. + """ + NO_ASSERTION = auto() + """ + data type is not known. + """ + + def __str__(self) -> str: + if self == DatasetType.STRUCTURED: + return "structured" + if self == DatasetType.NUMERIC: + return "numeric" + if self == DatasetType.TEXT: + return "text" + if self == DatasetType.CATEGORICAL: + return "categorical" + if self == DatasetType.GRAPH: + return "graph" + if self == DatasetType.TIMESERIES: + return "timeseries" + if self == DatasetType.TIMESTAMP: + return "timestamp" + if self == DatasetType.SENSOR: + return "sensor" + if self == DatasetType.IMAGE: + return "image" + if self == DatasetType.SYNTACTIC: + return "syntactic" + if self == DatasetType.AUDIO: + return "audio" + if self == DatasetType.VIDEO: + return "video" + if self == DatasetType.OTHER: + return "other" + if self == DatasetType.NO_ASSERTION: + return "noAssertion" + return "unknown" + + @staticmethod + def from_str(value: str) -> Optional['DatasetType']: + if value == "structured": + return DatasetType.STRUCTURED + if value == "numeric": + return DatasetType.NUMERIC + if value == "text": + return DatasetType.TEXT + if value == "categorical": + return DatasetType.CATEGORICAL + if value == "graph": + return DatasetType.GRAPH + if value == "timeseries": + return DatasetType.TIMESERIES + if value == "timestamp": + return DatasetType.TIMESTAMP + if value == "sensor": + return DatasetType.SENSOR + if value == "image": + return DatasetType.IMAGE + if value == "syntactic": + return DatasetType.SYNTACTIC + if value == "audio": + return DatasetType.AUDIO + if value == "video": + return DatasetType.VIDEO + if value == "other": + return DatasetType.OTHER + if value == "noAssertion": + return DatasetType.NO_ASSERTION + return None diff --git a/src/spdx_tools/spdx3/new_model/expanded_license/__init__.py b/src/spdx_tools/spdx3/new_model/expanded_license/__init__.py new file mode 100644 index 000000000..a61d27bcb --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/expanded_license/__init__.py @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from .conjunctive_license_set import ConjunctiveLicenseSet +from .disjunctive_license_set import DisjunctiveLicenseSet +from .extendable_license import ExtendableLicense diff --git a/src/spdx_tools/spdx3/new_model/expanded_license/conjunctive_license_set.py b/src/spdx_tools/spdx3/new_model/expanded_license/conjunctive_license_set.py new file mode 100644 index 000000000..6f5336ecd --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/expanded_license/conjunctive_license_set.py @@ -0,0 +1,50 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from ..core import CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod +from ..licensing import AnyLicenseInfo +from beartype.typing import List, Optional +from dataclasses import field +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class ConjunctiveLicenseSet(AnyLicenseInfo): + """ + A ConjunctiveLicenseSet indicates that _each_ of its subsidiary AnyLicenseInfos apply. In other words, a + ConjunctiveLicenseSet of two or more licenses represents a licensing situation where _all_ of the specified licenses + are to be complied with. It is represented in the SPDX License Expression Syntax by the `AND` operator. + + It is syntactically correct to specify a ConjunctiveLicenseSet where the subsidiary AnyLicenseInfos may be + "incompatible" according to a particular interpretation of the corresponding Licenses. The SPDX License Expression + Syntax does not take into account interpretation of license texts, which is left to the consumer of SPDX data to + determine for themselves. + """ + member: List[AnyLicenseInfo] = field(default_factory=list) + """ + A member is a license expression participating in a conjuctive (of type ConjunctiveLicenseSet) or a disjunctive (of + type DisjunctiveLicenseSet) license set. + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + member: List[AnyLicenseInfo], + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: Optional[str] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/expanded_license/disjunctive_license_set.py b/src/spdx_tools/spdx3/new_model/expanded_license/disjunctive_license_set.py new file mode 100644 index 000000000..5ad153403 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/expanded_license/disjunctive_license_set.py @@ -0,0 +1,47 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from ..core import CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod +from ..licensing import AnyLicenseInfo +from beartype.typing import List, Optional +from dataclasses import field +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class DisjunctiveLicenseSet(AnyLicenseInfo): + """ + A DisjunctiveLicenseSet indicates that _only one_ of its subsidiary AnyLicenseInfos is required to apply. In other + words, a DisjunctiveLicenseSet of two or more licenses represents a licensing situation where _only one_ of the + specified licenses are to be complied with. A consumer of SPDX data would typically understand this to permit the + recipient of the licensed content to choose which of the corresponding license they would prefer to use. It is + represented in the SPDX License Expression Syntax by the `OR` operator. + """ + member: List[AnyLicenseInfo] = field(default_factory=list) + """ + A member is a license expression participating in a conjuctive (of type ConjunctiveLicenseSet) or a disjunctive (of + type DisjunctiveLicenseSet) license set. + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + member: List[AnyLicenseInfo], + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: Optional[str] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/expanded_license/extendable_license.py b/src/spdx_tools/spdx3/new_model/expanded_license/extendable_license.py new file mode 100644 index 000000000..16f92c3ef --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/expanded_license/extendable_license.py @@ -0,0 +1,23 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from ..core import CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod +from ..licensing import AnyLicenseInfo +from abc import abstractmethod +from beartype.typing import List, Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class ExtendableLicense(AnyLicenseInfo): + """ + The WithAdditionOperator can have a License or an OrLaterOperator as the license property value. This class is used + for the value. + """ + + @abstractmethod + def __init__(self): + pass diff --git a/src/spdx_tools/spdx3/new_model/licensing/__init__.py b/src/spdx_tools/spdx3/new_model/licensing/__init__.py new file mode 100644 index 000000000..dd4399973 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/licensing/__init__.py @@ -0,0 +1,15 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from .any_license_info import AnyLicenseInfo +from .custom_license import CustomLicense +from .custom_license_addition import CustomLicenseAddition +from .license import License +from .license_addition import LicenseAddition +from .license_expression import LicenseExpression +from .listed_license import ListedLicense +from .listed_license_exception import ListedLicenseException +from .or_later_operator import OrLaterOperator +from .with_addition_operator import WithAdditionOperator diff --git a/src/spdx_tools/spdx3/new_model/licensing/any_license_info.py b/src/spdx_tools/spdx3/new_model/licensing/any_license_info.py new file mode 100644 index 000000000..53218cf78 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/licensing/any_license_info.py @@ -0,0 +1,24 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from ..core import CreationInfo, Element, ExternalIdentifier, ExternalReference, IntegrityMethod +from abc import abstractmethod +from beartype.typing import List, Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class AnyLicenseInfo(Element): + """ + An AnyLicenseInfo is used by licensing properties of software artifacts. It can be a NoneLicense, a + NoAssertionLicense, single license (either on the SPDX License List or a custom-defined license); a single license + with an "or later" operator applied; the foregoing with additional text applied; or a set of licenses combined by + applying "AND" and "OR" operators recursively. + """ + + @abstractmethod + def __init__(self): + pass diff --git a/src/spdx_tools/spdx3/new_model/licensing/custom_license.py b/src/spdx_tools/spdx3/new_model/licensing/custom_license.py new file mode 100644 index 000000000..a3c133cb0 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/licensing/custom_license.py @@ -0,0 +1,30 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from ..licensing import License +from beartype.typing import Optional +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class CustomLicense(License): + """ + A CustomLicense represents a License that is not listed on the SPDX License List at https://spdx.org/licenses, and + is therefore defined by an SPDX data creator. + """ + + def __init__( + self, + license_text: str, + is_osi_approved: Optional[str] = None, + is_fsf_libre: Optional[str] = None, + standard_license_header: Optional[str] = None, + standard_license_template: Optional[str] = None, + is_deprecated_license_id: Optional[str] = None, + obsoleted_by: Optional[str] = None, + ): + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/licensing/custom_license_addition.py b/src/spdx_tools/spdx3/new_model/licensing/custom_license_addition.py new file mode 100644 index 000000000..e81087ffc --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/licensing/custom_license_addition.py @@ -0,0 +1,44 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from ..core import CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod +from ..licensing import LicenseAddition +from beartype.typing import List, Optional +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class CustomLicenseAddition(LicenseAddition): + """ + A CustomLicenseAddition represents an addition to a License that is not listed on the SPDX Exceptions List at + https://spdx.org/licenses/exceptions-index.html, and is therefore defined by an SPDX data creator. + + It is intended to represent additional language which is meant to be added to a License, but which is not itself a + standalone License. + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + addition_text: str, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: Optional[str] = None, + standard_addition_template: Optional[str] = None, + is_deprecated_addition_id: Optional[str] = None, + obsoleted_by: Optional[str] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/licensing/license.py b/src/spdx_tools/spdx3/new_model/licensing/license.py new file mode 100644 index 000000000..444eaf170 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/licensing/license.py @@ -0,0 +1,88 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from ..licensing import ExtendableLicense +from abc import abstractmethod +from beartype.typing import Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class License(ExtendableLicense): + """ + A License represents a license text, whether listed on the SPDX License List (ListedLicense) or defined by an SPDX + data creator (CustomLicense). + """ + license_text: str + """ + A licenseText contains the plain text of the License, without templating or other similar markup. + + Users of the licenseText for a License can apply the SPDX Matching Guidelines when comparing it to another text for + matching purposes. + """ + is_osi_approved: Optional[str] = None + """ + isOsiApproved specifies whether the [Open Source Initiative (OSI)](https://opensource.org) has listed this License + as "approved" in their list of OSI Approved Licenses, located at the time of this writing at + https://opensource.org/licenses/. + + A value of "true" indicates that the OSI has listed this License as approved. + + A value of "false" indicates that the OSI has not listed this License as approved. + + If the isOsiApproved field is not specified, the SPDX data creator makes no assertions about whether the License is + approved by the OSI. + """ + is_fsf_libre: Optional[str] = None + """ + isFsfLibre specifies whether the [Free Software Foundation FSF](https://fsf.org) has listed this License as "free" + in their commentary on licenses, located at the time of this writing at + https://www.gnu.org/licenses/license-list.en.html. + + A value of "true" indicates that the FSF has listed this License as _free_. + + A value of "false" indicates that the FSF has listed this License as _not free_. + + If the isFsfLibre field is not specified, the SPDX data creator makes no assertions about whether the License is + listed in the FSF's commentary. + """ + standard_license_header: Optional[str] = None + """ + A standardLicenseHeader contains the plain text of the License author's preferred wording to be used, typically in a + source code file's header comments or similar location, to indicate that the file is subject to the specified + License. + """ + standard_license_template: Optional[str] = None + """ + A standardLicenseTemplate contains a license template which describes sections of the License text which can be + varied. See the Legacy Text Template format section of the SPDX specification for format information. + """ + is_deprecated_license_id: Optional[str] = None + """ + The isDeprecatedLicenseId property specifies whether an identifier for a License or LicenseAddition has been marked + as deprecated. If the property is not defined, then it is presumed to be false (i.e., not deprecated). + + If the License or LicenseAddition is included on the SPDX License List, then the `deprecatedVersion` property + indicates on which version release of the License List it was first marked as deprecated. + + "Deprecated" in this context refers to deprecating the use of the _identifier_, not the underlying license. In other + words, even if a License's author or steward has stated that a particular License generally should not be used, that + would _not_ mean that the License's identifier is "deprecated." Rather, a License or LicenseAddition operator is + typically marked as "deprecated" when it is determined that use of another identifier is preferable. + """ + obsoleted_by: Optional[str] = None + """ + An obsoletedBy value for a deprecated License or LicenseAddition specifies the licenseId of the replacement License + or LicenseAddition that is preferred to be used in its place. It should use the same format as specified for a + licenseId. + + The License's or LicenseAddition's comment value may include more information about the reason why the licenseId + specified in the obsoletedBy value is preferred. + """ + + @abstractmethod + def __init__(self): + pass diff --git a/src/spdx_tools/spdx3/new_model/licensing/license_addition.py b/src/spdx_tools/spdx3/new_model/licensing/license_addition.py new file mode 100644 index 000000000..6e135586c --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/licensing/license_addition.py @@ -0,0 +1,60 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from ..core import CreationInfo, Element, ExternalIdentifier, ExternalReference, IntegrityMethod +from abc import abstractmethod +from beartype.typing import List, Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class LicenseAddition(Element): + """ + A LicenseAddition represents text which is intended to be added to a License as additional text, but which is not + itself intended to be a standalone License. + + It may be an exception which is listed on the SPDX Exceptions List (ListedLicenseException), or may be any other + additional text (as an exception or otherwise) which is defined by an SPDX data creator (CustomLicenseAddition). + """ + addition_text: str + """ + An additionText contains the plain text of the LicenseAddition, without templating or other similar markup. + + Users of the additionText for a License can apply the SPDX Matching Guidelines when comparing it to another text for + matching purposes. + """ + standard_addition_template: Optional[str] = None + """ + A standardAdditionTemplate contains a license addition template which describes sections of the LicenseAddition text + which can be varied. See the Legacy Text Template format section of the SPDX specification for format information. + """ + is_deprecated_addition_id: Optional[str] = None + """ + The isDeprecatedAdditionId property specifies whether an identifier for a LicenseAddition has been marked as + deprecated. If the property is not defined, then it is presumed to be false (i.e., not deprecated). + + If the LicenseAddition is included on the SPDX Exceptions List, then the `deprecatedVersion` property indicates on + which version release of the Exceptions List it was first marked as deprecated. + + "Deprecated" in this context refers to deprecating the use of the _identifier_, not the underlying license addition. + In other words, even if a LicenseAddition's author or steward has stated that a particular LicenseAddition generally + should not be used, that would _not_ mean that the LicenseAddition's identifier is "deprecated." Rather, a + LicenseAddition operator is typically marked as "deprecated" when it is determined that use of another identifier is + preferable. + """ + obsoleted_by: Optional[str] = None + """ + An obsoletedBy value for a deprecated License or LicenseAddition specifies the licenseId of the replacement License + or LicenseAddition that is preferred to be used in its place. It should use the same format as specified for a + licenseId. + + The License's or LicenseAddition's comment value may include more information about the reason why the licenseId + specified in the obsoletedBy value is preferred. + """ + + @abstractmethod + def __init__(self): + pass diff --git a/src/spdx_tools/spdx3/new_model/licensing/license_expression.py b/src/spdx_tools/spdx3/new_model/licensing/license_expression.py new file mode 100644 index 000000000..d93761b45 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/licensing/license_expression.py @@ -0,0 +1,63 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from ..core import CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod +from ..licensing import AnyLicenseInfo +from beartype.typing import List, Optional +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class LicenseExpression(AnyLicenseInfo): + """ + Often a single license can be used to represent the licensing terms of a source code or binary file, but there are + situations where a single license identifier is not sufficient. A common example is when software is offered under a + choice of one or more licenses (e.g., GPL-2.0-only OR BSD-3-Clause). Another example is when a set of licenses is + needed to represent a binary program constructed by compiling and linking two (or more) different source files each + governed by different licenses (e.g., LGPL-2.1-only AND BSD-3-Clause). + + SPDX License Expressions provide a way for one to construct expressions that more accurately represent the licensing + terms typically found in open source software source code. A license expression could be a single license identifier + found on the SPDX License List; a user defined license reference denoted by the LicenseRef-idString; a license + identifier combined with an SPDX exception; or some combination of license identifiers, license references and + exceptions constructed using a small set of defined operators (e.g., AND, OR, WITH and +). We provide the definition + of what constitutes a valid an SPDX License Expression in this section. + """ + license_expression: str + """ + Often a single license can be used to represent the licensing terms of a source code or binary file, but there are + situations where a single license identifier is not sufficient. A common example is when software is offered under a + choice of one or more licenses (e.g., GPL-2.0-only OR BSD-3-Clause). Another example is when a set of licenses is + needed to represent a binary program constructed by compiling and linking two (or more) different source files each + governed by different licenses (e.g., LGPL-2.1-only AND BSD-3-Clause). + + SPDX License Expressions provide a way for one to construct expressions that more accurately represent the licensing + terms typically found in open source software source code. A license expression could be a single license identifier + found on the SPDX License List; a user defined license reference denoted by the LicenseRef-idString; a license + identifier combined with an SPDX exception; or some combination of license identifiers, license references and + exceptions constructed using a small set of defined operators (e.g., AND, OR, WITH and +). We provide the definition + of what constitutes a valid an SPDX License Expression in this section. + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + license_expression: str, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: Optional[str] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/licensing/listed_license.py b/src/spdx_tools/spdx3/new_model/licensing/listed_license.py new file mode 100644 index 000000000..bd17e1302 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/licensing/listed_license.py @@ -0,0 +1,41 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from ..licensing import License +from beartype.typing import Optional +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class ListedLicense(License): + """ + A ListedLicense represents a License that is listed on the SPDX License List at https://spdx.org/licenses. + """ + list_version_added: Optional[str] = None + """ + A listVersionAdded for a ListedLicense or ListedLicenseException on the SPDX License List specifies which version + release of the License List was the first one in which it was included. + """ + deprecated_version: Optional[str] = None + """ + A deprecatedVersion for a ListedLicense or ListedLicenseException on the SPDX License List specifies which version + release of the License List was the first one in which it was marked as deprecated. + """ + + def __init__( + self, + license_text: str, + is_osi_approved: Optional[str] = None, + is_fsf_libre: Optional[str] = None, + standard_license_header: Optional[str] = None, + standard_license_template: Optional[str] = None, + is_deprecated_license_id: Optional[str] = None, + obsoleted_by: Optional[str] = None, + list_version_added: Optional[str] = None, + deprecated_version: Optional[str] = None, + ): + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/licensing/listed_license_exception.py b/src/spdx_tools/spdx3/new_model/licensing/listed_license_exception.py new file mode 100644 index 000000000..35cc87346 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/licensing/listed_license_exception.py @@ -0,0 +1,54 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from ..core import CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod +from ..licensing import LicenseAddition +from beartype.typing import List, Optional +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class ListedLicenseException(LicenseAddition): + """ + A ListedLicenseException represents an exception to a License (in other words, an exception to a license condition + or an additional permission beyond those granted in a License) which is listed on the SPDX Exceptions List at + https://spdx.org/licenses/exceptions-index.html. + """ + list_version_added: Optional[str] = None + """ + A listVersionAdded for a ListedLicense or ListedLicenseException on the SPDX License List specifies which version + release of the License List was the first one in which it was included. + """ + deprecated_version: Optional[str] = None + """ + A deprecatedVersion for a ListedLicense or ListedLicenseException on the SPDX License List specifies which version + release of the License List was the first one in which it was marked as deprecated. + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + addition_text: str, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: Optional[str] = None, + standard_addition_template: Optional[str] = None, + is_deprecated_addition_id: Optional[str] = None, + obsoleted_by: Optional[str] = None, + list_version_added: Optional[str] = None, + deprecated_version: Optional[str] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/licensing/or_later_operator.py b/src/spdx_tools/spdx3/new_model/licensing/or_later_operator.py new file mode 100644 index 000000000..5b4e22040 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/licensing/or_later_operator.py @@ -0,0 +1,34 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from ..licensing import ExtendableLicense, License +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class OrLaterOperator(ExtendableLicense): + """ + An OrLaterOperator indicates that this portion of the AnyLicenseInfo represents either (1) the specified version of + the corresponding License, or (2) any later version of that License. It is represented in the SPDX License + Expression Syntax by the `+` operator. + + It is context-dependent, and unspecified by SPDX, as to what constitutes a "later version" of any particular + License. Some Licenses may not be versioned, or may not have clearly-defined ordering for versions. The consumer of + SPDX data will need to determine for themselves what meaning to attribute to a "later version" operator for a + particular License. + """ + subject_license: License + """ + A subjectLicense is a License which is subject to either an 'or later' effect (OrLaterOperator) or a 'with + additional text' effect (WithAdditionOperator). + """ + + def __init__( + self, + subject_license: License, + ): + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/licensing/with_addition_operator.py b/src/spdx_tools/spdx3/new_model/licensing/with_addition_operator.py new file mode 100644 index 000000000..d3c16cbe4 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/licensing/with_addition_operator.py @@ -0,0 +1,49 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from ..core import CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod +from ..licensing import AnyLicenseInfo, ExtendableLicense, LicenseAddition +from beartype.typing import List, Optional +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class WithAdditionOperator(AnyLicenseInfo): + """ + A WithAdditionOperator indicates that the designated License is subject to the designated LicenseAddition, which + might be a license exception on the SPDX Exceptions List (ListedLicenseException) or may be other additional text + (CustomLicenseAddition). It is represented in the SPDX License Expression Syntax by the `WITH` operator. + """ + subject_license: ExtendableLicense + """ + A subjectLicense is a License which is subject to either an 'or later' effect (OrLaterOperator) or a 'with + additional text' effect (WithAdditionOperator). + """ + subject_addition: LicenseAddition + """ + A subjectAddition is a LicenseAddition which is subject to a 'with additional text' effect (WithAdditionOperator). + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + subject_license: ExtendableLicense, + subject_addition: LicenseAddition, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: Optional[str] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/security/__init__.py b/src/spdx_tools/spdx3/new_model/security/__init__.py new file mode 100644 index 000000000..6bf9817fd --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/security/__init__.py @@ -0,0 +1,20 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from .cvss_v2_vuln_assessment_relationship import CvssV2VulnAssessmentRelationship +from .cvss_v3_vuln_assessment_relationship import CvssV3VulnAssessmentRelationship +from .epss_vuln_assessment_relationship import EpssVulnAssessmentRelationship +from .exploit_catalog_type import ExploitCatalogType +from .exploit_catalog_vuln_assessment_relationship import ExploitCatalogVulnAssessmentRelationship +from .ssvc_decision_type import SsvcDecisionType +from .ssvc_vuln_assessment_relationship import SsvcVulnAssessmentRelationship +from .vex_affected_vuln_assessment_relationship import VexAffectedVulnAssessmentRelationship +from .vex_fixed_vuln_assessment_relationship import VexFixedVulnAssessmentRelationship +from .vex_justification_type import VexJustificationType +from .vex_not_affected_vuln_assessment_relationship import VexNotAffectedVulnAssessmentRelationship +from .vex_under_investigation_vuln_assessment_relationship import VexUnderInvestigationVulnAssessmentRelationship +from .vex_vuln_assessment_relationship import VexVulnAssessmentRelationship +from .vuln_assessment_relationship import VulnAssessmentRelationship +from .vulnerability import Vulnerability diff --git a/src/spdx_tools/spdx3/new_model/security/cvss_v2_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/cvss_v2_vuln_assessment_relationship.py new file mode 100644 index 000000000..7b92a8b4c --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/security/cvss_v2_vuln_assessment_relationship.py @@ -0,0 +1,117 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from ..core import Agent, CreationInfo, Element, ExternalIdentifier, ExternalReference, IntegrityMethod, RelationshipCompleteness, RelationshipType +from ..security import VulnAssessmentRelationship +from beartype.typing import List, Optional +from datetime import datetime +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class CvssV2VulnAssessmentRelationship(VulnAssessmentRelationship): + """ + A CvssV2VulnAssessmentRelationship relationship describes the determined score and vector of a vulnerability using + version 2.0 of the Common Vulnerability Scoring System (CVSS) as defined on + [https://www.first.org/cvss/v2/guide](https://www.first.org/cvss/v2/guide). It is intented to communicate the + results of using a CVSS calculator. + + **Constraints** + + - The value of severity must be one of 'low', 'medium' or 'high' + - The relationship type must be set to hasAssessmentFor. + + **Syntax** + + ```json + { + "@type": "CvssV2VulnAssessmentRelationship", + "@id": "urn:spdx.dev:cvssv2-cve-2020-28498", + "relationshipType": "hasAssessmentFor", + "score": 4.3, + "vector": "(AV:N/AC:M/Au:N/C:P/I:N/A:N)", + "severity": "low", + "from": "urn:spdx.dev:vuln-cve-2020-28498", + "to": ["urn:product-acme-application-1.3"], + "assessedElement": "urn:npm-elliptic-6.5.2", + "externalReferences": [ + { + "@type": "ExternalReference", + "externalReferenceType": "securityAdvisory", + "locator": "https://nvd.nist.gov/vuln/detail/CVE-2020-28498" + }, + { + "@type": "ExternalReference", + "externalReferenceType": "securityAdvisory", + "locator": "https://snyk.io/vuln/SNYK-JS-ELLIPTIC-1064899" + }, + { + "@type": "ExternalReference", + "externalReferenceType": "securityFix", + "locator": "https://github.com/indutny/elliptic/commit/441b742" + } + ], + "suppliedBy": ["urn:spdx.dev:agent-my-security-vendor"], + "publishedTime": "2023-05-06T10:06:13Z" + }, + { + "@type": "Relationship", + "@id": "urn:spdx.dev:vulnAgentRel-1", + "relationshipType": "publishedBy", + "from": "urn:spdx.dev:cvssv2-cve-2020-28498", + "to": ["urn:spdx.dev:agent-snyk"], + "startTime": "2021-03-08T16:06:50Z" + } + ``` + """ + score: str + """ + The score provides information on the severity of a vulnerability per the Common Vulnerability Scoring System as + defined on [https://www.first.org/cvss](https://www.first.org/cvss/). + """ + severity: Optional[str] = None + """ + The severity field provides a human readable string, a label that can be used as an English adjective that qualifies + its numerical score. + """ + vector: Optional[str] = None + """ + Sepcifies the vector string of a vulnerability, a string combining metrics from an assessment of its severity. + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + from_element: Element, + relationship_type: RelationshipType, + score: str, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: Optional[str] = None, + to: List[Element] = None, + completeness: Optional[RelationshipCompleteness] = None, + start_time: Optional[datetime] = None, + end_time: Optional[datetime] = None, + assessed_element: Optional[Element] = None, + published_time: Optional[datetime] = None, + supplied_by: Optional[Agent] = None, + modified_time: Optional[datetime] = None, + withdrawn_time: Optional[datetime] = None, + severity: Optional[str] = None, + vector: Optional[str] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + to = [] if to is None else to + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/security/cvss_v3_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/cvss_v3_vuln_assessment_relationship.py new file mode 100644 index 000000000..d3736ce43 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/security/cvss_v3_vuln_assessment_relationship.py @@ -0,0 +1,118 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from ..core import Agent, CreationInfo, Element, ExternalIdentifier, ExternalReference, IntegrityMethod, RelationshipCompleteness, RelationshipType +from ..security import VulnAssessmentRelationship +from beartype.typing import List, Optional +from datetime import datetime +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class CvssV3VulnAssessmentRelationship(VulnAssessmentRelationship): + """ + A CvssV3VulnAssessmentRelationship relationship describes the determined score, severity, and vector of a + vulnerability using version 3.1 of the Common Vulnerability Scoring System (CVSS) as defined on + [https://www.first.org/cvss/v3.1/specification-document](https://www.first.org/cvss/v3.1/specification-document). It + is intented to communicate the results of using a CVSS calculator. + + **Constraints** + + - The value of severity must be one of 'none', 'low', 'medium', 'high' or 'critical'. + - Absence of the property shall be interpreted as 'none'. + - The relationship type must be set to hasAssessmentFor. + + **Syntax** + + ```json + { + "@type": "CvssV3VulnAssessmentRelationship", + "@id": "urn:spdx.dev:cvssv3-cve-2020-28498", + "relationshipType": "hasAssessmentFor", + "severity": "medium", + "score": 6.8, + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N", + "from": "urn:spdx.dev:vuln-cve-2020-28498", + "to": ["urn:product-acme-application-1.3"], + "assessedElement": "urn:npm-elliptic-6.5.2", + "externalReferences": [ + { + "@type": "ExternalReference", + "externalReferenceType": "securityAdvisory", + "locator": "https://nvd.nist.gov/vuln/detail/CVE-2020-28498" + }, + { + "@type": "ExternalReference", + "externalReferenceType": "securityAdvisory", + "locator": "https://snyk.io/vuln/SNYK-JS-ELLIPTIC-1064899" + }, + { + "@type": "ExternalReference", + "externalReferenceType": "securityFix", + "locator": "https://github.com/indutny/elliptic/commit/441b742" + } + ], + "suppliedBy": ["urn:spdx.dev:agent-my-security-vendor"], + "publishedTime": "2023-05-06T10:06:13Z" + }, + { + "@type": "Relationship", + "@id": "urn:spdx.dev:vulnAgentRel-1", + "relationshipType": "publishedBy", + "from": "urn:spdx.dev:cvssv3-cve-2020-28498", + "to": "urn:spdx.dev:agent-snyk", + "startTime": "2021-03-08T16:06:50Z" + } + ``` + """ + score: str + """ + The score provides information on the severity of a vulnerability per the Common Vulnerability Scoring System as + defined on [https://www.first.org/cvss](https://www.first.org/cvss/). + """ + severity: Optional[str] = None + """ + The severity field provides a human readable string, a label that can be used as an English adjective that qualifies + its numerical score. + """ + vector: Optional[str] = None + """ + Sepcifies the vector string of a vulnerability, a string combining metrics from an assessment of its severity. + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + from_element: Element, + relationship_type: RelationshipType, + score: str, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: Optional[str] = None, + to: List[Element] = None, + completeness: Optional[RelationshipCompleteness] = None, + start_time: Optional[datetime] = None, + end_time: Optional[datetime] = None, + assessed_element: Optional[Element] = None, + published_time: Optional[datetime] = None, + supplied_by: Optional[Agent] = None, + modified_time: Optional[datetime] = None, + withdrawn_time: Optional[datetime] = None, + severity: Optional[str] = None, + vector: Optional[str] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + to = [] if to is None else to + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/security/epss_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/epss_vuln_assessment_relationship.py new file mode 100644 index 000000000..cc4971226 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/security/epss_vuln_assessment_relationship.py @@ -0,0 +1,82 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from ..core import Agent, CreationInfo, Element, ExternalIdentifier, ExternalReference, IntegrityMethod, RelationshipCompleteness, RelationshipType +from ..security import VulnAssessmentRelationship +from beartype.typing import List, Optional +from datetime import datetime +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class EpssVulnAssessmentRelationship(VulnAssessmentRelationship): + """ + An EpssVulnAssessmentRelationship relationship describes the likelihood or probability that a vulnerability will be + exploited in the wild using the Exploit Prediction Scoring System (EPSS) as defined on + [https://www.first.org/epss/model](https://www.first.org/epss/model). + + **Constraints** + + - The relationship type must be set to hasAssessmentFor. + + **Syntax** + + ```json + { + "@type": "EpssVulnAssessmentRelationship", + "@id": "urn:spdx.dev:epss-1", + "relationshipType": "hasAssessmentFor", + "probability": 80, + "from": "urn:spdx.dev:vuln-cve-2020-28498", + "to": ["urn:product-acme-application-1.3"], + "suppliedBy": ["urn:spdx.dev:agent-jane-doe"], + "publishedTime": "2021-03-09T11:04:53Z" + } + ``` + """ + probability: str + """ + The probability score between 0 and 1 (0 and 100%) estimating the likelihood that a vulnerability will be exploited + in the next 12 months. + """ + severity: Optional[str] = None + """ + The severity field provides a human readable string, a label that can be used as an English adjective that qualifies + its numerical score. + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + from_element: Element, + relationship_type: RelationshipType, + probability: str, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: Optional[str] = None, + to: List[Element] = None, + completeness: Optional[RelationshipCompleteness] = None, + start_time: Optional[datetime] = None, + end_time: Optional[datetime] = None, + assessed_element: Optional[Element] = None, + published_time: Optional[datetime] = None, + supplied_by: Optional[Agent] = None, + modified_time: Optional[datetime] = None, + withdrawn_time: Optional[datetime] = None, + severity: Optional[str] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + to = [] if to is None else to + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/security/exploit_catalog_type.py b/src/spdx_tools/spdx3/new_model/security/exploit_catalog_type.py new file mode 100644 index 000000000..0dee7832d --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/security/exploit_catalog_type.py @@ -0,0 +1,37 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from beartype.typing import Optional +from enum import Enum, auto + + +class ExploitCatalogType(Enum): + """ + ExploitCatalogType specifies the type of exploit catalog that a vulnerability is listed in. + """ + + KEV = auto() + """ + CISA's Known Exploited Vulnerability (KEV) Catalog + """ + OTHER = auto() + """ + Other exploit catalogs + """ + + def __str__(self) -> str: + if self == ExploitCatalogType.KEV: + return "kev" + if self == ExploitCatalogType.OTHER: + return "other" + return "unknown" + + @staticmethod + def from_str(value: str) -> Optional['ExploitCatalogType']: + if value == "kev": + return ExploitCatalogType.KEV + if value == "other": + return ExploitCatalogType.OTHER + return None diff --git a/src/spdx_tools/spdx3/new_model/security/exploit_catalog_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/exploit_catalog_vuln_assessment_relationship.py new file mode 100644 index 000000000..4cbe8481c --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/security/exploit_catalog_vuln_assessment_relationship.py @@ -0,0 +1,87 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from ..core import Agent, CreationInfo, Element, ExternalIdentifier, ExternalReference, IntegrityMethod, RelationshipCompleteness, RelationshipType +from ..security import ExploitCatalogType, VulnAssessmentRelationship +from beartype.typing import List, Optional +from datetime import datetime +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class ExploitCatalogVulnAssessmentRelationship(VulnAssessmentRelationship): + """ + An ExploitCatalogVulnAssessmentRelationship describes if a vulnerability is listed in any exploit catalog such as + the CISA Known Exploited Vulnerabilities Catalog (KEV) + [https://www.cisa.gov/known-exploited-vulnerabilities-catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog). + + **Constraints** + + - The relationship type must be set to hasAssessmentFor. + + **Syntax** + + ```json + { + "@type": "ExploitCatalogVulnAssessmentRelationship", + "@id": "urn:spdx.dev:exploit-catalog-1", + "relationshipType": "hasAssessmentFor", + "catalogType": "kev", + "locator": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", + "exploited": "true", + "from": "urn:spdx.dev:vuln-cve-2023-2136", + "to": ["urn:product-google-chrome-112.0.5615.136"], + "suppliedBy": ["urn:spdx.dev:agent-jane-doe"], + "publishedTime": "2021-03-09T11:04:53Z" + } + ``` + """ + catalog_type: ExploitCatalogType + """ + A catalogType is a mandatory value and must select one of the two entries in the `ExploitCatalogType.md` vocabulary. + """ + exploited: str + """ + This field is set when a CVE is listed in an exploit catalog. + """ + locator: str + """ + A locator provides the location of an exploit catalog. + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + from_element: Element, + relationship_type: RelationshipType, + catalog_type: ExploitCatalogType, + exploited: str, + locator: str, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: Optional[str] = None, + to: List[Element] = None, + completeness: Optional[RelationshipCompleteness] = None, + start_time: Optional[datetime] = None, + end_time: Optional[datetime] = None, + assessed_element: Optional[Element] = None, + published_time: Optional[datetime] = None, + supplied_by: Optional[Agent] = None, + modified_time: Optional[datetime] = None, + withdrawn_time: Optional[datetime] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + to = [] if to is None else to + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/security/ssvc_decision_type.py b/src/spdx_tools/spdx3/new_model/security/ssvc_decision_type.py new file mode 100644 index 000000000..1c00a4eb8 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/security/ssvc_decision_type.py @@ -0,0 +1,65 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from beartype.typing import Optional +from enum import Enum, auto + + +class SsvcDecisionType(Enum): + """ + SsvcDecisionType specifies the type of decision that's been made according to the Stakeholder-Specific Vulnerability + Categorization (SSVC) system + [https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc](https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc) + """ + + ACT = auto() + """ + The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level + individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as + publishing a notification either internally and/or externally. Typically, internal groups would meet to determine + the overall response and then execute agreed upon actions. CISA recommends remediating Act vulnerabilities as soon + as possible. + """ + ATTEND = auto() + """ + The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary + actions include requesting assistance or information about the vulnerability, and may involve publishing a + notification either internally and/or externally. CISA recommends remediating Attend vulnerabilities sooner than + standard update timelines. + """ + TRACK = auto() + """ + The vulnerability does not require action at this time. The organization would continue to track the vulnerability + and reassess it if new information becomes available. CISA recommends remediating Track vulnerabilities within + standard update timelines. + """ + TRACK_STAR = auto() + """ + (Track* in the SSVC spec) The vulnerability contains specific characteristics that may require closer monitoring for + changes. CISA recommends remediating Track* vulnerabilities within standard update timelines. + """ + + def __str__(self) -> str: + if self == SsvcDecisionType.ACT: + return "act" + if self == SsvcDecisionType.ATTEND: + return "attend" + if self == SsvcDecisionType.TRACK: + return "track" + if self == SsvcDecisionType.TRACK_STAR: + return "trackStar" + return "unknown" + + @staticmethod + def from_str(value: str) -> Optional['SsvcDecisionType']: + if value == "act": + return SsvcDecisionType.ACT + if value == "attend": + return SsvcDecisionType.ATTEND + if value == "track": + return SsvcDecisionType.TRACK + if value == "trackStar": + return SsvcDecisionType.TRACK_STAR + return None diff --git a/src/spdx_tools/spdx3/new_model/security/ssvc_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/ssvc_vuln_assessment_relationship.py new file mode 100644 index 000000000..b48a9d88e --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/security/ssvc_vuln_assessment_relationship.py @@ -0,0 +1,77 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from ..core import Agent, CreationInfo, Element, ExternalIdentifier, ExternalReference, IntegrityMethod, RelationshipCompleteness, RelationshipType +from ..security import SsvcDecisionType, VulnAssessmentRelationship +from beartype.typing import List, Optional +from datetime import datetime +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class SsvcVulnAssessmentRelationship(VulnAssessmentRelationship): + """ + An SsvcVulnAssessmentRelationship describes the decision made using the Stakeholder-Specific Vulnerability + Categorization (SSVC) decision tree as defined on + [https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc](https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc). + It is intended to communicate the results of using the CISA SSVC Calculator. + + **Constraints** + + - The relationship type must be set to hasAssessmentFor. + + **Syntax** + + ```json + { + "@type": "SsvcVulnAssessmentRelationship", + "@id": "urn:spdx.dev:ssvc-1", + "relationshipType": "hasAssessmentFor", + "decisionType": "act", + "from": "urn:spdx.dev:vuln-cve-2020-28498", + "to": ["urn:product-acme-application-1.3"], + "assessedElement": "urn:npm-elliptic-6.5.2", + "suppliedBy": ["urn:spdx.dev:agent-jane-doe"], + "publishedTime": "2021-03-09T11:04:53Z" + } + ``` + """ + decision_type: SsvcDecisionType + """ + A decisionType is a mandatory value and must select one of the four entries in the `SsvcDecisionType.md` vocabulary. + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + from_element: Element, + relationship_type: RelationshipType, + decision_type: SsvcDecisionType, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: Optional[str] = None, + to: List[Element] = None, + completeness: Optional[RelationshipCompleteness] = None, + start_time: Optional[datetime] = None, + end_time: Optional[datetime] = None, + assessed_element: Optional[Element] = None, + published_time: Optional[datetime] = None, + supplied_by: Optional[Agent] = None, + modified_time: Optional[datetime] = None, + withdrawn_time: Optional[datetime] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + to = [] if to is None else to + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/security/vex_affected_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/vex_affected_vuln_assessment_relationship.py new file mode 100644 index 000000000..8c9f347ea --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/security/vex_affected_vuln_assessment_relationship.py @@ -0,0 +1,89 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from ..core import Agent, CreationInfo, Element, ExternalIdentifier, ExternalReference, IntegrityMethod, RelationshipCompleteness, RelationshipType +from ..security import VexVulnAssessmentRelationship +from beartype.typing import List, Optional +from dataclasses import field +from datetime import datetime +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class VexAffectedVulnAssessmentRelationship(VexVulnAssessmentRelationship): + """ + VexAffectedVulnAssessmentRelationship connects a vulnerability and a number of elements. The relationship marks + these elements as products affected by the vulnerability. This relationship corresponds to the VEX affected status. + + **Constraints** + + When linking elements using a VexAffectedVulnAssessmentRelationship, the following requirements must be observed: + + - Elements linked with a VulnVexAffectedAssessmentRelationship are constrained to the affects relationship type. + + **Syntax** + + ```json + { + "@type": "VexAffectedVulnAssessmentRelationship", + "@id": "urn:spdx.dev:vex-affected-1", + "relationshipType": "affects", + "from": "urn:spdx.dev:vuln-cve-2020-28498", + "to": ["urn:product-acme-application-1.3"], + "assessedElement": "urn:npm-elliptic-6.5.2", + "actionStatement": "Upgrade to version 1.4 of ACME application.", + "suppliedBy": ["urn:spdx.dev:agent-jane-doe"], + "publishedTime": "2021-03-09T11:04:53Z" + } + ``` + """ + action_statement: Optional[str] = None + """ + When an element is referenced with a VexAffectedVulnAssessmentRelationship, the relationship MUST include one + actionStatement that SHOULD describe actions to remediate or mitigate the vulnerability. + """ + action_statement_time: List[datetime] = field(default_factory=list) + """ + When a VEX statement communicates an affected status, the author MUST include an action statement with a recommended + action to help mitigate the vulnerability's impact. The actionStatementTime property records the time when the + action statement was first communicated. + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + from_element: Element, + relationship_type: RelationshipType, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: Optional[str] = None, + to: List[Element] = None, + completeness: Optional[RelationshipCompleteness] = None, + start_time: Optional[datetime] = None, + end_time: Optional[datetime] = None, + assessed_element: Optional[Element] = None, + published_time: Optional[datetime] = None, + supplied_by: Optional[Agent] = None, + modified_time: Optional[datetime] = None, + withdrawn_time: Optional[datetime] = None, + vex_version: Optional[str] = None, + status_notes: Optional[str] = None, + action_statement: Optional[str] = None, + action_statement_time: List[datetime] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + to = [] if to is None else to + action_statement_time = [] if action_statement_time is None else action_statement_time + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/security/vex_fixed_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/vex_fixed_vuln_assessment_relationship.py new file mode 100644 index 000000000..96f0f64bd --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/security/vex_fixed_vuln_assessment_relationship.py @@ -0,0 +1,74 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from ..core import Agent, CreationInfo, Element, ExternalIdentifier, ExternalReference, IntegrityMethod, RelationshipCompleteness, RelationshipType +from ..security import VexVulnAssessmentRelationship +from beartype.typing import List, Optional +from datetime import datetime +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class VexFixedVulnAssessmentRelationship(VexVulnAssessmentRelationship): + """ + VexFixedVulnAssessmentRelationship links a vulnerability to a number of elements representing VEX products where a + vulnerability has been fixed and are no longer affected. It represents the VEX fixed status. + + **Constraints** + + When linking elements using a VexFixedVulnAssessmentRelationship, the following requirements must be observed: + + - Elements linked with a VulnVexFixedAssessmentRelationship are constrained to using the fixedIn relationship type. + - The from: end of the relationship must ve a /Security/Vulnerability classed element. + + **Syntax** + + ```json + { + "@type": "VexFixedVulnAssessmentRelationship", + "@id": "urn:spdx.dev:vex-fixed-in-1", + "relationshipType": "fixedIn", + "from": "urn:spdx.dev:vuln-cve-2020-28498", + "to": ["urn:product-acme-application-1.3"], + "assessedElement": "urn:npm-elliptic-6.5.4", + "suppliedBy": ["urn:spdx.dev:agent-jane-doe"], + "publishedTime": "2021-03-09T11:04:53Z" + } + ``` + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + from_element: Element, + relationship_type: RelationshipType, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: Optional[str] = None, + to: List[Element] = None, + completeness: Optional[RelationshipCompleteness] = None, + start_time: Optional[datetime] = None, + end_time: Optional[datetime] = None, + assessed_element: Optional[Element] = None, + published_time: Optional[datetime] = None, + supplied_by: Optional[Agent] = None, + modified_time: Optional[datetime] = None, + withdrawn_time: Optional[datetime] = None, + vex_version: Optional[str] = None, + status_notes: Optional[str] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + to = [] if to is None else to + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/security/vex_justification_type.py b/src/spdx_tools/spdx3/new_model/security/vex_justification_type.py new file mode 100644 index 000000000..1e68424fe --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/security/vex_justification_type.py @@ -0,0 +1,63 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from beartype.typing import Optional +from enum import Enum, auto + + +class VexJustificationType(Enum): + """ + VexJustificationType specifies the type of Vulnerability Exploitability eXchange (VEX) justification. + """ + + COMPONENT_NOT_PRESENT = auto() + """ + The software is not affected because the vulnerable component is not in the product. + """ + VULNERABLE_CODE_NOT_PRESENT = auto() + """ + The product is not affected because the code underlying the vulnerability is not present in the product. + """ + VULNERABLE_CODE_CANNOT_BE_CONTROLLED_BY_ADVERSARY = auto() + """ + The vulnerable component is present, and the component contains the vulnerable code. However, vulnerable code is + used in such a way that an attacker cannot mount any anticipated attack. + """ + VULNERABLE_CODE_NOT_IN_EXECUTE_PATH = auto() + """ + The affected code is not reachable through the execution of the code, including non-anticipated states of the + product. + """ + INLINE_MITIGATIONS_ALREADY_EXIST = auto() + """ + Built-in inline controls or mitigations prevent an adversary from leveraging the vulnerability. + """ + + def __str__(self) -> str: + if self == VexJustificationType.COMPONENT_NOT_PRESENT: + return "componentNotPresent" + if self == VexJustificationType.VULNERABLE_CODE_NOT_PRESENT: + return "vulnerableCodeNotPresent" + if self == VexJustificationType.VULNERABLE_CODE_CANNOT_BE_CONTROLLED_BY_ADVERSARY: + return "vulnerableCodeCannotBeControlledByAdversary" + if self == VexJustificationType.VULNERABLE_CODE_NOT_IN_EXECUTE_PATH: + return "vulnerableCodeNotInExecutePath" + if self == VexJustificationType.INLINE_MITIGATIONS_ALREADY_EXIST: + return "inlineMitigationsAlreadyExist" + return "unknown" + + @staticmethod + def from_str(value: str) -> Optional['VexJustificationType']: + if value == "componentNotPresent": + return VexJustificationType.COMPONENT_NOT_PRESENT + if value == "vulnerableCodeNotPresent": + return VexJustificationType.VULNERABLE_CODE_NOT_PRESENT + if value == "vulnerableCodeCannotBeControlledByAdversary": + return VexJustificationType.VULNERABLE_CODE_CANNOT_BE_CONTROLLED_BY_ADVERSARY + if value == "vulnerableCodeNotInExecutePath": + return VexJustificationType.VULNERABLE_CODE_NOT_IN_EXECUTE_PATH + if value == "inlineMitigationsAlreadyExist": + return VexJustificationType.INLINE_MITIGATIONS_ALREADY_EXIST + return None diff --git a/src/spdx_tools/spdx3/new_model/security/vex_not_affected_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/vex_not_affected_vuln_assessment_relationship.py new file mode 100644 index 000000000..3c0b1b4bc --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/security/vex_not_affected_vuln_assessment_relationship.py @@ -0,0 +1,101 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from ..core import Agent, CreationInfo, Element, ExternalIdentifier, ExternalReference, IntegrityMethod, RelationshipCompleteness, RelationshipType +from ..security import VexJustificationType, VexVulnAssessmentRelationship +from beartype.typing import List, Optional +from datetime import datetime +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class VexNotAffectedVulnAssessmentRelationship(VexVulnAssessmentRelationship): + """ + VexNotAffectedVulnAssessmentRelationship connects a vulnerability and a number of elements designating them as + products not affected by the vulnerability. This relationship corresponds to the VEX not_affected status. + + **Constraints** + + When linking elements using a VexNotVulnAffectedAssessmentRelationship, the following requirements must be observed: + + * Relating elements with a VexNotAffectedVulnAssessmentRelationship is restricted to the doesNotAffect relationship + type. + * The from: end of the relationship must be a /Security/Vulnerability classed element. + * Both impactStatement and justificationType properties have a cardinality of 0..1 making them optional. + Nevertheless, to produce a valid VEX not_affected statement, one of them MUST be defined. This is specified in the + Minimum Elements for VEX. + + **Syntax** + + ```json + { + "@type": "VexNotAffectedVulnAssessmentRelationship", + "@id": "urn:spdx.dev:vex-not-affected-1", + "relationshipType": "doesNotAffect", + "from": "urn:spdx.dev:vuln-cve-2020-28498", + "to": ["urn:product-acme-application-1.3"], + "assessedElement": "urn:npm-elliptic-6.5.2", + "justificationType": "componentNotPresent", + "impactStatement": "Not using this vulnerable part of this library.", + "suppliedBy": ["urn:spdx.dev:agent-jane-doe"], + "publishedTime": "2021-03-09T11:04:53Z" + } + ``` + """ + justification_type: Optional[VexJustificationType] = None + """ + When stating that an element is not affected by a vulnerability, the VexNotAffectedVulnAssessmentRelationship must + include a justification from the machine-readable labels catalog informing the reason the element is not impacted. + + impactStatement which is a string with English prose can be used instead or as complementary to the justification + label, but one of both MUST be defined. + """ + impact_statement: Optional[str] = None + """ + When a VEX product element is related with a VexNotAffectedVulnAssessmentRelationship and a machine readable + justification label is not provided, then an impactStatement that further explains how or why the prouct(s) are not + affected by the vulnerability must be provided. + """ + impact_statement_time: Optional[datetime] = None + """ + TODO + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + from_element: Element, + relationship_type: RelationshipType, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: Optional[str] = None, + to: List[Element] = None, + completeness: Optional[RelationshipCompleteness] = None, + start_time: Optional[datetime] = None, + end_time: Optional[datetime] = None, + assessed_element: Optional[Element] = None, + published_time: Optional[datetime] = None, + supplied_by: Optional[Agent] = None, + modified_time: Optional[datetime] = None, + withdrawn_time: Optional[datetime] = None, + vex_version: Optional[str] = None, + status_notes: Optional[str] = None, + justification_type: Optional[VexJustificationType] = None, + impact_statement: Optional[str] = None, + impact_statement_time: Optional[datetime] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + to = [] if to is None else to + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/security/vex_under_investigation_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/vex_under_investigation_vuln_assessment_relationship.py new file mode 100644 index 000000000..9090f8f0c --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/security/vex_under_investigation_vuln_assessment_relationship.py @@ -0,0 +1,76 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from ..core import Agent, CreationInfo, Element, ExternalIdentifier, ExternalReference, IntegrityMethod, RelationshipCompleteness, RelationshipType +from ..security import VexVulnAssessmentRelationship +from beartype.typing import List, Optional +from datetime import datetime +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class VexUnderInvestigationVulnAssessmentRelationship(VexVulnAssessmentRelationship): + """ + VexUnderInvestigationVulnAssessmentRelationship links a vulnerability to a number of products stating the + vulnerability's impact on them is being investigated. It represents the VEX under_investigation status. + + **Constraints** + + When linking elements using a VexUnderInvestigationVulnAssessmentRelationship the following requirements must be + observed: + + - Elements linked with a VexUnderInvestigationVulnAssessmentRelationship are constrained to using the + underInvestigationFor relationship type. + - The from: end of the relationship must ve a /Security/Vulnerability classed element. + + **Syntax** + + ```json + { + "@type": "VexUnderInvestigationVulnAssessmentRelationship", + "@id": "urn:spdx.dev:vex-underInvestigation-1", + "relationshipType": "underInvestigationFor", + "from": "urn:spdx.dev:vuln-cve-2020-28498", + "to": ["urn:product-acme-application-1.3"], + "assessedElement": "urn:npm-elliptic-6.5.2", + "suppliedBy": ["urn:spdx.dev:agent-jane-doe"], + "publishedTime": "2021-03-09T11:04:53Z" + } + ``` + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + from_element: Element, + relationship_type: RelationshipType, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: Optional[str] = None, + to: List[Element] = None, + completeness: Optional[RelationshipCompleteness] = None, + start_time: Optional[datetime] = None, + end_time: Optional[datetime] = None, + assessed_element: Optional[Element] = None, + published_time: Optional[datetime] = None, + supplied_by: Optional[Agent] = None, + modified_time: Optional[datetime] = None, + withdrawn_time: Optional[datetime] = None, + vex_version: Optional[str] = None, + status_notes: Optional[str] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + to = [] if to is None else to + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/security/vex_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/vex_vuln_assessment_relationship.py new file mode 100644 index 000000000..7741cca59 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/security/vex_vuln_assessment_relationship.py @@ -0,0 +1,47 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from ..core import Agent, CreationInfo, Element, ExternalIdentifier, ExternalReference, IntegrityMethod, RelationshipCompleteness, RelationshipType +from ..security import VulnAssessmentRelationship +from abc import abstractmethod +from beartype.typing import List, Optional +from datetime import datetime + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class VexVulnAssessmentRelationship(VulnAssessmentRelationship): + """ + VexVulnAssessmentRelationship is an abstract subclass that defined the common properties shared by all the SPDX-VEX + status relationships. + + **Constraints** + + When linking elements using a VexVulnAssessmentRelationship, the following requirements must be observed: + + - The from: end must be a /Security/Vulnerability classed element + - The to: end must point to elements representing the VEX _products_. To specify a different element where the + vulnerability was detected, the VEX relationship can optionally specify _subcomponents_ using the assessedElement + property. + + VEX inherits information from the document level down to its statements. When a statement is missing information it + can be completed by reading the equivalent field from the containing document. For example, if a VEX relationship is + missing data in its createdBy property, tools must consider the entity listed in the CreationInfo section of the + document as the VEX author. In the same way, when a VEX relationship does not have a created property, the + document's date must be considered as authoritative. + """ + vex_version: Optional[str] = None + """ + TODO + """ + status_notes: Optional[str] = None + """ + TODO + """ + + @abstractmethod + def __init__(self): + pass diff --git a/src/spdx_tools/spdx3/new_model/security/vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/vuln_assessment_relationship.py new file mode 100644 index 000000000..a27e2b295 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/security/vuln_assessment_relationship.py @@ -0,0 +1,44 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from ..core import Agent, CreationInfo, Element, ExternalIdentifier, ExternalReference, IntegrityMethod, Relationship, RelationshipCompleteness, RelationshipType +from abc import abstractmethod +from beartype.typing import List, Optional +from datetime import datetime + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class VulnAssessmentRelationship(Relationship): + """ + VulnAssessmentRelationship is the ancestor class common to all vulnerability assessment relationships. It factors + out the common properties shared by them. External property restriction on /Core/Relationship/to: minCount: 1 + """ + assessed_element: Optional[Element] = None + """ + Specifies subpackages, files or snippets referenced by a security assessment to specify the precise location where a + vulnerability was found. + """ + published_time: Optional[datetime] = None + """ + Specifies the time when a vulnerability was first published. + """ + supplied_by: Optional[Agent] = None + """ + Identify the actual distribution source for the vulnerability assessment relationship being referenced. + """ + modified_time: Optional[datetime] = None + """ + Specifies a time when a vulnerability assessment was last modified. + """ + withdrawn_time: Optional[datetime] = None + """ + Specified the time and date when a vulnerability was withdrawn. + """ + + @abstractmethod + def __init__(self): + pass diff --git a/src/spdx_tools/spdx3/new_model/security/vulnerability.py b/src/spdx_tools/spdx3/new_model/security/vulnerability.py new file mode 100644 index 000000000..8e8260d9d --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/security/vulnerability.py @@ -0,0 +1,126 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from ..core import CreationInfo, Element, ExternalIdentifier, ExternalReference, IntegrityMethod +from beartype.typing import List, Optional +from datetime import datetime +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class Vulnerability(Element): + """ + Specifies a vulnerability and its associated information. + + **Syntax** + + ```json + { + "@type": "Vulnerability", + "@id": "urn:spdx.dev:vuln-1", + "summary": "Use of a Broken or Risky Cryptographic Algorithm", + "description": "The npm package `elliptic` before version 6.5.4 are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.", + "modified": "2021-03-08T16:02:43Z", + "published": "2021-03-08T16:06:50Z", + "externalIdentifiers": [ + { + "@type": "ExternalIdentifier", + "externalIdentifierType": "cve", + "identifier": "CVE-2020-2849", + "identifierLocator": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28498", + "https://www.cve.org/CVERecord?id=CVE-2020-28498" + ], + "issuingAuthority": "urn:spdx.dev:agent-cve.org" + }, + { + "type": "ExternalIdentifier", + "externalIdentifierType": "securityOther", + "identifier": "GHSA-r9p9-mrjm-926w", + "identifierLocator": "https://github.com/advisories/GHSA-r9p9-mrjm-926w" + }, + { + "type": "ExternalIdentifier", + "externalIdentifierType": "securityOther", + "identifier": "SNYK-JS-ELLIPTIC-1064899", + "identifierLocator": "https://security.snyk.io/vuln/SNYK-JS-ELLIPTIC-1064899" + } + ], + "externalReferences": [ + { + "@type": "ExternalReference", + "externalReferenceType": "securityAdvisory", + "locator": "https://nvd.nist.gov/vuln/detail/CVE-2020-28498" + }, + { + "@type": "ExternalReference", + "externalReferenceType": "securityAdvisory", + "locator": "https://ubuntu.com/security/CVE-2020-28498" + }, + { + "@type": "ExternalReference", + "externalReferenceType": "securityOther", + "locator": "https://github.com/indutny/elliptic/pull/244/commits" + }, + { + "@type": "ExternalReference", + "externalReferenceType": "securityOther", + "locator": "https://github.com/christianlundkvist/blog/blob/master/2020_05_26_secp256k1_twist_attacks/secp256k1_twist_attacks.md" + } + ] + }, + { + "@type": "Relationship", + "@id": "urn:spdx.dev:vulnRelationship-1", + "relationshipType": "hasAssociatedVulnerability", + "from": "urn:npm-elliptic-6.5.2", + "to": ["urn:spdx.dev:vuln-1"], + "startTime": "2021-03-08T16:06:50Z" + }, + { + "@type": "Relationship", + "@id": "urn:spdx.dev:vulnAgentRel-1", + "relationshipType": "publishedBy", + "from": "urn:spdx.dev:vuln-1", + "to": ["urn:spdx.dev:agent-snyk"], + "startTime": "2021-03-08T16:06:50Z" + } + ``` + """ + published_time: Optional[datetime] = None + """ + Specifies the time when a vulnerability was first published. + """ + modified_time: Optional[datetime] = None + """ + Specifies a time when a vulnerability assessment was last modified. + """ + withdrawn_time: Optional[datetime] = None + """ + Specified the time and date when a vulnerability was withdrawn. + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: Optional[str] = None, + published_time: Optional[datetime] = None, + modified_time: Optional[datetime] = None, + withdrawn_time: Optional[datetime] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/software/__init__.py b/src/spdx_tools/spdx3/new_model/software/__init__.py new file mode 100644 index 000000000..0e31820ad --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/software/__init__.py @@ -0,0 +1,15 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from .dependency_conditionality_type import DependencyConditionalityType +from .file import File +from .package import Package +from .sbom import Sbom +from .sbom_type import SbomType +from .snippet import Snippet +from .software_artifact import SoftwareArtifact +from .software_dependency_link_type import SoftwareDependencyLinkType +from .software_dependency_relationship import SoftwareDependencyRelationship +from .software_purpose import SoftwarePurpose diff --git a/src/spdx_tools/spdx3/new_model/software/dependency_conditionality_type.py b/src/spdx_tools/spdx3/new_model/software/dependency_conditionality_type.py new file mode 100644 index 000000000..7f842120b --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/software/dependency_conditionality_type.py @@ -0,0 +1,61 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from beartype.typing import Optional +from enum import Enum, auto + + +class DependencyConditionalityType(Enum): + """ + TODO + """ + + OPTIONAL = auto() + """ + TODOdescription + """ + REQUIRED = auto() + """ + TODOdescription + """ + PROVIDED = auto() + """ + TODOdescription + """ + PREREQUISITE = auto() + """ + TODOdescription + """ + OTHER = auto() + """ + TODOdescription + """ + + def __str__(self) -> str: + if self == DependencyConditionalityType.OPTIONAL: + return "optional" + if self == DependencyConditionalityType.REQUIRED: + return "required" + if self == DependencyConditionalityType.PROVIDED: + return "provided" + if self == DependencyConditionalityType.PREREQUISITE: + return "prerequisite" + if self == DependencyConditionalityType.OTHER: + return "other" + return "unknown" + + @staticmethod + def from_str(value: str) -> Optional['DependencyConditionalityType']: + if value == "optional": + return DependencyConditionalityType.OPTIONAL + if value == "required": + return DependencyConditionalityType.REQUIRED + if value == "provided": + return DependencyConditionalityType.PROVIDED + if value == "prerequisite": + return DependencyConditionalityType.PREREQUISITE + if value == "other": + return DependencyConditionalityType.OTHER + return None diff --git a/src/spdx_tools/spdx3/new_model/software/file.py b/src/spdx_tools/spdx3/new_model/software/file.py new file mode 100644 index 000000000..1236196d3 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/software/file.py @@ -0,0 +1,62 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from ..core import Agent, CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod, MediaType +from ..licensing import AnyLicenseInfo +from ..software import SoftwareArtifact, SoftwarePurpose +from beartype.typing import List, Optional +from datetime import datetime +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class File(SoftwareArtifact): + """ + Refers to any object that stores content on a computer. The type of content can optionally be provided in the + contentType property. External property restriction on /Core/Element/name: minCount: 1 + """ + content_type: Optional[MediaType] = None + """ + This field is a reasonable estimation of the content type of the Element, from a creator perspective. Content type + is intrinsic to the Element, independent of how the Element is being used. + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: Optional[str] = None, + originated_by: List[Agent] = None, + supplied_by: List[Agent] = None, + built_time: Optional[datetime] = None, + release_time: Optional[datetime] = None, + valid_until_time: Optional[datetime] = None, + standard: List[str] = None, + content_identifier: Optional[str] = None, + primary_purpose: Optional[SoftwarePurpose] = None, + additional_purpose: List[SoftwarePurpose] = None, + concluded_license: Optional[AnyLicenseInfo] = None, + declared_license: Optional[AnyLicenseInfo] = None, + copyright_text: Optional[str] = None, + attribution_text: Optional[str] = None, + content_type: Optional[MediaType] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + originated_by = [] if originated_by is None else originated_by + supplied_by = [] if supplied_by is None else supplied_by + standard = [] if standard is None else standard + additional_purpose = [] if additional_purpose is None else additional_purpose + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/software/package.py b/src/spdx_tools/spdx3/new_model/software/package.py new file mode 100644 index 000000000..ded99881c --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/software/package.py @@ -0,0 +1,118 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from ..core import Agent, CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod +from ..licensing import AnyLicenseInfo +from ..software import SoftwareArtifact, SoftwarePurpose +from beartype.typing import List, Optional +from datetime import datetime +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class Package(SoftwareArtifact): + """ + A package refers to any unit of content that can be associated with a distribution of software. Typically, a package + is composed of one or more files. + Any of the following non-limiting examples may be (but are not required to be) represented in SPDX as a package: + + - a tarball, zip file or other archive + - a directory or sub-directory + - a separately distributed piece of software which another Package or File uses or depends upon (e.g., a Python + package, a Go module, ...) + - a container image, and/or each image layer within a container image + - a collection of one or more sub-packages + - a Git repository snapshot from a particular point in time + + Note that some of these could be represented in SPDX as a file as well. External property restriction on + /Core/Element/name: minCount: 1 + """ + package_version: Optional[str] = None + """ + A packageVersion is useful for identification purposes and for indicating later changes of the package version. + """ + download_location: Optional[str] = None + """ + DownloadLocation identifies the download Uniform Resource Identifier for the package at the time that the document + was created. Where and how to download the exact package being referenced is critical for verification and tracking + data. + """ + package_url: Optional[str] = None + """ + A packageUrl (commonly pronounced and referred to as "purl") is an attempt to standardize package representations in + order to reliably identify and locate software packages. A purl is a URL string which represents a package in a + mostly universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs + and databases. + + the purl URL string is defined by seven components: + ``` + scheme:type/namespace/name@version?qualifiers#subpath + ``` + + The definition for each component can be found in the [purl + specification](https://github.com/package-url/purl-spec/blob/master/PURL-SPECIFICATION.rst). Components are designed + such that they form a hierarchy from the most significant on the left to the least significant components on the + right. + + Parsing a purl string into its components works from left to right. Some extra type-specific normalizations are + required. For more information, see [How to parse a purl string in its + components](https://github.com/package-url/purl-spec/blob/master/PURL-SPECIFICATION.rst#how-to-parse-a-purl-string-in-its-components). + """ + homepage: Optional[str] = None + """ + HomePage is a place for the SPDX document creator to record a website that serves as the package's home page. This + saves the recipient of the SPDX document who is looking for more info from having to search for and verify a match + between the package and the associated project home page. This link can also be used to reference further + information about the package referenced by the SPDX document creator. + """ + source_info: Optional[str] = None + """ + SourceInfo records any relevant background information or additional comments about the origin of the package. For + example, this field might include comments indicating whether the package was pulled from a source code management + system or has been repackaged. The creator can provide additional information to describe any anomalies or + discoveries in the determination of the origin of the package. + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: Optional[str] = None, + originated_by: List[Agent] = None, + supplied_by: List[Agent] = None, + built_time: Optional[datetime] = None, + release_time: Optional[datetime] = None, + valid_until_time: Optional[datetime] = None, + standard: List[str] = None, + content_identifier: Optional[str] = None, + primary_purpose: Optional[SoftwarePurpose] = None, + additional_purpose: List[SoftwarePurpose] = None, + concluded_license: Optional[AnyLicenseInfo] = None, + declared_license: Optional[AnyLicenseInfo] = None, + copyright_text: Optional[str] = None, + attribution_text: Optional[str] = None, + package_version: Optional[str] = None, + download_location: Optional[str] = None, + package_url: Optional[str] = None, + homepage: Optional[str] = None, + source_info: Optional[str] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + originated_by = [] if originated_by is None else originated_by + supplied_by = [] if supplied_by is None else supplied_by + standard = [] if standard is None else standard + additional_purpose = [] if additional_purpose is None else additional_purpose + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/software/sbom.py b/src/spdx_tools/spdx3/new_model/software/sbom.py new file mode 100644 index 000000000..a1ca3f2cb --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/software/sbom.py @@ -0,0 +1,55 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from ..core import Bom, CreationInfo, Element, ExternalIdentifier, ExternalMap, ExternalReference, IntegrityMethod, NamespaceMap +from ..software import SbomType +from beartype.typing import List, Optional +from dataclasses import field +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class Sbom(Bom): + """ + A Software Bill of Materials (SBOM) is a collection of SPDX Elements describing a single package. This could include + details of the content and composition of the product, provenance details of the product and/or its composition, + licensing information, known quality or security issues, etc. + """ + sbom_type: List[SbomType] = field(default_factory=list) + """ + This field is a reasonable estimation of the type of SBOM created from a creator perspective. It is intended to be + used to give guidance on the elements that may be contained within it. Aligning with the guidance produced in [Types + of Software Bill of Material (SBOM) + Documents](https://www.cisa.gov/sites/default/files/2023-04/sbom-types-document-508c.pdf). + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + element: List[Element], + root_element: List[Element], + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: Optional[str] = None, + namespaces: List[NamespaceMap] = None, + imports: List[ExternalMap] = None, + context: Optional[str] = None, + sbom_type: List[SbomType] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + namespaces = [] if namespaces is None else namespaces + imports = [] if imports is None else imports + sbom_type = [] if sbom_type is None else sbom_type + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/software/sbom_type.py b/src/spdx_tools/spdx3/new_model/software/sbom_type.py new file mode 100644 index 000000000..a1e59a81d --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/software/sbom_type.py @@ -0,0 +1,83 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from beartype.typing import Optional +from enum import Enum, auto + + +class SbomType(Enum): + """ + The set of SBOM types with definitions as defined in [Types of Software Bill of Material (SBOM) + Documents](https://www.cisa.gov/sites/default/files/2023-04/sbom-types-document-508c.pdf), published on April 21, + 2023. An SBOM type describes the most likely type of an SBOM from the producer perspective, so that consumers can + draw conclusions about the data inside an SBOM. A single SBOM can have multiple SBOM document types associated with + it. + """ + + DESIGN = auto() + """ + SBOM of intended, planned software project or product with included components (some of which may not yet exist) for + a new software artifact. + """ + SOURCE = auto() + """ + SBOM created directly from the development environment, source files, and included dependencies used to build an + product artifact. + """ + BUILD = auto() + """ + SBOM generated as part of the process of building the software to create a releasable artifact (e.g., executable or + package) from data such as source files, dependencies, built components, build process ephemeral data, and other + SBOMs. + """ + DEPLOYED = auto() + """ + SBOM provides an inventory of software that is present on a system. This may be an assembly of other SBOMs that + combines analysis of configuration options, and examination of execution behavior in a (potentially simulated) + deployment environment. + """ + RUNTIME = auto() + """ + SBOM generated through instrumenting the system running the software, to capture only components present in the + system, as well as external call-outs or dynamically loaded components. In some contexts, this may also be referred + to as an “Instrumented” or “Dynamic” SBOM. + """ + ANALYZED = auto() + """ + SBOM generated through analysis of artifacts (e.g., executables, packages, containers, and virtual machine images) + after its build. Such analysis generally requires a variety of heuristics. In some contexts, this may also be + referred to as a “3rd party” SBOM. + """ + + def __str__(self) -> str: + if self == SbomType.DESIGN: + return "design" + if self == SbomType.SOURCE: + return "source" + if self == SbomType.BUILD: + return "build" + if self == SbomType.DEPLOYED: + return "deployed" + if self == SbomType.RUNTIME: + return "runtime" + if self == SbomType.ANALYZED: + return "analyzed" + return "unknown" + + @staticmethod + def from_str(value: str) -> Optional['SbomType']: + if value == "design": + return SbomType.DESIGN + if value == "source": + return SbomType.SOURCE + if value == "build": + return SbomType.BUILD + if value == "deployed": + return SbomType.DEPLOYED + if value == "runtime": + return SbomType.RUNTIME + if value == "analyzed": + return SbomType.ANALYZED + return None diff --git a/src/spdx_tools/spdx3/new_model/software/snippet.py b/src/spdx_tools/spdx3/new_model/software/snippet.py new file mode 100644 index 000000000..679a5307e --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/software/snippet.py @@ -0,0 +1,73 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from ..core import Agent, CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod, PositiveIntegerRange +from ..licensing import AnyLicenseInfo +from ..software import SoftwareArtifact, SoftwarePurpose +from beartype.typing import List, Optional +from datetime import datetime +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class Snippet(SoftwareArtifact): + """ + A Snippet describes a certain part of a file and can be used when the file is known to have some content that has + been included from another original source. Snippets are useful for denoting when part of a file may have been + originally created under another license or copied from a place with a known vulnerability. + """ + byte_range: Optional[PositiveIntegerRange] = None + """ + This field defines the byte range in the original host file that the snippet information applies to. A range of + bytes is independent of various formatting concerns, and the most accurate way of referring to the differences. The + choice was made to start the numbering of the byte range at 1 to be consistent with the W3C pointer method + vocabulary. + """ + line_range: Optional[PositiveIntegerRange] = None + """ + This field defines the line range in the original host file that the snippet information applies to. If there is a + disagreement between the byte range and line range, the byte range values will take precedence. A range of lines is + a convenient reference for those files where there is a known line delimiter. The choice was made to start the + numbering of the lines at 1 to be consistent with the W3C pointer method vocabulary. + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: Optional[str] = None, + originated_by: List[Agent] = None, + supplied_by: List[Agent] = None, + built_time: Optional[datetime] = None, + release_time: Optional[datetime] = None, + valid_until_time: Optional[datetime] = None, + standard: List[str] = None, + content_identifier: Optional[str] = None, + primary_purpose: Optional[SoftwarePurpose] = None, + additional_purpose: List[SoftwarePurpose] = None, + concluded_license: Optional[AnyLicenseInfo] = None, + declared_license: Optional[AnyLicenseInfo] = None, + copyright_text: Optional[str] = None, + attribution_text: Optional[str] = None, + byte_range: Optional[PositiveIntegerRange] = None, + line_range: Optional[PositiveIntegerRange] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + originated_by = [] if originated_by is None else originated_by + supplied_by = [] if supplied_by is None else supplied_by + standard = [] if standard is None else standard + additional_purpose = [] if additional_purpose is None else additional_purpose + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/software/software_artifact.py b/src/spdx_tools/spdx3/new_model/software/software_artifact.py new file mode 100644 index 000000000..cbdb08f01 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/software/software_artifact.py @@ -0,0 +1,147 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from ..core import Agent, Artifact, CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod +from ..licensing import AnyLicenseInfo +from ..software import SoftwarePurpose +from abc import abstractmethod +from beartype.typing import List, Optional +from dataclasses import field +from datetime import datetime + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class SoftwareArtifact(Artifact): + """ + A software artifact is a distinct article or unit related to software such as a package, a file, or a snippet. + """ + content_identifier: Optional[str] = None + """ + The contentIdentifier provides a canonical, unique, immutable artifact identifier for each software artifact. SPDX + 3.0 describes software artifacts as Snippet, File, or Package Elements. The ContentIdentifier can be calculated for + any software artifact and can be recorded for any of these SPDX 3.0 Elements using Omnibor, an attempt to + standardize how software artifacts are identified independent of which programming language, version control system, + build tool, package manager, or software distribution mechanism is in use. + + The contentIdentifier is defined as the [Git Object + Identifier](https://git-scm.com/book/en/v2/Git-Internals-Git-Objects) (gitoid) of type `blob` of the software + artifact. The use of a git-based version control system is not necessary to calculate a contentIdentifier for any + software artifact. + + The gitoid is expressed in the ContentIdentifier property by using the IANA [gitoid URI + scheme](https://www.iana.org/assignments/uri-schemes/prov/gitoid). + + ``` + Scheme syntax: gitoid":"":"":" + ``` + + The OmniBOR ID for the OmniBOR Document associated with a software artifact should not be recorded in this field. + Rather, OmniBOR IDs should be recorded in the SPDX Element's ExternalIdentifier property. See + [https://omnibor.io](https://omnibor.io) for more details. + """ + primary_purpose: Optional[SoftwarePurpose] = None + """ + primaryPurpose provides information about the primary purpose of the software artifact. + """ + additional_purpose: List[SoftwarePurpose] = field(default_factory=list) + """ + Additional purpose provides information about the additional purposes of the software artifact in addition to the + primaryPurpose. + """ + concluded_license: Optional[AnyLicenseInfo] = None + """ + A concludedLicense is the license identified by the SPDX data creator, based on analyzing the license information in + the software Package, File or Snippet and other information to arrive at a reasonably objective conclusion as to + what license governs it. + + If a concludedLicense has a NONE value (NoneLicense), this indicates that the SPDX data creator has looked and did + not find any license information for this software Package, File or Snippet. + + If a concludedLicense has a NOASSERTION value (NoAssertionLicense), this indicates that one of the following + applies: + * the SPDX data creator has attempted to but cannot reach a reasonable objective determination; + * the SPDX data creator has made no attempt to determine this field; or + * the SPDX data creator has intentionally provided no information (no meaning should be implied by doing so). + + A written explanation of a NOASSERTION value (NoAssertionLicense) MAY be provided in the licenseComment field. + + If the concludedLicense for a software Package, File or Snippet is not the same as its declaredLicense, a written + explanation SHOULD be provided in the licenseComment field. + + If the declaredLicense for a software Package, File or Snippet is a choice of more than one license (e.g. a license + expression combining two licenses through use of the `OR` operator), then the concludedLicense may either retain the + license choice or identify which license was chosen. + """ + declared_license: Optional[AnyLicenseInfo] = None + """ + A declaredLicense is the license identified in text in the software package, file or snippet as the license declared + by its authors. + + This field is not intended to capture license information obtained from an external source, such as a package's + website. Such information can be included, as needed, in a concludedLicense field. + + A declaredLicense may be expressed differently in practice for different types of artifacts. For example: + + * for Packages: + * would include license info describing the license of the Package as a whole, when it is found in the Package + itself (e.g., LICENSE file, README file, metadata in the repository, etc.) + * would not include any license information that is not in the Package itself (e.g., license information from the + project’s website or from a third party repository or website) + * for Files: + * would include license info found in the File itself (e.g., license header or notice, comments, + SPDX-License-Identifier expression) + * would not include license info found in a different file (e.g., LICENSE file in the top directory of a + repository) + * for Snippets: + * would include license info found in the Snippet itself (e.g., license notice, comments, SPDX-License-Identifier + expression) + * would not include license info found elsewhere in the File or in a different File (e.g., comment at top of File + if it is not within the Snippet, LICENSE file in the top directory of a repository) + + If a declaredLicense has a NONE value (NoneLicense), this indicates that the corresponding Package, File or Snippet + contains no license information whatsoever. + + If a declaredLicense has a NOASSERTION value (NoAssertionLicense), this indicates that one of the following applies: + * the SPDX data creator has attempted to but cannot reach a reasonable objective determination; + * the SPDX data creator has made no attempt to determine this field; or + * the SPDX data creator has intentionally provided no information (no meaning should be implied by doing so). + """ + copyright_text: Optional[str] = None + """ + A copyrightText consists of the text(s) of the copyright notice(s) found for a software Package, File or Snippet, if + any. + + If a copyrightText contains text, then it may contain any text related to one or more copyright notices (even if not + complete) for that software Package, File or Snippet. + + If a copyrightText has a "NONE" value, this indicates that the software Package, File or Snippet contains no + copyright notice whatsoever. + + If a copyrightText has a "NOASSERTION" value, this indicates that one of the following applies: + * the SPDX data creator has attempted to but cannot reach a reasonable objective determination; + * the SPDX data creator has made no attempt to determine this field; or + * the SPDX data creator has intentionally provided no information (no meaning should be implied by doing so). + """ + attribution_text: Optional[str] = None + """ + An attributionText for a software Package, File or Snippet provides a consumer of SPDX data with acknowledgement + content, to assist redistributors of the Package, File or Snippet with reproducing those acknowledgements. + + For example, this field may include a statement that is required by a particular license to be reproduced in + end-user documentation, advertising materials, or another form. + + This field may describe where, or in which contexts, the acknowledgements need to be reproduced, but it is not + required to do so. The SPDX data creator may also explain elsewhere (such as in a licenseComment field) how they + intend for data in this field to be used. + + An attributionText is is not meant to include the software Package, File or Snippet’s actual complete license text + (see concludedLicense to identify the corresponding license). + """ + + @abstractmethod + def __init__(self): + pass diff --git a/src/spdx_tools/spdx3/new_model/software/software_dependency_link_type.py b/src/spdx_tools/spdx3/new_model/software/software_dependency_link_type.py new file mode 100644 index 000000000..e2ae2048c --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/software/software_dependency_link_type.py @@ -0,0 +1,53 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from beartype.typing import Optional +from enum import Enum, auto + + +class SoftwareDependencyLinkType(Enum): + """ + TODO + """ + + STATIC = auto() + """ + TODOdescription + """ + DYNAMIC = auto() + """ + TODOdescription + """ + TOOL = auto() + """ + TODOdescription + """ + OTHER = auto() + """ + TODOdescription + """ + + def __str__(self) -> str: + if self == SoftwareDependencyLinkType.STATIC: + return "static" + if self == SoftwareDependencyLinkType.DYNAMIC: + return "dynamic" + if self == SoftwareDependencyLinkType.TOOL: + return "tool" + if self == SoftwareDependencyLinkType.OTHER: + return "other" + return "unknown" + + @staticmethod + def from_str(value: str) -> Optional['SoftwareDependencyLinkType']: + if value == "static": + return SoftwareDependencyLinkType.STATIC + if value == "dynamic": + return SoftwareDependencyLinkType.DYNAMIC + if value == "tool": + return SoftwareDependencyLinkType.TOOL + if value == "other": + return SoftwareDependencyLinkType.OTHER + return None diff --git a/src/spdx_tools/spdx3/new_model/software/software_dependency_relationship.py b/src/spdx_tools/spdx3/new_model/software/software_dependency_relationship.py new file mode 100644 index 000000000..18fdfb9e1 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/software/software_dependency_relationship.py @@ -0,0 +1,55 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from ..core import CreationInfo, Element, ExternalIdentifier, ExternalReference, IntegrityMethod, LifecycleScopeType, LifecycleScopedRelationship, RelationshipCompleteness, RelationshipType +from ..software import DependencyConditionalityType, SoftwareDependencyLinkType +from beartype.typing import List, Optional +from datetime import datetime +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class SoftwareDependencyRelationship(LifecycleScopedRelationship): + """ + TODO + """ + software_linkage: Optional[SoftwareDependencyLinkType] = None + """ + A softwareLinkage is TODO + """ + conditionality: Optional[DependencyConditionalityType] = None + """ + A conditionality is TODO + """ + + def __init__( + self, + spdx_id: str, + creation_info: CreationInfo, + from_element: Element, + relationship_type: RelationshipType, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: Optional[str] = None, + to: List[Element] = None, + completeness: Optional[RelationshipCompleteness] = None, + start_time: Optional[datetime] = None, + end_time: Optional[datetime] = None, + scope: Optional[LifecycleScopeType] = None, + software_linkage: Optional[SoftwareDependencyLinkType] = None, + conditionality: Optional[DependencyConditionalityType] = None, + ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + to = [] if to is None else to + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/software/software_purpose.py b/src/spdx_tools/spdx3/new_model/software/software_purpose.py new file mode 100644 index 000000000..33ad883fc --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/software/software_purpose.py @@ -0,0 +1,225 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! + +from beartype.typing import Optional +from enum import Enum, auto + + +class SoftwarePurpose(Enum): + """ + This field provides information about the primary purpose of an Element. Software Purpose is intrinsic to how the + Element is being used rather than the content of the Element. This field is a reasonable estimate of the most likely + usage of the Element from the producer and consumer perspective from which both parties can draw conclusions about + the context in which the Element exists. + """ + + APPLICATION = auto() + """ + the Element is a software application + """ + ARCHIVE = auto() + """ + the Element is an archived collection of one or more files (.tar, .zip, etc) + """ + BOM = auto() + """ + Element is a bill of materials + """ + CONFIGURATION = auto() + """ + Element is configuration data + """ + CONTAINER = auto() + """ + the Element is a container image which can be used by a container runtime application + """ + DATA = auto() + """ + Element is data + """ + DEVICE = auto() + """ + the Element refers to a chipset, processor, or electronic board + """ + DOCUMENTATION = auto() + """ + Element is documentation + """ + EVIDENCE = auto() + """ + the Element is the evidence that a specification or requirement has been fulfilled + """ + EXECUTABLE = auto() + """ + Element is an Artifact that can be run on a computer + """ + FILE = auto() + """ + the Element is a single file which can be independently distributed (configuration file, statically linked binary, + Kubernetes deployment, etc) + """ + FIRMWARE = auto() + """ + the Element provides low level control over a device's hardware + """ + FRAMEWORK = auto() + """ + the Element is a software framework + """ + INSTALL = auto() + """ + the Element is used to install software on disk + """ + LIBRARY = auto() + """ + the Element is a software library + """ + MANIFEST = auto() + """ + the Element is a software manifest + """ + MODEL = auto() + """ + the Element is a machine learning or artificial intelligence model + """ + MODULE = auto() + """ + the Element is a module of a piece of software + """ + OPERATING_SYSTEM = auto() + """ + the Element is an operating system + """ + OTHER = auto() + """ + the Element doesn't fit into any of the other categories + """ + PATCH = auto() + """ + Element contains a set of changes to update, fix, or improve another Element + """ + REQUIREMENT = auto() + """ + the Element provides a requirement needed as input for another Element + """ + SOURCE = auto() + """ + the Element is a single or a collection of source files + """ + SPECIFICATION = auto() + """ + the Element is a plan, guideline or strategy how to create, perform or analyse an application + """ + TEST = auto() + """ + The Element is a test used to verify functionality on an software element + """ + + def __str__(self) -> str: + if self == SoftwarePurpose.APPLICATION: + return "application" + if self == SoftwarePurpose.ARCHIVE: + return "archive" + if self == SoftwarePurpose.BOM: + return "bom" + if self == SoftwarePurpose.CONFIGURATION: + return "configuration" + if self == SoftwarePurpose.CONTAINER: + return "container" + if self == SoftwarePurpose.DATA: + return "data" + if self == SoftwarePurpose.DEVICE: + return "device" + if self == SoftwarePurpose.DOCUMENTATION: + return "documentation" + if self == SoftwarePurpose.EVIDENCE: + return "evidence" + if self == SoftwarePurpose.EXECUTABLE: + return "executable" + if self == SoftwarePurpose.FILE: + return "file" + if self == SoftwarePurpose.FIRMWARE: + return "firmware" + if self == SoftwarePurpose.FRAMEWORK: + return "framework" + if self == SoftwarePurpose.INSTALL: + return "install" + if self == SoftwarePurpose.LIBRARY: + return "library" + if self == SoftwarePurpose.MANIFEST: + return "manifest" + if self == SoftwarePurpose.MODEL: + return "model" + if self == SoftwarePurpose.MODULE: + return "module" + if self == SoftwarePurpose.OPERATING_SYSTEM: + return "operatingSystem" + if self == SoftwarePurpose.OTHER: + return "other" + if self == SoftwarePurpose.PATCH: + return "patch" + if self == SoftwarePurpose.REQUIREMENT: + return "requirement" + if self == SoftwarePurpose.SOURCE: + return "source" + if self == SoftwarePurpose.SPECIFICATION: + return "specification" + if self == SoftwarePurpose.TEST: + return "test" + return "unknown" + + @staticmethod + def from_str(value: str) -> Optional['SoftwarePurpose']: + if value == "application": + return SoftwarePurpose.APPLICATION + if value == "archive": + return SoftwarePurpose.ARCHIVE + if value == "bom": + return SoftwarePurpose.BOM + if value == "configuration": + return SoftwarePurpose.CONFIGURATION + if value == "container": + return SoftwarePurpose.CONTAINER + if value == "data": + return SoftwarePurpose.DATA + if value == "device": + return SoftwarePurpose.DEVICE + if value == "documentation": + return SoftwarePurpose.DOCUMENTATION + if value == "evidence": + return SoftwarePurpose.EVIDENCE + if value == "executable": + return SoftwarePurpose.EXECUTABLE + if value == "file": + return SoftwarePurpose.FILE + if value == "firmware": + return SoftwarePurpose.FIRMWARE + if value == "framework": + return SoftwarePurpose.FRAMEWORK + if value == "install": + return SoftwarePurpose.INSTALL + if value == "library": + return SoftwarePurpose.LIBRARY + if value == "manifest": + return SoftwarePurpose.MANIFEST + if value == "model": + return SoftwarePurpose.MODEL + if value == "module": + return SoftwarePurpose.MODULE + if value == "operatingSystem": + return SoftwarePurpose.OPERATING_SYSTEM + if value == "other": + return SoftwarePurpose.OTHER + if value == "patch": + return SoftwarePurpose.PATCH + if value == "requirement": + return SoftwarePurpose.REQUIREMENT + if value == "source": + return SoftwarePurpose.SOURCE + if value == "specification": + return SoftwarePurpose.SPECIFICATION + if value == "test": + return SoftwarePurpose.TEST + return None From 3fba351159c0ef5396238fe4559ad2a8d176f908 Mon Sep 17 00:00:00 2001 From: Holger Frydrych Date: Wed, 26 Jul 2023 14:00:42 +0200 Subject: [PATCH 16/33] Properly map core datatypes and xsd types to Python types Signed-off-by: Holger Frydrych --- dev/gen_python_model_from_spec.py | 46 +++++++++++++++++++++++++------ 1 file changed, 37 insertions(+), 9 deletions(-) diff --git a/dev/gen_python_model_from_spec.py b/dev/gen_python_model_from_spec.py index cdf2cbaf1..38388fc30 100644 --- a/dev/gen_python_model_from_spec.py +++ b/dev/gen_python_model_from_spec.py @@ -91,6 +91,33 @@ def __init__(self): pass """ +SPECIAL_TYPE_MAPPINGS: dict[str, tuple[str, Optional[str]]] = { + "Core/DateTime": ("datetime", "datetime"), + "Core/Extension": ("str", None), + "Core/MediaType": ("str", None), + "Core/SemVer": ("Version", "semantic_version"), + "xsd:anyURI": ("str", None), + "xsd:boolean": ("bool", None), + "xsd:datetime": ("datetime", "datetime"), + "xsd:decimal": ("float", None), + "xsd:double": ("float", None), + "xsd:float": ("float", None), + "xsd:int": ("int", None), + "xsd:integer": ("int", None), + "xsd:negativeInteger": ("int", None), + "xsd:nonNegativeInteger": ("int", None), + "xsd:nonPositiveInteger": ("int", None), + "xsd:positiveInteger": ("int", None), + "xsd:string": ("str", None), +} + +SPECIAL_PROPTYPE_MAPPINGS: dict[str, tuple[str, Optional[str]]] = { + # for the moment, we replace Element and Agent references with string references to their ID + # otherwise, there is a cyclic dependency between CreationInfo and Agent that is problematic to deal with + "Core/Agent": ("str", None), + "Core/Element": ("str", None), +} + # TODO: use the actual model package path rather than a separate path output_dir = os.path.join(os.path.dirname(__file__), "../src/spdx_tools/spdx3/new_model") @@ -145,10 +172,8 @@ def split_qualified_name(typename: str) -> tuple[str, str]: def to_python_type(typename: str) -> str: - if typename == "xsd:datetime" or typename == "Core/DateTime": - return "datetime" - if typename == "Core/SemVer" or typename == "Core/Extension": - return "str" + if typename in SPECIAL_TYPE_MAPPINGS: + return SPECIAL_TYPE_MAPPINGS[typename][0] if typename.startswith("xsd:"): return "str" _, typename = split_qualified_name(typename) @@ -171,7 +196,10 @@ class Property: inherited: bool def get_python_type(self) -> str: - prop_type = to_python_type(self.type) + if self.type in SPECIAL_PROPTYPE_MAPPINGS: + prop_type = SPECIAL_PROPTYPE_MAPPINGS[self.type][0] + else: + prop_type = to_python_type(self.type) if self.is_list: prop_type = f"List[{prop_type}]" elif self.optional: @@ -220,10 +248,10 @@ def _add_import(self, module: str, typename: str): self.imports[module].add(typename) def _import_spdx_type(self, typename: str): - if typename == "Core/DateTime": - self._add_import("datetime", "datetime") - return - if typename == "Core/SemVer" or typename == "Core/Extension": + if typename in SPECIAL_TYPE_MAPPINGS: + import_type, import_module = SPECIAL_TYPE_MAPPINGS[typename] + if import_module: + self._add_import(import_module, import_type) return if typename.startswith("xsd:"): return From 070830337f977cb0fe66c0b0a60f72806e401a31 Mon Sep 17 00:00:00 2001 From: Holger Frydrych Date: Wed, 26 Jul 2023 14:36:07 +0200 Subject: [PATCH 17/33] Properly map lists of DictionaryEntry to python dicts Signed-off-by: Holger Frydrych --- dev/gen_python_model_from_spec.py | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/dev/gen_python_model_from_spec.py b/dev/gen_python_model_from_spec.py index 38388fc30..92b9f3e75 100644 --- a/dev/gen_python_model_from_spec.py +++ b/dev/gen_python_model_from_spec.py @@ -84,7 +84,7 @@ class {typename}({parent}):{docstring} """ CLS_INIT_ARG = "\n {prop_name}: {prop_type}," CLS_INIT_ARG_OPT = "\n {prop_name}: {prop_type} = None," -CLS_INIT_REMAP = "\n {prop_name} = [] if {prop_name} is None else {prop_name}" +CLS_INIT_REMAP = "\n {prop_name} = {default} if {prop_name} is None else {prop_name}" CLS_INIT_ABSTRACT = """ @abstractmethod def __init__(self): @@ -196,6 +196,8 @@ class Property: inherited: bool def get_python_type(self) -> str: + if self.type == "Core/DictionaryEntry": + return "Dict[str, Optional[str]]" if self.type in SPECIAL_PROPTYPE_MAPPINGS: prop_type = SPECIAL_PROPTYPE_MAPPINGS[self.type][0] else: @@ -275,7 +277,10 @@ def _collect_props(self, cls: dict, namespace: str, is_parent: bool): self.props.append(prop) self._import_spdx_type(proptype) - if is_list: + if proptype == "Core/DictionaryEntry": + self._add_import("beartype.typing", "Dict") + self._add_import("beartype.typing", "Optional") + elif is_list: self._add_import("beartype.typing", "List") elif optional: self._add_import("beartype.typing", "Optional") @@ -303,7 +308,10 @@ def _gen_props(self) -> str: name = prop_name_to_python(prop.name) proptype = prop.get_python_type() docstring = self._get_prop_docstring(prop.name) - if prop.is_list: + if prop.type == "Core/DictionaryType": + default = " = field(default_factory=dict)" + self._add_import("dataclasses", "field") + elif prop.is_list: default = " = field(default_factory=list)" self._add_import("dataclasses", "field") elif prop.optional: @@ -335,8 +343,10 @@ def _gen_constructor(self) -> str: for prop in optional_props: prop_name = prop_name_to_python(prop.name) args += CLS_INIT_ARG_OPT.format(prop_name=prop_name, prop_type=prop.get_python_type()) - if prop.is_list: - remaps += CLS_INIT_REMAP.format(prop_name=prop_name) + if prop.type == "Core/DictionaryEntry": + remaps += CLS_INIT_REMAP.format(prop_name=prop_name, default="{}") + elif prop.is_list: + remaps += CLS_INIT_REMAP.format(prop_name=prop_name, default="[]") return CLS_INIT.format(arguments=args, remaps=remaps) From 9bcbfc922384febdfc7a65c370e700b5f32b1c35 Mon Sep 17 00:00:00 2001 From: Holger Frydrych Date: Wed, 26 Jul 2023 14:40:01 +0200 Subject: [PATCH 18/33] Exclude classes from being generated if we have a custom type mapping in place for them Signed-off-by: Holger Frydrych --- dev/gen_python_model_from_spec.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/dev/gen_python_model_from_spec.py b/dev/gen_python_model_from_spec.py index 92b9f3e75..789f9b95b 100644 --- a/dev/gen_python_model_from_spec.py +++ b/dev/gen_python_model_from_spec.py @@ -93,6 +93,7 @@ def __init__(self): SPECIAL_TYPE_MAPPINGS: dict[str, tuple[str, Optional[str]]] = { "Core/DateTime": ("datetime", "datetime"), + "Core/DictionaryEntry": ("Dict[str, Optional[str]]", None), "Core/Extension": ("str", None), "Core/MediaType": ("str", None), "Core/SemVer": ("Version", "semantic_version"), @@ -364,6 +365,11 @@ def create_namespace_import(self, model: dict): self.namespace_imports = "from . import " + ", ".join(namespaces) def handle_class(self, clazz: dict, namespace_name: str, model: dict): + qualified_name = get_qualified_name(clazz["metadata"]["name"], namespace_name) + if qualified_name in SPECIAL_TYPE_MAPPINGS: + # do not generate Python classes for types we are mapping differently + return + clsinfo = GenClassFromSpec(clazz, namespace_name, model) clsinfo.gen_file() From 36516c07820f46ea019f0e8cd9b097edc274cecd Mon Sep 17 00:00:00 2001 From: Holger Frydrych Date: Wed, 26 Jul 2023 14:54:15 +0200 Subject: [PATCH 19/33] Add the model dump from which the classes were generated for reference Signed-off-by: Holger Frydrych --- dev/model_dump.json | 1 + 1 file changed, 1 insertion(+) create mode 100644 dev/model_dump.json diff --git a/dev/model_dump.json b/dev/model_dump.json new file mode 100644 index 000000000..4296500d2 --- /dev/null +++ b/dev/model_dump.json @@ -0,0 +1 @@ +{"ExpandedLicense": {"name": "ExpandedLicense", "classes": {"ConjunctiveLicenseSet": {"summary": "Portion of an AnyLicenseInfo representing a set of licensing information\nwhere all elements apply.", "description": "A ConjunctiveLicenseSet indicates that _each_ of its subsidiary\nAnyLicenseInfos apply. In other words, a ConjunctiveLicenseSet of two or\nmore licenses represents a licensing situation where _all_ of the specified\nlicenses are to be complied with. It is represented in the SPDX License\nExpression Syntax by the `AND` operator.\n\nIt is syntactically correct to specify a ConjunctiveLicenseSet where the\nsubsidiary AnyLicenseInfos may be \"incompatible\" according to a particular\ninterpretation of the corresponding Licenses. The SPDX License Expression\nSyntax does not take into account interpretation of license texts, which is\nleft to the consumer of SPDX data to determine for themselves.", "metadata": {"name": "ConjunctiveLicenseSet", "SubclassOf": "Licensing/AnyLicenseInfo", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/ExpandedLicense/ConjunctiveLicenseSet"}, "properties": {"member": {"type": "Licensing/AnyLicenseInfo", "minCount": "2", "maxCount": "*"}}}, "DisjunctiveLicenseSet": {"summary": "Portion of an AnyLicenseInfo representing a set of licensing information\nwhere only any one of the elements applies.", "description": "A DisjunctiveLicenseSet indicates that _only one_ of its subsidiary\nAnyLicenseInfos is required to apply. In other words, a\nDisjunctiveLicenseSet of two or more licenses represents a licensing\nsituation where _only one_ of the specified licenses are to be complied with.\nA consumer of SPDX data would typically understand this to permit the recipient\nof the licensed content to choose which of the corresponding license they\nwould prefer to use. It is represented in the SPDX License Expression Syntax\nby the `OR` operator.", "metadata": {"name": "DisjunctiveLicenseSet", "SubclassOf": "Licensing/AnyLicenseInfo", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/ExpandedLicense/DisjunctiveLicenseSet"}, "properties": {"member": {"type": "Licensing/AnyLicenseInfo", "minCount": "2", "maxCount": "*"}}}, "ExtendableLicense": {"summary": "Abstract class representing a License or an OrLaterOperator.", "description": "The WithAdditionOperator can have a License or an OrLaterOperator as the license property value. This class is used for the value.", "metadata": {"name": "ExtendableLicense", "SubclassOf": "Licensing/AnyLicenseInfo", "Instantiability": "Abstract", "Status": "Stable", "id": "https://spdx.org/rdf/v3/ExpandedLicense/ExtendableLicense"}, "properties": {}}}, "properties": {"subjectLicense": {"summary": "A License participating in a 'with addition' or 'or later' model.", "description": "A subjectLicense is a License which is subject to either an 'or later' effect\n(OrLaterOperator) or a 'with additional text' effect (WithAdditionOperator).", "metadata": {"name": "subjectLicense", "Nature": "ObjectProperty", "Range": "Licensing/License", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/ExpandedLicense/subjectLicense"}}, "subjectAddition": {"summary": "A LicenseAddition participating in a 'with addition' model.", "description": "A subjectAddition is a LicenseAddition which is subject to a 'with additional\ntext' effect (WithAdditionOperator).", "metadata": {"name": "subjectAddition", "Nature": "ObjectProperty", "Range": "LicenseAddition", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/ExpandedLicense/subjectAddition"}}, "member": {"summary": "A license expression participating in a license set.", "description": "A member is a license expression participating in a conjuctive (of type\nConjunctiveLicenseSet) or a disjunctive (of type DisjunctiveLicenseSet)\nlicense set.", "metadata": {"name": "member", "Nature": "ObjectProperty", "Range": "Licensing/AnyLicenseInfo", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/ExpandedLicense/member", "Domain": ["ConjunctiveLicenseSet", "DisjunctiveLicenseSet"]}}}, "vocabs": {}}, "Core": {"name": "Core", "classes": {"PositiveIntegerRange": {"summary": "A tuple of two positive integers that define a range.", "description": "PositiveIntegerRange is a tuple of two positive integers that define a range.\n\"begin\" must be less than or equal to \"end\".", "metadata": {"name": "PositiveIntegerRange", "SubclassOf": "none", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/PositiveIntegerRange"}, "properties": {"begin": {"type": "xsd:positiveInteger", "minCount": "1", "maxCount": "1"}, "end": {"type": "xsd:positiveInteger", "minCount": "1", "maxCount": "1"}}}, "ElementCollection": {"summary": "A collection of Elements, not necessarily with unifying context.", "description": "An SpdxCollection is a collection of Elements, not necessarily with unifying context.", "metadata": {"name": "ElementCollection", "SubclassOf": "Element", "Instantiability": "Abstract", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/ElementCollection"}, "properties": {"element": {"type": "Element", "minCount": "1", "maxCount": "*"}, "rootElement": {"type": "Element", "minCount": "1", "maxCount": "*"}, "imports": {"type": "ExternalMap", "minCount": "0", "maxCount": "*"}}}, "ExternalReference": {"summary": "A reference to a resource outside the scope of SPDX-3.0 content.", "description": "An External Reference points to a resource outside the scope of the SPDX-3.0 content\nthat provides additional characteristics of an Element.", "metadata": {"name": "ExternalReference", "SubclassOf": "none", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/ExternalReference"}, "properties": {"externalReferenceType": {"type": "ExternalReferenceType", "maxCount": "1", "minCount": "0"}, "locator": {"type": "xsd:anyURI", "minCount": "0", "maxCount": "*"}, "contentType": {"type": "MediaType", "maxCount": "1", "minCount": "0"}, "comment": {"type": "xsd:string", "maxCount": "1", "minCount": "0"}}}, "ExternalIdentifier": {"summary": "A reference to a resource outside the scope of SPDX-3.0 content that uniquely identifies an Element.", "description": "An ExternalIdentifier is a reference to a resource outside the scope of SPDX-3.0 content\nthat uniquely identifies an Element.", "metadata": {"name": "ExternalIdentifier", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/ExternalIdentifier"}, "properties": {"externalIdentifierType": {"type": "ExternalIdentifierType", "minCount": "1", "maxCount": "1"}, "identifier": {"type": "xsd:string", "minCount": "1", "maxCount": "1"}, "comment": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}, "identifierLocator": {"type": "xsd:anyURI", "minCount": "0", "maxCount": "*"}, "issuingAuthority": {"type": "xsd:anyURI", "minCount": "0", "maxCount": "1"}}}, "Bom": {"summary": "A container for a grouping of SPDX-3.0 content characterizing details\n(provenence, composition, licensing, etc.) about a product.", "description": "A Bill Of Materials (BOM) is a container for a grouping of SPDX-3.0 content\ncharacterizing details about a product.\nThis could include details of the content and composition of the product,\nprovenence details of the product and/or\nits composition, licensing information, known quality or security issues, etc.", "metadata": {"name": "Bom", "SubclassOf": "Bundle", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/Bom"}, "properties": {}}, "SpdxDocument": {"summary": "Assembles a collection of Elements under a common string, the name of the document.", "description": "An SpdxDocument assembles a collection of Elements under a common string, the name of the document.\nCommonly used when representing a unit of transfer of SPDX Elements.\nExternal property restriction on /Core/Element/name: minCount: 1", "metadata": {"name": "SpdxDocument", "SubclassOf": "Bundle", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/SpdxDocument"}, "properties": {"name": {"type": "xsd:string", "minCount": "1", "maxCount": "1"}}}, "Tool": {"summary": "An element of hardware and/or software utilized to carry out a particular function.", "description": "A Tool is an element of hardware and/or software utilized to carry out a particular function.", "metadata": {"name": "Tool", "SubclassOf": "Element", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/Tool"}, "properties": {}}, "CreationInfo": {"summary": "Provides information about the creation of the Element.", "description": "The CreationInfo provides information about who created the Element, and when and how it was created. \n\nThe dateTime created is often the date of last change (e.g., a git commit date), not the date when the SPDX data was created, as doing so supports reproducible builds.", "metadata": {"name": "CreationInfo", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/CreationInfo"}, "properties": {"specVersion": {"type": "SemVer", "minCount": "1", "maxCount": "1"}, "comment": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}, "created": {"type": "DateTime", "maxCount": "1", "minCount": "0"}, "createdBy": {"type": "Agent", "minCount": "1", "maxCount": "*"}, "createdUsing": {"type": "Tool", "minCount": "0", "maxCount": "*"}, "profile": {"type": "ProfileIdentifierType", "minCount": "1", "maxCount": "*"}, "dataLicense": {"type": "xsd:string", "maxCount": "1", "minCount": "0"}}}, "Organization": {"summary": "A group of people who work together in an organized way for a shared purpose.", "description": "An Organization is a group of people who work together in an organized way for a shared purpose.", "metadata": {"name": "Organization", "SubclassOf": "Agent", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/Organization"}, "properties": {}}, "LifecycleScopedRelationship": {"summary": "", "description": "TODO", "metadata": {"name": "LifecycleScopedRelationship", "SubclassOf": "Relationship", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/LifecycleScopedRelationship"}, "properties": {"scope": {"type": "LifecycleScopeType", "minCount": "0", "maxCount": "1"}}}, "SoftwareAgent": {"summary": "A software agent.", "description": "A SoftwareAgent is a software program that is given the authority (similar to a user's authority) to act on a system.", "metadata": {"name": "SoftwareAgent", "SubclassOf": "Agent", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/SoftwareAgent"}, "properties": {}}, "IntegrityMethod": {"summary": "Provides an independently reproducible mechanism that permits verification of a specific Element.", "description": "An IntegrityMethod provides an independently reproducible mechanism that permits verification\nof a specific Element that correlates to the data in this SPDX document. This identifier enables\na recipient to determine if anything in the original Element has been changed and eliminates\nconfusion over which version or modification of a specific Element is referenced.", "metadata": {"name": "IntegrityMethod", "Instantiability": "Abstract", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/IntegrityMethod"}, "properties": {"comment": {"type": "xsd:string", "maxCount": "1", "minCount": "0"}}}, "Relationship": {"summary": "Describes a relationship between one or more elements.", "description": "A Relationship is a grouping of characteristics unique to an assertion\nthat one Element is related to one or more other Elements in some way.", "metadata": {"name": "Relationship", "SubclassOf": "Element", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/Relationship"}, "properties": {"from": {"type": "Element", "minCount": "1", "maxCount": "1"}, "to": {"type": "Element", "minCount": "0", "maxCount": "*"}, "relationshipType": {"type": "RelationshipType", "minCount": "1", "maxCount": "1"}, "completeness": {"type": "RelationshipCompleteness", "minCount": "0", "maxCount": "1"}, "startTime": {"type": "DateTime", "minCount": "0", "maxCount": "1"}, "endTime": {"type": "DateTime", "minCount": "0", "maxCount": "1"}}}, "Element": {"summary": "Base domain class from which all other SPDX-3.0 domain classes derive.", "description": "An Element is a representation of a fundamental concept either directly inherent\nto the Bill of Materials (BOM) domain or indirectly related to the BOM domain\nand necessary for contextually characterizing BOM concepts and relationships.\nWithin SPDX-3.0 structure this is the base class acting as a consistent,\nunifying, and interoperable foundation for all explicit\nand inter-relatable content objects.", "metadata": {"name": "Element", "SubclassOf": "none", "Instantiability": "Abstract", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/Element"}, "properties": {"spdxId": {"type": "xsd:anyURI", "minCount": "1", "maxCount": "1"}, "name": {"type": "xsd:string", "maxCount": "1", "minCount": "0"}, "summary": {"type": "xsd:string", "maxCount": "1", "minCount": "0"}, "description": {"type": "xsd:string", "maxCount": "1", "minCount": "0"}, "comment": {"type": "xsd:string", "maxCount": "1", "minCount": "0"}, "creationInfo": {"type": "CreationInfo", "minCount": "1", "maxCount": "1"}, "verifiedUsing": {"type": "IntegrityMethod", "minCount": "0", "maxCount": "*"}, "externalReference": {"type": "ExternalReference", "minCount": "0", "maxCount": "*"}, "externalIdentifier": {"type": "ExternalIdentifier", "minCount": "0", "maxCount": "*"}, "extension": {"type": "Extension", "minCount": "0", "maxCount": "*"}}}, "Agent": {"summary": "Agent represents anything with the potential to act on a system.", "description": "The Agent class represents anything that has the potential to act on a system. This could be a person, organization, software agent, etc. This is not to be confused with tools that are used to perform tasks.", "metadata": {"name": "Agent", "SubclassOf": "Element", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/Agent"}, "properties": {}}, "Hash": {"summary": "A mathematically calculated representation of a grouping of data.", "description": "A hash is a grouping of characteristics unique to the result\nof applying a mathematical algorithm\nthat maps data of arbitrary size to a bit string (the hash)\nand is a one-way function, that is,\na function which is practically infeasible to invert.\nThis is commonly used for integrity checking of data.", "metadata": {"name": "Hash", "SubclassOf": "IntegrityMethod", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/Hash"}, "properties": {"algorithm": {"type": "HashAlgorithm", "minCount": "1", "maxCount": "1"}, "hashValue": {"type": "xsd:string", "minCount": "1", "maxCount": "1"}}}, "DictionaryEntry": {"summary": "A key with an associated value.", "description": "The class used for implementing a generic string mapping (also known as associative array, dictionary, or hash map) in SPDX. Each DictionaryEntry contains a key-value pair which maps the key to its associated value. To implement a dictionary, this class is to be used in a collection with unique keys.", "metadata": {"name": "DictionaryEntry", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/DictionaryEntry"}, "properties": {"key": {"type": "xsd:string", "minCount": "1", "maxCount": "1"}, "value": {"type": "xsd:string", "maxCount": "1", "minCount": "0"}}}, "Person": {"summary": "An individual human being.", "description": "A Person is an individual human being.", "metadata": {"name": "Person", "SubclassOf": "Agent", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/Person"}, "properties": {}}, "Bundle": {"summary": "A collection of Elements that have a shared context.", "description": "A bundle is a collection of Elements that have a shared context.", "metadata": {"name": "Bundle", "SubclassOf": "ElementCollection", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/Bundle"}, "properties": {"context": {"type": "xsd:string", "maxCount": "1", "minCount": "0"}}}, "Artifact": {"summary": "A distinct article or unit within the digital domain.", "description": "An artifact is a distinct article or unit within the digital domain,\nsuch as an electronic file, a software package, a device or an element of data.", "metadata": {"name": "Artifact", "SubclassOf": "Element", "Instantiability": "Abstract", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/Artifact"}, "properties": {"originatedBy": {"type": "Agent", "minCount": "0", "maxCount": "*"}, "suppliedBy": {"type": "Agent", "minCount": "0", "maxCount": "*"}, "builtTime": {"type": "DateTime", "minCount": "0", "maxCount": "1"}, "releaseTime": {"type": "DateTime", "minCount": "0", "maxCount": "1"}, "validUntilTime": {"type": "DateTime", "minCount": "0", "maxCount": "1"}, "standard": {"type": "xsd:string", "minCount": "0", "maxCount": "*"}}}, "Annotation": {"summary": "An assertion made in relation to one or more elements.", "description": "An Annotation is an assertion made in relation to one or more elements.", "metadata": {"name": "Annotation", "SubclassOf": "Element", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/Annotation"}, "properties": {"annotationType": {"type": "AnnotationType", "minCount": "1", "maxCount": "1"}, "contentType": {"type": "MediaType", "minCount": "0", "maxCount": "*"}, "statement": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}, "subject": {"type": "Element", "minCount": "1", "maxCount": "1"}}}, "ExternalMap": {"summary": "A map of Element identifiers that are used within a Document but defined external to that Document.", "description": "An External Map is a map of Element identifiers that are used within a Document\nbut defined external to that Document.\nThe external map provides details about the externally-defined Element\nsuch as its provenance, where to retrieve it, and how to verify its integrity.", "metadata": {"name": "ExternalMap", "SubclassOf": "none", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/ExternalMap"}, "properties": {"externalId": {"type": "xsd:anyURI", "minCount": "1", "maxCount": "1"}, "verifiedUsing": {"type": "IntegrityMethod", "minCount": "0", "maxCount": "*"}, "locationHint": {"type": "xsd:anyURI", "maxCount": "1", "minCount": "0"}, "definingDocument": {"type": "xsd:anyURI", "maxCount": "1", "minCount": "0"}}}}, "properties": {"begin": {"summary": "Defines the beginning of a range.", "description": "begin is a positive integer that defines the beginning of a range.", "metadata": {"name": "begin", "Nature": "DataProperty", "Range": "xsd:positiveInteger", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/begin", "Domain": ["PositiveIntegerRange"]}}, "createdUsing": {"summary": "Identifies the tooling that was used during the creation of the Element.", "description": "CreatedUsing identifies the tooling that was used during the creation of the Element.\nThe generation method will assist the recipient of the Element in assessing\nthe general reliability/accuracy of the analysis information.", "metadata": {"name": "createdUsing", "Nature": "ObjectProperty", "Range": "Tool", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/createdUsing", "Domain": ["CreationInfo"]}}, "statement": {"summary": "Commentary on an assertion that an annotator has made.", "description": "A statement is a commentary on an assertion that an annotator has made.", "metadata": {"name": "statement", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/statement", "Domain": ["Annotation"]}}, "creationInfo": {"summary": "Provides information about the creation of the Element.", "description": "CreationInfo provides information about the creation of the Element.", "metadata": {"name": "creationInfo", "Nature": "ObjectProperty", "Range": "CreationInfo", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/creationInfo", "Domain": ["Element"]}}, "locationHint": {"summary": "Provides an indication of where to retrieve an external Element.", "description": "A locationHint provides an indication of where to retrieve an external Element.", "metadata": {"name": "locationHint", "Nature": "DataProperty", "Range": "xsd:anyURI", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/locationHint", "Domain": ["ExternalMap"]}}, "identifierLocator": {"summary": "TODO", "description": "A identifierLocator is TODO", "metadata": {"name": "identifierLocator", "Nature": "DataProperty", "Range": "xsd:anyURI", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/identifierLocator", "Domain": ["ExternalIdentifier"]}}, "subject": {"summary": "An Element an annotator has made an assertion about.", "description": "A subject is an Element an annotator has made an assertion about.", "metadata": {"name": "subject", "Nature": "ObjectProperty", "Range": "Element", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/subject", "Domain": ["Annotation"]}}, "validUntilTime": {"summary": "Specifies until when the artifact can be used before its usage needs to be reassessed.", "description": "A validUntilTime specifies until when the artifact can be used before its usage needs to be reassessed.", "metadata": {"name": "validUntilTime", "Nature": "DataProperty", "Range": "DateTime", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/validUntilTime", "Domain": ["Artifact"]}}, "definingDocument": {"summary": "URI for an SPDX document which defines an SPDX element.", "description": "A definingDocument property is used to link an Element identifier to an SpdxDocument which contains the definition for the Element.", "metadata": {"name": "definingDocument", "Nature": "DataProperty", "Range": "xsd:anyURI", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/definingDocument", "Domain": ["ExternalMap"]}}, "suppliedBy": {"summary": "Identifies who or what supplied the Artifact.", "description": "Identify the actual distribution source for the Artifact being referenced.\nThis might or might not be different from the originating distribution source for the artifact.", "metadata": {"name": "suppliedBy", "Nature": "ObjectProperty", "Range": "Agent", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/suppliedBy", "Domain": ["Artifact"]}}, "value": {"summary": "A value used in a generic key-value pair.", "description": "A value used in a generic key-value pair.\nA key-value pair can be used to implement a dictionary which associates a key with a value.", "metadata": {"name": "value", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/value", "Domain": ["DictionaryEntry"]}}, "to": {"summary": "References an Element on the right-hand side of a relationship.", "description": "This field references an Element on the right-hand side of a relationship.", "metadata": {"name": "to", "Nature": "ObjectProperty", "Range": "Element", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/to", "Domain": ["Relationship"]}}, "extension": {"summary": "TODO", "description": "TODO", "metadata": {"name": "extension", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/extension", "Domain": ["Element"]}}, "externalId": {"summary": "Identifies an external Element used within a Document but defined external to that Document.", "description": "ExternalId identifies an external Element used within a Document but defined external to that Document.", "metadata": {"name": "externalId", "Nature": "DataProperty", "Range": "xsd:anyURI", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/externalId", "Domain": ["ExternalMap"]}}, "externalReference": {"summary": "Points to a resource outside the scope of the SPDX-3.0 content\nthat provides additional characteristics of an Element.", "description": "This field points to a resource outside the scope of the SPDX-3.0 content\nthat provides additional characteristics of an Element.", "metadata": {"name": "externalReference", "Nature": "ObjectProperty", "Range": "ExternalReference", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/externalReference", "Domain": ["Element"]}}, "from": {"summary": "References the Element on the left-hand side of a relationship.", "description": "This field references the Element on the left-hand side of a relationship.", "metadata": {"name": "from", "Nature": "ObjectProperty", "Range": "Element", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/from", "Domain": ["Relationship"]}}, "created": {"summary": "Identifies when the Element was originally created.", "description": "Created is a date that identifies when the Element was originally created.\nThe time stamp can serve as an indication as to whether the analysis needs to be updated. This is often the date of last change (e.g., a git commit date), not the date when the SPDX data was created, as doing so supports reproducible builds.", "metadata": {"name": "created", "Nature": "DataProperty", "Range": "DateTime", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/created", "Domain": ["CreationInfo"]}}, "releaseTime": {"summary": "Specifies the time an artifact was released.", "description": "A releaseTime specifies the time an artifact was released.", "metadata": {"name": "releaseTime", "Nature": "DataProperty", "Range": "DateTime", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/releaseTime", "Domain": ["Artifact"]}}, "startTime": {"summary": "Specifies the time from which an element is applicable / valid.", "description": "A startTime specifies the time from which element is applicable / valid.", "metadata": {"name": "startTime", "Nature": "DataProperty", "Range": "DateTime", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/startTime", "Domain": ["Relationship"]}}, "rootElement": {"summary": "Top level Element from which all other Elements are reached via relationships.", "description": "A rootElement of a collection is the top level Element from which all other Elements are reached via relationships.", "metadata": {"name": "rootElement", "Nature": "ObjectProperty", "Range": "Element", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/rootElement", "Domain": ["ElementCollection"]}}, "prefix": {"summary": "A substitute for a URI.", "description": "A prefix is a substitute for a URI.", "metadata": {"name": "prefix", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/prefix"}}, "externalIdentifierType": {"summary": "Specifies the type of the external identifier.", "description": "An externalIdentifierType specifies the type of the external identifier.", "metadata": {"name": "externalIdentifierType", "Nature": "ObjectProperty", "Range": "ExternalIdentifierType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/externalIdentifierType", "Domain": ["ExternalIdentifier"]}}, "contentType": {"summary": "Specifies the media type of an Element.", "description": "ContentType specifies the media type of an Element.", "metadata": {"name": "contentType", "Nature": "DataProperty", "Range": "MediaType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/contentType", "Domain": ["ExternalReference", "Annotation"]}}, "element": {"summary": "Refers to one or more Elements that are part of an ElementCollection.", "description": "This field refers to one or more Elements that are part of an ElementCollection.", "metadata": {"name": "element", "Nature": "ObjectProperty", "Range": "Element", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/element", "Domain": ["ElementCollection"]}}, "relationshipType": {"summary": "Information about the relationship between two Elements.", "description": "This field provides information about the relationship between two Elements.\nFor example, you can represent a relationship between two different Files,\nbetween a Package and a File, between two Packages, or between one SPDXDocument and another SPDXDocument.", "metadata": {"name": "relationshipType", "Nature": "ObjectProperty", "Range": "RelationshipType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/relationshipType", "Domain": ["Relationship"]}}, "specVersion": {"summary": "Provides a reference number that can be used to understand how to parse and interpret an Element.", "description": "The specVersion provides a reference number that can be used to understand how to parse and interpret an Element.\nIt will enable both future changes to the specification and to support backward compatibility.\nThe major version number shall be incremented when incompatible changes between versions are made\n(one or more sections are created, modified or deleted).\nThe minor version number shall be incremented when backwards compatible changes are made.\n\nHere, parties exchanging information in accordance with the SPDX specification need to provide \n100% transparency as to which SPDX specification version such information is conforming to.", "metadata": {"name": "specVersion", "Nature": "DataProperty", "Range": "SemVer", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/specVersion", "Domain": ["CreationInfo"]}}, "originatedBy": {"summary": "Identifies from where or whom the Element originally came.", "description": "OriginatedBy identifies from where or whom the Element originally came.", "metadata": {"name": "originatedBy", "Nature": "ObjectProperty", "Range": "Agent", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/originatedBy", "Domain": ["Artifact"]}}, "verifiedUsing": {"summary": "Provides an IntegrityMethod with which the integrity of an Element can be asserted.", "description": "VerifiedUsing provides an IntegrityMethod with which the integrity of an Element can be asserted.", "metadata": {"name": "verifiedUsing", "Nature": "ObjectProperty", "Range": "IntegrityMethod", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/verifiedUsing", "Domain": ["Element", "ExternalMap"]}}, "dataLicense": {"summary": "Provides the license under which the SPDX documentation of the Element can be used.", "description": "The data license provides the license under which the SPDX documentation of the Element can be used.\nThis is to alleviate any concern that content (the data or database) in an SPDX file\nis subject to any form of intellectual property right that could restrict the re-use\nof the information or the creation of another SPDX file for the same project(s).\nThis approach avoids intellectual property and related restrictions over the SPDX file,\nhowever individuals can still contract with each other to restrict release\nof specific collections of SPDX files (which map to software bill of materials)\nand the identification of the supplier of SPDX files.\nCompliance with this document includes populating the SPDX fields therein\nwith data related to such fields (\"SPDX-Metadata\"). \nThis document contains numerous fields where an SPDX file creator may provide\nrelevant explanatory text in SPDX-Metadata. Without opining on the lawfulness\nof \"database rights\" (in jurisdictions where applicable),\nsuch explanatory text is copyrightable subject matter in most Berne Convention countries.\nBy using the SPDX specification, or any portion hereof,\nyou hereby agree that any copyright rights (as determined by your jurisdiction)\nin any SPDX-Metadata, including without limitation explanatory text,\nshall be subject to the terms of the Creative Commons CC0 1.0 Universal license. \nFor SPDX-Metadata not containing any copyright rights, \nyou hereby agree and acknowledge that the SPDX-Metadata is provided to you \u201cas-is\u201d\nand without any representations or warranties of any kind concerning the SPDX-Metadata,\nexpress, implied, statutory or otherwise, including without limitation warranties\nof title, merchantability, fitness for a particular purpose, non-infringement,\nor the absence of latent or other defects, accuracy, or the presence or absence of errors,\nwhether or not discoverable, all to the greatest extent permissible under applicable law.", "metadata": {"name": "dataLicense", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/dataLicense", "Domain": ["CreationInfo"]}}, "algorithm": {"summary": "Specifies the algorithm used for calculating the hash value.", "description": "An algorithm specifies the algorithm that was used for calculating the hash value.", "metadata": {"name": "algorithm", "Nature": "ObjectProperty", "Range": "HashAlgorithm", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/algorithm", "Domain": ["Hash"]}}, "summary": {"summary": "A short description of an Element.", "description": "A summary is a short description of an Element. Here, the intent is to allow the Element creator to \nprovide concise information about the function or use of the Element.", "metadata": {"name": "summary", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/summary", "Domain": ["Element"]}}, "end": {"summary": "Defines the end of a range.", "description": "end is a positive integer that defines the end of a range.", "metadata": {"name": "end", "Nature": "DataProperty", "Range": "xsd:positiveInteger", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/end", "Domain": ["PositiveIntegerRange"]}}, "hashValue": {"summary": "The result of applying a hash algorithm to an Element.", "description": "HashValue is the result of applying a hash algorithm to an Element.", "metadata": {"name": "hashValue", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/hashValue", "Domain": ["Hash"]}}, "externalIdentifier": {"summary": "Provides a reference to a resource outside the scope of SPDX-3.0 content\nthat uniquely identifies an Element.", "description": "ExternalIdentifier points to a resource outside the scope of SPDX-3.0 content\nthat uniquely identifies an Element.", "metadata": {"name": "externalIdentifier", "Nature": "ObjectProperty", "Range": "ExternalIdentifier", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/externalIdentifier", "Domain": ["Element"]}}, "spdxId": {"summary": "Identifies an Element to be referenced by other Elements.", "description": "SpdxId uniquely identifies an Element which may thereby be referenced by other Elements.\nThese references may be internal or external.\nWhile there may be several versions of the same Element, each one needs to be able to be referred to uniquely\nso that relationships between Elements can be clearly articulated.", "metadata": {"name": "spdxId", "Nature": "DataProperty", "Range": "xsd:anyURI", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/spdxId", "Domain": ["Element"]}}, "description": {"summary": "Provides a detailed description of the Element.", "description": "This field is a detailed description of the Element. It may also be extracted from the Element itself.\nThe intent is to provide recipients of the SPDX file with a detailed technical explanation\nof the functionality, anticipated use, and anticipated implementation of the Element.\nThis field may also include a description of improvements over prior versions of the Element.", "metadata": {"name": "description", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/description", "Domain": ["Element"]}}, "locator": {"summary": "Provides the location of an external reference.", "description": "A locator provides the location of an external reference.", "metadata": {"name": "locator", "Nature": "DataProperty", "Range": "xsd:anyURI", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/locator", "Domain": ["ExternalReference"]}}, "annotationType": {"summary": "Describes the type of annotation.", "description": "An annotationType describes the type of an annotation.", "metadata": {"name": "annotationType", "Nature": "ObjectProperty", "Range": "AnnotationType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/annotationType", "Domain": ["Annotation"]}}, "issuingAuthority": {"summary": "TODO", "description": "A issuingAuthority is TODO", "metadata": {"name": "issuingAuthority", "Nature": "DataProperty", "Range": "xsd:anyURI", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/issuingAuthority", "Domain": ["ExternalIdentifier"]}}, "builtTime": {"summary": "Specifies the time an artifact was built.", "description": "A builtTime specifies the time an artifact was built.", "metadata": {"name": "builtTime", "Nature": "DataProperty", "Range": "DateTime", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/builtTime", "Domain": ["Artifact"]}}, "profile": {"summary": "Provides information about which profiles the Element belongs to.", "description": "This field provides information about which profiles the Element belongs to.", "metadata": {"name": "profile", "Nature": "ObjectProperty", "Range": "ProfileIdentifierType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/profile", "Domain": ["CreationInfo"]}}, "context": {"summary": "Gives information about the circumstances or unifying properties\nthat Elements of the bundle have been assembled under.", "description": "A context gives information about the circumstances or unifying properties\nthat Elements of the bundle have been assembled under.", "metadata": {"name": "context", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/context", "Domain": ["Bundle"]}}, "comment": {"summary": "Provide consumers with comments by the creator of the Element about the Element.", "description": "A comment is an optional field for creators of the Element to provide comments\nto the readers/reviewers of the document.", "metadata": {"name": "comment", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/comment", "Domain": ["ExternalReference", "ExternalIdentifier", "CreationInfo", "IntegrityMethod", "Element"]}}, "imports": {"summary": "Provides an ExternalMap of Element identifiers.", "description": "Imports provides an ExternalMap of Element identifiers that are used within a document\nbut defined external to that document.", "metadata": {"name": "imports", "Nature": "ObjectProperty", "Range": "ExternalMap", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/imports", "Domain": ["ElementCollection"]}}, "name": {"summary": "Identifies the name of an Element as designated by the creator.", "description": "This field identifies the name of an Element as designated by the creator. \nThe name of an Element is an important convention and easier to refer to than the URI.", "metadata": {"name": "name", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/name", "Domain": ["SpdxDocument", "Element"]}}, "standard": {"summary": "The relevant standards that may apply to an artifact.", "description": "Various standards may be relevant to useful to capture for specific artifacts.", "metadata": {"name": "standard", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/standard", "Domain": ["Artifact"]}}, "endTime": {"summary": "Specifies the time from which an element is no longer applicable / valid.", "description": "A endTime specifies the time from which element is no applicable / valid.", "metadata": {"name": "endTime", "Nature": "DataProperty", "Range": "DateTime", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/endTime", "Domain": ["Relationship"]}}, "scope": {"summary": "TODO", "description": "A scope is TODO", "metadata": {"name": "scope", "Nature": "ObjectProperty", "Range": "LifecycleScopeType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/scope", "Domain": ["LifecycleScopedRelationship"]}}, "key": {"summary": "A key used in a generic key-value pair.", "description": "A key used in generic a key-value pair.\nA key-value pair can be used to implement a dictionary which associates a key with a value.", "metadata": {"name": "key", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/key", "Domain": ["DictionaryEntry"]}}, "identifier": {"summary": "Uniquely identifies an external element.", "description": "An identifier uniquely identifies an external element.", "metadata": {"name": "identifier", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/identifier", "Domain": ["ExternalIdentifier"]}}, "completeness": {"summary": "Provides information about the completeness of relationships.", "description": "Completeness gives information about whether the provided relationships are\ncomplete, known to be incomplete or if no assertion is made either way.", "metadata": {"name": "completeness", "Nature": "ObjectProperty", "Range": "RelationshipCompleteness", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/completeness", "Domain": ["Relationship"]}}, "externalReferenceType": {"summary": "Specifies the type of the external reference.", "description": "An externalReferenceType specifies the type of the external reference.", "metadata": {"name": "externalReferenceType", "Nature": "ObjectProperty", "Range": "ExternalReferenceType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/externalReferenceType", "Domain": ["ExternalReference"]}}, "createdBy": {"summary": "Identifies who or what created the Element.", "description": "CreatedBy identifies who or what created the Element.\nThe generation method will assist the recipient of the Element in assessing\nthe general reliability/accuracy of the analysis information.", "metadata": {"name": "createdBy", "Nature": "ObjectProperty", "Range": "Agent", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/createdBy", "Domain": ["CreationInfo"]}}}, "vocabs": {"RelationshipCompleteness": {"summary": "Indicates whether a relationship is complete or known to be incomplete or if there\nis made no assertion either way.", "description": "RelationshipCompleteness indicates whether a relationship is complete or \nknown to be incomplete or if there is made no assertion either way.", "metadata": {"name": "RelationshipCompleteness", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/RelationshipCompleteness"}, "entries": {"incomplete": "The relationship is known not to be exhaustive.", "complete": "The relationship is known to be exhaustive.", "noAssertion": "There can be made no assertion about the completeness of the relationship."}}, "ProfileIdentifierType": {"summary": "Enumeration of the valid profiles that an element can be specified to be part of.", "description": "There are a set of profiles that have been defined to be valid for a specific release This file enumerates the values that have been agreed on, and may be applied to the creation information for an an element.", "metadata": {"name": "ProfileIdentifierType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/ProfileIdentifierType"}, "entries": {"core": "the element follows the Core profile specification", "software": "the element follows the Software profile specification", "licensing": "the element follows the Licensing profile specification", "security": "the element follows the Security profile specification", "build": "the element follows the Build profile specification", "ai": "the element follows the AI profile specification", "dataset": "the element follows the Dataset profile specification", "usage": "the element follows the Usage profile specification", "extension": "the element follows the Extension profile specification"}}, "ExternalIdentifierType": {"summary": "Specifies the type of an external identifier.", "description": "ExteralIdentifierType specifies the type of an external identifier.", "metadata": {"name": "ExternalIdentifierType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/ExternalIdentifierType"}, "entries": {"cpe22": "https://cpe.mitre.org/files/cpe-specification_2.2.pdf", "cpe23": "https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7695.pdf", "cve": "An identifier for a specific software flaw defined within the official CVE Dictionary and that conforms to the CVE specification as defined by https://csrc.nist.gov/glossary/term/cve_id.", "email": "https://datatracker.ietf.org/doc/html/rfc3696#section-3", "gitoid": "https://www.iana.org/assignments/uri-schemes/prov/gitoid Gitoid stands for [Git Object ID](https://git-scm.com/book/en/v2/Git-Internals-Git-Objects) and a gitoid of type blob is a unique hash of a binary artifact. A gitoid may represent the software [Artifact ID](https://github.com/omnibor/spec/blob/main/spec/SPEC.md#artifact-id) or the [OmniBOR Identifier](https://github.com/omnibor/spec/blob/main/spec/SPEC.md#omnibor-identifier) for the software artifact's associated [OmniBOR Document](https://github.com/omnibor/spec/blob/main/spec/SPEC.md#omnibor-document); this ambiguity exists because the OmniBOR Document is itself an artifact, and the gitoid of that artifact is its valid identifier. Omnibor is a minimalistic schema to describe software [Artifact Dependency Graphs](https://github.com/omnibor/spec/blob/main/spec/SPEC.md#artifact-dependency-graph-adg). Gitoids calculated on software artifacts (Snippet, File, or Package Elements) should be recorded in the SPDX 3.0 SoftwareArtifact's ContentIdentifier property. Gitoids calculated on the OmniBOR Document (OmniBOR Identifiers) should be recorded in the SPDX 3.0 Element's ExternalIdentifier property.", "other": "Used when the type doesn't match any of the other options.", "pkgUrl": "https://github.com/package-url/purl-spec", "securityOther": "Used when there is a security related identifier of unspecified type.", "swhid": "https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html", "swid": "https://www.ietf.org/archive/id/draft-ietf-sacm-coswid-21.html#section-2.3", "urlScheme": "the scheme used in order to locate a resource https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml"}}, "ExternalReferenceType": {"summary": "Specifies the type of an external reference.", "description": "ExteralReferenceType specifies the type of an external reference.", "metadata": {"name": "ExternalReferenceType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/ExternalReferenceType"}, "entries": {"altDownloadLocation": "A reference to an alternative download location.", "altWebPage": "A reference to an alternative web page.", "binaryArtifact": "A reference to binary artifacts related to a package.", "buildMeta": "A reference build metadata related to a published package.", "buildSystem": "A reference build system used to create or publish the package.", "chat": "A reference to the instant messaging system used by the maintainer for a package.", "certificationReport": "A reference to a certification report for a package from an accredited/independent body.", "componentAnalysisReport": "A reference to a Software Composition Analysis (SCA) report.", "documentation": "A reference to the documentation for a package.", "dynamicAnalysisReport": "A reference to a dynamic analysis report for a package.", "eolNotice": "A reference to the End Of Sale (EOS) and/or End Of Life (EOL) information related to a package.", "exportControlAssessment": "A reference to a export control assessment for a package.", "funding": "A reference to funding information related to a package.", "issueTracker": "A reference to the issue tracker for a package.", "mailingList": "A reference to the mailing list used by the maintainer for a package.", "metrics": "A reference to metrics related to package such as OpenSSF scorecards.", "license": "A reference to additional license information related to an artifact.", "other": "Used when the type doesn't match any of the other options.", "privacyAssessment": "A reference to a privacy assessment for a package.", "productMetadata": "A reference to additional product metadata such as reference within organization's product catalog.", "purchaseOrder": "A reference to a purchase order for a package.", "releaseNotes": "A reference to the release notes for a package.", "releaseHistory": "A reference to a published list of releases for a package.", "riskAssessment": "A reference to a risk assessment for a package.", "runtimeAnalysisReport": "A reference to a runtime analysis report for a package.", "secureSoftwareAttestation": "A reference to information assuring that the software is developed using security practices as defined by [NIST SP 800-218 Secure Software Development Framework (SSDF)](https://csrc.nist.gov/publications/detail/sp/800-218/final) or [CISA Secure Software Development Attestation Form](https://www.cisa.gov/sites/default/files/2023-04/secure-software-self-attestation_common-form_508.pdf).", "securityAdvisory": "A reference to a published security advisory (where advisory as defined per ISO 29147:2018) that may affect one or more elements, e.g., vendor advisories or specific NVD entries.", "securityAdversaryModel": "A reference to the security adversary model for a package.", "securityFix": "A reference to the patch or source code that fixes a vulnerability.", "securityOther": "A reference to related security information of unspecified type.", "securityPenTestReport": "A reference to a [penetration test](https://en.wikipedia.org/wiki/Penetration_test) report for a package.", "securityPolicy": "A reference to instructions for reporting newly discovered security vulnerabilities for a package.", "securityThreatModel": "A reference the [security threat model](https://en.wikipedia.org/wiki/Threat_model) for a package.", "socialMedia": "A reference to a social media channel for a package.", "sourceArtifact": "A reference to an artifact containing the sources for a package.", "staticAnalysisReport": "A reference to a static analysis report for a package.", "support": "A reference to the software support channel or other support information for a package.", "vcs": "A reference to a version control system related to a software artifact.", "vulnerabilityDisclosureReport": "A reference to a Vulnerability Disclosure Report (VDR) which provides the software supplier's analysis and findings describing the impact (or lack of impact) that reported vulnerabilities have on packages or products in the supplier's SBOM as defined in [NIST SP 800-161](https://csrc.nist.gov/publications/detail/sp/800-161/rev-1/final).", "vulnerabilityExploitabilityAssessment": "A reference to a Vulnerability Exploitability eXchange (VEX) statement which provides information on whether a product is impacted by a specific vulnerability in an included package and, if affected, whether there are actions recommended to remediate. See also [NTIA VEX one-page](https://ntia.gov/files/ntia/publications/vex_one-page_summary.pdf)..", "qualityAssessmentReport": "A reference to a quality assessment for a package."}}, "LifecycleScopeType": {"summary": "TODO", "description": "TODO", "metadata": {"name": "LifecycleScopeType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/LifecycleScopeType"}, "entries": {"design": "TODOdescription", "build": "TODOdescription", "development": "TODOdescription", "test": "TODOdescription", "runtime": "TODOdescription", "other": "TODOdescription"}}, "AnnotationType": {"summary": "Specifies the type of an annotation.", "description": "AnnotationType specifies the type of an annotation.", "metadata": {"name": "AnnotationType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/AnnotationType"}, "entries": {"other": "Used to store extra information about an Element which is not part of a Review (e.g. extra information provided during the creation of the Element).", "review": "Used when someone reviews the Element."}}, "HashAlgorithm": {"summary": "A mathematical algorithm that maps data of arbitrary size to a bit string.", "description": "A HashAlgorithm is a mathematical algorithm that maps data of arbitrary size to a bit string (the hash)\nand is a one-way function, that is, a function which is practically infeasible to invert.", "metadata": {"name": "HashAlgorithm", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/HashAlgorithm"}, "entries": {"blake2b256": "blake2b algorithm with a digest size of 256 https://datatracker.ietf.org/doc/html/rfc7693#section-4", "blake2b384": "blake2b algorithm with a digest size of 384 https://datatracker.ietf.org/doc/html/rfc7693#section-4", "blake2b512": "blake2b algorithm with a digest size of 512 https://datatracker.ietf.org/doc/html/rfc7693#section-4", "blake3": "https://github.com/BLAKE3-team/BLAKE3-specs/blob/master/blake3.pdf", "crystalsKyber": "https://pq-crystals.org/kyber/index.shtml", "crystalsDilithium": "https://pq-crystals.org/dilithium/index.shtml", "falcon": "https://falcon-sign.info/falcon.pdf", "md2": "https://datatracker.ietf.org/doc/rfc1319/", "md4": "https://datatracker.ietf.org/doc/html/rfc1186", "md5": "https://datatracker.ietf.org/doc/html/rfc1321", "md6": "https://people.csail.mit.edu/rivest/pubs/RABCx08.pdf", "other": "any hashing algorithm that does not exist in this list of entries", "sha1": "https://datatracker.ietf.org/doc/html/rfc3174", "sha224": "secure hashing algorithm with a digest length of 224 https://datatracker.ietf.org/doc/html/draft-ietf-pkix-sha224-01", "sha256": "secure hashing algorithm with a digest length of 256 https://www.rfc-editor.org/rfc/rfc4634", "sha3_224": "sha3 with a digest length of 224 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf", "sha3_256": "sha3 with a digest length of 256 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf", "sha3_384": "sha3 with a digest length of 384 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf", "sha3_512": "sha3 with a digest length of 512 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf", "sha384": "secure hashing algorithm with a digest length of 384 https://www.rfc-editor.org/rfc/rfc4634", "sha512": "secure hashing algorithm with a digest length of 512 https://www.rfc-editor.org/rfc/rfc4634", "spdxPvcSha1": "TODOdescription", "spdxPvcSha256": "TODOdescription", "sphincsPlus": "TODOdescription"}}, "RelationshipType": {"summary": "Information about the relationship between two Elements.", "description": "Provides information about the relationship between two Elements.\nFor example, you can represent a relationship between two different Files,\nbetween a Package and a File, between two Packages, or between one SPDXDocument and another SPDXDocument.", "metadata": {"name": "RelationshipType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/RelationshipType"}, "entries": {"affects": "(Security/VEX) Designates one or more elements as affected by a vulnerability", "amends": "Every `to` Element amends the `from` Element", "ancestor": "Every `to` Element is an ancestor of the `from` Element", "availableFrom": "This relationship is used to identify additional suppliers where an artifact is available from.", "buildDependency": "Every `to` Element is a build dependency of the `from` Element", "buildTool": "Build tool used to build an Element. This may be used to describe the build tool of a Build instance", "coordinatedBy": "(Security) Used to identify the vendor, researcher, or consumer agent performing coordination for a vulnerability", "contains": "Every `to` Element is contained by the `from` Element", "configOf": "(Build) Configuration information applied to an Element instance during a LifeycleScopeType period. Example: Build configuration of the build instance", "copy": "Every `to` Element is a copy of the `from` Element", "dataFile": "Every `to` Element is a data file related to the the `from` Element", "dependencyManifest": "Every `to` Element is manifest file containing dependency information related to the `from` Element", "dependsOn": "Every `to` Element is a dependecy of the `from` Element", "descendant": "This relationship may be used to describe child builds of a Build instance.", "describes": "Every `to` Element is described by the `from` Element. This can be used to denote the root(s) of a tree of elements contained in an SBOM.", "devDependency": "Every `to` Element is a development dependency for the `from` Element", "devTool": "Every `to` Element is a development tool for the `from` Element", "distributionArtifact": "Every `to` Element is an artifact intended for distribution of the `from` Element (e.g. an RPM or archive file)", "documentation": "Every `to` Element is documentation for the `from` Element", "doesNotAffect": "(Security/VEX) Specifies a vulnerability has no impact on one or more elements", "dynamicLink": "Every `to` Element is dynamically linked to the `from` Element", "example": "Every `to` Element is an example for the `from` Element", "evidenceFor": "(Dataset) Every `to` Element is can be considered as evidence for the `from` Element", "expandedFromArchive": "Every `to` Element is an artifact expanded from the `from` archive file", "exploitCreatedBy": "(Security) Designates an agent has created an exploit against a vulnerability", "fileAdded": "Every `to` Element is is a file added to the `from` Element", "fileDeleted": "Every `to` Element is a file deleted from the `from` Element", "fileModified": "Every `to` Element is a modification of the `from` Element", "fixedBy": "(Security) Designates a vulnerability has been fixed by an agent", "fixedIn": "(Security/VEX) A vulnerability has been fixed in one or more elements", "foundBy": "(Security) Designates an agent was the original discoverer of a security vulnerability", "generates": "Every `to` Element is generated from the `from` Element", "hasAssessmentFor": "(Security) Relates a Vulnerability and an Element with a security assessment.", "hasAssociatedVulnerability": "(Security) Used to associate a security vulnerability with a software artifact", "hostOf": "(Build) The`from` Element in which every instance of the `to` Element during a LifecycleScopeType period runs on. Example: host that the build runs on for an element.", "inputOf": "(Build) Input to the Element instance during a LifecycleScopeType period. Example: input to the build instance for an element.", "invokedBy": "(Build) Every`to` Agent that invoked a `from` Element instance during a LifecycleScopeType period. Example: Agent that invoked the build for an element", "metafile": "Every `to` Element is is a file containing metadata about the `from` Element", "onBehalfOf": "(Build) Every `to` Agent acting on behalf of another `from` Agent during a LifecycleScopeType period", "optionalComponent": "Every `to` Element is an optional component of the `from` Element", "optionalDependency": "Every `to` Element is an optional dependency of the `from` Element", "other": "Every `to` Element is related to the `from` Element where the relationship type is not described by any of the SPDX relationhip types", "outputOf": "(Build) `from` Element that is output `to` the Element instance during a LifecycleScopeType period. Example: output of the build instance", "packages": "Every `to` Element is a packaged form of the `from` Element", "patch": "Every `to` Element is a patch for the `from` Element", "prerequisite": "Every `to` Element is a prerequisite of the `from` Element", "providedDependency": "Every `to` Element is a dependency not included in the distributed artifact but is assumed to be provided the `from` Element", "publishedBy": "(Security) Designates the agent that made a vulnerability record available for public use or reference", "reportedBy": "(Security) Designates the agent that first reported a vulnerability to the project, vendor, or tracking database for formal identification", "republishedBy": "(Security) Designates the agent that tracked, aggregated, and/or enriched vulnerability details to improve context (i.e. NVD)", "requirementFor": "Every `to` Element is required for the `from` Element", "runtimeDependency": "Every `to` Element is a runtime dependency for the `from` Element", "specificationFor": "Every `to` Element is a specification for the `from` Element", "staticLink": "Every `to` Element is statically linked to the `from` Element", "test": "Every `to` Element is a test artifact for the `from` Element", "testCase": "Every `to` Element is a test case for the `from` Element", "testDependency": "Every `to` Element is a test dependency for the `from` Element", "testTool": "Every `to` Element is a test tool for the `from` Element", "testedOn": "(AI, Dataset) The `from` Element has been tested on the `to` Element", "trainedOn": "(AI, Dataset) The `from` Element has been trained by the `to` Element(s)", "underInvestigationFor": "(Security/VEX) The impact of a vulnerability is being investigated", "variant": "Every `to` Element is a variant the `from` Element"}}}}, "Dataset": {"name": "Dataset", "classes": {"Dataset": {"summary": "Provides information about the fields in the Dataset profile.", "description": "Metadata information that can be added to a dataset that may be used in a software or to train/test an AI package.\nExternal property restriction on /Core/Artifact/originatedBy: minCount: 1\nExternal property restriction on /Software/Package/downloadLocation: minCount: 1\nExternal property restriction on /Software/SoftwareArtifact/primaryPurpose: minCount: 1\nExternal property restriction on /Core/Artifact/releaseTime: minCount: 1\nExternal property restriction on /Core/Artifact/builtTime: minCount: 1", "metadata": {"name": "Dataset", "SubclassOf": "/Software/Package", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Dataset/Dataset"}, "properties": {"datasetType": {"type": "DatasetType", "minCount": "1", "maxCount": "*"}, "dataCollectionProcess": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}, "intendedUse": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}, "datasetSize": {"type": "xsd:nonNegativeInteger", "minCount": "0", "maxCount": "1"}, "datasetNoise": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}, "dataPreprocessing": {"type": "xsd:string", "minCount": "0", "maxCount": "*"}, "sensor": {"type": "/Core/DictionaryEntry", "minCount": "0", "maxCount": "*"}, "knownBias": {"type": "xsd:string", "minCount": "0", "maxCount": "*"}, "sensitivePersonalInformation": {"type": "PresenceType", "minCount": "0", "maxCount": "1"}, "anonymizationMethodUsed": {"type": "xsd:string", "minCount": "0", "maxCount": "*"}, "confidentialityLevel": {"type": "ConfidentialityLevelType", "minCount": "0", "maxCount": "1"}, "datasetUpdateMechanism": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}, "datasetAvailability": {"type": "DatasetAvailabilityType", "minCount": "0", "maxCount": "1"}}}}, "properties": {"knownBias": {"summary": "Records the biases that the dataset is known to encompass.", "description": "KnownBias is a free form text field that describes the different biases that the dataset encompasses.", "metadata": {"name": "knownBias", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Dataset/knownBias", "Domain": ["Dataset"]}}, "dataPreprocessing": {"summary": "Describes the preprocessing steps that were applied to the raw data to create the given dataset.", "description": "DataPreprocessing describes the various preprocessing steps\nthat were applied to the raw data to create the dataset.", "metadata": {"name": "dataPreprocessing", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Dataset/dataPreprocessing", "Domain": ["Dataset"]}}, "datasetNoise": {"summary": "Describes potentially noisy elements of the dataset.", "description": "DatasetNoise describes what kinds of noises a dataset might encompass.\nThe field uses free form text to specify the fields or the samples that might be noisy.\nAlternatively, it can also be used to describe various noises that could impact the whole dataset.", "metadata": {"name": "datasetNoise", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Dataset/datasetNoise", "Domain": ["Dataset"]}}, "datasetUpdateMechanism": {"summary": "Describes a mechanism to update the dataset.", "description": "DatasetUpdateMechanism describes a mechanism to update the dataset.", "metadata": {"name": "datasetUpdateMechanism", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Dataset/datasetUpdateMechanism", "Domain": ["Dataset"]}}, "datasetSize": {"summary": "Captures the size of the dataset.", "description": "DatasetSize Captures how large a dataset is.\nThe size is to be measured in bytes.", "metadata": {"name": "datasetSize", "Nature": "DataProperty", "Range": "xsd:nonNegativeInteger", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Dataset/datasetSize", "Domain": ["Dataset"]}}, "sensitivePersonalInformation": {"summary": "Describes if any sensitive personal information is present in the dataset.", "description": "SensitivePersonalInformation indicates the presence of sensitive personal data\nor information that allows drawing conclusions about a person's identity.", "metadata": {"name": "sensitivePersonalInformation", "Nature": "ObjectProperty", "Range": "PresenceType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Dataset/sensitivePersonalInformation", "Domain": ["Dataset"]}}, "confidentialityLevel": {"summary": "Describes the confidentiality level of the data points contained in the dataset.", "description": "ConfidentialityLevel describes the levels of confidentiality of the data points contained in the dataset.", "metadata": {"name": "confidentialityLevel", "Nature": "ObjectProperty", "Range": "ConfidentialityLevelType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Dataset/confidentialityLevel", "Domain": ["Dataset"]}}, "dataCollectionProcess": {"summary": "Describes how the dataset was collected.", "description": "DataCollectionProcess describes how a dataset was collected.\nExamples include the sources from which a dataset was scrapped or\nthe interview protocol that was used for data collection.", "metadata": {"name": "dataCollectionProcess", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Dataset/dataCollectionProcess", "Domain": ["Dataset"]}}, "anonymizationMethodUsed": {"summary": "Describes the anonymization methods used.", "description": "AnonymizationMethodUsed describes the methods used to anonymize the dataset (of fields in the dataset).", "metadata": {"name": "anonymizationMethodUsed", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Dataset/anonymizationMethodUsed", "Domain": ["Dataset"]}}, "datasetAvailability": {"summary": "The field describes the availability of a dataset.", "description": "Some datasets are publicly available and can be downloaded directly. Others are only accessible behind a clickthrough, or after filling a registration form. This field will describe the dataset availability from that perspective.", "metadata": {"name": "datasetAvailability", "Nature": "DataProperty", "Range": "DatasetAvailabilityType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Dataset/datasetAvailability", "Domain": ["Dataset"]}}, "intendedUse": {"summary": "Describes what the given dataset should be used for.", "description": "IntendedUse describes what the given dataset should be used for.\nSome datasets are collected to be used only for particular purposes. \nFor example, medical data collected from a specific demography might only be applicable\nfor training machine learning models to make predictions for that demography.\nIn such a case, the intendedUse field would capture this information.\nSimilarly, if a dataset is collected for building a facial recognition model,\nthe intendedUse field would specify that.", "metadata": {"name": "intendedUse", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Dataset/intendedUse", "Domain": ["Dataset"]}}, "sensor": {"summary": "Describes a sensor used for collecting the data.", "description": "Sensor describes a sensor that was used for collecting the data\nand its calibration value as a key-value pair.", "metadata": {"name": "sensors", "Nature": "ObjectProperty", "Range": "/Core/DictionaryEntry", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Dataset/sensor", "Domain": ["Dataset"]}}, "datasetType": {"summary": "Describes the type of the given dataset.", "description": "Type describes the datatype contained in the dataset. For example a dataset can be an image dataset for computer vision applications, a text dataset such as the contents of a book or Wikipedia article, or sometimes a multimodal dataset that contains multiple types of data.", "metadata": {"name": "datasetType", "Nature": "DataProperty", "Range": "DatasetType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Dataset/datasetType", "Domain": ["Dataset"]}}}, "vocabs": {"DatasetType": {"summary": "Enumeration of dataset types.", "description": "Describes the different structures of data within a given dataset. A dataset can have multiple types of data, or even a single type of data but still match multiple types, for example sensor data could also be timeseries or labeled image data could also be considered categorical.", "metadata": {"name": "DatasetType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Dataset/DatasetType"}, "entries": {"structured": "data is stored in tabular format or retrieved from a relational database.", "numeric": "data consists only of numeric entries.", "text": "data consists of unstructured text, such as a book, wikipedia article (without images), or transcript.", "categorical": "data that is classified into a discrete number of categories, such as the eye color of a population of people.", "graph": "data is in the form of a graph where entries are somehow related to each other through edges, such a social network of friends.", "timeseries": "data is recorded in an ordered sequence of timestamped entries, such as the price of a stock over the course of a day.", "timestamp": "data is recorded with a timestamp for each entry, but not necessarily ordered or at specific intervals, such as when a taxi ride starts and ends.", "sensor": "data is recorded from a physical sensor, such as a thermometer reading or biometric device.", "image": "data is a collection of images such as pictures of animals.", "syntactic": "data describes the syntax or semantics of a language or text, such as a parse tree used for natural language processing.", "audio": "data is audio based, such as a collection of music from the 80s.", "video": "data is video based, such as a collection of movie clips featuring Tom Hanks.", "other": "data is of a type not included in this list.", "noAssertion": "data type is not known."}}, "DatasetAvailabilityType": {"summary": "Availability of dataset", "description": "Describes the possible types of availability of a dataset, indicating whether the dataset can be directly downloaded, can be assembled using a script for scraping the data, is only available after a clickthrough or a registration form.", "metadata": {"name": "DatasetAvailabilityType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Dataset/DatasetAvailabilityType"}, "entries": {"Direct-Download": "the dataset is publicly available and can be downloaded directly.", "Scraping-Script": "the dataset provider is not making available the underlying data and the dataset must be reassembled, typically using the provided script for scraping the data.", "Query": "the dataset is publicly available, but not all at once, and can only be accessed through queries which return parts of the dataset.", "Clickthrough": "the dataset is not publicly available and can only be accessed after affirmatively accepting terms on a clickthrough webpage.", "Registration": "the dataset is not publicly available and an email registration is required before accessing the dataset, although without an affirmative acceptance of terms."}}, "ConfidentialityLevelType": {"summary": "Categories of confidentiality level.", "description": "Describes the different confidentiality levels as given by the [Traffic Light Protocol](https://en.wikipedia.org/wiki/Traffic_Light_Protocol).", "metadata": {"name": "ConfidentialityLevelType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Dataset/ConfidentialityLevelType"}, "entries": {"Red": "Data points in the dataset are highly confidential and can only be shared with named recipients.", "Amber": "Data points in the dataset can be shared only with specific organizations and their clients on a need to know basis.", "Green": "Dataset can be shared within a community of peers and partners.", "Clear": "Dataset may be distributed freely, without restriction."}}}}, "Licensing": {"name": "Licensing", "classes": {"ListedLicense": {"summary": "A license that is listed on the SPDX License List.", "description": "A ListedLicense represents a License that is listed on the SPDX License List\nat https://spdx.org/licenses.", "metadata": {"name": "ListedLicense", "SubclassOf": "License", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/ListedLicense"}, "properties": {"listVersionAdded": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}, "deprecatedVersion": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}}}, "WithAdditionOperator": {"summary": "Portion of an AnyLicenseInfo representing a License which has additional\ntext applied to it", "description": "A WithAdditionOperator indicates that the designated License is subject to the\ndesignated LicenseAddition, which might be a license exception on the SPDX\nExceptions List (ListedLicenseException) or may be other additional text\n(CustomLicenseAddition). It is represented in the SPDX License Expression\nSyntax by the `WITH` operator.", "metadata": {"name": "WithAdditionOperator", "SubclassOf": "AnyLicenseInfo", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/WithAdditionOperator"}, "properties": {"subjectLicense": {"type": "ExtendableLicense", "minCount": "1", "maxCount": "1"}, "subjectAddition": {"type": "LicenseAddition", "minCount": "1", "maxCount": "1"}}}, "License": {"summary": "Abstract class for the portion of an AnyLicenseInfo representing a license.", "description": "A License represents a license text, whether listed on the SPDX License List\n(ListedLicense) or defined by an SPDX data creator (CustomLicense).", "metadata": {"name": "License", "SubclassOf": "ExtendableLicense", "Instantiability": "Abstract", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/License"}, "properties": {"licenseText": {"type": "xsd:string", "minCount": "1", "maxCount": "1"}, "isOsiApproved": {"type": "xsd:boolean", "minCount": "0", "maxCount": "1"}, "isFsfLibre": {"type": "xsd:boolean", "minCount": "0", "maxCount": "1"}, "standardLicenseHeader": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}, "standardLicenseTemplate": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}, "isDeprecatedLicenseId": {"type": "xsd:boolean", "minCount": "0", "maxCount": "1"}, "obsoletedBy": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}}}, "CustomLicenseAddition": {"summary": "A license addition that is not listed on the SPDX Exceptions List.", "description": "A CustomLicenseAddition represents an addition to a License that is not listed\non the SPDX Exceptions List at https://spdx.org/licenses/exceptions-index.html,\nand is therefore defined by an SPDX data creator.\n\nIt is intended to represent additional language which is meant to be added to\na License, but which is not itself a standalone License.", "metadata": {"name": "CustomLicenseAddition", "SubclassOf": "LicenseAddition", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/CustomLicenseAddition"}, "properties": {}}, "LicenseAddition": {"summary": "Abstract class for additional text intended to be added to a License, but\nwhich is not itself a standalone License.", "description": "A LicenseAddition represents text which is intended to be added to a License\nas additional text, but which is not itself intended to be a standalone\nLicense.\n\nIt may be an exception which is listed on the SPDX Exceptions List\n(ListedLicenseException), or may be any other additional text (as an exception\nor otherwise) which is defined by an SPDX data creator (CustomLicenseAddition).", "metadata": {"name": "LicenseAddition", "SubclassOf": "/Core/Element", "Instantiability": "Abstract", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/LicenseAddition"}, "properties": {"additionText": {"type": "xsd:string", "minCount": "1", "maxCount": "1"}, "standardAdditionTemplate": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}, "isDeprecatedAdditionId": {"type": "xsd:boolean", "minCount": "0", "maxCount": "1"}, "obsoletedBy": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}}}, "OrLaterOperator": {"summary": "Portion of an AnyLicenseInfo representing this version, or any later version,\nof the indicated License.", "description": "An OrLaterOperator indicates that this portion of the AnyLicenseInfo\nrepresents either (1) the specified version of the corresponding License, or\n(2) any later version of that License. It is represented in the SPDX License\nExpression Syntax by the `+` operator.\n\nIt is context-dependent, and unspecified by SPDX, as to what constitutes a\n\"later version\" of any particular License. Some Licenses may not be versioned,\nor may not have clearly-defined ordering for versions. The consumer of SPDX\ndata will need to determine for themselves what meaning to attribute to a\n\"later version\" operator for a particular License.", "metadata": {"name": "OrLaterOperator", "SubclassOf": "ExtendableLicense", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/OrLaterOperator"}, "properties": {"subjectLicense": {"type": "License", "minCount": "1", "maxCount": "1"}}}, "CustomLicense": {"summary": "A license that is not listed on the SPDX License List.", "description": "A CustomLicense represents a License that is not listed on the SPDX License\nList at https://spdx.org/licenses, and is therefore defined by an SPDX data\ncreator.", "metadata": {"name": "CustomLicense", "SubclassOf": "License", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/CustomLicense"}, "properties": {}}, "LicenseExpression": {"summary": "An SPDX Element containing an SPDX license expression string.", "description": "Often a single license can be used to represent the licensing terms of a source code or binary file, but there are situations where a single license identifier is not sufficient. A common example is when software is offered under a choice of one or more licenses (e.g., GPL-2.0-only OR BSD-3-Clause). Another example is when a set of licenses is needed to represent a binary program constructed by compiling and linking two (or more) different source files each governed by different licenses (e.g., LGPL-2.1-only AND BSD-3-Clause).\n\nSPDX License Expressions provide a way for one to construct expressions that more accurately represent the licensing terms typically found in open source software source code. A license expression could be a single license identifier found on the SPDX License List; a user defined license reference denoted by the LicenseRef-idString; a license identifier combined with an SPDX exception; or some combination of license identifiers, license references and exceptions constructed using a small set of defined operators (e.g., AND, OR, WITH and +). We provide the definition of what constitutes a valid an SPDX License Expression in this section.", "metadata": {"name": "LicenseExpression", "SubclassOf": "AnyLicenseInfo", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/LicenseExpression"}, "properties": {"licenseExpression": {"type": "xsd:string", "minCount": "1", "maxCount": "1"}}}, "ListedLicenseException": {"summary": "A license exception that is listed on the SPDX Exceptions list.", "description": "A ListedLicenseException represents an exception to a License (in other words,\nan exception to a license condition or an additional permission beyond those\ngranted in a License) which is listed on the SPDX Exceptions List at\nhttps://spdx.org/licenses/exceptions-index.html.", "metadata": {"name": "ListedLicenseException", "SubclassOf": "LicenseAddition", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/ListedLicenseException"}, "properties": {"listVersionAdded": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}, "deprecatedVersion": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}}}, "AnyLicenseInfo": {"summary": "Abstract class representing a license combination consisting of one or more\nlicenses (optionally including additional text), which may be combined\naccording to the SPDX license expression syntax.", "description": "An AnyLicenseInfo is used by licensing properties of software artifacts.\nIt can be a NoneLicense, a NoAssertionLicense,\nsingle license (either on the SPDX License List or a custom-defined license);\na single license with an \"or later\" operator applied; the foregoing with\nadditional text applied; or a set of licenses combined by applying \"AND\" and\n\"OR\" operators recursively.", "metadata": {"name": "AnyLicenseInfo", "SubclassOf": "/Core/Element", "Instantiability": "Abstract", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/AnyLicenseInfo"}, "properties": {}}}, "properties": {"seeAlso": {"summary": "Contains a URL where the License or LicenseAddition can be found in use.", "description": "A seeAlso defines a cross-reference with a URL where the License or\nLicenseAddition can be found in use by one or a few projects.\n\nIf applicable, it should include a URL where the license text is posted by\nthe license steward, particularly if the license steward has made available a\n\"canonical\" primary URL for the license text.\n\nIf the license is OSI approved, a seeAlso should be included with the URL for\nthe license's listing on the OSI website.\n\nThe seeAlso URL may refer to a previously-available URL for the License or\nLicenseAddition which is no longer active.\n\nWhere applicable, the seeAlso URL should include the license text in its\nnative language. seeAlso URLs to English or other translations may be included\nwhere multiple, equivalent official translations exist.", "metadata": {"name": "seeAlso", "Nature": "DataProperty", "Range": "xsd:anyURI", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/seeAlso"}}, "standardLicenseHeader": {"summary": "Provides a License author's preferred text to indicate that a file is covered\nby the License.", "description": "A standardLicenseHeader contains the plain text of the License author's\npreferred wording to be used, typically in a source code file's header\ncomments or similar location, to indicate that the file is subject to\nthe specified License.", "metadata": {"name": "standardLicenseHeader", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/standardLicenseHeader", "Domain": ["License"]}}, "licenseName": {"summary": "Identifies the full name of a License.", "description": "A licenseName contains the full name of a License, preferably using the title found\nin the applicable license text or file, or as otherwise specified by the\nLicense's author or steward.\n\nWhen no such title is specified, using a name from another well-known source or list\nof licenses (such as OSI or Fedora) is suggested.\n\nIf no official or common name is known, any name may be used to aid in\ndistinguishing the License from other Licenses.", "metadata": {"name": "licenseName", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/licenseName"}}, "licenseText": {"summary": "Identifies the full text of a License.", "description": "A licenseText contains the plain text of the License, without templating\nor other similar markup.\n\nUsers of the licenseText for a License can apply the SPDX Matching Guidelines\nwhen comparing it to another text for matching purposes.", "metadata": {"name": "licenseText", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/licenseText", "Domain": ["License"]}}, "isDeprecatedLicenseId": {"summary": "Specifies whether a license or additional text identifier has been marked as\ndeprecated.", "description": "The isDeprecatedLicenseId property specifies whether an identifier for a\nLicense or LicenseAddition has been marked as deprecated. If the property\nis not defined, then it is presumed to be false (i.e., not deprecated).\n\nIf the License or LicenseAddition is included on the SPDX License List, then\nthe `deprecatedVersion` property indicates on which version release of the\nLicense List it was first marked as deprecated.\n\n\"Deprecated\" in this context refers to deprecating the use of the\n_identifier_, not the underlying license. In other words, even if a License's\nauthor or steward has stated that a particular License generally should not be\nused, that would _not_ mean that the License's identifier is \"deprecated.\"\nRather, a License or LicenseAddition operator is typically marked as\n\"deprecated\" when it is determined that use of another identifier is\npreferable.", "metadata": {"name": "isDeprecatedLicenseId", "Nature": "DataProperty", "Range": "xsd:boolean", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/isDeprecatedLicenseId", "Domain": ["License"]}}, "isDeprecatedAdditionId": {"summary": "Specifies whether an additional text identifier has been marked as deprecated.", "description": "The isDeprecatedAdditionId property specifies whether an identifier for a\nLicenseAddition has been marked as deprecated. If the property is not defined,\nthen it is presumed to be false (i.e., not deprecated).\n\nIf the LicenseAddition is included on the SPDX Exceptions List, then\nthe `deprecatedVersion` property indicates on which version release of the\nExceptions List it was first marked as deprecated.\n\n\"Deprecated\" in this context refers to deprecating the use of the\n_identifier_, not the underlying license addition. In other words, even if a\nLicenseAddition's author or steward has stated that a particular\nLicenseAddition generally should not be used, that would _not_ mean that the\nLicenseAddition's identifier is \"deprecated.\" Rather, a LicenseAddition\noperator is typically marked as \"deprecated\" when it is determined that use of\nanother identifier is preferable.", "metadata": {"name": "isDeprecatedAdditionId", "Nature": "DataProperty", "Range": "xsd:boolean", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/isDeprecatedAdditionId", "Domain": ["LicenseAddition"]}}, "additionText": {"summary": "Identifies the full text of a LicenseAddition.", "description": "An additionText contains the plain text of the LicenseAddition, without\ntemplating or other similar markup.\n\nUsers of the additionText for a License can apply the SPDX Matching Guidelines\nwhen comparing it to another text for matching purposes.", "metadata": {"name": "additionText", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/additionText", "Domain": ["LicenseAddition"]}}, "isFsfLibre": {"summary": "Specifies whether the License is listed as free by the\n[Free Software Foundation (FSF)](https://fsf.org).", "description": "isFsfLibre specifies whether the [Free Software Foundation FSF](https://fsf.org)\nhas listed this License as \"free\" in their commentary on licenses, located at\nthe time of this writing at https://www.gnu.org/licenses/license-list.en.html.\n\nA value of \"true\" indicates that the FSF has listed this License as _free_.\n\nA value of \"false\" indicates that the FSF has listed this License as _not free_.\n\nIf the isFsfLibre field is not specified, the SPDX data creator makes no\nassertions about whether the License is listed in the FSF's commentary.", "metadata": {"name": "isFsfLibre", "Nature": "DataProperty", "Range": "xsd:boolean", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/isFsfLibre", "Domain": ["License"]}}, "listVersionAdded": {"summary": "Specifies the SPDX License List version in which this ListedLicense or\nListedLicenseException identifier was first added.", "description": "A listVersionAdded for a ListedLicense or ListedLicenseException on the SPDX\nLicense List specifies which version release of the License List was the first\none in which it was included.", "metadata": {"name": "listVersionAdded", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/listVersionAdded", "Domain": ["ListedLicense", "ListedLicenseException"]}}, "licenseExpression": {"summary": "A string in the license expression format.", "description": "Often a single license can be used to represent the licensing terms of a source code or binary file, but there are situations where a single license identifier is not sufficient. A common example is when software is offered under a choice of one or more licenses (e.g., GPL-2.0-only OR BSD-3-Clause). Another example is when a set of licenses is needed to represent a binary program constructed by compiling and linking two (or more) different source files each governed by different licenses (e.g., LGPL-2.1-only AND BSD-3-Clause).\n\nSPDX License Expressions provide a way for one to construct expressions that more accurately represent the licensing terms typically found in open source software source code. A license expression could be a single license identifier found on the SPDX License List; a user defined license reference denoted by the LicenseRef-idString; a license identifier combined with an SPDX exception; or some combination of license identifiers, license references and exceptions constructed using a small set of defined operators (e.g., AND, OR, WITH and +). We provide the definition of what constitutes a valid an SPDX License Expression in this section.", "metadata": {"name": "licenseExpression", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/licenseExpression", "Domain": ["LicenseExpression"]}}, "obsoletedBy": {"summary": "Specifies the licenseId that is preferred to be used in place of a deprecated\nLicense or LicenseAddition.", "description": "An obsoletedBy value for a deprecated License or LicenseAddition specifies\nthe licenseId of the replacement License or LicenseAddition that is preferred\nto be used in its place. It should use the same format as specified for a\nlicenseId.\n\nThe License's or LicenseAddition's comment value may include more information\nabout the reason why the licenseId specified in the obsoletedBy value is\npreferred.", "metadata": {"name": "obsoletedBy", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/obsoletedBy", "Domain": ["License", "LicenseAddition"]}}, "standardLicenseTemplate": {"summary": "Identifies the full text of a License, in SPDX templating format.", "description": "A standardLicenseTemplate contains a license template which describes\nsections of the License text which can be varied. See the Legacy Text Template\nformat section of the SPDX specification for format information.", "metadata": {"name": "standardLicenseTemplate", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/standardLicenseTemplate", "Domain": ["License"]}}, "additionName": {"summary": "Identifies the full name of a LicenseAddition.", "description": "An additionName contains the full name of a LicenseAddition, preferably using\nthe title found in the applicable license addition text or file, or as\notherwise specified by the LicenseAddition's author or steward.\n\nWhen no such title is specified, using a name from another well-known source or list\nof licenses additions (such as OSI or Fedora) is suggested.\n\nIf no official or common name is known, any name may be used to aid in\ndistinguishing the LicenseAddition from other LicenseAdditions.", "metadata": {"name": "additionName", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/additionName"}}, "standardAdditionTemplate": {"summary": "Identifies the full text of a LicenseAddition, in SPDX templating format.", "description": "A standardAdditionTemplate contains a license addition template which describes\nsections of the LicenseAddition text which can be varied. See the Legacy Text\nTemplate format section of the SPDX specification for format information.", "metadata": {"name": "standardAdditionTemplate", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/standardAdditionTemplate", "Domain": ["LicenseAddition"]}}, "licenseComment": {"summary": "Identifies general comments about the License.", "description": "A licenseComment describes general factual information about the License. It\nshould not contain information (or links to information) that includes any kind\nof interpretation about the meaning or effect of the License, even if written\nby the license's author.\n\nExamples of information for a licenseComment may include the following:\n\n* If the License's identifier is deprecated, it may briefly explain the reason\n for deprecation.\n* It may include the date of release, if identified, for Licenses with multiple\n versions.\n* It may include links to other official language translations for the License.\n* For LicenseAdditions, it may include a reference to the License(s) with\n which this additional text is typically used.", "metadata": {"name": "licenseComment", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/licenseComment"}}, "deprecatedVersion": {"summary": "Specifies the SPDX License List version in which this license or exception\nidentifier was deprecated.", "description": "A deprecatedVersion for a ListedLicense or ListedLicenseException on the SPDX\nLicense List specifies which version release of the License List was the first\none in which it was marked as deprecated.", "metadata": {"name": "deprecatedVersion", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/deprecatedVersion", "Domain": ["ListedLicense", "ListedLicenseException"]}}, "licenseId": {"summary": "Provides a short, unique identifier to refer to a License.", "description": "A licenseId contains a human-readable, short-form license identifier for a\nLicense. It may only include letters, numbers, period (\".\") and hyphen (\"-\")\ncharacters.\n\nFor a ListedLicense, the licenseId will be as specified on the\n[SPDX License List](https://spdx.org/licenses) for the particular license.\n\nFor a CustomLicense, the short-form license identifer must begin with the\nprefix `LicenseRef-` and must be unique within the applicable SPDX namespace.\nThe short-form license ID may be preceded by an SPDX namespace or a\nfully-qualified URI prefix.", "metadata": {"name": "licenseId", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/licenseId"}}, "additionId": {"summary": "Provides a short, unique identifier to refer to a LicenseAddition.", "description": "An additionId contains a human-readable, short-form identifier for a\nLicenseAddition. It may only include letters, numbers, period (\".\") and\nhyphen (\"-\") characters.\n\nFor a ListedLicenseException, the licenseId will be as specified on the\n[SPDX Exceptions List](https://spdx.org/licenses/exceptions-index.html) for the\nparticular exception.\n\nFor a CustomLicenseAddition, the short-form identifier must begin with the\nprefix `AdditionRef-` and must be unique within the applicable SPDX namespace.\nThe short-form identifier may be preceded by an SPDX namespace or a\nfully-qualified URI prefix.", "metadata": {"name": "additionId", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/additionId"}}, "isOsiApproved": {"summary": "Specifies whether the License is listed as approved by the\n[Open Source Initiative (OSI)](https://opensource.org).", "description": "isOsiApproved specifies whether the [Open Source Initiative (OSI)](https://opensource.org)\nhas listed this License as \"approved\" in their list of OSI Approved Licenses,\nlocated at the time of this writing at https://opensource.org/licenses/.\n\nA value of \"true\" indicates that the OSI has listed this License as approved.\n\nA value of \"false\" indicates that the OSI has not listed this License as\napproved.\n\nIf the isOsiApproved field is not specified, the SPDX data creator makes no\nassertions about whether the License is approved by the OSI.", "metadata": {"name": "isOsiApproved", "Nature": "DataProperty", "Range": "xsd:boolean", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/isOsiApproved", "Domain": ["License"]}}, "additionComment": {"summary": "Identifies general comments about the LicenseAddition.", "description": "An additionComment for a LicenseAddition describes general factual information\nabout the LicenseAddition. It should not contain information (or links to\ninformation) that includes any kind of interpretation about the meaning or\neffect of the License, even if written by the license addition's author.\n\nExamples of information for an additionComment may include the following:\n\n* If the LicenseAddition's identifier is deprecated, it may briefly explain the\n reason for deprecation.\n* It may include the date of release, if identified, for LicenseAdditions with\n multiple versions.\n* It may include links to other official language translations for the\n LicenseAddition.\n* It may include a reference to the License(s) with which this LicenseAddition\n is typically used.", "metadata": {"name": "additionComment", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/additionComment"}}}, "vocabs": {}}, "AI": {"name": "AI", "classes": {"AIPackage": {"summary": "Provides information about the fields in the AI package profile.", "description": "Metadata information that can be added to a package to describe an AI application or trained AI model.\nExternal property restriction on /Core/Artifact/suppliedBy: minCount: 1\nExternal property restriction on /Software/Package/downloadLocation: minCount: 1\nExternal property restriction on /Software/Package/packageVersion: minCount: 1\nExternal property restriction on /Software/SoftwareArtifact/primaryPurpose: minCount: 1\nExternal property restriction on /Core/Artifact/releaseTime: minCount: 1", "metadata": {"name": "AIPackage", "SubclassOf": "/Software/Package", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/AI/AIPackage"}, "properties": {"energyConsumption": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}, "standardCompliance": {"type": "xsd:string", "minCount": "0", "maxCount": "*"}, "limitation": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}, "typeOfModel": {"type": "xsd:string", "minCount": "0", "maxCount": "*"}, "informationAboutTraining": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}, "informationAboutApplication": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}, "hyperparameter": {"type": "/Core/DictionaryEntry", "minCount": "0", "maxCount": "*"}, "modelDataPreprocessing": {"type": "xsd:string", "minCount": "0", "maxCount": "*"}, "modelExplainability": {"type": "xsd:string", "minCount": "0", "maxCount": "*"}, "sensitivePersonalInformation": {"type": "PresenceType", "minCount": "0", "maxCount": "1"}, "metricDecisionThreshold": {"type": "/Core/DictionaryEntry", "minCount": "0", "maxCount": "*"}, "metric": {"type": "/Core/DictionaryEntry", "minCount": "0", "maxCount": "*"}, "domain": {"type": "xsd:string", "minCount": "0", "maxCount": "*"}, "autonomyType": {"type": "PresenceType", "minCount": "0", "maxCount": "1"}, "safetyRiskAssessment": {"type": "SafetyRiskAssessmentType", "minCount": "0", "maxCount": "1"}}}}, "properties": {"safetyRiskAssessment": {"summary": "Categorizes safety risk impact of AI software.", "description": "SafetyRiskAssessment categorizes the safety risk impact of the AI software\nin accordance with Article 20 of [EC Regulation No 765/2008](https://ec.europa.eu/docsroom/documents/17107/attachments/1/translations/en/renditions/pdf).", "metadata": {"name": "safetyRiskAssessment", "Nature": "ObjectProperty", "Range": "SafetyRiskAssessmentType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/AI/safetyRiskAssessment", "Domain": ["AIPackage"]}}, "typeOfModel": {"summary": "Records the type of the model used in the AI software.", "description": "TypeOfModel records the type of the AI model(s) used in the software. \nFor instance, if it is a supervised model, unsupervised model, reinforcement learning model or a combination of those.", "metadata": {"name": "typeOfModel", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/AI/typeOfModel", "Domain": ["AIPackage"]}}, "hyperparameter": {"summary": "Records a hyperparameter used to build the AI model contained in the AI package.", "description": "This field records a hyperparameter value.\nHyperparameters are parameters of the machine learning model that are used to control the learning process,\nfor example the optimization and learning rate used during the training of the model.", "metadata": {"name": "hyperparameter", "Nature": "ObjectProperty", "Range": "/Core/DictionaryEntry", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/AI/hyperparameter", "Domain": ["AIPackage"]}}, "informationAboutTraining": {"summary": "Describes relevant information about different steps of the training process.", "description": "InformationAboutTraining describes the specific steps involved in the training of the AI model.\nFor example, it can be specified whether supervised fine-tuning \nor active learning is used as part of training the model.", "metadata": {"name": "informationAboutTraining", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/AI/informationAboutTraining", "Domain": ["AIPackage"]}}, "sensitivePersonalInformation": {"summary": "Records if sensitive personal information is used during model training.", "description": "SensitivePersonalInformation notes if sensitive personal information\nis used in the training or inference of the AI models.\nThis might include biometric data, addresses or other data that can be used to infer a person's identity.", "metadata": {"name": "sensitivePersonalInformation", "Nature": "ObjectProperty", "Range": "PresenceType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/AI/sensitivePersonalInformation", "Domain": ["AIPackage"]}}, "modelDataPreprocessing": {"summary": "Describes all the preprocessing steps applied to the training data before the model training.", "description": "ModelDataPreprocessing is a free form text that describes the preprocessing steps\napplied to the training data before training of the model(s) contained in the AI software.", "metadata": {"name": "modelDataPreprocessing", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/AI/modelDataPreprocessing", "Domain": ["AIPackage"]}}, "energyConsumption": {"summary": "Indicates the amount of energy consumed to build the AI package.", "description": "EnergyConsumption captures the amount of energy needed to train and operate the AI model. \nThis value is also known as training energy consumption or inference energy consumption.", "metadata": {"name": "energyConsumption", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/AI/energyConsumption", "Domain": ["AIPackage"]}}, "domain": {"summary": "Captures the domain in which the AI package can be used.", "description": "Domain describes the domain in which the AI model contained in the AI software\ncan be expected to operate successfully. Examples include computer vision, natural language etc.", "metadata": {"name": "domain", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/AI/domain", "Domain": ["AIPackage"]}}, "standardCompliance": {"summary": "Captures a standard that is being complied with.", "description": "StandardCompliance captures a standard that the AI software complies with. \nThis includes both published and unpublished standards, for example ISO, IEEE, ETSI etc. \nThe standard could (but not necessarily have to) be used to satisfy a legal or regulatory requirement.", "metadata": {"name": "standardCompliance", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/AI/standardCompliance", "Domain": ["AIPackage"]}}, "metric": {"summary": "Records the measurement of prediction quality of the AI model.", "description": "Metric records the measurement with which the AI model was evaluated. \nThis makes statements about the prediction quality including uncertainty,\naccuracy, characteristics of the tested population, quality, fairness, explainability, robustness etc.", "metadata": {"name": "metric", "Nature": "ObjectProperty", "Range": "/Core/DictionaryEntry", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/AI/metric", "Domain": ["AIPackage"]}}, "metricDecisionThreshold": {"summary": "Captures the threshold that was used for computation of a metric described in the metric field.", "description": "Each metric might be computed based on a decision threshold. \nFor instance, precision or recall is typically computed by checking\nif the probability of the outcome is larger than 0.5.\nEach decision threshold should match with a metric field defined in the AI Package.", "metadata": {"name": "metricDecisionThreshold", "Nature": "ObjectProperty", "Range": "/Core/DictionaryEntry", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/AI/metricDecisionThreshold", "Domain": ["AIPackage"]}}, "modelExplainability": {"summary": "Describes methods that can be used to explain the model.", "description": "ModelExplainability is a free form text that lists the different explainability mechanisms\n(such as SHAP, or other model specific explainability mechanisms) that can be used to explain the model.", "metadata": {"name": "modelExplainability", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/AI/modelExplainability", "Domain": ["AIPackage"]}}, "autonomyType": {"summary": "States if a human is involved in the decisions of the AI software.", "description": "AutonomyType indicates if a human is involved in any of the decisions of the AI software\nor if that software is fully automatic.", "metadata": {"name": "autonomyType", "Nature": "ObjectProperty", "Range": "PresenceType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/AI/autonomyType", "Domain": ["AIPackage"]}}, "informationAboutApplication": {"summary": "Provides relevant information about the AI software, not including the model description.", "description": "InformationAboutApplication describes any relevant information in free form text about \nhow the AI model is used inside the software, as well as any relevant pre-processing steps, third party APIs etc.", "metadata": {"name": "informationAboutApplication", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/AI/informationAboutApplication", "Domain": ["AIPackage"]}}, "limitation": {"summary": "Captures a limitation of the AI software.", "description": "Limitation captures a limitation of the AI Package (or of the AI models present in the AI package),\nexpressed as free form text. Note that this is not guaranteed to be exhaustive.\nFor instance, a limitation might be that the AI package cannot be used on datasets from a certain demography.", "metadata": {"name": "limitation", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/AI/limitation", "Domain": ["AIPackage"]}}}, "vocabs": {"SafetyRiskAssessmentType": {"summary": "Categories of safety risk impact of the application.", "description": "Lists the different safety risk type values that can be used to describe the safety risk of AI software\naccording to [Article 20 of Regulation 765/2008/EC](https://ec.europa.eu/docsroom/documents/17107/attachments/1/translations/en/renditions/pdf).", "metadata": {"name": "SafetyRiskAssessmentType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/AI/SafetyRiskAssessmentType"}, "entries": {"serious": "The highest level of risk posed by an AI software.", "high": "The second-highest level of risk posed by an AI software.", "medium": "The third-highest level of risk posed by an AI software.", "low": "Low/no risk is posed by the AI software."}}, "PresenceType": {"summary": "Categories of presence or absence.", "description": "This type is used to indicate if a given field is present or absent or unknown.", "metadata": {"name": "PresenceType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/AI/PresenceType"}, "entries": {"yes": "Indicates presence of the field.", "no": "Indicates absence of the field.", "noAssertion": "Makes no assertion about the field."}}}}, "Security": {"name": "Security", "classes": {"VexNotAffectedVulnAssessmentRelationship": {"summary": "Links a vulnerability and one or more elements designating the latter as products\nnot affected by the vulnerability.", "description": "VexNotAffectedVulnAssessmentRelationship connects a vulnerability and a number\nof elements designating them as products not affected by the vulnerability.\nThis relationship corresponds to the VEX not_affected status.\n\n**Constraints**\n\nWhen linking elements using a VexNotVulnAffectedAssessmentRelationship, the\nfollowing requirements must be observed:\n\n* Relating elements with a VexNotAffectedVulnAssessmentRelationship is restricted\nto the doesNotAffect relationship type.\n* The from: end of the relationship must be a /Security/Vulnerability classed\nelement.\n* Both impactStatement and justificationType properties have a cardinality of\n0..1 making them optional. Nevertheless, to produce a valid VEX not_affected\nstatement, one of them MUST be defined. This is specified in the Minimum Elements\nfor VEX.\n\n**Syntax**\n\n```json\n{\n \"@type\": \"VexNotAffectedVulnAssessmentRelationship\",\n \"@id\": \"urn:spdx.dev:vex-not-affected-1\",\n \"relationshipType\": \"doesNotAffect\",\n \"from\": \"urn:spdx.dev:vuln-cve-2020-28498\",\n \"to\": [\"urn:product-acme-application-1.3\"],\n \"assessedElement\": \"urn:npm-elliptic-6.5.2\",\n \"justificationType\": \"componentNotPresent\",\n \"impactStatement\": \"Not using this vulnerable part of this library.\",\n \"suppliedBy\": [\"urn:spdx.dev:agent-jane-doe\"],\n \"publishedTime\": \"2021-03-09T11:04:53Z\"\n}\n```", "metadata": {"name": "VexNotAffectedVulnAssessmentRelationship", "SubclassOf": "VexVulnAssessmentRelationship", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/VexNotAffectedVulnAssessmentRelationship"}, "properties": {"justificationType": {"type": "VexJustificationType", "minCount": "0", "maxCount": "1"}, "impactStatement": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}, "impactStatementTime": {"type": "/Core/DateTime", "minCount": "0", "maxCount": "1"}}}, "SsvcVulnAssessmentRelationship": {"summary": "Provides an SSVC assessment for a vulnerability.", "description": "An SsvcVulnAssessmentRelationship describes the decision made using the\nStakeholder-Specific Vulnerability Categorization (SSVC) decision tree as\ndefined on [https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc](https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc).\nIt is intended to communicate the results of using the CISA SSVC Calculator.\n\n**Constraints**\n\n- The relationship type must be set to hasAssessmentFor.\n\n**Syntax**\n\n```json\n{\n \"@type\": \"SsvcVulnAssessmentRelationship\",\n \"@id\": \"urn:spdx.dev:ssvc-1\",\n \"relationshipType\": \"hasAssessmentFor\",\n \"decisionType\": \"act\",\n \"from\": \"urn:spdx.dev:vuln-cve-2020-28498\",\n \"to\": [\"urn:product-acme-application-1.3\"],\n \"assessedElement\": \"urn:npm-elliptic-6.5.2\",\n \"suppliedBy\": [\"urn:spdx.dev:agent-jane-doe\"],\n \"publishedTime\": \"2021-03-09T11:04:53Z\"\n}\n```", "metadata": {"name": "SsvcVulnAssessmentRelationship", "SubclassOf": "VulnAssessmentRelationship", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/SsvcVulnAssessmentRelationship"}, "properties": {"decisionType": {"type": "SsvcDecisionType", "minCount": "1", "maxCount": "1"}}}, "VexFixedVulnAssessmentRelationship": {"summary": "Links a vulnerability and elements representing products (in the VEX sense) where\na fix has been applied and are no longer affected.", "description": "VexFixedVulnAssessmentRelationship links a vulnerability to a number of elements\nrepresenting VEX products where a vulnerability has been fixed and are no longer\naffected. It represents the VEX fixed status.\n\n**Constraints**\n\nWhen linking elements using a VexFixedVulnAssessmentRelationship, the following\nrequirements must be observed:\n\n- Elements linked with a VulnVexFixedAssessmentRelationship are constrained to\nusing the fixedIn relationship type.\n- The from: end of the relationship must ve a /Security/Vulnerability classed\nelement.\n\n**Syntax**\n\n```json\n{\n \"@type\": \"VexFixedVulnAssessmentRelationship\",\n \"@id\": \"urn:spdx.dev:vex-fixed-in-1\",\n \"relationshipType\": \"fixedIn\",\n \"from\": \"urn:spdx.dev:vuln-cve-2020-28498\",\n \"to\": [\"urn:product-acme-application-1.3\"],\n \"assessedElement\": \"urn:npm-elliptic-6.5.4\",\n \"suppliedBy\": [\"urn:spdx.dev:agent-jane-doe\"],\n \"publishedTime\": \"2021-03-09T11:04:53Z\"\n}\n```", "metadata": {"name": "VexFixedVulnAssessmentRelationship", "SubclassOf": "VexVulnAssessmentRelationship", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/VexFixedVulnAssessmentRelationship"}, "properties": {}}, "VexVulnAssessmentRelationship": {"summary": "Asbtract ancestor class for all VEX relationships", "description": "VexVulnAssessmentRelationship is an abstract subclass that defined the common\nproperties shared by all the SPDX-VEX status relationships. \n\n**Constraints**\n\nWhen linking elements using a VexVulnAssessmentRelationship, the following\nrequirements must be observed:\n\n- The from: end must be a /Security/Vulnerability classed element\n- The to: end must point to elements representing the VEX _products_. To\nspecify a different element where the vulnerability was detected, the VEX\nrelationship can optionally specify _subcomponents_ using the assessedElement\nproperty.\n\nVEX inherits information from the document level down to its statements. When a\nstatement is missing information it can be completed by reading the equivalent \nfield from the containing document. For example, if a VEX relationship is\nmissing data in its createdBy property, tools must consider the entity\nlisted in the CreationInfo section of the document as the VEX author.\nIn the same way, when a VEX relationship does not have a created property,\nthe document's date must be considered as authoritative.", "metadata": {"name": "VexVulnAssessmentRelationship", "SubclassOf": "VulnAssessmentRelationship", "Instantiability": "Abstract", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/VexVulnAssessmentRelationship"}, "properties": {"vexVersion": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}, "statusNotes": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}}}, "CvssV3VulnAssessmentRelationship": {"summary": "Provides a CVSS version 3.x assessment for a vulnerability.", "description": "A CvssV3VulnAssessmentRelationship relationship describes the determined score,\nseverity, and vector of a vulnerability using version 3.1 of the Common\nVulnerability Scoring System (CVSS) as defined on \n[https://www.first.org/cvss/v3.1/specification-document](https://www.first.org/cvss/v3.1/specification-document). It is intented to communicate the results of using a CVSS calculator.\n\n**Constraints**\n\n- The value of severity must be one of 'none', 'low', 'medium', 'high' or 'critical'.\n- Absence of the property shall be interpreted as 'none'.\n- The relationship type must be set to hasAssessmentFor.\n\n**Syntax**\n\n```json\n{\n \"@type\": \"CvssV3VulnAssessmentRelationship\",\n \"@id\": \"urn:spdx.dev:cvssv3-cve-2020-28498\",\n \"relationshipType\": \"hasAssessmentFor\",\n \"severity\": \"medium\",\n \"score\": 6.8,\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N\",\n \"from\": \"urn:spdx.dev:vuln-cve-2020-28498\",\n \"to\": [\"urn:product-acme-application-1.3\"],\n \"assessedElement\": \"urn:npm-elliptic-6.5.2\",\n \"externalReferences\": [\n {\n \"@type\": \"ExternalReference\",\n \"externalReferenceType\": \"securityAdvisory\",\n \"locator\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-28498\"\n },\n {\n \"@type\": \"ExternalReference\",\n \"externalReferenceType\": \"securityAdvisory\",\n \"locator\": \"https://snyk.io/vuln/SNYK-JS-ELLIPTIC-1064899\"\n },\n {\n \"@type\": \"ExternalReference\",\n \"externalReferenceType\": \"securityFix\",\n \"locator\": \"https://github.com/indutny/elliptic/commit/441b742\"\n }\n ],\n \"suppliedBy\": [\"urn:spdx.dev:agent-my-security-vendor\"],\n \"publishedTime\": \"2023-05-06T10:06:13Z\"\n},\n{\n \"@type\": \"Relationship\",\n \"@id\": \"urn:spdx.dev:vulnAgentRel-1\",\n \"relationshipType\": \"publishedBy\",\n \"from\": \"urn:spdx.dev:cvssv3-cve-2020-28498\",\n \"to\": \"urn:spdx.dev:agent-snyk\",\n \"startTime\": \"2021-03-08T16:06:50Z\"\n}\n```", "metadata": {"name": "CvssV3VulnAssessmentRelationship", "SubclassOf": "VulnAssessmentRelationship", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/CvssV3VulnAssessmentRelationship"}, "properties": {"score": {"type": "xsd:decimal", "minCount": "1", "maxCount": "1"}, "severity": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}, "vector": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}}}, "VulnAssessmentRelationship": {"summary": "Abstract ancestor class for all vulnerability assessments", "description": "VulnAssessmentRelationship is the ancestor class common to all vulnerability\nassessment relationships. It factors out the common properties shared by them.\nExternal property restriction on /Core/Relationship/to: minCount: 1", "metadata": {"name": "VulnAssessmentRelationship", "SubclassOf": "/Core/Relationship", "Instantiability": "Abstract", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/VulnAssessmentRelationship"}, "properties": {"assessedElement": {"type": "/Core/Element", "minCount": "0", "maxCount": "1"}, "publishedTime": {"type": "/Core/DateTime", "minCount": "0", "maxCount": "1"}, "suppliedBy": {"type": "/Core/Agent", "minCount": "0", "maxCount": "1"}, "modifiedTime": {"type": "/Core/DateTime", "minCount": "0", "maxCount": "1"}, "withdrawnTime": {"type": "/Core/DateTime", "minCount": "0", "maxCount": "1"}}}, "Vulnerability": {"summary": "Specifies a vulnerability and its associated information.", "description": "Specifies a vulnerability and its associated information.\n\n**Syntax**\n\n```json\n{\n \"@type\": \"Vulnerability\",\n \"@id\": \"urn:spdx.dev:vuln-1\",\n \"summary\": \"Use of a Broken or Risky Cryptographic Algorithm\",\n \"description\": \"The npm package `elliptic` before version 6.5.4 are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.\", \n \"modified\": \"2021-03-08T16:02:43Z\",\n \"published\": \"2021-03-08T16:06:50Z\",\n \"externalIdentifiers\": [\n {\n \"@type\": \"ExternalIdentifier\",\n \"externalIdentifierType\": \"cve\",\n \"identifier\": \"CVE-2020-2849\",\n \"identifierLocator\": [\n \"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28498\",\n \"https://www.cve.org/CVERecord?id=CVE-2020-28498\"\n ],\n \"issuingAuthority\": \"urn:spdx.dev:agent-cve.org\"\n },\n {\n \"type\": \"ExternalIdentifier\",\n \"externalIdentifierType\": \"securityOther\",\n \"identifier\": \"GHSA-r9p9-mrjm-926w\",\n \"identifierLocator\": \"https://github.com/advisories/GHSA-r9p9-mrjm-926w\"\n },\n {\n \"type\": \"ExternalIdentifier\",\n \"externalIdentifierType\": \"securityOther\",\n \"identifier\": \"SNYK-JS-ELLIPTIC-1064899\",\n \"identifierLocator\": \"https://security.snyk.io/vuln/SNYK-JS-ELLIPTIC-1064899\"\n }\n ],\n \"externalReferences\": [\n {\n \"@type\": \"ExternalReference\",\n \"externalReferenceType\": \"securityAdvisory\",\n \"locator\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-28498\"\n },\n {\n \"@type\": \"ExternalReference\",\n \"externalReferenceType\": \"securityAdvisory\",\n \"locator\": \"https://ubuntu.com/security/CVE-2020-28498\"\n },\n {\n \"@type\": \"ExternalReference\",\n \"externalReferenceType\": \"securityOther\",\n \"locator\": \"https://github.com/indutny/elliptic/pull/244/commits\"\n },\n {\n \"@type\": \"ExternalReference\",\n \"externalReferenceType\": \"securityOther\",\n \"locator\": \"https://github.com/christianlundkvist/blog/blob/master/2020_05_26_secp256k1_twist_attacks/secp256k1_twist_attacks.md\"\n }\n ]\n},\n{\n \"@type\": \"Relationship\",\n \"@id\": \"urn:spdx.dev:vulnRelationship-1\",\n \"relationshipType\": \"hasAssociatedVulnerability\",\n \"from\": \"urn:npm-elliptic-6.5.2\",\n \"to\": [\"urn:spdx.dev:vuln-1\"],\n \"startTime\": \"2021-03-08T16:06:50Z\"\n},\n{\n \"@type\": \"Relationship\",\n \"@id\": \"urn:spdx.dev:vulnAgentRel-1\", \n \"relationshipType\": \"publishedBy\", \n \"from\": \"urn:spdx.dev:vuln-1\",\n \"to\": [\"urn:spdx.dev:agent-snyk\"],\n \"startTime\": \"2021-03-08T16:06:50Z\"\n}\n```", "metadata": {"name": "Vulnerability", "SubclassOf": "/Core/Element", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/Vulnerability"}, "properties": {"publishedTime": {"type": "/Core/DateTime", "minCount": "0", "maxCount": "1"}, "modifiedTime": {"type": "/Core/DateTime", "minCount": "0", "maxCount": "1"}, "withdrawnTime": {"type": "/Core/DateTime", "minCount": "0", "maxCount": "1"}}}, "CvssV2VulnAssessmentRelationship": {"summary": "Provides a CVSS version 2.0 assessment for a vulnerability.", "description": "A CvssV2VulnAssessmentRelationship relationship describes the determined score and vector of a vulnerability using version 2.0 of the Common Vulnerability Scoring System\n(CVSS) as defined on [https://www.first.org/cvss/v2/guide](https://www.first.org/cvss/v2/guide). It is intented to communicate the results of using a CVSS calculator.\n\n**Constraints**\n\n- The value of severity must be one of 'low', 'medium' or 'high'\n- The relationship type must be set to hasAssessmentFor.\n\n**Syntax**\n\n```json\n{\n \"@type\": \"CvssV2VulnAssessmentRelationship\",\n \"@id\": \"urn:spdx.dev:cvssv2-cve-2020-28498\",\n \"relationshipType\": \"hasAssessmentFor\",\n \"score\": 4.3,\n \"vector\": \"(AV:N/AC:M/Au:N/C:P/I:N/A:N)\",\n \"severity\": \"low\",\n \"from\": \"urn:spdx.dev:vuln-cve-2020-28498\",\n \"to\": [\"urn:product-acme-application-1.3\"],\n \"assessedElement\": \"urn:npm-elliptic-6.5.2\",\n \"externalReferences\": [\n {\n \"@type\": \"ExternalReference\",\n \"externalReferenceType\": \"securityAdvisory\",\n \"locator\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-28498\"\n },\n {\n \"@type\": \"ExternalReference\",\n \"externalReferenceType\": \"securityAdvisory\",\n \"locator\": \"https://snyk.io/vuln/SNYK-JS-ELLIPTIC-1064899\"\n },\n {\n \"@type\": \"ExternalReference\",\n \"externalReferenceType\": \"securityFix\",\n \"locator\": \"https://github.com/indutny/elliptic/commit/441b742\"\n }\n ],\n \"suppliedBy\": [\"urn:spdx.dev:agent-my-security-vendor\"],\n \"publishedTime\": \"2023-05-06T10:06:13Z\"\n},\n{\n \"@type\": \"Relationship\",\n \"@id\": \"urn:spdx.dev:vulnAgentRel-1\", \n \"relationshipType\": \"publishedBy\", \n \"from\": \"urn:spdx.dev:cvssv2-cve-2020-28498\",\n \"to\": [\"urn:spdx.dev:agent-snyk\"],\n \"startTime\": \"2021-03-08T16:06:50Z\"\n}\n```", "metadata": {"name": "CvssV2VulnAssessmentRelationship", "SubclassOf": "VulnAssessmentRelationship", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/CvssV2VulnAssessmentRelationship"}, "properties": {"score": {"type": "xsd:decimal", "minCount": "1", "maxCount": "1"}, "severity": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}, "vector": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}}}, "VexAffectedVulnAssessmentRelationship": {"summary": "Connects a vulnerability and an element designating the element as a product\naffected by the vulnerability.", "description": "VexAffectedVulnAssessmentRelationship connects a vulnerability and a number\nof elements. The relationship marks these elements as products affected by the\nvulnerability. This relationship corresponds to the VEX affected status.\n\n**Constraints**\n\nWhen linking elements using a VexAffectedVulnAssessmentRelationship, the\nfollowing requirements must be observed:\n\n- Elements linked with a VulnVexAffectedAssessmentRelationship are constrained\nto the affects relationship type.\n\n**Syntax**\n\n```json\n{\n \"@type\": \"VexAffectedVulnAssessmentRelationship\",\n \"@id\": \"urn:spdx.dev:vex-affected-1\",\n \"relationshipType\": \"affects\",\n \"from\": \"urn:spdx.dev:vuln-cve-2020-28498\",\n \"to\": [\"urn:product-acme-application-1.3\"],\n \"assessedElement\": \"urn:npm-elliptic-6.5.2\",\n \"actionStatement\": \"Upgrade to version 1.4 of ACME application.\",\n \"suppliedBy\": [\"urn:spdx.dev:agent-jane-doe\"],\n \"publishedTime\": \"2021-03-09T11:04:53Z\"\n}\n```", "metadata": {"name": "VexAffectedVulnAssessmentRelationship", "SubclassOf": "VexVulnAssessmentRelationship", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/VexAffectedVulnAssessmentRelationship"}, "properties": {"actionStatement": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}, "actionStatementTime": {"type": "/Core/DateTime", "minCount": "0", "maxCount": "*"}}}, "ExploitCatalogVulnAssessmentRelationship": {"summary": "Provides an exploit assessment of a vulnerability.", "description": "An ExploitCatalogVulnAssessmentRelationship describes if a vulnerability is\nlisted in any exploit catalog such as the CISA Known Exploited Vulnerabilities\nCatalog (KEV) \n[https://www.cisa.gov/known-exploited-vulnerabilities-catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog).\n\n**Constraints**\n\n- The relationship type must be set to hasAssessmentFor.\n\n**Syntax**\n\n```json\n{\n \"@type\": \"ExploitCatalogVulnAssessmentRelationship\",\n \"@id\": \"urn:spdx.dev:exploit-catalog-1\",\n \"relationshipType\": \"hasAssessmentFor\",\n \"catalogType\": \"kev\",\n \"locator\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n \"exploited\": \"true\",\n \"from\": \"urn:spdx.dev:vuln-cve-2023-2136\",\n \"to\": [\"urn:product-google-chrome-112.0.5615.136\"],\n \"suppliedBy\": [\"urn:spdx.dev:agent-jane-doe\"],\n \"publishedTime\": \"2021-03-09T11:04:53Z\"\n}\n```", "metadata": {"name": "ExploitCatalogVulnAssessmentRelationship", "SubclassOf": "VulnAssessmentRelationship", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/ExploitCatalogVulnAssessmentRelationship"}, "properties": {"catalogType": {"type": "ExploitCatalogType", "minCount": "1", "maxCount": "1"}, "exploited": {"type": "xsd:boolean", "minCount": "1", "maxCount": "1"}, "locator": {"type": "xsd:anyURI", "minCount": "1", "maxCount": "1"}}}, "EpssVulnAssessmentRelationship": {"summary": "Provides an EPSS assessment for a vulnerability.", "description": "An EpssVulnAssessmentRelationship relationship describes the likelihood or\nprobability that a vulnerability will be exploited in the wild using the Exploit\nPrediction Scoring System (EPSS) as defined on \n[https://www.first.org/epss/model](https://www.first.org/epss/model).\n\n**Constraints**\n\n- The relationship type must be set to hasAssessmentFor.\n\n**Syntax**\n\n```json\n{\n \"@type\": \"EpssVulnAssessmentRelationship\",\n \"@id\": \"urn:spdx.dev:epss-1\",\n \"relationshipType\": \"hasAssessmentFor\",\n \"probability\": 80,\n \"from\": \"urn:spdx.dev:vuln-cve-2020-28498\",\n \"to\": [\"urn:product-acme-application-1.3\"],\n \"suppliedBy\": [\"urn:spdx.dev:agent-jane-doe\"],\n \"publishedTime\": \"2021-03-09T11:04:53Z\"\n}\n```", "metadata": {"name": "EpssVulnAssessmentRelationship", "SubclassOf": "VulnAssessmentRelationship", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/EpssVulnAssessmentRelationship"}, "properties": {"probability": {"type": "xsd:nonNegativeInteger", "minCount": "1", "maxCount": "1"}, "severity": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}}}, "VexUnderInvestigationVulnAssessmentRelationship": {"summary": "Designates elements as products where the impact of a vulnerability is being\ninvestigated.", "description": "VexUnderInvestigationVulnAssessmentRelationship links a vulnerability to a\nnumber of products stating the vulnerability's impact on them is being\ninvestigated. It represents the VEX under_investigation status.\n\n**Constraints**\n\nWhen linking elements using a VexUnderInvestigationVulnAssessmentRelationship\nthe following requirements must be observed:\n\n- Elements linked with a VexUnderInvestigationVulnAssessmentRelationship are\nconstrained to using the underInvestigationFor relationship type.\n- The from: end of the relationship must ve a /Security/Vulnerability classed\nelement.\n\n**Syntax**\n\n```json\n{\n \"@type\": \"VexUnderInvestigationVulnAssessmentRelationship\",\n \"@id\": \"urn:spdx.dev:vex-underInvestigation-1\",\n \"relationshipType\": \"underInvestigationFor\",\n \"from\": \"urn:spdx.dev:vuln-cve-2020-28498\",\n \"to\": [\"urn:product-acme-application-1.3\"],\n \"assessedElement\": \"urn:npm-elliptic-6.5.2\",\n \"suppliedBy\": [\"urn:spdx.dev:agent-jane-doe\"],\n \"publishedTime\": \"2021-03-09T11:04:53Z\"\n}\n```", "metadata": {"name": "VexUnderInvestigationVulnAssessmentRelationship", "SubclassOf": "VexVulnAssessmentRelationship", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/VexUnderInvestigationVulnAssessmentRelationship"}, "properties": {}}}, "properties": {"justificationType": {"summary": "Impact justification label to be used when linking a vulnerability to an element\nrepresenting a VEX product with a VexNotAffectedVulnAssessmentRelationship\nrelationship.", "description": "When stating that an element is not affected by a vulnerability, the\nVexNotAffectedVulnAssessmentRelationship must include a justification from the\nmachine-readable labels catalog informing the reason the element is not impacted.\n\nimpactStatement which is a string with English prose can be used instead or as\ncomplementary to the justification label, but one of both MUST be defined.", "metadata": {"name": "justificationType", "Nature": "ObjectProperty", "Range": "VexJustificationType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/justificationType", "Domain": ["VexNotAffectedVulnAssessmentRelationship"]}}, "actionStatementTime": {"summary": "Records the time when a recommended action was communicated in a VEX statement \nto mitigate a vulnerability.", "description": "When a VEX statement communicates an affected status, the author MUST\ninclude an action statement with a recommended action to help mitigate the\nvulnerability's impact. The actionStatementTime property records the time\nwhen the action statement was first communicated.", "metadata": {"name": "actionStatementTime", "Nature": "DataProperty", "Range": "/Core/DateTime", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/actionStatementTime", "Domain": ["VexAffectedVulnAssessmentRelationship"]}}, "assessedElement": {"summary": "Specifies an element contained in a piece of software where a vulnerability was\nfound.", "description": "Specifies subpackages, files or snippets referenced by a security assessment\nto specify the precise location where a vulnerability was found.", "metadata": {"name": "assessedElement", "Nature": "ObjectProperty", "Range": "/Core/Element", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/assessedElement", "Domain": ["VulnAssessmentRelationship"]}}, "suppliedBy": {"summary": "Identifies who or what supplied the vulnerability assessment relationship.", "description": "Identify the actual distribution source for the vulnerability assessment relationship being referenced.", "metadata": {"name": "suppliedBy", "Nature": "ObjectProperty", "Range": "/Core/Agent", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/suppliedBy", "Domain": ["VulnAssessmentRelationship"]}}, "decisionType": {"summary": "Provide the enumeration of possible decisions in the Stakeholder-Specific Vulnerability Categorization (SSVC) decision tree [https://www.cisa.gov/sites/default/files/publications/cisa-ssvc-guide%20508c.pdf](https://www.cisa.gov/sites/default/files/publications/cisa-ssvc-guide%20508c.pdf)", "description": "A decisionType is a mandatory value and must select one of the four entries in the `SsvcDecisionType.md` vocabulary.", "metadata": {"name": "decisionType", "Nature": "ObjectProperty", "Range": "SsvcDecisionType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/decisionType", "Domain": ["SsvcVulnAssessmentRelationship"]}}, "exploited": {"summary": "Describe that a CVE is known to have an exploit because it's been listed in an exploit catalog.", "description": "This field is set when a CVE is listed in an exploit catalog.", "metadata": {"name": "exploited", "Nature": "DataProperty", "Range": "xsd:boolean", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/exploited", "Domain": ["ExploitCatalogVulnAssessmentRelationship"]}}, "catalogType": {"summary": "TODO", "description": "A catalogType is a mandatory value and must select one of the two entries in the `ExploitCatalogType.md` vocabulary.", "metadata": {"name": "catalogType", "Nature": "ObjectProperty", "Range": "ExploitCatalogType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/catalogType", "Domain": ["ExploitCatalogVulnAssessmentRelationship"]}}, "probability": {"summary": "A probability score between 0 and 1 of a vulnerability being exploited.", "description": "The probability score between 0 and 1 (0 and 100%) estimating the likelihood\nthat a vulnerability will be exploited in the next 12 months.", "metadata": {"name": "probability", "Nature": "DataProperty", "Range": "xsd:decimal", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/probability", "Domain": ["EpssVulnAssessmentRelationship"]}}, "statusNotes": {"summary": "TODO", "description": "TODO", "metadata": {"name": "statusNotes", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/statusNotes", "Domain": ["VexVulnAssessmentRelationship"]}}, "publishedTime": {"summary": "Specifies the time when a vulnerability was published.", "description": "Specifies the time when a vulnerability was first published.", "metadata": {"name": "publishedTime", "Nature": "DataProperty", "Range": "/Core/DateTime", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/publishedTime", "Domain": ["VulnAssessmentRelationship", "Vulnerability"]}}, "vexVersion": {"summary": "TODO", "description": "TODO", "metadata": {"name": "vexVersion", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/vexVersion", "Domain": ["VexVulnAssessmentRelationship"]}}, "actionStatement": {"summary": "Provides advise on how to mitigate or remediate a vulnerability when a VEX product\nis affected by it.", "description": "When an element is referenced with a VexAffectedVulnAssessmentRelationship,\nthe relationship MUST include one actionStatement that SHOULD describe actions\nto remediate or mitigate the vulnerability.", "metadata": {"name": "actionStatement", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/actionStatement", "Domain": ["VexAffectedVulnAssessmentRelationship"]}}, "locator": {"summary": "Provides the location of an exploit catalog.", "description": "A locator provides the location of an exploit catalog.", "metadata": {"name": "locator", "Nature": "DataProperty", "Range": "xsd:anyURI", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/locator", "Domain": ["ExploitCatalogVulnAssessmentRelationship"]}}, "vector": {"summary": "Specifies the vector string of a vulnerability.", "description": "Sepcifies the vector string of a vulnerability, a string combining metrics\nfrom an assessment of its severity.", "metadata": {"name": "vector", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/vector", "Domain": ["CvssV3VulnAssessmentRelationship", "CvssV2VulnAssessmentRelationship"]}}, "impactStatementTime": {"summary": "TODO", "description": "TODO", "metadata": {"name": "impactStatementTime", "Nature": "DataProperty", "Range": "/Core/DateTime", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/impactStatementTime", "Domain": ["VexNotAffectedVulnAssessmentRelationship"]}}, "withdrawnTime": {"summary": "Specified the time and date when a vulnerability was withdrawn.", "description": "Specified the time and date when a vulnerability was withdrawn.", "metadata": {"name": "withdrawnTime", "Nature": "DataProperty", "Range": "/Core/DateTime", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/withdrawnTime", "Domain": ["VulnAssessmentRelationship", "Vulnerability"]}}, "impactStatement": {"summary": "Explains why a VEX product is not affected by a vulnerability. It is an\nalternative in VexNotAffectedVulnAssessmentRelationship to the machine-readable\njustification label.", "description": "When a VEX product element is related with a VexNotAffectedVulnAssessmentRelationship\nand a machine readable justification label is not provided, then an impactStatement\nthat further explains how or why the prouct(s) are not affected by the vulnerability\nmust be provided.", "metadata": {"name": "impactStatement", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/impactStatement", "Domain": ["VexNotAffectedVulnAssessmentRelationship"]}}, "score": {"summary": "Provides a numerical (0-10) representation of the severity of a vulnerability.", "description": "The score provides information on the severity of a vulnerability per the\nCommon Vulnerability Scoring System as defined on [https://www.first.org/cvss](https://www.first.org/cvss/).", "metadata": {"name": "score", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/score", "Domain": ["CvssV3VulnAssessmentRelationship", "CvssV2VulnAssessmentRelationship"]}}, "severity": {"summary": "The severity of a vulnerability in relation to a piece of software.", "description": "The severity field provides a human readable string, a label that can be used\nas an English adjective that qualifies its numerical score.", "metadata": {"name": "severity", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/severity", "Domain": ["CvssV3VulnAssessmentRelationship", "CvssV2VulnAssessmentRelationship", "EpssVulnAssessmentRelationship"]}}, "modifiedTime": {"summary": "Specifies a time when a vulnerability assessment was modified", "description": "Specifies a time when a vulnerability assessment was last modified.", "metadata": {"name": "modifiedTime", "Nature": "DataProperty", "Range": "/Core/DateTime", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/modifiedTime", "Domain": ["VulnAssessmentRelationship", "Vulnerability"]}}}, "vocabs": {"VexJustificationType": {"summary": "Specifies the VEX justification type.", "description": "VexJustificationType specifies the type of Vulnerability Exploitability eXchange (VEX) justification.", "metadata": {"name": "VexJustificationType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/VexJustificationType"}, "entries": {"componentNotPresent": "The software is not affected because the vulnerable component is not in the product.", "vulnerableCodeNotPresent": "The product is not affected because the code underlying the vulnerability is not present in the product.", "vulnerableCodeCannotBeControlledByAdversary": "The vulnerable component is present, and the component contains the vulnerable code. However, vulnerable code is used in such a way that an attacker cannot mount any anticipated attack.", "vulnerableCodeNotInExecutePath": "The affected code is not reachable through the execution of the code, including non-anticipated states of the product.", "inlineMitigationsAlreadyExist": "Built-in inline controls or mitigations prevent an adversary from leveraging the vulnerability."}}, "ExploitCatalogType": {"summary": "Specifies the exploit catalog type.", "description": "ExploitCatalogType specifies the type of exploit catalog that a vulnerability is listed in.", "metadata": {"name": "ExploitCatalogType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/ExploitCatalogType"}, "entries": {"kev": "CISA's Known Exploited Vulnerability (KEV) Catalog", "other": "Other exploit catalogs"}}, "SsvcDecisionType": {"summary": "Specifies the SSVC decision type.", "description": "SsvcDecisionType specifies the type of decision that's been made according to the Stakeholder-Specific Vulnerability Categorization (SSVC) system [https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc](https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc)", "metadata": {"name": "SsvcDecisionType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/SsvcDecisionType"}, "entries": {"act": "The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. CISA recommends remediating Act vulnerabilities as soon as possible.", "attend": "The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary actions include requesting assistance or information about the vulnerability, and may involve publishing a notification either internally and/or externally. CISA recommends remediating Attend vulnerabilities sooner than standard update timelines.", "track": "The vulnerability does not require action at this time. The organization would continue to track the vulnerability and reassess it if new information becomes available. CISA recommends remediating Track vulnerabilities within standard update timelines.", "trackStar": "(Track* in the SSVC spec) The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines."}}}}, "Build": {"name": "Build", "classes": {"Build": {"summary": "Class that describes a build instance of software/artifacts.", "description": "A build is a representation of the process in which a piece of software or artifact is built. It encapsulates information related to a build process and\nprovides an element from which relationships can be created to describe the build's inputs, outputs, and related entities (e.g. builders, identities, etc.).\n\nDefinitions of \"BuildType\", \"ConfigSource\", \"Parameters\" and \"Environment\" follow\nthose defined in [SLSA provenance](https://slsa.dev/provenance/v0.2).\n\nExternalIdentifier of type \"urlScheme\" may be used to identify build logs. In this case, the comment of the ExternalIdentifier should be \"LogReference\".\n\nNote that buildStart and buildEnd are optional, and may be omitted to simplify creating reproducible builds.", "metadata": {"name": "Build", "SubclassOf": "/Core/Element", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Build/Build"}, "properties": {"buildType": {"type": "xsd:anyURI", "minCount": "1", "maxCount": "1"}, "buildId": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}, "configSourceEntrypoint": {"type": "xsd:string", "minCount": "0", "maxCount": "*"}, "configSourceUri": {"type": "xsd:anyURI", "minCount": "0", "maxCount": "*"}, "configSourceDigest": {"type": "/Core/Hash", "minCount": "0", "maxCount": "*"}, "parameters": {"type": "/Core/DictionaryEntry", "minCount": "0", "maxCount": "*"}, "buildStartTime": {"type": "/Core/DateTime", "minCount": "0", "maxCount": "1"}, "buildEndTime": {"type": "/Core/DateTime", "minCount": "0", "maxCount": "1"}, "environment": {"type": "/Core/DictionaryEntry", "minCount": "0", "maxCount": "*"}}}}, "properties": {"buildStartTime": {"summary": "Property describing the start time of a build.", "description": "buildStartTime is the time at which a build is triggered. The builder typically records this value.", "metadata": {"name": "buildStartTime", "Nature": "DataProperty", "Range": "/Core/DateTime", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Build/buildStartTime", "Domain": ["Build"]}}, "configSourceUri": {"summary": "Property that describes the URI of the build configuration source file.", "description": "If a build configuration exists for the toolchain or platform performing the build, the configSourceUri of a build is the URI of that build configuration. For example, a build triggered by a GitHub action is defined by a build configuration YAML file. In this case, the configSourceUri is the URL of that YAML file. \nm", "metadata": {"name": "configSourceUri", "Nature": "DataProperty", "Range": "xsd:anyURI", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Build/configSourceUri", "Domain": ["Build"]}}, "buildEndTime": {"summary": "Property that describes the time at which a build stops.", "description": "buildEndTime describes the time at which a build stops or finishes. This value is typically recorded by the builder.", "metadata": {"name": "buildEndTime", "Nature": "DataProperty", "Range": "/Core/DateTime", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Build/buildEndTime", "Domain": ["Build"]}}, "parameters": {"summary": "Property describing the parameters used in an instance of a build.", "description": "parameters is a key-value map of all build parameters and their values that were provided to the builder for a build instance. This is different from the [environment](environment.md) property in that the keys and values are provided as command line arguments or a configuration file to the builder.", "metadata": {"name": "parameters", "Nature": "ObjectProperty", "Range": "/Core/DictionaryEntry", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Build/parameters", "Domain": ["Build"]}}, "environment": {"summary": "Property describing the session in which a build is invoked.", "description": "environment is a map of environment variables and values that are set during a build session. This is different from the [parameters](parameters.md) property in that it describes the environment variables set before a build is invoked rather than the variables provided to the builder.", "metadata": {"name": "environment", "Nature": "ObjectProperty", "Range": "/Core/DictionaryEntry", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Build/environment", "Domain": ["Build"]}}, "configSourceDigest": {"summary": "Property that describes the digest of the build configuration file used to invoke a build.", "description": "configSourceDigest is the checksum of the build configuration file used by a builder to execute a build. This Property uses the Core model's [Hash](../../Core/Classes/Hash.md) class.", "metadata": {"name": "configSourceDigest", "Nature": "ObjectProperty", "Range": "/Core/Hash", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Build/configSourceDigest", "Domain": ["Build"]}}, "configSourceEntrypoint": {"summary": "Property describes the invocation entrypoint of a build.", "description": "A build entrypoint is the invoked executable of a build which always runs when the build is triggered. For example, when a build is triggered by running a shell script, the entrypoint is `script.sh`. In terms of a declared build, the entrypoint is the position in a configuration file or a build declaration which is always run when the build is triggered. For example, in the following configuration file, the entrypoint of the build is `publish`.\n\n```\nname: Publish packages to PyPI\n\non:\ncreate:\ntags: \"*\"\n\njobs:\npublish:\nruns-on: ubuntu-latest\nif: startsWith(github.ref, 'refs/tags/')\nsteps:\n\n...\n```", "metadata": {"name": "configSourceEntrypoint", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Build/configSourceEntrypoint", "Domain": ["Build"]}}, "buildId": {"summary": "A buildId is a locally unique identifier used by a builder to identify a unique instance of a build produced by it.", "description": "A buildId is a locally unique identifier to identify a unique instance of a build. This identifier differs based on build toolchain, platform, or naming convention used by an organization or standard.", "metadata": {"name": "buildId", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Build/buildId", "Domain": ["Build"]}}, "buildType": {"summary": "A buildType is a hint that is used to indicate the toolchain, platform, or infrastructure that the build was invoked on.", "description": "A buildType is a URI expressing the toolchain, platform, or infrastructure that the build was invoked on. For example, if the build was invoked on GitHub's CI platform using github actions, the buildType can be expressed as `https://github.com/actions`. In contrast, if the build was invoked on a local machine, the buildType can be expressed as `file://username@host/path/to/build`.", "metadata": {"name": "buildType", "Nature": "DataProperty", "Range": "xsd:anyURI", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Build/buildType", "Domain": ["Build"]}}}, "vocabs": {}}, "Software": {"name": "Software", "classes": {"Package": {"summary": "Refers to any unit of content that can be associated with a distribution of software.", "description": "A package refers to any unit of content that can be associated with a distribution of software.\nTypically, a package is composed of one or more files. \nAny of the following non-limiting examples may be (but are not required to be) represented in SPDX as a package:\n\n - a tarball, zip file or other archive\n - a directory or sub-directory\n - a separately distributed piece of software which another Package or File uses or depends upon (e.g., a Python package, a Go module, ...)\n - a container image, and/or each image layer within a container image\n - a collection of one or more sub-packages\n - a Git repository snapshot from a particular point in time\n\nNote that some of these could be represented in SPDX as a file as well.\nExternal property restriction on /Core/Element/name: minCount: 1", "metadata": {"name": "Package", "SubclassOf": "/Software/SoftwareArtifact", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/Package"}, "properties": {"packageVersion": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}, "downloadLocation": {"type": "xsd:anyURI", "minCount": "0", "maxCount": "1"}, "packageUrl": {"type": "xsd:anyURI", "minCount": "0", "maxCount": "1"}, "homePage": {"type": "xsd:anyURI", "minCount": "0", "maxCount": "1"}, "sourceInfo": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}}}, "File": {"summary": "Refers to any object that stores content on a computer.", "description": "Refers to any object that stores content on a computer.\nThe type of content can optionally be provided in the contentType property.\nExternal property restriction on /Core/Element/name: minCount: 1", "metadata": {"name": "File", "SubclassOf": "/Software/SoftwareArtifact", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/File"}, "properties": {"contentType": {"type": "/Core/MediaType", "minCount": "0", "maxCount": "1"}}}, "Snippet": {"summary": "Describes a certain part of a file.", "description": "A Snippet describes a certain part of a file and can be used when the file is known to have some content\nthat has been included from another original source. Snippets are useful for denoting when part of a file\nmay have been originally created under another license or copied from a place with a known vulnerability.", "metadata": {"name": "Snippet", "SubclassOf": "/Software/SoftwareArtifact", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/Snippet"}, "properties": {"byteRange": {"type": "/Core/PositiveIntegerRange", "minCount": "0", "maxCount": "1"}, "lineRange": {"type": "/Core/PositiveIntegerRange", "minCount": "0", "maxCount": "1"}}}, "Sbom": {"summary": "A collection of SPDX Elements describing a single package.", "description": "A Software Bill of Materials (SBOM) is a collection of SPDX Elements describing a single package.\nThis could include details of the content and composition of the product,\nprovenance details of the product and/or\nits composition, licensing information, known quality or security issues, etc.", "metadata": {"name": "Sbom", "SubclassOf": "/Core/Bom", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/Sbom"}, "properties": {"sbomType": {"type": "SbomType", "minCount": "0", "maxCount": "*"}}}, "SoftwareArtifact": {"summary": "A distinct article or unit related to Software.", "description": "A software artifact is a distinct article or unit related to software\nsuch as a package, a file, or a snippet.", "metadata": {"name": "SoftwareArtifact", "SubclassOf": "/Core/Artifact", "Instantiability": "Abstract", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/SoftwareArtifact"}, "properties": {"contentIdentifier": {"type": "xsd:anyURI", "minCount": "0", "maxCount": "1"}, "primaryPurpose": {"type": "SoftwarePurpose", "minCount": "0", "maxCount": "1"}, "additionalPurpose": {"type": "SoftwarePurpose", "minCount": "0", "maxCount": "*"}, "concludedLicense": {"type": "/Licensing/AnyLicenseInfo", "minCount": "0", "maxCount": "1"}, "declaredLicense": {"type": "/Licensing/AnyLicenseInfo", "minCount": "0", "maxCount": "1"}, "copyrightText": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}, "attributionText": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}}}, "SoftwareDependencyRelationship": {"summary": "", "description": "TODO", "metadata": {"name": "SoftwareDependencyRelationship", "SubclassOf": "/Core/LifecycleScopedRelationship", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/SoftwareDependencyRelationship"}, "properties": {"softwareLinkage": {"type": "SoftwareDependencyLinkType", "minCount": "0", "maxCount": "1"}, "conditionality": {"type": "DependencyConditionalityType", "minCount": "0", "maxCount": "1"}}}}, "properties": {"lineRange": {"summary": "Defines the line range in the original host file that the snippet information applies to.", "description": "This field defines the line range in the original host file that the snippet information applies to.\nIf there is a disagreement between the byte range and line range, the byte range values will take precedence.\nA range of lines is a convenient reference for those files where there is a known line delimiter. \nThe choice was made to start the numbering of the lines at 1 to be consistent with the W3C pointer method vocabulary.", "metadata": {"name": "lineRange", "Nature": "DataProperty", "Range": "/Core/PositiveIntegerRange", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/lineRange", "Domain": ["Snippet"]}}, "primaryPurpose": {"summary": "Provides information about the primary purpose of the software artifact.", "description": "primaryPurpose provides information about the primary purpose of the software artifact.", "metadata": {"name": "primaryPurpose", "Nature": "ObjectProperty", "Range": "SoftwarePurpose", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/primaryPurpose", "Domain": ["SoftwareArtifact"]}}, "packageVersion": {"summary": "Identify the version of a package.", "description": "A packageVersion is useful for identification purposes and for indicating later changes of the package version.", "metadata": {"name": "packageVersion", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/packageVersion", "Domain": ["Package"]}}, "conditionality": {"summary": "TODO", "description": "A conditionality is TODO", "metadata": {"name": "conditionality", "Nature": "ObjectProperty", "Range": "DependencyConditionalityType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/conditionality", "Domain": ["SoftwareDependencyRelationship"]}}, "sbomType": {"summary": "Provides information about the type of an SBOM.", "description": "This field is a reasonable estimation of the type of SBOM created from a creator perspective.\nIt is intended to be used to give guidance on the elements that may be contained within it.\nAligning with the guidance produced in [Types of Software Bill of Material (SBOM) Documents](https://www.cisa.gov/sites/default/files/2023-04/sbom-types-document-508c.pdf).", "metadata": {"name": "sbomType", "Nature": "ObjectProperty", "Range": "SbomType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/sbomType", "Domain": ["Sbom"]}}, "concludedLicense": {"summary": "Identifies the license that that SPDX data creator has concluded as governing\nthe software Package, File or Snippet.", "description": "A concludedLicense is the license identified by the SPDX data creator,\nbased on analyzing the license information in the software Package, File\nor Snippet and other information to arrive at a reasonably objective\nconclusion as to what license governs it.\n\nIf a concludedLicense has a NONE value (NoneLicense), this indicates that the\nSPDX data creator has looked and did not find any license information for this\nsoftware Package, File or Snippet.\n\nIf a concludedLicense has a NOASSERTION value (NoAssertionLicense), this\nindicates that one of the following applies:\n* the SPDX data creator has attempted to but cannot reach a reasonable\n objective determination;\n* the SPDX data creator has made no attempt to determine this field; or\n* the SPDX data creator has intentionally provided no information (no\n meaning should be implied by doing so).\n\nA written explanation of a NOASSERTION value (NoAssertionLicense) MAY be\nprovided in the licenseComment field.\n\nIf the concludedLicense for a software Package, File or Snippet is not the\nsame as its declaredLicense, a written explanation SHOULD be provided in\nthe licenseComment field.\n\nIf the declaredLicense for a software Package, File or Snippet is a choice\nof more than one license (e.g. a license expression combining two licenses\nthrough use of the `OR` operator), then the concludedLicense may either\nretain the license choice or identify which license was chosen.", "metadata": {"name": "concludedLicense", "Nature": "ObjectProperty", "Range": "/Licensing/AnyLicenseInfo", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/concludedLicense", "Domain": ["SoftwareArtifact"]}}, "sourceInfo": {"summary": "Records any relevant background information or additional comments\nabout the origin of the package.", "description": "SourceInfo records any relevant background information or additional comments\nabout the origin of the package. For example, this field might include comments \nindicating whether the package was pulled from a source code management system \nor has been repackaged. The creator can provide additional information to describe\nany anomalies or discoveries in the determination of the origin of the package.", "metadata": {"name": "sourceInfo", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/sourceInfo", "Domain": ["Package"]}}, "contentType": {"summary": "Provides information about the content type of an Element.", "description": "This field is a reasonable estimation of the content type of the Element, from a creator perspective.\nContent type is intrinsic to the Element, independent of how the Element is being used.", "metadata": {"name": "contentType", "Nature": "DataProperty", "Range": "/Core/MediaType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/contentType", "Domain": ["File"]}}, "declaredLicense": {"summary": "Identifies the license information actually found in the software Package,\nFile or Snippet, for example as detected by use of automated tooling.", "description": "A declaredLicense is the license identified in text in the software package,\nfile or snippet as the license declared by its authors.\n\nThis field is not intended to capture license information obtained from an\nexternal source, such as a package's website. Such information can be\nincluded, as needed, in a concludedLicense field.\n\nA declaredLicense may be expressed differently in practice for different\ntypes of artifacts. For example:\n\n* for Packages:\n * would include license info describing the license of the Package as a\n whole, when it is found in the Package itself (e.g., LICENSE file,\n README file, metadata in the repository, etc.)\n * would not include any license information that is not in the Package\n itself (e.g., license information from the project\u2019s website or from a\n third party repository or website)\n* for Files:\n * would include license info found in the File itself (e.g., license\n header or notice, comments, SPDX-License-Identifier expression)\n * would not include license info found in a different file (e.g., LICENSE\n file in the top directory of a repository)\n* for Snippets:\n * would include license info found in the Snippet itself (e.g., license\n notice, comments, SPDX-License-Identifier expression)\n * would not include license info found elsewhere in the File or in a\n different File (e.g., comment at top of File if it is not within the\n Snippet, LICENSE file in the top directory of a repository)\n\nIf a declaredLicense has a NONE value (NoneLicense), this indicates that the\ncorresponding Package, File or Snippet contains no license information\nwhatsoever.\n\nIf a declaredLicense has a NOASSERTION value (NoAssertionLicense), this\nindicates that one of the following applies:\n* the SPDX data creator has attempted to but cannot reach a reasonable\n objective determination;\n* the SPDX data creator has made no attempt to determine this field; or\n* the SPDX data creator has intentionally provided no information (no meaning\n should be implied by doing so).", "metadata": {"name": "declaredLicense", "Nature": "ObjectProperty", "Range": "/Licensing/AnyLicenseInfo", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/declaredLicense", "Domain": ["SoftwareArtifact"]}}, "additionalPurpose": {"summary": "Provides additional purpose information of the software artifact.", "description": "Additional purpose provides information about the additional purposes of the software artifact in addition to the primaryPurpose.", "metadata": {"name": "additionalPurpose", "Nature": "ObjectProperty", "Range": "SoftwarePurpose", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/additionalPurpose", "Domain": ["SoftwareArtifact"]}}, "attributionText": {"summary": "Provides a place for the SPDX data creator to record acknowledgement text for\na software Package, File or Snippet.", "description": "An attributionText for a software Package, File or Snippet provides a consumer\nof SPDX data with acknowledgement content, to assist redistributors of the\nPackage, File or Snippet with reproducing those acknowledgements.\n\nFor example, this field may include a statement that is required by a\nparticular license to be reproduced in end-user documentation, advertising\nmaterials, or another form.\n\nThis field may describe where, or in which contexts, the acknowledgements\nneed to be reproduced, but it is not required to do so. The SPDX data creator\nmay also explain elsewhere (such as in a licenseComment field) how they intend\nfor data in this field to be used.\n\nAn attributionText is is not meant to include the software Package, File or\nSnippet\u2019s actual complete license text (see concludedLicense to identify the\ncorresponding license).", "metadata": {"name": "attributionText", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/attributionText", "Domain": ["SoftwareArtifact"]}}, "homePage": {"summary": "A place for the SPDX document creator to record a website that serves as the package's home page.", "description": "HomePage is a place for the SPDX document creator to record a website that serves as the package's home page.\nThis saves the recipient of the SPDX document who is looking for more info from\nhaving to search for and verify a match between the package and the associated project home page.\nThis link can also be used to reference further information about the package\nreferenced by the SPDX document creator.", "metadata": {"name": "homePage", "Nature": "DataProperty", "Range": "xsd:anyURI", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/homePage", "Domain": ["Package"]}}, "contentIdentifier": {"summary": "Provides a place to record the canonical, unique, immutable identifier for each software artifact using the artifact's gitoid.", "description": "The contentIdentifier provides a canonical, unique, immutable artifact identifier for each software artifact. SPDX 3.0 describes software artifacts as Snippet, File, or Package Elements. The ContentIdentifier can be calculated for any software artifact and can be recorded for any of these SPDX 3.0 Elements using Omnibor, an attempt to standardize how software artifacts are identified independent of which programming language, version control system, build tool, package manager, or software distribution mechanism is in use. \n\nThe contentIdentifier is defined as the [Git Object Identifier](https://git-scm.com/book/en/v2/Git-Internals-Git-Objects) (gitoid) of type `blob` of the software artifact. The use of a git-based version control system is not necessary to calculate a contentIdentifier for any software artifact.\n\nThe gitoid is expressed in the ContentIdentifier property by using the IANA [gitoid URI scheme](https://www.iana.org/assignments/uri-schemes/prov/gitoid).\n\n```\nScheme syntax: gitoid\":\"\":\"\":\"\n```\n\nThe OmniBOR ID for the OmniBOR Document associated with a software artifact should not be recorded in this field. Rather, OmniBOR IDs should be recorded in the SPDX Element's ExternalIdentifier property. See [https://omnibor.io](https://omnibor.io) for more details.", "metadata": {"name": "contentIdentifier", "Nature": "DataProperty", "Range": "xsd:anyURI", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/contentIdentifier", "Domain": ["SoftwareArtifact"]}}, "copyrightText": {"summary": "Identifies the text of one or more copyright notices for a software Package,\nFile or Snippet, if any.", "description": "A copyrightText consists of the text(s) of the copyright notice(s) found\nfor a software Package, File or Snippet, if any.\n\nIf a copyrightText contains text, then it may contain any text related to\none or more copyright notices (even if not complete) for that software\nPackage, File or Snippet.\n\nIf a copyrightText has a \"NONE\" value, this indicates that the software\nPackage, File or Snippet contains no copyright notice whatsoever.\n\nIf a copyrightText has a \"NOASSERTION\" value, this indicates that one of the\nfollowing applies:\n* the SPDX data creator has attempted to but cannot reach a reasonable\n objective determination;\n* the SPDX data creator has made no attempt to determine this field; or\n* the SPDX data creator has intentionally provided no information (no\n meaning should be implied by doing so).", "metadata": {"name": "copyrightText", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/copyrightText", "Domain": ["SoftwareArtifact"]}}, "packageUrl": {"summary": "Provides a place for the SPDX data creator to record the package URL string (in accordance with the [package URL spec](https://github.com/package-url/purl-spec/blob/master/PURL-SPECIFICATION.rst)) for a software Package.", "description": "A packageUrl (commonly pronounced and referred to as \"purl\") is an attempt to standardize package representations in order to reliably identify and locate software packages. A purl is a URL string which represents a package in a mostly universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs and databases.\n\nthe purl URL string is defined by seven components:\n```\nscheme:type/namespace/name@version?qualifiers#subpath\n```\n\nThe definition for each component can be found in the [purl specification](https://github.com/package-url/purl-spec/blob/master/PURL-SPECIFICATION.rst). Components are designed such that they form a hierarchy from the most significant on the left to the least significant components on the right. \n\nParsing a purl string into its components works from left to right. Some extra type-specific normalizations are required. For more information, see [How to parse a purl string in its components](https://github.com/package-url/purl-spec/blob/master/PURL-SPECIFICATION.rst#how-to-parse-a-purl-string-in-its-components).", "metadata": {"name": "packageUrl", "Nature": "DataProperty", "Range": "xsd:anyURI", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/packageUrl", "Domain": ["Package"]}}, "byteRange": {"summary": "Defines the byte range in the original host file that the snippet information applies to.", "description": "This field defines the byte range in the original host file that the snippet information applies to.\nA range of bytes is independent of various formatting concerns, and the most accurate way \nof referring to the differences. The choice was made to start the numbering of \nthe byte range at 1 to be consistent with the W3C pointer method vocabulary.", "metadata": {"name": "byteRange", "Nature": "DataProperty", "Range": "/Core/PositiveIntegerRange", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/byteRange", "Domain": ["Snippet"]}}, "softwareLinkage": {"summary": "TODO", "description": "A softwareLinkage is TODO", "metadata": {"name": "softwareLinkage", "Nature": "ObjectProperty", "Range": "SoftwareDependencyLinkType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/softwareLinkage", "Domain": ["SoftwareDependencyRelationship"]}}, "downloadLocation": {"summary": "Identifies the download Uniform Resource Identifier for the package at the time that the document was created.", "description": "DownloadLocation identifies the download Uniform Resource Identifier \nfor the package at the time that the document was created.\nWhere and how to download the exact package being referenced \nis critical for verification and tracking data.", "metadata": {"name": "downloadLocation", "Nature": "DataProperty", "Range": "xsd:anyURI", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/downloadLocation", "Domain": ["Package"]}}}, "vocabs": {"DependencyConditionalityType": {"summary": "TODO", "description": "TODO", "metadata": {"name": "DependencyConditionalityType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/DependencyConditionalityType"}, "entries": {"optional": "TODOdescription", "required": "TODOdescription", "provided": "TODOdescription", "prerequisite": "TODOdescription", "other": "TODOdescription"}}, "SoftwarePurpose": {"summary": "Provides information about the primary purpose of an Element.", "description": "This field provides information about the primary purpose of an Element.\nSoftware Purpose is intrinsic to how the Element is being used rather than the content of the Element.\nThis field is a reasonable estimate of the most likely usage of the Element\nfrom the producer and consumer perspective from which both parties can draw conclusions\nabout the context in which the Element exists.", "metadata": {"name": "SoftwarePurpose", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose"}, "entries": {"application": "the Element is a software application", "archive": "the Element is an archived collection of one or more files (.tar, .zip, etc)", "bom": "Element is a bill of materials", "configuration": "Element is configuration data", "container": "the Element is a container image which can be used by a container runtime application", "data": "Element is data", "device": "the Element refers to a chipset, processor, or electronic board", "documentation": "Element is documentation", "evidence": "the Element is the evidence that a specification or requirement has been fulfilled", "executable": "Element is an Artifact that can be run on a computer", "file": "the Element is a single file which can be independently distributed (configuration file, statically linked binary, Kubernetes deployment, etc)", "firmware": "the Element provides low level control over a device's hardware", "framework": "the Element is a software framework", "install": "the Element is used to install software on disk", "library": "the Element is a software library", "manifest": "the Element is a software manifest", "model": "the Element is a machine learning or artificial intelligence model", "module": "the Element is a module of a piece of software", "operatingSystem": "the Element is an operating system", "other": "the Element doesn't fit into any of the other categories", "patch": "Element contains a set of changes to update, fix, or improve another Element", "requirement": "the Element provides a requirement needed as input for another Element", "source": "the Element is a single or a collection of source files", "specification": "the Element is a plan, guideline or strategy how to create, perform or analyse an application", "test": "The Element is a test used to verify functionality on an software element"}}, "SoftwareDependencyLinkType": {"summary": "TODO", "description": "TODO", "metadata": {"name": "SoftwareDependencyLinkType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/SoftwareDependencyLinkType"}, "entries": {"static": "TODOdescription", "dynamic": "TODOdescription", "tool": "TODOdescription", "other": "TODOdescription"}}, "SbomType": {"summary": "Provides a set of values to be used to describe the common types of SBOMs that tools may create.", "description": "The set of SBOM types with definitions as defined in [Types of Software Bill of Material (SBOM) Documents](https://www.cisa.gov/sites/default/files/2023-04/sbom-types-document-508c.pdf), published on April 21, 2023. \nAn SBOM type describes the most likely type of an SBOM from the producer perspective, so that consumers can draw conclusions about the data inside an SBOM. A single SBOM can have multiple SBOM document types associated with it.", "metadata": {"name": "SbomType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/SbomType"}, "entries": {"design": "SBOM of intended, planned software project or product with included components (some of which may not yet exist) for a new software artifact.", "source": "SBOM created directly from the development environment, source files, and included dependencies used to build an product artifact.", "build": "SBOM generated as part of the process of building the software to create a releasable artifact (e.g., executable or package) from data such as source files, dependencies, built components, build process ephemeral data, and other SBOMs.", "deployed": "SBOM provides an inventory of software that is present on a system. This may be an assembly of other SBOMs that combines analysis of configuration options, and examination of execution behavior in a (potentially simulated) deployment environment.", "runtime": "SBOM generated through instrumenting the system running the software, to capture only components present in the system, as well as external call-outs or dynamically loaded components. In some contexts, this may also be referred to as an \u201cInstrumented\u201d or \u201cDynamic\u201d SBOM.", "analyzed": "SBOM generated through analysis of artifacts (e.g., executables, packages, containers, and virtual machine images) after its build. Such analysis generally requires a variety of heuristics. In some contexts, this may also be referred to as a \u201c3rd party\u201d SBOM."}}}}} \ No newline at end of file From 7e0c088f0d2480cec2f310e1a6e4fab71a60054f Mon Sep 17 00:00:00 2001 From: Holger Frydrych Date: Wed, 26 Jul 2023 15:01:21 +0200 Subject: [PATCH 20/33] Deal with dashes in camel case names during conversion to snake case to fix output for DatsetAvailabilityType Signed-off-by: Holger Frydrych --- src/spdx_tools/spdx/casing_tools.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/spdx_tools/spdx/casing_tools.py b/src/spdx_tools/spdx/casing_tools.py index c143cfd45..24a8b92e4 100644 --- a/src/spdx_tools/spdx/casing_tools.py +++ b/src/spdx_tools/spdx/casing_tools.py @@ -10,5 +10,5 @@ def snake_case_to_camel_case(snake_case_string: str) -> str: def camel_case_to_snake_case(camel_case_string: str) -> str: - snake_case_string = sub("(?!^)([A-Z]+)", r"_\1", camel_case_string).lower() + snake_case_string = sub("(?!^)-?([A-Z]+)", r"_\1", camel_case_string).lower() return snake_case_string From 130570446c5d6ee6292107676f5b1c29743d783c Mon Sep 17 00:00:00 2001 From: Holger Frydrych Date: Wed, 26 Jul 2023 15:01:56 +0200 Subject: [PATCH 21/33] Update generated model files Signed-off-by: Holger Frydrych --- .../spdx3/new_model/ai/ai_package.py | 29 +++++++-------- src/spdx_tools/spdx3/new_model/build/build.py | 19 +++++----- .../spdx3/new_model/core/__init__.py | 5 --- src/spdx_tools/spdx3/new_model/core/agent.py | 3 +- .../spdx3/new_model/core/annotation.py | 13 +++---- .../spdx3/new_model/core/artifact.py | 4 +-- src/spdx_tools/spdx3/new_model/core/bom.py | 11 +++--- src/spdx_tools/spdx3/new_model/core/bundle.py | 11 +++--- .../spdx3/new_model/core/creation_info.py | 9 ++--- .../spdx3/new_model/core/date_time.py | 22 ------------ .../spdx3/new_model/core/dictionary_entry.py | 36 ------------------- .../spdx3/new_model/core/element.py | 2 +- .../new_model/core/element_collection.py | 10 ++---- .../new_model/core/external_reference.py | 6 ++-- .../core/lifecycle_scoped_relationship.py | 7 ++-- .../spdx3/new_model/core/media_type.py | 22 ------------ .../spdx3/new_model/core/namespace_map.py | 32 ----------------- .../spdx3/new_model/core/organization.py | 3 +- src/spdx_tools/spdx3/new_model/core/person.py | 3 +- .../new_model/core/positive_integer_range.py | 8 ++--- .../spdx3/new_model/core/relationship.py | 11 +++--- .../spdx3/new_model/core/sem_ver.py | 22 ------------ .../spdx3/new_model/core/software_agent.py | 3 +- .../spdx3/new_model/core/spdx_document.py | 11 +++--- src/spdx_tools/spdx3/new_model/core/tool.py | 3 +- .../spdx3/new_model/dataset/dataset.py | 21 +++++------ .../dataset/dataset_availability_type.py | 12 +++---- .../conjunctive_license_set.py | 3 +- .../disjunctive_license_set.py | 3 +- .../new_model/licensing/custom_license.py | 6 ++-- .../licensing/custom_license_addition.py | 5 +-- .../spdx3/new_model/licensing/license.py | 6 ++-- .../new_model/licensing/license_addition.py | 2 +- .../new_model/licensing/license_expression.py | 3 +- .../new_model/licensing/listed_license.py | 6 ++-- .../licensing/listed_license_exception.py | 5 +-- .../new_model/licensing/or_later_operator.py | 4 --- .../licensing/with_addition_operator.py | 10 ++---- .../cvss_v2_vuln_assessment_relationship.py | 15 ++++---- .../cvss_v3_vuln_assessment_relationship.py | 15 ++++---- .../epss_vuln_assessment_relationship.py | 15 ++++---- ...it_catalog_vuln_assessment_relationship.py | 15 ++++---- .../ssvc_vuln_assessment_relationship.py | 11 +++--- ...x_affected_vuln_assessment_relationship.py | 11 +++--- .../vex_fixed_vuln_assessment_relationship.py | 11 +++--- ...t_affected_vuln_assessment_relationship.py | 11 +++--- ...estigation_vuln_assessment_relationship.py | 11 +++--- .../security/vuln_assessment_relationship.py | 4 +-- .../spdx3/new_model/security/vulnerability.py | 3 +- .../spdx3/new_model/software/file.py | 13 +++---- .../spdx3/new_model/software/package.py | 7 ++-- .../spdx3/new_model/software/sbom.py | 11 +++--- .../spdx3/new_model/software/snippet.py | 7 ++-- .../software_dependency_relationship.py | 7 ++-- 54 files changed, 216 insertions(+), 342 deletions(-) delete mode 100644 src/spdx_tools/spdx3/new_model/core/date_time.py delete mode 100644 src/spdx_tools/spdx3/new_model/core/dictionary_entry.py delete mode 100644 src/spdx_tools/spdx3/new_model/core/media_type.py delete mode 100644 src/spdx_tools/spdx3/new_model/core/namespace_map.py delete mode 100644 src/spdx_tools/spdx3/new_model/core/sem_ver.py diff --git a/src/spdx_tools/spdx3/new_model/ai/ai_package.py b/src/spdx_tools/spdx3/new_model/ai/ai_package.py index 2b0996d81..901528eeb 100644 --- a/src/spdx_tools/spdx3/new_model/ai/ai_package.py +++ b/src/spdx_tools/spdx3/new_model/ai/ai_package.py @@ -4,10 +4,10 @@ # Do not manually edit! from ..ai import PresenceType, SafetyRiskAssessmentType -from ..core import Agent, CreationInfo, DictionaryEntry, ExternalIdentifier, ExternalReference, IntegrityMethod +from ..core import Agent, CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod from ..licensing import AnyLicenseInfo from ..software import Package, SoftwarePurpose -from beartype.typing import List, Optional +from beartype.typing import Dict, List, Optional from dataclasses import field from datetime import datetime from spdx_tools.common.typing.type_checks import check_types_and_set_values @@ -56,7 +56,7 @@ class AIPackage(Package): InformationAboutApplication describes any relevant information in free form text about how the AI model is used inside the software, as well as any relevant pre-processing steps, third party APIs etc. """ - hyperparameter: List[DictionaryEntry] = field(default_factory=list) + hyperparameter: Dict[str, Optional[str]] = field(default_factory=list) """ This field records a hyperparameter value. Hyperparameters are parameters of the machine learning model that are used to control the learning process, for example the optimization and learning rate used during the training of the @@ -77,13 +77,13 @@ class AIPackage(Package): SensitivePersonalInformation notes if sensitive personal information is used in the training or inference of the AI models. This might include biometric data, addresses or other data that can be used to infer a person's identity. """ - metric_decision_threshold: List[DictionaryEntry] = field(default_factory=list) + metric_decision_threshold: Dict[str, Optional[str]] = field(default_factory=list) """ Each metric might be computed based on a decision threshold. For instance, precision or recall is typically computed by checking if the probability of the outcome is larger than 0.5. Each decision threshold should match with a metric field defined in the AI Package. """ - metric: List[DictionaryEntry] = field(default_factory=list) + metric: Dict[str, Optional[str]] = field(default_factory=list) """ Metric records the measurement with which the AI model was evaluated. This makes statements about the prediction quality including uncertainty, accuracy, characteristics of the tested population, quality, fairness, @@ -116,9 +116,9 @@ def __init__( verified_using: List[IntegrityMethod] = None, external_reference: List[ExternalReference] = None, external_identifier: List[ExternalIdentifier] = None, - extension: Optional[str] = None, - originated_by: List[Agent] = None, - supplied_by: List[Agent] = None, + extension: List[str] = None, + originated_by: List[str] = None, + supplied_by: List[str] = None, built_time: Optional[datetime] = None, release_time: Optional[datetime] = None, valid_until_time: Optional[datetime] = None, @@ -141,12 +141,12 @@ def __init__( type_of_model: List[str] = None, information_about_training: Optional[str] = None, information_about_application: Optional[str] = None, - hyperparameter: List[DictionaryEntry] = None, + hyperparameter: Dict[str, Optional[str]] = None, model_data_preprocessing: List[str] = None, model_explainability: List[str] = None, sensitive_personal_information: Optional[PresenceType] = None, - metric_decision_threshold: List[DictionaryEntry] = None, - metric: List[DictionaryEntry] = None, + metric_decision_threshold: Dict[str, Optional[str]] = None, + metric: Dict[str, Optional[str]] = None, domain: List[str] = None, autonomy_type: Optional[PresenceType] = None, safety_risk_assessment: Optional[SafetyRiskAssessmentType] = None, @@ -154,16 +154,17 @@ def __init__( verified_using = [] if verified_using is None else verified_using external_reference = [] if external_reference is None else external_reference external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension originated_by = [] if originated_by is None else originated_by supplied_by = [] if supplied_by is None else supplied_by standard = [] if standard is None else standard additional_purpose = [] if additional_purpose is None else additional_purpose standard_compliance = [] if standard_compliance is None else standard_compliance type_of_model = [] if type_of_model is None else type_of_model - hyperparameter = [] if hyperparameter is None else hyperparameter + hyperparameter = {} if hyperparameter is None else hyperparameter model_data_preprocessing = [] if model_data_preprocessing is None else model_data_preprocessing model_explainability = [] if model_explainability is None else model_explainability - metric_decision_threshold = [] if metric_decision_threshold is None else metric_decision_threshold - metric = [] if metric is None else metric + metric_decision_threshold = {} if metric_decision_threshold is None else metric_decision_threshold + metric = {} if metric is None else metric domain = [] if domain is None else domain check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/build/build.py b/src/spdx_tools/spdx3/new_model/build/build.py index 78bbc5421..c51f38b47 100644 --- a/src/spdx_tools/spdx3/new_model/build/build.py +++ b/src/spdx_tools/spdx3/new_model/build/build.py @@ -3,8 +3,8 @@ # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! -from ..core import CreationInfo, DictionaryEntry, Element, ExternalIdentifier, ExternalReference, Hash, IntegrityMethod -from beartype.typing import List, Optional +from ..core import CreationInfo, Element, ExternalIdentifier, ExternalReference, Hash, IntegrityMethod +from beartype.typing import Dict, List, Optional from dataclasses import field from datetime import datetime from spdx_tools.common.typing.type_checks import check_types_and_set_values @@ -73,7 +73,7 @@ class Build(Element): configSourceDigest is the checksum of the build configuration file used by a builder to execute a build. This Property uses the Core model's [Hash](../../Core/Classes/Hash.md) class. """ - parameters: List[DictionaryEntry] = field(default_factory=list) + parameters: Dict[str, Optional[str]] = field(default_factory=list) """ parameters is a key-value map of all build parameters and their values that were provided to the builder for a build instance. This is different from the [environment](environment.md) property in that the keys and values are provided @@ -87,7 +87,7 @@ class Build(Element): """ buildEndTime describes the time at which a build stops or finishes. This value is typically recorded by the builder. """ - environment: List[DictionaryEntry] = field(default_factory=list) + environment: Dict[str, Optional[str]] = field(default_factory=list) """ environment is a map of environment variables and values that are set during a build session. This is different from the [parameters](parameters.md) property in that it describes the environment variables set before a build is @@ -106,22 +106,23 @@ def __init__( verified_using: List[IntegrityMethod] = None, external_reference: List[ExternalReference] = None, external_identifier: List[ExternalIdentifier] = None, - extension: Optional[str] = None, + extension: List[str] = None, build_id: Optional[str] = None, config_source_entrypoint: List[str] = None, config_source_uri: List[str] = None, config_source_digest: List[Hash] = None, - parameters: List[DictionaryEntry] = None, + parameters: Dict[str, Optional[str]] = None, build_start_time: Optional[datetime] = None, build_end_time: Optional[datetime] = None, - environment: List[DictionaryEntry] = None, + environment: Dict[str, Optional[str]] = None, ): verified_using = [] if verified_using is None else verified_using external_reference = [] if external_reference is None else external_reference external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension config_source_entrypoint = [] if config_source_entrypoint is None else config_source_entrypoint config_source_uri = [] if config_source_uri is None else config_source_uri config_source_digest = [] if config_source_digest is None else config_source_digest - parameters = [] if parameters is None else parameters - environment = [] if environment is None else environment + parameters = {} if parameters is None else parameters + environment = {} if environment is None else environment check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/__init__.py b/src/spdx_tools/spdx3/new_model/core/__init__.py index b682c9784..00d33021f 100644 --- a/src/spdx_tools/spdx3/new_model/core/__init__.py +++ b/src/spdx_tools/spdx3/new_model/core/__init__.py @@ -10,8 +10,6 @@ from .bom import Bom from .bundle import Bundle from .creation_info import CreationInfo -from .date_time import DateTime -from .dictionary_entry import DictionaryEntry from .element import Element from .element_collection import ElementCollection from .external_identifier import ExternalIdentifier @@ -24,8 +22,6 @@ from .integrity_method import IntegrityMethod from .lifecycle_scope_type import LifecycleScopeType from .lifecycle_scoped_relationship import LifecycleScopedRelationship -from .media_type import MediaType -from .namespace_map import NamespaceMap from .organization import Organization from .person import Person from .positive_integer_range import PositiveIntegerRange @@ -33,7 +29,6 @@ from .relationship import Relationship from .relationship_completeness import RelationshipCompleteness from .relationship_type import RelationshipType -from .sem_ver import SemVer from .software_agent import SoftwareAgent from .spdx_document import SpdxDocument from .tool import Tool diff --git a/src/spdx_tools/spdx3/new_model/core/agent.py b/src/spdx_tools/spdx3/new_model/core/agent.py index 166f5d097..877dea01c 100644 --- a/src/spdx_tools/spdx3/new_model/core/agent.py +++ b/src/spdx_tools/spdx3/new_model/core/agent.py @@ -28,9 +28,10 @@ def __init__( verified_using: List[IntegrityMethod] = None, external_reference: List[ExternalReference] = None, external_identifier: List[ExternalIdentifier] = None, - extension: Optional[str] = None, + extension: List[str] = None, ): verified_using = [] if verified_using is None else verified_using external_reference = [] if external_reference is None else external_reference external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/annotation.py b/src/spdx_tools/spdx3/new_model/core/annotation.py index 4a3add41a..1fb307c75 100644 --- a/src/spdx_tools/spdx3/new_model/core/annotation.py +++ b/src/spdx_tools/spdx3/new_model/core/annotation.py @@ -3,7 +3,7 @@ # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! -from ..core import AnnotationType, CreationInfo, Element, ExternalIdentifier, ExternalReference, IntegrityMethod, MediaType +from ..core import AnnotationType, CreationInfo, Element, ExternalIdentifier, ExternalReference, IntegrityMethod from beartype.typing import List, Optional from dataclasses import field from spdx_tools.common.typing.type_checks import check_types_and_set_values @@ -20,7 +20,7 @@ class Annotation(Element): """ An annotationType describes the type of an annotation. """ - content_type: List[MediaType] = field(default_factory=list) + content_type: List[str] = field(default_factory=list) """ ContentType specifies the media type of an Element. """ @@ -28,7 +28,7 @@ class Annotation(Element): """ A statement is a commentary on an assertion that an annotator has made. """ - subject: Element + subject: str """ A subject is an Element an annotator has made an assertion about. """ @@ -38,7 +38,7 @@ def __init__( spdx_id: str, creation_info: CreationInfo, annotation_type: AnnotationType, - subject: Element, + subject: str, name: Optional[str] = None, summary: Optional[str] = None, description: Optional[str] = None, @@ -46,12 +46,13 @@ def __init__( verified_using: List[IntegrityMethod] = None, external_reference: List[ExternalReference] = None, external_identifier: List[ExternalIdentifier] = None, - extension: Optional[str] = None, - content_type: List[MediaType] = None, + extension: List[str] = None, + content_type: List[str] = None, statement: Optional[str] = None, ): verified_using = [] if verified_using is None else verified_using external_reference = [] if external_reference is None else external_reference external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension content_type = [] if content_type is None else content_type check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/artifact.py b/src/spdx_tools/spdx3/new_model/core/artifact.py index 30eed93ba..197eb3f4f 100644 --- a/src/spdx_tools/spdx3/new_model/core/artifact.py +++ b/src/spdx_tools/spdx3/new_model/core/artifact.py @@ -18,11 +18,11 @@ class Artifact(Element): An artifact is a distinct article or unit within the digital domain, such as an electronic file, a software package, a device or an element of data. """ - originated_by: List[Agent] = field(default_factory=list) + originated_by: List[str] = field(default_factory=list) """ OriginatedBy identifies from where or whom the Element originally came. """ - supplied_by: List[Agent] = field(default_factory=list) + supplied_by: List[str] = field(default_factory=list) """ Identify the actual distribution source for the Artifact being referenced. This might or might not be different from the originating distribution source for the artifact. diff --git a/src/spdx_tools/spdx3/new_model/core/bom.py b/src/spdx_tools/spdx3/new_model/core/bom.py index 708f04e31..976b4c7ef 100644 --- a/src/spdx_tools/spdx3/new_model/core/bom.py +++ b/src/spdx_tools/spdx3/new_model/core/bom.py @@ -3,7 +3,7 @@ # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! -from ..core import Bundle, CreationInfo, Element, ExternalIdentifier, ExternalMap, ExternalReference, IntegrityMethod, NamespaceMap +from ..core import Bundle, CreationInfo, Element, ExternalIdentifier, ExternalMap, ExternalReference, IntegrityMethod from beartype.typing import List, Optional from spdx_tools.common.typing.type_checks import check_types_and_set_values @@ -22,8 +22,8 @@ def __init__( self, spdx_id: str, creation_info: CreationInfo, - element: List[Element], - root_element: List[Element], + element: List[str], + root_element: List[str], name: Optional[str] = None, summary: Optional[str] = None, description: Optional[str] = None, @@ -31,14 +31,13 @@ def __init__( verified_using: List[IntegrityMethod] = None, external_reference: List[ExternalReference] = None, external_identifier: List[ExternalIdentifier] = None, - extension: Optional[str] = None, - namespaces: List[NamespaceMap] = None, + extension: List[str] = None, imports: List[ExternalMap] = None, context: Optional[str] = None, ): verified_using = [] if verified_using is None else verified_using external_reference = [] if external_reference is None else external_reference external_identifier = [] if external_identifier is None else external_identifier - namespaces = [] if namespaces is None else namespaces + extension = [] if extension is None else extension imports = [] if imports is None else imports check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/bundle.py b/src/spdx_tools/spdx3/new_model/core/bundle.py index 4c79fa8c7..d2e68c087 100644 --- a/src/spdx_tools/spdx3/new_model/core/bundle.py +++ b/src/spdx_tools/spdx3/new_model/core/bundle.py @@ -3,7 +3,7 @@ # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! -from ..core import CreationInfo, Element, ElementCollection, ExternalIdentifier, ExternalMap, ExternalReference, IntegrityMethod, NamespaceMap +from ..core import CreationInfo, Element, ElementCollection, ExternalIdentifier, ExternalMap, ExternalReference, IntegrityMethod from beartype.typing import List, Optional from spdx_tools.common.typing.type_checks import check_types_and_set_values @@ -25,8 +25,8 @@ def __init__( self, spdx_id: str, creation_info: CreationInfo, - element: List[Element], - root_element: List[Element], + element: List[str], + root_element: List[str], name: Optional[str] = None, summary: Optional[str] = None, description: Optional[str] = None, @@ -34,14 +34,13 @@ def __init__( verified_using: List[IntegrityMethod] = None, external_reference: List[ExternalReference] = None, external_identifier: List[ExternalIdentifier] = None, - extension: Optional[str] = None, - namespaces: List[NamespaceMap] = None, + extension: List[str] = None, imports: List[ExternalMap] = None, context: Optional[str] = None, ): verified_using = [] if verified_using is None else verified_using external_reference = [] if external_reference is None else external_reference external_identifier = [] if external_identifier is None else external_identifier - namespaces = [] if namespaces is None else namespaces + extension = [] if extension is None else extension imports = [] if imports is None else imports check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/creation_info.py b/src/spdx_tools/spdx3/new_model/core/creation_info.py index 859328698..8f65ba542 100644 --- a/src/spdx_tools/spdx3/new_model/core/creation_info.py +++ b/src/spdx_tools/spdx3/new_model/core/creation_info.py @@ -8,6 +8,7 @@ from beartype.typing import List, Optional from dataclasses import field from datetime import datetime +from semantic_version import Version from spdx_tools.common.typing.type_checks import check_types_and_set_values from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties @@ -21,7 +22,7 @@ class CreationInfo(ABC): The dateTime created is often the date of last change (e.g., a git commit date), not the date when the SPDX data was created, as doing so supports reproducible builds. """ - spec_version: Optional[str] = None + spec_version: Version """ The specVersion provides a reference number that can be used to understand how to parse and interpret an Element. It will enable both future changes to the specification and to support backward compatibility. The major version number @@ -42,7 +43,7 @@ class CreationInfo(ABC): as to whether the analysis needs to be updated. This is often the date of last change (e.g., a git commit date), not the date when the SPDX data was created, as doing so supports reproducible builds. """ - created_by: List[Agent] = field(default_factory=list) + created_by: List[str] = field(default_factory=list) """ CreatedBy identifies who or what created the Element. The generation method will assist the recipient of the Element in assessing the general reliability/accuracy of the analysis information. @@ -80,9 +81,9 @@ class CreationInfo(ABC): def __init__( self, - created_by: List[Agent], + spec_version: Version, + created_by: List[str], profile: List[ProfileIdentifierType], - spec_version: Optional[str] = None, comment: Optional[str] = None, created: Optional[datetime] = None, created_using: List[Tool] = None, diff --git a/src/spdx_tools/spdx3/new_model/core/date_time.py b/src/spdx_tools/spdx3/new_model/core/date_time.py deleted file mode 100644 index cee364688..000000000 --- a/src/spdx_tools/spdx3/new_model/core/date_time.py +++ /dev/null @@ -1,22 +0,0 @@ -# SPDX-License-Identifier: Apache-2.0 -# -# This file was auto-generated by dev/gen_python_model_from_spec.py -# Do not manually edit! - -from spdx_tools.common.typing.type_checks import check_types_and_set_values - -from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties - - -@dataclass_with_properties -class DateTime(str): - """ - A Datetime is a string representation of a specific date and time. It has resolution of seconds and is always - expressed in UTC timezone. The specific format is one of the most commonly used ISO-8601 formats. Format - restriction: pattern: ^\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\dZ$ - """ - - def __init__( - self, - ): - check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/dictionary_entry.py b/src/spdx_tools/spdx3/new_model/core/dictionary_entry.py deleted file mode 100644 index a587acb1e..000000000 --- a/src/spdx_tools/spdx3/new_model/core/dictionary_entry.py +++ /dev/null @@ -1,36 +0,0 @@ -# SPDX-License-Identifier: Apache-2.0 -# -# This file was auto-generated by dev/gen_python_model_from_spec.py -# Do not manually edit! - -from abc import ABC -from beartype.typing import Optional -from spdx_tools.common.typing.type_checks import check_types_and_set_values - -from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties - - -@dataclass_with_properties -class DictionaryEntry(ABC): - """ - The class used for implementing a generic string mapping (also known as associative array, dictionary, or hash map) - in SPDX. Each DictionaryEntry contains a key-value pair which maps the key to its associated value. To implement a - dictionary, this class is to be used in a collection with unique keys. - """ - key: str - """ - A key used in generic a key-value pair. A key-value pair can be used to implement a dictionary which associates a - key with a value. - """ - value: Optional[str] = None - """ - A value used in a generic key-value pair. A key-value pair can be used to implement a dictionary which associates a - key with a value. - """ - - def __init__( - self, - key: str, - value: Optional[str] = None, - ): - check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/element.py b/src/spdx_tools/spdx3/new_model/core/element.py index 59f6d111c..caafce8ed 100644 --- a/src/spdx_tools/spdx3/new_model/core/element.py +++ b/src/spdx_tools/spdx3/new_model/core/element.py @@ -64,7 +64,7 @@ class Element(ABC): """ ExternalIdentifier points to a resource outside the scope of SPDX-3.0 content that uniquely identifies an Element. """ - extension: Optional[str] = None + extension: List[str] = field(default_factory=list) """ TODO """ diff --git a/src/spdx_tools/spdx3/new_model/core/element_collection.py b/src/spdx_tools/spdx3/new_model/core/element_collection.py index 9ac482fb8..fd272c107 100644 --- a/src/spdx_tools/spdx3/new_model/core/element_collection.py +++ b/src/spdx_tools/spdx3/new_model/core/element_collection.py @@ -3,7 +3,7 @@ # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! -from ..core import CreationInfo, Element, ExternalIdentifier, ExternalMap, ExternalReference, IntegrityMethod, NamespaceMap +from ..core import CreationInfo, Element, ExternalIdentifier, ExternalMap, ExternalReference, IntegrityMethod from abc import abstractmethod from beartype.typing import List, Optional from dataclasses import field @@ -16,18 +16,14 @@ class ElementCollection(Element): """ An SpdxCollection is a collection of Elements, not necessarily with unifying context. """ - element: List[Element] = field(default_factory=list) + element: List[str] = field(default_factory=list) """ This field refers to one or more Elements that are part of an ElementCollection. """ - root_element: List[Element] = field(default_factory=list) + root_element: List[str] = field(default_factory=list) """ A rootElement of a collection is the top level Element from which all other Elements are reached via relationships. """ - namespaces: List[NamespaceMap] = field(default_factory=list) - """ - This field provides a NamespaceMap applicable to an ElementCollection. - """ imports: List[ExternalMap] = field(default_factory=list) """ Imports provides an ExternalMap of Element identifiers that are used within a document but defined external to that diff --git a/src/spdx_tools/spdx3/new_model/core/external_reference.py b/src/spdx_tools/spdx3/new_model/core/external_reference.py index cd4260f70..fbd718a79 100644 --- a/src/spdx_tools/spdx3/new_model/core/external_reference.py +++ b/src/spdx_tools/spdx3/new_model/core/external_reference.py @@ -3,7 +3,7 @@ # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! -from ..core import ExternalReferenceType, MediaType +from ..core import ExternalReferenceType from abc import ABC from beartype.typing import List, Optional from dataclasses import field @@ -26,7 +26,7 @@ class ExternalReference(ABC): """ A locator provides the location of an external reference. """ - content_type: Optional[MediaType] = None + content_type: Optional[str] = None """ ContentType specifies the media type of an Element. """ @@ -40,7 +40,7 @@ def __init__( self, external_reference_type: Optional[ExternalReferenceType] = None, locator: List[str] = None, - content_type: Optional[MediaType] = None, + content_type: Optional[str] = None, comment: Optional[str] = None, ): locator = [] if locator is None else locator diff --git a/src/spdx_tools/spdx3/new_model/core/lifecycle_scoped_relationship.py b/src/spdx_tools/spdx3/new_model/core/lifecycle_scoped_relationship.py index f32c7f6c8..034f0eda8 100644 --- a/src/spdx_tools/spdx3/new_model/core/lifecycle_scoped_relationship.py +++ b/src/spdx_tools/spdx3/new_model/core/lifecycle_scoped_relationship.py @@ -25,7 +25,7 @@ def __init__( self, spdx_id: str, creation_info: CreationInfo, - from_element: Element, + from_element: str, relationship_type: RelationshipType, name: Optional[str] = None, summary: Optional[str] = None, @@ -34,8 +34,8 @@ def __init__( verified_using: List[IntegrityMethod] = None, external_reference: List[ExternalReference] = None, external_identifier: List[ExternalIdentifier] = None, - extension: Optional[str] = None, - to: List[Element] = None, + extension: List[str] = None, + to: List[str] = None, completeness: Optional[RelationshipCompleteness] = None, start_time: Optional[datetime] = None, end_time: Optional[datetime] = None, @@ -44,5 +44,6 @@ def __init__( verified_using = [] if verified_using is None else verified_using external_reference = [] if external_reference is None else external_reference external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension to = [] if to is None else to check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/media_type.py b/src/spdx_tools/spdx3/new_model/core/media_type.py deleted file mode 100644 index bdb265c42..000000000 --- a/src/spdx_tools/spdx3/new_model/core/media_type.py +++ /dev/null @@ -1,22 +0,0 @@ -# SPDX-License-Identifier: Apache-2.0 -# -# This file was auto-generated by dev/gen_python_model_from_spec.py -# Do not manually edit! - -from spdx_tools.common.typing.type_checks import check_types_and_set_values - -from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties - - -@dataclass_with_properties -class MediaType(str): - """ - The MediaType is a String constrained to the RFC 2046 specification. It provides a standardized way of indicating - the type of content of an Element. A list of all possible media types is available at - https://www.iana.org/assignments/media-types/media-types.xhtml. - """ - - def __init__( - self, - ): - check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/namespace_map.py b/src/spdx_tools/spdx3/new_model/core/namespace_map.py deleted file mode 100644 index 2b5feb544..000000000 --- a/src/spdx_tools/spdx3/new_model/core/namespace_map.py +++ /dev/null @@ -1,32 +0,0 @@ -# SPDX-License-Identifier: Apache-2.0 -# -# This file was auto-generated by dev/gen_python_model_from_spec.py -# Do not manually edit! - -from abc import ABC -from spdx_tools.common.typing.type_checks import check_types_and_set_values - -from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties - - -@dataclass_with_properties -class NamespaceMap(ABC): - """ - A namespace map allows the creator of a collection of Elements to use shorter identifiers ("prefixes") instead of - URIs to provide a more human-readable and smaller serialized representation of the Elements. - """ - prefix: str - """ - A prefix is a substitute for a URI. - """ - namespace: str - """ - A namespace provides an unambiguous mechanism for other documents to reference Elements within this document. - """ - - def __init__( - self, - prefix: str, - namespace: str, - ): - check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/organization.py b/src/spdx_tools/spdx3/new_model/core/organization.py index bf4b60e5b..64f9d90ac 100644 --- a/src/spdx_tools/spdx3/new_model/core/organization.py +++ b/src/spdx_tools/spdx3/new_model/core/organization.py @@ -27,9 +27,10 @@ def __init__( verified_using: List[IntegrityMethod] = None, external_reference: List[ExternalReference] = None, external_identifier: List[ExternalIdentifier] = None, - extension: Optional[str] = None, + extension: List[str] = None, ): verified_using = [] if verified_using is None else verified_using external_reference = [] if external_reference is None else external_reference external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/person.py b/src/spdx_tools/spdx3/new_model/core/person.py index 159e1cb6d..dd7af2710 100644 --- a/src/spdx_tools/spdx3/new_model/core/person.py +++ b/src/spdx_tools/spdx3/new_model/core/person.py @@ -27,9 +27,10 @@ def __init__( verified_using: List[IntegrityMethod] = None, external_reference: List[ExternalReference] = None, external_identifier: List[ExternalIdentifier] = None, - extension: Optional[str] = None, + extension: List[str] = None, ): verified_using = [] if verified_using is None else verified_using external_reference = [] if external_reference is None else external_reference external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/positive_integer_range.py b/src/spdx_tools/spdx3/new_model/core/positive_integer_range.py index a2bcdcfc9..38c301efa 100644 --- a/src/spdx_tools/spdx3/new_model/core/positive_integer_range.py +++ b/src/spdx_tools/spdx3/new_model/core/positive_integer_range.py @@ -15,18 +15,18 @@ class PositiveIntegerRange(ABC): PositiveIntegerRange is a tuple of two positive integers that define a range. "begin" must be less than or equal to "end". """ - begin: str + begin: int """ begin is a positive integer that defines the beginning of a range. """ - end: str + end: int """ end is a positive integer that defines the end of a range. """ def __init__( self, - begin: str, - end: str, + begin: int, + end: int, ): check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/relationship.py b/src/spdx_tools/spdx3/new_model/core/relationship.py index 98b93df31..96adecb7d 100644 --- a/src/spdx_tools/spdx3/new_model/core/relationship.py +++ b/src/spdx_tools/spdx3/new_model/core/relationship.py @@ -18,11 +18,11 @@ class Relationship(Element): A Relationship is a grouping of characteristics unique to an assertion that one Element is related to one or more other Elements in some way. """ - from_element: Element + from_element: str """ This field references the Element on the left-hand side of a relationship. """ - to: List[Element] = field(default_factory=list) + to: List[str] = field(default_factory=list) """ This field references an Element on the right-hand side of a relationship. """ @@ -50,7 +50,7 @@ def __init__( self, spdx_id: str, creation_info: CreationInfo, - from_element: Element, + from_element: str, relationship_type: RelationshipType, name: Optional[str] = None, summary: Optional[str] = None, @@ -59,8 +59,8 @@ def __init__( verified_using: List[IntegrityMethod] = None, external_reference: List[ExternalReference] = None, external_identifier: List[ExternalIdentifier] = None, - extension: Optional[str] = None, - to: List[Element] = None, + extension: List[str] = None, + to: List[str] = None, completeness: Optional[RelationshipCompleteness] = None, start_time: Optional[datetime] = None, end_time: Optional[datetime] = None, @@ -68,5 +68,6 @@ def __init__( verified_using = [] if verified_using is None else verified_using external_reference = [] if external_reference is None else external_reference external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension to = [] if to is None else to check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/sem_ver.py b/src/spdx_tools/spdx3/new_model/core/sem_ver.py deleted file mode 100644 index a7fcbf031..000000000 --- a/src/spdx_tools/spdx3/new_model/core/sem_ver.py +++ /dev/null @@ -1,22 +0,0 @@ -# SPDX-License-Identifier: Apache-2.0 -# -# This file was auto-generated by dev/gen_python_model_from_spec.py -# Do not manually edit! - -from spdx_tools.common.typing.type_checks import check_types_and_set_values - -from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties - - -@dataclass_with_properties -class SemVer(str): - """ - The semantic version is a string that is following the specification of [Semantic Versioning - 2.0.0](https://semver.org/). Format restriction: pattern: - ^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$ - """ - - def __init__( - self, - ): - check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/software_agent.py b/src/spdx_tools/spdx3/new_model/core/software_agent.py index b839eeae8..3144af0af 100644 --- a/src/spdx_tools/spdx3/new_model/core/software_agent.py +++ b/src/spdx_tools/spdx3/new_model/core/software_agent.py @@ -28,9 +28,10 @@ def __init__( verified_using: List[IntegrityMethod] = None, external_reference: List[ExternalReference] = None, external_identifier: List[ExternalIdentifier] = None, - extension: Optional[str] = None, + extension: List[str] = None, ): verified_using = [] if verified_using is None else verified_using external_reference = [] if external_reference is None else external_reference external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/spdx_document.py b/src/spdx_tools/spdx3/new_model/core/spdx_document.py index eaecd2a43..6a4064208 100644 --- a/src/spdx_tools/spdx3/new_model/core/spdx_document.py +++ b/src/spdx_tools/spdx3/new_model/core/spdx_document.py @@ -3,7 +3,7 @@ # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! -from ..core import Bundle, CreationInfo, Element, ExternalIdentifier, ExternalMap, ExternalReference, IntegrityMethod, NamespaceMap +from ..core import Bundle, CreationInfo, Element, ExternalIdentifier, ExternalMap, ExternalReference, IntegrityMethod from beartype.typing import List, Optional from spdx_tools.common.typing.type_checks import check_types_and_set_values @@ -27,8 +27,8 @@ def __init__( self, spdx_id: str, creation_info: CreationInfo, - element: List[Element], - root_element: List[Element], + element: List[str], + root_element: List[str], name: str, name: Optional[str] = None, summary: Optional[str] = None, @@ -37,14 +37,13 @@ def __init__( verified_using: List[IntegrityMethod] = None, external_reference: List[ExternalReference] = None, external_identifier: List[ExternalIdentifier] = None, - extension: Optional[str] = None, - namespaces: List[NamespaceMap] = None, + extension: List[str] = None, imports: List[ExternalMap] = None, context: Optional[str] = None, ): verified_using = [] if verified_using is None else verified_using external_reference = [] if external_reference is None else external_reference external_identifier = [] if external_identifier is None else external_identifier - namespaces = [] if namespaces is None else namespaces + extension = [] if extension is None else extension imports = [] if imports is None else imports check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/core/tool.py b/src/spdx_tools/spdx3/new_model/core/tool.py index 3d8918260..969def930 100644 --- a/src/spdx_tools/spdx3/new_model/core/tool.py +++ b/src/spdx_tools/spdx3/new_model/core/tool.py @@ -27,9 +27,10 @@ def __init__( verified_using: List[IntegrityMethod] = None, external_reference: List[ExternalReference] = None, external_identifier: List[ExternalIdentifier] = None, - extension: Optional[str] = None, + extension: List[str] = None, ): verified_using = [] if verified_using is None else verified_using external_reference = [] if external_reference is None else external_reference external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/dataset/dataset.py b/src/spdx_tools/spdx3/new_model/dataset/dataset.py index a06b03842..695816ebe 100644 --- a/src/spdx_tools/spdx3/new_model/dataset/dataset.py +++ b/src/spdx_tools/spdx3/new_model/dataset/dataset.py @@ -3,11 +3,11 @@ # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! -from ..core import Agent, CreationInfo, DictionaryEntry, ExternalIdentifier, ExternalReference, IntegrityMethod +from ..core import Agent, CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod from ..dataset import ConfidentialityLevelType, DatasetAvailabilityType, DatasetType, PresenceType from ..licensing import AnyLicenseInfo from ..software import Package, SoftwarePurpose -from beartype.typing import List, Optional +from beartype.typing import Dict, List, Optional from dataclasses import field from datetime import datetime from spdx_tools.common.typing.type_checks import check_types_and_set_values @@ -43,7 +43,7 @@ class Dataset(Package): would capture this information. Similarly, if a dataset is collected for building a facial recognition model, the intendedUse field would specify that. """ - dataset_size: Optional[str] = None + dataset_size: Optional[int] = None """ DatasetSize Captures how large a dataset is. The size is to be measured in bytes. """ @@ -57,7 +57,7 @@ class Dataset(Package): """ DataPreprocessing describes the various preprocessing steps that were applied to the raw data to create the dataset. """ - sensor: List[DictionaryEntry] = field(default_factory=list) + sensor: Dict[str, Optional[str]] = field(default_factory=list) """ Sensor describes a sensor that was used for collecting the data and its calibration value as a key-value pair. """ @@ -101,9 +101,9 @@ def __init__( verified_using: List[IntegrityMethod] = None, external_reference: List[ExternalReference] = None, external_identifier: List[ExternalIdentifier] = None, - extension: Optional[str] = None, - originated_by: List[Agent] = None, - supplied_by: List[Agent] = None, + extension: List[str] = None, + originated_by: List[str] = None, + supplied_by: List[str] = None, built_time: Optional[datetime] = None, release_time: Optional[datetime] = None, valid_until_time: Optional[datetime] = None, @@ -122,10 +122,10 @@ def __init__( source_info: Optional[str] = None, data_collection_process: Optional[str] = None, intended_use: Optional[str] = None, - dataset_size: Optional[str] = None, + dataset_size: Optional[int] = None, dataset_noise: Optional[str] = None, data_preprocessing: List[str] = None, - sensor: List[DictionaryEntry] = None, + sensor: Dict[str, Optional[str]] = None, known_bias: List[str] = None, sensitive_personal_information: Optional[PresenceType] = None, anonymization_method_used: List[str] = None, @@ -136,12 +136,13 @@ def __init__( verified_using = [] if verified_using is None else verified_using external_reference = [] if external_reference is None else external_reference external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension originated_by = [] if originated_by is None else originated_by supplied_by = [] if supplied_by is None else supplied_by standard = [] if standard is None else standard additional_purpose = [] if additional_purpose is None else additional_purpose data_preprocessing = [] if data_preprocessing is None else data_preprocessing - sensor = [] if sensor is None else sensor + sensor = {} if sensor is None else sensor known_bias = [] if known_bias is None else known_bias anonymization_method_used = [] if anonymization_method_used is None else anonymization_method_used check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/dataset/dataset_availability_type.py b/src/spdx_tools/spdx3/new_model/dataset/dataset_availability_type.py index 60ee807a6..a0da1bb5b 100644 --- a/src/spdx_tools/spdx3/new_model/dataset/dataset_availability_type.py +++ b/src/spdx_tools/spdx3/new_model/dataset/dataset_availability_type.py @@ -14,11 +14,11 @@ class DatasetAvailabilityType(Enum): registration form. """ - DIRECT-_DOWNLOAD = auto() + DIRECT_DOWNLOAD = auto() """ the dataset is publicly available and can be downloaded directly. """ - SCRAPING-_SCRIPT = auto() + SCRAPING_SCRIPT = auto() """ the dataset provider is not making available the underlying data and the dataset must be reassembled, typically using the provided script for scraping the data. @@ -40,9 +40,9 @@ class DatasetAvailabilityType(Enum): """ def __str__(self) -> str: - if self == DatasetAvailabilityType.DIRECT-_DOWNLOAD: + if self == DatasetAvailabilityType.DIRECT_DOWNLOAD: return "Direct-Download" - if self == DatasetAvailabilityType.SCRAPING-_SCRIPT: + if self == DatasetAvailabilityType.SCRAPING_SCRIPT: return "Scraping-Script" if self == DatasetAvailabilityType.QUERY: return "Query" @@ -55,9 +55,9 @@ def __str__(self) -> str: @staticmethod def from_str(value: str) -> Optional['DatasetAvailabilityType']: if value == "Direct-Download": - return DatasetAvailabilityType.DIRECT-_DOWNLOAD + return DatasetAvailabilityType.DIRECT_DOWNLOAD if value == "Scraping-Script": - return DatasetAvailabilityType.SCRAPING-_SCRIPT + return DatasetAvailabilityType.SCRAPING_SCRIPT if value == "Query": return DatasetAvailabilityType.QUERY if value == "Clickthrough": diff --git a/src/spdx_tools/spdx3/new_model/expanded_license/conjunctive_license_set.py b/src/spdx_tools/spdx3/new_model/expanded_license/conjunctive_license_set.py index 6f5336ecd..5f91bdb13 100644 --- a/src/spdx_tools/spdx3/new_model/expanded_license/conjunctive_license_set.py +++ b/src/spdx_tools/spdx3/new_model/expanded_license/conjunctive_license_set.py @@ -42,9 +42,10 @@ def __init__( verified_using: List[IntegrityMethod] = None, external_reference: List[ExternalReference] = None, external_identifier: List[ExternalIdentifier] = None, - extension: Optional[str] = None, + extension: List[str] = None, ): verified_using = [] if verified_using is None else verified_using external_reference = [] if external_reference is None else external_reference external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/expanded_license/disjunctive_license_set.py b/src/spdx_tools/spdx3/new_model/expanded_license/disjunctive_license_set.py index 5ad153403..4b7e0d2e3 100644 --- a/src/spdx_tools/spdx3/new_model/expanded_license/disjunctive_license_set.py +++ b/src/spdx_tools/spdx3/new_model/expanded_license/disjunctive_license_set.py @@ -39,9 +39,10 @@ def __init__( verified_using: List[IntegrityMethod] = None, external_reference: List[ExternalReference] = None, external_identifier: List[ExternalIdentifier] = None, - extension: Optional[str] = None, + extension: List[str] = None, ): verified_using = [] if verified_using is None else verified_using external_reference = [] if external_reference is None else external_reference external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/licensing/custom_license.py b/src/spdx_tools/spdx3/new_model/licensing/custom_license.py index a3c133cb0..dc76a7d9c 100644 --- a/src/spdx_tools/spdx3/new_model/licensing/custom_license.py +++ b/src/spdx_tools/spdx3/new_model/licensing/custom_license.py @@ -20,11 +20,11 @@ class CustomLicense(License): def __init__( self, license_text: str, - is_osi_approved: Optional[str] = None, - is_fsf_libre: Optional[str] = None, + is_osi_approved: Optional[bool] = None, + is_fsf_libre: Optional[bool] = None, standard_license_header: Optional[str] = None, standard_license_template: Optional[str] = None, - is_deprecated_license_id: Optional[str] = None, + is_deprecated_license_id: Optional[bool] = None, obsoleted_by: Optional[str] = None, ): check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/licensing/custom_license_addition.py b/src/spdx_tools/spdx3/new_model/licensing/custom_license_addition.py index e81087ffc..e1dd251a5 100644 --- a/src/spdx_tools/spdx3/new_model/licensing/custom_license_addition.py +++ b/src/spdx_tools/spdx3/new_model/licensing/custom_license_addition.py @@ -33,12 +33,13 @@ def __init__( verified_using: List[IntegrityMethod] = None, external_reference: List[ExternalReference] = None, external_identifier: List[ExternalIdentifier] = None, - extension: Optional[str] = None, + extension: List[str] = None, standard_addition_template: Optional[str] = None, - is_deprecated_addition_id: Optional[str] = None, + is_deprecated_addition_id: Optional[bool] = None, obsoleted_by: Optional[str] = None, ): verified_using = [] if verified_using is None else verified_using external_reference = [] if external_reference is None else external_reference external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/licensing/license.py b/src/spdx_tools/spdx3/new_model/licensing/license.py index 444eaf170..9b84b4b38 100644 --- a/src/spdx_tools/spdx3/new_model/licensing/license.py +++ b/src/spdx_tools/spdx3/new_model/licensing/license.py @@ -23,7 +23,7 @@ class License(ExtendableLicense): Users of the licenseText for a License can apply the SPDX Matching Guidelines when comparing it to another text for matching purposes. """ - is_osi_approved: Optional[str] = None + is_osi_approved: Optional[bool] = None """ isOsiApproved specifies whether the [Open Source Initiative (OSI)](https://opensource.org) has listed this License as "approved" in their list of OSI Approved Licenses, located at the time of this writing at @@ -36,7 +36,7 @@ class License(ExtendableLicense): If the isOsiApproved field is not specified, the SPDX data creator makes no assertions about whether the License is approved by the OSI. """ - is_fsf_libre: Optional[str] = None + is_fsf_libre: Optional[bool] = None """ isFsfLibre specifies whether the [Free Software Foundation FSF](https://fsf.org) has listed this License as "free" in their commentary on licenses, located at the time of this writing at @@ -60,7 +60,7 @@ class License(ExtendableLicense): A standardLicenseTemplate contains a license template which describes sections of the License text which can be varied. See the Legacy Text Template format section of the SPDX specification for format information. """ - is_deprecated_license_id: Optional[str] = None + is_deprecated_license_id: Optional[bool] = None """ The isDeprecatedLicenseId property specifies whether an identifier for a License or LicenseAddition has been marked as deprecated. If the property is not defined, then it is presumed to be false (i.e., not deprecated). diff --git a/src/spdx_tools/spdx3/new_model/licensing/license_addition.py b/src/spdx_tools/spdx3/new_model/licensing/license_addition.py index 6e135586c..c8af0f684 100644 --- a/src/spdx_tools/spdx3/new_model/licensing/license_addition.py +++ b/src/spdx_tools/spdx3/new_model/licensing/license_addition.py @@ -31,7 +31,7 @@ class LicenseAddition(Element): A standardAdditionTemplate contains a license addition template which describes sections of the LicenseAddition text which can be varied. See the Legacy Text Template format section of the SPDX specification for format information. """ - is_deprecated_addition_id: Optional[str] = None + is_deprecated_addition_id: Optional[bool] = None """ The isDeprecatedAdditionId property specifies whether an identifier for a LicenseAddition has been marked as deprecated. If the property is not defined, then it is presumed to be false (i.e., not deprecated). diff --git a/src/spdx_tools/spdx3/new_model/licensing/license_expression.py b/src/spdx_tools/spdx3/new_model/licensing/license_expression.py index d93761b45..fdf381853 100644 --- a/src/spdx_tools/spdx3/new_model/licensing/license_expression.py +++ b/src/spdx_tools/spdx3/new_model/licensing/license_expression.py @@ -55,9 +55,10 @@ def __init__( verified_using: List[IntegrityMethod] = None, external_reference: List[ExternalReference] = None, external_identifier: List[ExternalIdentifier] = None, - extension: Optional[str] = None, + extension: List[str] = None, ): verified_using = [] if verified_using is None else verified_using external_reference = [] if external_reference is None else external_reference external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/licensing/listed_license.py b/src/spdx_tools/spdx3/new_model/licensing/listed_license.py index bd17e1302..3139dca07 100644 --- a/src/spdx_tools/spdx3/new_model/licensing/listed_license.py +++ b/src/spdx_tools/spdx3/new_model/licensing/listed_license.py @@ -29,11 +29,11 @@ class ListedLicense(License): def __init__( self, license_text: str, - is_osi_approved: Optional[str] = None, - is_fsf_libre: Optional[str] = None, + is_osi_approved: Optional[bool] = None, + is_fsf_libre: Optional[bool] = None, standard_license_header: Optional[str] = None, standard_license_template: Optional[str] = None, - is_deprecated_license_id: Optional[str] = None, + is_deprecated_license_id: Optional[bool] = None, obsoleted_by: Optional[str] = None, list_version_added: Optional[str] = None, deprecated_version: Optional[str] = None, diff --git a/src/spdx_tools/spdx3/new_model/licensing/listed_license_exception.py b/src/spdx_tools/spdx3/new_model/licensing/listed_license_exception.py index 35cc87346..0d10687ae 100644 --- a/src/spdx_tools/spdx3/new_model/licensing/listed_license_exception.py +++ b/src/spdx_tools/spdx3/new_model/licensing/listed_license_exception.py @@ -41,9 +41,9 @@ def __init__( verified_using: List[IntegrityMethod] = None, external_reference: List[ExternalReference] = None, external_identifier: List[ExternalIdentifier] = None, - extension: Optional[str] = None, + extension: List[str] = None, standard_addition_template: Optional[str] = None, - is_deprecated_addition_id: Optional[str] = None, + is_deprecated_addition_id: Optional[bool] = None, obsoleted_by: Optional[str] = None, list_version_added: Optional[str] = None, deprecated_version: Optional[str] = None, @@ -51,4 +51,5 @@ def __init__( verified_using = [] if verified_using is None else verified_using external_reference = [] if external_reference is None else external_reference external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/licensing/or_later_operator.py b/src/spdx_tools/spdx3/new_model/licensing/or_later_operator.py index 5b4e22040..f77eff5f5 100644 --- a/src/spdx_tools/spdx3/new_model/licensing/or_later_operator.py +++ b/src/spdx_tools/spdx3/new_model/licensing/or_later_operator.py @@ -22,10 +22,6 @@ class OrLaterOperator(ExtendableLicense): particular License. """ subject_license: License - """ - A subjectLicense is a License which is subject to either an 'or later' effect (OrLaterOperator) or a 'with - additional text' effect (WithAdditionOperator). - """ def __init__( self, diff --git a/src/spdx_tools/spdx3/new_model/licensing/with_addition_operator.py b/src/spdx_tools/spdx3/new_model/licensing/with_addition_operator.py index d3c16cbe4..a89d632ab 100644 --- a/src/spdx_tools/spdx3/new_model/licensing/with_addition_operator.py +++ b/src/spdx_tools/spdx3/new_model/licensing/with_addition_operator.py @@ -19,14 +19,7 @@ class WithAdditionOperator(AnyLicenseInfo): (CustomLicenseAddition). It is represented in the SPDX License Expression Syntax by the `WITH` operator. """ subject_license: ExtendableLicense - """ - A subjectLicense is a License which is subject to either an 'or later' effect (OrLaterOperator) or a 'with - additional text' effect (WithAdditionOperator). - """ subject_addition: LicenseAddition - """ - A subjectAddition is a LicenseAddition which is subject to a 'with additional text' effect (WithAdditionOperator). - """ def __init__( self, @@ -41,9 +34,10 @@ def __init__( verified_using: List[IntegrityMethod] = None, external_reference: List[ExternalReference] = None, external_identifier: List[ExternalIdentifier] = None, - extension: Optional[str] = None, + extension: List[str] = None, ): verified_using = [] if verified_using is None else verified_using external_reference = [] if external_reference is None else external_reference external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/security/cvss_v2_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/cvss_v2_vuln_assessment_relationship.py index 7b92a8b4c..4a48f3ad8 100644 --- a/src/spdx_tools/spdx3/new_model/security/cvss_v2_vuln_assessment_relationship.py +++ b/src/spdx_tools/spdx3/new_model/security/cvss_v2_vuln_assessment_relationship.py @@ -68,7 +68,7 @@ class CvssV2VulnAssessmentRelationship(VulnAssessmentRelationship): } ``` """ - score: str + score: float """ The score provides information on the severity of a vulnerability per the Common Vulnerability Scoring System as defined on [https://www.first.org/cvss](https://www.first.org/cvss/). @@ -87,9 +87,9 @@ def __init__( self, spdx_id: str, creation_info: CreationInfo, - from_element: Element, + from_element: str, relationship_type: RelationshipType, - score: str, + score: float, name: Optional[str] = None, summary: Optional[str] = None, description: Optional[str] = None, @@ -97,14 +97,14 @@ def __init__( verified_using: List[IntegrityMethod] = None, external_reference: List[ExternalReference] = None, external_identifier: List[ExternalIdentifier] = None, - extension: Optional[str] = None, - to: List[Element] = None, + extension: List[str] = None, + to: List[str] = None, completeness: Optional[RelationshipCompleteness] = None, start_time: Optional[datetime] = None, end_time: Optional[datetime] = None, - assessed_element: Optional[Element] = None, + assessed_element: Optional[str] = None, published_time: Optional[datetime] = None, - supplied_by: Optional[Agent] = None, + supplied_by: Optional[str] = None, modified_time: Optional[datetime] = None, withdrawn_time: Optional[datetime] = None, severity: Optional[str] = None, @@ -113,5 +113,6 @@ def __init__( verified_using = [] if verified_using is None else verified_using external_reference = [] if external_reference is None else external_reference external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension to = [] if to is None else to check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/security/cvss_v3_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/cvss_v3_vuln_assessment_relationship.py index d3736ce43..087f92764 100644 --- a/src/spdx_tools/spdx3/new_model/security/cvss_v3_vuln_assessment_relationship.py +++ b/src/spdx_tools/spdx3/new_model/security/cvss_v3_vuln_assessment_relationship.py @@ -69,7 +69,7 @@ class CvssV3VulnAssessmentRelationship(VulnAssessmentRelationship): } ``` """ - score: str + score: float """ The score provides information on the severity of a vulnerability per the Common Vulnerability Scoring System as defined on [https://www.first.org/cvss](https://www.first.org/cvss/). @@ -88,9 +88,9 @@ def __init__( self, spdx_id: str, creation_info: CreationInfo, - from_element: Element, + from_element: str, relationship_type: RelationshipType, - score: str, + score: float, name: Optional[str] = None, summary: Optional[str] = None, description: Optional[str] = None, @@ -98,14 +98,14 @@ def __init__( verified_using: List[IntegrityMethod] = None, external_reference: List[ExternalReference] = None, external_identifier: List[ExternalIdentifier] = None, - extension: Optional[str] = None, - to: List[Element] = None, + extension: List[str] = None, + to: List[str] = None, completeness: Optional[RelationshipCompleteness] = None, start_time: Optional[datetime] = None, end_time: Optional[datetime] = None, - assessed_element: Optional[Element] = None, + assessed_element: Optional[str] = None, published_time: Optional[datetime] = None, - supplied_by: Optional[Agent] = None, + supplied_by: Optional[str] = None, modified_time: Optional[datetime] = None, withdrawn_time: Optional[datetime] = None, severity: Optional[str] = None, @@ -114,5 +114,6 @@ def __init__( verified_using = [] if verified_using is None else verified_using external_reference = [] if external_reference is None else external_reference external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension to = [] if to is None else to check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/security/epss_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/epss_vuln_assessment_relationship.py index cc4971226..c3f7d2c85 100644 --- a/src/spdx_tools/spdx3/new_model/security/epss_vuln_assessment_relationship.py +++ b/src/spdx_tools/spdx3/new_model/security/epss_vuln_assessment_relationship.py @@ -38,7 +38,7 @@ class EpssVulnAssessmentRelationship(VulnAssessmentRelationship): } ``` """ - probability: str + probability: int """ The probability score between 0 and 1 (0 and 100%) estimating the likelihood that a vulnerability will be exploited in the next 12 months. @@ -53,9 +53,9 @@ def __init__( self, spdx_id: str, creation_info: CreationInfo, - from_element: Element, + from_element: str, relationship_type: RelationshipType, - probability: str, + probability: int, name: Optional[str] = None, summary: Optional[str] = None, description: Optional[str] = None, @@ -63,14 +63,14 @@ def __init__( verified_using: List[IntegrityMethod] = None, external_reference: List[ExternalReference] = None, external_identifier: List[ExternalIdentifier] = None, - extension: Optional[str] = None, - to: List[Element] = None, + extension: List[str] = None, + to: List[str] = None, completeness: Optional[RelationshipCompleteness] = None, start_time: Optional[datetime] = None, end_time: Optional[datetime] = None, - assessed_element: Optional[Element] = None, + assessed_element: Optional[str] = None, published_time: Optional[datetime] = None, - supplied_by: Optional[Agent] = None, + supplied_by: Optional[str] = None, modified_time: Optional[datetime] = None, withdrawn_time: Optional[datetime] = None, severity: Optional[str] = None, @@ -78,5 +78,6 @@ def __init__( verified_using = [] if verified_using is None else verified_using external_reference = [] if external_reference is None else external_reference external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension to = [] if to is None else to check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/security/exploit_catalog_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/exploit_catalog_vuln_assessment_relationship.py index 4cbe8481c..044338bfb 100644 --- a/src/spdx_tools/spdx3/new_model/security/exploit_catalog_vuln_assessment_relationship.py +++ b/src/spdx_tools/spdx3/new_model/security/exploit_catalog_vuln_assessment_relationship.py @@ -44,7 +44,7 @@ class ExploitCatalogVulnAssessmentRelationship(VulnAssessmentRelationship): """ A catalogType is a mandatory value and must select one of the two entries in the `ExploitCatalogType.md` vocabulary. """ - exploited: str + exploited: bool """ This field is set when a CVE is listed in an exploit catalog. """ @@ -57,10 +57,10 @@ def __init__( self, spdx_id: str, creation_info: CreationInfo, - from_element: Element, + from_element: str, relationship_type: RelationshipType, catalog_type: ExploitCatalogType, - exploited: str, + exploited: bool, locator: str, name: Optional[str] = None, summary: Optional[str] = None, @@ -69,19 +69,20 @@ def __init__( verified_using: List[IntegrityMethod] = None, external_reference: List[ExternalReference] = None, external_identifier: List[ExternalIdentifier] = None, - extension: Optional[str] = None, - to: List[Element] = None, + extension: List[str] = None, + to: List[str] = None, completeness: Optional[RelationshipCompleteness] = None, start_time: Optional[datetime] = None, end_time: Optional[datetime] = None, - assessed_element: Optional[Element] = None, + assessed_element: Optional[str] = None, published_time: Optional[datetime] = None, - supplied_by: Optional[Agent] = None, + supplied_by: Optional[str] = None, modified_time: Optional[datetime] = None, withdrawn_time: Optional[datetime] = None, ): verified_using = [] if verified_using is None else verified_using external_reference = [] if external_reference is None else external_reference external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension to = [] if to is None else to check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/security/ssvc_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/ssvc_vuln_assessment_relationship.py index b48a9d88e..44ea5203a 100644 --- a/src/spdx_tools/spdx3/new_model/security/ssvc_vuln_assessment_relationship.py +++ b/src/spdx_tools/spdx3/new_model/security/ssvc_vuln_assessment_relationship.py @@ -49,7 +49,7 @@ def __init__( self, spdx_id: str, creation_info: CreationInfo, - from_element: Element, + from_element: str, relationship_type: RelationshipType, decision_type: SsvcDecisionType, name: Optional[str] = None, @@ -59,19 +59,20 @@ def __init__( verified_using: List[IntegrityMethod] = None, external_reference: List[ExternalReference] = None, external_identifier: List[ExternalIdentifier] = None, - extension: Optional[str] = None, - to: List[Element] = None, + extension: List[str] = None, + to: List[str] = None, completeness: Optional[RelationshipCompleteness] = None, start_time: Optional[datetime] = None, end_time: Optional[datetime] = None, - assessed_element: Optional[Element] = None, + assessed_element: Optional[str] = None, published_time: Optional[datetime] = None, - supplied_by: Optional[Agent] = None, + supplied_by: Optional[str] = None, modified_time: Optional[datetime] = None, withdrawn_time: Optional[datetime] = None, ): verified_using = [] if verified_using is None else verified_using external_reference = [] if external_reference is None else external_reference external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension to = [] if to is None else to check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/security/vex_affected_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/vex_affected_vuln_assessment_relationship.py index 8c9f347ea..3f881721d 100644 --- a/src/spdx_tools/spdx3/new_model/security/vex_affected_vuln_assessment_relationship.py +++ b/src/spdx_tools/spdx3/new_model/security/vex_affected_vuln_assessment_relationship.py @@ -57,7 +57,7 @@ def __init__( self, spdx_id: str, creation_info: CreationInfo, - from_element: Element, + from_element: str, relationship_type: RelationshipType, name: Optional[str] = None, summary: Optional[str] = None, @@ -66,14 +66,14 @@ def __init__( verified_using: List[IntegrityMethod] = None, external_reference: List[ExternalReference] = None, external_identifier: List[ExternalIdentifier] = None, - extension: Optional[str] = None, - to: List[Element] = None, + extension: List[str] = None, + to: List[str] = None, completeness: Optional[RelationshipCompleteness] = None, start_time: Optional[datetime] = None, end_time: Optional[datetime] = None, - assessed_element: Optional[Element] = None, + assessed_element: Optional[str] = None, published_time: Optional[datetime] = None, - supplied_by: Optional[Agent] = None, + supplied_by: Optional[str] = None, modified_time: Optional[datetime] = None, withdrawn_time: Optional[datetime] = None, vex_version: Optional[str] = None, @@ -84,6 +84,7 @@ def __init__( verified_using = [] if verified_using is None else verified_using external_reference = [] if external_reference is None else external_reference external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension to = [] if to is None else to action_statement_time = [] if action_statement_time is None else action_statement_time check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/security/vex_fixed_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/vex_fixed_vuln_assessment_relationship.py index 96f0f64bd..385956a73 100644 --- a/src/spdx_tools/spdx3/new_model/security/vex_fixed_vuln_assessment_relationship.py +++ b/src/spdx_tools/spdx3/new_model/security/vex_fixed_vuln_assessment_relationship.py @@ -45,7 +45,7 @@ def __init__( self, spdx_id: str, creation_info: CreationInfo, - from_element: Element, + from_element: str, relationship_type: RelationshipType, name: Optional[str] = None, summary: Optional[str] = None, @@ -54,14 +54,14 @@ def __init__( verified_using: List[IntegrityMethod] = None, external_reference: List[ExternalReference] = None, external_identifier: List[ExternalIdentifier] = None, - extension: Optional[str] = None, - to: List[Element] = None, + extension: List[str] = None, + to: List[str] = None, completeness: Optional[RelationshipCompleteness] = None, start_time: Optional[datetime] = None, end_time: Optional[datetime] = None, - assessed_element: Optional[Element] = None, + assessed_element: Optional[str] = None, published_time: Optional[datetime] = None, - supplied_by: Optional[Agent] = None, + supplied_by: Optional[str] = None, modified_time: Optional[datetime] = None, withdrawn_time: Optional[datetime] = None, vex_version: Optional[str] = None, @@ -70,5 +70,6 @@ def __init__( verified_using = [] if verified_using is None else verified_using external_reference = [] if external_reference is None else external_reference external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension to = [] if to is None else to check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/security/vex_not_affected_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/vex_not_affected_vuln_assessment_relationship.py index 3c0b1b4bc..c57f2f415 100644 --- a/src/spdx_tools/spdx3/new_model/security/vex_not_affected_vuln_assessment_relationship.py +++ b/src/spdx_tools/spdx3/new_model/security/vex_not_affected_vuln_assessment_relationship.py @@ -69,7 +69,7 @@ def __init__( self, spdx_id: str, creation_info: CreationInfo, - from_element: Element, + from_element: str, relationship_type: RelationshipType, name: Optional[str] = None, summary: Optional[str] = None, @@ -78,14 +78,14 @@ def __init__( verified_using: List[IntegrityMethod] = None, external_reference: List[ExternalReference] = None, external_identifier: List[ExternalIdentifier] = None, - extension: Optional[str] = None, - to: List[Element] = None, + extension: List[str] = None, + to: List[str] = None, completeness: Optional[RelationshipCompleteness] = None, start_time: Optional[datetime] = None, end_time: Optional[datetime] = None, - assessed_element: Optional[Element] = None, + assessed_element: Optional[str] = None, published_time: Optional[datetime] = None, - supplied_by: Optional[Agent] = None, + supplied_by: Optional[str] = None, modified_time: Optional[datetime] = None, withdrawn_time: Optional[datetime] = None, vex_version: Optional[str] = None, @@ -97,5 +97,6 @@ def __init__( verified_using = [] if verified_using is None else verified_using external_reference = [] if external_reference is None else external_reference external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension to = [] if to is None else to check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/security/vex_under_investigation_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/vex_under_investigation_vuln_assessment_relationship.py index 9090f8f0c..1ee37f649 100644 --- a/src/spdx_tools/spdx3/new_model/security/vex_under_investigation_vuln_assessment_relationship.py +++ b/src/spdx_tools/spdx3/new_model/security/vex_under_investigation_vuln_assessment_relationship.py @@ -47,7 +47,7 @@ def __init__( self, spdx_id: str, creation_info: CreationInfo, - from_element: Element, + from_element: str, relationship_type: RelationshipType, name: Optional[str] = None, summary: Optional[str] = None, @@ -56,14 +56,14 @@ def __init__( verified_using: List[IntegrityMethod] = None, external_reference: List[ExternalReference] = None, external_identifier: List[ExternalIdentifier] = None, - extension: Optional[str] = None, - to: List[Element] = None, + extension: List[str] = None, + to: List[str] = None, completeness: Optional[RelationshipCompleteness] = None, start_time: Optional[datetime] = None, end_time: Optional[datetime] = None, - assessed_element: Optional[Element] = None, + assessed_element: Optional[str] = None, published_time: Optional[datetime] = None, - supplied_by: Optional[Agent] = None, + supplied_by: Optional[str] = None, modified_time: Optional[datetime] = None, withdrawn_time: Optional[datetime] = None, vex_version: Optional[str] = None, @@ -72,5 +72,6 @@ def __init__( verified_using = [] if verified_using is None else verified_using external_reference = [] if external_reference is None else external_reference external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension to = [] if to is None else to check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/security/vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/vuln_assessment_relationship.py index a27e2b295..d50153555 100644 --- a/src/spdx_tools/spdx3/new_model/security/vuln_assessment_relationship.py +++ b/src/spdx_tools/spdx3/new_model/security/vuln_assessment_relationship.py @@ -17,7 +17,7 @@ class VulnAssessmentRelationship(Relationship): VulnAssessmentRelationship is the ancestor class common to all vulnerability assessment relationships. It factors out the common properties shared by them. External property restriction on /Core/Relationship/to: minCount: 1 """ - assessed_element: Optional[Element] = None + assessed_element: Optional[str] = None """ Specifies subpackages, files or snippets referenced by a security assessment to specify the precise location where a vulnerability was found. @@ -26,7 +26,7 @@ class VulnAssessmentRelationship(Relationship): """ Specifies the time when a vulnerability was first published. """ - supplied_by: Optional[Agent] = None + supplied_by: Optional[str] = None """ Identify the actual distribution source for the vulnerability assessment relationship being referenced. """ diff --git a/src/spdx_tools/spdx3/new_model/security/vulnerability.py b/src/spdx_tools/spdx3/new_model/security/vulnerability.py index 8e8260d9d..abb066781 100644 --- a/src/spdx_tools/spdx3/new_model/security/vulnerability.py +++ b/src/spdx_tools/spdx3/new_model/security/vulnerability.py @@ -115,7 +115,7 @@ def __init__( verified_using: List[IntegrityMethod] = None, external_reference: List[ExternalReference] = None, external_identifier: List[ExternalIdentifier] = None, - extension: Optional[str] = None, + extension: List[str] = None, published_time: Optional[datetime] = None, modified_time: Optional[datetime] = None, withdrawn_time: Optional[datetime] = None, @@ -123,4 +123,5 @@ def __init__( verified_using = [] if verified_using is None else verified_using external_reference = [] if external_reference is None else external_reference external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/software/file.py b/src/spdx_tools/spdx3/new_model/software/file.py index 1236196d3..853d8c5e9 100644 --- a/src/spdx_tools/spdx3/new_model/software/file.py +++ b/src/spdx_tools/spdx3/new_model/software/file.py @@ -3,7 +3,7 @@ # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! -from ..core import Agent, CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod, MediaType +from ..core import Agent, CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod from ..licensing import AnyLicenseInfo from ..software import SoftwareArtifact, SoftwarePurpose from beartype.typing import List, Optional @@ -19,7 +19,7 @@ class File(SoftwareArtifact): Refers to any object that stores content on a computer. The type of content can optionally be provided in the contentType property. External property restriction on /Core/Element/name: minCount: 1 """ - content_type: Optional[MediaType] = None + content_type: Optional[str] = None """ This field is a reasonable estimation of the content type of the Element, from a creator perspective. Content type is intrinsic to the Element, independent of how the Element is being used. @@ -36,9 +36,9 @@ def __init__( verified_using: List[IntegrityMethod] = None, external_reference: List[ExternalReference] = None, external_identifier: List[ExternalIdentifier] = None, - extension: Optional[str] = None, - originated_by: List[Agent] = None, - supplied_by: List[Agent] = None, + extension: List[str] = None, + originated_by: List[str] = None, + supplied_by: List[str] = None, built_time: Optional[datetime] = None, release_time: Optional[datetime] = None, valid_until_time: Optional[datetime] = None, @@ -50,11 +50,12 @@ def __init__( declared_license: Optional[AnyLicenseInfo] = None, copyright_text: Optional[str] = None, attribution_text: Optional[str] = None, - content_type: Optional[MediaType] = None, + content_type: Optional[str] = None, ): verified_using = [] if verified_using is None else verified_using external_reference = [] if external_reference is None else external_reference external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension originated_by = [] if originated_by is None else originated_by supplied_by = [] if supplied_by is None else supplied_by standard = [] if standard is None else standard diff --git a/src/spdx_tools/spdx3/new_model/software/package.py b/src/spdx_tools/spdx3/new_model/software/package.py index ded99881c..96600a8bb 100644 --- a/src/spdx_tools/spdx3/new_model/software/package.py +++ b/src/spdx_tools/spdx3/new_model/software/package.py @@ -88,9 +88,9 @@ def __init__( verified_using: List[IntegrityMethod] = None, external_reference: List[ExternalReference] = None, external_identifier: List[ExternalIdentifier] = None, - extension: Optional[str] = None, - originated_by: List[Agent] = None, - supplied_by: List[Agent] = None, + extension: List[str] = None, + originated_by: List[str] = None, + supplied_by: List[str] = None, built_time: Optional[datetime] = None, release_time: Optional[datetime] = None, valid_until_time: Optional[datetime] = None, @@ -111,6 +111,7 @@ def __init__( verified_using = [] if verified_using is None else verified_using external_reference = [] if external_reference is None else external_reference external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension originated_by = [] if originated_by is None else originated_by supplied_by = [] if supplied_by is None else supplied_by standard = [] if standard is None else standard diff --git a/src/spdx_tools/spdx3/new_model/software/sbom.py b/src/spdx_tools/spdx3/new_model/software/sbom.py index a1ca3f2cb..f89c41e97 100644 --- a/src/spdx_tools/spdx3/new_model/software/sbom.py +++ b/src/spdx_tools/spdx3/new_model/software/sbom.py @@ -3,7 +3,7 @@ # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! -from ..core import Bom, CreationInfo, Element, ExternalIdentifier, ExternalMap, ExternalReference, IntegrityMethod, NamespaceMap +from ..core import Bom, CreationInfo, Element, ExternalIdentifier, ExternalMap, ExternalReference, IntegrityMethod from ..software import SbomType from beartype.typing import List, Optional from dataclasses import field @@ -31,8 +31,8 @@ def __init__( self, spdx_id: str, creation_info: CreationInfo, - element: List[Element], - root_element: List[Element], + element: List[str], + root_element: List[str], name: Optional[str] = None, summary: Optional[str] = None, description: Optional[str] = None, @@ -40,8 +40,7 @@ def __init__( verified_using: List[IntegrityMethod] = None, external_reference: List[ExternalReference] = None, external_identifier: List[ExternalIdentifier] = None, - extension: Optional[str] = None, - namespaces: List[NamespaceMap] = None, + extension: List[str] = None, imports: List[ExternalMap] = None, context: Optional[str] = None, sbom_type: List[SbomType] = None, @@ -49,7 +48,7 @@ def __init__( verified_using = [] if verified_using is None else verified_using external_reference = [] if external_reference is None else external_reference external_identifier = [] if external_identifier is None else external_identifier - namespaces = [] if namespaces is None else namespaces + extension = [] if extension is None else extension imports = [] if imports is None else imports sbom_type = [] if sbom_type is None else sbom_type check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/software/snippet.py b/src/spdx_tools/spdx3/new_model/software/snippet.py index 679a5307e..63bbd282b 100644 --- a/src/spdx_tools/spdx3/new_model/software/snippet.py +++ b/src/spdx_tools/spdx3/new_model/software/snippet.py @@ -46,9 +46,9 @@ def __init__( verified_using: List[IntegrityMethod] = None, external_reference: List[ExternalReference] = None, external_identifier: List[ExternalIdentifier] = None, - extension: Optional[str] = None, - originated_by: List[Agent] = None, - supplied_by: List[Agent] = None, + extension: List[str] = None, + originated_by: List[str] = None, + supplied_by: List[str] = None, built_time: Optional[datetime] = None, release_time: Optional[datetime] = None, valid_until_time: Optional[datetime] = None, @@ -66,6 +66,7 @@ def __init__( verified_using = [] if verified_using is None else verified_using external_reference = [] if external_reference is None else external_reference external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension originated_by = [] if originated_by is None else originated_by supplied_by = [] if supplied_by is None else supplied_by standard = [] if standard is None else standard diff --git a/src/spdx_tools/spdx3/new_model/software/software_dependency_relationship.py b/src/spdx_tools/spdx3/new_model/software/software_dependency_relationship.py index 18fdfb9e1..94e59c85c 100644 --- a/src/spdx_tools/spdx3/new_model/software/software_dependency_relationship.py +++ b/src/spdx_tools/spdx3/new_model/software/software_dependency_relationship.py @@ -30,7 +30,7 @@ def __init__( self, spdx_id: str, creation_info: CreationInfo, - from_element: Element, + from_element: str, relationship_type: RelationshipType, name: Optional[str] = None, summary: Optional[str] = None, @@ -39,8 +39,8 @@ def __init__( verified_using: List[IntegrityMethod] = None, external_reference: List[ExternalReference] = None, external_identifier: List[ExternalIdentifier] = None, - extension: Optional[str] = None, - to: List[Element] = None, + extension: List[str] = None, + to: List[str] = None, completeness: Optional[RelationshipCompleteness] = None, start_time: Optional[datetime] = None, end_time: Optional[datetime] = None, @@ -51,5 +51,6 @@ def __init__( verified_using = [] if verified_using is None else verified_using external_reference = [] if external_reference is None else external_reference external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension to = [] if to is None else to check_types_and_set_values(self, locals()) From 20eb9f07381a41c73e9261ab1c567e9334630d2e Mon Sep 17 00:00:00 2001 From: Holger Frydrych Date: Thu, 27 Jul 2023 08:57:55 +0200 Subject: [PATCH 22/33] Parse and obey property restrictions in the model dump when generating classes Signed-off-by: Holger Frydrych --- dev/gen_python_model_from_spec.py | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/dev/gen_python_model_from_spec.py b/dev/gen_python_model_from_spec.py index 789f9b95b..544f8b8ce 100644 --- a/dev/gen_python_model_from_spec.py +++ b/dev/gen_python_model_from_spec.py @@ -188,6 +188,12 @@ def extract_parent_type(cls: dict, namespace: str) -> Optional[str]: return get_qualified_name(parent_class, namespace) +def get_short_prop_name(qualified_name: str) -> str: + if '/' not in qualified_name: + return qualified_name + return qualified_name[qualified_name.rindex('/')+1:] + + @dataclass class Property: name: str @@ -286,6 +292,18 @@ def _collect_props(self, cls: dict, namespace: str, is_parent: bool): elif optional: self._add_import("beartype.typing", "Optional") + if "externalPropertyRestrictions" not in cls: + return + for propname, propinfo in cls["externalPropertyRestrictions"].items(): + propname = get_short_prop_name(propname) + prop = next(filter(lambda p: get_short_prop_name(p.name) == propname, self.props), None) + if not prop: + continue + if "minCount" in propinfo: + prop.optional = prop.optional and propinfo["minCount"] == "0" + if "maxCount" in propinfo: + prop.is_list = prop.is_list and propinfo["maxCount"] != "1" + def gen_file(self): properties = self._gen_props() constructor = self._gen_constructor() From fddedfb33dee0631687f0de514768748c8db8f75 Mon Sep 17 00:00:00 2001 From: Holger Frydrych Date: Thu, 27 Jul 2023 08:58:18 +0200 Subject: [PATCH 23/33] Update model dump and generated model classes Signed-off-by: Holger Frydrych --- dev/model_dump.json | 4442 ++++++++++++++++- .../spdx3/new_model/ai/ai_package.py | 13 +- .../spdx3/new_model/core/spdx_document.py | 2 +- .../spdx3/new_model/dataset/dataset.py | 13 +- .../cvss_v2_vuln_assessment_relationship.py | 3 +- .../cvss_v3_vuln_assessment_relationship.py | 3 +- .../epss_vuln_assessment_relationship.py | 3 +- ...it_catalog_vuln_assessment_relationship.py | 3 +- .../ssvc_vuln_assessment_relationship.py | 3 +- ...x_affected_vuln_assessment_relationship.py | 3 +- .../vex_fixed_vuln_assessment_relationship.py | 3 +- ...t_affected_vuln_assessment_relationship.py | 3 +- ...estigation_vuln_assessment_relationship.py | 3 +- .../spdx3/new_model/software/file.py | 2 +- .../spdx3/new_model/software/package.py | 2 +- 15 files changed, 4465 insertions(+), 36 deletions(-) diff --git a/dev/model_dump.json b/dev/model_dump.json index 4296500d2..5e57b99c1 100644 --- a/dev/model_dump.json +++ b/dev/model_dump.json @@ -1 +1,4441 @@ -{"ExpandedLicense": {"name": "ExpandedLicense", "classes": {"ConjunctiveLicenseSet": {"summary": "Portion of an AnyLicenseInfo representing a set of licensing information\nwhere all elements apply.", "description": "A ConjunctiveLicenseSet indicates that _each_ of its subsidiary\nAnyLicenseInfos apply. In other words, a ConjunctiveLicenseSet of two or\nmore licenses represents a licensing situation where _all_ of the specified\nlicenses are to be complied with. It is represented in the SPDX License\nExpression Syntax by the `AND` operator.\n\nIt is syntactically correct to specify a ConjunctiveLicenseSet where the\nsubsidiary AnyLicenseInfos may be \"incompatible\" according to a particular\ninterpretation of the corresponding Licenses. The SPDX License Expression\nSyntax does not take into account interpretation of license texts, which is\nleft to the consumer of SPDX data to determine for themselves.", "metadata": {"name": "ConjunctiveLicenseSet", "SubclassOf": "Licensing/AnyLicenseInfo", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/ExpandedLicense/ConjunctiveLicenseSet"}, "properties": {"member": {"type": "Licensing/AnyLicenseInfo", "minCount": "2", "maxCount": "*"}}}, "DisjunctiveLicenseSet": {"summary": "Portion of an AnyLicenseInfo representing a set of licensing information\nwhere only any one of the elements applies.", "description": "A DisjunctiveLicenseSet indicates that _only one_ of its subsidiary\nAnyLicenseInfos is required to apply. In other words, a\nDisjunctiveLicenseSet of two or more licenses represents a licensing\nsituation where _only one_ of the specified licenses are to be complied with.\nA consumer of SPDX data would typically understand this to permit the recipient\nof the licensed content to choose which of the corresponding license they\nwould prefer to use. It is represented in the SPDX License Expression Syntax\nby the `OR` operator.", "metadata": {"name": "DisjunctiveLicenseSet", "SubclassOf": "Licensing/AnyLicenseInfo", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/ExpandedLicense/DisjunctiveLicenseSet"}, "properties": {"member": {"type": "Licensing/AnyLicenseInfo", "minCount": "2", "maxCount": "*"}}}, "ExtendableLicense": {"summary": "Abstract class representing a License or an OrLaterOperator.", "description": "The WithAdditionOperator can have a License or an OrLaterOperator as the license property value. This class is used for the value.", "metadata": {"name": "ExtendableLicense", "SubclassOf": "Licensing/AnyLicenseInfo", "Instantiability": "Abstract", "Status": "Stable", "id": "https://spdx.org/rdf/v3/ExpandedLicense/ExtendableLicense"}, "properties": {}}}, "properties": {"subjectLicense": {"summary": "A License participating in a 'with addition' or 'or later' model.", "description": "A subjectLicense is a License which is subject to either an 'or later' effect\n(OrLaterOperator) or a 'with additional text' effect (WithAdditionOperator).", "metadata": {"name": "subjectLicense", "Nature": "ObjectProperty", "Range": "Licensing/License", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/ExpandedLicense/subjectLicense"}}, "subjectAddition": {"summary": "A LicenseAddition participating in a 'with addition' model.", "description": "A subjectAddition is a LicenseAddition which is subject to a 'with additional\ntext' effect (WithAdditionOperator).", "metadata": {"name": "subjectAddition", "Nature": "ObjectProperty", "Range": "LicenseAddition", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/ExpandedLicense/subjectAddition"}}, "member": {"summary": "A license expression participating in a license set.", "description": "A member is a license expression participating in a conjuctive (of type\nConjunctiveLicenseSet) or a disjunctive (of type DisjunctiveLicenseSet)\nlicense set.", "metadata": {"name": "member", "Nature": "ObjectProperty", "Range": "Licensing/AnyLicenseInfo", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/ExpandedLicense/member", "Domain": ["ConjunctiveLicenseSet", "DisjunctiveLicenseSet"]}}}, "vocabs": {}}, "Core": {"name": "Core", "classes": {"PositiveIntegerRange": {"summary": "A tuple of two positive integers that define a range.", "description": "PositiveIntegerRange is a tuple of two positive integers that define a range.\n\"begin\" must be less than or equal to \"end\".", "metadata": {"name": "PositiveIntegerRange", "SubclassOf": "none", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/PositiveIntegerRange"}, "properties": {"begin": {"type": "xsd:positiveInteger", "minCount": "1", "maxCount": "1"}, "end": {"type": "xsd:positiveInteger", "minCount": "1", "maxCount": "1"}}}, "ElementCollection": {"summary": "A collection of Elements, not necessarily with unifying context.", "description": "An SpdxCollection is a collection of Elements, not necessarily with unifying context.", "metadata": {"name": "ElementCollection", "SubclassOf": "Element", "Instantiability": "Abstract", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/ElementCollection"}, "properties": {"element": {"type": "Element", "minCount": "1", "maxCount": "*"}, "rootElement": {"type": "Element", "minCount": "1", "maxCount": "*"}, "imports": {"type": "ExternalMap", "minCount": "0", "maxCount": "*"}}}, "ExternalReference": {"summary": "A reference to a resource outside the scope of SPDX-3.0 content.", "description": "An External Reference points to a resource outside the scope of the SPDX-3.0 content\nthat provides additional characteristics of an Element.", "metadata": {"name": "ExternalReference", "SubclassOf": "none", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/ExternalReference"}, "properties": {"externalReferenceType": {"type": "ExternalReferenceType", "maxCount": "1", "minCount": "0"}, "locator": {"type": "xsd:anyURI", "minCount": "0", "maxCount": "*"}, "contentType": {"type": "MediaType", "maxCount": "1", "minCount": "0"}, "comment": {"type": "xsd:string", "maxCount": "1", "minCount": "0"}}}, "ExternalIdentifier": {"summary": "A reference to a resource outside the scope of SPDX-3.0 content that uniquely identifies an Element.", "description": "An ExternalIdentifier is a reference to a resource outside the scope of SPDX-3.0 content\nthat uniquely identifies an Element.", "metadata": {"name": "ExternalIdentifier", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/ExternalIdentifier"}, "properties": {"externalIdentifierType": {"type": "ExternalIdentifierType", "minCount": "1", "maxCount": "1"}, "identifier": {"type": "xsd:string", "minCount": "1", "maxCount": "1"}, "comment": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}, "identifierLocator": {"type": "xsd:anyURI", "minCount": "0", "maxCount": "*"}, "issuingAuthority": {"type": "xsd:anyURI", "minCount": "0", "maxCount": "1"}}}, "Bom": {"summary": "A container for a grouping of SPDX-3.0 content characterizing details\n(provenence, composition, licensing, etc.) about a product.", "description": "A Bill Of Materials (BOM) is a container for a grouping of SPDX-3.0 content\ncharacterizing details about a product.\nThis could include details of the content and composition of the product,\nprovenence details of the product and/or\nits composition, licensing information, known quality or security issues, etc.", "metadata": {"name": "Bom", "SubclassOf": "Bundle", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/Bom"}, "properties": {}}, "SpdxDocument": {"summary": "Assembles a collection of Elements under a common string, the name of the document.", "description": "An SpdxDocument assembles a collection of Elements under a common string, the name of the document.\nCommonly used when representing a unit of transfer of SPDX Elements.\nExternal property restriction on /Core/Element/name: minCount: 1", "metadata": {"name": "SpdxDocument", "SubclassOf": "Bundle", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/SpdxDocument"}, "properties": {"name": {"type": "xsd:string", "minCount": "1", "maxCount": "1"}}}, "Tool": {"summary": "An element of hardware and/or software utilized to carry out a particular function.", "description": "A Tool is an element of hardware and/or software utilized to carry out a particular function.", "metadata": {"name": "Tool", "SubclassOf": "Element", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/Tool"}, "properties": {}}, "CreationInfo": {"summary": "Provides information about the creation of the Element.", "description": "The CreationInfo provides information about who created the Element, and when and how it was created. \n\nThe dateTime created is often the date of last change (e.g., a git commit date), not the date when the SPDX data was created, as doing so supports reproducible builds.", "metadata": {"name": "CreationInfo", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/CreationInfo"}, "properties": {"specVersion": {"type": "SemVer", "minCount": "1", "maxCount": "1"}, "comment": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}, "created": {"type": "DateTime", "maxCount": "1", "minCount": "0"}, "createdBy": {"type": "Agent", "minCount": "1", "maxCount": "*"}, "createdUsing": {"type": "Tool", "minCount": "0", "maxCount": "*"}, "profile": {"type": "ProfileIdentifierType", "minCount": "1", "maxCount": "*"}, "dataLicense": {"type": "xsd:string", "maxCount": "1", "minCount": "0"}}}, "Organization": {"summary": "A group of people who work together in an organized way for a shared purpose.", "description": "An Organization is a group of people who work together in an organized way for a shared purpose.", "metadata": {"name": "Organization", "SubclassOf": "Agent", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/Organization"}, "properties": {}}, "LifecycleScopedRelationship": {"summary": "", "description": "TODO", "metadata": {"name": "LifecycleScopedRelationship", "SubclassOf": "Relationship", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/LifecycleScopedRelationship"}, "properties": {"scope": {"type": "LifecycleScopeType", "minCount": "0", "maxCount": "1"}}}, "SoftwareAgent": {"summary": "A software agent.", "description": "A SoftwareAgent is a software program that is given the authority (similar to a user's authority) to act on a system.", "metadata": {"name": "SoftwareAgent", "SubclassOf": "Agent", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/SoftwareAgent"}, "properties": {}}, "IntegrityMethod": {"summary": "Provides an independently reproducible mechanism that permits verification of a specific Element.", "description": "An IntegrityMethod provides an independently reproducible mechanism that permits verification\nof a specific Element that correlates to the data in this SPDX document. This identifier enables\na recipient to determine if anything in the original Element has been changed and eliminates\nconfusion over which version or modification of a specific Element is referenced.", "metadata": {"name": "IntegrityMethod", "Instantiability": "Abstract", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/IntegrityMethod"}, "properties": {"comment": {"type": "xsd:string", "maxCount": "1", "minCount": "0"}}}, "Relationship": {"summary": "Describes a relationship between one or more elements.", "description": "A Relationship is a grouping of characteristics unique to an assertion\nthat one Element is related to one or more other Elements in some way.", "metadata": {"name": "Relationship", "SubclassOf": "Element", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/Relationship"}, "properties": {"from": {"type": "Element", "minCount": "1", "maxCount": "1"}, "to": {"type": "Element", "minCount": "0", "maxCount": "*"}, "relationshipType": {"type": "RelationshipType", "minCount": "1", "maxCount": "1"}, "completeness": {"type": "RelationshipCompleteness", "minCount": "0", "maxCount": "1"}, "startTime": {"type": "DateTime", "minCount": "0", "maxCount": "1"}, "endTime": {"type": "DateTime", "minCount": "0", "maxCount": "1"}}}, "Element": {"summary": "Base domain class from which all other SPDX-3.0 domain classes derive.", "description": "An Element is a representation of a fundamental concept either directly inherent\nto the Bill of Materials (BOM) domain or indirectly related to the BOM domain\nand necessary for contextually characterizing BOM concepts and relationships.\nWithin SPDX-3.0 structure this is the base class acting as a consistent,\nunifying, and interoperable foundation for all explicit\nand inter-relatable content objects.", "metadata": {"name": "Element", "SubclassOf": "none", "Instantiability": "Abstract", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/Element"}, "properties": {"spdxId": {"type": "xsd:anyURI", "minCount": "1", "maxCount": "1"}, "name": {"type": "xsd:string", "maxCount": "1", "minCount": "0"}, "summary": {"type": "xsd:string", "maxCount": "1", "minCount": "0"}, "description": {"type": "xsd:string", "maxCount": "1", "minCount": "0"}, "comment": {"type": "xsd:string", "maxCount": "1", "minCount": "0"}, "creationInfo": {"type": "CreationInfo", "minCount": "1", "maxCount": "1"}, "verifiedUsing": {"type": "IntegrityMethod", "minCount": "0", "maxCount": "*"}, "externalReference": {"type": "ExternalReference", "minCount": "0", "maxCount": "*"}, "externalIdentifier": {"type": "ExternalIdentifier", "minCount": "0", "maxCount": "*"}, "extension": {"type": "Extension", "minCount": "0", "maxCount": "*"}}}, "Agent": {"summary": "Agent represents anything with the potential to act on a system.", "description": "The Agent class represents anything that has the potential to act on a system. This could be a person, organization, software agent, etc. This is not to be confused with tools that are used to perform tasks.", "metadata": {"name": "Agent", "SubclassOf": "Element", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/Agent"}, "properties": {}}, "Hash": {"summary": "A mathematically calculated representation of a grouping of data.", "description": "A hash is a grouping of characteristics unique to the result\nof applying a mathematical algorithm\nthat maps data of arbitrary size to a bit string (the hash)\nand is a one-way function, that is,\na function which is practically infeasible to invert.\nThis is commonly used for integrity checking of data.", "metadata": {"name": "Hash", "SubclassOf": "IntegrityMethod", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/Hash"}, "properties": {"algorithm": {"type": "HashAlgorithm", "minCount": "1", "maxCount": "1"}, "hashValue": {"type": "xsd:string", "minCount": "1", "maxCount": "1"}}}, "DictionaryEntry": {"summary": "A key with an associated value.", "description": "The class used for implementing a generic string mapping (also known as associative array, dictionary, or hash map) in SPDX. Each DictionaryEntry contains a key-value pair which maps the key to its associated value. To implement a dictionary, this class is to be used in a collection with unique keys.", "metadata": {"name": "DictionaryEntry", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/DictionaryEntry"}, "properties": {"key": {"type": "xsd:string", "minCount": "1", "maxCount": "1"}, "value": {"type": "xsd:string", "maxCount": "1", "minCount": "0"}}}, "Person": {"summary": "An individual human being.", "description": "A Person is an individual human being.", "metadata": {"name": "Person", "SubclassOf": "Agent", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/Person"}, "properties": {}}, "Bundle": {"summary": "A collection of Elements that have a shared context.", "description": "A bundle is a collection of Elements that have a shared context.", "metadata": {"name": "Bundle", "SubclassOf": "ElementCollection", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/Bundle"}, "properties": {"context": {"type": "xsd:string", "maxCount": "1", "minCount": "0"}}}, "Artifact": {"summary": "A distinct article or unit within the digital domain.", "description": "An artifact is a distinct article or unit within the digital domain,\nsuch as an electronic file, a software package, a device or an element of data.", "metadata": {"name": "Artifact", "SubclassOf": "Element", "Instantiability": "Abstract", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/Artifact"}, "properties": {"originatedBy": {"type": "Agent", "minCount": "0", "maxCount": "*"}, "suppliedBy": {"type": "Agent", "minCount": "0", "maxCount": "*"}, "builtTime": {"type": "DateTime", "minCount": "0", "maxCount": "1"}, "releaseTime": {"type": "DateTime", "minCount": "0", "maxCount": "1"}, "validUntilTime": {"type": "DateTime", "minCount": "0", "maxCount": "1"}, "standard": {"type": "xsd:string", "minCount": "0", "maxCount": "*"}}}, "Annotation": {"summary": "An assertion made in relation to one or more elements.", "description": "An Annotation is an assertion made in relation to one or more elements.", "metadata": {"name": "Annotation", "SubclassOf": "Element", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/Annotation"}, "properties": {"annotationType": {"type": "AnnotationType", "minCount": "1", "maxCount": "1"}, "contentType": {"type": "MediaType", "minCount": "0", "maxCount": "*"}, "statement": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}, "subject": {"type": "Element", "minCount": "1", "maxCount": "1"}}}, "ExternalMap": {"summary": "A map of Element identifiers that are used within a Document but defined external to that Document.", "description": "An External Map is a map of Element identifiers that are used within a Document\nbut defined external to that Document.\nThe external map provides details about the externally-defined Element\nsuch as its provenance, where to retrieve it, and how to verify its integrity.", "metadata": {"name": "ExternalMap", "SubclassOf": "none", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/ExternalMap"}, "properties": {"externalId": {"type": "xsd:anyURI", "minCount": "1", "maxCount": "1"}, "verifiedUsing": {"type": "IntegrityMethod", "minCount": "0", "maxCount": "*"}, "locationHint": {"type": "xsd:anyURI", "maxCount": "1", "minCount": "0"}, "definingDocument": {"type": "xsd:anyURI", "maxCount": "1", "minCount": "0"}}}}, "properties": {"begin": {"summary": "Defines the beginning of a range.", "description": "begin is a positive integer that defines the beginning of a range.", "metadata": {"name": "begin", "Nature": "DataProperty", "Range": "xsd:positiveInteger", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/begin", "Domain": ["PositiveIntegerRange"]}}, "createdUsing": {"summary": "Identifies the tooling that was used during the creation of the Element.", "description": "CreatedUsing identifies the tooling that was used during the creation of the Element.\nThe generation method will assist the recipient of the Element in assessing\nthe general reliability/accuracy of the analysis information.", "metadata": {"name": "createdUsing", "Nature": "ObjectProperty", "Range": "Tool", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/createdUsing", "Domain": ["CreationInfo"]}}, "statement": {"summary": "Commentary on an assertion that an annotator has made.", "description": "A statement is a commentary on an assertion that an annotator has made.", "metadata": {"name": "statement", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/statement", "Domain": ["Annotation"]}}, "creationInfo": {"summary": "Provides information about the creation of the Element.", "description": "CreationInfo provides information about the creation of the Element.", "metadata": {"name": "creationInfo", "Nature": "ObjectProperty", "Range": "CreationInfo", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/creationInfo", "Domain": ["Element"]}}, "locationHint": {"summary": "Provides an indication of where to retrieve an external Element.", "description": "A locationHint provides an indication of where to retrieve an external Element.", "metadata": {"name": "locationHint", "Nature": "DataProperty", "Range": "xsd:anyURI", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/locationHint", "Domain": ["ExternalMap"]}}, "identifierLocator": {"summary": "TODO", "description": "A identifierLocator is TODO", "metadata": {"name": "identifierLocator", "Nature": "DataProperty", "Range": "xsd:anyURI", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/identifierLocator", "Domain": ["ExternalIdentifier"]}}, "subject": {"summary": "An Element an annotator has made an assertion about.", "description": "A subject is an Element an annotator has made an assertion about.", "metadata": {"name": "subject", "Nature": "ObjectProperty", "Range": "Element", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/subject", "Domain": ["Annotation"]}}, "validUntilTime": {"summary": "Specifies until when the artifact can be used before its usage needs to be reassessed.", "description": "A validUntilTime specifies until when the artifact can be used before its usage needs to be reassessed.", "metadata": {"name": "validUntilTime", "Nature": "DataProperty", "Range": "DateTime", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/validUntilTime", "Domain": ["Artifact"]}}, "definingDocument": {"summary": "URI for an SPDX document which defines an SPDX element.", "description": "A definingDocument property is used to link an Element identifier to an SpdxDocument which contains the definition for the Element.", "metadata": {"name": "definingDocument", "Nature": "DataProperty", "Range": "xsd:anyURI", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/definingDocument", "Domain": ["ExternalMap"]}}, "suppliedBy": {"summary": "Identifies who or what supplied the Artifact.", "description": "Identify the actual distribution source for the Artifact being referenced.\nThis might or might not be different from the originating distribution source for the artifact.", "metadata": {"name": "suppliedBy", "Nature": "ObjectProperty", "Range": "Agent", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/suppliedBy", "Domain": ["Artifact"]}}, "value": {"summary": "A value used in a generic key-value pair.", "description": "A value used in a generic key-value pair.\nA key-value pair can be used to implement a dictionary which associates a key with a value.", "metadata": {"name": "value", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/value", "Domain": ["DictionaryEntry"]}}, "to": {"summary": "References an Element on the right-hand side of a relationship.", "description": "This field references an Element on the right-hand side of a relationship.", "metadata": {"name": "to", "Nature": "ObjectProperty", "Range": "Element", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/to", "Domain": ["Relationship"]}}, "extension": {"summary": "TODO", "description": "TODO", "metadata": {"name": "extension", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/extension", "Domain": ["Element"]}}, "externalId": {"summary": "Identifies an external Element used within a Document but defined external to that Document.", "description": "ExternalId identifies an external Element used within a Document but defined external to that Document.", "metadata": {"name": "externalId", "Nature": "DataProperty", "Range": "xsd:anyURI", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/externalId", "Domain": ["ExternalMap"]}}, "externalReference": {"summary": "Points to a resource outside the scope of the SPDX-3.0 content\nthat provides additional characteristics of an Element.", "description": "This field points to a resource outside the scope of the SPDX-3.0 content\nthat provides additional characteristics of an Element.", "metadata": {"name": "externalReference", "Nature": "ObjectProperty", "Range": "ExternalReference", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/externalReference", "Domain": ["Element"]}}, "from": {"summary": "References the Element on the left-hand side of a relationship.", "description": "This field references the Element on the left-hand side of a relationship.", "metadata": {"name": "from", "Nature": "ObjectProperty", "Range": "Element", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/from", "Domain": ["Relationship"]}}, "created": {"summary": "Identifies when the Element was originally created.", "description": "Created is a date that identifies when the Element was originally created.\nThe time stamp can serve as an indication as to whether the analysis needs to be updated. This is often the date of last change (e.g., a git commit date), not the date when the SPDX data was created, as doing so supports reproducible builds.", "metadata": {"name": "created", "Nature": "DataProperty", "Range": "DateTime", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/created", "Domain": ["CreationInfo"]}}, "releaseTime": {"summary": "Specifies the time an artifact was released.", "description": "A releaseTime specifies the time an artifact was released.", "metadata": {"name": "releaseTime", "Nature": "DataProperty", "Range": "DateTime", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/releaseTime", "Domain": ["Artifact"]}}, "startTime": {"summary": "Specifies the time from which an element is applicable / valid.", "description": "A startTime specifies the time from which element is applicable / valid.", "metadata": {"name": "startTime", "Nature": "DataProperty", "Range": "DateTime", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/startTime", "Domain": ["Relationship"]}}, "rootElement": {"summary": "Top level Element from which all other Elements are reached via relationships.", "description": "A rootElement of a collection is the top level Element from which all other Elements are reached via relationships.", "metadata": {"name": "rootElement", "Nature": "ObjectProperty", "Range": "Element", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/rootElement", "Domain": ["ElementCollection"]}}, "prefix": {"summary": "A substitute for a URI.", "description": "A prefix is a substitute for a URI.", "metadata": {"name": "prefix", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/prefix"}}, "externalIdentifierType": {"summary": "Specifies the type of the external identifier.", "description": "An externalIdentifierType specifies the type of the external identifier.", "metadata": {"name": "externalIdentifierType", "Nature": "ObjectProperty", "Range": "ExternalIdentifierType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/externalIdentifierType", "Domain": ["ExternalIdentifier"]}}, "contentType": {"summary": "Specifies the media type of an Element.", "description": "ContentType specifies the media type of an Element.", "metadata": {"name": "contentType", "Nature": "DataProperty", "Range": "MediaType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/contentType", "Domain": ["ExternalReference", "Annotation"]}}, "element": {"summary": "Refers to one or more Elements that are part of an ElementCollection.", "description": "This field refers to one or more Elements that are part of an ElementCollection.", "metadata": {"name": "element", "Nature": "ObjectProperty", "Range": "Element", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/element", "Domain": ["ElementCollection"]}}, "relationshipType": {"summary": "Information about the relationship between two Elements.", "description": "This field provides information about the relationship between two Elements.\nFor example, you can represent a relationship between two different Files,\nbetween a Package and a File, between two Packages, or between one SPDXDocument and another SPDXDocument.", "metadata": {"name": "relationshipType", "Nature": "ObjectProperty", "Range": "RelationshipType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/relationshipType", "Domain": ["Relationship"]}}, "specVersion": {"summary": "Provides a reference number that can be used to understand how to parse and interpret an Element.", "description": "The specVersion provides a reference number that can be used to understand how to parse and interpret an Element.\nIt will enable both future changes to the specification and to support backward compatibility.\nThe major version number shall be incremented when incompatible changes between versions are made\n(one or more sections are created, modified or deleted).\nThe minor version number shall be incremented when backwards compatible changes are made.\n\nHere, parties exchanging information in accordance with the SPDX specification need to provide \n100% transparency as to which SPDX specification version such information is conforming to.", "metadata": {"name": "specVersion", "Nature": "DataProperty", "Range": "SemVer", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/specVersion", "Domain": ["CreationInfo"]}}, "originatedBy": {"summary": "Identifies from where or whom the Element originally came.", "description": "OriginatedBy identifies from where or whom the Element originally came.", "metadata": {"name": "originatedBy", "Nature": "ObjectProperty", "Range": "Agent", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/originatedBy", "Domain": ["Artifact"]}}, "verifiedUsing": {"summary": "Provides an IntegrityMethod with which the integrity of an Element can be asserted.", "description": "VerifiedUsing provides an IntegrityMethod with which the integrity of an Element can be asserted.", "metadata": {"name": "verifiedUsing", "Nature": "ObjectProperty", "Range": "IntegrityMethod", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/verifiedUsing", "Domain": ["Element", "ExternalMap"]}}, "dataLicense": {"summary": "Provides the license under which the SPDX documentation of the Element can be used.", "description": "The data license provides the license under which the SPDX documentation of the Element can be used.\nThis is to alleviate any concern that content (the data or database) in an SPDX file\nis subject to any form of intellectual property right that could restrict the re-use\nof the information or the creation of another SPDX file for the same project(s).\nThis approach avoids intellectual property and related restrictions over the SPDX file,\nhowever individuals can still contract with each other to restrict release\nof specific collections of SPDX files (which map to software bill of materials)\nand the identification of the supplier of SPDX files.\nCompliance with this document includes populating the SPDX fields therein\nwith data related to such fields (\"SPDX-Metadata\"). \nThis document contains numerous fields where an SPDX file creator may provide\nrelevant explanatory text in SPDX-Metadata. Without opining on the lawfulness\nof \"database rights\" (in jurisdictions where applicable),\nsuch explanatory text is copyrightable subject matter in most Berne Convention countries.\nBy using the SPDX specification, or any portion hereof,\nyou hereby agree that any copyright rights (as determined by your jurisdiction)\nin any SPDX-Metadata, including without limitation explanatory text,\nshall be subject to the terms of the Creative Commons CC0 1.0 Universal license. \nFor SPDX-Metadata not containing any copyright rights, \nyou hereby agree and acknowledge that the SPDX-Metadata is provided to you \u201cas-is\u201d\nand without any representations or warranties of any kind concerning the SPDX-Metadata,\nexpress, implied, statutory or otherwise, including without limitation warranties\nof title, merchantability, fitness for a particular purpose, non-infringement,\nor the absence of latent or other defects, accuracy, or the presence or absence of errors,\nwhether or not discoverable, all to the greatest extent permissible under applicable law.", "metadata": {"name": "dataLicense", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/dataLicense", "Domain": ["CreationInfo"]}}, "algorithm": {"summary": "Specifies the algorithm used for calculating the hash value.", "description": "An algorithm specifies the algorithm that was used for calculating the hash value.", "metadata": {"name": "algorithm", "Nature": "ObjectProperty", "Range": "HashAlgorithm", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/algorithm", "Domain": ["Hash"]}}, "summary": {"summary": "A short description of an Element.", "description": "A summary is a short description of an Element. Here, the intent is to allow the Element creator to \nprovide concise information about the function or use of the Element.", "metadata": {"name": "summary", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/summary", "Domain": ["Element"]}}, "end": {"summary": "Defines the end of a range.", "description": "end is a positive integer that defines the end of a range.", "metadata": {"name": "end", "Nature": "DataProperty", "Range": "xsd:positiveInteger", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/end", "Domain": ["PositiveIntegerRange"]}}, "hashValue": {"summary": "The result of applying a hash algorithm to an Element.", "description": "HashValue is the result of applying a hash algorithm to an Element.", "metadata": {"name": "hashValue", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/hashValue", "Domain": ["Hash"]}}, "externalIdentifier": {"summary": "Provides a reference to a resource outside the scope of SPDX-3.0 content\nthat uniquely identifies an Element.", "description": "ExternalIdentifier points to a resource outside the scope of SPDX-3.0 content\nthat uniquely identifies an Element.", "metadata": {"name": "externalIdentifier", "Nature": "ObjectProperty", "Range": "ExternalIdentifier", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/externalIdentifier", "Domain": ["Element"]}}, "spdxId": {"summary": "Identifies an Element to be referenced by other Elements.", "description": "SpdxId uniquely identifies an Element which may thereby be referenced by other Elements.\nThese references may be internal or external.\nWhile there may be several versions of the same Element, each one needs to be able to be referred to uniquely\nso that relationships between Elements can be clearly articulated.", "metadata": {"name": "spdxId", "Nature": "DataProperty", "Range": "xsd:anyURI", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/spdxId", "Domain": ["Element"]}}, "description": {"summary": "Provides a detailed description of the Element.", "description": "This field is a detailed description of the Element. It may also be extracted from the Element itself.\nThe intent is to provide recipients of the SPDX file with a detailed technical explanation\nof the functionality, anticipated use, and anticipated implementation of the Element.\nThis field may also include a description of improvements over prior versions of the Element.", "metadata": {"name": "description", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/description", "Domain": ["Element"]}}, "locator": {"summary": "Provides the location of an external reference.", "description": "A locator provides the location of an external reference.", "metadata": {"name": "locator", "Nature": "DataProperty", "Range": "xsd:anyURI", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/locator", "Domain": ["ExternalReference"]}}, "annotationType": {"summary": "Describes the type of annotation.", "description": "An annotationType describes the type of an annotation.", "metadata": {"name": "annotationType", "Nature": "ObjectProperty", "Range": "AnnotationType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/annotationType", "Domain": ["Annotation"]}}, "issuingAuthority": {"summary": "TODO", "description": "A issuingAuthority is TODO", "metadata": {"name": "issuingAuthority", "Nature": "DataProperty", "Range": "xsd:anyURI", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/issuingAuthority", "Domain": ["ExternalIdentifier"]}}, "builtTime": {"summary": "Specifies the time an artifact was built.", "description": "A builtTime specifies the time an artifact was built.", "metadata": {"name": "builtTime", "Nature": "DataProperty", "Range": "DateTime", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/builtTime", "Domain": ["Artifact"]}}, "profile": {"summary": "Provides information about which profiles the Element belongs to.", "description": "This field provides information about which profiles the Element belongs to.", "metadata": {"name": "profile", "Nature": "ObjectProperty", "Range": "ProfileIdentifierType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/profile", "Domain": ["CreationInfo"]}}, "context": {"summary": "Gives information about the circumstances or unifying properties\nthat Elements of the bundle have been assembled under.", "description": "A context gives information about the circumstances or unifying properties\nthat Elements of the bundle have been assembled under.", "metadata": {"name": "context", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/context", "Domain": ["Bundle"]}}, "comment": {"summary": "Provide consumers with comments by the creator of the Element about the Element.", "description": "A comment is an optional field for creators of the Element to provide comments\nto the readers/reviewers of the document.", "metadata": {"name": "comment", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/comment", "Domain": ["ExternalReference", "ExternalIdentifier", "CreationInfo", "IntegrityMethod", "Element"]}}, "imports": {"summary": "Provides an ExternalMap of Element identifiers.", "description": "Imports provides an ExternalMap of Element identifiers that are used within a document\nbut defined external to that document.", "metadata": {"name": "imports", "Nature": "ObjectProperty", "Range": "ExternalMap", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/imports", "Domain": ["ElementCollection"]}}, "name": {"summary": "Identifies the name of an Element as designated by the creator.", "description": "This field identifies the name of an Element as designated by the creator. \nThe name of an Element is an important convention and easier to refer to than the URI.", "metadata": {"name": "name", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/name", "Domain": ["SpdxDocument", "Element"]}}, "standard": {"summary": "The relevant standards that may apply to an artifact.", "description": "Various standards may be relevant to useful to capture for specific artifacts.", "metadata": {"name": "standard", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/standard", "Domain": ["Artifact"]}}, "endTime": {"summary": "Specifies the time from which an element is no longer applicable / valid.", "description": "A endTime specifies the time from which element is no applicable / valid.", "metadata": {"name": "endTime", "Nature": "DataProperty", "Range": "DateTime", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/endTime", "Domain": ["Relationship"]}}, "scope": {"summary": "TODO", "description": "A scope is TODO", "metadata": {"name": "scope", "Nature": "ObjectProperty", "Range": "LifecycleScopeType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/scope", "Domain": ["LifecycleScopedRelationship"]}}, "key": {"summary": "A key used in a generic key-value pair.", "description": "A key used in generic a key-value pair.\nA key-value pair can be used to implement a dictionary which associates a key with a value.", "metadata": {"name": "key", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/key", "Domain": ["DictionaryEntry"]}}, "identifier": {"summary": "Uniquely identifies an external element.", "description": "An identifier uniquely identifies an external element.", "metadata": {"name": "identifier", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/identifier", "Domain": ["ExternalIdentifier"]}}, "completeness": {"summary": "Provides information about the completeness of relationships.", "description": "Completeness gives information about whether the provided relationships are\ncomplete, known to be incomplete or if no assertion is made either way.", "metadata": {"name": "completeness", "Nature": "ObjectProperty", "Range": "RelationshipCompleteness", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/completeness", "Domain": ["Relationship"]}}, "externalReferenceType": {"summary": "Specifies the type of the external reference.", "description": "An externalReferenceType specifies the type of the external reference.", "metadata": {"name": "externalReferenceType", "Nature": "ObjectProperty", "Range": "ExternalReferenceType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/externalReferenceType", "Domain": ["ExternalReference"]}}, "createdBy": {"summary": "Identifies who or what created the Element.", "description": "CreatedBy identifies who or what created the Element.\nThe generation method will assist the recipient of the Element in assessing\nthe general reliability/accuracy of the analysis information.", "metadata": {"name": "createdBy", "Nature": "ObjectProperty", "Range": "Agent", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/createdBy", "Domain": ["CreationInfo"]}}}, "vocabs": {"RelationshipCompleteness": {"summary": "Indicates whether a relationship is complete or known to be incomplete or if there\nis made no assertion either way.", "description": "RelationshipCompleteness indicates whether a relationship is complete or \nknown to be incomplete or if there is made no assertion either way.", "metadata": {"name": "RelationshipCompleteness", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/RelationshipCompleteness"}, "entries": {"incomplete": "The relationship is known not to be exhaustive.", "complete": "The relationship is known to be exhaustive.", "noAssertion": "There can be made no assertion about the completeness of the relationship."}}, "ProfileIdentifierType": {"summary": "Enumeration of the valid profiles that an element can be specified to be part of.", "description": "There are a set of profiles that have been defined to be valid for a specific release This file enumerates the values that have been agreed on, and may be applied to the creation information for an an element.", "metadata": {"name": "ProfileIdentifierType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/ProfileIdentifierType"}, "entries": {"core": "the element follows the Core profile specification", "software": "the element follows the Software profile specification", "licensing": "the element follows the Licensing profile specification", "security": "the element follows the Security profile specification", "build": "the element follows the Build profile specification", "ai": "the element follows the AI profile specification", "dataset": "the element follows the Dataset profile specification", "usage": "the element follows the Usage profile specification", "extension": "the element follows the Extension profile specification"}}, "ExternalIdentifierType": {"summary": "Specifies the type of an external identifier.", "description": "ExteralIdentifierType specifies the type of an external identifier.", "metadata": {"name": "ExternalIdentifierType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/ExternalIdentifierType"}, "entries": {"cpe22": "https://cpe.mitre.org/files/cpe-specification_2.2.pdf", "cpe23": "https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7695.pdf", "cve": "An identifier for a specific software flaw defined within the official CVE Dictionary and that conforms to the CVE specification as defined by https://csrc.nist.gov/glossary/term/cve_id.", "email": "https://datatracker.ietf.org/doc/html/rfc3696#section-3", "gitoid": "https://www.iana.org/assignments/uri-schemes/prov/gitoid Gitoid stands for [Git Object ID](https://git-scm.com/book/en/v2/Git-Internals-Git-Objects) and a gitoid of type blob is a unique hash of a binary artifact. A gitoid may represent the software [Artifact ID](https://github.com/omnibor/spec/blob/main/spec/SPEC.md#artifact-id) or the [OmniBOR Identifier](https://github.com/omnibor/spec/blob/main/spec/SPEC.md#omnibor-identifier) for the software artifact's associated [OmniBOR Document](https://github.com/omnibor/spec/blob/main/spec/SPEC.md#omnibor-document); this ambiguity exists because the OmniBOR Document is itself an artifact, and the gitoid of that artifact is its valid identifier. Omnibor is a minimalistic schema to describe software [Artifact Dependency Graphs](https://github.com/omnibor/spec/blob/main/spec/SPEC.md#artifact-dependency-graph-adg). Gitoids calculated on software artifacts (Snippet, File, or Package Elements) should be recorded in the SPDX 3.0 SoftwareArtifact's ContentIdentifier property. Gitoids calculated on the OmniBOR Document (OmniBOR Identifiers) should be recorded in the SPDX 3.0 Element's ExternalIdentifier property.", "other": "Used when the type doesn't match any of the other options.", "pkgUrl": "https://github.com/package-url/purl-spec", "securityOther": "Used when there is a security related identifier of unspecified type.", "swhid": "https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html", "swid": "https://www.ietf.org/archive/id/draft-ietf-sacm-coswid-21.html#section-2.3", "urlScheme": "the scheme used in order to locate a resource https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml"}}, "ExternalReferenceType": {"summary": "Specifies the type of an external reference.", "description": "ExteralReferenceType specifies the type of an external reference.", "metadata": {"name": "ExternalReferenceType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/ExternalReferenceType"}, "entries": {"altDownloadLocation": "A reference to an alternative download location.", "altWebPage": "A reference to an alternative web page.", "binaryArtifact": "A reference to binary artifacts related to a package.", "buildMeta": "A reference build metadata related to a published package.", "buildSystem": "A reference build system used to create or publish the package.", "chat": "A reference to the instant messaging system used by the maintainer for a package.", "certificationReport": "A reference to a certification report for a package from an accredited/independent body.", "componentAnalysisReport": "A reference to a Software Composition Analysis (SCA) report.", "documentation": "A reference to the documentation for a package.", "dynamicAnalysisReport": "A reference to a dynamic analysis report for a package.", "eolNotice": "A reference to the End Of Sale (EOS) and/or End Of Life (EOL) information related to a package.", "exportControlAssessment": "A reference to a export control assessment for a package.", "funding": "A reference to funding information related to a package.", "issueTracker": "A reference to the issue tracker for a package.", "mailingList": "A reference to the mailing list used by the maintainer for a package.", "metrics": "A reference to metrics related to package such as OpenSSF scorecards.", "license": "A reference to additional license information related to an artifact.", "other": "Used when the type doesn't match any of the other options.", "privacyAssessment": "A reference to a privacy assessment for a package.", "productMetadata": "A reference to additional product metadata such as reference within organization's product catalog.", "purchaseOrder": "A reference to a purchase order for a package.", "releaseNotes": "A reference to the release notes for a package.", "releaseHistory": "A reference to a published list of releases for a package.", "riskAssessment": "A reference to a risk assessment for a package.", "runtimeAnalysisReport": "A reference to a runtime analysis report for a package.", "secureSoftwareAttestation": "A reference to information assuring that the software is developed using security practices as defined by [NIST SP 800-218 Secure Software Development Framework (SSDF)](https://csrc.nist.gov/publications/detail/sp/800-218/final) or [CISA Secure Software Development Attestation Form](https://www.cisa.gov/sites/default/files/2023-04/secure-software-self-attestation_common-form_508.pdf).", "securityAdvisory": "A reference to a published security advisory (where advisory as defined per ISO 29147:2018) that may affect one or more elements, e.g., vendor advisories or specific NVD entries.", "securityAdversaryModel": "A reference to the security adversary model for a package.", "securityFix": "A reference to the patch or source code that fixes a vulnerability.", "securityOther": "A reference to related security information of unspecified type.", "securityPenTestReport": "A reference to a [penetration test](https://en.wikipedia.org/wiki/Penetration_test) report for a package.", "securityPolicy": "A reference to instructions for reporting newly discovered security vulnerabilities for a package.", "securityThreatModel": "A reference the [security threat model](https://en.wikipedia.org/wiki/Threat_model) for a package.", "socialMedia": "A reference to a social media channel for a package.", "sourceArtifact": "A reference to an artifact containing the sources for a package.", "staticAnalysisReport": "A reference to a static analysis report for a package.", "support": "A reference to the software support channel or other support information for a package.", "vcs": "A reference to a version control system related to a software artifact.", "vulnerabilityDisclosureReport": "A reference to a Vulnerability Disclosure Report (VDR) which provides the software supplier's analysis and findings describing the impact (or lack of impact) that reported vulnerabilities have on packages or products in the supplier's SBOM as defined in [NIST SP 800-161](https://csrc.nist.gov/publications/detail/sp/800-161/rev-1/final).", "vulnerabilityExploitabilityAssessment": "A reference to a Vulnerability Exploitability eXchange (VEX) statement which provides information on whether a product is impacted by a specific vulnerability in an included package and, if affected, whether there are actions recommended to remediate. See also [NTIA VEX one-page](https://ntia.gov/files/ntia/publications/vex_one-page_summary.pdf)..", "qualityAssessmentReport": "A reference to a quality assessment for a package."}}, "LifecycleScopeType": {"summary": "TODO", "description": "TODO", "metadata": {"name": "LifecycleScopeType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/LifecycleScopeType"}, "entries": {"design": "TODOdescription", "build": "TODOdescription", "development": "TODOdescription", "test": "TODOdescription", "runtime": "TODOdescription", "other": "TODOdescription"}}, "AnnotationType": {"summary": "Specifies the type of an annotation.", "description": "AnnotationType specifies the type of an annotation.", "metadata": {"name": "AnnotationType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/AnnotationType"}, "entries": {"other": "Used to store extra information about an Element which is not part of a Review (e.g. extra information provided during the creation of the Element).", "review": "Used when someone reviews the Element."}}, "HashAlgorithm": {"summary": "A mathematical algorithm that maps data of arbitrary size to a bit string.", "description": "A HashAlgorithm is a mathematical algorithm that maps data of arbitrary size to a bit string (the hash)\nand is a one-way function, that is, a function which is practically infeasible to invert.", "metadata": {"name": "HashAlgorithm", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/HashAlgorithm"}, "entries": {"blake2b256": "blake2b algorithm with a digest size of 256 https://datatracker.ietf.org/doc/html/rfc7693#section-4", "blake2b384": "blake2b algorithm with a digest size of 384 https://datatracker.ietf.org/doc/html/rfc7693#section-4", "blake2b512": "blake2b algorithm with a digest size of 512 https://datatracker.ietf.org/doc/html/rfc7693#section-4", "blake3": "https://github.com/BLAKE3-team/BLAKE3-specs/blob/master/blake3.pdf", "crystalsKyber": "https://pq-crystals.org/kyber/index.shtml", "crystalsDilithium": "https://pq-crystals.org/dilithium/index.shtml", "falcon": "https://falcon-sign.info/falcon.pdf", "md2": "https://datatracker.ietf.org/doc/rfc1319/", "md4": "https://datatracker.ietf.org/doc/html/rfc1186", "md5": "https://datatracker.ietf.org/doc/html/rfc1321", "md6": "https://people.csail.mit.edu/rivest/pubs/RABCx08.pdf", "other": "any hashing algorithm that does not exist in this list of entries", "sha1": "https://datatracker.ietf.org/doc/html/rfc3174", "sha224": "secure hashing algorithm with a digest length of 224 https://datatracker.ietf.org/doc/html/draft-ietf-pkix-sha224-01", "sha256": "secure hashing algorithm with a digest length of 256 https://www.rfc-editor.org/rfc/rfc4634", "sha3_224": "sha3 with a digest length of 224 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf", "sha3_256": "sha3 with a digest length of 256 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf", "sha3_384": "sha3 with a digest length of 384 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf", "sha3_512": "sha3 with a digest length of 512 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf", "sha384": "secure hashing algorithm with a digest length of 384 https://www.rfc-editor.org/rfc/rfc4634", "sha512": "secure hashing algorithm with a digest length of 512 https://www.rfc-editor.org/rfc/rfc4634", "spdxPvcSha1": "TODOdescription", "spdxPvcSha256": "TODOdescription", "sphincsPlus": "TODOdescription"}}, "RelationshipType": {"summary": "Information about the relationship between two Elements.", "description": "Provides information about the relationship between two Elements.\nFor example, you can represent a relationship between two different Files,\nbetween a Package and a File, between two Packages, or between one SPDXDocument and another SPDXDocument.", "metadata": {"name": "RelationshipType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/RelationshipType"}, "entries": {"affects": "(Security/VEX) Designates one or more elements as affected by a vulnerability", "amends": "Every `to` Element amends the `from` Element", "ancestor": "Every `to` Element is an ancestor of the `from` Element", "availableFrom": "This relationship is used to identify additional suppliers where an artifact is available from.", "buildDependency": "Every `to` Element is a build dependency of the `from` Element", "buildTool": "Build tool used to build an Element. This may be used to describe the build tool of a Build instance", "coordinatedBy": "(Security) Used to identify the vendor, researcher, or consumer agent performing coordination for a vulnerability", "contains": "Every `to` Element is contained by the `from` Element", "configOf": "(Build) Configuration information applied to an Element instance during a LifeycleScopeType period. Example: Build configuration of the build instance", "copy": "Every `to` Element is a copy of the `from` Element", "dataFile": "Every `to` Element is a data file related to the the `from` Element", "dependencyManifest": "Every `to` Element is manifest file containing dependency information related to the `from` Element", "dependsOn": "Every `to` Element is a dependecy of the `from` Element", "descendant": "This relationship may be used to describe child builds of a Build instance.", "describes": "Every `to` Element is described by the `from` Element. This can be used to denote the root(s) of a tree of elements contained in an SBOM.", "devDependency": "Every `to` Element is a development dependency for the `from` Element", "devTool": "Every `to` Element is a development tool for the `from` Element", "distributionArtifact": "Every `to` Element is an artifact intended for distribution of the `from` Element (e.g. an RPM or archive file)", "documentation": "Every `to` Element is documentation for the `from` Element", "doesNotAffect": "(Security/VEX) Specifies a vulnerability has no impact on one or more elements", "dynamicLink": "Every `to` Element is dynamically linked to the `from` Element", "example": "Every `to` Element is an example for the `from` Element", "evidenceFor": "(Dataset) Every `to` Element is can be considered as evidence for the `from` Element", "expandedFromArchive": "Every `to` Element is an artifact expanded from the `from` archive file", "exploitCreatedBy": "(Security) Designates an agent has created an exploit against a vulnerability", "fileAdded": "Every `to` Element is is a file added to the `from` Element", "fileDeleted": "Every `to` Element is a file deleted from the `from` Element", "fileModified": "Every `to` Element is a modification of the `from` Element", "fixedBy": "(Security) Designates a vulnerability has been fixed by an agent", "fixedIn": "(Security/VEX) A vulnerability has been fixed in one or more elements", "foundBy": "(Security) Designates an agent was the original discoverer of a security vulnerability", "generates": "Every `to` Element is generated from the `from` Element", "hasAssessmentFor": "(Security) Relates a Vulnerability and an Element with a security assessment.", "hasAssociatedVulnerability": "(Security) Used to associate a security vulnerability with a software artifact", "hostOf": "(Build) The`from` Element in which every instance of the `to` Element during a LifecycleScopeType period runs on. Example: host that the build runs on for an element.", "inputOf": "(Build) Input to the Element instance during a LifecycleScopeType period. Example: input to the build instance for an element.", "invokedBy": "(Build) Every`to` Agent that invoked a `from` Element instance during a LifecycleScopeType period. Example: Agent that invoked the build for an element", "metafile": "Every `to` Element is is a file containing metadata about the `from` Element", "onBehalfOf": "(Build) Every `to` Agent acting on behalf of another `from` Agent during a LifecycleScopeType period", "optionalComponent": "Every `to` Element is an optional component of the `from` Element", "optionalDependency": "Every `to` Element is an optional dependency of the `from` Element", "other": "Every `to` Element is related to the `from` Element where the relationship type is not described by any of the SPDX relationhip types", "outputOf": "(Build) `from` Element that is output `to` the Element instance during a LifecycleScopeType period. Example: output of the build instance", "packages": "Every `to` Element is a packaged form of the `from` Element", "patch": "Every `to` Element is a patch for the `from` Element", "prerequisite": "Every `to` Element is a prerequisite of the `from` Element", "providedDependency": "Every `to` Element is a dependency not included in the distributed artifact but is assumed to be provided the `from` Element", "publishedBy": "(Security) Designates the agent that made a vulnerability record available for public use or reference", "reportedBy": "(Security) Designates the agent that first reported a vulnerability to the project, vendor, or tracking database for formal identification", "republishedBy": "(Security) Designates the agent that tracked, aggregated, and/or enriched vulnerability details to improve context (i.e. NVD)", "requirementFor": "Every `to` Element is required for the `from` Element", "runtimeDependency": "Every `to` Element is a runtime dependency for the `from` Element", "specificationFor": "Every `to` Element is a specification for the `from` Element", "staticLink": "Every `to` Element is statically linked to the `from` Element", "test": "Every `to` Element is a test artifact for the `from` Element", "testCase": "Every `to` Element is a test case for the `from` Element", "testDependency": "Every `to` Element is a test dependency for the `from` Element", "testTool": "Every `to` Element is a test tool for the `from` Element", "testedOn": "(AI, Dataset) The `from` Element has been tested on the `to` Element", "trainedOn": "(AI, Dataset) The `from` Element has been trained by the `to` Element(s)", "underInvestigationFor": "(Security/VEX) The impact of a vulnerability is being investigated", "variant": "Every `to` Element is a variant the `from` Element"}}}}, "Dataset": {"name": "Dataset", "classes": {"Dataset": {"summary": "Provides information about the fields in the Dataset profile.", "description": "Metadata information that can be added to a dataset that may be used in a software or to train/test an AI package.\nExternal property restriction on /Core/Artifact/originatedBy: minCount: 1\nExternal property restriction on /Software/Package/downloadLocation: minCount: 1\nExternal property restriction on /Software/SoftwareArtifact/primaryPurpose: minCount: 1\nExternal property restriction on /Core/Artifact/releaseTime: minCount: 1\nExternal property restriction on /Core/Artifact/builtTime: minCount: 1", "metadata": {"name": "Dataset", "SubclassOf": "/Software/Package", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Dataset/Dataset"}, "properties": {"datasetType": {"type": "DatasetType", "minCount": "1", "maxCount": "*"}, "dataCollectionProcess": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}, "intendedUse": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}, "datasetSize": {"type": "xsd:nonNegativeInteger", "minCount": "0", "maxCount": "1"}, "datasetNoise": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}, "dataPreprocessing": {"type": "xsd:string", "minCount": "0", "maxCount": "*"}, "sensor": {"type": "/Core/DictionaryEntry", "minCount": "0", "maxCount": "*"}, "knownBias": {"type": "xsd:string", "minCount": "0", "maxCount": "*"}, "sensitivePersonalInformation": {"type": "PresenceType", "minCount": "0", "maxCount": "1"}, "anonymizationMethodUsed": {"type": "xsd:string", "minCount": "0", "maxCount": "*"}, "confidentialityLevel": {"type": "ConfidentialityLevelType", "minCount": "0", "maxCount": "1"}, "datasetUpdateMechanism": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}, "datasetAvailability": {"type": "DatasetAvailabilityType", "minCount": "0", "maxCount": "1"}}}}, "properties": {"knownBias": {"summary": "Records the biases that the dataset is known to encompass.", "description": "KnownBias is a free form text field that describes the different biases that the dataset encompasses.", "metadata": {"name": "knownBias", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Dataset/knownBias", "Domain": ["Dataset"]}}, "dataPreprocessing": {"summary": "Describes the preprocessing steps that were applied to the raw data to create the given dataset.", "description": "DataPreprocessing describes the various preprocessing steps\nthat were applied to the raw data to create the dataset.", "metadata": {"name": "dataPreprocessing", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Dataset/dataPreprocessing", "Domain": ["Dataset"]}}, "datasetNoise": {"summary": "Describes potentially noisy elements of the dataset.", "description": "DatasetNoise describes what kinds of noises a dataset might encompass.\nThe field uses free form text to specify the fields or the samples that might be noisy.\nAlternatively, it can also be used to describe various noises that could impact the whole dataset.", "metadata": {"name": "datasetNoise", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Dataset/datasetNoise", "Domain": ["Dataset"]}}, "datasetUpdateMechanism": {"summary": "Describes a mechanism to update the dataset.", "description": "DatasetUpdateMechanism describes a mechanism to update the dataset.", "metadata": {"name": "datasetUpdateMechanism", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Dataset/datasetUpdateMechanism", "Domain": ["Dataset"]}}, "datasetSize": {"summary": "Captures the size of the dataset.", "description": "DatasetSize Captures how large a dataset is.\nThe size is to be measured in bytes.", "metadata": {"name": "datasetSize", "Nature": "DataProperty", "Range": "xsd:nonNegativeInteger", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Dataset/datasetSize", "Domain": ["Dataset"]}}, "sensitivePersonalInformation": {"summary": "Describes if any sensitive personal information is present in the dataset.", "description": "SensitivePersonalInformation indicates the presence of sensitive personal data\nor information that allows drawing conclusions about a person's identity.", "metadata": {"name": "sensitivePersonalInformation", "Nature": "ObjectProperty", "Range": "PresenceType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Dataset/sensitivePersonalInformation", "Domain": ["Dataset"]}}, "confidentialityLevel": {"summary": "Describes the confidentiality level of the data points contained in the dataset.", "description": "ConfidentialityLevel describes the levels of confidentiality of the data points contained in the dataset.", "metadata": {"name": "confidentialityLevel", "Nature": "ObjectProperty", "Range": "ConfidentialityLevelType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Dataset/confidentialityLevel", "Domain": ["Dataset"]}}, "dataCollectionProcess": {"summary": "Describes how the dataset was collected.", "description": "DataCollectionProcess describes how a dataset was collected.\nExamples include the sources from which a dataset was scrapped or\nthe interview protocol that was used for data collection.", "metadata": {"name": "dataCollectionProcess", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Dataset/dataCollectionProcess", "Domain": ["Dataset"]}}, "anonymizationMethodUsed": {"summary": "Describes the anonymization methods used.", "description": "AnonymizationMethodUsed describes the methods used to anonymize the dataset (of fields in the dataset).", "metadata": {"name": "anonymizationMethodUsed", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Dataset/anonymizationMethodUsed", "Domain": ["Dataset"]}}, "datasetAvailability": {"summary": "The field describes the availability of a dataset.", "description": "Some datasets are publicly available and can be downloaded directly. Others are only accessible behind a clickthrough, or after filling a registration form. This field will describe the dataset availability from that perspective.", "metadata": {"name": "datasetAvailability", "Nature": "DataProperty", "Range": "DatasetAvailabilityType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Dataset/datasetAvailability", "Domain": ["Dataset"]}}, "intendedUse": {"summary": "Describes what the given dataset should be used for.", "description": "IntendedUse describes what the given dataset should be used for.\nSome datasets are collected to be used only for particular purposes. \nFor example, medical data collected from a specific demography might only be applicable\nfor training machine learning models to make predictions for that demography.\nIn such a case, the intendedUse field would capture this information.\nSimilarly, if a dataset is collected for building a facial recognition model,\nthe intendedUse field would specify that.", "metadata": {"name": "intendedUse", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Dataset/intendedUse", "Domain": ["Dataset"]}}, "sensor": {"summary": "Describes a sensor used for collecting the data.", "description": "Sensor describes a sensor that was used for collecting the data\nand its calibration value as a key-value pair.", "metadata": {"name": "sensors", "Nature": "ObjectProperty", "Range": "/Core/DictionaryEntry", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Dataset/sensor", "Domain": ["Dataset"]}}, "datasetType": {"summary": "Describes the type of the given dataset.", "description": "Type describes the datatype contained in the dataset. For example a dataset can be an image dataset for computer vision applications, a text dataset such as the contents of a book or Wikipedia article, or sometimes a multimodal dataset that contains multiple types of data.", "metadata": {"name": "datasetType", "Nature": "DataProperty", "Range": "DatasetType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Dataset/datasetType", "Domain": ["Dataset"]}}}, "vocabs": {"DatasetType": {"summary": "Enumeration of dataset types.", "description": "Describes the different structures of data within a given dataset. A dataset can have multiple types of data, or even a single type of data but still match multiple types, for example sensor data could also be timeseries or labeled image data could also be considered categorical.", "metadata": {"name": "DatasetType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Dataset/DatasetType"}, "entries": {"structured": "data is stored in tabular format or retrieved from a relational database.", "numeric": "data consists only of numeric entries.", "text": "data consists of unstructured text, such as a book, wikipedia article (without images), or transcript.", "categorical": "data that is classified into a discrete number of categories, such as the eye color of a population of people.", "graph": "data is in the form of a graph where entries are somehow related to each other through edges, such a social network of friends.", "timeseries": "data is recorded in an ordered sequence of timestamped entries, such as the price of a stock over the course of a day.", "timestamp": "data is recorded with a timestamp for each entry, but not necessarily ordered or at specific intervals, such as when a taxi ride starts and ends.", "sensor": "data is recorded from a physical sensor, such as a thermometer reading or biometric device.", "image": "data is a collection of images such as pictures of animals.", "syntactic": "data describes the syntax or semantics of a language or text, such as a parse tree used for natural language processing.", "audio": "data is audio based, such as a collection of music from the 80s.", "video": "data is video based, such as a collection of movie clips featuring Tom Hanks.", "other": "data is of a type not included in this list.", "noAssertion": "data type is not known."}}, "DatasetAvailabilityType": {"summary": "Availability of dataset", "description": "Describes the possible types of availability of a dataset, indicating whether the dataset can be directly downloaded, can be assembled using a script for scraping the data, is only available after a clickthrough or a registration form.", "metadata": {"name": "DatasetAvailabilityType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Dataset/DatasetAvailabilityType"}, "entries": {"Direct-Download": "the dataset is publicly available and can be downloaded directly.", "Scraping-Script": "the dataset provider is not making available the underlying data and the dataset must be reassembled, typically using the provided script for scraping the data.", "Query": "the dataset is publicly available, but not all at once, and can only be accessed through queries which return parts of the dataset.", "Clickthrough": "the dataset is not publicly available and can only be accessed after affirmatively accepting terms on a clickthrough webpage.", "Registration": "the dataset is not publicly available and an email registration is required before accessing the dataset, although without an affirmative acceptance of terms."}}, "ConfidentialityLevelType": {"summary": "Categories of confidentiality level.", "description": "Describes the different confidentiality levels as given by the [Traffic Light Protocol](https://en.wikipedia.org/wiki/Traffic_Light_Protocol).", "metadata": {"name": "ConfidentialityLevelType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Dataset/ConfidentialityLevelType"}, "entries": {"Red": "Data points in the dataset are highly confidential and can only be shared with named recipients.", "Amber": "Data points in the dataset can be shared only with specific organizations and their clients on a need to know basis.", "Green": "Dataset can be shared within a community of peers and partners.", "Clear": "Dataset may be distributed freely, without restriction."}}}}, "Licensing": {"name": "Licensing", "classes": {"ListedLicense": {"summary": "A license that is listed on the SPDX License List.", "description": "A ListedLicense represents a License that is listed on the SPDX License List\nat https://spdx.org/licenses.", "metadata": {"name": "ListedLicense", "SubclassOf": "License", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/ListedLicense"}, "properties": {"listVersionAdded": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}, "deprecatedVersion": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}}}, "WithAdditionOperator": {"summary": "Portion of an AnyLicenseInfo representing a License which has additional\ntext applied to it", "description": "A WithAdditionOperator indicates that the designated License is subject to the\ndesignated LicenseAddition, which might be a license exception on the SPDX\nExceptions List (ListedLicenseException) or may be other additional text\n(CustomLicenseAddition). It is represented in the SPDX License Expression\nSyntax by the `WITH` operator.", "metadata": {"name": "WithAdditionOperator", "SubclassOf": "AnyLicenseInfo", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/WithAdditionOperator"}, "properties": {"subjectLicense": {"type": "ExtendableLicense", "minCount": "1", "maxCount": "1"}, "subjectAddition": {"type": "LicenseAddition", "minCount": "1", "maxCount": "1"}}}, "License": {"summary": "Abstract class for the portion of an AnyLicenseInfo representing a license.", "description": "A License represents a license text, whether listed on the SPDX License List\n(ListedLicense) or defined by an SPDX data creator (CustomLicense).", "metadata": {"name": "License", "SubclassOf": "ExtendableLicense", "Instantiability": "Abstract", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/License"}, "properties": {"licenseText": {"type": "xsd:string", "minCount": "1", "maxCount": "1"}, "isOsiApproved": {"type": "xsd:boolean", "minCount": "0", "maxCount": "1"}, "isFsfLibre": {"type": "xsd:boolean", "minCount": "0", "maxCount": "1"}, "standardLicenseHeader": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}, "standardLicenseTemplate": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}, "isDeprecatedLicenseId": {"type": "xsd:boolean", "minCount": "0", "maxCount": "1"}, "obsoletedBy": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}}}, "CustomLicenseAddition": {"summary": "A license addition that is not listed on the SPDX Exceptions List.", "description": "A CustomLicenseAddition represents an addition to a License that is not listed\non the SPDX Exceptions List at https://spdx.org/licenses/exceptions-index.html,\nand is therefore defined by an SPDX data creator.\n\nIt is intended to represent additional language which is meant to be added to\na License, but which is not itself a standalone License.", "metadata": {"name": "CustomLicenseAddition", "SubclassOf": "LicenseAddition", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/CustomLicenseAddition"}, "properties": {}}, "LicenseAddition": {"summary": "Abstract class for additional text intended to be added to a License, but\nwhich is not itself a standalone License.", "description": "A LicenseAddition represents text which is intended to be added to a License\nas additional text, but which is not itself intended to be a standalone\nLicense.\n\nIt may be an exception which is listed on the SPDX Exceptions List\n(ListedLicenseException), or may be any other additional text (as an exception\nor otherwise) which is defined by an SPDX data creator (CustomLicenseAddition).", "metadata": {"name": "LicenseAddition", "SubclassOf": "/Core/Element", "Instantiability": "Abstract", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/LicenseAddition"}, "properties": {"additionText": {"type": "xsd:string", "minCount": "1", "maxCount": "1"}, "standardAdditionTemplate": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}, "isDeprecatedAdditionId": {"type": "xsd:boolean", "minCount": "0", "maxCount": "1"}, "obsoletedBy": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}}}, "OrLaterOperator": {"summary": "Portion of an AnyLicenseInfo representing this version, or any later version,\nof the indicated License.", "description": "An OrLaterOperator indicates that this portion of the AnyLicenseInfo\nrepresents either (1) the specified version of the corresponding License, or\n(2) any later version of that License. It is represented in the SPDX License\nExpression Syntax by the `+` operator.\n\nIt is context-dependent, and unspecified by SPDX, as to what constitutes a\n\"later version\" of any particular License. Some Licenses may not be versioned,\nor may not have clearly-defined ordering for versions. The consumer of SPDX\ndata will need to determine for themselves what meaning to attribute to a\n\"later version\" operator for a particular License.", "metadata": {"name": "OrLaterOperator", "SubclassOf": "ExtendableLicense", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/OrLaterOperator"}, "properties": {"subjectLicense": {"type": "License", "minCount": "1", "maxCount": "1"}}}, "CustomLicense": {"summary": "A license that is not listed on the SPDX License List.", "description": "A CustomLicense represents a License that is not listed on the SPDX License\nList at https://spdx.org/licenses, and is therefore defined by an SPDX data\ncreator.", "metadata": {"name": "CustomLicense", "SubclassOf": "License", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/CustomLicense"}, "properties": {}}, "LicenseExpression": {"summary": "An SPDX Element containing an SPDX license expression string.", "description": "Often a single license can be used to represent the licensing terms of a source code or binary file, but there are situations where a single license identifier is not sufficient. A common example is when software is offered under a choice of one or more licenses (e.g., GPL-2.0-only OR BSD-3-Clause). Another example is when a set of licenses is needed to represent a binary program constructed by compiling and linking two (or more) different source files each governed by different licenses (e.g., LGPL-2.1-only AND BSD-3-Clause).\n\nSPDX License Expressions provide a way for one to construct expressions that more accurately represent the licensing terms typically found in open source software source code. A license expression could be a single license identifier found on the SPDX License List; a user defined license reference denoted by the LicenseRef-idString; a license identifier combined with an SPDX exception; or some combination of license identifiers, license references and exceptions constructed using a small set of defined operators (e.g., AND, OR, WITH and +). We provide the definition of what constitutes a valid an SPDX License Expression in this section.", "metadata": {"name": "LicenseExpression", "SubclassOf": "AnyLicenseInfo", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/LicenseExpression"}, "properties": {"licenseExpression": {"type": "xsd:string", "minCount": "1", "maxCount": "1"}}}, "ListedLicenseException": {"summary": "A license exception that is listed on the SPDX Exceptions list.", "description": "A ListedLicenseException represents an exception to a License (in other words,\nan exception to a license condition or an additional permission beyond those\ngranted in a License) which is listed on the SPDX Exceptions List at\nhttps://spdx.org/licenses/exceptions-index.html.", "metadata": {"name": "ListedLicenseException", "SubclassOf": "LicenseAddition", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/ListedLicenseException"}, "properties": {"listVersionAdded": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}, "deprecatedVersion": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}}}, "AnyLicenseInfo": {"summary": "Abstract class representing a license combination consisting of one or more\nlicenses (optionally including additional text), which may be combined\naccording to the SPDX license expression syntax.", "description": "An AnyLicenseInfo is used by licensing properties of software artifacts.\nIt can be a NoneLicense, a NoAssertionLicense,\nsingle license (either on the SPDX License List or a custom-defined license);\na single license with an \"or later\" operator applied; the foregoing with\nadditional text applied; or a set of licenses combined by applying \"AND\" and\n\"OR\" operators recursively.", "metadata": {"name": "AnyLicenseInfo", "SubclassOf": "/Core/Element", "Instantiability": "Abstract", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/AnyLicenseInfo"}, "properties": {}}}, "properties": {"seeAlso": {"summary": "Contains a URL where the License or LicenseAddition can be found in use.", "description": "A seeAlso defines a cross-reference with a URL where the License or\nLicenseAddition can be found in use by one or a few projects.\n\nIf applicable, it should include a URL where the license text is posted by\nthe license steward, particularly if the license steward has made available a\n\"canonical\" primary URL for the license text.\n\nIf the license is OSI approved, a seeAlso should be included with the URL for\nthe license's listing on the OSI website.\n\nThe seeAlso URL may refer to a previously-available URL for the License or\nLicenseAddition which is no longer active.\n\nWhere applicable, the seeAlso URL should include the license text in its\nnative language. seeAlso URLs to English or other translations may be included\nwhere multiple, equivalent official translations exist.", "metadata": {"name": "seeAlso", "Nature": "DataProperty", "Range": "xsd:anyURI", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/seeAlso"}}, "standardLicenseHeader": {"summary": "Provides a License author's preferred text to indicate that a file is covered\nby the License.", "description": "A standardLicenseHeader contains the plain text of the License author's\npreferred wording to be used, typically in a source code file's header\ncomments or similar location, to indicate that the file is subject to\nthe specified License.", "metadata": {"name": "standardLicenseHeader", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/standardLicenseHeader", "Domain": ["License"]}}, "licenseName": {"summary": "Identifies the full name of a License.", "description": "A licenseName contains the full name of a License, preferably using the title found\nin the applicable license text or file, or as otherwise specified by the\nLicense's author or steward.\n\nWhen no such title is specified, using a name from another well-known source or list\nof licenses (such as OSI or Fedora) is suggested.\n\nIf no official or common name is known, any name may be used to aid in\ndistinguishing the License from other Licenses.", "metadata": {"name": "licenseName", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/licenseName"}}, "licenseText": {"summary": "Identifies the full text of a License.", "description": "A licenseText contains the plain text of the License, without templating\nor other similar markup.\n\nUsers of the licenseText for a License can apply the SPDX Matching Guidelines\nwhen comparing it to another text for matching purposes.", "metadata": {"name": "licenseText", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/licenseText", "Domain": ["License"]}}, "isDeprecatedLicenseId": {"summary": "Specifies whether a license or additional text identifier has been marked as\ndeprecated.", "description": "The isDeprecatedLicenseId property specifies whether an identifier for a\nLicense or LicenseAddition has been marked as deprecated. If the property\nis not defined, then it is presumed to be false (i.e., not deprecated).\n\nIf the License or LicenseAddition is included on the SPDX License List, then\nthe `deprecatedVersion` property indicates on which version release of the\nLicense List it was first marked as deprecated.\n\n\"Deprecated\" in this context refers to deprecating the use of the\n_identifier_, not the underlying license. In other words, even if a License's\nauthor or steward has stated that a particular License generally should not be\nused, that would _not_ mean that the License's identifier is \"deprecated.\"\nRather, a License or LicenseAddition operator is typically marked as\n\"deprecated\" when it is determined that use of another identifier is\npreferable.", "metadata": {"name": "isDeprecatedLicenseId", "Nature": "DataProperty", "Range": "xsd:boolean", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/isDeprecatedLicenseId", "Domain": ["License"]}}, "isDeprecatedAdditionId": {"summary": "Specifies whether an additional text identifier has been marked as deprecated.", "description": "The isDeprecatedAdditionId property specifies whether an identifier for a\nLicenseAddition has been marked as deprecated. If the property is not defined,\nthen it is presumed to be false (i.e., not deprecated).\n\nIf the LicenseAddition is included on the SPDX Exceptions List, then\nthe `deprecatedVersion` property indicates on which version release of the\nExceptions List it was first marked as deprecated.\n\n\"Deprecated\" in this context refers to deprecating the use of the\n_identifier_, not the underlying license addition. In other words, even if a\nLicenseAddition's author or steward has stated that a particular\nLicenseAddition generally should not be used, that would _not_ mean that the\nLicenseAddition's identifier is \"deprecated.\" Rather, a LicenseAddition\noperator is typically marked as \"deprecated\" when it is determined that use of\nanother identifier is preferable.", "metadata": {"name": "isDeprecatedAdditionId", "Nature": "DataProperty", "Range": "xsd:boolean", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/isDeprecatedAdditionId", "Domain": ["LicenseAddition"]}}, "additionText": {"summary": "Identifies the full text of a LicenseAddition.", "description": "An additionText contains the plain text of the LicenseAddition, without\ntemplating or other similar markup.\n\nUsers of the additionText for a License can apply the SPDX Matching Guidelines\nwhen comparing it to another text for matching purposes.", "metadata": {"name": "additionText", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/additionText", "Domain": ["LicenseAddition"]}}, "isFsfLibre": {"summary": "Specifies whether the License is listed as free by the\n[Free Software Foundation (FSF)](https://fsf.org).", "description": "isFsfLibre specifies whether the [Free Software Foundation FSF](https://fsf.org)\nhas listed this License as \"free\" in their commentary on licenses, located at\nthe time of this writing at https://www.gnu.org/licenses/license-list.en.html.\n\nA value of \"true\" indicates that the FSF has listed this License as _free_.\n\nA value of \"false\" indicates that the FSF has listed this License as _not free_.\n\nIf the isFsfLibre field is not specified, the SPDX data creator makes no\nassertions about whether the License is listed in the FSF's commentary.", "metadata": {"name": "isFsfLibre", "Nature": "DataProperty", "Range": "xsd:boolean", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/isFsfLibre", "Domain": ["License"]}}, "listVersionAdded": {"summary": "Specifies the SPDX License List version in which this ListedLicense or\nListedLicenseException identifier was first added.", "description": "A listVersionAdded for a ListedLicense or ListedLicenseException on the SPDX\nLicense List specifies which version release of the License List was the first\none in which it was included.", "metadata": {"name": "listVersionAdded", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/listVersionAdded", "Domain": ["ListedLicense", "ListedLicenseException"]}}, "licenseExpression": {"summary": "A string in the license expression format.", "description": "Often a single license can be used to represent the licensing terms of a source code or binary file, but there are situations where a single license identifier is not sufficient. A common example is when software is offered under a choice of one or more licenses (e.g., GPL-2.0-only OR BSD-3-Clause). Another example is when a set of licenses is needed to represent a binary program constructed by compiling and linking two (or more) different source files each governed by different licenses (e.g., LGPL-2.1-only AND BSD-3-Clause).\n\nSPDX License Expressions provide a way for one to construct expressions that more accurately represent the licensing terms typically found in open source software source code. A license expression could be a single license identifier found on the SPDX License List; a user defined license reference denoted by the LicenseRef-idString; a license identifier combined with an SPDX exception; or some combination of license identifiers, license references and exceptions constructed using a small set of defined operators (e.g., AND, OR, WITH and +). We provide the definition of what constitutes a valid an SPDX License Expression in this section.", "metadata": {"name": "licenseExpression", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/licenseExpression", "Domain": ["LicenseExpression"]}}, "obsoletedBy": {"summary": "Specifies the licenseId that is preferred to be used in place of a deprecated\nLicense or LicenseAddition.", "description": "An obsoletedBy value for a deprecated License or LicenseAddition specifies\nthe licenseId of the replacement License or LicenseAddition that is preferred\nto be used in its place. It should use the same format as specified for a\nlicenseId.\n\nThe License's or LicenseAddition's comment value may include more information\nabout the reason why the licenseId specified in the obsoletedBy value is\npreferred.", "metadata": {"name": "obsoletedBy", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/obsoletedBy", "Domain": ["License", "LicenseAddition"]}}, "standardLicenseTemplate": {"summary": "Identifies the full text of a License, in SPDX templating format.", "description": "A standardLicenseTemplate contains a license template which describes\nsections of the License text which can be varied. See the Legacy Text Template\nformat section of the SPDX specification for format information.", "metadata": {"name": "standardLicenseTemplate", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/standardLicenseTemplate", "Domain": ["License"]}}, "additionName": {"summary": "Identifies the full name of a LicenseAddition.", "description": "An additionName contains the full name of a LicenseAddition, preferably using\nthe title found in the applicable license addition text or file, or as\notherwise specified by the LicenseAddition's author or steward.\n\nWhen no such title is specified, using a name from another well-known source or list\nof licenses additions (such as OSI or Fedora) is suggested.\n\nIf no official or common name is known, any name may be used to aid in\ndistinguishing the LicenseAddition from other LicenseAdditions.", "metadata": {"name": "additionName", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/additionName"}}, "standardAdditionTemplate": {"summary": "Identifies the full text of a LicenseAddition, in SPDX templating format.", "description": "A standardAdditionTemplate contains a license addition template which describes\nsections of the LicenseAddition text which can be varied. See the Legacy Text\nTemplate format section of the SPDX specification for format information.", "metadata": {"name": "standardAdditionTemplate", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/standardAdditionTemplate", "Domain": ["LicenseAddition"]}}, "licenseComment": {"summary": "Identifies general comments about the License.", "description": "A licenseComment describes general factual information about the License. It\nshould not contain information (or links to information) that includes any kind\nof interpretation about the meaning or effect of the License, even if written\nby the license's author.\n\nExamples of information for a licenseComment may include the following:\n\n* If the License's identifier is deprecated, it may briefly explain the reason\n for deprecation.\n* It may include the date of release, if identified, for Licenses with multiple\n versions.\n* It may include links to other official language translations for the License.\n* For LicenseAdditions, it may include a reference to the License(s) with\n which this additional text is typically used.", "metadata": {"name": "licenseComment", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/licenseComment"}}, "deprecatedVersion": {"summary": "Specifies the SPDX License List version in which this license or exception\nidentifier was deprecated.", "description": "A deprecatedVersion for a ListedLicense or ListedLicenseException on the SPDX\nLicense List specifies which version release of the License List was the first\none in which it was marked as deprecated.", "metadata": {"name": "deprecatedVersion", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/deprecatedVersion", "Domain": ["ListedLicense", "ListedLicenseException"]}}, "licenseId": {"summary": "Provides a short, unique identifier to refer to a License.", "description": "A licenseId contains a human-readable, short-form license identifier for a\nLicense. It may only include letters, numbers, period (\".\") and hyphen (\"-\")\ncharacters.\n\nFor a ListedLicense, the licenseId will be as specified on the\n[SPDX License List](https://spdx.org/licenses) for the particular license.\n\nFor a CustomLicense, the short-form license identifer must begin with the\nprefix `LicenseRef-` and must be unique within the applicable SPDX namespace.\nThe short-form license ID may be preceded by an SPDX namespace or a\nfully-qualified URI prefix.", "metadata": {"name": "licenseId", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/licenseId"}}, "additionId": {"summary": "Provides a short, unique identifier to refer to a LicenseAddition.", "description": "An additionId contains a human-readable, short-form identifier for a\nLicenseAddition. It may only include letters, numbers, period (\".\") and\nhyphen (\"-\") characters.\n\nFor a ListedLicenseException, the licenseId will be as specified on the\n[SPDX Exceptions List](https://spdx.org/licenses/exceptions-index.html) for the\nparticular exception.\n\nFor a CustomLicenseAddition, the short-form identifier must begin with the\nprefix `AdditionRef-` and must be unique within the applicable SPDX namespace.\nThe short-form identifier may be preceded by an SPDX namespace or a\nfully-qualified URI prefix.", "metadata": {"name": "additionId", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/additionId"}}, "isOsiApproved": {"summary": "Specifies whether the License is listed as approved by the\n[Open Source Initiative (OSI)](https://opensource.org).", "description": "isOsiApproved specifies whether the [Open Source Initiative (OSI)](https://opensource.org)\nhas listed this License as \"approved\" in their list of OSI Approved Licenses,\nlocated at the time of this writing at https://opensource.org/licenses/.\n\nA value of \"true\" indicates that the OSI has listed this License as approved.\n\nA value of \"false\" indicates that the OSI has not listed this License as\napproved.\n\nIf the isOsiApproved field is not specified, the SPDX data creator makes no\nassertions about whether the License is approved by the OSI.", "metadata": {"name": "isOsiApproved", "Nature": "DataProperty", "Range": "xsd:boolean", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/isOsiApproved", "Domain": ["License"]}}, "additionComment": {"summary": "Identifies general comments about the LicenseAddition.", "description": "An additionComment for a LicenseAddition describes general factual information\nabout the LicenseAddition. It should not contain information (or links to\ninformation) that includes any kind of interpretation about the meaning or\neffect of the License, even if written by the license addition's author.\n\nExamples of information for an additionComment may include the following:\n\n* If the LicenseAddition's identifier is deprecated, it may briefly explain the\n reason for deprecation.\n* It may include the date of release, if identified, for LicenseAdditions with\n multiple versions.\n* It may include links to other official language translations for the\n LicenseAddition.\n* It may include a reference to the License(s) with which this LicenseAddition\n is typically used.", "metadata": {"name": "additionComment", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/additionComment"}}}, "vocabs": {}}, "AI": {"name": "AI", "classes": {"AIPackage": {"summary": "Provides information about the fields in the AI package profile.", "description": "Metadata information that can be added to a package to describe an AI application or trained AI model.\nExternal property restriction on /Core/Artifact/suppliedBy: minCount: 1\nExternal property restriction on /Software/Package/downloadLocation: minCount: 1\nExternal property restriction on /Software/Package/packageVersion: minCount: 1\nExternal property restriction on /Software/SoftwareArtifact/primaryPurpose: minCount: 1\nExternal property restriction on /Core/Artifact/releaseTime: minCount: 1", "metadata": {"name": "AIPackage", "SubclassOf": "/Software/Package", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/AI/AIPackage"}, "properties": {"energyConsumption": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}, "standardCompliance": {"type": "xsd:string", "minCount": "0", "maxCount": "*"}, "limitation": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}, "typeOfModel": {"type": "xsd:string", "minCount": "0", "maxCount": "*"}, "informationAboutTraining": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}, "informationAboutApplication": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}, "hyperparameter": {"type": "/Core/DictionaryEntry", "minCount": "0", "maxCount": "*"}, "modelDataPreprocessing": {"type": "xsd:string", "minCount": "0", "maxCount": "*"}, "modelExplainability": {"type": "xsd:string", "minCount": "0", "maxCount": "*"}, "sensitivePersonalInformation": {"type": "PresenceType", "minCount": "0", "maxCount": "1"}, "metricDecisionThreshold": {"type": "/Core/DictionaryEntry", "minCount": "0", "maxCount": "*"}, "metric": {"type": "/Core/DictionaryEntry", "minCount": "0", "maxCount": "*"}, "domain": {"type": "xsd:string", "minCount": "0", "maxCount": "*"}, "autonomyType": {"type": "PresenceType", "minCount": "0", "maxCount": "1"}, "safetyRiskAssessment": {"type": "SafetyRiskAssessmentType", "minCount": "0", "maxCount": "1"}}}}, "properties": {"safetyRiskAssessment": {"summary": "Categorizes safety risk impact of AI software.", "description": "SafetyRiskAssessment categorizes the safety risk impact of the AI software\nin accordance with Article 20 of [EC Regulation No 765/2008](https://ec.europa.eu/docsroom/documents/17107/attachments/1/translations/en/renditions/pdf).", "metadata": {"name": "safetyRiskAssessment", "Nature": "ObjectProperty", "Range": "SafetyRiskAssessmentType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/AI/safetyRiskAssessment", "Domain": ["AIPackage"]}}, "typeOfModel": {"summary": "Records the type of the model used in the AI software.", "description": "TypeOfModel records the type of the AI model(s) used in the software. \nFor instance, if it is a supervised model, unsupervised model, reinforcement learning model or a combination of those.", "metadata": {"name": "typeOfModel", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/AI/typeOfModel", "Domain": ["AIPackage"]}}, "hyperparameter": {"summary": "Records a hyperparameter used to build the AI model contained in the AI package.", "description": "This field records a hyperparameter value.\nHyperparameters are parameters of the machine learning model that are used to control the learning process,\nfor example the optimization and learning rate used during the training of the model.", "metadata": {"name": "hyperparameter", "Nature": "ObjectProperty", "Range": "/Core/DictionaryEntry", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/AI/hyperparameter", "Domain": ["AIPackage"]}}, "informationAboutTraining": {"summary": "Describes relevant information about different steps of the training process.", "description": "InformationAboutTraining describes the specific steps involved in the training of the AI model.\nFor example, it can be specified whether supervised fine-tuning \nor active learning is used as part of training the model.", "metadata": {"name": "informationAboutTraining", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/AI/informationAboutTraining", "Domain": ["AIPackage"]}}, "sensitivePersonalInformation": {"summary": "Records if sensitive personal information is used during model training.", "description": "SensitivePersonalInformation notes if sensitive personal information\nis used in the training or inference of the AI models.\nThis might include biometric data, addresses or other data that can be used to infer a person's identity.", "metadata": {"name": "sensitivePersonalInformation", "Nature": "ObjectProperty", "Range": "PresenceType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/AI/sensitivePersonalInformation", "Domain": ["AIPackage"]}}, "modelDataPreprocessing": {"summary": "Describes all the preprocessing steps applied to the training data before the model training.", "description": "ModelDataPreprocessing is a free form text that describes the preprocessing steps\napplied to the training data before training of the model(s) contained in the AI software.", "metadata": {"name": "modelDataPreprocessing", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/AI/modelDataPreprocessing", "Domain": ["AIPackage"]}}, "energyConsumption": {"summary": "Indicates the amount of energy consumed to build the AI package.", "description": "EnergyConsumption captures the amount of energy needed to train and operate the AI model. \nThis value is also known as training energy consumption or inference energy consumption.", "metadata": {"name": "energyConsumption", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/AI/energyConsumption", "Domain": ["AIPackage"]}}, "domain": {"summary": "Captures the domain in which the AI package can be used.", "description": "Domain describes the domain in which the AI model contained in the AI software\ncan be expected to operate successfully. Examples include computer vision, natural language etc.", "metadata": {"name": "domain", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/AI/domain", "Domain": ["AIPackage"]}}, "standardCompliance": {"summary": "Captures a standard that is being complied with.", "description": "StandardCompliance captures a standard that the AI software complies with. \nThis includes both published and unpublished standards, for example ISO, IEEE, ETSI etc. \nThe standard could (but not necessarily have to) be used to satisfy a legal or regulatory requirement.", "metadata": {"name": "standardCompliance", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/AI/standardCompliance", "Domain": ["AIPackage"]}}, "metric": {"summary": "Records the measurement of prediction quality of the AI model.", "description": "Metric records the measurement with which the AI model was evaluated. \nThis makes statements about the prediction quality including uncertainty,\naccuracy, characteristics of the tested population, quality, fairness, explainability, robustness etc.", "metadata": {"name": "metric", "Nature": "ObjectProperty", "Range": "/Core/DictionaryEntry", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/AI/metric", "Domain": ["AIPackage"]}}, "metricDecisionThreshold": {"summary": "Captures the threshold that was used for computation of a metric described in the metric field.", "description": "Each metric might be computed based on a decision threshold. \nFor instance, precision or recall is typically computed by checking\nif the probability of the outcome is larger than 0.5.\nEach decision threshold should match with a metric field defined in the AI Package.", "metadata": {"name": "metricDecisionThreshold", "Nature": "ObjectProperty", "Range": "/Core/DictionaryEntry", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/AI/metricDecisionThreshold", "Domain": ["AIPackage"]}}, "modelExplainability": {"summary": "Describes methods that can be used to explain the model.", "description": "ModelExplainability is a free form text that lists the different explainability mechanisms\n(such as SHAP, or other model specific explainability mechanisms) that can be used to explain the model.", "metadata": {"name": "modelExplainability", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/AI/modelExplainability", "Domain": ["AIPackage"]}}, "autonomyType": {"summary": "States if a human is involved in the decisions of the AI software.", "description": "AutonomyType indicates if a human is involved in any of the decisions of the AI software\nor if that software is fully automatic.", "metadata": {"name": "autonomyType", "Nature": "ObjectProperty", "Range": "PresenceType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/AI/autonomyType", "Domain": ["AIPackage"]}}, "informationAboutApplication": {"summary": "Provides relevant information about the AI software, not including the model description.", "description": "InformationAboutApplication describes any relevant information in free form text about \nhow the AI model is used inside the software, as well as any relevant pre-processing steps, third party APIs etc.", "metadata": {"name": "informationAboutApplication", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/AI/informationAboutApplication", "Domain": ["AIPackage"]}}, "limitation": {"summary": "Captures a limitation of the AI software.", "description": "Limitation captures a limitation of the AI Package (or of the AI models present in the AI package),\nexpressed as free form text. Note that this is not guaranteed to be exhaustive.\nFor instance, a limitation might be that the AI package cannot be used on datasets from a certain demography.", "metadata": {"name": "limitation", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/AI/limitation", "Domain": ["AIPackage"]}}}, "vocabs": {"SafetyRiskAssessmentType": {"summary": "Categories of safety risk impact of the application.", "description": "Lists the different safety risk type values that can be used to describe the safety risk of AI software\naccording to [Article 20 of Regulation 765/2008/EC](https://ec.europa.eu/docsroom/documents/17107/attachments/1/translations/en/renditions/pdf).", "metadata": {"name": "SafetyRiskAssessmentType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/AI/SafetyRiskAssessmentType"}, "entries": {"serious": "The highest level of risk posed by an AI software.", "high": "The second-highest level of risk posed by an AI software.", "medium": "The third-highest level of risk posed by an AI software.", "low": "Low/no risk is posed by the AI software."}}, "PresenceType": {"summary": "Categories of presence or absence.", "description": "This type is used to indicate if a given field is present or absent or unknown.", "metadata": {"name": "PresenceType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/AI/PresenceType"}, "entries": {"yes": "Indicates presence of the field.", "no": "Indicates absence of the field.", "noAssertion": "Makes no assertion about the field."}}}}, "Security": {"name": "Security", "classes": {"VexNotAffectedVulnAssessmentRelationship": {"summary": "Links a vulnerability and one or more elements designating the latter as products\nnot affected by the vulnerability.", "description": "VexNotAffectedVulnAssessmentRelationship connects a vulnerability and a number\nof elements designating them as products not affected by the vulnerability.\nThis relationship corresponds to the VEX not_affected status.\n\n**Constraints**\n\nWhen linking elements using a VexNotVulnAffectedAssessmentRelationship, the\nfollowing requirements must be observed:\n\n* Relating elements with a VexNotAffectedVulnAssessmentRelationship is restricted\nto the doesNotAffect relationship type.\n* The from: end of the relationship must be a /Security/Vulnerability classed\nelement.\n* Both impactStatement and justificationType properties have a cardinality of\n0..1 making them optional. Nevertheless, to produce a valid VEX not_affected\nstatement, one of them MUST be defined. This is specified in the Minimum Elements\nfor VEX.\n\n**Syntax**\n\n```json\n{\n \"@type\": \"VexNotAffectedVulnAssessmentRelationship\",\n \"@id\": \"urn:spdx.dev:vex-not-affected-1\",\n \"relationshipType\": \"doesNotAffect\",\n \"from\": \"urn:spdx.dev:vuln-cve-2020-28498\",\n \"to\": [\"urn:product-acme-application-1.3\"],\n \"assessedElement\": \"urn:npm-elliptic-6.5.2\",\n \"justificationType\": \"componentNotPresent\",\n \"impactStatement\": \"Not using this vulnerable part of this library.\",\n \"suppliedBy\": [\"urn:spdx.dev:agent-jane-doe\"],\n \"publishedTime\": \"2021-03-09T11:04:53Z\"\n}\n```", "metadata": {"name": "VexNotAffectedVulnAssessmentRelationship", "SubclassOf": "VexVulnAssessmentRelationship", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/VexNotAffectedVulnAssessmentRelationship"}, "properties": {"justificationType": {"type": "VexJustificationType", "minCount": "0", "maxCount": "1"}, "impactStatement": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}, "impactStatementTime": {"type": "/Core/DateTime", "minCount": "0", "maxCount": "1"}}}, "SsvcVulnAssessmentRelationship": {"summary": "Provides an SSVC assessment for a vulnerability.", "description": "An SsvcVulnAssessmentRelationship describes the decision made using the\nStakeholder-Specific Vulnerability Categorization (SSVC) decision tree as\ndefined on [https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc](https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc).\nIt is intended to communicate the results of using the CISA SSVC Calculator.\n\n**Constraints**\n\n- The relationship type must be set to hasAssessmentFor.\n\n**Syntax**\n\n```json\n{\n \"@type\": \"SsvcVulnAssessmentRelationship\",\n \"@id\": \"urn:spdx.dev:ssvc-1\",\n \"relationshipType\": \"hasAssessmentFor\",\n \"decisionType\": \"act\",\n \"from\": \"urn:spdx.dev:vuln-cve-2020-28498\",\n \"to\": [\"urn:product-acme-application-1.3\"],\n \"assessedElement\": \"urn:npm-elliptic-6.5.2\",\n \"suppliedBy\": [\"urn:spdx.dev:agent-jane-doe\"],\n \"publishedTime\": \"2021-03-09T11:04:53Z\"\n}\n```", "metadata": {"name": "SsvcVulnAssessmentRelationship", "SubclassOf": "VulnAssessmentRelationship", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/SsvcVulnAssessmentRelationship"}, "properties": {"decisionType": {"type": "SsvcDecisionType", "minCount": "1", "maxCount": "1"}}}, "VexFixedVulnAssessmentRelationship": {"summary": "Links a vulnerability and elements representing products (in the VEX sense) where\na fix has been applied and are no longer affected.", "description": "VexFixedVulnAssessmentRelationship links a vulnerability to a number of elements\nrepresenting VEX products where a vulnerability has been fixed and are no longer\naffected. It represents the VEX fixed status.\n\n**Constraints**\n\nWhen linking elements using a VexFixedVulnAssessmentRelationship, the following\nrequirements must be observed:\n\n- Elements linked with a VulnVexFixedAssessmentRelationship are constrained to\nusing the fixedIn relationship type.\n- The from: end of the relationship must ve a /Security/Vulnerability classed\nelement.\n\n**Syntax**\n\n```json\n{\n \"@type\": \"VexFixedVulnAssessmentRelationship\",\n \"@id\": \"urn:spdx.dev:vex-fixed-in-1\",\n \"relationshipType\": \"fixedIn\",\n \"from\": \"urn:spdx.dev:vuln-cve-2020-28498\",\n \"to\": [\"urn:product-acme-application-1.3\"],\n \"assessedElement\": \"urn:npm-elliptic-6.5.4\",\n \"suppliedBy\": [\"urn:spdx.dev:agent-jane-doe\"],\n \"publishedTime\": \"2021-03-09T11:04:53Z\"\n}\n```", "metadata": {"name": "VexFixedVulnAssessmentRelationship", "SubclassOf": "VexVulnAssessmentRelationship", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/VexFixedVulnAssessmentRelationship"}, "properties": {}}, "VexVulnAssessmentRelationship": {"summary": "Asbtract ancestor class for all VEX relationships", "description": "VexVulnAssessmentRelationship is an abstract subclass that defined the common\nproperties shared by all the SPDX-VEX status relationships. \n\n**Constraints**\n\nWhen linking elements using a VexVulnAssessmentRelationship, the following\nrequirements must be observed:\n\n- The from: end must be a /Security/Vulnerability classed element\n- The to: end must point to elements representing the VEX _products_. To\nspecify a different element where the vulnerability was detected, the VEX\nrelationship can optionally specify _subcomponents_ using the assessedElement\nproperty.\n\nVEX inherits information from the document level down to its statements. When a\nstatement is missing information it can be completed by reading the equivalent \nfield from the containing document. For example, if a VEX relationship is\nmissing data in its createdBy property, tools must consider the entity\nlisted in the CreationInfo section of the document as the VEX author.\nIn the same way, when a VEX relationship does not have a created property,\nthe document's date must be considered as authoritative.", "metadata": {"name": "VexVulnAssessmentRelationship", "SubclassOf": "VulnAssessmentRelationship", "Instantiability": "Abstract", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/VexVulnAssessmentRelationship"}, "properties": {"vexVersion": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}, "statusNotes": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}}}, "CvssV3VulnAssessmentRelationship": {"summary": "Provides a CVSS version 3.x assessment for a vulnerability.", "description": "A CvssV3VulnAssessmentRelationship relationship describes the determined score,\nseverity, and vector of a vulnerability using version 3.1 of the Common\nVulnerability Scoring System (CVSS) as defined on \n[https://www.first.org/cvss/v3.1/specification-document](https://www.first.org/cvss/v3.1/specification-document). It is intented to communicate the results of using a CVSS calculator.\n\n**Constraints**\n\n- The value of severity must be one of 'none', 'low', 'medium', 'high' or 'critical'.\n- Absence of the property shall be interpreted as 'none'.\n- The relationship type must be set to hasAssessmentFor.\n\n**Syntax**\n\n```json\n{\n \"@type\": \"CvssV3VulnAssessmentRelationship\",\n \"@id\": \"urn:spdx.dev:cvssv3-cve-2020-28498\",\n \"relationshipType\": \"hasAssessmentFor\",\n \"severity\": \"medium\",\n \"score\": 6.8,\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N\",\n \"from\": \"urn:spdx.dev:vuln-cve-2020-28498\",\n \"to\": [\"urn:product-acme-application-1.3\"],\n \"assessedElement\": \"urn:npm-elliptic-6.5.2\",\n \"externalReferences\": [\n {\n \"@type\": \"ExternalReference\",\n \"externalReferenceType\": \"securityAdvisory\",\n \"locator\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-28498\"\n },\n {\n \"@type\": \"ExternalReference\",\n \"externalReferenceType\": \"securityAdvisory\",\n \"locator\": \"https://snyk.io/vuln/SNYK-JS-ELLIPTIC-1064899\"\n },\n {\n \"@type\": \"ExternalReference\",\n \"externalReferenceType\": \"securityFix\",\n \"locator\": \"https://github.com/indutny/elliptic/commit/441b742\"\n }\n ],\n \"suppliedBy\": [\"urn:spdx.dev:agent-my-security-vendor\"],\n \"publishedTime\": \"2023-05-06T10:06:13Z\"\n},\n{\n \"@type\": \"Relationship\",\n \"@id\": \"urn:spdx.dev:vulnAgentRel-1\",\n \"relationshipType\": \"publishedBy\",\n \"from\": \"urn:spdx.dev:cvssv3-cve-2020-28498\",\n \"to\": \"urn:spdx.dev:agent-snyk\",\n \"startTime\": \"2021-03-08T16:06:50Z\"\n}\n```", "metadata": {"name": "CvssV3VulnAssessmentRelationship", "SubclassOf": "VulnAssessmentRelationship", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/CvssV3VulnAssessmentRelationship"}, "properties": {"score": {"type": "xsd:decimal", "minCount": "1", "maxCount": "1"}, "severity": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}, "vector": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}}}, "VulnAssessmentRelationship": {"summary": "Abstract ancestor class for all vulnerability assessments", "description": "VulnAssessmentRelationship is the ancestor class common to all vulnerability\nassessment relationships. It factors out the common properties shared by them.\nExternal property restriction on /Core/Relationship/to: minCount: 1", "metadata": {"name": "VulnAssessmentRelationship", "SubclassOf": "/Core/Relationship", "Instantiability": "Abstract", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/VulnAssessmentRelationship"}, "properties": {"assessedElement": {"type": "/Core/Element", "minCount": "0", "maxCount": "1"}, "publishedTime": {"type": "/Core/DateTime", "minCount": "0", "maxCount": "1"}, "suppliedBy": {"type": "/Core/Agent", "minCount": "0", "maxCount": "1"}, "modifiedTime": {"type": "/Core/DateTime", "minCount": "0", "maxCount": "1"}, "withdrawnTime": {"type": "/Core/DateTime", "minCount": "0", "maxCount": "1"}}}, "Vulnerability": {"summary": "Specifies a vulnerability and its associated information.", "description": "Specifies a vulnerability and its associated information.\n\n**Syntax**\n\n```json\n{\n \"@type\": \"Vulnerability\",\n \"@id\": \"urn:spdx.dev:vuln-1\",\n \"summary\": \"Use of a Broken or Risky Cryptographic Algorithm\",\n \"description\": \"The npm package `elliptic` before version 6.5.4 are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.\", \n \"modified\": \"2021-03-08T16:02:43Z\",\n \"published\": \"2021-03-08T16:06:50Z\",\n \"externalIdentifiers\": [\n {\n \"@type\": \"ExternalIdentifier\",\n \"externalIdentifierType\": \"cve\",\n \"identifier\": \"CVE-2020-2849\",\n \"identifierLocator\": [\n \"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28498\",\n \"https://www.cve.org/CVERecord?id=CVE-2020-28498\"\n ],\n \"issuingAuthority\": \"urn:spdx.dev:agent-cve.org\"\n },\n {\n \"type\": \"ExternalIdentifier\",\n \"externalIdentifierType\": \"securityOther\",\n \"identifier\": \"GHSA-r9p9-mrjm-926w\",\n \"identifierLocator\": \"https://github.com/advisories/GHSA-r9p9-mrjm-926w\"\n },\n {\n \"type\": \"ExternalIdentifier\",\n \"externalIdentifierType\": \"securityOther\",\n \"identifier\": \"SNYK-JS-ELLIPTIC-1064899\",\n \"identifierLocator\": \"https://security.snyk.io/vuln/SNYK-JS-ELLIPTIC-1064899\"\n }\n ],\n \"externalReferences\": [\n {\n \"@type\": \"ExternalReference\",\n \"externalReferenceType\": \"securityAdvisory\",\n \"locator\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-28498\"\n },\n {\n \"@type\": \"ExternalReference\",\n \"externalReferenceType\": \"securityAdvisory\",\n \"locator\": \"https://ubuntu.com/security/CVE-2020-28498\"\n },\n {\n \"@type\": \"ExternalReference\",\n \"externalReferenceType\": \"securityOther\",\n \"locator\": \"https://github.com/indutny/elliptic/pull/244/commits\"\n },\n {\n \"@type\": \"ExternalReference\",\n \"externalReferenceType\": \"securityOther\",\n \"locator\": \"https://github.com/christianlundkvist/blog/blob/master/2020_05_26_secp256k1_twist_attacks/secp256k1_twist_attacks.md\"\n }\n ]\n},\n{\n \"@type\": \"Relationship\",\n \"@id\": \"urn:spdx.dev:vulnRelationship-1\",\n \"relationshipType\": \"hasAssociatedVulnerability\",\n \"from\": \"urn:npm-elliptic-6.5.2\",\n \"to\": [\"urn:spdx.dev:vuln-1\"],\n \"startTime\": \"2021-03-08T16:06:50Z\"\n},\n{\n \"@type\": \"Relationship\",\n \"@id\": \"urn:spdx.dev:vulnAgentRel-1\", \n \"relationshipType\": \"publishedBy\", \n \"from\": \"urn:spdx.dev:vuln-1\",\n \"to\": [\"urn:spdx.dev:agent-snyk\"],\n \"startTime\": \"2021-03-08T16:06:50Z\"\n}\n```", "metadata": {"name": "Vulnerability", "SubclassOf": "/Core/Element", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/Vulnerability"}, "properties": {"publishedTime": {"type": "/Core/DateTime", "minCount": "0", "maxCount": "1"}, "modifiedTime": {"type": "/Core/DateTime", "minCount": "0", "maxCount": "1"}, "withdrawnTime": {"type": "/Core/DateTime", "minCount": "0", "maxCount": "1"}}}, "CvssV2VulnAssessmentRelationship": {"summary": "Provides a CVSS version 2.0 assessment for a vulnerability.", "description": "A CvssV2VulnAssessmentRelationship relationship describes the determined score and vector of a vulnerability using version 2.0 of the Common Vulnerability Scoring System\n(CVSS) as defined on [https://www.first.org/cvss/v2/guide](https://www.first.org/cvss/v2/guide). It is intented to communicate the results of using a CVSS calculator.\n\n**Constraints**\n\n- The value of severity must be one of 'low', 'medium' or 'high'\n- The relationship type must be set to hasAssessmentFor.\n\n**Syntax**\n\n```json\n{\n \"@type\": \"CvssV2VulnAssessmentRelationship\",\n \"@id\": \"urn:spdx.dev:cvssv2-cve-2020-28498\",\n \"relationshipType\": \"hasAssessmentFor\",\n \"score\": 4.3,\n \"vector\": \"(AV:N/AC:M/Au:N/C:P/I:N/A:N)\",\n \"severity\": \"low\",\n \"from\": \"urn:spdx.dev:vuln-cve-2020-28498\",\n \"to\": [\"urn:product-acme-application-1.3\"],\n \"assessedElement\": \"urn:npm-elliptic-6.5.2\",\n \"externalReferences\": [\n {\n \"@type\": \"ExternalReference\",\n \"externalReferenceType\": \"securityAdvisory\",\n \"locator\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-28498\"\n },\n {\n \"@type\": \"ExternalReference\",\n \"externalReferenceType\": \"securityAdvisory\",\n \"locator\": \"https://snyk.io/vuln/SNYK-JS-ELLIPTIC-1064899\"\n },\n {\n \"@type\": \"ExternalReference\",\n \"externalReferenceType\": \"securityFix\",\n \"locator\": \"https://github.com/indutny/elliptic/commit/441b742\"\n }\n ],\n \"suppliedBy\": [\"urn:spdx.dev:agent-my-security-vendor\"],\n \"publishedTime\": \"2023-05-06T10:06:13Z\"\n},\n{\n \"@type\": \"Relationship\",\n \"@id\": \"urn:spdx.dev:vulnAgentRel-1\", \n \"relationshipType\": \"publishedBy\", \n \"from\": \"urn:spdx.dev:cvssv2-cve-2020-28498\",\n \"to\": [\"urn:spdx.dev:agent-snyk\"],\n \"startTime\": \"2021-03-08T16:06:50Z\"\n}\n```", "metadata": {"name": "CvssV2VulnAssessmentRelationship", "SubclassOf": "VulnAssessmentRelationship", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/CvssV2VulnAssessmentRelationship"}, "properties": {"score": {"type": "xsd:decimal", "minCount": "1", "maxCount": "1"}, "severity": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}, "vector": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}}}, "VexAffectedVulnAssessmentRelationship": {"summary": "Connects a vulnerability and an element designating the element as a product\naffected by the vulnerability.", "description": "VexAffectedVulnAssessmentRelationship connects a vulnerability and a number\nof elements. The relationship marks these elements as products affected by the\nvulnerability. This relationship corresponds to the VEX affected status.\n\n**Constraints**\n\nWhen linking elements using a VexAffectedVulnAssessmentRelationship, the\nfollowing requirements must be observed:\n\n- Elements linked with a VulnVexAffectedAssessmentRelationship are constrained\nto the affects relationship type.\n\n**Syntax**\n\n```json\n{\n \"@type\": \"VexAffectedVulnAssessmentRelationship\",\n \"@id\": \"urn:spdx.dev:vex-affected-1\",\n \"relationshipType\": \"affects\",\n \"from\": \"urn:spdx.dev:vuln-cve-2020-28498\",\n \"to\": [\"urn:product-acme-application-1.3\"],\n \"assessedElement\": \"urn:npm-elliptic-6.5.2\",\n \"actionStatement\": \"Upgrade to version 1.4 of ACME application.\",\n \"suppliedBy\": [\"urn:spdx.dev:agent-jane-doe\"],\n \"publishedTime\": \"2021-03-09T11:04:53Z\"\n}\n```", "metadata": {"name": "VexAffectedVulnAssessmentRelationship", "SubclassOf": "VexVulnAssessmentRelationship", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/VexAffectedVulnAssessmentRelationship"}, "properties": {"actionStatement": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}, "actionStatementTime": {"type": "/Core/DateTime", "minCount": "0", "maxCount": "*"}}}, "ExploitCatalogVulnAssessmentRelationship": {"summary": "Provides an exploit assessment of a vulnerability.", "description": "An ExploitCatalogVulnAssessmentRelationship describes if a vulnerability is\nlisted in any exploit catalog such as the CISA Known Exploited Vulnerabilities\nCatalog (KEV) \n[https://www.cisa.gov/known-exploited-vulnerabilities-catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog).\n\n**Constraints**\n\n- The relationship type must be set to hasAssessmentFor.\n\n**Syntax**\n\n```json\n{\n \"@type\": \"ExploitCatalogVulnAssessmentRelationship\",\n \"@id\": \"urn:spdx.dev:exploit-catalog-1\",\n \"relationshipType\": \"hasAssessmentFor\",\n \"catalogType\": \"kev\",\n \"locator\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n \"exploited\": \"true\",\n \"from\": \"urn:spdx.dev:vuln-cve-2023-2136\",\n \"to\": [\"urn:product-google-chrome-112.0.5615.136\"],\n \"suppliedBy\": [\"urn:spdx.dev:agent-jane-doe\"],\n \"publishedTime\": \"2021-03-09T11:04:53Z\"\n}\n```", "metadata": {"name": "ExploitCatalogVulnAssessmentRelationship", "SubclassOf": "VulnAssessmentRelationship", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/ExploitCatalogVulnAssessmentRelationship"}, "properties": {"catalogType": {"type": "ExploitCatalogType", "minCount": "1", "maxCount": "1"}, "exploited": {"type": "xsd:boolean", "minCount": "1", "maxCount": "1"}, "locator": {"type": "xsd:anyURI", "minCount": "1", "maxCount": "1"}}}, "EpssVulnAssessmentRelationship": {"summary": "Provides an EPSS assessment for a vulnerability.", "description": "An EpssVulnAssessmentRelationship relationship describes the likelihood or\nprobability that a vulnerability will be exploited in the wild using the Exploit\nPrediction Scoring System (EPSS) as defined on \n[https://www.first.org/epss/model](https://www.first.org/epss/model).\n\n**Constraints**\n\n- The relationship type must be set to hasAssessmentFor.\n\n**Syntax**\n\n```json\n{\n \"@type\": \"EpssVulnAssessmentRelationship\",\n \"@id\": \"urn:spdx.dev:epss-1\",\n \"relationshipType\": \"hasAssessmentFor\",\n \"probability\": 80,\n \"from\": \"urn:spdx.dev:vuln-cve-2020-28498\",\n \"to\": [\"urn:product-acme-application-1.3\"],\n \"suppliedBy\": [\"urn:spdx.dev:agent-jane-doe\"],\n \"publishedTime\": \"2021-03-09T11:04:53Z\"\n}\n```", "metadata": {"name": "EpssVulnAssessmentRelationship", "SubclassOf": "VulnAssessmentRelationship", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/EpssVulnAssessmentRelationship"}, "properties": {"probability": {"type": "xsd:nonNegativeInteger", "minCount": "1", "maxCount": "1"}, "severity": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}}}, "VexUnderInvestigationVulnAssessmentRelationship": {"summary": "Designates elements as products where the impact of a vulnerability is being\ninvestigated.", "description": "VexUnderInvestigationVulnAssessmentRelationship links a vulnerability to a\nnumber of products stating the vulnerability's impact on them is being\ninvestigated. It represents the VEX under_investigation status.\n\n**Constraints**\n\nWhen linking elements using a VexUnderInvestigationVulnAssessmentRelationship\nthe following requirements must be observed:\n\n- Elements linked with a VexUnderInvestigationVulnAssessmentRelationship are\nconstrained to using the underInvestigationFor relationship type.\n- The from: end of the relationship must ve a /Security/Vulnerability classed\nelement.\n\n**Syntax**\n\n```json\n{\n \"@type\": \"VexUnderInvestigationVulnAssessmentRelationship\",\n \"@id\": \"urn:spdx.dev:vex-underInvestigation-1\",\n \"relationshipType\": \"underInvestigationFor\",\n \"from\": \"urn:spdx.dev:vuln-cve-2020-28498\",\n \"to\": [\"urn:product-acme-application-1.3\"],\n \"assessedElement\": \"urn:npm-elliptic-6.5.2\",\n \"suppliedBy\": [\"urn:spdx.dev:agent-jane-doe\"],\n \"publishedTime\": \"2021-03-09T11:04:53Z\"\n}\n```", "metadata": {"name": "VexUnderInvestigationVulnAssessmentRelationship", "SubclassOf": "VexVulnAssessmentRelationship", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/VexUnderInvestigationVulnAssessmentRelationship"}, "properties": {}}}, "properties": {"justificationType": {"summary": "Impact justification label to be used when linking a vulnerability to an element\nrepresenting a VEX product with a VexNotAffectedVulnAssessmentRelationship\nrelationship.", "description": "When stating that an element is not affected by a vulnerability, the\nVexNotAffectedVulnAssessmentRelationship must include a justification from the\nmachine-readable labels catalog informing the reason the element is not impacted.\n\nimpactStatement which is a string with English prose can be used instead or as\ncomplementary to the justification label, but one of both MUST be defined.", "metadata": {"name": "justificationType", "Nature": "ObjectProperty", "Range": "VexJustificationType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/justificationType", "Domain": ["VexNotAffectedVulnAssessmentRelationship"]}}, "actionStatementTime": {"summary": "Records the time when a recommended action was communicated in a VEX statement \nto mitigate a vulnerability.", "description": "When a VEX statement communicates an affected status, the author MUST\ninclude an action statement with a recommended action to help mitigate the\nvulnerability's impact. The actionStatementTime property records the time\nwhen the action statement was first communicated.", "metadata": {"name": "actionStatementTime", "Nature": "DataProperty", "Range": "/Core/DateTime", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/actionStatementTime", "Domain": ["VexAffectedVulnAssessmentRelationship"]}}, "assessedElement": {"summary": "Specifies an element contained in a piece of software where a vulnerability was\nfound.", "description": "Specifies subpackages, files or snippets referenced by a security assessment\nto specify the precise location where a vulnerability was found.", "metadata": {"name": "assessedElement", "Nature": "ObjectProperty", "Range": "/Core/Element", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/assessedElement", "Domain": ["VulnAssessmentRelationship"]}}, "suppliedBy": {"summary": "Identifies who or what supplied the vulnerability assessment relationship.", "description": "Identify the actual distribution source for the vulnerability assessment relationship being referenced.", "metadata": {"name": "suppliedBy", "Nature": "ObjectProperty", "Range": "/Core/Agent", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/suppliedBy", "Domain": ["VulnAssessmentRelationship"]}}, "decisionType": {"summary": "Provide the enumeration of possible decisions in the Stakeholder-Specific Vulnerability Categorization (SSVC) decision tree [https://www.cisa.gov/sites/default/files/publications/cisa-ssvc-guide%20508c.pdf](https://www.cisa.gov/sites/default/files/publications/cisa-ssvc-guide%20508c.pdf)", "description": "A decisionType is a mandatory value and must select one of the four entries in the `SsvcDecisionType.md` vocabulary.", "metadata": {"name": "decisionType", "Nature": "ObjectProperty", "Range": "SsvcDecisionType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/decisionType", "Domain": ["SsvcVulnAssessmentRelationship"]}}, "exploited": {"summary": "Describe that a CVE is known to have an exploit because it's been listed in an exploit catalog.", "description": "This field is set when a CVE is listed in an exploit catalog.", "metadata": {"name": "exploited", "Nature": "DataProperty", "Range": "xsd:boolean", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/exploited", "Domain": ["ExploitCatalogVulnAssessmentRelationship"]}}, "catalogType": {"summary": "TODO", "description": "A catalogType is a mandatory value and must select one of the two entries in the `ExploitCatalogType.md` vocabulary.", "metadata": {"name": "catalogType", "Nature": "ObjectProperty", "Range": "ExploitCatalogType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/catalogType", "Domain": ["ExploitCatalogVulnAssessmentRelationship"]}}, "probability": {"summary": "A probability score between 0 and 1 of a vulnerability being exploited.", "description": "The probability score between 0 and 1 (0 and 100%) estimating the likelihood\nthat a vulnerability will be exploited in the next 12 months.", "metadata": {"name": "probability", "Nature": "DataProperty", "Range": "xsd:decimal", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/probability", "Domain": ["EpssVulnAssessmentRelationship"]}}, "statusNotes": {"summary": "TODO", "description": "TODO", "metadata": {"name": "statusNotes", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/statusNotes", "Domain": ["VexVulnAssessmentRelationship"]}}, "publishedTime": {"summary": "Specifies the time when a vulnerability was published.", "description": "Specifies the time when a vulnerability was first published.", "metadata": {"name": "publishedTime", "Nature": "DataProperty", "Range": "/Core/DateTime", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/publishedTime", "Domain": ["VulnAssessmentRelationship", "Vulnerability"]}}, "vexVersion": {"summary": "TODO", "description": "TODO", "metadata": {"name": "vexVersion", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/vexVersion", "Domain": ["VexVulnAssessmentRelationship"]}}, "actionStatement": {"summary": "Provides advise on how to mitigate or remediate a vulnerability when a VEX product\nis affected by it.", "description": "When an element is referenced with a VexAffectedVulnAssessmentRelationship,\nthe relationship MUST include one actionStatement that SHOULD describe actions\nto remediate or mitigate the vulnerability.", "metadata": {"name": "actionStatement", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/actionStatement", "Domain": ["VexAffectedVulnAssessmentRelationship"]}}, "locator": {"summary": "Provides the location of an exploit catalog.", "description": "A locator provides the location of an exploit catalog.", "metadata": {"name": "locator", "Nature": "DataProperty", "Range": "xsd:anyURI", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/locator", "Domain": ["ExploitCatalogVulnAssessmentRelationship"]}}, "vector": {"summary": "Specifies the vector string of a vulnerability.", "description": "Sepcifies the vector string of a vulnerability, a string combining metrics\nfrom an assessment of its severity.", "metadata": {"name": "vector", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/vector", "Domain": ["CvssV3VulnAssessmentRelationship", "CvssV2VulnAssessmentRelationship"]}}, "impactStatementTime": {"summary": "TODO", "description": "TODO", "metadata": {"name": "impactStatementTime", "Nature": "DataProperty", "Range": "/Core/DateTime", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/impactStatementTime", "Domain": ["VexNotAffectedVulnAssessmentRelationship"]}}, "withdrawnTime": {"summary": "Specified the time and date when a vulnerability was withdrawn.", "description": "Specified the time and date when a vulnerability was withdrawn.", "metadata": {"name": "withdrawnTime", "Nature": "DataProperty", "Range": "/Core/DateTime", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/withdrawnTime", "Domain": ["VulnAssessmentRelationship", "Vulnerability"]}}, "impactStatement": {"summary": "Explains why a VEX product is not affected by a vulnerability. It is an\nalternative in VexNotAffectedVulnAssessmentRelationship to the machine-readable\njustification label.", "description": "When a VEX product element is related with a VexNotAffectedVulnAssessmentRelationship\nand a machine readable justification label is not provided, then an impactStatement\nthat further explains how or why the prouct(s) are not affected by the vulnerability\nmust be provided.", "metadata": {"name": "impactStatement", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/impactStatement", "Domain": ["VexNotAffectedVulnAssessmentRelationship"]}}, "score": {"summary": "Provides a numerical (0-10) representation of the severity of a vulnerability.", "description": "The score provides information on the severity of a vulnerability per the\nCommon Vulnerability Scoring System as defined on [https://www.first.org/cvss](https://www.first.org/cvss/).", "metadata": {"name": "score", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/score", "Domain": ["CvssV3VulnAssessmentRelationship", "CvssV2VulnAssessmentRelationship"]}}, "severity": {"summary": "The severity of a vulnerability in relation to a piece of software.", "description": "The severity field provides a human readable string, a label that can be used\nas an English adjective that qualifies its numerical score.", "metadata": {"name": "severity", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/severity", "Domain": ["CvssV3VulnAssessmentRelationship", "CvssV2VulnAssessmentRelationship", "EpssVulnAssessmentRelationship"]}}, "modifiedTime": {"summary": "Specifies a time when a vulnerability assessment was modified", "description": "Specifies a time when a vulnerability assessment was last modified.", "metadata": {"name": "modifiedTime", "Nature": "DataProperty", "Range": "/Core/DateTime", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/modifiedTime", "Domain": ["VulnAssessmentRelationship", "Vulnerability"]}}}, "vocabs": {"VexJustificationType": {"summary": "Specifies the VEX justification type.", "description": "VexJustificationType specifies the type of Vulnerability Exploitability eXchange (VEX) justification.", "metadata": {"name": "VexJustificationType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/VexJustificationType"}, "entries": {"componentNotPresent": "The software is not affected because the vulnerable component is not in the product.", "vulnerableCodeNotPresent": "The product is not affected because the code underlying the vulnerability is not present in the product.", "vulnerableCodeCannotBeControlledByAdversary": "The vulnerable component is present, and the component contains the vulnerable code. However, vulnerable code is used in such a way that an attacker cannot mount any anticipated attack.", "vulnerableCodeNotInExecutePath": "The affected code is not reachable through the execution of the code, including non-anticipated states of the product.", "inlineMitigationsAlreadyExist": "Built-in inline controls or mitigations prevent an adversary from leveraging the vulnerability."}}, "ExploitCatalogType": {"summary": "Specifies the exploit catalog type.", "description": "ExploitCatalogType specifies the type of exploit catalog that a vulnerability is listed in.", "metadata": {"name": "ExploitCatalogType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/ExploitCatalogType"}, "entries": {"kev": "CISA's Known Exploited Vulnerability (KEV) Catalog", "other": "Other exploit catalogs"}}, "SsvcDecisionType": {"summary": "Specifies the SSVC decision type.", "description": "SsvcDecisionType specifies the type of decision that's been made according to the Stakeholder-Specific Vulnerability Categorization (SSVC) system [https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc](https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc)", "metadata": {"name": "SsvcDecisionType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Security/SsvcDecisionType"}, "entries": {"act": "The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. CISA recommends remediating Act vulnerabilities as soon as possible.", "attend": "The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary actions include requesting assistance or information about the vulnerability, and may involve publishing a notification either internally and/or externally. CISA recommends remediating Attend vulnerabilities sooner than standard update timelines.", "track": "The vulnerability does not require action at this time. The organization would continue to track the vulnerability and reassess it if new information becomes available. CISA recommends remediating Track vulnerabilities within standard update timelines.", "trackStar": "(Track* in the SSVC spec) The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines."}}}}, "Build": {"name": "Build", "classes": {"Build": {"summary": "Class that describes a build instance of software/artifacts.", "description": "A build is a representation of the process in which a piece of software or artifact is built. It encapsulates information related to a build process and\nprovides an element from which relationships can be created to describe the build's inputs, outputs, and related entities (e.g. builders, identities, etc.).\n\nDefinitions of \"BuildType\", \"ConfigSource\", \"Parameters\" and \"Environment\" follow\nthose defined in [SLSA provenance](https://slsa.dev/provenance/v0.2).\n\nExternalIdentifier of type \"urlScheme\" may be used to identify build logs. In this case, the comment of the ExternalIdentifier should be \"LogReference\".\n\nNote that buildStart and buildEnd are optional, and may be omitted to simplify creating reproducible builds.", "metadata": {"name": "Build", "SubclassOf": "/Core/Element", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Build/Build"}, "properties": {"buildType": {"type": "xsd:anyURI", "minCount": "1", "maxCount": "1"}, "buildId": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}, "configSourceEntrypoint": {"type": "xsd:string", "minCount": "0", "maxCount": "*"}, "configSourceUri": {"type": "xsd:anyURI", "minCount": "0", "maxCount": "*"}, "configSourceDigest": {"type": "/Core/Hash", "minCount": "0", "maxCount": "*"}, "parameters": {"type": "/Core/DictionaryEntry", "minCount": "0", "maxCount": "*"}, "buildStartTime": {"type": "/Core/DateTime", "minCount": "0", "maxCount": "1"}, "buildEndTime": {"type": "/Core/DateTime", "minCount": "0", "maxCount": "1"}, "environment": {"type": "/Core/DictionaryEntry", "minCount": "0", "maxCount": "*"}}}}, "properties": {"buildStartTime": {"summary": "Property describing the start time of a build.", "description": "buildStartTime is the time at which a build is triggered. The builder typically records this value.", "metadata": {"name": "buildStartTime", "Nature": "DataProperty", "Range": "/Core/DateTime", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Build/buildStartTime", "Domain": ["Build"]}}, "configSourceUri": {"summary": "Property that describes the URI of the build configuration source file.", "description": "If a build configuration exists for the toolchain or platform performing the build, the configSourceUri of a build is the URI of that build configuration. For example, a build triggered by a GitHub action is defined by a build configuration YAML file. In this case, the configSourceUri is the URL of that YAML file. \nm", "metadata": {"name": "configSourceUri", "Nature": "DataProperty", "Range": "xsd:anyURI", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Build/configSourceUri", "Domain": ["Build"]}}, "buildEndTime": {"summary": "Property that describes the time at which a build stops.", "description": "buildEndTime describes the time at which a build stops or finishes. This value is typically recorded by the builder.", "metadata": {"name": "buildEndTime", "Nature": "DataProperty", "Range": "/Core/DateTime", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Build/buildEndTime", "Domain": ["Build"]}}, "parameters": {"summary": "Property describing the parameters used in an instance of a build.", "description": "parameters is a key-value map of all build parameters and their values that were provided to the builder for a build instance. This is different from the [environment](environment.md) property in that the keys and values are provided as command line arguments or a configuration file to the builder.", "metadata": {"name": "parameters", "Nature": "ObjectProperty", "Range": "/Core/DictionaryEntry", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Build/parameters", "Domain": ["Build"]}}, "environment": {"summary": "Property describing the session in which a build is invoked.", "description": "environment is a map of environment variables and values that are set during a build session. This is different from the [parameters](parameters.md) property in that it describes the environment variables set before a build is invoked rather than the variables provided to the builder.", "metadata": {"name": "environment", "Nature": "ObjectProperty", "Range": "/Core/DictionaryEntry", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Build/environment", "Domain": ["Build"]}}, "configSourceDigest": {"summary": "Property that describes the digest of the build configuration file used to invoke a build.", "description": "configSourceDigest is the checksum of the build configuration file used by a builder to execute a build. This Property uses the Core model's [Hash](../../Core/Classes/Hash.md) class.", "metadata": {"name": "configSourceDigest", "Nature": "ObjectProperty", "Range": "/Core/Hash", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Build/configSourceDigest", "Domain": ["Build"]}}, "configSourceEntrypoint": {"summary": "Property describes the invocation entrypoint of a build.", "description": "A build entrypoint is the invoked executable of a build which always runs when the build is triggered. For example, when a build is triggered by running a shell script, the entrypoint is `script.sh`. In terms of a declared build, the entrypoint is the position in a configuration file or a build declaration which is always run when the build is triggered. For example, in the following configuration file, the entrypoint of the build is `publish`.\n\n```\nname: Publish packages to PyPI\n\non:\ncreate:\ntags: \"*\"\n\njobs:\npublish:\nruns-on: ubuntu-latest\nif: startsWith(github.ref, 'refs/tags/')\nsteps:\n\n...\n```", "metadata": {"name": "configSourceEntrypoint", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Build/configSourceEntrypoint", "Domain": ["Build"]}}, "buildId": {"summary": "A buildId is a locally unique identifier used by a builder to identify a unique instance of a build produced by it.", "description": "A buildId is a locally unique identifier to identify a unique instance of a build. This identifier differs based on build toolchain, platform, or naming convention used by an organization or standard.", "metadata": {"name": "buildId", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Build/buildId", "Domain": ["Build"]}}, "buildType": {"summary": "A buildType is a hint that is used to indicate the toolchain, platform, or infrastructure that the build was invoked on.", "description": "A buildType is a URI expressing the toolchain, platform, or infrastructure that the build was invoked on. For example, if the build was invoked on GitHub's CI platform using github actions, the buildType can be expressed as `https://github.com/actions`. In contrast, if the build was invoked on a local machine, the buildType can be expressed as `file://username@host/path/to/build`.", "metadata": {"name": "buildType", "Nature": "DataProperty", "Range": "xsd:anyURI", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Build/buildType", "Domain": ["Build"]}}}, "vocabs": {}}, "Software": {"name": "Software", "classes": {"Package": {"summary": "Refers to any unit of content that can be associated with a distribution of software.", "description": "A package refers to any unit of content that can be associated with a distribution of software.\nTypically, a package is composed of one or more files. \nAny of the following non-limiting examples may be (but are not required to be) represented in SPDX as a package:\n\n - a tarball, zip file or other archive\n - a directory or sub-directory\n - a separately distributed piece of software which another Package or File uses or depends upon (e.g., a Python package, a Go module, ...)\n - a container image, and/or each image layer within a container image\n - a collection of one or more sub-packages\n - a Git repository snapshot from a particular point in time\n\nNote that some of these could be represented in SPDX as a file as well.\nExternal property restriction on /Core/Element/name: minCount: 1", "metadata": {"name": "Package", "SubclassOf": "/Software/SoftwareArtifact", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/Package"}, "properties": {"packageVersion": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}, "downloadLocation": {"type": "xsd:anyURI", "minCount": "0", "maxCount": "1"}, "packageUrl": {"type": "xsd:anyURI", "minCount": "0", "maxCount": "1"}, "homePage": {"type": "xsd:anyURI", "minCount": "0", "maxCount": "1"}, "sourceInfo": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}}}, "File": {"summary": "Refers to any object that stores content on a computer.", "description": "Refers to any object that stores content on a computer.\nThe type of content can optionally be provided in the contentType property.\nExternal property restriction on /Core/Element/name: minCount: 1", "metadata": {"name": "File", "SubclassOf": "/Software/SoftwareArtifact", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/File"}, "properties": {"contentType": {"type": "/Core/MediaType", "minCount": "0", "maxCount": "1"}}}, "Snippet": {"summary": "Describes a certain part of a file.", "description": "A Snippet describes a certain part of a file and can be used when the file is known to have some content\nthat has been included from another original source. Snippets are useful for denoting when part of a file\nmay have been originally created under another license or copied from a place with a known vulnerability.", "metadata": {"name": "Snippet", "SubclassOf": "/Software/SoftwareArtifact", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/Snippet"}, "properties": {"byteRange": {"type": "/Core/PositiveIntegerRange", "minCount": "0", "maxCount": "1"}, "lineRange": {"type": "/Core/PositiveIntegerRange", "minCount": "0", "maxCount": "1"}}}, "Sbom": {"summary": "A collection of SPDX Elements describing a single package.", "description": "A Software Bill of Materials (SBOM) is a collection of SPDX Elements describing a single package.\nThis could include details of the content and composition of the product,\nprovenance details of the product and/or\nits composition, licensing information, known quality or security issues, etc.", "metadata": {"name": "Sbom", "SubclassOf": "/Core/Bom", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/Sbom"}, "properties": {"sbomType": {"type": "SbomType", "minCount": "0", "maxCount": "*"}}}, "SoftwareArtifact": {"summary": "A distinct article or unit related to Software.", "description": "A software artifact is a distinct article or unit related to software\nsuch as a package, a file, or a snippet.", "metadata": {"name": "SoftwareArtifact", "SubclassOf": "/Core/Artifact", "Instantiability": "Abstract", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/SoftwareArtifact"}, "properties": {"contentIdentifier": {"type": "xsd:anyURI", "minCount": "0", "maxCount": "1"}, "primaryPurpose": {"type": "SoftwarePurpose", "minCount": "0", "maxCount": "1"}, "additionalPurpose": {"type": "SoftwarePurpose", "minCount": "0", "maxCount": "*"}, "concludedLicense": {"type": "/Licensing/AnyLicenseInfo", "minCount": "0", "maxCount": "1"}, "declaredLicense": {"type": "/Licensing/AnyLicenseInfo", "minCount": "0", "maxCount": "1"}, "copyrightText": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}, "attributionText": {"type": "xsd:string", "minCount": "0", "maxCount": "1"}}}, "SoftwareDependencyRelationship": {"summary": "", "description": "TODO", "metadata": {"name": "SoftwareDependencyRelationship", "SubclassOf": "/Core/LifecycleScopedRelationship", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/SoftwareDependencyRelationship"}, "properties": {"softwareLinkage": {"type": "SoftwareDependencyLinkType", "minCount": "0", "maxCount": "1"}, "conditionality": {"type": "DependencyConditionalityType", "minCount": "0", "maxCount": "1"}}}}, "properties": {"lineRange": {"summary": "Defines the line range in the original host file that the snippet information applies to.", "description": "This field defines the line range in the original host file that the snippet information applies to.\nIf there is a disagreement between the byte range and line range, the byte range values will take precedence.\nA range of lines is a convenient reference for those files where there is a known line delimiter. \nThe choice was made to start the numbering of the lines at 1 to be consistent with the W3C pointer method vocabulary.", "metadata": {"name": "lineRange", "Nature": "DataProperty", "Range": "/Core/PositiveIntegerRange", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/lineRange", "Domain": ["Snippet"]}}, "primaryPurpose": {"summary": "Provides information about the primary purpose of the software artifact.", "description": "primaryPurpose provides information about the primary purpose of the software artifact.", "metadata": {"name": "primaryPurpose", "Nature": "ObjectProperty", "Range": "SoftwarePurpose", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/primaryPurpose", "Domain": ["SoftwareArtifact"]}}, "packageVersion": {"summary": "Identify the version of a package.", "description": "A packageVersion is useful for identification purposes and for indicating later changes of the package version.", "metadata": {"name": "packageVersion", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/packageVersion", "Domain": ["Package"]}}, "conditionality": {"summary": "TODO", "description": "A conditionality is TODO", "metadata": {"name": "conditionality", "Nature": "ObjectProperty", "Range": "DependencyConditionalityType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/conditionality", "Domain": ["SoftwareDependencyRelationship"]}}, "sbomType": {"summary": "Provides information about the type of an SBOM.", "description": "This field is a reasonable estimation of the type of SBOM created from a creator perspective.\nIt is intended to be used to give guidance on the elements that may be contained within it.\nAligning with the guidance produced in [Types of Software Bill of Material (SBOM) Documents](https://www.cisa.gov/sites/default/files/2023-04/sbom-types-document-508c.pdf).", "metadata": {"name": "sbomType", "Nature": "ObjectProperty", "Range": "SbomType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/sbomType", "Domain": ["Sbom"]}}, "concludedLicense": {"summary": "Identifies the license that that SPDX data creator has concluded as governing\nthe software Package, File or Snippet.", "description": "A concludedLicense is the license identified by the SPDX data creator,\nbased on analyzing the license information in the software Package, File\nor Snippet and other information to arrive at a reasonably objective\nconclusion as to what license governs it.\n\nIf a concludedLicense has a NONE value (NoneLicense), this indicates that the\nSPDX data creator has looked and did not find any license information for this\nsoftware Package, File or Snippet.\n\nIf a concludedLicense has a NOASSERTION value (NoAssertionLicense), this\nindicates that one of the following applies:\n* the SPDX data creator has attempted to but cannot reach a reasonable\n objective determination;\n* the SPDX data creator has made no attempt to determine this field; or\n* the SPDX data creator has intentionally provided no information (no\n meaning should be implied by doing so).\n\nA written explanation of a NOASSERTION value (NoAssertionLicense) MAY be\nprovided in the licenseComment field.\n\nIf the concludedLicense for a software Package, File or Snippet is not the\nsame as its declaredLicense, a written explanation SHOULD be provided in\nthe licenseComment field.\n\nIf the declaredLicense for a software Package, File or Snippet is a choice\nof more than one license (e.g. a license expression combining two licenses\nthrough use of the `OR` operator), then the concludedLicense may either\nretain the license choice or identify which license was chosen.", "metadata": {"name": "concludedLicense", "Nature": "ObjectProperty", "Range": "/Licensing/AnyLicenseInfo", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/concludedLicense", "Domain": ["SoftwareArtifact"]}}, "sourceInfo": {"summary": "Records any relevant background information or additional comments\nabout the origin of the package.", "description": "SourceInfo records any relevant background information or additional comments\nabout the origin of the package. For example, this field might include comments \nindicating whether the package was pulled from a source code management system \nor has been repackaged. The creator can provide additional information to describe\nany anomalies or discoveries in the determination of the origin of the package.", "metadata": {"name": "sourceInfo", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/sourceInfo", "Domain": ["Package"]}}, "contentType": {"summary": "Provides information about the content type of an Element.", "description": "This field is a reasonable estimation of the content type of the Element, from a creator perspective.\nContent type is intrinsic to the Element, independent of how the Element is being used.", "metadata": {"name": "contentType", "Nature": "DataProperty", "Range": "/Core/MediaType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/contentType", "Domain": ["File"]}}, "declaredLicense": {"summary": "Identifies the license information actually found in the software Package,\nFile or Snippet, for example as detected by use of automated tooling.", "description": "A declaredLicense is the license identified in text in the software package,\nfile or snippet as the license declared by its authors.\n\nThis field is not intended to capture license information obtained from an\nexternal source, such as a package's website. Such information can be\nincluded, as needed, in a concludedLicense field.\n\nA declaredLicense may be expressed differently in practice for different\ntypes of artifacts. For example:\n\n* for Packages:\n * would include license info describing the license of the Package as a\n whole, when it is found in the Package itself (e.g., LICENSE file,\n README file, metadata in the repository, etc.)\n * would not include any license information that is not in the Package\n itself (e.g., license information from the project\u2019s website or from a\n third party repository or website)\n* for Files:\n * would include license info found in the File itself (e.g., license\n header or notice, comments, SPDX-License-Identifier expression)\n * would not include license info found in a different file (e.g., LICENSE\n file in the top directory of a repository)\n* for Snippets:\n * would include license info found in the Snippet itself (e.g., license\n notice, comments, SPDX-License-Identifier expression)\n * would not include license info found elsewhere in the File or in a\n different File (e.g., comment at top of File if it is not within the\n Snippet, LICENSE file in the top directory of a repository)\n\nIf a declaredLicense has a NONE value (NoneLicense), this indicates that the\ncorresponding Package, File or Snippet contains no license information\nwhatsoever.\n\nIf a declaredLicense has a NOASSERTION value (NoAssertionLicense), this\nindicates that one of the following applies:\n* the SPDX data creator has attempted to but cannot reach a reasonable\n objective determination;\n* the SPDX data creator has made no attempt to determine this field; or\n* the SPDX data creator has intentionally provided no information (no meaning\n should be implied by doing so).", "metadata": {"name": "declaredLicense", "Nature": "ObjectProperty", "Range": "/Licensing/AnyLicenseInfo", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/declaredLicense", "Domain": ["SoftwareArtifact"]}}, "additionalPurpose": {"summary": "Provides additional purpose information of the software artifact.", "description": "Additional purpose provides information about the additional purposes of the software artifact in addition to the primaryPurpose.", "metadata": {"name": "additionalPurpose", "Nature": "ObjectProperty", "Range": "SoftwarePurpose", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/additionalPurpose", "Domain": ["SoftwareArtifact"]}}, "attributionText": {"summary": "Provides a place for the SPDX data creator to record acknowledgement text for\na software Package, File or Snippet.", "description": "An attributionText for a software Package, File or Snippet provides a consumer\nof SPDX data with acknowledgement content, to assist redistributors of the\nPackage, File or Snippet with reproducing those acknowledgements.\n\nFor example, this field may include a statement that is required by a\nparticular license to be reproduced in end-user documentation, advertising\nmaterials, or another form.\n\nThis field may describe where, or in which contexts, the acknowledgements\nneed to be reproduced, but it is not required to do so. The SPDX data creator\nmay also explain elsewhere (such as in a licenseComment field) how they intend\nfor data in this field to be used.\n\nAn attributionText is is not meant to include the software Package, File or\nSnippet\u2019s actual complete license text (see concludedLicense to identify the\ncorresponding license).", "metadata": {"name": "attributionText", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/attributionText", "Domain": ["SoftwareArtifact"]}}, "homePage": {"summary": "A place for the SPDX document creator to record a website that serves as the package's home page.", "description": "HomePage is a place for the SPDX document creator to record a website that serves as the package's home page.\nThis saves the recipient of the SPDX document who is looking for more info from\nhaving to search for and verify a match between the package and the associated project home page.\nThis link can also be used to reference further information about the package\nreferenced by the SPDX document creator.", "metadata": {"name": "homePage", "Nature": "DataProperty", "Range": "xsd:anyURI", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/homePage", "Domain": ["Package"]}}, "contentIdentifier": {"summary": "Provides a place to record the canonical, unique, immutable identifier for each software artifact using the artifact's gitoid.", "description": "The contentIdentifier provides a canonical, unique, immutable artifact identifier for each software artifact. SPDX 3.0 describes software artifacts as Snippet, File, or Package Elements. The ContentIdentifier can be calculated for any software artifact and can be recorded for any of these SPDX 3.0 Elements using Omnibor, an attempt to standardize how software artifacts are identified independent of which programming language, version control system, build tool, package manager, or software distribution mechanism is in use. \n\nThe contentIdentifier is defined as the [Git Object Identifier](https://git-scm.com/book/en/v2/Git-Internals-Git-Objects) (gitoid) of type `blob` of the software artifact. The use of a git-based version control system is not necessary to calculate a contentIdentifier for any software artifact.\n\nThe gitoid is expressed in the ContentIdentifier property by using the IANA [gitoid URI scheme](https://www.iana.org/assignments/uri-schemes/prov/gitoid).\n\n```\nScheme syntax: gitoid\":\"\":\"\":\"\n```\n\nThe OmniBOR ID for the OmniBOR Document associated with a software artifact should not be recorded in this field. Rather, OmniBOR IDs should be recorded in the SPDX Element's ExternalIdentifier property. See [https://omnibor.io](https://omnibor.io) for more details.", "metadata": {"name": "contentIdentifier", "Nature": "DataProperty", "Range": "xsd:anyURI", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/contentIdentifier", "Domain": ["SoftwareArtifact"]}}, "copyrightText": {"summary": "Identifies the text of one or more copyright notices for a software Package,\nFile or Snippet, if any.", "description": "A copyrightText consists of the text(s) of the copyright notice(s) found\nfor a software Package, File or Snippet, if any.\n\nIf a copyrightText contains text, then it may contain any text related to\none or more copyright notices (even if not complete) for that software\nPackage, File or Snippet.\n\nIf a copyrightText has a \"NONE\" value, this indicates that the software\nPackage, File or Snippet contains no copyright notice whatsoever.\n\nIf a copyrightText has a \"NOASSERTION\" value, this indicates that one of the\nfollowing applies:\n* the SPDX data creator has attempted to but cannot reach a reasonable\n objective determination;\n* the SPDX data creator has made no attempt to determine this field; or\n* the SPDX data creator has intentionally provided no information (no\n meaning should be implied by doing so).", "metadata": {"name": "copyrightText", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/copyrightText", "Domain": ["SoftwareArtifact"]}}, "packageUrl": {"summary": "Provides a place for the SPDX data creator to record the package URL string (in accordance with the [package URL spec](https://github.com/package-url/purl-spec/blob/master/PURL-SPECIFICATION.rst)) for a software Package.", "description": "A packageUrl (commonly pronounced and referred to as \"purl\") is an attempt to standardize package representations in order to reliably identify and locate software packages. A purl is a URL string which represents a package in a mostly universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs and databases.\n\nthe purl URL string is defined by seven components:\n```\nscheme:type/namespace/name@version?qualifiers#subpath\n```\n\nThe definition for each component can be found in the [purl specification](https://github.com/package-url/purl-spec/blob/master/PURL-SPECIFICATION.rst). Components are designed such that they form a hierarchy from the most significant on the left to the least significant components on the right. \n\nParsing a purl string into its components works from left to right. Some extra type-specific normalizations are required. For more information, see [How to parse a purl string in its components](https://github.com/package-url/purl-spec/blob/master/PURL-SPECIFICATION.rst#how-to-parse-a-purl-string-in-its-components).", "metadata": {"name": "packageUrl", "Nature": "DataProperty", "Range": "xsd:anyURI", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/packageUrl", "Domain": ["Package"]}}, "byteRange": {"summary": "Defines the byte range in the original host file that the snippet information applies to.", "description": "This field defines the byte range in the original host file that the snippet information applies to.\nA range of bytes is independent of various formatting concerns, and the most accurate way \nof referring to the differences. The choice was made to start the numbering of \nthe byte range at 1 to be consistent with the W3C pointer method vocabulary.", "metadata": {"name": "byteRange", "Nature": "DataProperty", "Range": "/Core/PositiveIntegerRange", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/byteRange", "Domain": ["Snippet"]}}, "softwareLinkage": {"summary": "TODO", "description": "A softwareLinkage is TODO", "metadata": {"name": "softwareLinkage", "Nature": "ObjectProperty", "Range": "SoftwareDependencyLinkType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/softwareLinkage", "Domain": ["SoftwareDependencyRelationship"]}}, "downloadLocation": {"summary": "Identifies the download Uniform Resource Identifier for the package at the time that the document was created.", "description": "DownloadLocation identifies the download Uniform Resource Identifier \nfor the package at the time that the document was created.\nWhere and how to download the exact package being referenced \nis critical for verification and tracking data.", "metadata": {"name": "downloadLocation", "Nature": "DataProperty", "Range": "xsd:anyURI", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/downloadLocation", "Domain": ["Package"]}}}, "vocabs": {"DependencyConditionalityType": {"summary": "TODO", "description": "TODO", "metadata": {"name": "DependencyConditionalityType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/DependencyConditionalityType"}, "entries": {"optional": "TODOdescription", "required": "TODOdescription", "provided": "TODOdescription", "prerequisite": "TODOdescription", "other": "TODOdescription"}}, "SoftwarePurpose": {"summary": "Provides information about the primary purpose of an Element.", "description": "This field provides information about the primary purpose of an Element.\nSoftware Purpose is intrinsic to how the Element is being used rather than the content of the Element.\nThis field is a reasonable estimate of the most likely usage of the Element\nfrom the producer and consumer perspective from which both parties can draw conclusions\nabout the context in which the Element exists.", "metadata": {"name": "SoftwarePurpose", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose"}, "entries": {"application": "the Element is a software application", "archive": "the Element is an archived collection of one or more files (.tar, .zip, etc)", "bom": "Element is a bill of materials", "configuration": "Element is configuration data", "container": "the Element is a container image which can be used by a container runtime application", "data": "Element is data", "device": "the Element refers to a chipset, processor, or electronic board", "documentation": "Element is documentation", "evidence": "the Element is the evidence that a specification or requirement has been fulfilled", "executable": "Element is an Artifact that can be run on a computer", "file": "the Element is a single file which can be independently distributed (configuration file, statically linked binary, Kubernetes deployment, etc)", "firmware": "the Element provides low level control over a device's hardware", "framework": "the Element is a software framework", "install": "the Element is used to install software on disk", "library": "the Element is a software library", "manifest": "the Element is a software manifest", "model": "the Element is a machine learning or artificial intelligence model", "module": "the Element is a module of a piece of software", "operatingSystem": "the Element is an operating system", "other": "the Element doesn't fit into any of the other categories", "patch": "Element contains a set of changes to update, fix, or improve another Element", "requirement": "the Element provides a requirement needed as input for another Element", "source": "the Element is a single or a collection of source files", "specification": "the Element is a plan, guideline or strategy how to create, perform or analyse an application", "test": "The Element is a test used to verify functionality on an software element"}}, "SoftwareDependencyLinkType": {"summary": "TODO", "description": "TODO", "metadata": {"name": "SoftwareDependencyLinkType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/SoftwareDependencyLinkType"}, "entries": {"static": "TODOdescription", "dynamic": "TODOdescription", "tool": "TODOdescription", "other": "TODOdescription"}}, "SbomType": {"summary": "Provides a set of values to be used to describe the common types of SBOMs that tools may create.", "description": "The set of SBOM types with definitions as defined in [Types of Software Bill of Material (SBOM) Documents](https://www.cisa.gov/sites/default/files/2023-04/sbom-types-document-508c.pdf), published on April 21, 2023. \nAn SBOM type describes the most likely type of an SBOM from the producer perspective, so that consumers can draw conclusions about the data inside an SBOM. A single SBOM can have multiple SBOM document types associated with it.", "metadata": {"name": "SbomType", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Software/SbomType"}, "entries": {"design": "SBOM of intended, planned software project or product with included components (some of which may not yet exist) for a new software artifact.", "source": "SBOM created directly from the development environment, source files, and included dependencies used to build an product artifact.", "build": "SBOM generated as part of the process of building the software to create a releasable artifact (e.g., executable or package) from data such as source files, dependencies, built components, build process ephemeral data, and other SBOMs.", "deployed": "SBOM provides an inventory of software that is present on a system. This may be an assembly of other SBOMs that combines analysis of configuration options, and examination of execution behavior in a (potentially simulated) deployment environment.", "runtime": "SBOM generated through instrumenting the system running the software, to capture only components present in the system, as well as external call-outs or dynamically loaded components. In some contexts, this may also be referred to as an \u201cInstrumented\u201d or \u201cDynamic\u201d SBOM.", "analyzed": "SBOM generated through analysis of artifacts (e.g., executables, packages, containers, and virtual machine images) after its build. Such analysis generally requires a variety of heuristics. In some contexts, this may also be referred to as a \u201c3rd party\u201d SBOM."}}}}} \ No newline at end of file +{ + "ExpandedLicense": { + "name": "ExpandedLicense", + "classes": { + "ConjunctiveLicenseSet": { + "summary": "Portion of an AnyLicenseInfo representing a set of licensing information\nwhere all elements apply.", + "description": "A ConjunctiveLicenseSet indicates that _each_ of its subsidiary\nAnyLicenseInfos apply. In other words, a ConjunctiveLicenseSet of two or\nmore licenses represents a licensing situation where _all_ of the specified\nlicenses are to be complied with. It is represented in the SPDX License\nExpression Syntax by the `AND` operator.\n\nIt is syntactically correct to specify a ConjunctiveLicenseSet where the\nsubsidiary AnyLicenseInfos may be \"incompatible\" according to a particular\ninterpretation of the corresponding Licenses. The SPDX License Expression\nSyntax does not take into account interpretation of license texts, which is\nleft to the consumer of SPDX data to determine for themselves.", + "metadata": { + "name": "ConjunctiveLicenseSet", + "SubclassOf": "Licensing/AnyLicenseInfo", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/ExpandedLicense/ConjunctiveLicenseSet" + }, + "properties": { + "member": { + "type": "Licensing/AnyLicenseInfo", + "minCount": "2", + "maxCount": "*" + } + }, + "externalPropertyRestrictions": {} + }, + "DisjunctiveLicenseSet": { + "summary": "Portion of an AnyLicenseInfo representing a set of licensing information\nwhere only any one of the elements applies.", + "description": "A DisjunctiveLicenseSet indicates that _only one_ of its subsidiary\nAnyLicenseInfos is required to apply. In other words, a\nDisjunctiveLicenseSet of two or more licenses represents a licensing\nsituation where _only one_ of the specified licenses are to be complied with.\nA consumer of SPDX data would typically understand this to permit the recipient\nof the licensed content to choose which of the corresponding license they\nwould prefer to use. It is represented in the SPDX License Expression Syntax\nby the `OR` operator.", + "metadata": { + "name": "DisjunctiveLicenseSet", + "SubclassOf": "Licensing/AnyLicenseInfo", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/ExpandedLicense/DisjunctiveLicenseSet" + }, + "properties": { + "member": { + "type": "Licensing/AnyLicenseInfo", + "minCount": "2", + "maxCount": "*" + } + }, + "externalPropertyRestrictions": {} + }, + "ExtendableLicense": { + "summary": "Abstract class representing a License or an OrLaterOperator.", + "description": "The WithAdditionOperator can have a License or an OrLaterOperator as the license property value. This class is used for the value.", + "metadata": { + "name": "ExtendableLicense", + "SubclassOf": "Licensing/AnyLicenseInfo", + "Instantiability": "Abstract", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/ExpandedLicense/ExtendableLicense" + }, + "properties": {}, + "externalPropertyRestrictions": {} + } + }, + "properties": { + "subjectLicense": { + "summary": "A License participating in a 'with addition' or 'or later' model.", + "description": "A subjectLicense is a License which is subject to either an 'or later' effect\n(OrLaterOperator) or a 'with additional text' effect (WithAdditionOperator).", + "metadata": { + "name": "subjectLicense", + "Nature": "ObjectProperty", + "Range": "Licensing/License", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/ExpandedLicense/subjectLicense" + } + }, + "subjectAddition": { + "summary": "A LicenseAddition participating in a 'with addition' model.", + "description": "A subjectAddition is a LicenseAddition which is subject to a 'with additional\ntext' effect (WithAdditionOperator).", + "metadata": { + "name": "subjectAddition", + "Nature": "ObjectProperty", + "Range": "LicenseAddition", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/ExpandedLicense/subjectAddition" + } + }, + "member": { + "summary": "A license expression participating in a license set.", + "description": "A member is a license expression participating in a conjuctive (of type\nConjunctiveLicenseSet) or a disjunctive (of type DisjunctiveLicenseSet)\nlicense set.", + "metadata": { + "name": "member", + "Nature": "ObjectProperty", + "Range": "Licensing/AnyLicenseInfo", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/ExpandedLicense/member", + "Domain": [ + "ConjunctiveLicenseSet", + "DisjunctiveLicenseSet" + ] + } + } + }, + "vocabs": {} + }, + "Core": { + "name": "Core", + "classes": { + "PositiveIntegerRange": { + "summary": "A tuple of two positive integers that define a range.", + "description": "PositiveIntegerRange is a tuple of two positive integers that define a range.\n\"begin\" must be less than or equal to \"end\".", + "metadata": { + "name": "PositiveIntegerRange", + "SubclassOf": "none", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/PositiveIntegerRange" + }, + "properties": { + "begin": { + "type": "xsd:positiveInteger", + "minCount": "1", + "maxCount": "1" + }, + "end": { + "type": "xsd:positiveInteger", + "minCount": "1", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} + }, + "ElementCollection": { + "summary": "A collection of Elements, not necessarily with unifying context.", + "description": "An SpdxCollection is a collection of Elements, not necessarily with unifying context.", + "metadata": { + "name": "ElementCollection", + "SubclassOf": "Element", + "Instantiability": "Abstract", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/ElementCollection" + }, + "properties": { + "element": { + "type": "Element", + "minCount": "1", + "maxCount": "*" + }, + "rootElement": { + "type": "Element", + "minCount": "1", + "maxCount": "*" + }, + "imports": { + "type": "ExternalMap", + "minCount": "0", + "maxCount": "*" + } + }, + "externalPropertyRestrictions": {} + }, + "ExternalReference": { + "summary": "A reference to a resource outside the scope of SPDX-3.0 content.", + "description": "An External Reference points to a resource outside the scope of the SPDX-3.0 content\nthat provides additional characteristics of an Element.", + "metadata": { + "name": "ExternalReference", + "SubclassOf": "none", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/ExternalReference" + }, + "properties": { + "externalReferenceType": { + "type": "ExternalReferenceType", + "maxCount": "1", + "minCount": "0" + }, + "locator": { + "type": "xsd:anyURI", + "minCount": "0", + "maxCount": "*" + }, + "contentType": { + "type": "MediaType", + "maxCount": "1", + "minCount": "0" + }, + "comment": { + "type": "xsd:string", + "maxCount": "1", + "minCount": "0" + } + }, + "externalPropertyRestrictions": {} + }, + "ExternalIdentifier": { + "summary": "A reference to a resource outside the scope of SPDX-3.0 content that uniquely identifies an Element.", + "description": "An ExternalIdentifier is a reference to a resource outside the scope of SPDX-3.0 content\nthat uniquely identifies an Element.", + "metadata": { + "name": "ExternalIdentifier", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/ExternalIdentifier" + }, + "properties": { + "externalIdentifierType": { + "type": "ExternalIdentifierType", + "minCount": "1", + "maxCount": "1" + }, + "identifier": { + "type": "xsd:string", + "minCount": "1", + "maxCount": "1" + }, + "comment": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "identifierLocator": { + "type": "xsd:anyURI", + "minCount": "0", + "maxCount": "*" + }, + "issuingAuthority": { + "type": "xsd:anyURI", + "minCount": "0", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} + }, + "Bom": { + "summary": "A container for a grouping of SPDX-3.0 content characterizing details\n(provenence, composition, licensing, etc.) about a product.", + "description": "A Bill Of Materials (BOM) is a container for a grouping of SPDX-3.0 content\ncharacterizing details about a product.\nThis could include details of the content and composition of the product,\nprovenence details of the product and/or\nits composition, licensing information, known quality or security issues, etc.", + "metadata": { + "name": "Bom", + "SubclassOf": "Bundle", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/Bom" + }, + "properties": {}, + "externalPropertyRestrictions": {} + }, + "SpdxDocument": { + "summary": "Assembles a collection of Elements under a common string, the name of the document.", + "description": "An SpdxDocument assembles a collection of Elements under a common string, the name of the document.\nCommonly used when representing a unit of transfer of SPDX Elements.\nExternal property restriction on /Core/Element/name: minCount: 1", + "metadata": { + "name": "SpdxDocument", + "SubclassOf": "Bundle", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/SpdxDocument" + }, + "properties": { + "name": { + "type": "xsd:string", + "minCount": "1", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": { + "/Core/Element/name": { + "minCount": "1", + "maxCount": "*" + } + } + }, + "Tool": { + "summary": "An element of hardware and/or software utilized to carry out a particular function.", + "description": "A Tool is an element of hardware and/or software utilized to carry out a particular function.", + "metadata": { + "name": "Tool", + "SubclassOf": "Element", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/Tool" + }, + "properties": {}, + "externalPropertyRestrictions": {} + }, + "CreationInfo": { + "summary": "Provides information about the creation of the Element.", + "description": "The CreationInfo provides information about who created the Element, and when and how it was created. \n\nThe dateTime created is often the date of last change (e.g., a git commit date), not the date when the SPDX data was created, as doing so supports reproducible builds.", + "metadata": { + "name": "CreationInfo", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/CreationInfo" + }, + "properties": { + "specVersion": { + "type": "SemVer", + "minCount": "1", + "maxCount": "1" + }, + "comment": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "created": { + "type": "DateTime", + "maxCount": "1", + "minCount": "0" + }, + "createdBy": { + "type": "Agent", + "minCount": "1", + "maxCount": "*" + }, + "createdUsing": { + "type": "Tool", + "minCount": "0", + "maxCount": "*" + }, + "profile": { + "type": "ProfileIdentifierType", + "minCount": "1", + "maxCount": "*" + }, + "dataLicense": { + "type": "xsd:string", + "maxCount": "1", + "minCount": "0" + } + }, + "externalPropertyRestrictions": {} + }, + "Organization": { + "summary": "A group of people who work together in an organized way for a shared purpose.", + "description": "An Organization is a group of people who work together in an organized way for a shared purpose.", + "metadata": { + "name": "Organization", + "SubclassOf": "Agent", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/Organization" + }, + "properties": {}, + "externalPropertyRestrictions": {} + }, + "LifecycleScopedRelationship": { + "summary": "", + "description": "TODO", + "metadata": { + "name": "LifecycleScopedRelationship", + "SubclassOf": "Relationship", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/LifecycleScopedRelationship" + }, + "properties": { + "scope": { + "type": "LifecycleScopeType", + "minCount": "0", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} + }, + "SoftwareAgent": { + "summary": "A software agent.", + "description": "A SoftwareAgent is a software program that is given the authority (similar to a user's authority) to act on a system.", + "metadata": { + "name": "SoftwareAgent", + "SubclassOf": "Agent", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/SoftwareAgent" + }, + "properties": {}, + "externalPropertyRestrictions": {} + }, + "IntegrityMethod": { + "summary": "Provides an independently reproducible mechanism that permits verification of a specific Element.", + "description": "An IntegrityMethod provides an independently reproducible mechanism that permits verification\nof a specific Element that correlates to the data in this SPDX document. This identifier enables\na recipient to determine if anything in the original Element has been changed and eliminates\nconfusion over which version or modification of a specific Element is referenced.", + "metadata": { + "name": "IntegrityMethod", + "Instantiability": "Abstract", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/IntegrityMethod" + }, + "properties": { + "comment": { + "type": "xsd:string", + "maxCount": "1", + "minCount": "0" + } + }, + "externalPropertyRestrictions": {} + }, + "Relationship": { + "summary": "Describes a relationship between one or more elements.", + "description": "A Relationship is a grouping of characteristics unique to an assertion\nthat one Element is related to one or more other Elements in some way.", + "metadata": { + "name": "Relationship", + "SubclassOf": "Element", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/Relationship" + }, + "properties": { + "from": { + "type": "Element", + "minCount": "1", + "maxCount": "1" + }, + "to": { + "type": "Element", + "minCount": "0", + "maxCount": "*" + }, + "relationshipType": { + "type": "RelationshipType", + "minCount": "1", + "maxCount": "1" + }, + "completeness": { + "type": "RelationshipCompleteness", + "minCount": "0", + "maxCount": "1" + }, + "startTime": { + "type": "DateTime", + "minCount": "0", + "maxCount": "1" + }, + "endTime": { + "type": "DateTime", + "minCount": "0", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} + }, + "Element": { + "summary": "Base domain class from which all other SPDX-3.0 domain classes derive.", + "description": "An Element is a representation of a fundamental concept either directly inherent\nto the Bill of Materials (BOM) domain or indirectly related to the BOM domain\nand necessary for contextually characterizing BOM concepts and relationships.\nWithin SPDX-3.0 structure this is the base class acting as a consistent,\nunifying, and interoperable foundation for all explicit\nand inter-relatable content objects.", + "metadata": { + "name": "Element", + "SubclassOf": "none", + "Instantiability": "Abstract", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/Element" + }, + "properties": { + "spdxId": { + "type": "xsd:anyURI", + "minCount": "1", + "maxCount": "1" + }, + "name": { + "type": "xsd:string", + "maxCount": "1", + "minCount": "0" + }, + "summary": { + "type": "xsd:string", + "maxCount": "1", + "minCount": "0" + }, + "description": { + "type": "xsd:string", + "maxCount": "1", + "minCount": "0" + }, + "comment": { + "type": "xsd:string", + "maxCount": "1", + "minCount": "0" + }, + "creationInfo": { + "type": "CreationInfo", + "minCount": "1", + "maxCount": "1" + }, + "verifiedUsing": { + "type": "IntegrityMethod", + "minCount": "0", + "maxCount": "*" + }, + "externalReference": { + "type": "ExternalReference", + "minCount": "0", + "maxCount": "*" + }, + "externalIdentifier": { + "type": "ExternalIdentifier", + "minCount": "0", + "maxCount": "*" + }, + "extension": { + "type": "Extension", + "minCount": "0", + "maxCount": "*" + } + }, + "externalPropertyRestrictions": {} + }, + "Agent": { + "summary": "Agent represents anything with the potential to act on a system.", + "description": "The Agent class represents anything that has the potential to act on a system. This could be a person, organization, software agent, etc. This is not to be confused with tools that are used to perform tasks.", + "metadata": { + "name": "Agent", + "SubclassOf": "Element", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/Agent" + }, + "properties": {}, + "externalPropertyRestrictions": {} + }, + "Hash": { + "summary": "A mathematically calculated representation of a grouping of data.", + "description": "A hash is a grouping of characteristics unique to the result\nof applying a mathematical algorithm\nthat maps data of arbitrary size to a bit string (the hash)\nand is a one-way function, that is,\na function which is practically infeasible to invert.\nThis is commonly used for integrity checking of data.", + "metadata": { + "name": "Hash", + "SubclassOf": "IntegrityMethod", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/Hash" + }, + "properties": { + "algorithm": { + "type": "HashAlgorithm", + "minCount": "1", + "maxCount": "1" + }, + "hashValue": { + "type": "xsd:string", + "minCount": "1", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} + }, + "DictionaryEntry": { + "summary": "A key with an associated value.", + "description": "The class used for implementing a generic string mapping (also known as associative array, dictionary, or hash map) in SPDX. Each DictionaryEntry contains a key-value pair which maps the key to its associated value. To implement a dictionary, this class is to be used in a collection with unique keys.", + "metadata": { + "name": "DictionaryEntry", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/DictionaryEntry" + }, + "properties": { + "key": { + "type": "xsd:string", + "minCount": "1", + "maxCount": "1" + }, + "value": { + "type": "xsd:string", + "maxCount": "1", + "minCount": "0" + } + }, + "externalPropertyRestrictions": {} + }, + "Person": { + "summary": "An individual human being.", + "description": "A Person is an individual human being.", + "metadata": { + "name": "Person", + "SubclassOf": "Agent", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/Person" + }, + "properties": {}, + "externalPropertyRestrictions": {} + }, + "Bundle": { + "summary": "A collection of Elements that have a shared context.", + "description": "A bundle is a collection of Elements that have a shared context.", + "metadata": { + "name": "Bundle", + "SubclassOf": "ElementCollection", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/Bundle" + }, + "properties": { + "context": { + "type": "xsd:string", + "maxCount": "1", + "minCount": "0" + } + }, + "externalPropertyRestrictions": {} + }, + "Artifact": { + "summary": "A distinct article or unit within the digital domain.", + "description": "An artifact is a distinct article or unit within the digital domain,\nsuch as an electronic file, a software package, a device or an element of data.", + "metadata": { + "name": "Artifact", + "SubclassOf": "Element", + "Instantiability": "Abstract", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/Artifact" + }, + "properties": { + "originatedBy": { + "type": "Agent", + "minCount": "0", + "maxCount": "*" + }, + "suppliedBy": { + "type": "Agent", + "minCount": "0", + "maxCount": "*" + }, + "builtTime": { + "type": "DateTime", + "minCount": "0", + "maxCount": "1" + }, + "releaseTime": { + "type": "DateTime", + "minCount": "0", + "maxCount": "1" + }, + "validUntilTime": { + "type": "DateTime", + "minCount": "0", + "maxCount": "1" + }, + "standard": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "*" + } + }, + "externalPropertyRestrictions": {} + }, + "Annotation": { + "summary": "An assertion made in relation to one or more elements.", + "description": "An Annotation is an assertion made in relation to one or more elements.", + "metadata": { + "name": "Annotation", + "SubclassOf": "Element", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/Annotation" + }, + "properties": { + "annotationType": { + "type": "AnnotationType", + "minCount": "1", + "maxCount": "1" + }, + "contentType": { + "type": "MediaType", + "minCount": "0", + "maxCount": "*" + }, + "statement": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "subject": { + "type": "Element", + "minCount": "1", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} + }, + "ExternalMap": { + "summary": "A map of Element identifiers that are used within a Document but defined external to that Document.", + "description": "An External Map is a map of Element identifiers that are used within a Document\nbut defined external to that Document.\nThe external map provides details about the externally-defined Element\nsuch as its provenance, where to retrieve it, and how to verify its integrity.", + "metadata": { + "name": "ExternalMap", + "SubclassOf": "none", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/ExternalMap" + }, + "properties": { + "externalId": { + "type": "xsd:anyURI", + "minCount": "1", + "maxCount": "1" + }, + "verifiedUsing": { + "type": "IntegrityMethod", + "minCount": "0", + "maxCount": "*" + }, + "locationHint": { + "type": "xsd:anyURI", + "maxCount": "1", + "minCount": "0" + }, + "definingDocument": { + "type": "xsd:anyURI", + "maxCount": "1", + "minCount": "0" + } + }, + "externalPropertyRestrictions": {} + } + }, + "properties": { + "begin": { + "summary": "Defines the beginning of a range.", + "description": "begin is a positive integer that defines the beginning of a range.", + "metadata": { + "name": "begin", + "Nature": "DataProperty", + "Range": "xsd:positiveInteger", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/begin", + "Domain": [ + "PositiveIntegerRange" + ] + } + }, + "createdUsing": { + "summary": "Identifies the tooling that was used during the creation of the Element.", + "description": "CreatedUsing identifies the tooling that was used during the creation of the Element.\nThe generation method will assist the recipient of the Element in assessing\nthe general reliability/accuracy of the analysis information.", + "metadata": { + "name": "createdUsing", + "Nature": "ObjectProperty", + "Range": "Tool", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/createdUsing", + "Domain": [ + "CreationInfo" + ] + } + }, + "statement": { + "summary": "Commentary on an assertion that an annotator has made.", + "description": "A statement is a commentary on an assertion that an annotator has made.", + "metadata": { + "name": "statement", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/statement", + "Domain": [ + "Annotation" + ] + } + }, + "creationInfo": { + "summary": "Provides information about the creation of the Element.", + "description": "CreationInfo provides information about the creation of the Element.", + "metadata": { + "name": "creationInfo", + "Nature": "ObjectProperty", + "Range": "CreationInfo", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/creationInfo", + "Domain": [ + "Element" + ] + } + }, + "locationHint": { + "summary": "Provides an indication of where to retrieve an external Element.", + "description": "A locationHint provides an indication of where to retrieve an external Element.", + "metadata": { + "name": "locationHint", + "Nature": "DataProperty", + "Range": "xsd:anyURI", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/locationHint", + "Domain": [ + "ExternalMap" + ] + } + }, + "identifierLocator": { + "summary": "TODO", + "description": "A identifierLocator is TODO", + "metadata": { + "name": "identifierLocator", + "Nature": "DataProperty", + "Range": "xsd:anyURI", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/identifierLocator", + "Domain": [ + "ExternalIdentifier" + ] + } + }, + "subject": { + "summary": "An Element an annotator has made an assertion about.", + "description": "A subject is an Element an annotator has made an assertion about.", + "metadata": { + "name": "subject", + "Nature": "ObjectProperty", + "Range": "Element", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/subject", + "Domain": [ + "Annotation" + ] + } + }, + "validUntilTime": { + "summary": "Specifies until when the artifact can be used before its usage needs to be reassessed.", + "description": "A validUntilTime specifies until when the artifact can be used before its usage needs to be reassessed.", + "metadata": { + "name": "validUntilTime", + "Nature": "DataProperty", + "Range": "DateTime", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/validUntilTime", + "Domain": [ + "Artifact" + ] + } + }, + "definingDocument": { + "summary": "URI for an SPDX document which defines an SPDX element.", + "description": "A definingDocument property is used to link an Element identifier to an SpdxDocument which contains the definition for the Element.", + "metadata": { + "name": "definingDocument", + "Nature": "DataProperty", + "Range": "xsd:anyURI", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/definingDocument", + "Domain": [ + "ExternalMap" + ] + } + }, + "suppliedBy": { + "summary": "Identifies who or what supplied the Artifact.", + "description": "Identify the actual distribution source for the Artifact being referenced.\nThis might or might not be different from the originating distribution source for the artifact.", + "metadata": { + "name": "suppliedBy", + "Nature": "ObjectProperty", + "Range": "Agent", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/suppliedBy", + "Domain": [ + "Artifact" + ] + } + }, + "value": { + "summary": "A value used in a generic key-value pair.", + "description": "A value used in a generic key-value pair.\nA key-value pair can be used to implement a dictionary which associates a key with a value.", + "metadata": { + "name": "value", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/value", + "Domain": [ + "DictionaryEntry" + ] + } + }, + "to": { + "summary": "References an Element on the right-hand side of a relationship.", + "description": "This field references an Element on the right-hand side of a relationship.", + "metadata": { + "name": "to", + "Nature": "ObjectProperty", + "Range": "Element", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/to", + "Domain": [ + "Relationship" + ] + } + }, + "extension": { + "summary": "TODO", + "description": "TODO", + "metadata": { + "name": "extension", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/extension", + "Domain": [ + "Element" + ] + } + }, + "externalId": { + "summary": "Identifies an external Element used within a Document but defined external to that Document.", + "description": "ExternalId identifies an external Element used within a Document but defined external to that Document.", + "metadata": { + "name": "externalId", + "Nature": "DataProperty", + "Range": "xsd:anyURI", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/externalId", + "Domain": [ + "ExternalMap" + ] + } + }, + "externalReference": { + "summary": "Points to a resource outside the scope of the SPDX-3.0 content\nthat provides additional characteristics of an Element.", + "description": "This field points to a resource outside the scope of the SPDX-3.0 content\nthat provides additional characteristics of an Element.", + "metadata": { + "name": "externalReference", + "Nature": "ObjectProperty", + "Range": "ExternalReference", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/externalReference", + "Domain": [ + "Element" + ] + } + }, + "from": { + "summary": "References the Element on the left-hand side of a relationship.", + "description": "This field references the Element on the left-hand side of a relationship.", + "metadata": { + "name": "from", + "Nature": "ObjectProperty", + "Range": "Element", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/from", + "Domain": [ + "Relationship" + ] + } + }, + "created": { + "summary": "Identifies when the Element was originally created.", + "description": "Created is a date that identifies when the Element was originally created.\nThe time stamp can serve as an indication as to whether the analysis needs to be updated. This is often the date of last change (e.g., a git commit date), not the date when the SPDX data was created, as doing so supports reproducible builds.", + "metadata": { + "name": "created", + "Nature": "DataProperty", + "Range": "DateTime", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/created", + "Domain": [ + "CreationInfo" + ] + } + }, + "releaseTime": { + "summary": "Specifies the time an artifact was released.", + "description": "A releaseTime specifies the time an artifact was released.", + "metadata": { + "name": "releaseTime", + "Nature": "DataProperty", + "Range": "DateTime", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/releaseTime", + "Domain": [ + "Artifact" + ] + } + }, + "startTime": { + "summary": "Specifies the time from which an element is applicable / valid.", + "description": "A startTime specifies the time from which element is applicable / valid.", + "metadata": { + "name": "startTime", + "Nature": "DataProperty", + "Range": "DateTime", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/startTime", + "Domain": [ + "Relationship" + ] + } + }, + "rootElement": { + "summary": "Top level Element from which all other Elements are reached via relationships.", + "description": "A rootElement of a collection is the top level Element from which all other Elements are reached via relationships.", + "metadata": { + "name": "rootElement", + "Nature": "ObjectProperty", + "Range": "Element", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/rootElement", + "Domain": [ + "ElementCollection" + ] + } + }, + "prefix": { + "summary": "A substitute for a URI.", + "description": "A prefix is a substitute for a URI.", + "metadata": { + "name": "prefix", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/prefix" + } + }, + "externalIdentifierType": { + "summary": "Specifies the type of the external identifier.", + "description": "An externalIdentifierType specifies the type of the external identifier.", + "metadata": { + "name": "externalIdentifierType", + "Nature": "ObjectProperty", + "Range": "ExternalIdentifierType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/externalIdentifierType", + "Domain": [ + "ExternalIdentifier" + ] + } + }, + "contentType": { + "summary": "Specifies the media type of an Element.", + "description": "ContentType specifies the media type of an Element.", + "metadata": { + "name": "contentType", + "Nature": "DataProperty", + "Range": "MediaType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/contentType", + "Domain": [ + "ExternalReference", + "Annotation" + ] + } + }, + "element": { + "summary": "Refers to one or more Elements that are part of an ElementCollection.", + "description": "This field refers to one or more Elements that are part of an ElementCollection.", + "metadata": { + "name": "element", + "Nature": "ObjectProperty", + "Range": "Element", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/element", + "Domain": [ + "ElementCollection" + ] + } + }, + "relationshipType": { + "summary": "Information about the relationship between two Elements.", + "description": "This field provides information about the relationship between two Elements.\nFor example, you can represent a relationship between two different Files,\nbetween a Package and a File, between two Packages, or between one SPDXDocument and another SPDXDocument.", + "metadata": { + "name": "relationshipType", + "Nature": "ObjectProperty", + "Range": "RelationshipType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/relationshipType", + "Domain": [ + "Relationship" + ] + } + }, + "specVersion": { + "summary": "Provides a reference number that can be used to understand how to parse and interpret an Element.", + "description": "The specVersion provides a reference number that can be used to understand how to parse and interpret an Element.\nIt will enable both future changes to the specification and to support backward compatibility.\nThe major version number shall be incremented when incompatible changes between versions are made\n(one or more sections are created, modified or deleted).\nThe minor version number shall be incremented when backwards compatible changes are made.\n\nHere, parties exchanging information in accordance with the SPDX specification need to provide \n100% transparency as to which SPDX specification version such information is conforming to.", + "metadata": { + "name": "specVersion", + "Nature": "DataProperty", + "Range": "SemVer", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/specVersion", + "Domain": [ + "CreationInfo" + ] + } + }, + "originatedBy": { + "summary": "Identifies from where or whom the Element originally came.", + "description": "OriginatedBy identifies from where or whom the Element originally came.", + "metadata": { + "name": "originatedBy", + "Nature": "ObjectProperty", + "Range": "Agent", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/originatedBy", + "Domain": [ + "Artifact" + ] + } + }, + "verifiedUsing": { + "summary": "Provides an IntegrityMethod with which the integrity of an Element can be asserted.", + "description": "VerifiedUsing provides an IntegrityMethod with which the integrity of an Element can be asserted.", + "metadata": { + "name": "verifiedUsing", + "Nature": "ObjectProperty", + "Range": "IntegrityMethod", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/verifiedUsing", + "Domain": [ + "Element", + "ExternalMap" + ] + } + }, + "dataLicense": { + "summary": "Provides the license under which the SPDX documentation of the Element can be used.", + "description": "The data license provides the license under which the SPDX documentation of the Element can be used.\nThis is to alleviate any concern that content (the data or database) in an SPDX file\nis subject to any form of intellectual property right that could restrict the re-use\nof the information or the creation of another SPDX file for the same project(s).\nThis approach avoids intellectual property and related restrictions over the SPDX file,\nhowever individuals can still contract with each other to restrict release\nof specific collections of SPDX files (which map to software bill of materials)\nand the identification of the supplier of SPDX files.\nCompliance with this document includes populating the SPDX fields therein\nwith data related to such fields (\"SPDX-Metadata\"). \nThis document contains numerous fields where an SPDX file creator may provide\nrelevant explanatory text in SPDX-Metadata. Without opining on the lawfulness\nof \"database rights\" (in jurisdictions where applicable),\nsuch explanatory text is copyrightable subject matter in most Berne Convention countries.\nBy using the SPDX specification, or any portion hereof,\nyou hereby agree that any copyright rights (as determined by your jurisdiction)\nin any SPDX-Metadata, including without limitation explanatory text,\nshall be subject to the terms of the Creative Commons CC0 1.0 Universal license. \nFor SPDX-Metadata not containing any copyright rights, \nyou hereby agree and acknowledge that the SPDX-Metadata is provided to you \u201cas-is\u201d\nand without any representations or warranties of any kind concerning the SPDX-Metadata,\nexpress, implied, statutory or otherwise, including without limitation warranties\nof title, merchantability, fitness for a particular purpose, non-infringement,\nor the absence of latent or other defects, accuracy, or the presence or absence of errors,\nwhether or not discoverable, all to the greatest extent permissible under applicable law.", + "metadata": { + "name": "dataLicense", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/dataLicense", + "Domain": [ + "CreationInfo" + ] + } + }, + "algorithm": { + "summary": "Specifies the algorithm used for calculating the hash value.", + "description": "An algorithm specifies the algorithm that was used for calculating the hash value.", + "metadata": { + "name": "algorithm", + "Nature": "ObjectProperty", + "Range": "HashAlgorithm", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/algorithm", + "Domain": [ + "Hash" + ] + } + }, + "summary": { + "summary": "A short description of an Element.", + "description": "A summary is a short description of an Element. Here, the intent is to allow the Element creator to \nprovide concise information about the function or use of the Element.", + "metadata": { + "name": "summary", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/summary", + "Domain": [ + "Element" + ] + } + }, + "end": { + "summary": "Defines the end of a range.", + "description": "end is a positive integer that defines the end of a range.", + "metadata": { + "name": "end", + "Nature": "DataProperty", + "Range": "xsd:positiveInteger", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/end", + "Domain": [ + "PositiveIntegerRange" + ] + } + }, + "hashValue": { + "summary": "The result of applying a hash algorithm to an Element.", + "description": "HashValue is the result of applying a hash algorithm to an Element.", + "metadata": { + "name": "hashValue", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/hashValue", + "Domain": [ + "Hash" + ] + } + }, + "externalIdentifier": { + "summary": "Provides a reference to a resource outside the scope of SPDX-3.0 content\nthat uniquely identifies an Element.", + "description": "ExternalIdentifier points to a resource outside the scope of SPDX-3.0 content\nthat uniquely identifies an Element.", + "metadata": { + "name": "externalIdentifier", + "Nature": "ObjectProperty", + "Range": "ExternalIdentifier", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/externalIdentifier", + "Domain": [ + "Element" + ] + } + }, + "spdxId": { + "summary": "Identifies an Element to be referenced by other Elements.", + "description": "SpdxId uniquely identifies an Element which may thereby be referenced by other Elements.\nThese references may be internal or external.\nWhile there may be several versions of the same Element, each one needs to be able to be referred to uniquely\nso that relationships between Elements can be clearly articulated.", + "metadata": { + "name": "spdxId", + "Nature": "DataProperty", + "Range": "xsd:anyURI", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/spdxId", + "Domain": [ + "Element" + ] + } + }, + "description": { + "summary": "Provides a detailed description of the Element.", + "description": "This field is a detailed description of the Element. It may also be extracted from the Element itself.\nThe intent is to provide recipients of the SPDX file with a detailed technical explanation\nof the functionality, anticipated use, and anticipated implementation of the Element.\nThis field may also include a description of improvements over prior versions of the Element.", + "metadata": { + "name": "description", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/description", + "Domain": [ + "Element" + ] + } + }, + "locator": { + "summary": "Provides the location of an external reference.", + "description": "A locator provides the location of an external reference.", + "metadata": { + "name": "locator", + "Nature": "DataProperty", + "Range": "xsd:anyURI", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/locator", + "Domain": [ + "ExternalReference" + ] + } + }, + "annotationType": { + "summary": "Describes the type of annotation.", + "description": "An annotationType describes the type of an annotation.", + "metadata": { + "name": "annotationType", + "Nature": "ObjectProperty", + "Range": "AnnotationType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/annotationType", + "Domain": [ + "Annotation" + ] + } + }, + "issuingAuthority": { + "summary": "TODO", + "description": "A issuingAuthority is TODO", + "metadata": { + "name": "issuingAuthority", + "Nature": "DataProperty", + "Range": "xsd:anyURI", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/issuingAuthority", + "Domain": [ + "ExternalIdentifier" + ] + } + }, + "builtTime": { + "summary": "Specifies the time an artifact was built.", + "description": "A builtTime specifies the time an artifact was built.", + "metadata": { + "name": "builtTime", + "Nature": "DataProperty", + "Range": "DateTime", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/builtTime", + "Domain": [ + "Artifact" + ] + } + }, + "profile": { + "summary": "Provides information about which profiles the Element belongs to.", + "description": "This field provides information about which profiles the Element belongs to.", + "metadata": { + "name": "profile", + "Nature": "ObjectProperty", + "Range": "ProfileIdentifierType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/profile", + "Domain": [ + "CreationInfo" + ] + } + }, + "context": { + "summary": "Gives information about the circumstances or unifying properties\nthat Elements of the bundle have been assembled under.", + "description": "A context gives information about the circumstances or unifying properties\nthat Elements of the bundle have been assembled under.", + "metadata": { + "name": "context", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/context", + "Domain": [ + "Bundle" + ] + } + }, + "comment": { + "summary": "Provide consumers with comments by the creator of the Element about the Element.", + "description": "A comment is an optional field for creators of the Element to provide comments\nto the readers/reviewers of the document.", + "metadata": { + "name": "comment", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/comment", + "Domain": [ + "ExternalReference", + "ExternalIdentifier", + "CreationInfo", + "IntegrityMethod", + "Element" + ] + } + }, + "imports": { + "summary": "Provides an ExternalMap of Element identifiers.", + "description": "Imports provides an ExternalMap of Element identifiers that are used within a document\nbut defined external to that document.", + "metadata": { + "name": "imports", + "Nature": "ObjectProperty", + "Range": "ExternalMap", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/imports", + "Domain": [ + "ElementCollection" + ] + } + }, + "name": { + "summary": "Identifies the name of an Element as designated by the creator.", + "description": "This field identifies the name of an Element as designated by the creator. \nThe name of an Element is an important convention and easier to refer to than the URI.", + "metadata": { + "name": "name", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/name", + "Domain": [ + "SpdxDocument", + "Element" + ] + } + }, + "standard": { + "summary": "The relevant standards that may apply to an artifact.", + "description": "Various standards may be relevant to useful to capture for specific artifacts.", + "metadata": { + "name": "standard", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/standard", + "Domain": [ + "Artifact" + ] + } + }, + "endTime": { + "summary": "Specifies the time from which an element is no longer applicable / valid.", + "description": "A endTime specifies the time from which element is no applicable / valid.", + "metadata": { + "name": "endTime", + "Nature": "DataProperty", + "Range": "DateTime", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/endTime", + "Domain": [ + "Relationship" + ] + } + }, + "scope": { + "summary": "TODO", + "description": "A scope is TODO", + "metadata": { + "name": "scope", + "Nature": "ObjectProperty", + "Range": "LifecycleScopeType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/scope", + "Domain": [ + "LifecycleScopedRelationship" + ] + } + }, + "key": { + "summary": "A key used in a generic key-value pair.", + "description": "A key used in generic a key-value pair.\nA key-value pair can be used to implement a dictionary which associates a key with a value.", + "metadata": { + "name": "key", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/key", + "Domain": [ + "DictionaryEntry" + ] + } + }, + "identifier": { + "summary": "Uniquely identifies an external element.", + "description": "An identifier uniquely identifies an external element.", + "metadata": { + "name": "identifier", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/identifier", + "Domain": [ + "ExternalIdentifier" + ] + } + }, + "completeness": { + "summary": "Provides information about the completeness of relationships.", + "description": "Completeness gives information about whether the provided relationships are\ncomplete, known to be incomplete or if no assertion is made either way.", + "metadata": { + "name": "completeness", + "Nature": "ObjectProperty", + "Range": "RelationshipCompleteness", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/completeness", + "Domain": [ + "Relationship" + ] + } + }, + "externalReferenceType": { + "summary": "Specifies the type of the external reference.", + "description": "An externalReferenceType specifies the type of the external reference.", + "metadata": { + "name": "externalReferenceType", + "Nature": "ObjectProperty", + "Range": "ExternalReferenceType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/externalReferenceType", + "Domain": [ + "ExternalReference" + ] + } + }, + "createdBy": { + "summary": "Identifies who or what created the Element.", + "description": "CreatedBy identifies who or what created the Element.\nThe generation method will assist the recipient of the Element in assessing\nthe general reliability/accuracy of the analysis information.", + "metadata": { + "name": "createdBy", + "Nature": "ObjectProperty", + "Range": "Agent", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/createdBy", + "Domain": [ + "CreationInfo" + ] + } + } + }, + "vocabs": { + "RelationshipCompleteness": { + "summary": "Indicates whether a relationship is complete or known to be incomplete or if there\nis made no assertion either way.", + "description": "RelationshipCompleteness indicates whether a relationship is complete or \nknown to be incomplete or if there is made no assertion either way.", + "metadata": { + "name": "RelationshipCompleteness", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/RelationshipCompleteness" + }, + "entries": { + "incomplete": "The relationship is known not to be exhaustive.", + "complete": "The relationship is known to be exhaustive.", + "noAssertion": "There can be made no assertion about the completeness of the relationship." + } + }, + "ProfileIdentifierType": { + "summary": "Enumeration of the valid profiles that an element can be specified to be part of.", + "description": "There are a set of profiles that have been defined to be valid for a specific release This file enumerates the values that have been agreed on, and may be applied to the creation information for an an element.", + "metadata": { + "name": "ProfileIdentifierType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/ProfileIdentifierType" + }, + "entries": { + "core": "the element follows the Core profile specification", + "software": "the element follows the Software profile specification", + "licensing": "the element follows the Licensing profile specification", + "security": "the element follows the Security profile specification", + "build": "the element follows the Build profile specification", + "ai": "the element follows the AI profile specification", + "dataset": "the element follows the Dataset profile specification", + "usage": "the element follows the Usage profile specification", + "extension": "the element follows the Extension profile specification" + } + }, + "ExternalIdentifierType": { + "summary": "Specifies the type of an external identifier.", + "description": "ExteralIdentifierType specifies the type of an external identifier.", + "metadata": { + "name": "ExternalIdentifierType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/ExternalIdentifierType" + }, + "entries": { + "cpe22": "https://cpe.mitre.org/files/cpe-specification_2.2.pdf", + "cpe23": "https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7695.pdf", + "cve": "An identifier for a specific software flaw defined within the official CVE Dictionary and that conforms to the CVE specification as defined by https://csrc.nist.gov/glossary/term/cve_id.", + "email": "https://datatracker.ietf.org/doc/html/rfc3696#section-3", + "gitoid": "https://www.iana.org/assignments/uri-schemes/prov/gitoid Gitoid stands for [Git Object ID](https://git-scm.com/book/en/v2/Git-Internals-Git-Objects) and a gitoid of type blob is a unique hash of a binary artifact. A gitoid may represent the software [Artifact ID](https://github.com/omnibor/spec/blob/main/spec/SPEC.md#artifact-id) or the [OmniBOR Identifier](https://github.com/omnibor/spec/blob/main/spec/SPEC.md#omnibor-identifier) for the software artifact's associated [OmniBOR Document](https://github.com/omnibor/spec/blob/main/spec/SPEC.md#omnibor-document); this ambiguity exists because the OmniBOR Document is itself an artifact, and the gitoid of that artifact is its valid identifier. Omnibor is a minimalistic schema to describe software [Artifact Dependency Graphs](https://github.com/omnibor/spec/blob/main/spec/SPEC.md#artifact-dependency-graph-adg). Gitoids calculated on software artifacts (Snippet, File, or Package Elements) should be recorded in the SPDX 3.0 SoftwareArtifact's ContentIdentifier property. Gitoids calculated on the OmniBOR Document (OmniBOR Identifiers) should be recorded in the SPDX 3.0 Element's ExternalIdentifier property.", + "other": "Used when the type doesn't match any of the other options.", + "pkgUrl": "https://github.com/package-url/purl-spec", + "securityOther": "Used when there is a security related identifier of unspecified type.", + "swhid": "https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html", + "swid": "https://www.ietf.org/archive/id/draft-ietf-sacm-coswid-21.html#section-2.3", + "urlScheme": "the scheme used in order to locate a resource https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml" + } + }, + "ExternalReferenceType": { + "summary": "Specifies the type of an external reference.", + "description": "ExteralReferenceType specifies the type of an external reference.", + "metadata": { + "name": "ExternalReferenceType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/ExternalReferenceType" + }, + "entries": { + "altDownloadLocation": "A reference to an alternative download location.", + "altWebPage": "A reference to an alternative web page.", + "binaryArtifact": "A reference to binary artifacts related to a package.", + "buildMeta": "A reference build metadata related to a published package.", + "buildSystem": "A reference build system used to create or publish the package.", + "chat": "A reference to the instant messaging system used by the maintainer for a package.", + "certificationReport": "A reference to a certification report for a package from an accredited/independent body.", + "componentAnalysisReport": "A reference to a Software Composition Analysis (SCA) report.", + "documentation": "A reference to the documentation for a package.", + "dynamicAnalysisReport": "A reference to a dynamic analysis report for a package.", + "eolNotice": "A reference to the End Of Sale (EOS) and/or End Of Life (EOL) information related to a package.", + "exportControlAssessment": "A reference to a export control assessment for a package.", + "funding": "A reference to funding information related to a package.", + "issueTracker": "A reference to the issue tracker for a package.", + "mailingList": "A reference to the mailing list used by the maintainer for a package.", + "metrics": "A reference to metrics related to package such as OpenSSF scorecards.", + "license": "A reference to additional license information related to an artifact.", + "other": "Used when the type doesn't match any of the other options.", + "privacyAssessment": "A reference to a privacy assessment for a package.", + "productMetadata": "A reference to additional product metadata such as reference within organization's product catalog.", + "purchaseOrder": "A reference to a purchase order for a package.", + "releaseNotes": "A reference to the release notes for a package.", + "releaseHistory": "A reference to a published list of releases for a package.", + "riskAssessment": "A reference to a risk assessment for a package.", + "runtimeAnalysisReport": "A reference to a runtime analysis report for a package.", + "secureSoftwareAttestation": "A reference to information assuring that the software is developed using security practices as defined by [NIST SP 800-218 Secure Software Development Framework (SSDF)](https://csrc.nist.gov/publications/detail/sp/800-218/final) or [CISA Secure Software Development Attestation Form](https://www.cisa.gov/sites/default/files/2023-04/secure-software-self-attestation_common-form_508.pdf).", + "securityAdvisory": "A reference to a published security advisory (where advisory as defined per ISO 29147:2018) that may affect one or more elements, e.g., vendor advisories or specific NVD entries.", + "securityAdversaryModel": "A reference to the security adversary model for a package.", + "securityFix": "A reference to the patch or source code that fixes a vulnerability.", + "securityOther": "A reference to related security information of unspecified type.", + "securityPenTestReport": "A reference to a [penetration test](https://en.wikipedia.org/wiki/Penetration_test) report for a package.", + "securityPolicy": "A reference to instructions for reporting newly discovered security vulnerabilities for a package.", + "securityThreatModel": "A reference the [security threat model](https://en.wikipedia.org/wiki/Threat_model) for a package.", + "socialMedia": "A reference to a social media channel for a package.", + "sourceArtifact": "A reference to an artifact containing the sources for a package.", + "staticAnalysisReport": "A reference to a static analysis report for a package.", + "support": "A reference to the software support channel or other support information for a package.", + "vcs": "A reference to a version control system related to a software artifact.", + "vulnerabilityDisclosureReport": "A reference to a Vulnerability Disclosure Report (VDR) which provides the software supplier's analysis and findings describing the impact (or lack of impact) that reported vulnerabilities have on packages or products in the supplier's SBOM as defined in [NIST SP 800-161](https://csrc.nist.gov/publications/detail/sp/800-161/rev-1/final).", + "vulnerabilityExploitabilityAssessment": "A reference to a Vulnerability Exploitability eXchange (VEX) statement which provides information on whether a product is impacted by a specific vulnerability in an included package and, if affected, whether there are actions recommended to remediate. See also [NTIA VEX one-page](https://ntia.gov/files/ntia/publications/vex_one-page_summary.pdf)..", + "qualityAssessmentReport": "A reference to a quality assessment for a package." + } + }, + "LifecycleScopeType": { + "summary": "TODO", + "description": "TODO", + "metadata": { + "name": "LifecycleScopeType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/LifecycleScopeType" + }, + "entries": { + "design": "TODOdescription", + "build": "TODOdescription", + "development": "TODOdescription", + "test": "TODOdescription", + "runtime": "TODOdescription", + "other": "TODOdescription" + } + }, + "AnnotationType": { + "summary": "Specifies the type of an annotation.", + "description": "AnnotationType specifies the type of an annotation.", + "metadata": { + "name": "AnnotationType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/AnnotationType" + }, + "entries": { + "other": "Used to store extra information about an Element which is not part of a Review (e.g. extra information provided during the creation of the Element).", + "review": "Used when someone reviews the Element." + } + }, + "HashAlgorithm": { + "summary": "A mathematical algorithm that maps data of arbitrary size to a bit string.", + "description": "A HashAlgorithm is a mathematical algorithm that maps data of arbitrary size to a bit string (the hash)\nand is a one-way function, that is, a function which is practically infeasible to invert.", + "metadata": { + "name": "HashAlgorithm", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/HashAlgorithm" + }, + "entries": { + "blake2b256": "blake2b algorithm with a digest size of 256 https://datatracker.ietf.org/doc/html/rfc7693#section-4", + "blake2b384": "blake2b algorithm with a digest size of 384 https://datatracker.ietf.org/doc/html/rfc7693#section-4", + "blake2b512": "blake2b algorithm with a digest size of 512 https://datatracker.ietf.org/doc/html/rfc7693#section-4", + "blake3": "https://github.com/BLAKE3-team/BLAKE3-specs/blob/master/blake3.pdf", + "crystalsKyber": "https://pq-crystals.org/kyber/index.shtml", + "crystalsDilithium": "https://pq-crystals.org/dilithium/index.shtml", + "falcon": "https://falcon-sign.info/falcon.pdf", + "md2": "https://datatracker.ietf.org/doc/rfc1319/", + "md4": "https://datatracker.ietf.org/doc/html/rfc1186", + "md5": "https://datatracker.ietf.org/doc/html/rfc1321", + "md6": "https://people.csail.mit.edu/rivest/pubs/RABCx08.pdf", + "other": "any hashing algorithm that does not exist in this list of entries", + "sha1": "https://datatracker.ietf.org/doc/html/rfc3174", + "sha224": "secure hashing algorithm with a digest length of 224 https://datatracker.ietf.org/doc/html/draft-ietf-pkix-sha224-01", + "sha256": "secure hashing algorithm with a digest length of 256 https://www.rfc-editor.org/rfc/rfc4634", + "sha3_224": "sha3 with a digest length of 224 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf", + "sha3_256": "sha3 with a digest length of 256 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf", + "sha3_384": "sha3 with a digest length of 384 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf", + "sha3_512": "sha3 with a digest length of 512 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf", + "sha384": "secure hashing algorithm with a digest length of 384 https://www.rfc-editor.org/rfc/rfc4634", + "sha512": "secure hashing algorithm with a digest length of 512 https://www.rfc-editor.org/rfc/rfc4634", + "spdxPvcSha1": "TODOdescription", + "spdxPvcSha256": "TODOdescription", + "sphincsPlus": "TODOdescription" + } + }, + "RelationshipType": { + "summary": "Information about the relationship between two Elements.", + "description": "Provides information about the relationship between two Elements.\nFor example, you can represent a relationship between two different Files,\nbetween a Package and a File, between two Packages, or between one SPDXDocument and another SPDXDocument.", + "metadata": { + "name": "RelationshipType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/RelationshipType" + }, + "entries": { + "affects": "(Security/VEX) Designates one or more elements as affected by a vulnerability", + "amends": "Every `to` Element amends the `from` Element", + "ancestor": "Every `to` Element is an ancestor of the `from` Element", + "availableFrom": "This relationship is used to identify additional suppliers where an artifact is available from.", + "buildDependency": "Every `to` Element is a build dependency of the `from` Element", + "buildTool": "Build tool used to build an Element. This may be used to describe the build tool of a Build instance", + "coordinatedBy": "(Security) Used to identify the vendor, researcher, or consumer agent performing coordination for a vulnerability", + "contains": "Every `to` Element is contained by the `from` Element", + "configOf": "(Build) Configuration information applied to an Element instance during a LifeycleScopeType period. Example: Build configuration of the build instance", + "copy": "Every `to` Element is a copy of the `from` Element", + "dataFile": "Every `to` Element is a data file related to the the `from` Element", + "dependencyManifest": "Every `to` Element is manifest file containing dependency information related to the `from` Element", + "dependsOn": "Every `to` Element is a dependecy of the `from` Element", + "descendant": "This relationship may be used to describe child builds of a Build instance.", + "describes": "Every `to` Element is described by the `from` Element. This can be used to denote the root(s) of a tree of elements contained in an SBOM.", + "devDependency": "Every `to` Element is a development dependency for the `from` Element", + "devTool": "Every `to` Element is a development tool for the `from` Element", + "distributionArtifact": "Every `to` Element is an artifact intended for distribution of the `from` Element (e.g. an RPM or archive file)", + "documentation": "Every `to` Element is documentation for the `from` Element", + "doesNotAffect": "(Security/VEX) Specifies a vulnerability has no impact on one or more elements", + "dynamicLink": "Every `to` Element is dynamically linked to the `from` Element", + "example": "Every `to` Element is an example for the `from` Element", + "evidenceFor": "(Dataset) Every `to` Element is can be considered as evidence for the `from` Element", + "expandedFromArchive": "Every `to` Element is an artifact expanded from the `from` archive file", + "exploitCreatedBy": "(Security) Designates an agent has created an exploit against a vulnerability", + "fileAdded": "Every `to` Element is is a file added to the `from` Element", + "fileDeleted": "Every `to` Element is a file deleted from the `from` Element", + "fileModified": "Every `to` Element is a modification of the `from` Element", + "fixedBy": "(Security) Designates a vulnerability has been fixed by an agent", + "fixedIn": "(Security/VEX) A vulnerability has been fixed in one or more elements", + "foundBy": "(Security) Designates an agent was the original discoverer of a security vulnerability", + "generates": "Every `to` Element is generated from the `from` Element", + "hasAssessmentFor": "(Security) Relates a Vulnerability and an Element with a security assessment.", + "hasAssociatedVulnerability": "(Security) Used to associate a security vulnerability with a software artifact", + "hostOf": "(Build) The`from` Element in which every instance of the `to` Element during a LifecycleScopeType period runs on. Example: host that the build runs on for an element.", + "inputOf": "(Build) Input to the Element instance during a LifecycleScopeType period. Example: input to the build instance for an element.", + "invokedBy": "(Build) Every`to` Agent that invoked a `from` Element instance during a LifecycleScopeType period. Example: Agent that invoked the build for an element", + "metafile": "Every `to` Element is is a file containing metadata about the `from` Element", + "onBehalfOf": "(Build) Every `to` Agent acting on behalf of another `from` Agent during a LifecycleScopeType period", + "optionalComponent": "Every `to` Element is an optional component of the `from` Element", + "optionalDependency": "Every `to` Element is an optional dependency of the `from` Element", + "other": "Every `to` Element is related to the `from` Element where the relationship type is not described by any of the SPDX relationhip types", + "outputOf": "(Build) `from` Element that is output `to` the Element instance during a LifecycleScopeType period. Example: output of the build instance", + "packages": "Every `to` Element is a packaged form of the `from` Element", + "patch": "Every `to` Element is a patch for the `from` Element", + "prerequisite": "Every `to` Element is a prerequisite of the `from` Element", + "providedDependency": "Every `to` Element is a dependency not included in the distributed artifact but is assumed to be provided the `from` Element", + "publishedBy": "(Security) Designates the agent that made a vulnerability record available for public use or reference", + "reportedBy": "(Security) Designates the agent that first reported a vulnerability to the project, vendor, or tracking database for formal identification", + "republishedBy": "(Security) Designates the agent that tracked, aggregated, and/or enriched vulnerability details to improve context (i.e. NVD)", + "requirementFor": "Every `to` Element is required for the `from` Element", + "runtimeDependency": "Every `to` Element is a runtime dependency for the `from` Element", + "specificationFor": "Every `to` Element is a specification for the `from` Element", + "staticLink": "Every `to` Element is statically linked to the `from` Element", + "test": "Every `to` Element is a test artifact for the `from` Element", + "testCase": "Every `to` Element is a test case for the `from` Element", + "testDependency": "Every `to` Element is a test dependency for the `from` Element", + "testTool": "Every `to` Element is a test tool for the `from` Element", + "testedOn": "(AI, Dataset) The `from` Element has been tested on the `to` Element", + "trainedOn": "(AI, Dataset) The `from` Element has been trained by the `to` Element(s)", + "underInvestigationFor": "(Security/VEX) The impact of a vulnerability is being investigated", + "variant": "Every `to` Element is a variant the `from` Element" + } + } + } + }, + "Dataset": { + "name": "Dataset", + "classes": { + "Dataset": { + "summary": "Provides information about the fields in the Dataset profile.", + "description": "Metadata information that can be added to a dataset that may be used in a software or to train/test an AI package.\nExternal property restriction on /Core/Artifact/originatedBy: minCount: 1\nExternal property restriction on /Software/Package/downloadLocation: minCount: 1\nExternal property restriction on /Software/SoftwareArtifact/primaryPurpose: minCount: 1\nExternal property restriction on /Core/Artifact/releaseTime: minCount: 1\nExternal property restriction on /Core/Artifact/builtTime: minCount: 1", + "metadata": { + "name": "Dataset", + "SubclassOf": "/Software/Package", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Dataset/Dataset" + }, + "properties": { + "datasetType": { + "type": "DatasetType", + "minCount": "1", + "maxCount": "*" + }, + "dataCollectionProcess": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "intendedUse": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "datasetSize": { + "type": "xsd:nonNegativeInteger", + "minCount": "0", + "maxCount": "1" + }, + "datasetNoise": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "dataPreprocessing": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "*" + }, + "sensor": { + "type": "/Core/DictionaryEntry", + "minCount": "0", + "maxCount": "*" + }, + "knownBias": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "*" + }, + "sensitivePersonalInformation": { + "type": "PresenceType", + "minCount": "0", + "maxCount": "1" + }, + "anonymizationMethodUsed": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "*" + }, + "confidentialityLevel": { + "type": "ConfidentialityLevelType", + "minCount": "0", + "maxCount": "1" + }, + "datasetUpdateMechanism": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "datasetAvailability": { + "type": "DatasetAvailabilityType", + "minCount": "0", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": { + "/Core/Artifact/originatedBy": { + "minCount": "1", + "maxCount": "*" + }, + "/Software/Package/downloadLocation": { + "minCount": "1", + "maxCount": "*" + }, + "/Software/SoftwareArtifact/primaryPurpose": { + "minCount": "1", + "maxCount": "*" + }, + "/Core/Artifact/releaseTime": { + "minCount": "1", + "maxCount": "*" + }, + "/Core/Artifact/builtTime": { + "minCount": "1", + "maxCount": "*" + } + } + } + }, + "properties": { + "knownBias": { + "summary": "Records the biases that the dataset is known to encompass.", + "description": "KnownBias is a free form text field that describes the different biases that the dataset encompasses.", + "metadata": { + "name": "knownBias", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Dataset/knownBias", + "Domain": [ + "Dataset" + ] + } + }, + "dataPreprocessing": { + "summary": "Describes the preprocessing steps that were applied to the raw data to create the given dataset.", + "description": "DataPreprocessing describes the various preprocessing steps\nthat were applied to the raw data to create the dataset.", + "metadata": { + "name": "dataPreprocessing", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Dataset/dataPreprocessing", + "Domain": [ + "Dataset" + ] + } + }, + "datasetNoise": { + "summary": "Describes potentially noisy elements of the dataset.", + "description": "DatasetNoise describes what kinds of noises a dataset might encompass.\nThe field uses free form text to specify the fields or the samples that might be noisy.\nAlternatively, it can also be used to describe various noises that could impact the whole dataset.", + "metadata": { + "name": "datasetNoise", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Dataset/datasetNoise", + "Domain": [ + "Dataset" + ] + } + }, + "datasetUpdateMechanism": { + "summary": "Describes a mechanism to update the dataset.", + "description": "DatasetUpdateMechanism describes a mechanism to update the dataset.", + "metadata": { + "name": "datasetUpdateMechanism", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Dataset/datasetUpdateMechanism", + "Domain": [ + "Dataset" + ] + } + }, + "datasetSize": { + "summary": "Captures the size of the dataset.", + "description": "DatasetSize Captures how large a dataset is.\nThe size is to be measured in bytes.", + "metadata": { + "name": "datasetSize", + "Nature": "DataProperty", + "Range": "xsd:nonNegativeInteger", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Dataset/datasetSize", + "Domain": [ + "Dataset" + ] + } + }, + "sensitivePersonalInformation": { + "summary": "Describes if any sensitive personal information is present in the dataset.", + "description": "SensitivePersonalInformation indicates the presence of sensitive personal data\nor information that allows drawing conclusions about a person's identity.", + "metadata": { + "name": "sensitivePersonalInformation", + "Nature": "ObjectProperty", + "Range": "PresenceType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Dataset/sensitivePersonalInformation", + "Domain": [ + "Dataset" + ] + } + }, + "confidentialityLevel": { + "summary": "Describes the confidentiality level of the data points contained in the dataset.", + "description": "ConfidentialityLevel describes the levels of confidentiality of the data points contained in the dataset.", + "metadata": { + "name": "confidentialityLevel", + "Nature": "ObjectProperty", + "Range": "ConfidentialityLevelType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Dataset/confidentialityLevel", + "Domain": [ + "Dataset" + ] + } + }, + "dataCollectionProcess": { + "summary": "Describes how the dataset was collected.", + "description": "DataCollectionProcess describes how a dataset was collected.\nExamples include the sources from which a dataset was scrapped or\nthe interview protocol that was used for data collection.", + "metadata": { + "name": "dataCollectionProcess", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Dataset/dataCollectionProcess", + "Domain": [ + "Dataset" + ] + } + }, + "anonymizationMethodUsed": { + "summary": "Describes the anonymization methods used.", + "description": "AnonymizationMethodUsed describes the methods used to anonymize the dataset (of fields in the dataset).", + "metadata": { + "name": "anonymizationMethodUsed", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Dataset/anonymizationMethodUsed", + "Domain": [ + "Dataset" + ] + } + }, + "datasetAvailability": { + "summary": "The field describes the availability of a dataset.", + "description": "Some datasets are publicly available and can be downloaded directly. Others are only accessible behind a clickthrough, or after filling a registration form. This field will describe the dataset availability from that perspective.", + "metadata": { + "name": "datasetAvailability", + "Nature": "DataProperty", + "Range": "DatasetAvailabilityType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Dataset/datasetAvailability", + "Domain": [ + "Dataset" + ] + } + }, + "intendedUse": { + "summary": "Describes what the given dataset should be used for.", + "description": "IntendedUse describes what the given dataset should be used for.\nSome datasets are collected to be used only for particular purposes. \nFor example, medical data collected from a specific demography might only be applicable\nfor training machine learning models to make predictions for that demography.\nIn such a case, the intendedUse field would capture this information.\nSimilarly, if a dataset is collected for building a facial recognition model,\nthe intendedUse field would specify that.", + "metadata": { + "name": "intendedUse", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Dataset/intendedUse", + "Domain": [ + "Dataset" + ] + } + }, + "sensor": { + "summary": "Describes a sensor used for collecting the data.", + "description": "Sensor describes a sensor that was used for collecting the data\nand its calibration value as a key-value pair.", + "metadata": { + "name": "sensors", + "Nature": "ObjectProperty", + "Range": "/Core/DictionaryEntry", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Dataset/sensor", + "Domain": [ + "Dataset" + ] + } + }, + "datasetType": { + "summary": "Describes the type of the given dataset.", + "description": "Type describes the datatype contained in the dataset. For example a dataset can be an image dataset for computer vision applications, a text dataset such as the contents of a book or Wikipedia article, or sometimes a multimodal dataset that contains multiple types of data.", + "metadata": { + "name": "datasetType", + "Nature": "DataProperty", + "Range": "DatasetType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Dataset/datasetType", + "Domain": [ + "Dataset" + ] + } + } + }, + "vocabs": { + "DatasetType": { + "summary": "Enumeration of dataset types.", + "description": "Describes the different structures of data within a given dataset. A dataset can have multiple types of data, or even a single type of data but still match multiple types, for example sensor data could also be timeseries or labeled image data could also be considered categorical.", + "metadata": { + "name": "DatasetType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Dataset/DatasetType" + }, + "entries": { + "structured": "data is stored in tabular format or retrieved from a relational database.", + "numeric": "data consists only of numeric entries.", + "text": "data consists of unstructured text, such as a book, wikipedia article (without images), or transcript.", + "categorical": "data that is classified into a discrete number of categories, such as the eye color of a population of people.", + "graph": "data is in the form of a graph where entries are somehow related to each other through edges, such a social network of friends.", + "timeseries": "data is recorded in an ordered sequence of timestamped entries, such as the price of a stock over the course of a day.", + "timestamp": "data is recorded with a timestamp for each entry, but not necessarily ordered or at specific intervals, such as when a taxi ride starts and ends.", + "sensor": "data is recorded from a physical sensor, such as a thermometer reading or biometric device.", + "image": "data is a collection of images such as pictures of animals.", + "syntactic": "data describes the syntax or semantics of a language or text, such as a parse tree used for natural language processing.", + "audio": "data is audio based, such as a collection of music from the 80s.", + "video": "data is video based, such as a collection of movie clips featuring Tom Hanks.", + "other": "data is of a type not included in this list.", + "noAssertion": "data type is not known." + } + }, + "DatasetAvailabilityType": { + "summary": "Availability of dataset", + "description": "Describes the possible types of availability of a dataset, indicating whether the dataset can be directly downloaded, can be assembled using a script for scraping the data, is only available after a clickthrough or a registration form.", + "metadata": { + "name": "DatasetAvailabilityType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Dataset/DatasetAvailabilityType" + }, + "entries": { + "Direct-Download": "the dataset is publicly available and can be downloaded directly.", + "Scraping-Script": "the dataset provider is not making available the underlying data and the dataset must be reassembled, typically using the provided script for scraping the data.", + "Query": "the dataset is publicly available, but not all at once, and can only be accessed through queries which return parts of the dataset.", + "Clickthrough": "the dataset is not publicly available and can only be accessed after affirmatively accepting terms on a clickthrough webpage.", + "Registration": "the dataset is not publicly available and an email registration is required before accessing the dataset, although without an affirmative acceptance of terms." + } + }, + "ConfidentialityLevelType": { + "summary": "Categories of confidentiality level.", + "description": "Describes the different confidentiality levels as given by the [Traffic Light Protocol](https://en.wikipedia.org/wiki/Traffic_Light_Protocol).", + "metadata": { + "name": "ConfidentialityLevelType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Dataset/ConfidentialityLevelType" + }, + "entries": { + "Red": "Data points in the dataset are highly confidential and can only be shared with named recipients.", + "Amber": "Data points in the dataset can be shared only with specific organizations and their clients on a need to know basis.", + "Green": "Dataset can be shared within a community of peers and partners.", + "Clear": "Dataset may be distributed freely, without restriction." + } + } + } + }, + "Licensing": { + "name": "Licensing", + "classes": { + "ListedLicense": { + "summary": "A license that is listed on the SPDX License List.", + "description": "A ListedLicense represents a License that is listed on the SPDX License List\nat https://spdx.org/licenses.", + "metadata": { + "name": "ListedLicense", + "SubclassOf": "License", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Licensing/ListedLicense" + }, + "properties": { + "listVersionAdded": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "deprecatedVersion": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} + }, + "WithAdditionOperator": { + "summary": "Portion of an AnyLicenseInfo representing a License which has additional\ntext applied to it", + "description": "A WithAdditionOperator indicates that the designated License is subject to the\ndesignated LicenseAddition, which might be a license exception on the SPDX\nExceptions List (ListedLicenseException) or may be other additional text\n(CustomLicenseAddition). It is represented in the SPDX License Expression\nSyntax by the `WITH` operator.", + "metadata": { + "name": "WithAdditionOperator", + "SubclassOf": "AnyLicenseInfo", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Licensing/WithAdditionOperator" + }, + "properties": { + "subjectLicense": { + "type": "ExtendableLicense", + "minCount": "1", + "maxCount": "1" + }, + "subjectAddition": { + "type": "LicenseAddition", + "minCount": "1", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} + }, + "License": { + "summary": "Abstract class for the portion of an AnyLicenseInfo representing a license.", + "description": "A License represents a license text, whether listed on the SPDX License List\n(ListedLicense) or defined by an SPDX data creator (CustomLicense).", + "metadata": { + "name": "License", + "SubclassOf": "ExtendableLicense", + "Instantiability": "Abstract", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Licensing/License" + }, + "properties": { + "licenseText": { + "type": "xsd:string", + "minCount": "1", + "maxCount": "1" + }, + "isOsiApproved": { + "type": "xsd:boolean", + "minCount": "0", + "maxCount": "1" + }, + "isFsfLibre": { + "type": "xsd:boolean", + "minCount": "0", + "maxCount": "1" + }, + "standardLicenseHeader": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "standardLicenseTemplate": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "isDeprecatedLicenseId": { + "type": "xsd:boolean", + "minCount": "0", + "maxCount": "1" + }, + "obsoletedBy": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} + }, + "CustomLicenseAddition": { + "summary": "A license addition that is not listed on the SPDX Exceptions List.", + "description": "A CustomLicenseAddition represents an addition to a License that is not listed\non the SPDX Exceptions List at https://spdx.org/licenses/exceptions-index.html,\nand is therefore defined by an SPDX data creator.\n\nIt is intended to represent additional language which is meant to be added to\na License, but which is not itself a standalone License.", + "metadata": { + "name": "CustomLicenseAddition", + "SubclassOf": "LicenseAddition", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Licensing/CustomLicenseAddition" + }, + "properties": {}, + "externalPropertyRestrictions": {} + }, + "LicenseAddition": { + "summary": "Abstract class for additional text intended to be added to a License, but\nwhich is not itself a standalone License.", + "description": "A LicenseAddition represents text which is intended to be added to a License\nas additional text, but which is not itself intended to be a standalone\nLicense.\n\nIt may be an exception which is listed on the SPDX Exceptions List\n(ListedLicenseException), or may be any other additional text (as an exception\nor otherwise) which is defined by an SPDX data creator (CustomLicenseAddition).", + "metadata": { + "name": "LicenseAddition", + "SubclassOf": "/Core/Element", + "Instantiability": "Abstract", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Licensing/LicenseAddition" + }, + "properties": { + "additionText": { + "type": "xsd:string", + "minCount": "1", + "maxCount": "1" + }, + "standardAdditionTemplate": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "isDeprecatedAdditionId": { + "type": "xsd:boolean", + "minCount": "0", + "maxCount": "1" + }, + "obsoletedBy": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} + }, + "OrLaterOperator": { + "summary": "Portion of an AnyLicenseInfo representing this version, or any later version,\nof the indicated License.", + "description": "An OrLaterOperator indicates that this portion of the AnyLicenseInfo\nrepresents either (1) the specified version of the corresponding License, or\n(2) any later version of that License. It is represented in the SPDX License\nExpression Syntax by the `+` operator.\n\nIt is context-dependent, and unspecified by SPDX, as to what constitutes a\n\"later version\" of any particular License. Some Licenses may not be versioned,\nor may not have clearly-defined ordering for versions. The consumer of SPDX\ndata will need to determine for themselves what meaning to attribute to a\n\"later version\" operator for a particular License.", + "metadata": { + "name": "OrLaterOperator", + "SubclassOf": "ExtendableLicense", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Licensing/OrLaterOperator" + }, + "properties": { + "subjectLicense": { + "type": "License", + "minCount": "1", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} + }, + "CustomLicense": { + "summary": "A license that is not listed on the SPDX License List.", + "description": "A CustomLicense represents a License that is not listed on the SPDX License\nList at https://spdx.org/licenses, and is therefore defined by an SPDX data\ncreator.", + "metadata": { + "name": "CustomLicense", + "SubclassOf": "License", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Licensing/CustomLicense" + }, + "properties": {}, + "externalPropertyRestrictions": {} + }, + "LicenseExpression": { + "summary": "An SPDX Element containing an SPDX license expression string.", + "description": "Often a single license can be used to represent the licensing terms of a source code or binary file, but there are situations where a single license identifier is not sufficient. A common example is when software is offered under a choice of one or more licenses (e.g., GPL-2.0-only OR BSD-3-Clause). Another example is when a set of licenses is needed to represent a binary program constructed by compiling and linking two (or more) different source files each governed by different licenses (e.g., LGPL-2.1-only AND BSD-3-Clause).\n\nSPDX License Expressions provide a way for one to construct expressions that more accurately represent the licensing terms typically found in open source software source code. A license expression could be a single license identifier found on the SPDX License List; a user defined license reference denoted by the LicenseRef-idString; a license identifier combined with an SPDX exception; or some combination of license identifiers, license references and exceptions constructed using a small set of defined operators (e.g., AND, OR, WITH and +). We provide the definition of what constitutes a valid an SPDX License Expression in this section.", + "metadata": { + "name": "LicenseExpression", + "SubclassOf": "AnyLicenseInfo", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Licensing/LicenseExpression" + }, + "properties": { + "licenseExpression": { + "type": "xsd:string", + "minCount": "1", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} + }, + "ListedLicenseException": { + "summary": "A license exception that is listed on the SPDX Exceptions list.", + "description": "A ListedLicenseException represents an exception to a License (in other words,\nan exception to a license condition or an additional permission beyond those\ngranted in a License) which is listed on the SPDX Exceptions List at\nhttps://spdx.org/licenses/exceptions-index.html.", + "metadata": { + "name": "ListedLicenseException", + "SubclassOf": "LicenseAddition", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Licensing/ListedLicenseException" + }, + "properties": { + "listVersionAdded": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "deprecatedVersion": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} + }, + "AnyLicenseInfo": { + "summary": "Abstract class representing a license combination consisting of one or more\nlicenses (optionally including additional text), which may be combined\naccording to the SPDX license expression syntax.", + "description": "An AnyLicenseInfo is used by licensing properties of software artifacts.\nIt can be a NoneLicense, a NoAssertionLicense,\nsingle license (either on the SPDX License List or a custom-defined license);\na single license with an \"or later\" operator applied; the foregoing with\nadditional text applied; or a set of licenses combined by applying \"AND\" and\n\"OR\" operators recursively.", + "metadata": { + "name": "AnyLicenseInfo", + "SubclassOf": "/Core/Element", + "Instantiability": "Abstract", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Licensing/AnyLicenseInfo" + }, + "properties": {}, + "externalPropertyRestrictions": {} + } + }, + "properties": { + "seeAlso": { + "summary": "Contains a URL where the License or LicenseAddition can be found in use.", + "description": "A seeAlso defines a cross-reference with a URL where the License or\nLicenseAddition can be found in use by one or a few projects.\n\nIf applicable, it should include a URL where the license text is posted by\nthe license steward, particularly if the license steward has made available a\n\"canonical\" primary URL for the license text.\n\nIf the license is OSI approved, a seeAlso should be included with the URL for\nthe license's listing on the OSI website.\n\nThe seeAlso URL may refer to a previously-available URL for the License or\nLicenseAddition which is no longer active.\n\nWhere applicable, the seeAlso URL should include the license text in its\nnative language. seeAlso URLs to English or other translations may be included\nwhere multiple, equivalent official translations exist.", + "metadata": { + "name": "seeAlso", + "Nature": "DataProperty", + "Range": "xsd:anyURI", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Licensing/seeAlso" + } + }, + "standardLicenseHeader": { + "summary": "Provides a License author's preferred text to indicate that a file is covered\nby the License.", + "description": "A standardLicenseHeader contains the plain text of the License author's\npreferred wording to be used, typically in a source code file's header\ncomments or similar location, to indicate that the file is subject to\nthe specified License.", + "metadata": { + "name": "standardLicenseHeader", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Licensing/standardLicenseHeader", + "Domain": [ + "License" + ] + } + }, + "licenseName": { + "summary": "Identifies the full name of a License.", + "description": "A licenseName contains the full name of a License, preferably using the title found\nin the applicable license text or file, or as otherwise specified by the\nLicense's author or steward.\n\nWhen no such title is specified, using a name from another well-known source or list\nof licenses (such as OSI or Fedora) is suggested.\n\nIf no official or common name is known, any name may be used to aid in\ndistinguishing the License from other Licenses.", + "metadata": { + "name": "licenseName", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Licensing/licenseName" + } + }, + "licenseText": { + "summary": "Identifies the full text of a License.", + "description": "A licenseText contains the plain text of the License, without templating\nor other similar markup.\n\nUsers of the licenseText for a License can apply the SPDX Matching Guidelines\nwhen comparing it to another text for matching purposes.", + "metadata": { + "name": "licenseText", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Licensing/licenseText", + "Domain": [ + "License" + ] + } + }, + "isDeprecatedLicenseId": { + "summary": "Specifies whether a license or additional text identifier has been marked as\ndeprecated.", + "description": "The isDeprecatedLicenseId property specifies whether an identifier for a\nLicense or LicenseAddition has been marked as deprecated. If the property\nis not defined, then it is presumed to be false (i.e., not deprecated).\n\nIf the License or LicenseAddition is included on the SPDX License List, then\nthe `deprecatedVersion` property indicates on which version release of the\nLicense List it was first marked as deprecated.\n\n\"Deprecated\" in this context refers to deprecating the use of the\n_identifier_, not the underlying license. In other words, even if a License's\nauthor or steward has stated that a particular License generally should not be\nused, that would _not_ mean that the License's identifier is \"deprecated.\"\nRather, a License or LicenseAddition operator is typically marked as\n\"deprecated\" when it is determined that use of another identifier is\npreferable.", + "metadata": { + "name": "isDeprecatedLicenseId", + "Nature": "DataProperty", + "Range": "xsd:boolean", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Licensing/isDeprecatedLicenseId", + "Domain": [ + "License" + ] + } + }, + "isDeprecatedAdditionId": { + "summary": "Specifies whether an additional text identifier has been marked as deprecated.", + "description": "The isDeprecatedAdditionId property specifies whether an identifier for a\nLicenseAddition has been marked as deprecated. If the property is not defined,\nthen it is presumed to be false (i.e., not deprecated).\n\nIf the LicenseAddition is included on the SPDX Exceptions List, then\nthe `deprecatedVersion` property indicates on which version release of the\nExceptions List it was first marked as deprecated.\n\n\"Deprecated\" in this context refers to deprecating the use of the\n_identifier_, not the underlying license addition. In other words, even if a\nLicenseAddition's author or steward has stated that a particular\nLicenseAddition generally should not be used, that would _not_ mean that the\nLicenseAddition's identifier is \"deprecated.\" Rather, a LicenseAddition\noperator is typically marked as \"deprecated\" when it is determined that use of\nanother identifier is preferable.", + "metadata": { + "name": "isDeprecatedAdditionId", + "Nature": "DataProperty", + "Range": "xsd:boolean", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Licensing/isDeprecatedAdditionId", + "Domain": [ + "LicenseAddition" + ] + } + }, + "additionText": { + "summary": "Identifies the full text of a LicenseAddition.", + "description": "An additionText contains the plain text of the LicenseAddition, without\ntemplating or other similar markup.\n\nUsers of the additionText for a License can apply the SPDX Matching Guidelines\nwhen comparing it to another text for matching purposes.", + "metadata": { + "name": "additionText", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Licensing/additionText", + "Domain": [ + "LicenseAddition" + ] + } + }, + "isFsfLibre": { + "summary": "Specifies whether the License is listed as free by the\n[Free Software Foundation (FSF)](https://fsf.org).", + "description": "isFsfLibre specifies whether the [Free Software Foundation FSF](https://fsf.org)\nhas listed this License as \"free\" in their commentary on licenses, located at\nthe time of this writing at https://www.gnu.org/licenses/license-list.en.html.\n\nA value of \"true\" indicates that the FSF has listed this License as _free_.\n\nA value of \"false\" indicates that the FSF has listed this License as _not free_.\n\nIf the isFsfLibre field is not specified, the SPDX data creator makes no\nassertions about whether the License is listed in the FSF's commentary.", + "metadata": { + "name": "isFsfLibre", + "Nature": "DataProperty", + "Range": "xsd:boolean", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Licensing/isFsfLibre", + "Domain": [ + "License" + ] + } + }, + "listVersionAdded": { + "summary": "Specifies the SPDX License List version in which this ListedLicense or\nListedLicenseException identifier was first added.", + "description": "A listVersionAdded for a ListedLicense or ListedLicenseException on the SPDX\nLicense List specifies which version release of the License List was the first\none in which it was included.", + "metadata": { + "name": "listVersionAdded", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Licensing/listVersionAdded", + "Domain": [ + "ListedLicense", + "ListedLicenseException" + ] + } + }, + "licenseExpression": { + "summary": "A string in the license expression format.", + "description": "Often a single license can be used to represent the licensing terms of a source code or binary file, but there are situations where a single license identifier is not sufficient. A common example is when software is offered under a choice of one or more licenses (e.g., GPL-2.0-only OR BSD-3-Clause). Another example is when a set of licenses is needed to represent a binary program constructed by compiling and linking two (or more) different source files each governed by different licenses (e.g., LGPL-2.1-only AND BSD-3-Clause).\n\nSPDX License Expressions provide a way for one to construct expressions that more accurately represent the licensing terms typically found in open source software source code. A license expression could be a single license identifier found on the SPDX License List; a user defined license reference denoted by the LicenseRef-idString; a license identifier combined with an SPDX exception; or some combination of license identifiers, license references and exceptions constructed using a small set of defined operators (e.g., AND, OR, WITH and +). We provide the definition of what constitutes a valid an SPDX License Expression in this section.", + "metadata": { + "name": "licenseExpression", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Licensing/licenseExpression", + "Domain": [ + "LicenseExpression" + ] + } + }, + "obsoletedBy": { + "summary": "Specifies the licenseId that is preferred to be used in place of a deprecated\nLicense or LicenseAddition.", + "description": "An obsoletedBy value for a deprecated License or LicenseAddition specifies\nthe licenseId of the replacement License or LicenseAddition that is preferred\nto be used in its place. It should use the same format as specified for a\nlicenseId.\n\nThe License's or LicenseAddition's comment value may include more information\nabout the reason why the licenseId specified in the obsoletedBy value is\npreferred.", + "metadata": { + "name": "obsoletedBy", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Licensing/obsoletedBy", + "Domain": [ + "License", + "LicenseAddition" + ] + } + }, + "standardLicenseTemplate": { + "summary": "Identifies the full text of a License, in SPDX templating format.", + "description": "A standardLicenseTemplate contains a license template which describes\nsections of the License text which can be varied. See the Legacy Text Template\nformat section of the SPDX specification for format information.", + "metadata": { + "name": "standardLicenseTemplate", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Licensing/standardLicenseTemplate", + "Domain": [ + "License" + ] + } + }, + "additionName": { + "summary": "Identifies the full name of a LicenseAddition.", + "description": "An additionName contains the full name of a LicenseAddition, preferably using\nthe title found in the applicable license addition text or file, or as\notherwise specified by the LicenseAddition's author or steward.\n\nWhen no such title is specified, using a name from another well-known source or list\nof licenses additions (such as OSI or Fedora) is suggested.\n\nIf no official or common name is known, any name may be used to aid in\ndistinguishing the LicenseAddition from other LicenseAdditions.", + "metadata": { + "name": "additionName", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Licensing/additionName" + } + }, + "standardAdditionTemplate": { + "summary": "Identifies the full text of a LicenseAddition, in SPDX templating format.", + "description": "A standardAdditionTemplate contains a license addition template which describes\nsections of the LicenseAddition text which can be varied. See the Legacy Text\nTemplate format section of the SPDX specification for format information.", + "metadata": { + "name": "standardAdditionTemplate", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Licensing/standardAdditionTemplate", + "Domain": [ + "LicenseAddition" + ] + } + }, + "licenseComment": { + "summary": "Identifies general comments about the License.", + "description": "A licenseComment describes general factual information about the License. It\nshould not contain information (or links to information) that includes any kind\nof interpretation about the meaning or effect of the License, even if written\nby the license's author.\n\nExamples of information for a licenseComment may include the following:\n\n* If the License's identifier is deprecated, it may briefly explain the reason\n for deprecation.\n* It may include the date of release, if identified, for Licenses with multiple\n versions.\n* It may include links to other official language translations for the License.\n* For LicenseAdditions, it may include a reference to the License(s) with\n which this additional text is typically used.", + "metadata": { + "name": "licenseComment", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Licensing/licenseComment" + } + }, + "deprecatedVersion": { + "summary": "Specifies the SPDX License List version in which this license or exception\nidentifier was deprecated.", + "description": "A deprecatedVersion for a ListedLicense or ListedLicenseException on the SPDX\nLicense List specifies which version release of the License List was the first\none in which it was marked as deprecated.", + "metadata": { + "name": "deprecatedVersion", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Licensing/deprecatedVersion", + "Domain": [ + "ListedLicense", + "ListedLicenseException" + ] + } + }, + "licenseId": { + "summary": "Provides a short, unique identifier to refer to a License.", + "description": "A licenseId contains a human-readable, short-form license identifier for a\nLicense. It may only include letters, numbers, period (\".\") and hyphen (\"-\")\ncharacters.\n\nFor a ListedLicense, the licenseId will be as specified on the\n[SPDX License List](https://spdx.org/licenses) for the particular license.\n\nFor a CustomLicense, the short-form license identifer must begin with the\nprefix `LicenseRef-` and must be unique within the applicable SPDX namespace.\nThe short-form license ID may be preceded by an SPDX namespace or a\nfully-qualified URI prefix.", + "metadata": { + "name": "licenseId", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Licensing/licenseId" + } + }, + "additionId": { + "summary": "Provides a short, unique identifier to refer to a LicenseAddition.", + "description": "An additionId contains a human-readable, short-form identifier for a\nLicenseAddition. It may only include letters, numbers, period (\".\") and\nhyphen (\"-\") characters.\n\nFor a ListedLicenseException, the licenseId will be as specified on the\n[SPDX Exceptions List](https://spdx.org/licenses/exceptions-index.html) for the\nparticular exception.\n\nFor a CustomLicenseAddition, the short-form identifier must begin with the\nprefix `AdditionRef-` and must be unique within the applicable SPDX namespace.\nThe short-form identifier may be preceded by an SPDX namespace or a\nfully-qualified URI prefix.", + "metadata": { + "name": "additionId", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Licensing/additionId" + } + }, + "isOsiApproved": { + "summary": "Specifies whether the License is listed as approved by the\n[Open Source Initiative (OSI)](https://opensource.org).", + "description": "isOsiApproved specifies whether the [Open Source Initiative (OSI)](https://opensource.org)\nhas listed this License as \"approved\" in their list of OSI Approved Licenses,\nlocated at the time of this writing at https://opensource.org/licenses/.\n\nA value of \"true\" indicates that the OSI has listed this License as approved.\n\nA value of \"false\" indicates that the OSI has not listed this License as\napproved.\n\nIf the isOsiApproved field is not specified, the SPDX data creator makes no\nassertions about whether the License is approved by the OSI.", + "metadata": { + "name": "isOsiApproved", + "Nature": "DataProperty", + "Range": "xsd:boolean", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Licensing/isOsiApproved", + "Domain": [ + "License" + ] + } + }, + "additionComment": { + "summary": "Identifies general comments about the LicenseAddition.", + "description": "An additionComment for a LicenseAddition describes general factual information\nabout the LicenseAddition. It should not contain information (or links to\ninformation) that includes any kind of interpretation about the meaning or\neffect of the License, even if written by the license addition's author.\n\nExamples of information for an additionComment may include the following:\n\n* If the LicenseAddition's identifier is deprecated, it may briefly explain the\n reason for deprecation.\n* It may include the date of release, if identified, for LicenseAdditions with\n multiple versions.\n* It may include links to other official language translations for the\n LicenseAddition.\n* It may include a reference to the License(s) with which this LicenseAddition\n is typically used.", + "metadata": { + "name": "additionComment", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Licensing/additionComment" + } + } + }, + "vocabs": {} + }, + "AI": { + "name": "AI", + "classes": { + "AIPackage": { + "summary": "Provides information about the fields in the AI package profile.", + "description": "Metadata information that can be added to a package to describe an AI application or trained AI model.\nExternal property restriction on /Core/Artifact/suppliedBy: minCount: 1\nExternal property restriction on /Software/Package/downloadLocation: minCount: 1\nExternal property restriction on /Software/Package/packageVersion: minCount: 1\nExternal property restriction on /Software/SoftwareArtifact/primaryPurpose: minCount: 1\nExternal property restriction on /Core/Artifact/releaseTime: minCount: 1", + "metadata": { + "name": "AIPackage", + "SubclassOf": "/Software/Package", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/AI/AIPackage" + }, + "properties": { + "energyConsumption": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "standardCompliance": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "*" + }, + "limitation": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "typeOfModel": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "*" + }, + "informationAboutTraining": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "informationAboutApplication": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "hyperparameter": { + "type": "/Core/DictionaryEntry", + "minCount": "0", + "maxCount": "*" + }, + "modelDataPreprocessing": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "*" + }, + "modelExplainability": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "*" + }, + "sensitivePersonalInformation": { + "type": "PresenceType", + "minCount": "0", + "maxCount": "1" + }, + "metricDecisionThreshold": { + "type": "/Core/DictionaryEntry", + "minCount": "0", + "maxCount": "*" + }, + "metric": { + "type": "/Core/DictionaryEntry", + "minCount": "0", + "maxCount": "*" + }, + "domain": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "*" + }, + "autonomyType": { + "type": "PresenceType", + "minCount": "0", + "maxCount": "1" + }, + "safetyRiskAssessment": { + "type": "SafetyRiskAssessmentType", + "minCount": "0", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": { + "/Core/Artifact/suppliedBy": { + "minCount": "1", + "maxCount": "*" + }, + "/Software/Package/downloadLocation": { + "minCount": "1", + "maxCount": "*" + }, + "/Software/Package/packageVersion": { + "minCount": "1", + "maxCount": "*" + }, + "/Software/SoftwareArtifact/primaryPurpose": { + "minCount": "1", + "maxCount": "*" + }, + "/Core/Artifact/releaseTime": { + "minCount": "1", + "maxCount": "*" + } + } + } + }, + "properties": { + "safetyRiskAssessment": { + "summary": "Categorizes safety risk impact of AI software.", + "description": "SafetyRiskAssessment categorizes the safety risk impact of the AI software\nin accordance with Article 20 of [EC Regulation No 765/2008](https://ec.europa.eu/docsroom/documents/17107/attachments/1/translations/en/renditions/pdf).", + "metadata": { + "name": "safetyRiskAssessment", + "Nature": "ObjectProperty", + "Range": "SafetyRiskAssessmentType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/AI/safetyRiskAssessment", + "Domain": [ + "AIPackage" + ] + } + }, + "typeOfModel": { + "summary": "Records the type of the model used in the AI software.", + "description": "TypeOfModel records the type of the AI model(s) used in the software. \nFor instance, if it is a supervised model, unsupervised model, reinforcement learning model or a combination of those.", + "metadata": { + "name": "typeOfModel", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/AI/typeOfModel", + "Domain": [ + "AIPackage" + ] + } + }, + "hyperparameter": { + "summary": "Records a hyperparameter used to build the AI model contained in the AI package.", + "description": "This field records a hyperparameter value.\nHyperparameters are parameters of the machine learning model that are used to control the learning process,\nfor example the optimization and learning rate used during the training of the model.", + "metadata": { + "name": "hyperparameter", + "Nature": "ObjectProperty", + "Range": "/Core/DictionaryEntry", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/AI/hyperparameter", + "Domain": [ + "AIPackage" + ] + } + }, + "informationAboutTraining": { + "summary": "Describes relevant information about different steps of the training process.", + "description": "InformationAboutTraining describes the specific steps involved in the training of the AI model.\nFor example, it can be specified whether supervised fine-tuning \nor active learning is used as part of training the model.", + "metadata": { + "name": "informationAboutTraining", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/AI/informationAboutTraining", + "Domain": [ + "AIPackage" + ] + } + }, + "sensitivePersonalInformation": { + "summary": "Records if sensitive personal information is used during model training.", + "description": "SensitivePersonalInformation notes if sensitive personal information\nis used in the training or inference of the AI models.\nThis might include biometric data, addresses or other data that can be used to infer a person's identity.", + "metadata": { + "name": "sensitivePersonalInformation", + "Nature": "ObjectProperty", + "Range": "PresenceType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/AI/sensitivePersonalInformation", + "Domain": [ + "AIPackage" + ] + } + }, + "modelDataPreprocessing": { + "summary": "Describes all the preprocessing steps applied to the training data before the model training.", + "description": "ModelDataPreprocessing is a free form text that describes the preprocessing steps\napplied to the training data before training of the model(s) contained in the AI software.", + "metadata": { + "name": "modelDataPreprocessing", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/AI/modelDataPreprocessing", + "Domain": [ + "AIPackage" + ] + } + }, + "energyConsumption": { + "summary": "Indicates the amount of energy consumed to build the AI package.", + "description": "EnergyConsumption captures the amount of energy needed to train and operate the AI model. \nThis value is also known as training energy consumption or inference energy consumption.", + "metadata": { + "name": "energyConsumption", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/AI/energyConsumption", + "Domain": [ + "AIPackage" + ] + } + }, + "domain": { + "summary": "Captures the domain in which the AI package can be used.", + "description": "Domain describes the domain in which the AI model contained in the AI software\ncan be expected to operate successfully. Examples include computer vision, natural language etc.", + "metadata": { + "name": "domain", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/AI/domain", + "Domain": [ + "AIPackage" + ] + } + }, + "standardCompliance": { + "summary": "Captures a standard that is being complied with.", + "description": "StandardCompliance captures a standard that the AI software complies with. \nThis includes both published and unpublished standards, for example ISO, IEEE, ETSI etc. \nThe standard could (but not necessarily have to) be used to satisfy a legal or regulatory requirement.", + "metadata": { + "name": "standardCompliance", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/AI/standardCompliance", + "Domain": [ + "AIPackage" + ] + } + }, + "metric": { + "summary": "Records the measurement of prediction quality of the AI model.", + "description": "Metric records the measurement with which the AI model was evaluated. \nThis makes statements about the prediction quality including uncertainty,\naccuracy, characteristics of the tested population, quality, fairness, explainability, robustness etc.", + "metadata": { + "name": "metric", + "Nature": "ObjectProperty", + "Range": "/Core/DictionaryEntry", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/AI/metric", + "Domain": [ + "AIPackage" + ] + } + }, + "metricDecisionThreshold": { + "summary": "Captures the threshold that was used for computation of a metric described in the metric field.", + "description": "Each metric might be computed based on a decision threshold. \nFor instance, precision or recall is typically computed by checking\nif the probability of the outcome is larger than 0.5.\nEach decision threshold should match with a metric field defined in the AI Package.", + "metadata": { + "name": "metricDecisionThreshold", + "Nature": "ObjectProperty", + "Range": "/Core/DictionaryEntry", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/AI/metricDecisionThreshold", + "Domain": [ + "AIPackage" + ] + } + }, + "modelExplainability": { + "summary": "Describes methods that can be used to explain the model.", + "description": "ModelExplainability is a free form text that lists the different explainability mechanisms\n(such as SHAP, or other model specific explainability mechanisms) that can be used to explain the model.", + "metadata": { + "name": "modelExplainability", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/AI/modelExplainability", + "Domain": [ + "AIPackage" + ] + } + }, + "autonomyType": { + "summary": "States if a human is involved in the decisions of the AI software.", + "description": "AutonomyType indicates if a human is involved in any of the decisions of the AI software\nor if that software is fully automatic.", + "metadata": { + "name": "autonomyType", + "Nature": "ObjectProperty", + "Range": "PresenceType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/AI/autonomyType", + "Domain": [ + "AIPackage" + ] + } + }, + "informationAboutApplication": { + "summary": "Provides relevant information about the AI software, not including the model description.", + "description": "InformationAboutApplication describes any relevant information in free form text about \nhow the AI model is used inside the software, as well as any relevant pre-processing steps, third party APIs etc.", + "metadata": { + "name": "informationAboutApplication", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/AI/informationAboutApplication", + "Domain": [ + "AIPackage" + ] + } + }, + "limitation": { + "summary": "Captures a limitation of the AI software.", + "description": "Limitation captures a limitation of the AI Package (or of the AI models present in the AI package),\nexpressed as free form text. Note that this is not guaranteed to be exhaustive.\nFor instance, a limitation might be that the AI package cannot be used on datasets from a certain demography.", + "metadata": { + "name": "limitation", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/AI/limitation", + "Domain": [ + "AIPackage" + ] + } + } + }, + "vocabs": { + "SafetyRiskAssessmentType": { + "summary": "Categories of safety risk impact of the application.", + "description": "Lists the different safety risk type values that can be used to describe the safety risk of AI software\naccording to [Article 20 of Regulation 765/2008/EC](https://ec.europa.eu/docsroom/documents/17107/attachments/1/translations/en/renditions/pdf).", + "metadata": { + "name": "SafetyRiskAssessmentType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/AI/SafetyRiskAssessmentType" + }, + "entries": { + "serious": "The highest level of risk posed by an AI software.", + "high": "The second-highest level of risk posed by an AI software.", + "medium": "The third-highest level of risk posed by an AI software.", + "low": "Low/no risk is posed by the AI software." + } + }, + "PresenceType": { + "summary": "Categories of presence or absence.", + "description": "This type is used to indicate if a given field is present or absent or unknown.", + "metadata": { + "name": "PresenceType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/AI/PresenceType" + }, + "entries": { + "yes": "Indicates presence of the field.", + "no": "Indicates absence of the field.", + "noAssertion": "Makes no assertion about the field." + } + } + } + }, + "Security": { + "name": "Security", + "classes": { + "VexNotAffectedVulnAssessmentRelationship": { + "summary": "Links a vulnerability and one or more elements designating the latter as products\nnot affected by the vulnerability.", + "description": "VexNotAffectedVulnAssessmentRelationship connects a vulnerability and a number\nof elements designating them as products not affected by the vulnerability.\nThis relationship corresponds to the VEX not_affected status.\n\n**Constraints**\n\nWhen linking elements using a VexNotVulnAffectedAssessmentRelationship, the\nfollowing requirements must be observed:\n\n* Relating elements with a VexNotAffectedVulnAssessmentRelationship is restricted\nto the doesNotAffect relationship type.\n* The from: end of the relationship must be a /Security/Vulnerability classed\nelement.\n* Both impactStatement and justificationType properties have a cardinality of\n0..1 making them optional. Nevertheless, to produce a valid VEX not_affected\nstatement, one of them MUST be defined. This is specified in the Minimum Elements\nfor VEX.\n\n**Syntax**\n\n```json\n{\n \"@type\": \"VexNotAffectedVulnAssessmentRelationship\",\n \"@id\": \"urn:spdx.dev:vex-not-affected-1\",\n \"relationshipType\": \"doesNotAffect\",\n \"from\": \"urn:spdx.dev:vuln-cve-2020-28498\",\n \"to\": [\"urn:product-acme-application-1.3\"],\n \"assessedElement\": \"urn:npm-elliptic-6.5.2\",\n \"justificationType\": \"componentNotPresent\",\n \"impactStatement\": \"Not using this vulnerable part of this library.\",\n \"suppliedBy\": [\"urn:spdx.dev:agent-jane-doe\"],\n \"publishedTime\": \"2021-03-09T11:04:53Z\"\n}\n```", + "metadata": { + "name": "VexNotAffectedVulnAssessmentRelationship", + "SubclassOf": "VexVulnAssessmentRelationship", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/VexNotAffectedVulnAssessmentRelationship" + }, + "properties": { + "justificationType": { + "type": "VexJustificationType", + "minCount": "0", + "maxCount": "1" + }, + "impactStatement": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "impactStatementTime": { + "type": "/Core/DateTime", + "minCount": "0", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} + }, + "SsvcVulnAssessmentRelationship": { + "summary": "Provides an SSVC assessment for a vulnerability.", + "description": "An SsvcVulnAssessmentRelationship describes the decision made using the\nStakeholder-Specific Vulnerability Categorization (SSVC) decision tree as\ndefined on [https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc](https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc).\nIt is intended to communicate the results of using the CISA SSVC Calculator.\n\n**Constraints**\n\n- The relationship type must be set to hasAssessmentFor.\n\n**Syntax**\n\n```json\n{\n \"@type\": \"SsvcVulnAssessmentRelationship\",\n \"@id\": \"urn:spdx.dev:ssvc-1\",\n \"relationshipType\": \"hasAssessmentFor\",\n \"decisionType\": \"act\",\n \"from\": \"urn:spdx.dev:vuln-cve-2020-28498\",\n \"to\": [\"urn:product-acme-application-1.3\"],\n \"assessedElement\": \"urn:npm-elliptic-6.5.2\",\n \"suppliedBy\": [\"urn:spdx.dev:agent-jane-doe\"],\n \"publishedTime\": \"2021-03-09T11:04:53Z\"\n}\n```", + "metadata": { + "name": "SsvcVulnAssessmentRelationship", + "SubclassOf": "VulnAssessmentRelationship", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/SsvcVulnAssessmentRelationship" + }, + "properties": { + "decisionType": { + "type": "SsvcDecisionType", + "minCount": "1", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} + }, + "VexFixedVulnAssessmentRelationship": { + "summary": "Links a vulnerability and elements representing products (in the VEX sense) where\na fix has been applied and are no longer affected.", + "description": "VexFixedVulnAssessmentRelationship links a vulnerability to a number of elements\nrepresenting VEX products where a vulnerability has been fixed and are no longer\naffected. It represents the VEX fixed status.\n\n**Constraints**\n\nWhen linking elements using a VexFixedVulnAssessmentRelationship, the following\nrequirements must be observed:\n\n- Elements linked with a VulnVexFixedAssessmentRelationship are constrained to\nusing the fixedIn relationship type.\n- The from: end of the relationship must ve a /Security/Vulnerability classed\nelement.\n\n**Syntax**\n\n```json\n{\n \"@type\": \"VexFixedVulnAssessmentRelationship\",\n \"@id\": \"urn:spdx.dev:vex-fixed-in-1\",\n \"relationshipType\": \"fixedIn\",\n \"from\": \"urn:spdx.dev:vuln-cve-2020-28498\",\n \"to\": [\"urn:product-acme-application-1.3\"],\n \"assessedElement\": \"urn:npm-elliptic-6.5.4\",\n \"suppliedBy\": [\"urn:spdx.dev:agent-jane-doe\"],\n \"publishedTime\": \"2021-03-09T11:04:53Z\"\n}\n```", + "metadata": { + "name": "VexFixedVulnAssessmentRelationship", + "SubclassOf": "VexVulnAssessmentRelationship", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/VexFixedVulnAssessmentRelationship" + }, + "properties": {}, + "externalPropertyRestrictions": {} + }, + "VexVulnAssessmentRelationship": { + "summary": "Asbtract ancestor class for all VEX relationships", + "description": "VexVulnAssessmentRelationship is an abstract subclass that defined the common\nproperties shared by all the SPDX-VEX status relationships. \n\n**Constraints**\n\nWhen linking elements using a VexVulnAssessmentRelationship, the following\nrequirements must be observed:\n\n- The from: end must be a /Security/Vulnerability classed element\n- The to: end must point to elements representing the VEX _products_. To\nspecify a different element where the vulnerability was detected, the VEX\nrelationship can optionally specify _subcomponents_ using the assessedElement\nproperty.\n\nVEX inherits information from the document level down to its statements. When a\nstatement is missing information it can be completed by reading the equivalent \nfield from the containing document. For example, if a VEX relationship is\nmissing data in its createdBy property, tools must consider the entity\nlisted in the CreationInfo section of the document as the VEX author.\nIn the same way, when a VEX relationship does not have a created property,\nthe document's date must be considered as authoritative.", + "metadata": { + "name": "VexVulnAssessmentRelationship", + "SubclassOf": "VulnAssessmentRelationship", + "Instantiability": "Abstract", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/VexVulnAssessmentRelationship" + }, + "properties": { + "vexVersion": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "statusNotes": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} + }, + "CvssV3VulnAssessmentRelationship": { + "summary": "Provides a CVSS version 3.x assessment for a vulnerability.", + "description": "A CvssV3VulnAssessmentRelationship relationship describes the determined score,\nseverity, and vector of a vulnerability using version 3.1 of the Common\nVulnerability Scoring System (CVSS) as defined on \n[https://www.first.org/cvss/v3.1/specification-document](https://www.first.org/cvss/v3.1/specification-document). It is intented to communicate the results of using a CVSS calculator.\n\n**Constraints**\n\n- The value of severity must be one of 'none', 'low', 'medium', 'high' or 'critical'.\n- Absence of the property shall be interpreted as 'none'.\n- The relationship type must be set to hasAssessmentFor.\n\n**Syntax**\n\n```json\n{\n \"@type\": \"CvssV3VulnAssessmentRelationship\",\n \"@id\": \"urn:spdx.dev:cvssv3-cve-2020-28498\",\n \"relationshipType\": \"hasAssessmentFor\",\n \"severity\": \"medium\",\n \"score\": 6.8,\n \"vector\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N\",\n \"from\": \"urn:spdx.dev:vuln-cve-2020-28498\",\n \"to\": [\"urn:product-acme-application-1.3\"],\n \"assessedElement\": \"urn:npm-elliptic-6.5.2\",\n \"externalReferences\": [\n {\n \"@type\": \"ExternalReference\",\n \"externalReferenceType\": \"securityAdvisory\",\n \"locator\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-28498\"\n },\n {\n \"@type\": \"ExternalReference\",\n \"externalReferenceType\": \"securityAdvisory\",\n \"locator\": \"https://snyk.io/vuln/SNYK-JS-ELLIPTIC-1064899\"\n },\n {\n \"@type\": \"ExternalReference\",\n \"externalReferenceType\": \"securityFix\",\n \"locator\": \"https://github.com/indutny/elliptic/commit/441b742\"\n }\n ],\n \"suppliedBy\": [\"urn:spdx.dev:agent-my-security-vendor\"],\n \"publishedTime\": \"2023-05-06T10:06:13Z\"\n},\n{\n \"@type\": \"Relationship\",\n \"@id\": \"urn:spdx.dev:vulnAgentRel-1\",\n \"relationshipType\": \"publishedBy\",\n \"from\": \"urn:spdx.dev:cvssv3-cve-2020-28498\",\n \"to\": \"urn:spdx.dev:agent-snyk\",\n \"startTime\": \"2021-03-08T16:06:50Z\"\n}\n```", + "metadata": { + "name": "CvssV3VulnAssessmentRelationship", + "SubclassOf": "VulnAssessmentRelationship", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/CvssV3VulnAssessmentRelationship" + }, + "properties": { + "score": { + "type": "xsd:decimal", + "minCount": "1", + "maxCount": "1" + }, + "severity": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "vector": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} + }, + "VulnAssessmentRelationship": { + "summary": "Abstract ancestor class for all vulnerability assessments", + "description": "VulnAssessmentRelationship is the ancestor class common to all vulnerability\nassessment relationships. It factors out the common properties shared by them.\nExternal property restriction on /Core/Relationship/to: minCount: 1", + "metadata": { + "name": "VulnAssessmentRelationship", + "SubclassOf": "/Core/Relationship", + "Instantiability": "Abstract", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/VulnAssessmentRelationship" + }, + "properties": { + "assessedElement": { + "type": "/Core/Element", + "minCount": "0", + "maxCount": "1" + }, + "publishedTime": { + "type": "/Core/DateTime", + "minCount": "0", + "maxCount": "1" + }, + "suppliedBy": { + "type": "/Core/Agent", + "minCount": "0", + "maxCount": "1" + }, + "modifiedTime": { + "type": "/Core/DateTime", + "minCount": "0", + "maxCount": "1" + }, + "withdrawnTime": { + "type": "/Core/DateTime", + "minCount": "0", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": { + "/Core/Relationship/to": { + "minCount": "1", + "maxCount": "*" + } + } + }, + "Vulnerability": { + "summary": "Specifies a vulnerability and its associated information.", + "description": "Specifies a vulnerability and its associated information.\n\n**Syntax**\n\n```json\n{\n \"@type\": \"Vulnerability\",\n \"@id\": \"urn:spdx.dev:vuln-1\",\n \"summary\": \"Use of a Broken or Risky Cryptographic Algorithm\",\n \"description\": \"The npm package `elliptic` before version 6.5.4 are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.\", \n \"modified\": \"2021-03-08T16:02:43Z\",\n \"published\": \"2021-03-08T16:06:50Z\",\n \"externalIdentifiers\": [\n {\n \"@type\": \"ExternalIdentifier\",\n \"externalIdentifierType\": \"cve\",\n \"identifier\": \"CVE-2020-2849\",\n \"identifierLocator\": [\n \"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28498\",\n \"https://www.cve.org/CVERecord?id=CVE-2020-28498\"\n ],\n \"issuingAuthority\": \"urn:spdx.dev:agent-cve.org\"\n },\n {\n \"type\": \"ExternalIdentifier\",\n \"externalIdentifierType\": \"securityOther\",\n \"identifier\": \"GHSA-r9p9-mrjm-926w\",\n \"identifierLocator\": \"https://github.com/advisories/GHSA-r9p9-mrjm-926w\"\n },\n {\n \"type\": \"ExternalIdentifier\",\n \"externalIdentifierType\": \"securityOther\",\n \"identifier\": \"SNYK-JS-ELLIPTIC-1064899\",\n \"identifierLocator\": \"https://security.snyk.io/vuln/SNYK-JS-ELLIPTIC-1064899\"\n }\n ],\n \"externalReferences\": [\n {\n \"@type\": \"ExternalReference\",\n \"externalReferenceType\": \"securityAdvisory\",\n \"locator\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-28498\"\n },\n {\n \"@type\": \"ExternalReference\",\n \"externalReferenceType\": \"securityAdvisory\",\n \"locator\": \"https://ubuntu.com/security/CVE-2020-28498\"\n },\n {\n \"@type\": \"ExternalReference\",\n \"externalReferenceType\": \"securityOther\",\n \"locator\": \"https://github.com/indutny/elliptic/pull/244/commits\"\n },\n {\n \"@type\": \"ExternalReference\",\n \"externalReferenceType\": \"securityOther\",\n \"locator\": \"https://github.com/christianlundkvist/blog/blob/master/2020_05_26_secp256k1_twist_attacks/secp256k1_twist_attacks.md\"\n }\n ]\n},\n{\n \"@type\": \"Relationship\",\n \"@id\": \"urn:spdx.dev:vulnRelationship-1\",\n \"relationshipType\": \"hasAssociatedVulnerability\",\n \"from\": \"urn:npm-elliptic-6.5.2\",\n \"to\": [\"urn:spdx.dev:vuln-1\"],\n \"startTime\": \"2021-03-08T16:06:50Z\"\n},\n{\n \"@type\": \"Relationship\",\n \"@id\": \"urn:spdx.dev:vulnAgentRel-1\", \n \"relationshipType\": \"publishedBy\", \n \"from\": \"urn:spdx.dev:vuln-1\",\n \"to\": [\"urn:spdx.dev:agent-snyk\"],\n \"startTime\": \"2021-03-08T16:06:50Z\"\n}\n```", + "metadata": { + "name": "Vulnerability", + "SubclassOf": "/Core/Element", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/Vulnerability" + }, + "properties": { + "publishedTime": { + "type": "/Core/DateTime", + "minCount": "0", + "maxCount": "1" + }, + "modifiedTime": { + "type": "/Core/DateTime", + "minCount": "0", + "maxCount": "1" + }, + "withdrawnTime": { + "type": "/Core/DateTime", + "minCount": "0", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} + }, + "CvssV2VulnAssessmentRelationship": { + "summary": "Provides a CVSS version 2.0 assessment for a vulnerability.", + "description": "A CvssV2VulnAssessmentRelationship relationship describes the determined score and vector of a vulnerability using version 2.0 of the Common Vulnerability Scoring System\n(CVSS) as defined on [https://www.first.org/cvss/v2/guide](https://www.first.org/cvss/v2/guide). It is intented to communicate the results of using a CVSS calculator.\n\n**Constraints**\n\n- The value of severity must be one of 'low', 'medium' or 'high'\n- The relationship type must be set to hasAssessmentFor.\n\n**Syntax**\n\n```json\n{\n \"@type\": \"CvssV2VulnAssessmentRelationship\",\n \"@id\": \"urn:spdx.dev:cvssv2-cve-2020-28498\",\n \"relationshipType\": \"hasAssessmentFor\",\n \"score\": 4.3,\n \"vector\": \"(AV:N/AC:M/Au:N/C:P/I:N/A:N)\",\n \"severity\": \"low\",\n \"from\": \"urn:spdx.dev:vuln-cve-2020-28498\",\n \"to\": [\"urn:product-acme-application-1.3\"],\n \"assessedElement\": \"urn:npm-elliptic-6.5.2\",\n \"externalReferences\": [\n {\n \"@type\": \"ExternalReference\",\n \"externalReferenceType\": \"securityAdvisory\",\n \"locator\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-28498\"\n },\n {\n \"@type\": \"ExternalReference\",\n \"externalReferenceType\": \"securityAdvisory\",\n \"locator\": \"https://snyk.io/vuln/SNYK-JS-ELLIPTIC-1064899\"\n },\n {\n \"@type\": \"ExternalReference\",\n \"externalReferenceType\": \"securityFix\",\n \"locator\": \"https://github.com/indutny/elliptic/commit/441b742\"\n }\n ],\n \"suppliedBy\": [\"urn:spdx.dev:agent-my-security-vendor\"],\n \"publishedTime\": \"2023-05-06T10:06:13Z\"\n},\n{\n \"@type\": \"Relationship\",\n \"@id\": \"urn:spdx.dev:vulnAgentRel-1\", \n \"relationshipType\": \"publishedBy\", \n \"from\": \"urn:spdx.dev:cvssv2-cve-2020-28498\",\n \"to\": [\"urn:spdx.dev:agent-snyk\"],\n \"startTime\": \"2021-03-08T16:06:50Z\"\n}\n```", + "metadata": { + "name": "CvssV2VulnAssessmentRelationship", + "SubclassOf": "VulnAssessmentRelationship", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/CvssV2VulnAssessmentRelationship" + }, + "properties": { + "score": { + "type": "xsd:decimal", + "minCount": "1", + "maxCount": "1" + }, + "severity": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "vector": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} + }, + "VexAffectedVulnAssessmentRelationship": { + "summary": "Connects a vulnerability and an element designating the element as a product\naffected by the vulnerability.", + "description": "VexAffectedVulnAssessmentRelationship connects a vulnerability and a number\nof elements. The relationship marks these elements as products affected by the\nvulnerability. This relationship corresponds to the VEX affected status.\n\n**Constraints**\n\nWhen linking elements using a VexAffectedVulnAssessmentRelationship, the\nfollowing requirements must be observed:\n\n- Elements linked with a VulnVexAffectedAssessmentRelationship are constrained\nto the affects relationship type.\n\n**Syntax**\n\n```json\n{\n \"@type\": \"VexAffectedVulnAssessmentRelationship\",\n \"@id\": \"urn:spdx.dev:vex-affected-1\",\n \"relationshipType\": \"affects\",\n \"from\": \"urn:spdx.dev:vuln-cve-2020-28498\",\n \"to\": [\"urn:product-acme-application-1.3\"],\n \"assessedElement\": \"urn:npm-elliptic-6.5.2\",\n \"actionStatement\": \"Upgrade to version 1.4 of ACME application.\",\n \"suppliedBy\": [\"urn:spdx.dev:agent-jane-doe\"],\n \"publishedTime\": \"2021-03-09T11:04:53Z\"\n}\n```", + "metadata": { + "name": "VexAffectedVulnAssessmentRelationship", + "SubclassOf": "VexVulnAssessmentRelationship", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/VexAffectedVulnAssessmentRelationship" + }, + "properties": { + "actionStatement": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "actionStatementTime": { + "type": "/Core/DateTime", + "minCount": "0", + "maxCount": "*" + } + }, + "externalPropertyRestrictions": {} + }, + "ExploitCatalogVulnAssessmentRelationship": { + "summary": "Provides an exploit assessment of a vulnerability.", + "description": "An ExploitCatalogVulnAssessmentRelationship describes if a vulnerability is\nlisted in any exploit catalog such as the CISA Known Exploited Vulnerabilities\nCatalog (KEV) \n[https://www.cisa.gov/known-exploited-vulnerabilities-catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog).\n\n**Constraints**\n\n- The relationship type must be set to hasAssessmentFor.\n\n**Syntax**\n\n```json\n{\n \"@type\": \"ExploitCatalogVulnAssessmentRelationship\",\n \"@id\": \"urn:spdx.dev:exploit-catalog-1\",\n \"relationshipType\": \"hasAssessmentFor\",\n \"catalogType\": \"kev\",\n \"locator\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n \"exploited\": \"true\",\n \"from\": \"urn:spdx.dev:vuln-cve-2023-2136\",\n \"to\": [\"urn:product-google-chrome-112.0.5615.136\"],\n \"suppliedBy\": [\"urn:spdx.dev:agent-jane-doe\"],\n \"publishedTime\": \"2021-03-09T11:04:53Z\"\n}\n```", + "metadata": { + "name": "ExploitCatalogVulnAssessmentRelationship", + "SubclassOf": "VulnAssessmentRelationship", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/ExploitCatalogVulnAssessmentRelationship" + }, + "properties": { + "catalogType": { + "type": "ExploitCatalogType", + "minCount": "1", + "maxCount": "1" + }, + "exploited": { + "type": "xsd:boolean", + "minCount": "1", + "maxCount": "1" + }, + "locator": { + "type": "xsd:anyURI", + "minCount": "1", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} + }, + "EpssVulnAssessmentRelationship": { + "summary": "Provides an EPSS assessment for a vulnerability.", + "description": "An EpssVulnAssessmentRelationship relationship describes the likelihood or\nprobability that a vulnerability will be exploited in the wild using the Exploit\nPrediction Scoring System (EPSS) as defined on \n[https://www.first.org/epss/model](https://www.first.org/epss/model).\n\n**Constraints**\n\n- The relationship type must be set to hasAssessmentFor.\n\n**Syntax**\n\n```json\n{\n \"@type\": \"EpssVulnAssessmentRelationship\",\n \"@id\": \"urn:spdx.dev:epss-1\",\n \"relationshipType\": \"hasAssessmentFor\",\n \"probability\": 80,\n \"from\": \"urn:spdx.dev:vuln-cve-2020-28498\",\n \"to\": [\"urn:product-acme-application-1.3\"],\n \"suppliedBy\": [\"urn:spdx.dev:agent-jane-doe\"],\n \"publishedTime\": \"2021-03-09T11:04:53Z\"\n}\n```", + "metadata": { + "name": "EpssVulnAssessmentRelationship", + "SubclassOf": "VulnAssessmentRelationship", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/EpssVulnAssessmentRelationship" + }, + "properties": { + "probability": { + "type": "xsd:nonNegativeInteger", + "minCount": "1", + "maxCount": "1" + }, + "severity": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} + }, + "VexUnderInvestigationVulnAssessmentRelationship": { + "summary": "Designates elements as products where the impact of a vulnerability is being\ninvestigated.", + "description": "VexUnderInvestigationVulnAssessmentRelationship links a vulnerability to a\nnumber of products stating the vulnerability's impact on them is being\ninvestigated. It represents the VEX under_investigation status.\n\n**Constraints**\n\nWhen linking elements using a VexUnderInvestigationVulnAssessmentRelationship\nthe following requirements must be observed:\n\n- Elements linked with a VexUnderInvestigationVulnAssessmentRelationship are\nconstrained to using the underInvestigationFor relationship type.\n- The from: end of the relationship must ve a /Security/Vulnerability classed\nelement.\n\n**Syntax**\n\n```json\n{\n \"@type\": \"VexUnderInvestigationVulnAssessmentRelationship\",\n \"@id\": \"urn:spdx.dev:vex-underInvestigation-1\",\n \"relationshipType\": \"underInvestigationFor\",\n \"from\": \"urn:spdx.dev:vuln-cve-2020-28498\",\n \"to\": [\"urn:product-acme-application-1.3\"],\n \"assessedElement\": \"urn:npm-elliptic-6.5.2\",\n \"suppliedBy\": [\"urn:spdx.dev:agent-jane-doe\"],\n \"publishedTime\": \"2021-03-09T11:04:53Z\"\n}\n```", + "metadata": { + "name": "VexUnderInvestigationVulnAssessmentRelationship", + "SubclassOf": "VexVulnAssessmentRelationship", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/VexUnderInvestigationVulnAssessmentRelationship" + }, + "properties": {}, + "externalPropertyRestrictions": {} + } + }, + "properties": { + "justificationType": { + "summary": "Impact justification label to be used when linking a vulnerability to an element\nrepresenting a VEX product with a VexNotAffectedVulnAssessmentRelationship\nrelationship.", + "description": "When stating that an element is not affected by a vulnerability, the\nVexNotAffectedVulnAssessmentRelationship must include a justification from the\nmachine-readable labels catalog informing the reason the element is not impacted.\n\nimpactStatement which is a string with English prose can be used instead or as\ncomplementary to the justification label, but one of both MUST be defined.", + "metadata": { + "name": "justificationType", + "Nature": "ObjectProperty", + "Range": "VexJustificationType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/justificationType", + "Domain": [ + "VexNotAffectedVulnAssessmentRelationship" + ] + } + }, + "actionStatementTime": { + "summary": "Records the time when a recommended action was communicated in a VEX statement \nto mitigate a vulnerability.", + "description": "When a VEX statement communicates an affected status, the author MUST\ninclude an action statement with a recommended action to help mitigate the\nvulnerability's impact. The actionStatementTime property records the time\nwhen the action statement was first communicated.", + "metadata": { + "name": "actionStatementTime", + "Nature": "DataProperty", + "Range": "/Core/DateTime", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/actionStatementTime", + "Domain": [ + "VexAffectedVulnAssessmentRelationship" + ] + } + }, + "assessedElement": { + "summary": "Specifies an element contained in a piece of software where a vulnerability was\nfound.", + "description": "Specifies subpackages, files or snippets referenced by a security assessment\nto specify the precise location where a vulnerability was found.", + "metadata": { + "name": "assessedElement", + "Nature": "ObjectProperty", + "Range": "/Core/Element", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/assessedElement", + "Domain": [ + "VulnAssessmentRelationship" + ] + } + }, + "suppliedBy": { + "summary": "Identifies who or what supplied the vulnerability assessment relationship.", + "description": "Identify the actual distribution source for the vulnerability assessment relationship being referenced.", + "metadata": { + "name": "suppliedBy", + "Nature": "ObjectProperty", + "Range": "/Core/Agent", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/suppliedBy", + "Domain": [ + "VulnAssessmentRelationship" + ] + } + }, + "decisionType": { + "summary": "Provide the enumeration of possible decisions in the Stakeholder-Specific Vulnerability Categorization (SSVC) decision tree [https://www.cisa.gov/sites/default/files/publications/cisa-ssvc-guide%20508c.pdf](https://www.cisa.gov/sites/default/files/publications/cisa-ssvc-guide%20508c.pdf)", + "description": "A decisionType is a mandatory value and must select one of the four entries in the `SsvcDecisionType.md` vocabulary.", + "metadata": { + "name": "decisionType", + "Nature": "ObjectProperty", + "Range": "SsvcDecisionType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/decisionType", + "Domain": [ + "SsvcVulnAssessmentRelationship" + ] + } + }, + "exploited": { + "summary": "Describe that a CVE is known to have an exploit because it's been listed in an exploit catalog.", + "description": "This field is set when a CVE is listed in an exploit catalog.", + "metadata": { + "name": "exploited", + "Nature": "DataProperty", + "Range": "xsd:boolean", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/exploited", + "Domain": [ + "ExploitCatalogVulnAssessmentRelationship" + ] + } + }, + "catalogType": { + "summary": "TODO", + "description": "A catalogType is a mandatory value and must select one of the two entries in the `ExploitCatalogType.md` vocabulary.", + "metadata": { + "name": "catalogType", + "Nature": "ObjectProperty", + "Range": "ExploitCatalogType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/catalogType", + "Domain": [ + "ExploitCatalogVulnAssessmentRelationship" + ] + } + }, + "probability": { + "summary": "A probability score between 0 and 1 of a vulnerability being exploited.", + "description": "The probability score between 0 and 1 (0 and 100%) estimating the likelihood\nthat a vulnerability will be exploited in the next 12 months.", + "metadata": { + "name": "probability", + "Nature": "DataProperty", + "Range": "xsd:decimal", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/probability", + "Domain": [ + "EpssVulnAssessmentRelationship" + ] + } + }, + "statusNotes": { + "summary": "TODO", + "description": "TODO", + "metadata": { + "name": "statusNotes", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/statusNotes", + "Domain": [ + "VexVulnAssessmentRelationship" + ] + } + }, + "publishedTime": { + "summary": "Specifies the time when a vulnerability was published.", + "description": "Specifies the time when a vulnerability was first published.", + "metadata": { + "name": "publishedTime", + "Nature": "DataProperty", + "Range": "/Core/DateTime", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/publishedTime", + "Domain": [ + "VulnAssessmentRelationship", + "Vulnerability" + ] + } + }, + "vexVersion": { + "summary": "TODO", + "description": "TODO", + "metadata": { + "name": "vexVersion", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/vexVersion", + "Domain": [ + "VexVulnAssessmentRelationship" + ] + } + }, + "actionStatement": { + "summary": "Provides advise on how to mitigate or remediate a vulnerability when a VEX product\nis affected by it.", + "description": "When an element is referenced with a VexAffectedVulnAssessmentRelationship,\nthe relationship MUST include one actionStatement that SHOULD describe actions\nto remediate or mitigate the vulnerability.", + "metadata": { + "name": "actionStatement", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/actionStatement", + "Domain": [ + "VexAffectedVulnAssessmentRelationship" + ] + } + }, + "locator": { + "summary": "Provides the location of an exploit catalog.", + "description": "A locator provides the location of an exploit catalog.", + "metadata": { + "name": "locator", + "Nature": "DataProperty", + "Range": "xsd:anyURI", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/locator", + "Domain": [ + "ExploitCatalogVulnAssessmentRelationship" + ] + } + }, + "vector": { + "summary": "Specifies the vector string of a vulnerability.", + "description": "Sepcifies the vector string of a vulnerability, a string combining metrics\nfrom an assessment of its severity.", + "metadata": { + "name": "vector", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/vector", + "Domain": [ + "CvssV3VulnAssessmentRelationship", + "CvssV2VulnAssessmentRelationship" + ] + } + }, + "impactStatementTime": { + "summary": "TODO", + "description": "TODO", + "metadata": { + "name": "impactStatementTime", + "Nature": "DataProperty", + "Range": "/Core/DateTime", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/impactStatementTime", + "Domain": [ + "VexNotAffectedVulnAssessmentRelationship" + ] + } + }, + "withdrawnTime": { + "summary": "Specified the time and date when a vulnerability was withdrawn.", + "description": "Specified the time and date when a vulnerability was withdrawn.", + "metadata": { + "name": "withdrawnTime", + "Nature": "DataProperty", + "Range": "/Core/DateTime", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/withdrawnTime", + "Domain": [ + "VulnAssessmentRelationship", + "Vulnerability" + ] + } + }, + "impactStatement": { + "summary": "Explains why a VEX product is not affected by a vulnerability. It is an\nalternative in VexNotAffectedVulnAssessmentRelationship to the machine-readable\njustification label.", + "description": "When a VEX product element is related with a VexNotAffectedVulnAssessmentRelationship\nand a machine readable justification label is not provided, then an impactStatement\nthat further explains how or why the prouct(s) are not affected by the vulnerability\nmust be provided.", + "metadata": { + "name": "impactStatement", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/impactStatement", + "Domain": [ + "VexNotAffectedVulnAssessmentRelationship" + ] + } + }, + "score": { + "summary": "Provides a numerical (0-10) representation of the severity of a vulnerability.", + "description": "The score provides information on the severity of a vulnerability per the\nCommon Vulnerability Scoring System as defined on [https://www.first.org/cvss](https://www.first.org/cvss/).", + "metadata": { + "name": "score", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/score", + "Domain": [ + "CvssV3VulnAssessmentRelationship", + "CvssV2VulnAssessmentRelationship" + ] + } + }, + "severity": { + "summary": "The severity of a vulnerability in relation to a piece of software.", + "description": "The severity field provides a human readable string, a label that can be used\nas an English adjective that qualifies its numerical score.", + "metadata": { + "name": "severity", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/severity", + "Domain": [ + "CvssV3VulnAssessmentRelationship", + "CvssV2VulnAssessmentRelationship", + "EpssVulnAssessmentRelationship" + ] + } + }, + "modifiedTime": { + "summary": "Specifies a time when a vulnerability assessment was modified", + "description": "Specifies a time when a vulnerability assessment was last modified.", + "metadata": { + "name": "modifiedTime", + "Nature": "DataProperty", + "Range": "/Core/DateTime", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/modifiedTime", + "Domain": [ + "VulnAssessmentRelationship", + "Vulnerability" + ] + } + } + }, + "vocabs": { + "VexJustificationType": { + "summary": "Specifies the VEX justification type.", + "description": "VexJustificationType specifies the type of Vulnerability Exploitability eXchange (VEX) justification.", + "metadata": { + "name": "VexJustificationType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/VexJustificationType" + }, + "entries": { + "componentNotPresent": "The software is not affected because the vulnerable component is not in the product.", + "vulnerableCodeNotPresent": "The product is not affected because the code underlying the vulnerability is not present in the product.", + "vulnerableCodeCannotBeControlledByAdversary": "The vulnerable component is present, and the component contains the vulnerable code. However, vulnerable code is used in such a way that an attacker cannot mount any anticipated attack.", + "vulnerableCodeNotInExecutePath": "The affected code is not reachable through the execution of the code, including non-anticipated states of the product.", + "inlineMitigationsAlreadyExist": "Built-in inline controls or mitigations prevent an adversary from leveraging the vulnerability." + } + }, + "ExploitCatalogType": { + "summary": "Specifies the exploit catalog type.", + "description": "ExploitCatalogType specifies the type of exploit catalog that a vulnerability is listed in.", + "metadata": { + "name": "ExploitCatalogType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/ExploitCatalogType" + }, + "entries": { + "kev": "CISA's Known Exploited Vulnerability (KEV) Catalog", + "other": "Other exploit catalogs" + } + }, + "SsvcDecisionType": { + "summary": "Specifies the SSVC decision type.", + "description": "SsvcDecisionType specifies the type of decision that's been made according to the Stakeholder-Specific Vulnerability Categorization (SSVC) system [https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc](https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc)", + "metadata": { + "name": "SsvcDecisionType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Security/SsvcDecisionType" + }, + "entries": { + "act": "The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. CISA recommends remediating Act vulnerabilities as soon as possible.", + "attend": "The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary actions include requesting assistance or information about the vulnerability, and may involve publishing a notification either internally and/or externally. CISA recommends remediating Attend vulnerabilities sooner than standard update timelines.", + "track": "The vulnerability does not require action at this time. The organization would continue to track the vulnerability and reassess it if new information becomes available. CISA recommends remediating Track vulnerabilities within standard update timelines.", + "trackStar": "(Track* in the SSVC spec) The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines." + } + } + } + }, + "Build": { + "name": "Build", + "classes": { + "Build": { + "summary": "Class that describes a build instance of software/artifacts.", + "description": "A build is a representation of the process in which a piece of software or artifact is built. It encapsulates information related to a build process and\nprovides an element from which relationships can be created to describe the build's inputs, outputs, and related entities (e.g. builders, identities, etc.).\n\nDefinitions of \"BuildType\", \"ConfigSource\", \"Parameters\" and \"Environment\" follow\nthose defined in [SLSA provenance](https://slsa.dev/provenance/v0.2).\n\nExternalIdentifier of type \"urlScheme\" may be used to identify build logs. In this case, the comment of the ExternalIdentifier should be \"LogReference\".\n\nNote that buildStart and buildEnd are optional, and may be omitted to simplify creating reproducible builds.", + "metadata": { + "name": "Build", + "SubclassOf": "/Core/Element", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Build/Build" + }, + "properties": { + "buildType": { + "type": "xsd:anyURI", + "minCount": "1", + "maxCount": "1" + }, + "buildId": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "configSourceEntrypoint": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "*" + }, + "configSourceUri": { + "type": "xsd:anyURI", + "minCount": "0", + "maxCount": "*" + }, + "configSourceDigest": { + "type": "/Core/Hash", + "minCount": "0", + "maxCount": "*" + }, + "parameters": { + "type": "/Core/DictionaryEntry", + "minCount": "0", + "maxCount": "*" + }, + "buildStartTime": { + "type": "/Core/DateTime", + "minCount": "0", + "maxCount": "1" + }, + "buildEndTime": { + "type": "/Core/DateTime", + "minCount": "0", + "maxCount": "1" + }, + "environment": { + "type": "/Core/DictionaryEntry", + "minCount": "0", + "maxCount": "*" + } + }, + "externalPropertyRestrictions": {} + } + }, + "properties": { + "buildStartTime": { + "summary": "Property describing the start time of a build.", + "description": "buildStartTime is the time at which a build is triggered. The builder typically records this value.", + "metadata": { + "name": "buildStartTime", + "Nature": "DataProperty", + "Range": "/Core/DateTime", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Build/buildStartTime", + "Domain": [ + "Build" + ] + } + }, + "configSourceUri": { + "summary": "Property that describes the URI of the build configuration source file.", + "description": "If a build configuration exists for the toolchain or platform performing the build, the configSourceUri of a build is the URI of that build configuration. For example, a build triggered by a GitHub action is defined by a build configuration YAML file. In this case, the configSourceUri is the URL of that YAML file. \nm", + "metadata": { + "name": "configSourceUri", + "Nature": "DataProperty", + "Range": "xsd:anyURI", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Build/configSourceUri", + "Domain": [ + "Build" + ] + } + }, + "buildEndTime": { + "summary": "Property that describes the time at which a build stops.", + "description": "buildEndTime describes the time at which a build stops or finishes. This value is typically recorded by the builder.", + "metadata": { + "name": "buildEndTime", + "Nature": "DataProperty", + "Range": "/Core/DateTime", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Build/buildEndTime", + "Domain": [ + "Build" + ] + } + }, + "parameters": { + "summary": "Property describing the parameters used in an instance of a build.", + "description": "parameters is a key-value map of all build parameters and their values that were provided to the builder for a build instance. This is different from the [environment](environment.md) property in that the keys and values are provided as command line arguments or a configuration file to the builder.", + "metadata": { + "name": "parameters", + "Nature": "ObjectProperty", + "Range": "/Core/DictionaryEntry", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Build/parameters", + "Domain": [ + "Build" + ] + } + }, + "environment": { + "summary": "Property describing the session in which a build is invoked.", + "description": "environment is a map of environment variables and values that are set during a build session. This is different from the [parameters](parameters.md) property in that it describes the environment variables set before a build is invoked rather than the variables provided to the builder.", + "metadata": { + "name": "environment", + "Nature": "ObjectProperty", + "Range": "/Core/DictionaryEntry", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Build/environment", + "Domain": [ + "Build" + ] + } + }, + "configSourceDigest": { + "summary": "Property that describes the digest of the build configuration file used to invoke a build.", + "description": "configSourceDigest is the checksum of the build configuration file used by a builder to execute a build. This Property uses the Core model's [Hash](../../Core/Classes/Hash.md) class.", + "metadata": { + "name": "configSourceDigest", + "Nature": "ObjectProperty", + "Range": "/Core/Hash", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Build/configSourceDigest", + "Domain": [ + "Build" + ] + } + }, + "configSourceEntrypoint": { + "summary": "Property describes the invocation entrypoint of a build.", + "description": "A build entrypoint is the invoked executable of a build which always runs when the build is triggered. For example, when a build is triggered by running a shell script, the entrypoint is `script.sh`. In terms of a declared build, the entrypoint is the position in a configuration file or a build declaration which is always run when the build is triggered. For example, in the following configuration file, the entrypoint of the build is `publish`.\n\n```\nname: Publish packages to PyPI\n\non:\ncreate:\ntags: \"*\"\n\njobs:\npublish:\nruns-on: ubuntu-latest\nif: startsWith(github.ref, 'refs/tags/')\nsteps:\n\n...\n```", + "metadata": { + "name": "configSourceEntrypoint", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Build/configSourceEntrypoint", + "Domain": [ + "Build" + ] + } + }, + "buildId": { + "summary": "A buildId is a locally unique identifier used by a builder to identify a unique instance of a build produced by it.", + "description": "A buildId is a locally unique identifier to identify a unique instance of a build. This identifier differs based on build toolchain, platform, or naming convention used by an organization or standard.", + "metadata": { + "name": "buildId", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Build/buildId", + "Domain": [ + "Build" + ] + } + }, + "buildType": { + "summary": "A buildType is a hint that is used to indicate the toolchain, platform, or infrastructure that the build was invoked on.", + "description": "A buildType is a URI expressing the toolchain, platform, or infrastructure that the build was invoked on. For example, if the build was invoked on GitHub's CI platform using github actions, the buildType can be expressed as `https://github.com/actions`. In contrast, if the build was invoked on a local machine, the buildType can be expressed as `file://username@host/path/to/build`.", + "metadata": { + "name": "buildType", + "Nature": "DataProperty", + "Range": "xsd:anyURI", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Build/buildType", + "Domain": [ + "Build" + ] + } + } + }, + "vocabs": {} + }, + "Software": { + "name": "Software", + "classes": { + "Package": { + "summary": "Refers to any unit of content that can be associated with a distribution of software.", + "description": "A package refers to any unit of content that can be associated with a distribution of software.\nTypically, a package is composed of one or more files. \nAny of the following non-limiting examples may be (but are not required to be) represented in SPDX as a package:\n\n - a tarball, zip file or other archive\n - a directory or sub-directory\n - a separately distributed piece of software which another Package or File uses or depends upon (e.g., a Python package, a Go module, ...)\n - a container image, and/or each image layer within a container image\n - a collection of one or more sub-packages\n - a Git repository snapshot from a particular point in time\n\nNote that some of these could be represented in SPDX as a file as well.\nExternal property restriction on /Core/Element/name: minCount: 1", + "metadata": { + "name": "Package", + "SubclassOf": "/Software/SoftwareArtifact", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/Package" + }, + "properties": { + "packageVersion": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "downloadLocation": { + "type": "xsd:anyURI", + "minCount": "0", + "maxCount": "1" + }, + "packageUrl": { + "type": "xsd:anyURI", + "minCount": "0", + "maxCount": "1" + }, + "homePage": { + "type": "xsd:anyURI", + "minCount": "0", + "maxCount": "1" + }, + "sourceInfo": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": { + "/Core/Element/name": { + "minCount": "1", + "maxCount": "*" + } + } + }, + "File": { + "summary": "Refers to any object that stores content on a computer.", + "description": "Refers to any object that stores content on a computer.\nThe type of content can optionally be provided in the contentType property.\nExternal property restriction on /Core/Element/name: minCount: 1", + "metadata": { + "name": "File", + "SubclassOf": "/Software/SoftwareArtifact", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/File" + }, + "properties": { + "contentType": { + "type": "/Core/MediaType", + "minCount": "0", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": { + "/Core/Element/name": { + "minCount": "1", + "maxCount": "*" + } + } + }, + "Snippet": { + "summary": "Describes a certain part of a file.", + "description": "A Snippet describes a certain part of a file and can be used when the file is known to have some content\nthat has been included from another original source. Snippets are useful for denoting when part of a file\nmay have been originally created under another license or copied from a place with a known vulnerability.", + "metadata": { + "name": "Snippet", + "SubclassOf": "/Software/SoftwareArtifact", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/Snippet" + }, + "properties": { + "byteRange": { + "type": "/Core/PositiveIntegerRange", + "minCount": "0", + "maxCount": "1" + }, + "lineRange": { + "type": "/Core/PositiveIntegerRange", + "minCount": "0", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} + }, + "Sbom": { + "summary": "A collection of SPDX Elements describing a single package.", + "description": "A Software Bill of Materials (SBOM) is a collection of SPDX Elements describing a single package.\nThis could include details of the content and composition of the product,\nprovenance details of the product and/or\nits composition, licensing information, known quality or security issues, etc.", + "metadata": { + "name": "Sbom", + "SubclassOf": "/Core/Bom", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/Sbom" + }, + "properties": { + "sbomType": { + "type": "SbomType", + "minCount": "0", + "maxCount": "*" + } + }, + "externalPropertyRestrictions": {} + }, + "SoftwareArtifact": { + "summary": "A distinct article or unit related to Software.", + "description": "A software artifact is a distinct article or unit related to software\nsuch as a package, a file, or a snippet.", + "metadata": { + "name": "SoftwareArtifact", + "SubclassOf": "/Core/Artifact", + "Instantiability": "Abstract", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/SoftwareArtifact" + }, + "properties": { + "contentIdentifier": { + "type": "xsd:anyURI", + "minCount": "0", + "maxCount": "1" + }, + "primaryPurpose": { + "type": "SoftwarePurpose", + "minCount": "0", + "maxCount": "1" + }, + "additionalPurpose": { + "type": "SoftwarePurpose", + "minCount": "0", + "maxCount": "*" + }, + "concludedLicense": { + "type": "/Licensing/AnyLicenseInfo", + "minCount": "0", + "maxCount": "1" + }, + "declaredLicense": { + "type": "/Licensing/AnyLicenseInfo", + "minCount": "0", + "maxCount": "1" + }, + "copyrightText": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "attributionText": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} + }, + "SoftwareDependencyRelationship": { + "summary": "", + "description": "TODO", + "metadata": { + "name": "SoftwareDependencyRelationship", + "SubclassOf": "/Core/LifecycleScopedRelationship", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/SoftwareDependencyRelationship" + }, + "properties": { + "softwareLinkage": { + "type": "SoftwareDependencyLinkType", + "minCount": "0", + "maxCount": "1" + }, + "conditionality": { + "type": "DependencyConditionalityType", + "minCount": "0", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} + } + }, + "properties": { + "lineRange": { + "summary": "Defines the line range in the original host file that the snippet information applies to.", + "description": "This field defines the line range in the original host file that the snippet information applies to.\nIf there is a disagreement between the byte range and line range, the byte range values will take precedence.\nA range of lines is a convenient reference for those files where there is a known line delimiter. \nThe choice was made to start the numbering of the lines at 1 to be consistent with the W3C pointer method vocabulary.", + "metadata": { + "name": "lineRange", + "Nature": "DataProperty", + "Range": "/Core/PositiveIntegerRange", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/lineRange", + "Domain": [ + "Snippet" + ] + } + }, + "primaryPurpose": { + "summary": "Provides information about the primary purpose of the software artifact.", + "description": "primaryPurpose provides information about the primary purpose of the software artifact.", + "metadata": { + "name": "primaryPurpose", + "Nature": "ObjectProperty", + "Range": "SoftwarePurpose", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/primaryPurpose", + "Domain": [ + "SoftwareArtifact" + ] + } + }, + "packageVersion": { + "summary": "Identify the version of a package.", + "description": "A packageVersion is useful for identification purposes and for indicating later changes of the package version.", + "metadata": { + "name": "packageVersion", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/packageVersion", + "Domain": [ + "Package" + ] + } + }, + "conditionality": { + "summary": "TODO", + "description": "A conditionality is TODO", + "metadata": { + "name": "conditionality", + "Nature": "ObjectProperty", + "Range": "DependencyConditionalityType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/conditionality", + "Domain": [ + "SoftwareDependencyRelationship" + ] + } + }, + "sbomType": { + "summary": "Provides information about the type of an SBOM.", + "description": "This field is a reasonable estimation of the type of SBOM created from a creator perspective.\nIt is intended to be used to give guidance on the elements that may be contained within it.\nAligning with the guidance produced in [Types of Software Bill of Material (SBOM) Documents](https://www.cisa.gov/sites/default/files/2023-04/sbom-types-document-508c.pdf).", + "metadata": { + "name": "sbomType", + "Nature": "ObjectProperty", + "Range": "SbomType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/sbomType", + "Domain": [ + "Sbom" + ] + } + }, + "concludedLicense": { + "summary": "Identifies the license that that SPDX data creator has concluded as governing\nthe software Package, File or Snippet.", + "description": "A concludedLicense is the license identified by the SPDX data creator,\nbased on analyzing the license information in the software Package, File\nor Snippet and other information to arrive at a reasonably objective\nconclusion as to what license governs it.\n\nIf a concludedLicense has a NONE value (NoneLicense), this indicates that the\nSPDX data creator has looked and did not find any license information for this\nsoftware Package, File or Snippet.\n\nIf a concludedLicense has a NOASSERTION value (NoAssertionLicense), this\nindicates that one of the following applies:\n* the SPDX data creator has attempted to but cannot reach a reasonable\n objective determination;\n* the SPDX data creator has made no attempt to determine this field; or\n* the SPDX data creator has intentionally provided no information (no\n meaning should be implied by doing so).\n\nA written explanation of a NOASSERTION value (NoAssertionLicense) MAY be\nprovided in the licenseComment field.\n\nIf the concludedLicense for a software Package, File or Snippet is not the\nsame as its declaredLicense, a written explanation SHOULD be provided in\nthe licenseComment field.\n\nIf the declaredLicense for a software Package, File or Snippet is a choice\nof more than one license (e.g. a license expression combining two licenses\nthrough use of the `OR` operator), then the concludedLicense may either\nretain the license choice or identify which license was chosen.", + "metadata": { + "name": "concludedLicense", + "Nature": "ObjectProperty", + "Range": "/Licensing/AnyLicenseInfo", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/concludedLicense", + "Domain": [ + "SoftwareArtifact" + ] + } + }, + "sourceInfo": { + "summary": "Records any relevant background information or additional comments\nabout the origin of the package.", + "description": "SourceInfo records any relevant background information or additional comments\nabout the origin of the package. For example, this field might include comments \nindicating whether the package was pulled from a source code management system \nor has been repackaged. The creator can provide additional information to describe\nany anomalies or discoveries in the determination of the origin of the package.", + "metadata": { + "name": "sourceInfo", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/sourceInfo", + "Domain": [ + "Package" + ] + } + }, + "contentType": { + "summary": "Provides information about the content type of an Element.", + "description": "This field is a reasonable estimation of the content type of the Element, from a creator perspective.\nContent type is intrinsic to the Element, independent of how the Element is being used.", + "metadata": { + "name": "contentType", + "Nature": "DataProperty", + "Range": "/Core/MediaType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/contentType", + "Domain": [ + "File" + ] + } + }, + "declaredLicense": { + "summary": "Identifies the license information actually found in the software Package,\nFile or Snippet, for example as detected by use of automated tooling.", + "description": "A declaredLicense is the license identified in text in the software package,\nfile or snippet as the license declared by its authors.\n\nThis field is not intended to capture license information obtained from an\nexternal source, such as a package's website. Such information can be\nincluded, as needed, in a concludedLicense field.\n\nA declaredLicense may be expressed differently in practice for different\ntypes of artifacts. For example:\n\n* for Packages:\n * would include license info describing the license of the Package as a\n whole, when it is found in the Package itself (e.g., LICENSE file,\n README file, metadata in the repository, etc.)\n * would not include any license information that is not in the Package\n itself (e.g., license information from the project\u2019s website or from a\n third party repository or website)\n* for Files:\n * would include license info found in the File itself (e.g., license\n header or notice, comments, SPDX-License-Identifier expression)\n * would not include license info found in a different file (e.g., LICENSE\n file in the top directory of a repository)\n* for Snippets:\n * would include license info found in the Snippet itself (e.g., license\n notice, comments, SPDX-License-Identifier expression)\n * would not include license info found elsewhere in the File or in a\n different File (e.g., comment at top of File if it is not within the\n Snippet, LICENSE file in the top directory of a repository)\n\nIf a declaredLicense has a NONE value (NoneLicense), this indicates that the\ncorresponding Package, File or Snippet contains no license information\nwhatsoever.\n\nIf a declaredLicense has a NOASSERTION value (NoAssertionLicense), this\nindicates that one of the following applies:\n* the SPDX data creator has attempted to but cannot reach a reasonable\n objective determination;\n* the SPDX data creator has made no attempt to determine this field; or\n* the SPDX data creator has intentionally provided no information (no meaning\n should be implied by doing so).", + "metadata": { + "name": "declaredLicense", + "Nature": "ObjectProperty", + "Range": "/Licensing/AnyLicenseInfo", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/declaredLicense", + "Domain": [ + "SoftwareArtifact" + ] + } + }, + "additionalPurpose": { + "summary": "Provides additional purpose information of the software artifact.", + "description": "Additional purpose provides information about the additional purposes of the software artifact in addition to the primaryPurpose.", + "metadata": { + "name": "additionalPurpose", + "Nature": "ObjectProperty", + "Range": "SoftwarePurpose", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/additionalPurpose", + "Domain": [ + "SoftwareArtifact" + ] + } + }, + "attributionText": { + "summary": "Provides a place for the SPDX data creator to record acknowledgement text for\na software Package, File or Snippet.", + "description": "An attributionText for a software Package, File or Snippet provides a consumer\nof SPDX data with acknowledgement content, to assist redistributors of the\nPackage, File or Snippet with reproducing those acknowledgements.\n\nFor example, this field may include a statement that is required by a\nparticular license to be reproduced in end-user documentation, advertising\nmaterials, or another form.\n\nThis field may describe where, or in which contexts, the acknowledgements\nneed to be reproduced, but it is not required to do so. The SPDX data creator\nmay also explain elsewhere (such as in a licenseComment field) how they intend\nfor data in this field to be used.\n\nAn attributionText is is not meant to include the software Package, File or\nSnippet\u2019s actual complete license text (see concludedLicense to identify the\ncorresponding license).", + "metadata": { + "name": "attributionText", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/attributionText", + "Domain": [ + "SoftwareArtifact" + ] + } + }, + "homePage": { + "summary": "A place for the SPDX document creator to record a website that serves as the package's home page.", + "description": "HomePage is a place for the SPDX document creator to record a website that serves as the package's home page.\nThis saves the recipient of the SPDX document who is looking for more info from\nhaving to search for and verify a match between the package and the associated project home page.\nThis link can also be used to reference further information about the package\nreferenced by the SPDX document creator.", + "metadata": { + "name": "homePage", + "Nature": "DataProperty", + "Range": "xsd:anyURI", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/homePage", + "Domain": [ + "Package" + ] + } + }, + "contentIdentifier": { + "summary": "Provides a place to record the canonical, unique, immutable identifier for each software artifact using the artifact's gitoid.", + "description": "The contentIdentifier provides a canonical, unique, immutable artifact identifier for each software artifact. SPDX 3.0 describes software artifacts as Snippet, File, or Package Elements. The ContentIdentifier can be calculated for any software artifact and can be recorded for any of these SPDX 3.0 Elements using Omnibor, an attempt to standardize how software artifacts are identified independent of which programming language, version control system, build tool, package manager, or software distribution mechanism is in use. \n\nThe contentIdentifier is defined as the [Git Object Identifier](https://git-scm.com/book/en/v2/Git-Internals-Git-Objects) (gitoid) of type `blob` of the software artifact. The use of a git-based version control system is not necessary to calculate a contentIdentifier for any software artifact.\n\nThe gitoid is expressed in the ContentIdentifier property by using the IANA [gitoid URI scheme](https://www.iana.org/assignments/uri-schemes/prov/gitoid).\n\n```\nScheme syntax: gitoid\":\"\":\"\":\"\n```\n\nThe OmniBOR ID for the OmniBOR Document associated with a software artifact should not be recorded in this field. Rather, OmniBOR IDs should be recorded in the SPDX Element's ExternalIdentifier property. See [https://omnibor.io](https://omnibor.io) for more details.", + "metadata": { + "name": "contentIdentifier", + "Nature": "DataProperty", + "Range": "xsd:anyURI", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/contentIdentifier", + "Domain": [ + "SoftwareArtifact" + ] + } + }, + "copyrightText": { + "summary": "Identifies the text of one or more copyright notices for a software Package,\nFile or Snippet, if any.", + "description": "A copyrightText consists of the text(s) of the copyright notice(s) found\nfor a software Package, File or Snippet, if any.\n\nIf a copyrightText contains text, then it may contain any text related to\none or more copyright notices (even if not complete) for that software\nPackage, File or Snippet.\n\nIf a copyrightText has a \"NONE\" value, this indicates that the software\nPackage, File or Snippet contains no copyright notice whatsoever.\n\nIf a copyrightText has a \"NOASSERTION\" value, this indicates that one of the\nfollowing applies:\n* the SPDX data creator has attempted to but cannot reach a reasonable\n objective determination;\n* the SPDX data creator has made no attempt to determine this field; or\n* the SPDX data creator has intentionally provided no information (no\n meaning should be implied by doing so).", + "metadata": { + "name": "copyrightText", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/copyrightText", + "Domain": [ + "SoftwareArtifact" + ] + } + }, + "packageUrl": { + "summary": "Provides a place for the SPDX data creator to record the package URL string (in accordance with the [package URL spec](https://github.com/package-url/purl-spec/blob/master/PURL-SPECIFICATION.rst)) for a software Package.", + "description": "A packageUrl (commonly pronounced and referred to as \"purl\") is an attempt to standardize package representations in order to reliably identify and locate software packages. A purl is a URL string which represents a package in a mostly universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs and databases.\n\nthe purl URL string is defined by seven components:\n```\nscheme:type/namespace/name@version?qualifiers#subpath\n```\n\nThe definition for each component can be found in the [purl specification](https://github.com/package-url/purl-spec/blob/master/PURL-SPECIFICATION.rst). Components are designed such that they form a hierarchy from the most significant on the left to the least significant components on the right. \n\nParsing a purl string into its components works from left to right. Some extra type-specific normalizations are required. For more information, see [How to parse a purl string in its components](https://github.com/package-url/purl-spec/blob/master/PURL-SPECIFICATION.rst#how-to-parse-a-purl-string-in-its-components).", + "metadata": { + "name": "packageUrl", + "Nature": "DataProperty", + "Range": "xsd:anyURI", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/packageUrl", + "Domain": [ + "Package" + ] + } + }, + "byteRange": { + "summary": "Defines the byte range in the original host file that the snippet information applies to.", + "description": "This field defines the byte range in the original host file that the snippet information applies to.\nA range of bytes is independent of various formatting concerns, and the most accurate way \nof referring to the differences. The choice was made to start the numbering of \nthe byte range at 1 to be consistent with the W3C pointer method vocabulary.", + "metadata": { + "name": "byteRange", + "Nature": "DataProperty", + "Range": "/Core/PositiveIntegerRange", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/byteRange", + "Domain": [ + "Snippet" + ] + } + }, + "softwareLinkage": { + "summary": "TODO", + "description": "A softwareLinkage is TODO", + "metadata": { + "name": "softwareLinkage", + "Nature": "ObjectProperty", + "Range": "SoftwareDependencyLinkType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/softwareLinkage", + "Domain": [ + "SoftwareDependencyRelationship" + ] + } + }, + "downloadLocation": { + "summary": "Identifies the download Uniform Resource Identifier for the package at the time that the document was created.", + "description": "DownloadLocation identifies the download Uniform Resource Identifier \nfor the package at the time that the document was created.\nWhere and how to download the exact package being referenced \nis critical for verification and tracking data.", + "metadata": { + "name": "downloadLocation", + "Nature": "DataProperty", + "Range": "xsd:anyURI", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/downloadLocation", + "Domain": [ + "Package" + ] + } + } + }, + "vocabs": { + "DependencyConditionalityType": { + "summary": "TODO", + "description": "TODO", + "metadata": { + "name": "DependencyConditionalityType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/DependencyConditionalityType" + }, + "entries": { + "optional": "TODOdescription", + "required": "TODOdescription", + "provided": "TODOdescription", + "prerequisite": "TODOdescription", + "other": "TODOdescription" + } + }, + "SoftwarePurpose": { + "summary": "Provides information about the primary purpose of an Element.", + "description": "This field provides information about the primary purpose of an Element.\nSoftware Purpose is intrinsic to how the Element is being used rather than the content of the Element.\nThis field is a reasonable estimate of the most likely usage of the Element\nfrom the producer and consumer perspective from which both parties can draw conclusions\nabout the context in which the Element exists.", + "metadata": { + "name": "SoftwarePurpose", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose" + }, + "entries": { + "application": "the Element is a software application", + "archive": "the Element is an archived collection of one or more files (.tar, .zip, etc)", + "bom": "Element is a bill of materials", + "configuration": "Element is configuration data", + "container": "the Element is a container image which can be used by a container runtime application", + "data": "Element is data", + "device": "the Element refers to a chipset, processor, or electronic board", + "documentation": "Element is documentation", + "evidence": "the Element is the evidence that a specification or requirement has been fulfilled", + "executable": "Element is an Artifact that can be run on a computer", + "file": "the Element is a single file which can be independently distributed (configuration file, statically linked binary, Kubernetes deployment, etc)", + "firmware": "the Element provides low level control over a device's hardware", + "framework": "the Element is a software framework", + "install": "the Element is used to install software on disk", + "library": "the Element is a software library", + "manifest": "the Element is a software manifest", + "model": "the Element is a machine learning or artificial intelligence model", + "module": "the Element is a module of a piece of software", + "operatingSystem": "the Element is an operating system", + "other": "the Element doesn't fit into any of the other categories", + "patch": "Element contains a set of changes to update, fix, or improve another Element", + "requirement": "the Element provides a requirement needed as input for another Element", + "source": "the Element is a single or a collection of source files", + "specification": "the Element is a plan, guideline or strategy how to create, perform or analyse an application", + "test": "The Element is a test used to verify functionality on an software element" + } + }, + "SoftwareDependencyLinkType": { + "summary": "TODO", + "description": "TODO", + "metadata": { + "name": "SoftwareDependencyLinkType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/SoftwareDependencyLinkType" + }, + "entries": { + "static": "TODOdescription", + "dynamic": "TODOdescription", + "tool": "TODOdescription", + "other": "TODOdescription" + } + }, + "SbomType": { + "summary": "Provides a set of values to be used to describe the common types of SBOMs that tools may create.", + "description": "The set of SBOM types with definitions as defined in [Types of Software Bill of Material (SBOM) Documents](https://www.cisa.gov/sites/default/files/2023-04/sbom-types-document-508c.pdf), published on April 21, 2023. \nAn SBOM type describes the most likely type of an SBOM from the producer perspective, so that consumers can draw conclusions about the data inside an SBOM. A single SBOM can have multiple SBOM document types associated with it.", + "metadata": { + "name": "SbomType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Software/SbomType" + }, + "entries": { + "design": "SBOM of intended, planned software project or product with included components (some of which may not yet exist) for a new software artifact.", + "source": "SBOM created directly from the development environment, source files, and included dependencies used to build an product artifact.", + "build": "SBOM generated as part of the process of building the software to create a releasable artifact (e.g., executable or package) from data such as source files, dependencies, built components, build process ephemeral data, and other SBOMs.", + "deployed": "SBOM provides an inventory of software that is present on a system. This may be an assembly of other SBOMs that combines analysis of configuration options, and examination of execution behavior in a (potentially simulated) deployment environment.", + "runtime": "SBOM generated through instrumenting the system running the software, to capture only components present in the system, as well as external call-outs or dynamically loaded components. In some contexts, this may also be referred to as an \u201cInstrumented\u201d or \u201cDynamic\u201d SBOM.", + "analyzed": "SBOM generated through analysis of artifacts (e.g., executables, packages, containers, and virtual machine images) after its build. Such analysis generally requires a variety of heuristics. In some contexts, this may also be referred to as a \u201c3rd party\u201d SBOM." + } + } + } + } +} \ No newline at end of file diff --git a/src/spdx_tools/spdx3/new_model/ai/ai_package.py b/src/spdx_tools/spdx3/new_model/ai/ai_package.py index 901528eeb..777ff732c 100644 --- a/src/spdx_tools/spdx3/new_model/ai/ai_package.py +++ b/src/spdx_tools/spdx3/new_model/ai/ai_package.py @@ -108,8 +108,13 @@ class AIPackage(Package): def __init__( self, spdx_id: str, + name: str, creation_info: CreationInfo, - name: Optional[str] = None, + supplied_by: List[str], + release_time: datetime, + primary_purpose: SoftwarePurpose, + package_version: str, + download_location: str, summary: Optional[str] = None, description: Optional[str] = None, comment: Optional[str] = None, @@ -118,20 +123,15 @@ def __init__( external_identifier: List[ExternalIdentifier] = None, extension: List[str] = None, originated_by: List[str] = None, - supplied_by: List[str] = None, built_time: Optional[datetime] = None, - release_time: Optional[datetime] = None, valid_until_time: Optional[datetime] = None, standard: List[str] = None, content_identifier: Optional[str] = None, - primary_purpose: Optional[SoftwarePurpose] = None, additional_purpose: List[SoftwarePurpose] = None, concluded_license: Optional[AnyLicenseInfo] = None, declared_license: Optional[AnyLicenseInfo] = None, copyright_text: Optional[str] = None, attribution_text: Optional[str] = None, - package_version: Optional[str] = None, - download_location: Optional[str] = None, package_url: Optional[str] = None, homepage: Optional[str] = None, source_info: Optional[str] = None, @@ -156,7 +156,6 @@ def __init__( external_identifier = [] if external_identifier is None else external_identifier extension = [] if extension is None else extension originated_by = [] if originated_by is None else originated_by - supplied_by = [] if supplied_by is None else supplied_by standard = [] if standard is None else standard additional_purpose = [] if additional_purpose is None else additional_purpose standard_compliance = [] if standard_compliance is None else standard_compliance diff --git a/src/spdx_tools/spdx3/new_model/core/spdx_document.py b/src/spdx_tools/spdx3/new_model/core/spdx_document.py index 6a4064208..babb89a92 100644 --- a/src/spdx_tools/spdx3/new_model/core/spdx_document.py +++ b/src/spdx_tools/spdx3/new_model/core/spdx_document.py @@ -26,11 +26,11 @@ class SpdxDocument(Bundle): def __init__( self, spdx_id: str, + name: str, creation_info: CreationInfo, element: List[str], root_element: List[str], name: str, - name: Optional[str] = None, summary: Optional[str] = None, description: Optional[str] = None, comment: Optional[str] = None, diff --git a/src/spdx_tools/spdx3/new_model/dataset/dataset.py b/src/spdx_tools/spdx3/new_model/dataset/dataset.py index 695816ebe..61ac109f5 100644 --- a/src/spdx_tools/spdx3/new_model/dataset/dataset.py +++ b/src/spdx_tools/spdx3/new_model/dataset/dataset.py @@ -92,9 +92,14 @@ class Dataset(Package): def __init__( self, spdx_id: str, + name: str, creation_info: CreationInfo, + originated_by: List[str], + built_time: datetime, + release_time: datetime, + primary_purpose: SoftwarePurpose, + download_location: str, dataset_type: List[DatasetType], - name: Optional[str] = None, summary: Optional[str] = None, description: Optional[str] = None, comment: Optional[str] = None, @@ -102,21 +107,16 @@ def __init__( external_reference: List[ExternalReference] = None, external_identifier: List[ExternalIdentifier] = None, extension: List[str] = None, - originated_by: List[str] = None, supplied_by: List[str] = None, - built_time: Optional[datetime] = None, - release_time: Optional[datetime] = None, valid_until_time: Optional[datetime] = None, standard: List[str] = None, content_identifier: Optional[str] = None, - primary_purpose: Optional[SoftwarePurpose] = None, additional_purpose: List[SoftwarePurpose] = None, concluded_license: Optional[AnyLicenseInfo] = None, declared_license: Optional[AnyLicenseInfo] = None, copyright_text: Optional[str] = None, attribution_text: Optional[str] = None, package_version: Optional[str] = None, - download_location: Optional[str] = None, package_url: Optional[str] = None, homepage: Optional[str] = None, source_info: Optional[str] = None, @@ -137,7 +137,6 @@ def __init__( external_reference = [] if external_reference is None else external_reference external_identifier = [] if external_identifier is None else external_identifier extension = [] if extension is None else extension - originated_by = [] if originated_by is None else originated_by supplied_by = [] if supplied_by is None else supplied_by standard = [] if standard is None else standard additional_purpose = [] if additional_purpose is None else additional_purpose diff --git a/src/spdx_tools/spdx3/new_model/security/cvss_v2_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/cvss_v2_vuln_assessment_relationship.py index 4a48f3ad8..01f24c159 100644 --- a/src/spdx_tools/spdx3/new_model/security/cvss_v2_vuln_assessment_relationship.py +++ b/src/spdx_tools/spdx3/new_model/security/cvss_v2_vuln_assessment_relationship.py @@ -88,6 +88,7 @@ def __init__( spdx_id: str, creation_info: CreationInfo, from_element: str, + to: List[str], relationship_type: RelationshipType, score: float, name: Optional[str] = None, @@ -98,7 +99,6 @@ def __init__( external_reference: List[ExternalReference] = None, external_identifier: List[ExternalIdentifier] = None, extension: List[str] = None, - to: List[str] = None, completeness: Optional[RelationshipCompleteness] = None, start_time: Optional[datetime] = None, end_time: Optional[datetime] = None, @@ -114,5 +114,4 @@ def __init__( external_reference = [] if external_reference is None else external_reference external_identifier = [] if external_identifier is None else external_identifier extension = [] if extension is None else extension - to = [] if to is None else to check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/security/cvss_v3_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/cvss_v3_vuln_assessment_relationship.py index 087f92764..5cbf6bddc 100644 --- a/src/spdx_tools/spdx3/new_model/security/cvss_v3_vuln_assessment_relationship.py +++ b/src/spdx_tools/spdx3/new_model/security/cvss_v3_vuln_assessment_relationship.py @@ -89,6 +89,7 @@ def __init__( spdx_id: str, creation_info: CreationInfo, from_element: str, + to: List[str], relationship_type: RelationshipType, score: float, name: Optional[str] = None, @@ -99,7 +100,6 @@ def __init__( external_reference: List[ExternalReference] = None, external_identifier: List[ExternalIdentifier] = None, extension: List[str] = None, - to: List[str] = None, completeness: Optional[RelationshipCompleteness] = None, start_time: Optional[datetime] = None, end_time: Optional[datetime] = None, @@ -115,5 +115,4 @@ def __init__( external_reference = [] if external_reference is None else external_reference external_identifier = [] if external_identifier is None else external_identifier extension = [] if extension is None else extension - to = [] if to is None else to check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/security/epss_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/epss_vuln_assessment_relationship.py index c3f7d2c85..075902db8 100644 --- a/src/spdx_tools/spdx3/new_model/security/epss_vuln_assessment_relationship.py +++ b/src/spdx_tools/spdx3/new_model/security/epss_vuln_assessment_relationship.py @@ -54,6 +54,7 @@ def __init__( spdx_id: str, creation_info: CreationInfo, from_element: str, + to: List[str], relationship_type: RelationshipType, probability: int, name: Optional[str] = None, @@ -64,7 +65,6 @@ def __init__( external_reference: List[ExternalReference] = None, external_identifier: List[ExternalIdentifier] = None, extension: List[str] = None, - to: List[str] = None, completeness: Optional[RelationshipCompleteness] = None, start_time: Optional[datetime] = None, end_time: Optional[datetime] = None, @@ -79,5 +79,4 @@ def __init__( external_reference = [] if external_reference is None else external_reference external_identifier = [] if external_identifier is None else external_identifier extension = [] if extension is None else extension - to = [] if to is None else to check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/security/exploit_catalog_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/exploit_catalog_vuln_assessment_relationship.py index 044338bfb..a83f171f9 100644 --- a/src/spdx_tools/spdx3/new_model/security/exploit_catalog_vuln_assessment_relationship.py +++ b/src/spdx_tools/spdx3/new_model/security/exploit_catalog_vuln_assessment_relationship.py @@ -58,6 +58,7 @@ def __init__( spdx_id: str, creation_info: CreationInfo, from_element: str, + to: List[str], relationship_type: RelationshipType, catalog_type: ExploitCatalogType, exploited: bool, @@ -70,7 +71,6 @@ def __init__( external_reference: List[ExternalReference] = None, external_identifier: List[ExternalIdentifier] = None, extension: List[str] = None, - to: List[str] = None, completeness: Optional[RelationshipCompleteness] = None, start_time: Optional[datetime] = None, end_time: Optional[datetime] = None, @@ -84,5 +84,4 @@ def __init__( external_reference = [] if external_reference is None else external_reference external_identifier = [] if external_identifier is None else external_identifier extension = [] if extension is None else extension - to = [] if to is None else to check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/security/ssvc_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/ssvc_vuln_assessment_relationship.py index 44ea5203a..447dabc80 100644 --- a/src/spdx_tools/spdx3/new_model/security/ssvc_vuln_assessment_relationship.py +++ b/src/spdx_tools/spdx3/new_model/security/ssvc_vuln_assessment_relationship.py @@ -50,6 +50,7 @@ def __init__( spdx_id: str, creation_info: CreationInfo, from_element: str, + to: List[str], relationship_type: RelationshipType, decision_type: SsvcDecisionType, name: Optional[str] = None, @@ -60,7 +61,6 @@ def __init__( external_reference: List[ExternalReference] = None, external_identifier: List[ExternalIdentifier] = None, extension: List[str] = None, - to: List[str] = None, completeness: Optional[RelationshipCompleteness] = None, start_time: Optional[datetime] = None, end_time: Optional[datetime] = None, @@ -74,5 +74,4 @@ def __init__( external_reference = [] if external_reference is None else external_reference external_identifier = [] if external_identifier is None else external_identifier extension = [] if extension is None else extension - to = [] if to is None else to check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/security/vex_affected_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/vex_affected_vuln_assessment_relationship.py index 3f881721d..0c9d75053 100644 --- a/src/spdx_tools/spdx3/new_model/security/vex_affected_vuln_assessment_relationship.py +++ b/src/spdx_tools/spdx3/new_model/security/vex_affected_vuln_assessment_relationship.py @@ -58,6 +58,7 @@ def __init__( spdx_id: str, creation_info: CreationInfo, from_element: str, + to: List[str], relationship_type: RelationshipType, name: Optional[str] = None, summary: Optional[str] = None, @@ -67,7 +68,6 @@ def __init__( external_reference: List[ExternalReference] = None, external_identifier: List[ExternalIdentifier] = None, extension: List[str] = None, - to: List[str] = None, completeness: Optional[RelationshipCompleteness] = None, start_time: Optional[datetime] = None, end_time: Optional[datetime] = None, @@ -85,6 +85,5 @@ def __init__( external_reference = [] if external_reference is None else external_reference external_identifier = [] if external_identifier is None else external_identifier extension = [] if extension is None else extension - to = [] if to is None else to action_statement_time = [] if action_statement_time is None else action_statement_time check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/security/vex_fixed_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/vex_fixed_vuln_assessment_relationship.py index 385956a73..8d1a9e5f6 100644 --- a/src/spdx_tools/spdx3/new_model/security/vex_fixed_vuln_assessment_relationship.py +++ b/src/spdx_tools/spdx3/new_model/security/vex_fixed_vuln_assessment_relationship.py @@ -46,6 +46,7 @@ def __init__( spdx_id: str, creation_info: CreationInfo, from_element: str, + to: List[str], relationship_type: RelationshipType, name: Optional[str] = None, summary: Optional[str] = None, @@ -55,7 +56,6 @@ def __init__( external_reference: List[ExternalReference] = None, external_identifier: List[ExternalIdentifier] = None, extension: List[str] = None, - to: List[str] = None, completeness: Optional[RelationshipCompleteness] = None, start_time: Optional[datetime] = None, end_time: Optional[datetime] = None, @@ -71,5 +71,4 @@ def __init__( external_reference = [] if external_reference is None else external_reference external_identifier = [] if external_identifier is None else external_identifier extension = [] if extension is None else extension - to = [] if to is None else to check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/security/vex_not_affected_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/vex_not_affected_vuln_assessment_relationship.py index c57f2f415..7fe28fa49 100644 --- a/src/spdx_tools/spdx3/new_model/security/vex_not_affected_vuln_assessment_relationship.py +++ b/src/spdx_tools/spdx3/new_model/security/vex_not_affected_vuln_assessment_relationship.py @@ -70,6 +70,7 @@ def __init__( spdx_id: str, creation_info: CreationInfo, from_element: str, + to: List[str], relationship_type: RelationshipType, name: Optional[str] = None, summary: Optional[str] = None, @@ -79,7 +80,6 @@ def __init__( external_reference: List[ExternalReference] = None, external_identifier: List[ExternalIdentifier] = None, extension: List[str] = None, - to: List[str] = None, completeness: Optional[RelationshipCompleteness] = None, start_time: Optional[datetime] = None, end_time: Optional[datetime] = None, @@ -98,5 +98,4 @@ def __init__( external_reference = [] if external_reference is None else external_reference external_identifier = [] if external_identifier is None else external_identifier extension = [] if extension is None else extension - to = [] if to is None else to check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/security/vex_under_investigation_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/vex_under_investigation_vuln_assessment_relationship.py index 1ee37f649..bb592f46b 100644 --- a/src/spdx_tools/spdx3/new_model/security/vex_under_investigation_vuln_assessment_relationship.py +++ b/src/spdx_tools/spdx3/new_model/security/vex_under_investigation_vuln_assessment_relationship.py @@ -48,6 +48,7 @@ def __init__( spdx_id: str, creation_info: CreationInfo, from_element: str, + to: List[str], relationship_type: RelationshipType, name: Optional[str] = None, summary: Optional[str] = None, @@ -57,7 +58,6 @@ def __init__( external_reference: List[ExternalReference] = None, external_identifier: List[ExternalIdentifier] = None, extension: List[str] = None, - to: List[str] = None, completeness: Optional[RelationshipCompleteness] = None, start_time: Optional[datetime] = None, end_time: Optional[datetime] = None, @@ -73,5 +73,4 @@ def __init__( external_reference = [] if external_reference is None else external_reference external_identifier = [] if external_identifier is None else external_identifier extension = [] if extension is None else extension - to = [] if to is None else to check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/software/file.py b/src/spdx_tools/spdx3/new_model/software/file.py index 853d8c5e9..bde332bfb 100644 --- a/src/spdx_tools/spdx3/new_model/software/file.py +++ b/src/spdx_tools/spdx3/new_model/software/file.py @@ -28,8 +28,8 @@ class File(SoftwareArtifact): def __init__( self, spdx_id: str, + name: str, creation_info: CreationInfo, - name: Optional[str] = None, summary: Optional[str] = None, description: Optional[str] = None, comment: Optional[str] = None, diff --git a/src/spdx_tools/spdx3/new_model/software/package.py b/src/spdx_tools/spdx3/new_model/software/package.py index 96600a8bb..bbf42e9c7 100644 --- a/src/spdx_tools/spdx3/new_model/software/package.py +++ b/src/spdx_tools/spdx3/new_model/software/package.py @@ -80,8 +80,8 @@ class Package(SoftwareArtifact): def __init__( self, spdx_id: str, + name: str, creation_info: CreationInfo, - name: Optional[str] = None, summary: Optional[str] = None, description: Optional[str] = None, comment: Optional[str] = None, From b151fc27a69871d42f57b765872c81420d0b5974 Mon Sep 17 00:00:00 2001 From: Holger Frydrych Date: Thu, 27 Jul 2023 11:25:35 +0200 Subject: [PATCH 24/33] Improve format of generated code by running black and isort on the output in the code generator Signed-off-by: Holger Frydrych --- dev/gen_python_model_from_spec.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dev/gen_python_model_from_spec.py b/dev/gen_python_model_from_spec.py index 544f8b8ce..a6a95934e 100644 --- a/dev/gen_python_model_from_spec.py +++ b/dev/gen_python_model_from_spec.py @@ -148,7 +148,7 @@ def get_python_docstring(description: Optional[str], indent: int) -> str: if not description: return "" - line_length = 120 - indent + line_length = 119 - indent with MarkdownRenderer(max_line_length=line_length) as renderer: text = renderer.render(mistletoe.Document(description)) text = '\n"""\n' + text + '"""' @@ -443,6 +443,9 @@ def run(self): init_file.write(f"from . import {namespace_imports}\n") init_file.write("from .core import *\n") + os.system(f'black "{output_dir}"') + os.system(f'isort "{output_dir}"') + if __name__ == "__main__": GenPythonModelFromSpec().run() From 5e68d3ecc49cc76818ab7c36590c89e3cb9947a4 Mon Sep 17 00:00:00 2001 From: Holger Frydrych Date: Thu, 27 Jul 2023 11:42:16 +0200 Subject: [PATCH 25/33] Prevent redeclaration of existing properties during codegen Signed-off-by: Holger Frydrych --- dev/gen_python_model_from_spec.py | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/dev/gen_python_model_from_spec.py b/dev/gen_python_model_from_spec.py index a6a95934e..7422a203a 100644 --- a/dev/gen_python_model_from_spec.py +++ b/dev/gen_python_model_from_spec.py @@ -22,6 +22,7 @@ """ import json +import logging import os.path import textwrap from dataclasses import dataclass @@ -125,7 +126,7 @@ def __init__(self): def prop_name_to_python(prop_name: str): special_cases = {"from": "from_element", "homePage": "homepage"} - _, prop_name = split_qualified_name(prop_name) + prop_name = get_short_prop_name(prop_name) if prop_name in special_cases: return special_cases[prop_name] return camel_case_to_snake_case(prop_name) @@ -268,6 +269,10 @@ def _import_spdx_type(self, typename: str): namespace = f"..{namespace_name_to_python(namespace)}" self._add_import(namespace, typename) + def _find_prop(self, propname: str) -> Optional[Property]: + propname = prop_name_to_python(propname) + return next(filter(lambda p: prop_name_to_python(p.name) == propname, self.props), None) + def _collect_props(self, cls: dict, namespace: str, is_parent: bool): parent = extract_parent_type(cls, namespace) if parent: @@ -276,6 +281,9 @@ def _collect_props(self, cls: dict, namespace: str, is_parent: bool): self._collect_props(self.model[parent_namespace]["classes"][parent_class], parent_namespace, True) for propname, propinfo in cls["properties"].items(): + if self._find_prop(propname): + logging.warning("Class %s is redefining property %s from a parent class, ignoring", cls["metadata"]["name"], propname) + continue propname = get_qualified_name(propname, namespace) proptype = get_qualified_name(propinfo["type"], namespace) optional = "minCount" not in propinfo or propinfo["minCount"] == "0" @@ -295,8 +303,7 @@ def _collect_props(self, cls: dict, namespace: str, is_parent: bool): if "externalPropertyRestrictions" not in cls: return for propname, propinfo in cls["externalPropertyRestrictions"].items(): - propname = get_short_prop_name(propname) - prop = next(filter(lambda p: get_short_prop_name(p.name) == propname, self.props), None) + prop = self._find_prop(propname) if not prop: continue if "minCount" in propinfo: From c104c400c8e9632e46258b3f78d3c22eb08b34bb Mon Sep 17 00:00:00 2001 From: Holger Frydrych Date: Thu, 27 Jul 2023 14:31:49 +0200 Subject: [PATCH 26/33] Avoid unused imports in generated code Signed-off-by: Holger Frydrych --- dev/gen_python_model_from_spec.py | 28 +++++++++++++++++++--------- 1 file changed, 19 insertions(+), 9 deletions(-) diff --git a/dev/gen_python_model_from_spec.py b/dev/gen_python_model_from_spec.py index 7422a203a..385e37a35 100644 --- a/dev/gen_python_model_from_spec.py +++ b/dev/gen_python_model_from_spec.py @@ -290,15 +290,6 @@ def _collect_props(self, cls: dict, namespace: str, is_parent: bool): is_list = "maxCount" not in propinfo or propinfo["maxCount"] != "1" prop = Property(propname, proptype, optional, is_list, is_parent) self.props.append(prop) - self._import_spdx_type(proptype) - - if proptype == "Core/DictionaryEntry": - self._add_import("beartype.typing", "Dict") - self._add_import("beartype.typing", "Optional") - elif is_list: - self._add_import("beartype.typing", "List") - elif optional: - self._add_import("beartype.typing", "Optional") if "externalPropertyRestrictions" not in cls: return @@ -326,6 +317,22 @@ def _gen_imports(self) -> str: imports += CLS_IMPORTS.format(module=module, types=types) return imports + def _import_prop_type(self, prop: Property): + if prop.type in SPECIAL_PROPTYPE_MAPPINGS: + import_type, import_module = SPECIAL_PROPTYPE_MAPPINGS[prop.type] + if import_module: + self._add_import(import_module, import_type) + else: + self._import_spdx_type(prop.type) + + if prop.type == "Core/DictionaryEntry": + self._add_import("beartype.typing", "Dict") + self._add_import("beartype.typing", "Optional") + elif prop.is_list: + self._add_import("beartype.typing", "List") + elif prop.optional: + self._add_import("beartype.typing", "Optional") + def _gen_props(self) -> str: code = "" own_props = (prop for prop in self.props if not prop.inherited) @@ -334,6 +341,7 @@ def _gen_props(self) -> str: name = prop_name_to_python(prop.name) proptype = prop.get_python_type() docstring = self._get_prop_docstring(prop.name) + self._import_prop_type(prop) if prop.type == "Core/DictionaryType": default = " = field(default_factory=dict)" self._add_import("dataclasses", "field") @@ -365,8 +373,10 @@ def _gen_constructor(self) -> str: required_props = (prop for prop in self.props if not prop.optional) optional_props = (prop for prop in self.props if prop.optional) for prop in required_props: + self._import_prop_type(prop) args += CLS_INIT_ARG.format(prop_name=prop_name_to_python(prop.name), prop_type=prop.get_python_type()) for prop in optional_props: + self._import_prop_type(prop) prop_name = prop_name_to_python(prop.name) args += CLS_INIT_ARG_OPT.format(prop_name=prop_name, prop_type=prop.get_python_type()) if prop.type == "Core/DictionaryEntry": From 311ac8bc0e46230c5a74bc02054228f2f703e315 Mon Sep 17 00:00:00 2001 From: Holger Frydrych Date: Thu, 27 Jul 2023 14:39:27 +0200 Subject: [PATCH 27/33] Exclude generated code from flake8 linting (even though it's mostly fine) Signed-off-by: Holger Frydrych --- dev/gen_python_model_from_spec.py | 32 ++++++++++++++++++++++--------- 1 file changed, 23 insertions(+), 9 deletions(-) diff --git a/dev/gen_python_model_from_spec.py b/dev/gen_python_model_from_spec.py index 385e37a35..fbf752bae 100644 --- a/dev/gen_python_model_from_spec.py +++ b/dev/gen_python_model_from_spec.py @@ -38,6 +38,7 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa """ @@ -192,7 +193,7 @@ def extract_parent_type(cls: dict, namespace: str) -> Optional[str]: def get_short_prop_name(qualified_name: str) -> str: if '/' not in qualified_name: return qualified_name - return qualified_name[qualified_name.rindex('/')+1:] + return qualified_name[qualified_name.rindex('/') + 1:] @dataclass @@ -282,7 +283,8 @@ def _collect_props(self, cls: dict, namespace: str, is_parent: bool): for propname, propinfo in cls["properties"].items(): if self._find_prop(propname): - logging.warning("Class %s is redefining property %s from a parent class, ignoring", cls["metadata"]["name"], propname) + logging.warning("Class %s is redefining property %s from a parent class, ignoring", + cls["metadata"]["name"], propname) continue propname = get_qualified_name(propname, namespace) proptype = get_qualified_name(propinfo["type"], namespace) @@ -308,7 +310,9 @@ def gen_file(self): # imports should be last, as we may add additional types to import during generation imports = self._gen_imports() with open(self.file_path, "w") as output_file: - output_file.write(CLS_FILE.format(typename=self.typename, parent=self.parent_class, docstring=self.docstring, properties=properties, imports=imports, constructor=constructor)) + output_file.write( + CLS_FILE.format(typename=self.typename, parent=self.parent_class, docstring=self.docstring, + properties=properties, imports=imports, constructor=constructor)) def _gen_imports(self) -> str: imports = "" @@ -415,13 +419,21 @@ def handle_class(self, clazz: dict, namespace_name: str, model: dict): def handle_vocab(self, vocab: dict, namespace_name: str): typename = vocab["metadata"]["name"] python_typename = camel_case_to_snake_case(typename) - values_text = "\n".join([VOCAB_ENTRY.format(value=camel_case_to_snake_case(value).upper(), docstring=get_python_docstring(description, 4)) for value, description in vocab["entries"].items()]) - values_to_str_text = "\n".join([VOCAB_VALUE_TO_STR.format(python_value=camel_case_to_snake_case(value).upper(), str_value=value, typename=typename) for value in vocab["entries"]]) - str_to_values_text = "\n".join([VOCAB_STR_TO_VALUE.format(python_value=camel_case_to_snake_case(value).upper(), str_value=value, typename=typename) for value in vocab["entries"]]) + values_text = "\n".join([VOCAB_ENTRY.format(value=camel_case_to_snake_case(value).upper(), + docstring=get_python_docstring(description, 4)) for + value, description in vocab["entries"].items()]) + values_to_str_text = "\n".join([VOCAB_VALUE_TO_STR.format(python_value=camel_case_to_snake_case(value).upper(), + str_value=value, typename=typename) for value in + vocab["entries"]]) + str_to_values_text = "\n".join([VOCAB_STR_TO_VALUE.format(python_value=camel_case_to_snake_case(value).upper(), + str_value=value, typename=typename) for value in + vocab["entries"]]) docstring = get_python_docstring(vocab["description"], 4) file_path = get_file_path(typename, namespace_name) with open(file_path, "w") as output_file: - output_file.write(VOCAB_FILE.format(typename=typename, values=values_text, values_to_str=values_to_str_text, str_to_values=str_to_values_text, python_typename=python_typename, docstring=docstring)) + output_file.write(VOCAB_FILE.format(typename=typename, values=values_text, values_to_str=values_to_str_text, + str_to_values=str_to_values_text, python_typename=python_typename, + docstring=docstring)) if not namespace_name in self.init_imports: self.init_imports[namespace_name] = dict() @@ -437,7 +449,8 @@ def handle_namespace(self, namespace: dict, model: dict): self.handle_vocab(vocab, namespace_name) if namespace_name in self.init_imports: - with open(os.path.join(output_dir, namespace_name_to_python(namespace_name), "__init__.py"), "w") as init_file: + with open(os.path.join(output_dir, namespace_name_to_python(namespace_name), "__init__.py"), + "w") as init_file: init_file.write(FILE_HEADER) for module, typename in sorted(self.init_imports[namespace_name].items()): init_file.write(f"from .{module} import {typename}\n") @@ -456,7 +469,8 @@ def run(self): with open(os.path.join(output_dir, "__init__.py"), "w") as init_file: init_file.write(FILE_HEADER) - namespace_imports = ", ".join([namespace_name_to_python(namespace) for namespace in self.init_imports.keys()]) + namespace_imports = ", ".join( + [namespace_name_to_python(namespace) for namespace in self.init_imports.keys()]) init_file.write(f"from . import {namespace_imports}\n") init_file.write("from .core import *\n") From 65b79e67d77825e30b745c974979715760126794 Mon Sep 17 00:00:00 2001 From: Holger Frydrych Date: Thu, 27 Jul 2023 14:42:24 +0200 Subject: [PATCH 28/33] Update generated model files Signed-off-by: Holger Frydrych --- dev/model_dump.json | 4 +- src/spdx_tools/spdx3/new_model/__init__.py | 1 + src/spdx_tools/spdx3/new_model/ai/__init__.py | 1 + .../spdx3/new_model/ai/ai_package.py | 29 +++++++------ .../spdx3/new_model/ai/presence_type.py | 6 ++- .../ai/safety_risk_assessment_type.py | 10 +++-- .../spdx3/new_model/build/__init__.py | 1 + src/spdx_tools/spdx3/new_model/build/build.py | 22 ++++++---- .../spdx3/new_model/core/__init__.py | 1 + src/spdx_tools/spdx3/new_model/core/agent.py | 10 +++-- .../spdx3/new_model/core/annotation.py | 10 +++-- .../spdx3/new_model/core/annotation_type.py | 6 ++- .../spdx3/new_model/core/artifact.py | 16 +++++--- src/spdx_tools/spdx3/new_model/core/bom.py | 6 ++- src/spdx_tools/spdx3/new_model/core/bundle.py | 7 +++- .../spdx3/new_model/core/creation_info.py | 32 ++++++++------- .../spdx3/new_model/core/element.py | 16 +++++--- .../new_model/core/element_collection.py | 8 +++- .../new_model/core/external_identifier.py | 14 ++++--- .../core/external_identifier_type.py | 14 ++++--- .../spdx3/new_model/core/external_map.py | 10 +++-- .../new_model/core/external_reference.py | 10 +++-- .../new_model/core/external_reference_type.py | 10 +++-- src/spdx_tools/spdx3/new_model/core/hash.py | 7 +++- .../spdx3/new_model/core/hash_algorithm.py | 9 ++-- .../spdx3/new_model/core/integrity_method.py | 3 ++ .../new_model/core/lifecycle_scope_type.py | 6 ++- .../core/lifecycle_scoped_relationship.py | 19 +++++++-- .../spdx3/new_model/core/organization.py | 6 ++- src/spdx_tools/spdx3/new_model/core/person.py | 6 ++- .../new_model/core/positive_integer_range.py | 4 +- .../new_model/core/profile_identifier_type.py | 6 ++- .../spdx3/new_model/core/relationship.py | 18 ++++++-- .../core/relationship_completeness.py | 6 ++- .../spdx3/new_model/core/relationship_type.py | 14 ++++--- .../spdx3/new_model/core/software_agent.py | 6 ++- .../spdx3/new_model/core/spdx_document.py | 12 ++---- src/spdx_tools/spdx3/new_model/core/tool.py | 6 ++- .../spdx3/new_model/dataset/__init__.py | 1 + .../dataset/confidentiality_level_type.py | 9 ++-- .../spdx3/new_model/dataset/dataset.py | 20 +++++---- .../dataset/dataset_availability_type.py | 10 +++-- .../spdx3/new_model/dataset/dataset_type.py | 10 +++-- .../new_model/expanded_license/__init__.py | 1 + .../conjunctive_license_set.py | 16 +++++--- .../disjunctive_license_set.py | 12 ++++-- .../expanded_license/extendable_license.py | 6 +-- .../spdx3/new_model/licensing/__init__.py | 1 + .../new_model/licensing/any_license_info.py | 5 ++- .../new_model/licensing/custom_license.py | 6 ++- .../licensing/custom_license_addition.py | 8 ++-- .../spdx3/new_model/licensing/license.py | 18 ++++---- .../new_model/licensing/license_addition.py | 27 +++++++----- .../new_model/licensing/license_expression.py | 41 ++++++++++--------- .../new_model/licensing/listed_license.py | 7 +++- .../licensing/listed_license_exception.py | 9 ++-- .../new_model/licensing/or_later_operator.py | 6 ++- .../licensing/with_addition_operator.py | 9 ++-- .../spdx3/new_model/security/__init__.py | 1 + .../cvss_v2_vuln_assessment_relationship.py | 27 ++++++++---- .../cvss_v3_vuln_assessment_relationship.py | 27 ++++++++---- .../epss_vuln_assessment_relationship.py | 23 ++++++++--- .../security/exploit_catalog_type.py | 6 ++- ...it_catalog_vuln_assessment_relationship.py | 22 +++++++--- .../new_model/security/ssvc_decision_type.py | 14 ++++--- .../ssvc_vuln_assessment_relationship.py | 22 +++++++--- ...x_affected_vuln_assessment_relationship.py | 25 +++++++---- .../vex_fixed_vuln_assessment_relationship.py | 18 ++++++-- .../security/vex_justification_type.py | 6 ++- ...t_affected_vuln_assessment_relationship.py | 26 ++++++++---- ...estigation_vuln_assessment_relationship.py | 18 ++++++-- .../vex_vuln_assessment_relationship.py | 14 ++++--- .../security/vuln_assessment_relationship.py | 12 ++++-- .../spdx3/new_model/security/vulnerability.py | 16 +++++--- .../spdx3/new_model/software/__init__.py | 1 + .../dependency_conditionality_type.py | 6 ++- .../spdx3/new_model/software/file.py | 14 ++++--- .../spdx3/new_model/software/package.py | 28 +++++++------ .../spdx3/new_model/software/sbom.py | 22 ++++++---- .../spdx3/new_model/software/sbom_type.py | 10 +++-- .../spdx3/new_model/software/snippet.py | 14 ++++--- .../new_model/software/software_artifact.py | 40 ++++++++++-------- .../software/software_dependency_link_type.py | 6 ++- .../software_dependency_relationship.py | 21 ++++++++-- .../new_model/software/software_purpose.py | 12 +++--- 85 files changed, 683 insertions(+), 362 deletions(-) diff --git a/dev/model_dump.json b/dev/model_dump.json index 5e57b99c1..fb17d2231 100644 --- a/dev/model_dump.json +++ b/dev/model_dump.json @@ -1811,7 +1811,7 @@ "maxCount": "*" }, "sensitivePersonalInformation": { - "type": "PresenceType", + "type": "/AI/PresenceType", "minCount": "0", "maxCount": "1" }, @@ -4438,4 +4438,4 @@ } } } -} \ No newline at end of file +} diff --git a/src/spdx_tools/spdx3/new_model/__init__.py b/src/spdx_tools/spdx3/new_model/__init__.py index 8784e760a..e8f012752 100644 --- a/src/spdx_tools/spdx3/new_model/__init__.py +++ b/src/spdx_tools/spdx3/new_model/__init__.py @@ -2,6 +2,7 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa from . import expanded_license, core, dataset, licensing, ai, security, build, software from .core import * diff --git a/src/spdx_tools/spdx3/new_model/ai/__init__.py b/src/spdx_tools/spdx3/new_model/ai/__init__.py index b7ffdec03..4523b3670 100644 --- a/src/spdx_tools/spdx3/new_model/ai/__init__.py +++ b/src/spdx_tools/spdx3/new_model/ai/__init__.py @@ -2,6 +2,7 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa from .a_ipackage import AIPackage from .presence_type import PresenceType diff --git a/src/spdx_tools/spdx3/new_model/ai/ai_package.py b/src/spdx_tools/spdx3/new_model/ai/ai_package.py index 777ff732c..cb55c0988 100644 --- a/src/spdx_tools/spdx3/new_model/ai/ai_package.py +++ b/src/spdx_tools/spdx3/new_model/ai/ai_package.py @@ -2,17 +2,20 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from ..ai import PresenceType, SafetyRiskAssessmentType -from ..core import Agent, CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod -from ..licensing import AnyLicenseInfo -from ..software import Package, SoftwarePurpose -from beartype.typing import Dict, List, Optional from dataclasses import field from datetime import datetime -from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from beartype.typing import Dict, List, Optional from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..ai import PresenceType, SafetyRiskAssessmentType +from ..core import CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod +from ..licensing import AnyLicenseInfo +from ..software import Package, SoftwarePurpose @dataclass_with_properties @@ -24,6 +27,7 @@ class AIPackage(Package): minCount: 1 External property restriction on /Software/SoftwareArtifact/primaryPurpose: minCount: 1 External property restriction on /Core/Artifact/releaseTime: minCount: 1 """ + energy_consumption: Optional[str] = None """ EnergyConsumption captures the amount of energy needed to train and operate the AI model. This value is also known @@ -59,8 +63,8 @@ class AIPackage(Package): hyperparameter: Dict[str, Optional[str]] = field(default_factory=list) """ This field records a hyperparameter value. Hyperparameters are parameters of the machine learning model that are - used to control the learning process, for example the optimization and learning rate used during the training of the - model. + used to control the learning process, for example the optimization and learning rate used during the training of + the model. """ model_data_preprocessing: List[str] = field(default_factory=list) """ @@ -79,9 +83,9 @@ class AIPackage(Package): """ metric_decision_threshold: Dict[str, Optional[str]] = field(default_factory=list) """ - Each metric might be computed based on a decision threshold. For instance, precision or recall is typically computed - by checking if the probability of the outcome is larger than 0.5. Each decision threshold should match with a metric - field defined in the AI Package. + Each metric might be computed based on a decision threshold. For instance, precision or recall is typically + computed by checking if the probability of the outcome is larger than 0.5. Each decision threshold should match + with a metric field defined in the AI Package. """ metric: Dict[str, Optional[str]] = field(default_factory=list) """ @@ -102,7 +106,8 @@ class AIPackage(Package): safety_risk_assessment: Optional[SafetyRiskAssessmentType] = None """ SafetyRiskAssessment categorizes the safety risk impact of the AI software in accordance with Article 20 of [EC - Regulation No 765/2008](https://ec.europa.eu/docsroom/documents/17107/attachments/1/translations/en/renditions/pdf). + Regulation No + 765/2008](https://ec.europa.eu/docsroom/documents/17107/attachments/1/translations/en/renditions/pdf). """ def __init__( diff --git a/src/spdx_tools/spdx3/new_model/ai/presence_type.py b/src/spdx_tools/spdx3/new_model/ai/presence_type.py index 99f97ffcb..c6fdb33ac 100644 --- a/src/spdx_tools/spdx3/new_model/ai/presence_type.py +++ b/src/spdx_tools/spdx3/new_model/ai/presence_type.py @@ -2,10 +2,12 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from beartype.typing import Optional from enum import Enum, auto +from beartype.typing import Optional + class PresenceType(Enum): """ @@ -35,7 +37,7 @@ def __str__(self) -> str: return "unknown" @staticmethod - def from_str(value: str) -> Optional['PresenceType']: + def from_str(value: str) -> Optional["PresenceType"]: if value == "yes": return PresenceType.YES if value == "no": diff --git a/src/spdx_tools/spdx3/new_model/ai/safety_risk_assessment_type.py b/src/spdx_tools/spdx3/new_model/ai/safety_risk_assessment_type.py index 348ec7c0f..7073c4bc0 100644 --- a/src/spdx_tools/spdx3/new_model/ai/safety_risk_assessment_type.py +++ b/src/spdx_tools/spdx3/new_model/ai/safety_risk_assessment_type.py @@ -2,15 +2,17 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from beartype.typing import Optional from enum import Enum, auto +from beartype.typing import Optional + class SafetyRiskAssessmentType(Enum): """ - Lists the different safety risk type values that can be used to describe the safety risk of AI software according to - [Article 20 of Regulation + Lists the different safety risk type values that can be used to describe the safety risk of AI software according + to [Article 20 of Regulation 765/2008/EC](https://ec.europa.eu/docsroom/documents/17107/attachments/1/translations/en/renditions/pdf). """ @@ -43,7 +45,7 @@ def __str__(self) -> str: return "unknown" @staticmethod - def from_str(value: str) -> Optional['SafetyRiskAssessmentType']: + def from_str(value: str) -> Optional["SafetyRiskAssessmentType"]: if value == "serious": return SafetyRiskAssessmentType.SERIOUS if value == "high": diff --git a/src/spdx_tools/spdx3/new_model/build/__init__.py b/src/spdx_tools/spdx3/new_model/build/__init__.py index 54564cf9f..71778e5e3 100644 --- a/src/spdx_tools/spdx3/new_model/build/__init__.py +++ b/src/spdx_tools/spdx3/new_model/build/__init__.py @@ -2,5 +2,6 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa from .build import Build diff --git a/src/spdx_tools/spdx3/new_model/build/build.py b/src/spdx_tools/spdx3/new_model/build/build.py index c51f38b47..7bfd077b2 100644 --- a/src/spdx_tools/spdx3/new_model/build/build.py +++ b/src/spdx_tools/spdx3/new_model/build/build.py @@ -2,14 +2,17 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from ..core import CreationInfo, Element, ExternalIdentifier, ExternalReference, Hash, IntegrityMethod -from beartype.typing import Dict, List, Optional from dataclasses import field from datetime import datetime -from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from beartype.typing import Dict, List, Optional from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core import CreationInfo, Element, ExternalIdentifier, ExternalReference, Hash, IntegrityMethod @dataclass_with_properties @@ -75,9 +78,9 @@ class Build(Element): """ parameters: Dict[str, Optional[str]] = field(default_factory=list) """ - parameters is a key-value map of all build parameters and their values that were provided to the builder for a build - instance. This is different from the [environment](environment.md) property in that the keys and values are provided - as command line arguments or a configuration file to the builder. + parameters is a key-value map of all build parameters and their values that were provided to the builder for a + build instance. This is different from the [environment](environment.md) property in that the keys and values are + provided as command line arguments or a configuration file to the builder. """ build_start_time: Optional[datetime] = None """ @@ -85,12 +88,13 @@ class Build(Element): """ build_end_time: Optional[datetime] = None """ - buildEndTime describes the time at which a build stops or finishes. This value is typically recorded by the builder. + buildEndTime describes the time at which a build stops or finishes. This value is typically recorded by the + builder. """ environment: Dict[str, Optional[str]] = field(default_factory=list) """ - environment is a map of environment variables and values that are set during a build session. This is different from - the [parameters](parameters.md) property in that it describes the environment variables set before a build is + environment is a map of environment variables and values that are set during a build session. This is different + from the [parameters](parameters.md) property in that it describes the environment variables set before a build is invoked rather than the variables provided to the builder. """ diff --git a/src/spdx_tools/spdx3/new_model/core/__init__.py b/src/spdx_tools/spdx3/new_model/core/__init__.py index 00d33021f..ccb03b42c 100644 --- a/src/spdx_tools/spdx3/new_model/core/__init__.py +++ b/src/spdx_tools/spdx3/new_model/core/__init__.py @@ -2,6 +2,7 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa from .agent import Agent from .annotation import Annotation diff --git a/src/spdx_tools/spdx3/new_model/core/agent.py b/src/spdx_tools/spdx3/new_model/core/agent.py index 877dea01c..92913a852 100644 --- a/src/spdx_tools/spdx3/new_model/core/agent.py +++ b/src/spdx_tools/spdx3/new_model/core/agent.py @@ -2,19 +2,21 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from ..core import CreationInfo, Element, ExternalIdentifier, ExternalReference, IntegrityMethod from beartype.typing import List, Optional -from spdx_tools.common.typing.type_checks import check_types_and_set_values from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core import CreationInfo, Element, ExternalIdentifier, ExternalReference, IntegrityMethod @dataclass_with_properties class Agent(Element): """ - The Agent class represents anything that has the potential to act on a system. This could be a person, organization, - software agent, etc. This is not to be confused with tools that are used to perform tasks. + The Agent class represents anything that has the potential to act on a system. This could be a person, + organization, software agent, etc. This is not to be confused with tools that are used to perform tasks. """ def __init__( diff --git a/src/spdx_tools/spdx3/new_model/core/annotation.py b/src/spdx_tools/spdx3/new_model/core/annotation.py index 1fb307c75..14d9ede9a 100644 --- a/src/spdx_tools/spdx3/new_model/core/annotation.py +++ b/src/spdx_tools/spdx3/new_model/core/annotation.py @@ -2,13 +2,16 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from ..core import AnnotationType, CreationInfo, Element, ExternalIdentifier, ExternalReference, IntegrityMethod -from beartype.typing import List, Optional from dataclasses import field -from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from beartype.typing import List, Optional from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core import AnnotationType, CreationInfo, Element, ExternalIdentifier, ExternalReference, IntegrityMethod @dataclass_with_properties @@ -16,6 +19,7 @@ class Annotation(Element): """ An Annotation is an assertion made in relation to one or more elements. """ + annotation_type: AnnotationType """ An annotationType describes the type of an annotation. diff --git a/src/spdx_tools/spdx3/new_model/core/annotation_type.py b/src/spdx_tools/spdx3/new_model/core/annotation_type.py index a36e7dae4..d93324a09 100644 --- a/src/spdx_tools/spdx3/new_model/core/annotation_type.py +++ b/src/spdx_tools/spdx3/new_model/core/annotation_type.py @@ -2,10 +2,12 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from beartype.typing import Optional from enum import Enum, auto +from beartype.typing import Optional + class AnnotationType(Enum): """ @@ -30,7 +32,7 @@ def __str__(self) -> str: return "unknown" @staticmethod - def from_str(value: str) -> Optional['AnnotationType']: + def from_str(value: str) -> Optional["AnnotationType"]: if value == "other": return AnnotationType.OTHER if value == "review": diff --git a/src/spdx_tools/spdx3/new_model/core/artifact.py b/src/spdx_tools/spdx3/new_model/core/artifact.py index 197eb3f4f..83a810e13 100644 --- a/src/spdx_tools/spdx3/new_model/core/artifact.py +++ b/src/spdx_tools/spdx3/new_model/core/artifact.py @@ -2,30 +2,34 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from ..core import Agent, CreationInfo, Element, ExternalIdentifier, ExternalReference, IntegrityMethod from abc import abstractmethod -from beartype.typing import List, Optional from dataclasses import field from datetime import datetime +from beartype.typing import List, Optional + from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from ..core import Element + @dataclass_with_properties class Artifact(Element): """ - An artifact is a distinct article or unit within the digital domain, such as an electronic file, a software package, - a device or an element of data. + An artifact is a distinct article or unit within the digital domain, such as an electronic file, a software + package, a device or an element of data. """ + originated_by: List[str] = field(default_factory=list) """ OriginatedBy identifies from where or whom the Element originally came. """ supplied_by: List[str] = field(default_factory=list) """ - Identify the actual distribution source for the Artifact being referenced. This might or might not be different from - the originating distribution source for the artifact. + Identify the actual distribution source for the Artifact being referenced. This might or might not be different + from the originating distribution source for the artifact. """ built_time: Optional[datetime] = None """ diff --git a/src/spdx_tools/spdx3/new_model/core/bom.py b/src/spdx_tools/spdx3/new_model/core/bom.py index 976b4c7ef..bcfc6bec1 100644 --- a/src/spdx_tools/spdx3/new_model/core/bom.py +++ b/src/spdx_tools/spdx3/new_model/core/bom.py @@ -2,12 +2,14 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from ..core import Bundle, CreationInfo, Element, ExternalIdentifier, ExternalMap, ExternalReference, IntegrityMethod from beartype.typing import List, Optional -from spdx_tools.common.typing.type_checks import check_types_and_set_values from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core import Bundle, CreationInfo, ExternalIdentifier, ExternalMap, ExternalReference, IntegrityMethod @dataclass_with_properties diff --git a/src/spdx_tools/spdx3/new_model/core/bundle.py b/src/spdx_tools/spdx3/new_model/core/bundle.py index d2e68c087..5eae176c6 100644 --- a/src/spdx_tools/spdx3/new_model/core/bundle.py +++ b/src/spdx_tools/spdx3/new_model/core/bundle.py @@ -2,12 +2,14 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from ..core import CreationInfo, Element, ElementCollection, ExternalIdentifier, ExternalMap, ExternalReference, IntegrityMethod from beartype.typing import List, Optional -from spdx_tools.common.typing.type_checks import check_types_and_set_values from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core import CreationInfo, ElementCollection, ExternalIdentifier, ExternalMap, ExternalReference, IntegrityMethod @dataclass_with_properties @@ -15,6 +17,7 @@ class Bundle(ElementCollection): """ A bundle is a collection of Elements that have a shared context. """ + context: Optional[str] = None """ A context gives information about the circumstances or unifying properties that Elements of the bundle have been diff --git a/src/spdx_tools/spdx3/new_model/core/creation_info.py b/src/spdx_tools/spdx3/new_model/core/creation_info.py index 8f65ba542..742e5bb0b 100644 --- a/src/spdx_tools/spdx3/new_model/core/creation_info.py +++ b/src/spdx_tools/spdx3/new_model/core/creation_info.py @@ -2,16 +2,19 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from ..core import Agent, ProfileIdentifierType, Tool from abc import ABC -from beartype.typing import List, Optional from dataclasses import field from datetime import datetime + +from beartype.typing import List, Optional from semantic_version import Version -from spdx_tools.common.typing.type_checks import check_types_and_set_values from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core import ProfileIdentifierType, Tool @dataclass_with_properties @@ -19,15 +22,16 @@ class CreationInfo(ABC): """ The CreationInfo provides information about who created the Element, and when and how it was created. - The dateTime created is often the date of last change (e.g., a git commit date), not the date when the SPDX data was - created, as doing so supports reproducible builds. + The dateTime created is often the date of last change (e.g., a git commit date), not the date when the SPDX data + was created, as doing so supports reproducible builds. """ + spec_version: Version """ - The specVersion provides a reference number that can be used to understand how to parse and interpret an Element. It - will enable both future changes to the specification and to support backward compatibility. The major version number - shall be incremented when incompatible changes between versions are made (one or more sections are created, modified - or deleted). The minor version number shall be incremented when backwards compatible changes are made. + The specVersion provides a reference number that can be used to understand how to parse and interpret an Element. + It will enable both future changes to the specification and to support backward compatibility. The major version + number shall be incremented when incompatible changes between versions are made (one or more sections are created, + modified or deleted). The minor version number shall be incremented when backwards compatible changes are made. Here, parties exchanging information in accordance with the SPDX specification need to provide 100% transparency as to which SPDX specification version such information is conforming to. @@ -39,14 +43,14 @@ class CreationInfo(ABC): """ created: Optional[datetime] = None """ - Created is a date that identifies when the Element was originally created. The time stamp can serve as an indication - as to whether the analysis needs to be updated. This is often the date of last change (e.g., a git commit date), not - the date when the SPDX data was created, as doing so supports reproducible builds. + Created is a date that identifies when the Element was originally created. The time stamp can serve as an + indication as to whether the analysis needs to be updated. This is often the date of last change (e.g., a git + commit date), not the date when the SPDX data was created, as doing so supports reproducible builds. """ created_by: List[str] = field(default_factory=list) """ - CreatedBy identifies who or what created the Element. The generation method will assist the recipient of the Element - in assessing the general reliability/accuracy of the analysis information. + CreatedBy identifies who or what created the Element. The generation method will assist the recipient of the + Element in assessing the general reliability/accuracy of the analysis information. """ created_using: List[Tool] = field(default_factory=list) """ diff --git a/src/spdx_tools/spdx3/new_model/core/element.py b/src/spdx_tools/spdx3/new_model/core/element.py index caafce8ed..75fe82083 100644 --- a/src/spdx_tools/spdx3/new_model/core/element.py +++ b/src/spdx_tools/spdx3/new_model/core/element.py @@ -2,14 +2,17 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from ..core import CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod from abc import ABC, abstractmethod -from beartype.typing import List, Optional from dataclasses import field +from beartype.typing import List, Optional + from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from ..core import CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod + @dataclass_with_properties class Element(ABC): @@ -19,6 +22,7 @@ class Element(ABC): relationships. Within SPDX-3.0 structure this is the base class acting as a consistent, unifying, and interoperable foundation for all explicit and inter-relatable content objects. """ + spdx_id: str """ SpdxId uniquely identifies an Element which may thereby be referenced by other Elements. These references may be @@ -37,10 +41,10 @@ class Element(ABC): """ description: Optional[str] = None """ - This field is a detailed description of the Element. It may also be extracted from the Element itself. The intent is - to provide recipients of the SPDX file with a detailed technical explanation of the functionality, anticipated use, - and anticipated implementation of the Element. This field may also include a description of improvements over prior - versions of the Element. + This field is a detailed description of the Element. It may also be extracted from the Element itself. The intent + is to provide recipients of the SPDX file with a detailed technical explanation of the functionality, anticipated + use, and anticipated implementation of the Element. This field may also include a description of improvements over + prior versions of the Element. """ comment: Optional[str] = None """ diff --git a/src/spdx_tools/spdx3/new_model/core/element_collection.py b/src/spdx_tools/spdx3/new_model/core/element_collection.py index fd272c107..719e2da51 100644 --- a/src/spdx_tools/spdx3/new_model/core/element_collection.py +++ b/src/spdx_tools/spdx3/new_model/core/element_collection.py @@ -2,20 +2,24 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from ..core import CreationInfo, Element, ExternalIdentifier, ExternalMap, ExternalReference, IntegrityMethod from abc import abstractmethod -from beartype.typing import List, Optional from dataclasses import field +from beartype.typing import List + from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from ..core import Element, ExternalMap + @dataclass_with_properties class ElementCollection(Element): """ An SpdxCollection is a collection of Elements, not necessarily with unifying context. """ + element: List[str] = field(default_factory=list) """ This field refers to one or more Elements that are part of an ElementCollection. diff --git a/src/spdx_tools/spdx3/new_model/core/external_identifier.py b/src/spdx_tools/spdx3/new_model/core/external_identifier.py index d5bd1c251..9523994c1 100644 --- a/src/spdx_tools/spdx3/new_model/core/external_identifier.py +++ b/src/spdx_tools/spdx3/new_model/core/external_identifier.py @@ -2,22 +2,26 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from ..core import ExternalIdentifierType from abc import ABC -from beartype.typing import List, Optional from dataclasses import field -from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from beartype.typing import List, Optional from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core import ExternalIdentifierType @dataclass_with_properties class ExternalIdentifier(ABC): """ - An ExternalIdentifier is a reference to a resource outside the scope of SPDX-3.0 content that uniquely identifies an - Element. + An ExternalIdentifier is a reference to a resource outside the scope of SPDX-3.0 content that uniquely identifies + an Element. """ + external_identifier_type: ExternalIdentifierType """ An externalIdentifierType specifies the type of the external identifier. diff --git a/src/spdx_tools/spdx3/new_model/core/external_identifier_type.py b/src/spdx_tools/spdx3/new_model/core/external_identifier_type.py index 4602e3149..a39ce2d41 100644 --- a/src/spdx_tools/spdx3/new_model/core/external_identifier_type.py +++ b/src/spdx_tools/spdx3/new_model/core/external_identifier_type.py @@ -2,10 +2,12 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from beartype.typing import Optional from enum import Enum, auto +from beartype.typing import Optional + class ExternalIdentifierType(Enum): """ @@ -32,15 +34,15 @@ class ExternalIdentifierType(Enum): GITOID = auto() """ https://www.iana.org/assignments/uri-schemes/prov/gitoid Gitoid stands for [Git Object - ID](https://git-scm.com/book/en/v2/Git-Internals-Git-Objects) and a gitoid of type blob is a unique hash of a binary - artifact. A gitoid may represent the software [Artifact + ID](https://git-scm.com/book/en/v2/Git-Internals-Git-Objects) and a gitoid of type blob is a unique hash of a + binary artifact. A gitoid may represent the software [Artifact ID](https://github.com/omnibor/spec/blob/main/spec/SPEC.md#artifact-id) or the [OmniBOR Identifier](https://github.com/omnibor/spec/blob/main/spec/SPEC.md#omnibor-identifier) for the software artifact's associated [OmniBOR Document](https://github.com/omnibor/spec/blob/main/spec/SPEC.md#omnibor-document); this ambiguity exists because the OmniBOR Document is itself an artifact, and the gitoid of that artifact is its valid identifier. Omnibor is a minimalistic schema to describe software [Artifact Dependency - Graphs](https://github.com/omnibor/spec/blob/main/spec/SPEC.md#artifact-dependency-graph-adg). Gitoids calculated on - software artifacts (Snippet, File, or Package Elements) should be recorded in the SPDX 3.0 SoftwareArtifact's + Graphs](https://github.com/omnibor/spec/blob/main/spec/SPEC.md#artifact-dependency-graph-adg). Gitoids calculated + on software artifacts (Snippet, File, or Package Elements) should be recorded in the SPDX 3.0 SoftwareArtifact's ContentIdentifier property. Gitoids calculated on the OmniBOR Document (OmniBOR Identifiers) should be recorded in the SPDX 3.0 Element's ExternalIdentifier property. """ @@ -95,7 +97,7 @@ def __str__(self) -> str: return "unknown" @staticmethod - def from_str(value: str) -> Optional['ExternalIdentifierType']: + def from_str(value: str) -> Optional["ExternalIdentifierType"]: if value == "cpe22": return ExternalIdentifierType.CPE22 if value == "cpe23": diff --git a/src/spdx_tools/spdx3/new_model/core/external_map.py b/src/spdx_tools/spdx3/new_model/core/external_map.py index 933249127..385b73b7d 100644 --- a/src/spdx_tools/spdx3/new_model/core/external_map.py +++ b/src/spdx_tools/spdx3/new_model/core/external_map.py @@ -2,14 +2,17 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from ..core import IntegrityMethod from abc import ABC -from beartype.typing import List, Optional from dataclasses import field -from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from beartype.typing import List, Optional from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core import IntegrityMethod @dataclass_with_properties @@ -19,6 +22,7 @@ class ExternalMap(ABC): Document. The external map provides details about the externally-defined Element such as its provenance, where to retrieve it, and how to verify its integrity. """ + external_id: str """ ExternalId identifies an external Element used within a Document but defined external to that Document. diff --git a/src/spdx_tools/spdx3/new_model/core/external_reference.py b/src/spdx_tools/spdx3/new_model/core/external_reference.py index fbd718a79..9da2528f5 100644 --- a/src/spdx_tools/spdx3/new_model/core/external_reference.py +++ b/src/spdx_tools/spdx3/new_model/core/external_reference.py @@ -2,14 +2,17 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from ..core import ExternalReferenceType from abc import ABC -from beartype.typing import List, Optional from dataclasses import field -from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from beartype.typing import List, Optional from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core import ExternalReferenceType @dataclass_with_properties @@ -18,6 +21,7 @@ class ExternalReference(ABC): An External Reference points to a resource outside the scope of the SPDX-3.0 content that provides additional characteristics of an Element. """ + external_reference_type: Optional[ExternalReferenceType] = None """ An externalReferenceType specifies the type of the external reference. diff --git a/src/spdx_tools/spdx3/new_model/core/external_reference_type.py b/src/spdx_tools/spdx3/new_model/core/external_reference_type.py index 7ac6491e7..e96545cd0 100644 --- a/src/spdx_tools/spdx3/new_model/core/external_reference_type.py +++ b/src/spdx_tools/spdx3/new_model/core/external_reference_type.py @@ -2,10 +2,12 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from beartype.typing import Optional from enum import Enum, auto +from beartype.typing import Optional + class ExternalReferenceType(Enum): """ @@ -115,8 +117,8 @@ class ExternalReferenceType(Enum): SECURE_SOFTWARE_ATTESTATION = auto() """ A reference to information assuring that the software is developed using security practices as defined by [NIST SP - 800-218 Secure Software Development Framework (SSDF)](https://csrc.nist.gov/publications/detail/sp/800-218/final) or - [CISA Secure Software Development Attestation + 800-218 Secure Software Development Framework (SSDF)](https://csrc.nist.gov/publications/detail/sp/800-218/final) + or [CISA Secure Software Development Attestation Form](https://www.cisa.gov/sites/default/files/2023-04/secure-software-self-attestation_common-form_508.pdf). """ SECURITY_ADVISORY = auto() @@ -272,7 +274,7 @@ def __str__(self) -> str: return "unknown" @staticmethod - def from_str(value: str) -> Optional['ExternalReferenceType']: + def from_str(value: str) -> Optional["ExternalReferenceType"]: if value == "altDownloadLocation": return ExternalReferenceType.ALT_DOWNLOAD_LOCATION if value == "altWebPage": diff --git a/src/spdx_tools/spdx3/new_model/core/hash.py b/src/spdx_tools/spdx3/new_model/core/hash.py index 4e639b79c..8b0e63b60 100644 --- a/src/spdx_tools/spdx3/new_model/core/hash.py +++ b/src/spdx_tools/spdx3/new_model/core/hash.py @@ -2,12 +2,14 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from ..core import HashAlgorithm, IntegrityMethod from beartype.typing import Optional -from spdx_tools.common.typing.type_checks import check_types_and_set_values from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core import HashAlgorithm, IntegrityMethod @dataclass_with_properties @@ -17,6 +19,7 @@ class Hash(IntegrityMethod): arbitrary size to a bit string (the hash) and is a one-way function, that is, a function which is practically infeasible to invert. This is commonly used for integrity checking of data. """ + algorithm: HashAlgorithm """ An algorithm specifies the algorithm that was used for calculating the hash value. diff --git a/src/spdx_tools/spdx3/new_model/core/hash_algorithm.py b/src/spdx_tools/spdx3/new_model/core/hash_algorithm.py index b6354c835..611ab3e09 100644 --- a/src/spdx_tools/spdx3/new_model/core/hash_algorithm.py +++ b/src/spdx_tools/spdx3/new_model/core/hash_algorithm.py @@ -2,10 +2,12 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from beartype.typing import Optional from enum import Enum, auto +from beartype.typing import Optional + class HashAlgorithm(Enum): """ @@ -67,7 +69,8 @@ class HashAlgorithm(Enum): """ SHA224 = auto() """ - secure hashing algorithm with a digest length of 224 https://datatracker.ietf.org/doc/html/draft-ietf-pkix-sha224-01 + secure hashing algorithm with a digest length of 224 + https://datatracker.ietf.org/doc/html/draft-ietf-pkix-sha224-01 """ SHA256 = auto() """ @@ -162,7 +165,7 @@ def __str__(self) -> str: return "unknown" @staticmethod - def from_str(value: str) -> Optional['HashAlgorithm']: + def from_str(value: str) -> Optional["HashAlgorithm"]: if value == "blake2b256": return HashAlgorithm.BLAKE2B256 if value == "blake2b384": diff --git a/src/spdx_tools/spdx3/new_model/core/integrity_method.py b/src/spdx_tools/spdx3/new_model/core/integrity_method.py index 066950839..c0dcca0ea 100644 --- a/src/spdx_tools/spdx3/new_model/core/integrity_method.py +++ b/src/spdx_tools/spdx3/new_model/core/integrity_method.py @@ -2,8 +2,10 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa from abc import ABC, abstractmethod + from beartype.typing import Optional from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties @@ -17,6 +19,7 @@ class IntegrityMethod(ABC): the original Element has been changed and eliminates confusion over which version or modification of a specific Element is referenced. """ + comment: Optional[str] = None """ A comment is an optional field for creators of the Element to provide comments to the readers/reviewers of the diff --git a/src/spdx_tools/spdx3/new_model/core/lifecycle_scope_type.py b/src/spdx_tools/spdx3/new_model/core/lifecycle_scope_type.py index be88f89a2..9325e1aff 100644 --- a/src/spdx_tools/spdx3/new_model/core/lifecycle_scope_type.py +++ b/src/spdx_tools/spdx3/new_model/core/lifecycle_scope_type.py @@ -2,10 +2,12 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from beartype.typing import Optional from enum import Enum, auto +from beartype.typing import Optional + class LifecycleScopeType(Enum): """ @@ -53,7 +55,7 @@ def __str__(self) -> str: return "unknown" @staticmethod - def from_str(value: str) -> Optional['LifecycleScopeType']: + def from_str(value: str) -> Optional["LifecycleScopeType"]: if value == "design": return LifecycleScopeType.DESIGN if value == "build": diff --git a/src/spdx_tools/spdx3/new_model/core/lifecycle_scoped_relationship.py b/src/spdx_tools/spdx3/new_model/core/lifecycle_scoped_relationship.py index 034f0eda8..d7168c48a 100644 --- a/src/spdx_tools/spdx3/new_model/core/lifecycle_scoped_relationship.py +++ b/src/spdx_tools/spdx3/new_model/core/lifecycle_scoped_relationship.py @@ -2,13 +2,25 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from ..core import CreationInfo, Element, ExternalIdentifier, ExternalReference, IntegrityMethod, LifecycleScopeType, Relationship, RelationshipCompleteness, RelationshipType -from beartype.typing import List, Optional from datetime import datetime -from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from beartype.typing import List, Optional from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core import ( + CreationInfo, + ExternalIdentifier, + ExternalReference, + IntegrityMethod, + LifecycleScopeType, + Relationship, + RelationshipCompleteness, + RelationshipType, +) @dataclass_with_properties @@ -16,6 +28,7 @@ class LifecycleScopedRelationship(Relationship): """ TODO """ + scope: Optional[LifecycleScopeType] = None """ A scope is TODO diff --git a/src/spdx_tools/spdx3/new_model/core/organization.py b/src/spdx_tools/spdx3/new_model/core/organization.py index 64f9d90ac..f66fd1cab 100644 --- a/src/spdx_tools/spdx3/new_model/core/organization.py +++ b/src/spdx_tools/spdx3/new_model/core/organization.py @@ -2,12 +2,14 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from ..core import Agent, CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod from beartype.typing import List, Optional -from spdx_tools.common.typing.type_checks import check_types_and_set_values from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core import Agent, CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod @dataclass_with_properties diff --git a/src/spdx_tools/spdx3/new_model/core/person.py b/src/spdx_tools/spdx3/new_model/core/person.py index dd7af2710..6c6bf339c 100644 --- a/src/spdx_tools/spdx3/new_model/core/person.py +++ b/src/spdx_tools/spdx3/new_model/core/person.py @@ -2,12 +2,14 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from ..core import Agent, CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod from beartype.typing import List, Optional -from spdx_tools.common.typing.type_checks import check_types_and_set_values from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core import Agent, CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod @dataclass_with_properties diff --git a/src/spdx_tools/spdx3/new_model/core/positive_integer_range.py b/src/spdx_tools/spdx3/new_model/core/positive_integer_range.py index 38c301efa..11e82eba4 100644 --- a/src/spdx_tools/spdx3/new_model/core/positive_integer_range.py +++ b/src/spdx_tools/spdx3/new_model/core/positive_integer_range.py @@ -2,11 +2,12 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa from abc import ABC -from spdx_tools.common.typing.type_checks import check_types_and_set_values from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values @dataclass_with_properties @@ -15,6 +16,7 @@ class PositiveIntegerRange(ABC): PositiveIntegerRange is a tuple of two positive integers that define a range. "begin" must be less than or equal to "end". """ + begin: int """ begin is a positive integer that defines the beginning of a range. diff --git a/src/spdx_tools/spdx3/new_model/core/profile_identifier_type.py b/src/spdx_tools/spdx3/new_model/core/profile_identifier_type.py index e5405ac94..47a1cdfe7 100644 --- a/src/spdx_tools/spdx3/new_model/core/profile_identifier_type.py +++ b/src/spdx_tools/spdx3/new_model/core/profile_identifier_type.py @@ -2,10 +2,12 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from beartype.typing import Optional from enum import Enum, auto +from beartype.typing import Optional + class ProfileIdentifierType(Enum): """ @@ -72,7 +74,7 @@ def __str__(self) -> str: return "unknown" @staticmethod - def from_str(value: str) -> Optional['ProfileIdentifierType']: + def from_str(value: str) -> Optional["ProfileIdentifierType"]: if value == "core": return ProfileIdentifierType.CORE if value == "software": diff --git a/src/spdx_tools/spdx3/new_model/core/relationship.py b/src/spdx_tools/spdx3/new_model/core/relationship.py index 96adecb7d..1c7fd50be 100644 --- a/src/spdx_tools/spdx3/new_model/core/relationship.py +++ b/src/spdx_tools/spdx3/new_model/core/relationship.py @@ -2,14 +2,25 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from ..core import CreationInfo, Element, ExternalIdentifier, ExternalReference, IntegrityMethod, RelationshipCompleteness, RelationshipType -from beartype.typing import List, Optional from dataclasses import field from datetime import datetime -from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from beartype.typing import List, Optional from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core import ( + CreationInfo, + Element, + ExternalIdentifier, + ExternalReference, + IntegrityMethod, + RelationshipCompleteness, + RelationshipType, +) @dataclass_with_properties @@ -18,6 +29,7 @@ class Relationship(Element): A Relationship is a grouping of characteristics unique to an assertion that one Element is related to one or more other Elements in some way. """ + from_element: str """ This field references the Element on the left-hand side of a relationship. diff --git a/src/spdx_tools/spdx3/new_model/core/relationship_completeness.py b/src/spdx_tools/spdx3/new_model/core/relationship_completeness.py index ed0e5f83d..60fda809d 100644 --- a/src/spdx_tools/spdx3/new_model/core/relationship_completeness.py +++ b/src/spdx_tools/spdx3/new_model/core/relationship_completeness.py @@ -2,10 +2,12 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from beartype.typing import Optional from enum import Enum, auto +from beartype.typing import Optional + class RelationshipCompleteness(Enum): """ @@ -36,7 +38,7 @@ def __str__(self) -> str: return "unknown" @staticmethod - def from_str(value: str) -> Optional['RelationshipCompleteness']: + def from_str(value: str) -> Optional["RelationshipCompleteness"]: if value == "incomplete": return RelationshipCompleteness.INCOMPLETE if value == "complete": diff --git a/src/spdx_tools/spdx3/new_model/core/relationship_type.py b/src/spdx_tools/spdx3/new_model/core/relationship_type.py index f4095e430..d1bde71de 100644 --- a/src/spdx_tools/spdx3/new_model/core/relationship_type.py +++ b/src/spdx_tools/spdx3/new_model/core/relationship_type.py @@ -2,10 +2,12 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from beartype.typing import Optional from enum import Enum, auto +from beartype.typing import Optional + class RelationshipType(Enum): """ @@ -207,8 +209,8 @@ class RelationshipType(Enum): """ PROVIDED_DEPENDENCY = auto() """ - Every `to` Element is a dependency not included in the distributed artifact but is assumed to be provided the `from` - Element + Every `to` Element is a dependency not included in the distributed artifact but is assumed to be provided the + `from` Element """ PUBLISHED_BY = auto() """ @@ -216,8 +218,8 @@ class RelationshipType(Enum): """ REPORTED_BY = auto() """ - (Security) Designates the agent that first reported a vulnerability to the project, vendor, or tracking database for - formal identification + (Security) Designates the agent that first reported a vulnerability to the project, vendor, or tracking database + for formal identification """ REPUBLISHED_BY = auto() """ @@ -401,7 +403,7 @@ def __str__(self) -> str: return "unknown" @staticmethod - def from_str(value: str) -> Optional['RelationshipType']: + def from_str(value: str) -> Optional["RelationshipType"]: if value == "affects": return RelationshipType.AFFECTS if value == "amends": diff --git a/src/spdx_tools/spdx3/new_model/core/software_agent.py b/src/spdx_tools/spdx3/new_model/core/software_agent.py index 3144af0af..e49db5f42 100644 --- a/src/spdx_tools/spdx3/new_model/core/software_agent.py +++ b/src/spdx_tools/spdx3/new_model/core/software_agent.py @@ -2,12 +2,14 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from ..core import Agent, CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod from beartype.typing import List, Optional -from spdx_tools.common.typing.type_checks import check_types_and_set_values from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core import Agent, CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod @dataclass_with_properties diff --git a/src/spdx_tools/spdx3/new_model/core/spdx_document.py b/src/spdx_tools/spdx3/new_model/core/spdx_document.py index babb89a92..ec8829a65 100644 --- a/src/spdx_tools/spdx3/new_model/core/spdx_document.py +++ b/src/spdx_tools/spdx3/new_model/core/spdx_document.py @@ -2,12 +2,14 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from ..core import Bundle, CreationInfo, Element, ExternalIdentifier, ExternalMap, ExternalReference, IntegrityMethod from beartype.typing import List, Optional -from spdx_tools.common.typing.type_checks import check_types_and_set_values from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core import Bundle, CreationInfo, ExternalIdentifier, ExternalMap, ExternalReference, IntegrityMethod @dataclass_with_properties @@ -17,11 +19,6 @@ class SpdxDocument(Bundle): when representing a unit of transfer of SPDX Elements. External property restriction on /Core/Element/name: minCount: 1 """ - name: str - """ - This field identifies the name of an Element as designated by the creator. The name of an Element is an important - convention and easier to refer to than the URI. - """ def __init__( self, @@ -30,7 +27,6 @@ def __init__( creation_info: CreationInfo, element: List[str], root_element: List[str], - name: str, summary: Optional[str] = None, description: Optional[str] = None, comment: Optional[str] = None, diff --git a/src/spdx_tools/spdx3/new_model/core/tool.py b/src/spdx_tools/spdx3/new_model/core/tool.py index 969def930..0d77634af 100644 --- a/src/spdx_tools/spdx3/new_model/core/tool.py +++ b/src/spdx_tools/spdx3/new_model/core/tool.py @@ -2,12 +2,14 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from ..core import CreationInfo, Element, ExternalIdentifier, ExternalReference, IntegrityMethod from beartype.typing import List, Optional -from spdx_tools.common.typing.type_checks import check_types_and_set_values from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core import CreationInfo, Element, ExternalIdentifier, ExternalReference, IntegrityMethod @dataclass_with_properties diff --git a/src/spdx_tools/spdx3/new_model/dataset/__init__.py b/src/spdx_tools/spdx3/new_model/dataset/__init__.py index 232b007b2..be53750c2 100644 --- a/src/spdx_tools/spdx3/new_model/dataset/__init__.py +++ b/src/spdx_tools/spdx3/new_model/dataset/__init__.py @@ -2,6 +2,7 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa from .confidentiality_level_type import ConfidentialityLevelType from .dataset import Dataset diff --git a/src/spdx_tools/spdx3/new_model/dataset/confidentiality_level_type.py b/src/spdx_tools/spdx3/new_model/dataset/confidentiality_level_type.py index 33a4f91f6..f271233de 100644 --- a/src/spdx_tools/spdx3/new_model/dataset/confidentiality_level_type.py +++ b/src/spdx_tools/spdx3/new_model/dataset/confidentiality_level_type.py @@ -2,10 +2,12 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from beartype.typing import Optional from enum import Enum, auto +from beartype.typing import Optional + class ConfidentialityLevelType(Enum): """ @@ -19,7 +21,8 @@ class ConfidentialityLevelType(Enum): """ AMBER = auto() """ - Data points in the dataset can be shared only with specific organizations and their clients on a need to know basis. + Data points in the dataset can be shared only with specific organizations and their clients on a need to know + basis. """ GREEN = auto() """ @@ -42,7 +45,7 @@ def __str__(self) -> str: return "unknown" @staticmethod - def from_str(value: str) -> Optional['ConfidentialityLevelType']: + def from_str(value: str) -> Optional["ConfidentialityLevelType"]: if value == "Red": return ConfidentialityLevelType.RED if value == "Amber": diff --git a/src/spdx_tools/spdx3/new_model/dataset/dataset.py b/src/spdx_tools/spdx3/new_model/dataset/dataset.py index 61ac109f5..059e22b94 100644 --- a/src/spdx_tools/spdx3/new_model/dataset/dataset.py +++ b/src/spdx_tools/spdx3/new_model/dataset/dataset.py @@ -2,17 +2,21 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from ..core import Agent, CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod -from ..dataset import ConfidentialityLevelType, DatasetAvailabilityType, DatasetType, PresenceType -from ..licensing import AnyLicenseInfo -from ..software import Package, SoftwarePurpose -from beartype.typing import Dict, List, Optional from dataclasses import field from datetime import datetime -from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from beartype.typing import Dict, List, Optional from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..ai import PresenceType +from ..core import CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod +from ..dataset import ConfidentialityLevelType, DatasetAvailabilityType, DatasetType +from ..licensing import AnyLicenseInfo +from ..software import Package, SoftwarePurpose @dataclass_with_properties @@ -24,6 +28,7 @@ class Dataset(Package): /Software/SoftwareArtifact/primaryPurpose: minCount: 1 External property restriction on /Core/Artifact/releaseTime: minCount: 1 External property restriction on /Core/Artifact/builtTime: minCount: 1 """ + dataset_type: List[DatasetType] = field(default_factory=list) """ Type describes the datatype contained in the dataset. For example a dataset can be an image dataset for computer @@ -55,7 +60,8 @@ class Dataset(Package): """ data_preprocessing: List[str] = field(default_factory=list) """ - DataPreprocessing describes the various preprocessing steps that were applied to the raw data to create the dataset. + DataPreprocessing describes the various preprocessing steps that were applied to the raw data to create the + dataset. """ sensor: Dict[str, Optional[str]] = field(default_factory=list) """ diff --git a/src/spdx_tools/spdx3/new_model/dataset/dataset_availability_type.py b/src/spdx_tools/spdx3/new_model/dataset/dataset_availability_type.py index a0da1bb5b..4547800ed 100644 --- a/src/spdx_tools/spdx3/new_model/dataset/dataset_availability_type.py +++ b/src/spdx_tools/spdx3/new_model/dataset/dataset_availability_type.py @@ -2,10 +2,12 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from beartype.typing import Optional from enum import Enum, auto +from beartype.typing import Optional + class DatasetAvailabilityType(Enum): """ @@ -30,8 +32,8 @@ class DatasetAvailabilityType(Enum): """ CLICKTHROUGH = auto() """ - the dataset is not publicly available and can only be accessed after affirmatively accepting terms on a clickthrough - webpage. + the dataset is not publicly available and can only be accessed after affirmatively accepting terms on a + clickthrough webpage. """ REGISTRATION = auto() """ @@ -53,7 +55,7 @@ def __str__(self) -> str: return "unknown" @staticmethod - def from_str(value: str) -> Optional['DatasetAvailabilityType']: + def from_str(value: str) -> Optional["DatasetAvailabilityType"]: if value == "Direct-Download": return DatasetAvailabilityType.DIRECT_DOWNLOAD if value == "Scraping-Script": diff --git a/src/spdx_tools/spdx3/new_model/dataset/dataset_type.py b/src/spdx_tools/spdx3/new_model/dataset/dataset_type.py index c459e39a4..1c2d643ec 100644 --- a/src/spdx_tools/spdx3/new_model/dataset/dataset_type.py +++ b/src/spdx_tools/spdx3/new_model/dataset/dataset_type.py @@ -2,10 +2,12 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from beartype.typing import Optional from enum import Enum, auto +from beartype.typing import Optional + class DatasetType(Enum): """ @@ -42,8 +44,8 @@ class DatasetType(Enum): """ TIMESTAMP = auto() """ - data is recorded with a timestamp for each entry, but not necessarily ordered or at specific intervals, such as when - a taxi ride starts and ends. + data is recorded with a timestamp for each entry, but not necessarily ordered or at specific intervals, such as + when a taxi ride starts and ends. """ SENSOR = auto() """ @@ -107,7 +109,7 @@ def __str__(self) -> str: return "unknown" @staticmethod - def from_str(value: str) -> Optional['DatasetType']: + def from_str(value: str) -> Optional["DatasetType"]: if value == "structured": return DatasetType.STRUCTURED if value == "numeric": diff --git a/src/spdx_tools/spdx3/new_model/expanded_license/__init__.py b/src/spdx_tools/spdx3/new_model/expanded_license/__init__.py index a61d27bcb..e05b4baa5 100644 --- a/src/spdx_tools/spdx3/new_model/expanded_license/__init__.py +++ b/src/spdx_tools/spdx3/new_model/expanded_license/__init__.py @@ -2,6 +2,7 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa from .conjunctive_license_set import ConjunctiveLicenseSet from .disjunctive_license_set import DisjunctiveLicenseSet diff --git a/src/spdx_tools/spdx3/new_model/expanded_license/conjunctive_license_set.py b/src/spdx_tools/spdx3/new_model/expanded_license/conjunctive_license_set.py index 5f91bdb13..ea7d5e98e 100644 --- a/src/spdx_tools/spdx3/new_model/expanded_license/conjunctive_license_set.py +++ b/src/spdx_tools/spdx3/new_model/expanded_license/conjunctive_license_set.py @@ -2,28 +2,32 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from ..core import CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod -from ..licensing import AnyLicenseInfo -from beartype.typing import List, Optional from dataclasses import field -from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from beartype.typing import List, Optional from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core import CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod +from ..licensing import AnyLicenseInfo @dataclass_with_properties class ConjunctiveLicenseSet(AnyLicenseInfo): """ A ConjunctiveLicenseSet indicates that _each_ of its subsidiary AnyLicenseInfos apply. In other words, a - ConjunctiveLicenseSet of two or more licenses represents a licensing situation where _all_ of the specified licenses - are to be complied with. It is represented in the SPDX License Expression Syntax by the `AND` operator. + ConjunctiveLicenseSet of two or more licenses represents a licensing situation where _all_ of the specified + licenses are to be complied with. It is represented in the SPDX License Expression Syntax by the `AND` operator. It is syntactically correct to specify a ConjunctiveLicenseSet where the subsidiary AnyLicenseInfos may be "incompatible" according to a particular interpretation of the corresponding Licenses. The SPDX License Expression Syntax does not take into account interpretation of license texts, which is left to the consumer of SPDX data to determine for themselves. """ + member: List[AnyLicenseInfo] = field(default_factory=list) """ A member is a license expression participating in a conjuctive (of type ConjunctiveLicenseSet) or a disjunctive (of diff --git a/src/spdx_tools/spdx3/new_model/expanded_license/disjunctive_license_set.py b/src/spdx_tools/spdx3/new_model/expanded_license/disjunctive_license_set.py index 4b7e0d2e3..0b67acdd3 100644 --- a/src/spdx_tools/spdx3/new_model/expanded_license/disjunctive_license_set.py +++ b/src/spdx_tools/spdx3/new_model/expanded_license/disjunctive_license_set.py @@ -2,14 +2,17 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from ..core import CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod -from ..licensing import AnyLicenseInfo -from beartype.typing import List, Optional from dataclasses import field -from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from beartype.typing import List, Optional from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core import CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod +from ..licensing import AnyLicenseInfo @dataclass_with_properties @@ -21,6 +24,7 @@ class DisjunctiveLicenseSet(AnyLicenseInfo): recipient of the licensed content to choose which of the corresponding license they would prefer to use. It is represented in the SPDX License Expression Syntax by the `OR` operator. """ + member: List[AnyLicenseInfo] = field(default_factory=list) """ A member is a license expression participating in a conjuctive (of type ConjunctiveLicenseSet) or a disjunctive (of diff --git a/src/spdx_tools/spdx3/new_model/expanded_license/extendable_license.py b/src/spdx_tools/spdx3/new_model/expanded_license/extendable_license.py index 16f92c3ef..5690e2cf5 100644 --- a/src/spdx_tools/spdx3/new_model/expanded_license/extendable_license.py +++ b/src/spdx_tools/spdx3/new_model/expanded_license/extendable_license.py @@ -2,14 +2,14 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from ..core import CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod -from ..licensing import AnyLicenseInfo from abc import abstractmethod -from beartype.typing import List, Optional from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from ..licensing import AnyLicenseInfo + @dataclass_with_properties class ExtendableLicense(AnyLicenseInfo): diff --git a/src/spdx_tools/spdx3/new_model/licensing/__init__.py b/src/spdx_tools/spdx3/new_model/licensing/__init__.py index dd4399973..782338fd0 100644 --- a/src/spdx_tools/spdx3/new_model/licensing/__init__.py +++ b/src/spdx_tools/spdx3/new_model/licensing/__init__.py @@ -2,6 +2,7 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa from .any_license_info import AnyLicenseInfo from .custom_license import CustomLicense diff --git a/src/spdx_tools/spdx3/new_model/licensing/any_license_info.py b/src/spdx_tools/spdx3/new_model/licensing/any_license_info.py index 53218cf78..c57125180 100644 --- a/src/spdx_tools/spdx3/new_model/licensing/any_license_info.py +++ b/src/spdx_tools/spdx3/new_model/licensing/any_license_info.py @@ -2,13 +2,14 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from ..core import CreationInfo, Element, ExternalIdentifier, ExternalReference, IntegrityMethod from abc import abstractmethod -from beartype.typing import List, Optional from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from ..core import Element + @dataclass_with_properties class AnyLicenseInfo(Element): diff --git a/src/spdx_tools/spdx3/new_model/licensing/custom_license.py b/src/spdx_tools/spdx3/new_model/licensing/custom_license.py index dc76a7d9c..5a1d7b667 100644 --- a/src/spdx_tools/spdx3/new_model/licensing/custom_license.py +++ b/src/spdx_tools/spdx3/new_model/licensing/custom_license.py @@ -2,12 +2,14 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from ..licensing import License from beartype.typing import Optional -from spdx_tools.common.typing.type_checks import check_types_and_set_values from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..licensing import License @dataclass_with_properties diff --git a/src/spdx_tools/spdx3/new_model/licensing/custom_license_addition.py b/src/spdx_tools/spdx3/new_model/licensing/custom_license_addition.py index e1dd251a5..a33782c37 100644 --- a/src/spdx_tools/spdx3/new_model/licensing/custom_license_addition.py +++ b/src/spdx_tools/spdx3/new_model/licensing/custom_license_addition.py @@ -2,13 +2,15 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from ..core import CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod -from ..licensing import LicenseAddition from beartype.typing import List, Optional -from spdx_tools.common.typing.type_checks import check_types_and_set_values from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core import CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod +from ..licensing import LicenseAddition @dataclass_with_properties diff --git a/src/spdx_tools/spdx3/new_model/licensing/license.py b/src/spdx_tools/spdx3/new_model/licensing/license.py index 9b84b4b38..5a1c07308 100644 --- a/src/spdx_tools/spdx3/new_model/licensing/license.py +++ b/src/spdx_tools/spdx3/new_model/licensing/license.py @@ -2,13 +2,16 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from ..licensing import ExtendableLicense from abc import abstractmethod + from beartype.typing import Optional from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from ..licensing import ExtendableLicense + @dataclass_with_properties class License(ExtendableLicense): @@ -16,6 +19,7 @@ class License(ExtendableLicense): A License represents a license text, whether listed on the SPDX License List (ListedLicense) or defined by an SPDX data creator (CustomLicense). """ + license_text: str """ A licenseText contains the plain text of the License, without templating or other similar markup. @@ -51,8 +55,8 @@ class License(ExtendableLicense): """ standard_license_header: Optional[str] = None """ - A standardLicenseHeader contains the plain text of the License author's preferred wording to be used, typically in a - source code file's header comments or similar location, to indicate that the file is subject to the specified + A standardLicenseHeader contains the plain text of the License author's preferred wording to be used, typically in + a source code file's header comments or similar location, to indicate that the file is subject to the specified License. """ standard_license_template: Optional[str] = None @@ -68,10 +72,10 @@ class License(ExtendableLicense): If the License or LicenseAddition is included on the SPDX License List, then the `deprecatedVersion` property indicates on which version release of the License List it was first marked as deprecated. - "Deprecated" in this context refers to deprecating the use of the _identifier_, not the underlying license. In other - words, even if a License's author or steward has stated that a particular License generally should not be used, that - would _not_ mean that the License's identifier is "deprecated." Rather, a License or LicenseAddition operator is - typically marked as "deprecated" when it is determined that use of another identifier is preferable. + "Deprecated" in this context refers to deprecating the use of the _identifier_, not the underlying license. In + other words, even if a License's author or steward has stated that a particular License generally should not be + used, that would _not_ mean that the License's identifier is "deprecated." Rather, a License or LicenseAddition + operator is typically marked as "deprecated" when it is determined that use of another identifier is preferable. """ obsoleted_by: Optional[str] = None """ diff --git a/src/spdx_tools/spdx3/new_model/licensing/license_addition.py b/src/spdx_tools/spdx3/new_model/licensing/license_addition.py index c8af0f684..ca903e985 100644 --- a/src/spdx_tools/spdx3/new_model/licensing/license_addition.py +++ b/src/spdx_tools/spdx3/new_model/licensing/license_addition.py @@ -2,13 +2,16 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from ..core import CreationInfo, Element, ExternalIdentifier, ExternalReference, IntegrityMethod from abc import abstractmethod -from beartype.typing import List, Optional + +from beartype.typing import Optional from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from ..core import Element + @dataclass_with_properties class LicenseAddition(Element): @@ -19,17 +22,19 @@ class LicenseAddition(Element): It may be an exception which is listed on the SPDX Exceptions List (ListedLicenseException), or may be any other additional text (as an exception or otherwise) which is defined by an SPDX data creator (CustomLicenseAddition). """ + addition_text: str """ An additionText contains the plain text of the LicenseAddition, without templating or other similar markup. - Users of the additionText for a License can apply the SPDX Matching Guidelines when comparing it to another text for - matching purposes. + Users of the additionText for a License can apply the SPDX Matching Guidelines when comparing it to another text + for matching purposes. """ standard_addition_template: Optional[str] = None """ - A standardAdditionTemplate contains a license addition template which describes sections of the LicenseAddition text - which can be varied. See the Legacy Text Template format section of the SPDX specification for format information. + A standardAdditionTemplate contains a license addition template which describes sections of the LicenseAddition + text which can be varied. See the Legacy Text Template format section of the SPDX specification for format + information. """ is_deprecated_addition_id: Optional[bool] = None """ @@ -39,11 +44,11 @@ class LicenseAddition(Element): If the LicenseAddition is included on the SPDX Exceptions List, then the `deprecatedVersion` property indicates on which version release of the Exceptions List it was first marked as deprecated. - "Deprecated" in this context refers to deprecating the use of the _identifier_, not the underlying license addition. - In other words, even if a LicenseAddition's author or steward has stated that a particular LicenseAddition generally - should not be used, that would _not_ mean that the LicenseAddition's identifier is "deprecated." Rather, a - LicenseAddition operator is typically marked as "deprecated" when it is determined that use of another identifier is - preferable. + "Deprecated" in this context refers to deprecating the use of the _identifier_, not the underlying license + addition. In other words, even if a LicenseAddition's author or steward has stated that a particular + LicenseAddition generally should not be used, that would _not_ mean that the LicenseAddition's identifier is + "deprecated." Rather, a LicenseAddition operator is typically marked as "deprecated" when it is determined that use + of another identifier is preferable. """ obsoleted_by: Optional[str] = None """ diff --git a/src/spdx_tools/spdx3/new_model/licensing/license_expression.py b/src/spdx_tools/spdx3/new_model/licensing/license_expression.py index fdf381853..9e1619a9b 100644 --- a/src/spdx_tools/spdx3/new_model/licensing/license_expression.py +++ b/src/spdx_tools/spdx3/new_model/licensing/license_expression.py @@ -2,45 +2,48 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from ..core import CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod -from ..licensing import AnyLicenseInfo from beartype.typing import List, Optional -from spdx_tools.common.typing.type_checks import check_types_and_set_values from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core import CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod +from ..licensing import AnyLicenseInfo @dataclass_with_properties class LicenseExpression(AnyLicenseInfo): """ Often a single license can be used to represent the licensing terms of a source code or binary file, but there are - situations where a single license identifier is not sufficient. A common example is when software is offered under a - choice of one or more licenses (e.g., GPL-2.0-only OR BSD-3-Clause). Another example is when a set of licenses is + situations where a single license identifier is not sufficient. A common example is when software is offered under + a choice of one or more licenses (e.g., GPL-2.0-only OR BSD-3-Clause). Another example is when a set of licenses is needed to represent a binary program constructed by compiling and linking two (or more) different source files each governed by different licenses (e.g., LGPL-2.1-only AND BSD-3-Clause). - SPDX License Expressions provide a way for one to construct expressions that more accurately represent the licensing - terms typically found in open source software source code. A license expression could be a single license identifier - found on the SPDX License List; a user defined license reference denoted by the LicenseRef-idString; a license - identifier combined with an SPDX exception; or some combination of license identifiers, license references and - exceptions constructed using a small set of defined operators (e.g., AND, OR, WITH and +). We provide the definition - of what constitutes a valid an SPDX License Expression in this section. + SPDX License Expressions provide a way for one to construct expressions that more accurately represent the + licensing terms typically found in open source software source code. A license expression could be a single license + identifier found on the SPDX License List; a user defined license reference denoted by the LicenseRef-idString; a + license identifier combined with an SPDX exception; or some combination of license identifiers, license references + and exceptions constructed using a small set of defined operators (e.g., AND, OR, WITH and +). We provide the + definition of what constitutes a valid an SPDX License Expression in this section. """ + license_expression: str """ Often a single license can be used to represent the licensing terms of a source code or binary file, but there are - situations where a single license identifier is not sufficient. A common example is when software is offered under a - choice of one or more licenses (e.g., GPL-2.0-only OR BSD-3-Clause). Another example is when a set of licenses is + situations where a single license identifier is not sufficient. A common example is when software is offered under + a choice of one or more licenses (e.g., GPL-2.0-only OR BSD-3-Clause). Another example is when a set of licenses is needed to represent a binary program constructed by compiling and linking two (or more) different source files each governed by different licenses (e.g., LGPL-2.1-only AND BSD-3-Clause). - SPDX License Expressions provide a way for one to construct expressions that more accurately represent the licensing - terms typically found in open source software source code. A license expression could be a single license identifier - found on the SPDX License List; a user defined license reference denoted by the LicenseRef-idString; a license - identifier combined with an SPDX exception; or some combination of license identifiers, license references and - exceptions constructed using a small set of defined operators (e.g., AND, OR, WITH and +). We provide the definition - of what constitutes a valid an SPDX License Expression in this section. + SPDX License Expressions provide a way for one to construct expressions that more accurately represent the + licensing terms typically found in open source software source code. A license expression could be a single license + identifier found on the SPDX License List; a user defined license reference denoted by the LicenseRef-idString; a + license identifier combined with an SPDX exception; or some combination of license identifiers, license references + and exceptions constructed using a small set of defined operators (e.g., AND, OR, WITH and +). We provide the + definition of what constitutes a valid an SPDX License Expression in this section. """ def __init__( diff --git a/src/spdx_tools/spdx3/new_model/licensing/listed_license.py b/src/spdx_tools/spdx3/new_model/licensing/listed_license.py index 3139dca07..413205773 100644 --- a/src/spdx_tools/spdx3/new_model/licensing/listed_license.py +++ b/src/spdx_tools/spdx3/new_model/licensing/listed_license.py @@ -2,12 +2,14 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from ..licensing import License from beartype.typing import Optional -from spdx_tools.common.typing.type_checks import check_types_and_set_values from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..licensing import License @dataclass_with_properties @@ -15,6 +17,7 @@ class ListedLicense(License): """ A ListedLicense represents a License that is listed on the SPDX License List at https://spdx.org/licenses. """ + list_version_added: Optional[str] = None """ A listVersionAdded for a ListedLicense or ListedLicenseException on the SPDX License List specifies which version diff --git a/src/spdx_tools/spdx3/new_model/licensing/listed_license_exception.py b/src/spdx_tools/spdx3/new_model/licensing/listed_license_exception.py index 0d10687ae..1c8b0c5d3 100644 --- a/src/spdx_tools/spdx3/new_model/licensing/listed_license_exception.py +++ b/src/spdx_tools/spdx3/new_model/licensing/listed_license_exception.py @@ -2,13 +2,15 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from ..core import CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod -from ..licensing import LicenseAddition from beartype.typing import List, Optional -from spdx_tools.common.typing.type_checks import check_types_and_set_values from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core import CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod +from ..licensing import LicenseAddition @dataclass_with_properties @@ -18,6 +20,7 @@ class ListedLicenseException(LicenseAddition): or an additional permission beyond those granted in a License) which is listed on the SPDX Exceptions List at https://spdx.org/licenses/exceptions-index.html. """ + list_version_added: Optional[str] = None """ A listVersionAdded for a ListedLicense or ListedLicenseException on the SPDX License List specifies which version diff --git a/src/spdx_tools/spdx3/new_model/licensing/or_later_operator.py b/src/spdx_tools/spdx3/new_model/licensing/or_later_operator.py index f77eff5f5..096eef46f 100644 --- a/src/spdx_tools/spdx3/new_model/licensing/or_later_operator.py +++ b/src/spdx_tools/spdx3/new_model/licensing/or_later_operator.py @@ -2,11 +2,12 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from ..licensing import ExtendableLicense, License +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties from spdx_tools.common.typing.type_checks import check_types_and_set_values -from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from ..licensing import ExtendableLicense, License @dataclass_with_properties @@ -21,6 +22,7 @@ class OrLaterOperator(ExtendableLicense): SPDX data will need to determine for themselves what meaning to attribute to a "later version" operator for a particular License. """ + subject_license: License def __init__( diff --git a/src/spdx_tools/spdx3/new_model/licensing/with_addition_operator.py b/src/spdx_tools/spdx3/new_model/licensing/with_addition_operator.py index a89d632ab..d4a087e5f 100644 --- a/src/spdx_tools/spdx3/new_model/licensing/with_addition_operator.py +++ b/src/spdx_tools/spdx3/new_model/licensing/with_addition_operator.py @@ -2,13 +2,15 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from ..core import CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod -from ..licensing import AnyLicenseInfo, ExtendableLicense, LicenseAddition from beartype.typing import List, Optional -from spdx_tools.common.typing.type_checks import check_types_and_set_values from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core import CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod +from ..licensing import AnyLicenseInfo, ExtendableLicense, LicenseAddition @dataclass_with_properties @@ -18,6 +20,7 @@ class WithAdditionOperator(AnyLicenseInfo): might be a license exception on the SPDX Exceptions List (ListedLicenseException) or may be other additional text (CustomLicenseAddition). It is represented in the SPDX License Expression Syntax by the `WITH` operator. """ + subject_license: ExtendableLicense subject_addition: LicenseAddition diff --git a/src/spdx_tools/spdx3/new_model/security/__init__.py b/src/spdx_tools/spdx3/new_model/security/__init__.py index 6bf9817fd..09a02d58b 100644 --- a/src/spdx_tools/spdx3/new_model/security/__init__.py +++ b/src/spdx_tools/spdx3/new_model/security/__init__.py @@ -2,6 +2,7 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa from .cvss_v2_vuln_assessment_relationship import CvssV2VulnAssessmentRelationship from .cvss_v3_vuln_assessment_relationship import CvssV3VulnAssessmentRelationship diff --git a/src/spdx_tools/spdx3/new_model/security/cvss_v2_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/cvss_v2_vuln_assessment_relationship.py index 01f24c159..69ce5b69b 100644 --- a/src/spdx_tools/spdx3/new_model/security/cvss_v2_vuln_assessment_relationship.py +++ b/src/spdx_tools/spdx3/new_model/security/cvss_v2_vuln_assessment_relationship.py @@ -2,14 +2,24 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from ..core import Agent, CreationInfo, Element, ExternalIdentifier, ExternalReference, IntegrityMethod, RelationshipCompleteness, RelationshipType -from ..security import VulnAssessmentRelationship -from beartype.typing import List, Optional from datetime import datetime -from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from beartype.typing import List, Optional from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core import ( + CreationInfo, + ExternalIdentifier, + ExternalReference, + IntegrityMethod, + RelationshipCompleteness, + RelationshipType, +) +from ..security import VulnAssessmentRelationship @dataclass_with_properties @@ -60,14 +70,15 @@ class CvssV2VulnAssessmentRelationship(VulnAssessmentRelationship): }, { "@type": "Relationship", - "@id": "urn:spdx.dev:vulnAgentRel-1", - "relationshipType": "publishedBy", + "@id": "urn:spdx.dev:vulnAgentRel-1", + "relationshipType": "publishedBy", "from": "urn:spdx.dev:cvssv2-cve-2020-28498", "to": ["urn:spdx.dev:agent-snyk"], "startTime": "2021-03-08T16:06:50Z" } ``` """ + score: float """ The score provides information on the severity of a vulnerability per the Common Vulnerability Scoring System as @@ -75,8 +86,8 @@ class CvssV2VulnAssessmentRelationship(VulnAssessmentRelationship): """ severity: Optional[str] = None """ - The severity field provides a human readable string, a label that can be used as an English adjective that qualifies - its numerical score. + The severity field provides a human readable string, a label that can be used as an English adjective that + qualifies its numerical score. """ vector: Optional[str] = None """ diff --git a/src/spdx_tools/spdx3/new_model/security/cvss_v3_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/cvss_v3_vuln_assessment_relationship.py index 5cbf6bddc..ada546cc7 100644 --- a/src/spdx_tools/spdx3/new_model/security/cvss_v3_vuln_assessment_relationship.py +++ b/src/spdx_tools/spdx3/new_model/security/cvss_v3_vuln_assessment_relationship.py @@ -2,14 +2,24 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from ..core import Agent, CreationInfo, Element, ExternalIdentifier, ExternalReference, IntegrityMethod, RelationshipCompleteness, RelationshipType -from ..security import VulnAssessmentRelationship -from beartype.typing import List, Optional from datetime import datetime -from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from beartype.typing import List, Optional from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core import ( + CreationInfo, + ExternalIdentifier, + ExternalReference, + IntegrityMethod, + RelationshipCompleteness, + RelationshipType, +) +from ..security import VulnAssessmentRelationship @dataclass_with_properties @@ -17,8 +27,8 @@ class CvssV3VulnAssessmentRelationship(VulnAssessmentRelationship): """ A CvssV3VulnAssessmentRelationship relationship describes the determined score, severity, and vector of a vulnerability using version 3.1 of the Common Vulnerability Scoring System (CVSS) as defined on - [https://www.first.org/cvss/v3.1/specification-document](https://www.first.org/cvss/v3.1/specification-document). It - is intented to communicate the results of using a CVSS calculator. + [https://www.first.org/cvss/v3.1/specification-document](https://www.first.org/cvss/v3.1/specification-document). + It is intented to communicate the results of using a CVSS calculator. **Constraints** @@ -69,6 +79,7 @@ class CvssV3VulnAssessmentRelationship(VulnAssessmentRelationship): } ``` """ + score: float """ The score provides information on the severity of a vulnerability per the Common Vulnerability Scoring System as @@ -76,8 +87,8 @@ class CvssV3VulnAssessmentRelationship(VulnAssessmentRelationship): """ severity: Optional[str] = None """ - The severity field provides a human readable string, a label that can be used as an English adjective that qualifies - its numerical score. + The severity field provides a human readable string, a label that can be used as an English adjective that + qualifies its numerical score. """ vector: Optional[str] = None """ diff --git a/src/spdx_tools/spdx3/new_model/security/epss_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/epss_vuln_assessment_relationship.py index 075902db8..f8b37dfe6 100644 --- a/src/spdx_tools/spdx3/new_model/security/epss_vuln_assessment_relationship.py +++ b/src/spdx_tools/spdx3/new_model/security/epss_vuln_assessment_relationship.py @@ -2,14 +2,24 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from ..core import Agent, CreationInfo, Element, ExternalIdentifier, ExternalReference, IntegrityMethod, RelationshipCompleteness, RelationshipType -from ..security import VulnAssessmentRelationship -from beartype.typing import List, Optional from datetime import datetime -from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from beartype.typing import List, Optional from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core import ( + CreationInfo, + ExternalIdentifier, + ExternalReference, + IntegrityMethod, + RelationshipCompleteness, + RelationshipType, +) +from ..security import VulnAssessmentRelationship @dataclass_with_properties @@ -38,6 +48,7 @@ class EpssVulnAssessmentRelationship(VulnAssessmentRelationship): } ``` """ + probability: int """ The probability score between 0 and 1 (0 and 100%) estimating the likelihood that a vulnerability will be exploited @@ -45,8 +56,8 @@ class EpssVulnAssessmentRelationship(VulnAssessmentRelationship): """ severity: Optional[str] = None """ - The severity field provides a human readable string, a label that can be used as an English adjective that qualifies - its numerical score. + The severity field provides a human readable string, a label that can be used as an English adjective that + qualifies its numerical score. """ def __init__( diff --git a/src/spdx_tools/spdx3/new_model/security/exploit_catalog_type.py b/src/spdx_tools/spdx3/new_model/security/exploit_catalog_type.py index 0dee7832d..65de25290 100644 --- a/src/spdx_tools/spdx3/new_model/security/exploit_catalog_type.py +++ b/src/spdx_tools/spdx3/new_model/security/exploit_catalog_type.py @@ -2,10 +2,12 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from beartype.typing import Optional from enum import Enum, auto +from beartype.typing import Optional + class ExploitCatalogType(Enum): """ @@ -29,7 +31,7 @@ def __str__(self) -> str: return "unknown" @staticmethod - def from_str(value: str) -> Optional['ExploitCatalogType']: + def from_str(value: str) -> Optional["ExploitCatalogType"]: if value == "kev": return ExploitCatalogType.KEV if value == "other": diff --git a/src/spdx_tools/spdx3/new_model/security/exploit_catalog_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/exploit_catalog_vuln_assessment_relationship.py index a83f171f9..7b1938337 100644 --- a/src/spdx_tools/spdx3/new_model/security/exploit_catalog_vuln_assessment_relationship.py +++ b/src/spdx_tools/spdx3/new_model/security/exploit_catalog_vuln_assessment_relationship.py @@ -2,14 +2,24 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from ..core import Agent, CreationInfo, Element, ExternalIdentifier, ExternalReference, IntegrityMethod, RelationshipCompleteness, RelationshipType -from ..security import ExploitCatalogType, VulnAssessmentRelationship -from beartype.typing import List, Optional from datetime import datetime -from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from beartype.typing import List, Optional from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core import ( + CreationInfo, + ExternalIdentifier, + ExternalReference, + IntegrityMethod, + RelationshipCompleteness, + RelationshipType, +) +from ..security import ExploitCatalogType, VulnAssessmentRelationship @dataclass_with_properties @@ -40,9 +50,11 @@ class ExploitCatalogVulnAssessmentRelationship(VulnAssessmentRelationship): } ``` """ + catalog_type: ExploitCatalogType """ - A catalogType is a mandatory value and must select one of the two entries in the `ExploitCatalogType.md` vocabulary. + A catalogType is a mandatory value and must select one of the two entries in the `ExploitCatalogType.md` + vocabulary. """ exploited: bool """ diff --git a/src/spdx_tools/spdx3/new_model/security/ssvc_decision_type.py b/src/spdx_tools/spdx3/new_model/security/ssvc_decision_type.py index 1c00a4eb8..c0c8edd7b 100644 --- a/src/spdx_tools/spdx3/new_model/security/ssvc_decision_type.py +++ b/src/spdx_tools/spdx3/new_model/security/ssvc_decision_type.py @@ -2,15 +2,17 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from beartype.typing import Optional from enum import Enum, auto +from beartype.typing import Optional + class SsvcDecisionType(Enum): """ - SsvcDecisionType specifies the type of decision that's been made according to the Stakeholder-Specific Vulnerability - Categorization (SSVC) system + SsvcDecisionType specifies the type of decision that's been made according to the Stakeholder-Specific + Vulnerability Categorization (SSVC) system [https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc](https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc) """ @@ -37,8 +39,8 @@ class SsvcDecisionType(Enum): """ TRACK_STAR = auto() """ - (Track* in the SSVC spec) The vulnerability contains specific characteristics that may require closer monitoring for - changes. CISA recommends remediating Track* vulnerabilities within standard update timelines. + (Track* in the SSVC spec) The vulnerability contains specific characteristics that may require closer monitoring + for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines. """ def __str__(self) -> str: @@ -53,7 +55,7 @@ def __str__(self) -> str: return "unknown" @staticmethod - def from_str(value: str) -> Optional['SsvcDecisionType']: + def from_str(value: str) -> Optional["SsvcDecisionType"]: if value == "act": return SsvcDecisionType.ACT if value == "attend": diff --git a/src/spdx_tools/spdx3/new_model/security/ssvc_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/ssvc_vuln_assessment_relationship.py index 447dabc80..81f261a36 100644 --- a/src/spdx_tools/spdx3/new_model/security/ssvc_vuln_assessment_relationship.py +++ b/src/spdx_tools/spdx3/new_model/security/ssvc_vuln_assessment_relationship.py @@ -2,14 +2,24 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from ..core import Agent, CreationInfo, Element, ExternalIdentifier, ExternalReference, IntegrityMethod, RelationshipCompleteness, RelationshipType -from ..security import SsvcDecisionType, VulnAssessmentRelationship -from beartype.typing import List, Optional from datetime import datetime -from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from beartype.typing import List, Optional from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core import ( + CreationInfo, + ExternalIdentifier, + ExternalReference, + IntegrityMethod, + RelationshipCompleteness, + RelationshipType, +) +from ..security import SsvcDecisionType, VulnAssessmentRelationship @dataclass_with_properties @@ -40,9 +50,11 @@ class SsvcVulnAssessmentRelationship(VulnAssessmentRelationship): } ``` """ + decision_type: SsvcDecisionType """ - A decisionType is a mandatory value and must select one of the four entries in the `SsvcDecisionType.md` vocabulary. + A decisionType is a mandatory value and must select one of the four entries in the `SsvcDecisionType.md` + vocabulary. """ def __init__( diff --git a/src/spdx_tools/spdx3/new_model/security/vex_affected_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/vex_affected_vuln_assessment_relationship.py index 0c9d75053..e06fe8a54 100644 --- a/src/spdx_tools/spdx3/new_model/security/vex_affected_vuln_assessment_relationship.py +++ b/src/spdx_tools/spdx3/new_model/security/vex_affected_vuln_assessment_relationship.py @@ -2,15 +2,25 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from ..core import Agent, CreationInfo, Element, ExternalIdentifier, ExternalReference, IntegrityMethod, RelationshipCompleteness, RelationshipType -from ..security import VexVulnAssessmentRelationship -from beartype.typing import List, Optional from dataclasses import field from datetime import datetime -from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from beartype.typing import List, Optional from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core import ( + CreationInfo, + ExternalIdentifier, + ExternalReference, + IntegrityMethod, + RelationshipCompleteness, + RelationshipType, +) +from ..security import VexVulnAssessmentRelationship @dataclass_with_properties @@ -41,6 +51,7 @@ class VexAffectedVulnAssessmentRelationship(VexVulnAssessmentRelationship): } ``` """ + action_statement: Optional[str] = None """ When an element is referenced with a VexAffectedVulnAssessmentRelationship, the relationship MUST include one @@ -48,9 +59,9 @@ class VexAffectedVulnAssessmentRelationship(VexVulnAssessmentRelationship): """ action_statement_time: List[datetime] = field(default_factory=list) """ - When a VEX statement communicates an affected status, the author MUST include an action statement with a recommended - action to help mitigate the vulnerability's impact. The actionStatementTime property records the time when the - action statement was first communicated. + When a VEX statement communicates an affected status, the author MUST include an action statement with a + recommended action to help mitigate the vulnerability's impact. The actionStatementTime property records the time + when the action statement was first communicated. """ def __init__( diff --git a/src/spdx_tools/spdx3/new_model/security/vex_fixed_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/vex_fixed_vuln_assessment_relationship.py index 8d1a9e5f6..226fd108a 100644 --- a/src/spdx_tools/spdx3/new_model/security/vex_fixed_vuln_assessment_relationship.py +++ b/src/spdx_tools/spdx3/new_model/security/vex_fixed_vuln_assessment_relationship.py @@ -2,14 +2,24 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from ..core import Agent, CreationInfo, Element, ExternalIdentifier, ExternalReference, IntegrityMethod, RelationshipCompleteness, RelationshipType -from ..security import VexVulnAssessmentRelationship -from beartype.typing import List, Optional from datetime import datetime -from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from beartype.typing import List, Optional from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core import ( + CreationInfo, + ExternalIdentifier, + ExternalReference, + IntegrityMethod, + RelationshipCompleteness, + RelationshipType, +) +from ..security import VexVulnAssessmentRelationship @dataclass_with_properties diff --git a/src/spdx_tools/spdx3/new_model/security/vex_justification_type.py b/src/spdx_tools/spdx3/new_model/security/vex_justification_type.py index 1e68424fe..4864bb646 100644 --- a/src/spdx_tools/spdx3/new_model/security/vex_justification_type.py +++ b/src/spdx_tools/spdx3/new_model/security/vex_justification_type.py @@ -2,10 +2,12 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from beartype.typing import Optional from enum import Enum, auto +from beartype.typing import Optional + class VexJustificationType(Enum): """ @@ -49,7 +51,7 @@ def __str__(self) -> str: return "unknown" @staticmethod - def from_str(value: str) -> Optional['VexJustificationType']: + def from_str(value: str) -> Optional["VexJustificationType"]: if value == "componentNotPresent": return VexJustificationType.COMPONENT_NOT_PRESENT if value == "vulnerableCodeNotPresent": diff --git a/src/spdx_tools/spdx3/new_model/security/vex_not_affected_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/vex_not_affected_vuln_assessment_relationship.py index 7fe28fa49..e31a452d6 100644 --- a/src/spdx_tools/spdx3/new_model/security/vex_not_affected_vuln_assessment_relationship.py +++ b/src/spdx_tools/spdx3/new_model/security/vex_not_affected_vuln_assessment_relationship.py @@ -2,14 +2,24 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from ..core import Agent, CreationInfo, Element, ExternalIdentifier, ExternalReference, IntegrityMethod, RelationshipCompleteness, RelationshipType -from ..security import VexJustificationType, VexVulnAssessmentRelationship -from beartype.typing import List, Optional from datetime import datetime -from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from beartype.typing import List, Optional from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core import ( + CreationInfo, + ExternalIdentifier, + ExternalReference, + IntegrityMethod, + RelationshipCompleteness, + RelationshipType, +) +from ..security import VexJustificationType, VexVulnAssessmentRelationship @dataclass_with_properties @@ -20,14 +30,15 @@ class VexNotAffectedVulnAssessmentRelationship(VexVulnAssessmentRelationship): **Constraints** - When linking elements using a VexNotVulnAffectedAssessmentRelationship, the following requirements must be observed: + When linking elements using a VexNotVulnAffectedAssessmentRelationship, the following requirements must be + observed: * Relating elements with a VexNotAffectedVulnAssessmentRelationship is restricted to the doesNotAffect relationship type. * The from: end of the relationship must be a /Security/Vulnerability classed element. * Both impactStatement and justificationType properties have a cardinality of 0..1 making them optional. - Nevertheless, to produce a valid VEX not_affected statement, one of them MUST be defined. This is specified in the - Minimum Elements for VEX. + Nevertheless, to produce a valid VEX not_affected statement, one of them MUST be defined. This is specified in + the Minimum Elements for VEX. **Syntax** @@ -46,6 +57,7 @@ class VexNotAffectedVulnAssessmentRelationship(VexVulnAssessmentRelationship): } ``` """ + justification_type: Optional[VexJustificationType] = None """ When stating that an element is not affected by a vulnerability, the VexNotAffectedVulnAssessmentRelationship must diff --git a/src/spdx_tools/spdx3/new_model/security/vex_under_investigation_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/vex_under_investigation_vuln_assessment_relationship.py index bb592f46b..ff95163d7 100644 --- a/src/spdx_tools/spdx3/new_model/security/vex_under_investigation_vuln_assessment_relationship.py +++ b/src/spdx_tools/spdx3/new_model/security/vex_under_investigation_vuln_assessment_relationship.py @@ -2,14 +2,24 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from ..core import Agent, CreationInfo, Element, ExternalIdentifier, ExternalReference, IntegrityMethod, RelationshipCompleteness, RelationshipType -from ..security import VexVulnAssessmentRelationship -from beartype.typing import List, Optional from datetime import datetime -from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from beartype.typing import List, Optional from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core import ( + CreationInfo, + ExternalIdentifier, + ExternalReference, + IntegrityMethod, + RelationshipCompleteness, + RelationshipType, +) +from ..security import VexVulnAssessmentRelationship @dataclass_with_properties diff --git a/src/spdx_tools/spdx3/new_model/security/vex_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/vex_vuln_assessment_relationship.py index 7741cca59..e95924566 100644 --- a/src/spdx_tools/spdx3/new_model/security/vex_vuln_assessment_relationship.py +++ b/src/spdx_tools/spdx3/new_model/security/vex_vuln_assessment_relationship.py @@ -2,15 +2,16 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from ..core import Agent, CreationInfo, Element, ExternalIdentifier, ExternalReference, IntegrityMethod, RelationshipCompleteness, RelationshipType -from ..security import VulnAssessmentRelationship from abc import abstractmethod -from beartype.typing import List, Optional -from datetime import datetime + +from beartype.typing import Optional from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from ..security import VulnAssessmentRelationship + @dataclass_with_properties class VexVulnAssessmentRelationship(VulnAssessmentRelationship): @@ -28,11 +29,12 @@ class VexVulnAssessmentRelationship(VulnAssessmentRelationship): property. VEX inherits information from the document level down to its statements. When a statement is missing information it - can be completed by reading the equivalent field from the containing document. For example, if a VEX relationship is - missing data in its createdBy property, tools must consider the entity listed in the CreationInfo section of the + can be completed by reading the equivalent field from the containing document. For example, if a VEX relationship + is missing data in its createdBy property, tools must consider the entity listed in the CreationInfo section of the document as the VEX author. In the same way, when a VEX relationship does not have a created property, the document's date must be considered as authoritative. """ + vex_version: Optional[str] = None """ TODO diff --git a/src/spdx_tools/spdx3/new_model/security/vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/vuln_assessment_relationship.py index d50153555..978da7ee0 100644 --- a/src/spdx_tools/spdx3/new_model/security/vuln_assessment_relationship.py +++ b/src/spdx_tools/spdx3/new_model/security/vuln_assessment_relationship.py @@ -2,14 +2,17 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from ..core import Agent, CreationInfo, Element, ExternalIdentifier, ExternalReference, IntegrityMethod, Relationship, RelationshipCompleteness, RelationshipType from abc import abstractmethod -from beartype.typing import List, Optional from datetime import datetime +from beartype.typing import Optional + from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from ..core import Relationship + @dataclass_with_properties class VulnAssessmentRelationship(Relationship): @@ -17,10 +20,11 @@ class VulnAssessmentRelationship(Relationship): VulnAssessmentRelationship is the ancestor class common to all vulnerability assessment relationships. It factors out the common properties shared by them. External property restriction on /Core/Relationship/to: minCount: 1 """ + assessed_element: Optional[str] = None """ - Specifies subpackages, files or snippets referenced by a security assessment to specify the precise location where a - vulnerability was found. + Specifies subpackages, files or snippets referenced by a security assessment to specify the precise location where + a vulnerability was found. """ published_time: Optional[datetime] = None """ diff --git a/src/spdx_tools/spdx3/new_model/security/vulnerability.py b/src/spdx_tools/spdx3/new_model/security/vulnerability.py index abb066781..6ea609249 100644 --- a/src/spdx_tools/spdx3/new_model/security/vulnerability.py +++ b/src/spdx_tools/spdx3/new_model/security/vulnerability.py @@ -2,13 +2,16 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from ..core import CreationInfo, Element, ExternalIdentifier, ExternalReference, IntegrityMethod -from beartype.typing import List, Optional from datetime import datetime -from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from beartype.typing import List, Optional from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core import CreationInfo, Element, ExternalIdentifier, ExternalReference, IntegrityMethod @dataclass_with_properties @@ -23,7 +26,7 @@ class Vulnerability(Element): "@type": "Vulnerability", "@id": "urn:spdx.dev:vuln-1", "summary": "Use of a Broken or Risky Cryptographic Algorithm", - "description": "The npm package `elliptic` before version 6.5.4 are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.", + "description": "The npm package `elliptic` before version 6.5.4 are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.", "modified": "2021-03-08T16:02:43Z", "published": "2021-03-08T16:06:50Z", "externalIdentifiers": [ @@ -83,14 +86,15 @@ class Vulnerability(Element): }, { "@type": "Relationship", - "@id": "urn:spdx.dev:vulnAgentRel-1", - "relationshipType": "publishedBy", + "@id": "urn:spdx.dev:vulnAgentRel-1", + "relationshipType": "publishedBy", "from": "urn:spdx.dev:vuln-1", "to": ["urn:spdx.dev:agent-snyk"], "startTime": "2021-03-08T16:06:50Z" } ``` """ + published_time: Optional[datetime] = None """ Specifies the time when a vulnerability was first published. diff --git a/src/spdx_tools/spdx3/new_model/software/__init__.py b/src/spdx_tools/spdx3/new_model/software/__init__.py index 0e31820ad..b4497a6fd 100644 --- a/src/spdx_tools/spdx3/new_model/software/__init__.py +++ b/src/spdx_tools/spdx3/new_model/software/__init__.py @@ -2,6 +2,7 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa from .dependency_conditionality_type import DependencyConditionalityType from .file import File diff --git a/src/spdx_tools/spdx3/new_model/software/dependency_conditionality_type.py b/src/spdx_tools/spdx3/new_model/software/dependency_conditionality_type.py index 7f842120b..427d65eab 100644 --- a/src/spdx_tools/spdx3/new_model/software/dependency_conditionality_type.py +++ b/src/spdx_tools/spdx3/new_model/software/dependency_conditionality_type.py @@ -2,10 +2,12 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from beartype.typing import Optional from enum import Enum, auto +from beartype.typing import Optional + class DependencyConditionalityType(Enum): """ @@ -47,7 +49,7 @@ def __str__(self) -> str: return "unknown" @staticmethod - def from_str(value: str) -> Optional['DependencyConditionalityType']: + def from_str(value: str) -> Optional["DependencyConditionalityType"]: if value == "optional": return DependencyConditionalityType.OPTIONAL if value == "required": diff --git a/src/spdx_tools/spdx3/new_model/software/file.py b/src/spdx_tools/spdx3/new_model/software/file.py index bde332bfb..217685f7e 100644 --- a/src/spdx_tools/spdx3/new_model/software/file.py +++ b/src/spdx_tools/spdx3/new_model/software/file.py @@ -2,15 +2,18 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from ..core import Agent, CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod -from ..licensing import AnyLicenseInfo -from ..software import SoftwareArtifact, SoftwarePurpose -from beartype.typing import List, Optional from datetime import datetime -from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from beartype.typing import List, Optional from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core import CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod +from ..licensing import AnyLicenseInfo +from ..software import SoftwareArtifact, SoftwarePurpose @dataclass_with_properties @@ -19,6 +22,7 @@ class File(SoftwareArtifact): Refers to any object that stores content on a computer. The type of content can optionally be provided in the contentType property. External property restriction on /Core/Element/name: minCount: 1 """ + content_type: Optional[str] = None """ This field is a reasonable estimation of the content type of the Element, from a creator perspective. Content type diff --git a/src/spdx_tools/spdx3/new_model/software/package.py b/src/spdx_tools/spdx3/new_model/software/package.py index bbf42e9c7..f11cc0f5a 100644 --- a/src/spdx_tools/spdx3/new_model/software/package.py +++ b/src/spdx_tools/spdx3/new_model/software/package.py @@ -2,22 +2,25 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from ..core import Agent, CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod -from ..licensing import AnyLicenseInfo -from ..software import SoftwareArtifact, SoftwarePurpose -from beartype.typing import List, Optional from datetime import datetime -from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from beartype.typing import List, Optional from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core import CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod +from ..licensing import AnyLicenseInfo +from ..software import SoftwareArtifact, SoftwarePurpose @dataclass_with_properties class Package(SoftwareArtifact): """ - A package refers to any unit of content that can be associated with a distribution of software. Typically, a package - is composed of one or more files. + A package refers to any unit of content that can be associated with a distribution of software. Typically, a + package is composed of one or more files. Any of the following non-limiting examples may be (but are not required to be) represented in SPDX as a package: - a tarball, zip file or other archive @@ -31,6 +34,7 @@ class Package(SoftwareArtifact): Note that some of these could be represented in SPDX as a file as well. External property restriction on /Core/Element/name: minCount: 1 """ + package_version: Optional[str] = None """ A packageVersion is useful for identification purposes and for indicating later changes of the package version. @@ -43,8 +47,8 @@ class Package(SoftwareArtifact): """ package_url: Optional[str] = None """ - A packageUrl (commonly pronounced and referred to as "purl") is an attempt to standardize package representations in - order to reliably identify and locate software packages. A purl is a URL string which represents a package in a + A packageUrl (commonly pronounced and referred to as "purl") is an attempt to standardize package representations + in order to reliably identify and locate software packages. A purl is a URL string which represents a package in a mostly universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs and databases. @@ -54,9 +58,9 @@ class Package(SoftwareArtifact): ``` The definition for each component can be found in the [purl - specification](https://github.com/package-url/purl-spec/blob/master/PURL-SPECIFICATION.rst). Components are designed - such that they form a hierarchy from the most significant on the left to the least significant components on the - right. + specification](https://github.com/package-url/purl-spec/blob/master/PURL-SPECIFICATION.rst). Components are + designed such that they form a hierarchy from the most significant on the left to the least significant components + on the right. Parsing a purl string into its components works from left to right. Some extra type-specific normalizations are required. For more information, see [How to parse a purl string in its diff --git a/src/spdx_tools/spdx3/new_model/software/sbom.py b/src/spdx_tools/spdx3/new_model/software/sbom.py index f89c41e97..0b9b77c53 100644 --- a/src/spdx_tools/spdx3/new_model/software/sbom.py +++ b/src/spdx_tools/spdx3/new_model/software/sbom.py @@ -2,28 +2,32 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from ..core import Bom, CreationInfo, Element, ExternalIdentifier, ExternalMap, ExternalReference, IntegrityMethod -from ..software import SbomType -from beartype.typing import List, Optional from dataclasses import field -from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from beartype.typing import List, Optional from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core import Bom, CreationInfo, ExternalIdentifier, ExternalMap, ExternalReference, IntegrityMethod +from ..software import SbomType @dataclass_with_properties class Sbom(Bom): """ - A Software Bill of Materials (SBOM) is a collection of SPDX Elements describing a single package. This could include - details of the content and composition of the product, provenance details of the product and/or its composition, - licensing information, known quality or security issues, etc. + A Software Bill of Materials (SBOM) is a collection of SPDX Elements describing a single package. This could + include details of the content and composition of the product, provenance details of the product and/or its + composition, licensing information, known quality or security issues, etc. """ + sbom_type: List[SbomType] = field(default_factory=list) """ This field is a reasonable estimation of the type of SBOM created from a creator perspective. It is intended to be - used to give guidance on the elements that may be contained within it. Aligning with the guidance produced in [Types - of Software Bill of Material (SBOM) + used to give guidance on the elements that may be contained within it. Aligning with the guidance produced in + [Types of Software Bill of Material (SBOM) Documents](https://www.cisa.gov/sites/default/files/2023-04/sbom-types-document-508c.pdf). """ diff --git a/src/spdx_tools/spdx3/new_model/software/sbom_type.py b/src/spdx_tools/spdx3/new_model/software/sbom_type.py index a1e59a81d..5a3640bb7 100644 --- a/src/spdx_tools/spdx3/new_model/software/sbom_type.py +++ b/src/spdx_tools/spdx3/new_model/software/sbom_type.py @@ -2,10 +2,12 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from beartype.typing import Optional from enum import Enum, auto +from beartype.typing import Optional + class SbomType(Enum): """ @@ -18,8 +20,8 @@ class SbomType(Enum): DESIGN = auto() """ - SBOM of intended, planned software project or product with included components (some of which may not yet exist) for - a new software artifact. + SBOM of intended, planned software project or product with included components (some of which may not yet exist) + for a new software artifact. """ SOURCE = auto() """ @@ -67,7 +69,7 @@ def __str__(self) -> str: return "unknown" @staticmethod - def from_str(value: str) -> Optional['SbomType']: + def from_str(value: str) -> Optional["SbomType"]: if value == "design": return SbomType.DESIGN if value == "source": diff --git a/src/spdx_tools/spdx3/new_model/software/snippet.py b/src/spdx_tools/spdx3/new_model/software/snippet.py index 63bbd282b..12a594786 100644 --- a/src/spdx_tools/spdx3/new_model/software/snippet.py +++ b/src/spdx_tools/spdx3/new_model/software/snippet.py @@ -2,15 +2,18 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from ..core import Agent, CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod, PositiveIntegerRange -from ..licensing import AnyLicenseInfo -from ..software import SoftwareArtifact, SoftwarePurpose -from beartype.typing import List, Optional from datetime import datetime -from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from beartype.typing import List, Optional from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core import CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod, PositiveIntegerRange +from ..licensing import AnyLicenseInfo +from ..software import SoftwareArtifact, SoftwarePurpose @dataclass_with_properties @@ -20,6 +23,7 @@ class Snippet(SoftwareArtifact): been included from another original source. Snippets are useful for denoting when part of a file may have been originally created under another license or copied from a place with a known vulnerability. """ + byte_range: Optional[PositiveIntegerRange] = None """ This field defines the byte range in the original host file that the snippet information applies to. A range of diff --git a/src/spdx_tools/spdx3/new_model/software/software_artifact.py b/src/spdx_tools/spdx3/new_model/software/software_artifact.py index cbdb08f01..e4d650704 100644 --- a/src/spdx_tools/spdx3/new_model/software/software_artifact.py +++ b/src/spdx_tools/spdx3/new_model/software/software_artifact.py @@ -2,30 +2,33 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from ..core import Agent, Artifact, CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod -from ..licensing import AnyLicenseInfo -from ..software import SoftwarePurpose from abc import abstractmethod -from beartype.typing import List, Optional from dataclasses import field -from datetime import datetime + +from beartype.typing import List, Optional from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from ..core import Artifact +from ..licensing import AnyLicenseInfo +from ..software import SoftwarePurpose + @dataclass_with_properties class SoftwareArtifact(Artifact): """ A software artifact is a distinct article or unit related to software such as a package, a file, or a snippet. """ + content_identifier: Optional[str] = None """ The contentIdentifier provides a canonical, unique, immutable artifact identifier for each software artifact. SPDX 3.0 describes software artifacts as Snippet, File, or Package Elements. The ContentIdentifier can be calculated for any software artifact and can be recorded for any of these SPDX 3.0 Elements using Omnibor, an attempt to - standardize how software artifacts are identified independent of which programming language, version control system, - build tool, package manager, or software distribution mechanism is in use. + standardize how software artifacts are identified independent of which programming language, version control + system, build tool, package manager, or software distribution mechanism is in use. The contentIdentifier is defined as the [Git Object Identifier](https://git-scm.com/book/en/v2/Git-Internals-Git-Objects) (gitoid) of type `blob` of the software @@ -54,8 +57,8 @@ class SoftwareArtifact(Artifact): """ concluded_license: Optional[AnyLicenseInfo] = None """ - A concludedLicense is the license identified by the SPDX data creator, based on analyzing the license information in - the software Package, File or Snippet and other information to arrive at a reasonably objective conclusion as to + A concludedLicense is the license identified by the SPDX data creator, based on analyzing the license information + in the software Package, File or Snippet and other information to arrive at a reasonably objective conclusion as to what license governs it. If a concludedLicense has a NONE value (NoneLicense), this indicates that the SPDX data creator has looked and did @@ -73,13 +76,13 @@ class SoftwareArtifact(Artifact): explanation SHOULD be provided in the licenseComment field. If the declaredLicense for a software Package, File or Snippet is a choice of more than one license (e.g. a license - expression combining two licenses through use of the `OR` operator), then the concludedLicense may either retain the - license choice or identify which license was chosen. + expression combining two licenses through use of the `OR` operator), then the concludedLicense may either retain + the license choice or identify which license was chosen. """ declared_license: Optional[AnyLicenseInfo] = None """ - A declaredLicense is the license identified in text in the software package, file or snippet as the license declared - by its authors. + A declaredLicense is the license identified in text in the software package, file or snippet as the license + declared by its authors. This field is not intended to capture license information obtained from an external source, such as a package's website. Such information can be included, as needed, in a concludedLicense field. @@ -105,18 +108,19 @@ class SoftwareArtifact(Artifact): If a declaredLicense has a NONE value (NoneLicense), this indicates that the corresponding Package, File or Snippet contains no license information whatsoever. - If a declaredLicense has a NOASSERTION value (NoAssertionLicense), this indicates that one of the following applies: + If a declaredLicense has a NOASSERTION value (NoAssertionLicense), this indicates that one of the following + applies: * the SPDX data creator has attempted to but cannot reach a reasonable objective determination; * the SPDX data creator has made no attempt to determine this field; or * the SPDX data creator has intentionally provided no information (no meaning should be implied by doing so). """ copyright_text: Optional[str] = None """ - A copyrightText consists of the text(s) of the copyright notice(s) found for a software Package, File or Snippet, if - any. + A copyrightText consists of the text(s) of the copyright notice(s) found for a software Package, File or Snippet, + if any. - If a copyrightText contains text, then it may contain any text related to one or more copyright notices (even if not - complete) for that software Package, File or Snippet. + If a copyrightText contains text, then it may contain any text related to one or more copyright notices (even if + not complete) for that software Package, File or Snippet. If a copyrightText has a "NONE" value, this indicates that the software Package, File or Snippet contains no copyright notice whatsoever. diff --git a/src/spdx_tools/spdx3/new_model/software/software_dependency_link_type.py b/src/spdx_tools/spdx3/new_model/software/software_dependency_link_type.py index e2ae2048c..f9c3a0852 100644 --- a/src/spdx_tools/spdx3/new_model/software/software_dependency_link_type.py +++ b/src/spdx_tools/spdx3/new_model/software/software_dependency_link_type.py @@ -2,10 +2,12 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from beartype.typing import Optional from enum import Enum, auto +from beartype.typing import Optional + class SoftwareDependencyLinkType(Enum): """ @@ -41,7 +43,7 @@ def __str__(self) -> str: return "unknown" @staticmethod - def from_str(value: str) -> Optional['SoftwareDependencyLinkType']: + def from_str(value: str) -> Optional["SoftwareDependencyLinkType"]: if value == "static": return SoftwareDependencyLinkType.STATIC if value == "dynamic": diff --git a/src/spdx_tools/spdx3/new_model/software/software_dependency_relationship.py b/src/spdx_tools/spdx3/new_model/software/software_dependency_relationship.py index 94e59c85c..23427c984 100644 --- a/src/spdx_tools/spdx3/new_model/software/software_dependency_relationship.py +++ b/src/spdx_tools/spdx3/new_model/software/software_dependency_relationship.py @@ -2,14 +2,26 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from ..core import CreationInfo, Element, ExternalIdentifier, ExternalReference, IntegrityMethod, LifecycleScopeType, LifecycleScopedRelationship, RelationshipCompleteness, RelationshipType -from ..software import DependencyConditionalityType, SoftwareDependencyLinkType -from beartype.typing import List, Optional from datetime import datetime -from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from beartype.typing import List, Optional from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..core import ( + CreationInfo, + ExternalIdentifier, + ExternalReference, + IntegrityMethod, + LifecycleScopedRelationship, + LifecycleScopeType, + RelationshipCompleteness, + RelationshipType, +) +from ..software import DependencyConditionalityType, SoftwareDependencyLinkType @dataclass_with_properties @@ -17,6 +29,7 @@ class SoftwareDependencyRelationship(LifecycleScopedRelationship): """ TODO """ + software_linkage: Optional[SoftwareDependencyLinkType] = None """ A softwareLinkage is TODO diff --git a/src/spdx_tools/spdx3/new_model/software/software_purpose.py b/src/spdx_tools/spdx3/new_model/software/software_purpose.py index 33ad883fc..5ddd44be8 100644 --- a/src/spdx_tools/spdx3/new_model/software/software_purpose.py +++ b/src/spdx_tools/spdx3/new_model/software/software_purpose.py @@ -2,17 +2,19 @@ # # This file was auto-generated by dev/gen_python_model_from_spec.py # Do not manually edit! +# flake8: noqa -from beartype.typing import Optional from enum import Enum, auto +from beartype.typing import Optional + class SoftwarePurpose(Enum): """ This field provides information about the primary purpose of an Element. Software Purpose is intrinsic to how the - Element is being used rather than the content of the Element. This field is a reasonable estimate of the most likely - usage of the Element from the producer and consumer perspective from which both parties can draw conclusions about - the context in which the Element exists. + Element is being used rather than the content of the Element. This field is a reasonable estimate of the most + likely usage of the Element from the producer and consumer perspective from which both parties can draw conclusions + about the context in which the Element exists. """ APPLICATION = auto() @@ -171,7 +173,7 @@ def __str__(self) -> str: return "unknown" @staticmethod - def from_str(value: str) -> Optional['SoftwarePurpose']: + def from_str(value: str) -> Optional["SoftwarePurpose"]: if value == "application": return SoftwarePurpose.APPLICATION if value == "archive": From 49e103e2eba5c526da650a6463d365a462ec5245 Mon Sep 17 00:00:00 2001 From: Holger Frydrych Date: Thu, 27 Jul 2023 16:19:36 +0200 Subject: [PATCH 29/33] Refactor code generator; split into multiple files Signed-off-by: Holger Frydrych --- dev/gen_python_model_from_spec.py | 380 ++--------------------------- dev/model_gen/__init__.py | 0 dev/model_gen/class_templates.py | 32 +++ dev/model_gen/gen_class.py | 232 ++++++++++++++++++ dev/model_gen/general_templates.py | 11 + dev/model_gen/utils.py | 103 ++++++++ dev/model_gen/vocab_templates.py | 27 ++ 7 files changed, 421 insertions(+), 364 deletions(-) create mode 100644 dev/model_gen/__init__.py create mode 100644 dev/model_gen/class_templates.py create mode 100644 dev/model_gen/gen_class.py create mode 100644 dev/model_gen/general_templates.py create mode 100644 dev/model_gen/utils.py create mode 100644 dev/model_gen/vocab_templates.py diff --git a/dev/gen_python_model_from_spec.py b/dev/gen_python_model_from_spec.py index fbf752bae..9b0a70946 100644 --- a/dev/gen_python_model_from_spec.py +++ b/dev/gen_python_model_from_spec.py @@ -22,374 +22,26 @@ """ import json -import logging import os.path -import textwrap -from dataclasses import dataclass from pathlib import Path -from typing import Optional -import mistletoe -from mistletoe.markdown_renderer import MarkdownRenderer +from model_gen.gen_class import GenClassFromSpec +from model_gen.general_templates import FILE_HEADER +from model_gen.utils import ( + SPECIAL_TYPE_MAPPINGS, + get_file_path, + get_python_docstring, + get_qualified_name, + namespace_name_to_python, +) +from model_gen.vocab_templates import VOCAB_ENTRY, VOCAB_FILE, VOCAB_STR_TO_VALUE, VOCAB_VALUE_TO_STR from spdx_tools.spdx.casing_tools import camel_case_to_snake_case -FILE_HEADER = """# SPDX-License-Identifier: Apache-2.0 -# -# This file was auto-generated by dev/gen_python_model_from_spec.py -# Do not manually edit! -# flake8: noqa - -""" - -VOCAB_FILE = FILE_HEADER + """from beartype.typing import Optional -from enum import Enum, auto - - -class {typename}(Enum):{docstring} - -{values} - - def __str__(self) -> str: -{values_to_str} - return "unknown" - - @staticmethod - def from_str(value: str) -> Optional['{typename}']: -{str_to_values} - return None -""" - -VOCAB_ENTRY = " {value} = auto(){docstring}" - -VOCAB_VALUE_TO_STR = " if self == {typename}.{python_value}:\n return \"{str_value}\"" - -VOCAB_STR_TO_VALUE = " if value == \"{str_value}\":\n return {typename}.{python_value}" - -CLS_FILE = FILE_HEADER + """{imports} -from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties - - -@dataclass_with_properties -class {typename}({parent}):{docstring} -{properties} -{constructor}""" - -CLS_IMPORTS = "from {module} import {types}\n" - -CLS_PROP = " {prop_name}: {prop_type}{default}{docstring}\n" - -CLS_INIT = """ def __init__( - self,{arguments} - ):{remaps} - check_types_and_set_values(self, locals()) -""" -CLS_INIT_ARG = "\n {prop_name}: {prop_type}," -CLS_INIT_ARG_OPT = "\n {prop_name}: {prop_type} = None," -CLS_INIT_REMAP = "\n {prop_name} = {default} if {prop_name} is None else {prop_name}" - -CLS_INIT_ABSTRACT = """ @abstractmethod - def __init__(self): - pass -""" - -SPECIAL_TYPE_MAPPINGS: dict[str, tuple[str, Optional[str]]] = { - "Core/DateTime": ("datetime", "datetime"), - "Core/DictionaryEntry": ("Dict[str, Optional[str]]", None), - "Core/Extension": ("str", None), - "Core/MediaType": ("str", None), - "Core/SemVer": ("Version", "semantic_version"), - "xsd:anyURI": ("str", None), - "xsd:boolean": ("bool", None), - "xsd:datetime": ("datetime", "datetime"), - "xsd:decimal": ("float", None), - "xsd:double": ("float", None), - "xsd:float": ("float", None), - "xsd:int": ("int", None), - "xsd:integer": ("int", None), - "xsd:negativeInteger": ("int", None), - "xsd:nonNegativeInteger": ("int", None), - "xsd:nonPositiveInteger": ("int", None), - "xsd:positiveInteger": ("int", None), - "xsd:string": ("str", None), -} - -SPECIAL_PROPTYPE_MAPPINGS: dict[str, tuple[str, Optional[str]]] = { - # for the moment, we replace Element and Agent references with string references to their ID - # otherwise, there is a cyclic dependency between CreationInfo and Agent that is problematic to deal with - "Core/Agent": ("str", None), - "Core/Element": ("str", None), -} - # TODO: use the actual model package path rather than a separate path output_dir = os.path.join(os.path.dirname(__file__), "../src/spdx_tools/spdx3/new_model") -def prop_name_to_python(prop_name: str): - special_cases = {"from": "from_element", "homePage": "homepage"} - prop_name = get_short_prop_name(prop_name) - if prop_name in special_cases: - return special_cases[prop_name] - return camel_case_to_snake_case(prop_name) - - -def namespace_name_to_python(namespace_name: str): - special_cases = {"AI": "ai"} - if namespace_name in special_cases: - return special_cases[namespace_name] - return camel_case_to_snake_case(namespace_name) - - -def get_file_path(typename: str, namespace: str) -> str: - namespace = namespace_name_to_python(namespace) - typename = camel_case_to_snake_case(typename) if typename != "AIPackage" else "ai_package" - return os.path.join(output_dir, namespace, f"{typename}.py") - - -def get_python_docstring(description: Optional[str], indent: int) -> str: - if not description: - return "" - - line_length = 119 - indent - with MarkdownRenderer(max_line_length=line_length) as renderer: - text = renderer.render(mistletoe.Document(description)) - text = '\n"""\n' + text + '"""' - return textwrap.indent(text, ' ' * indent) - - -def get_qualified_name(name: str, namespace: str): - if name.startswith('/'): - name = name[1:] - if name.startswith("xsd:"): - return name - if '/' in name: - return name - return f"{namespace}/{name}" - - -def split_qualified_name(typename: str) -> tuple[str, str]: - if '/' not in typename: - return "", typename - namespace, _, typename = typename.partition('/') - return namespace, typename - - -def to_python_type(typename: str) -> str: - if typename in SPECIAL_TYPE_MAPPINGS: - return SPECIAL_TYPE_MAPPINGS[typename][0] - if typename.startswith("xsd:"): - return "str" - _, typename = split_qualified_name(typename) - return typename - - -def extract_parent_type(cls: dict, namespace: str) -> Optional[str]: - parent_class = cls["metadata"].get("SubclassOf") or "none" - if parent_class == "none": - return None - return get_qualified_name(parent_class, namespace) - - -def get_short_prop_name(qualified_name: str) -> str: - if '/' not in qualified_name: - return qualified_name - return qualified_name[qualified_name.rindex('/') + 1:] - - -@dataclass -class Property: - name: str - type: str - optional: bool - is_list: bool - inherited: bool - - def get_python_type(self) -> str: - if self.type == "Core/DictionaryEntry": - return "Dict[str, Optional[str]]" - if self.type in SPECIAL_PROPTYPE_MAPPINGS: - prop_type = SPECIAL_PROPTYPE_MAPPINGS[self.type][0] - else: - prop_type = to_python_type(self.type) - if self.is_list: - prop_type = f"List[{prop_type}]" - elif self.optional: - prop_type = f"Optional[{prop_type}]" - return prop_type - - -class GenClassFromSpec: - cls: dict - model: dict - - typename: str - namespace: str - filename: str - file_path: str - parent_class: str - docstring: str - # module -> types - imports: dict[str, set[str]] - props: list[Property] - - def __init__(self, cls: dict, namespace: str, model: dict): - self.cls = cls - self.namespace = namespace - self.model = model - self.imports = dict() - self.props = list() - - self.typename = cls["metadata"]["name"] - self.filename = camel_case_to_snake_case(self.typename) - parent_class = extract_parent_type(cls, namespace) - if not parent_class: - self.parent_class = "ABC" - self._add_import("abc", "ABC") - else: - self.parent_class = to_python_type(parent_class) - self._import_spdx_type(parent_class) - self.docstring = get_python_docstring(cls["description"], 4) - self.file_path = get_file_path(self.typename, namespace) - - self._collect_props(self.cls, self.namespace, False) - - def _add_import(self, module: str, typename: str): - if module not in self.imports: - self.imports[module] = set() - self.imports[module].add(typename) - - def _import_spdx_type(self, typename: str): - if typename in SPECIAL_TYPE_MAPPINGS: - import_type, import_module = SPECIAL_TYPE_MAPPINGS[typename] - if import_module: - self._add_import(import_module, import_type) - return - if typename.startswith("xsd:"): - return - namespace, typename = split_qualified_name(typename) - namespace = f"..{namespace_name_to_python(namespace)}" - self._add_import(namespace, typename) - - def _find_prop(self, propname: str) -> Optional[Property]: - propname = prop_name_to_python(propname) - return next(filter(lambda p: prop_name_to_python(p.name) == propname, self.props), None) - - def _collect_props(self, cls: dict, namespace: str, is_parent: bool): - parent = extract_parent_type(cls, namespace) - if parent: - parent_namespace, parent_class = split_qualified_name(parent) - if parent_namespace in self.model and parent_class in self.model[parent_namespace]["classes"]: - self._collect_props(self.model[parent_namespace]["classes"][parent_class], parent_namespace, True) - - for propname, propinfo in cls["properties"].items(): - if self._find_prop(propname): - logging.warning("Class %s is redefining property %s from a parent class, ignoring", - cls["metadata"]["name"], propname) - continue - propname = get_qualified_name(propname, namespace) - proptype = get_qualified_name(propinfo["type"], namespace) - optional = "minCount" not in propinfo or propinfo["minCount"] == "0" - is_list = "maxCount" not in propinfo or propinfo["maxCount"] != "1" - prop = Property(propname, proptype, optional, is_list, is_parent) - self.props.append(prop) - - if "externalPropertyRestrictions" not in cls: - return - for propname, propinfo in cls["externalPropertyRestrictions"].items(): - prop = self._find_prop(propname) - if not prop: - continue - if "minCount" in propinfo: - prop.optional = prop.optional and propinfo["minCount"] == "0" - if "maxCount" in propinfo: - prop.is_list = prop.is_list and propinfo["maxCount"] != "1" - - def gen_file(self): - properties = self._gen_props() - constructor = self._gen_constructor() - # imports should be last, as we may add additional types to import during generation - imports = self._gen_imports() - with open(self.file_path, "w") as output_file: - output_file.write( - CLS_FILE.format(typename=self.typename, parent=self.parent_class, docstring=self.docstring, - properties=properties, imports=imports, constructor=constructor)) - - def _gen_imports(self) -> str: - imports = "" - for module in sorted(self.imports.keys()): - types = ", ".join(sorted(self.imports[module])) - imports += CLS_IMPORTS.format(module=module, types=types) - return imports - - def _import_prop_type(self, prop: Property): - if prop.type in SPECIAL_PROPTYPE_MAPPINGS: - import_type, import_module = SPECIAL_PROPTYPE_MAPPINGS[prop.type] - if import_module: - self._add_import(import_module, import_type) - else: - self._import_spdx_type(prop.type) - - if prop.type == "Core/DictionaryEntry": - self._add_import("beartype.typing", "Dict") - self._add_import("beartype.typing", "Optional") - elif prop.is_list: - self._add_import("beartype.typing", "List") - elif prop.optional: - self._add_import("beartype.typing", "Optional") - - def _gen_props(self) -> str: - code = "" - own_props = (prop for prop in self.props if not prop.inherited) - for prop in own_props: - default = "" - name = prop_name_to_python(prop.name) - proptype = prop.get_python_type() - docstring = self._get_prop_docstring(prop.name) - self._import_prop_type(prop) - if prop.type == "Core/DictionaryType": - default = " = field(default_factory=dict)" - self._add_import("dataclasses", "field") - elif prop.is_list: - default = " = field(default_factory=list)" - self._add_import("dataclasses", "field") - elif prop.optional: - default = " = None" - code += CLS_PROP.format(prop_name=name, prop_type=proptype, default=default, docstring=docstring) - return code - - def _get_prop_docstring(self, name: str) -> str: - namespace, propname = split_qualified_name(name) - if namespace not in self.model or "properties" not in self.model[namespace]: - return "" - prop = self.model[namespace]["properties"].get(propname) - if not prop: - return "" - return get_python_docstring(prop["description"], 4) - - def _gen_constructor(self) -> str: - if self.cls["metadata"].get("Instantiability") == "Abstract": - self._add_import("abc", "abstractmethod") - return CLS_INIT_ABSTRACT - - self._add_import("spdx_tools.common.typing.type_checks", "check_types_and_set_values") - args = "" - remaps = "" - required_props = (prop for prop in self.props if not prop.optional) - optional_props = (prop for prop in self.props if prop.optional) - for prop in required_props: - self._import_prop_type(prop) - args += CLS_INIT_ARG.format(prop_name=prop_name_to_python(prop.name), prop_type=prop.get_python_type()) - for prop in optional_props: - self._import_prop_type(prop) - prop_name = prop_name_to_python(prop.name) - args += CLS_INIT_ARG_OPT.format(prop_name=prop_name, prop_type=prop.get_python_type()) - if prop.type == "Core/DictionaryEntry": - remaps += CLS_INIT_REMAP.format(prop_name=prop_name, default="{}") - elif prop.is_list: - remaps += CLS_INIT_REMAP.format(prop_name=prop_name, default="[]") - return CLS_INIT.format(arguments=args, remaps=remaps) - - class GenPythonModelFromSpec: namespace_imports: str init_imports: dict[str, dict[str, str]] @@ -409,7 +61,7 @@ def handle_class(self, clazz: dict, namespace_name: str, model: dict): # do not generate Python classes for types we are mapping differently return - clsinfo = GenClassFromSpec(clazz, namespace_name, model) + clsinfo = GenClassFromSpec(clazz, namespace_name, model, output_dir) clsinfo.gen_file() if namespace_name not in self.init_imports: @@ -429,13 +81,13 @@ def handle_vocab(self, vocab: dict, namespace_name: str): str_value=value, typename=typename) for value in vocab["entries"]]) docstring = get_python_docstring(vocab["description"], 4) - file_path = get_file_path(typename, namespace_name) + file_path = get_file_path(typename, namespace_name, output_dir) with open(file_path, "w") as output_file: - output_file.write(VOCAB_FILE.format(typename=typename, values=values_text, values_to_str=values_to_str_text, - str_to_values=str_to_values_text, python_typename=python_typename, - docstring=docstring)) + output_file.write(VOCAB_FILE.format(typename=typename, values=values_text, + values_to_str=values_to_str_text, str_to_values=str_to_values_text, + python_typename=python_typename, docstring=docstring)) - if not namespace_name in self.init_imports: + if namespace_name not in self.init_imports: self.init_imports[namespace_name] = dict() self.init_imports[namespace_name][python_typename] = typename diff --git a/dev/model_gen/__init__.py b/dev/model_gen/__init__.py new file mode 100644 index 000000000..e69de29bb diff --git a/dev/model_gen/class_templates.py b/dev/model_gen/class_templates.py new file mode 100644 index 000000000..e5f3c14ec --- /dev/null +++ b/dev/model_gen/class_templates.py @@ -0,0 +1,32 @@ +# SPDX-FileCopyrightText: 2023 spdx contributors +# +# SPDX-License-Identifier: Apache-2.0 + +from .general_templates import FILE_HEADER + +CLS_FILE = FILE_HEADER + """{imports} +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties + + +@dataclass_with_properties +class {typename}({parent}):{docstring} +{properties} +{constructor}""" + +CLS_IMPORTS = "from {module} import {types}\n" + +CLS_PROP = " {prop_name}: {prop_type}{default}{docstring}\n" + +CLS_INIT = """ def __init__( + self,{arguments} + ):{remaps} + check_types_and_set_values(self, locals()) +""" +CLS_INIT_ARG = "\n {prop_name}: {prop_type}," +CLS_INIT_ARG_OPT = "\n {prop_name}: {prop_type} = None," +CLS_INIT_REMAP = "\n {prop_name} = {default} if {prop_name} is None else {prop_name}" + +CLS_INIT_ABSTRACT = """ @abstractmethod + def __init__(self): + pass +""" diff --git a/dev/model_gen/gen_class.py b/dev/model_gen/gen_class.py new file mode 100644 index 000000000..7516f4e9a --- /dev/null +++ b/dev/model_gen/gen_class.py @@ -0,0 +1,232 @@ +# SPDX-FileCopyrightText: 2023 spdx contributors +# +# SPDX-License-Identifier: Apache-2.0 +import logging +from dataclasses import dataclass + +from beartype.typing import Optional + +from spdx_tools.spdx.casing_tools import camel_case_to_snake_case + +from .class_templates import ( + CLS_FILE, + CLS_IMPORTS, + CLS_INIT, + CLS_INIT_ABSTRACT, + CLS_INIT_ARG, + CLS_INIT_ARG_OPT, + CLS_INIT_REMAP, + CLS_PROP, +) +from .utils import ( + SPECIAL_TYPE_MAPPINGS, + extract_parent_type, + get_file_path, + get_python_docstring, + get_qualified_name, + namespace_name_to_python, + prop_name_to_python, + split_qualified_name, + to_python_type, +) + +SPECIAL_PROPTYPE_MAPPINGS: dict[str, tuple[str, Optional[str]]] = { + # for the moment, we replace Element and Agent references with string references to their ID + # otherwise, there is a cyclic dependency between CreationInfo and Agent that is problematic to deal with + "Core/Agent": ("str", None), + "Core/Element": ("str", None), +} + + +@dataclass +class Property: + name: str + type: str + optional: bool + is_list: bool + inherited: bool + + def get_python_type(self) -> str: + if self.type == "Core/DictionaryEntry": + return "Dict[str, Optional[str]]" + if self.type in SPECIAL_PROPTYPE_MAPPINGS: + prop_type = SPECIAL_PROPTYPE_MAPPINGS[self.type][0] + else: + prop_type = to_python_type(self.type) + if self.is_list: + prop_type = f"List[{prop_type}]" + elif self.optional: + prop_type = f"Optional[{prop_type}]" + return prop_type + + +class GenClassFromSpec: + cls: dict + model: dict + + typename: str + namespace: str + filename: str + file_path: str + parent_class: str + docstring: str + # module -> types + imports: dict[str, set[str]] + props: list[Property] + + def __init__(self, cls: dict, namespace: str, model: dict, output_dir: str): + self.cls = cls + self.namespace = namespace + self.model = model + self.imports = dict() + self.props = list() + + self.typename = cls["metadata"]["name"] + self.filename = camel_case_to_snake_case(self.typename) + parent_class = extract_parent_type(cls, namespace) + if not parent_class: + self.parent_class = "ABC" + self._add_import("abc", "ABC") + else: + self.parent_class = to_python_type(parent_class) + self._import_spdx_type(parent_class) + self.docstring = get_python_docstring(cls["description"], 4) + self.file_path = get_file_path(self.typename, namespace, output_dir) + + self._collect_props(self.cls, self.namespace, False) + + def _add_import(self, module: str, typename: str): + if module not in self.imports: + self.imports[module] = set() + self.imports[module].add(typename) + + def _import_spdx_type(self, typename: str): + if typename in SPECIAL_TYPE_MAPPINGS: + import_type, import_module = SPECIAL_TYPE_MAPPINGS[typename] + if import_module: + self._add_import(import_module, import_type) + return + if typename.startswith("xsd:"): + return + namespace, typename = split_qualified_name(typename) + namespace = f"..{namespace_name_to_python(namespace)}" + self._add_import(namespace, typename) + + def _find_prop(self, propname: str) -> Optional[Property]: + propname = prop_name_to_python(propname) + return next(filter(lambda p: prop_name_to_python(p.name) == propname, self.props), None) + + def _collect_props(self, cls: dict, namespace: str, is_parent: bool): + parent = extract_parent_type(cls, namespace) + if parent: + parent_namespace, parent_class = split_qualified_name(parent) + if parent_namespace in self.model and parent_class in self.model[parent_namespace]["classes"]: + self._collect_props(self.model[parent_namespace]["classes"][parent_class], parent_namespace, True) + + for propname, propinfo in cls["properties"].items(): + if self._find_prop(propname): + logging.warning("Class %s is redefining property %s from a parent class, ignoring", + cls["metadata"]["name"], propname) + continue + propname = get_qualified_name(propname, namespace) + proptype = get_qualified_name(propinfo["type"], namespace) + optional = "minCount" not in propinfo or propinfo["minCount"] == "0" + is_list = "maxCount" not in propinfo or propinfo["maxCount"] != "1" + prop = Property(propname, proptype, optional, is_list, is_parent) + self.props.append(prop) + + if "externalPropertyRestrictions" not in cls: + return + for propname, propinfo in cls["externalPropertyRestrictions"].items(): + prop = self._find_prop(propname) + if not prop: + continue + if "minCount" in propinfo: + prop.optional = prop.optional and propinfo["minCount"] == "0" + if "maxCount" in propinfo: + prop.is_list = prop.is_list and propinfo["maxCount"] != "1" + + def gen_file(self): + properties = self._gen_props() + constructor = self._gen_constructor() + # imports should be last, as we may add additional types to import during generation + imports = self._gen_imports() + with open(self.file_path, "w") as output_file: + output_file.write( + CLS_FILE.format(typename=self.typename, parent=self.parent_class, docstring=self.docstring, + properties=properties, imports=imports, constructor=constructor)) + + def _gen_imports(self) -> str: + imports = "" + for module in sorted(self.imports.keys()): + types = ", ".join(sorted(self.imports[module])) + imports += CLS_IMPORTS.format(module=module, types=types) + return imports + + def _import_prop_type(self, prop: Property): + if prop.type in SPECIAL_PROPTYPE_MAPPINGS: + import_type, import_module = SPECIAL_PROPTYPE_MAPPINGS[prop.type] + if import_module: + self._add_import(import_module, import_type) + else: + self._import_spdx_type(prop.type) + + if prop.type == "Core/DictionaryEntry": + self._add_import("beartype.typing", "Dict") + self._add_import("beartype.typing", "Optional") + elif prop.is_list: + self._add_import("beartype.typing", "List") + elif prop.optional: + self._add_import("beartype.typing", "Optional") + + def _gen_props(self) -> str: + code = "" + own_props = (prop for prop in self.props if not prop.inherited) + for prop in own_props: + default = "" + name = prop_name_to_python(prop.name) + proptype = prop.get_python_type() + docstring = self._get_prop_docstring(prop.name) + self._import_prop_type(prop) + if prop.type == "Core/DictionaryType": + default = " = field(default_factory=dict)" + self._add_import("dataclasses", "field") + elif prop.is_list: + default = " = field(default_factory=list)" + self._add_import("dataclasses", "field") + elif prop.optional: + default = " = None" + code += CLS_PROP.format(prop_name=name, prop_type=proptype, default=default, docstring=docstring) + return code + + def _get_prop_docstring(self, name: str) -> str: + namespace, propname = split_qualified_name(name) + if namespace not in self.model or "properties" not in self.model[namespace]: + return "" + prop = self.model[namespace]["properties"].get(propname) + if not prop: + return "" + return get_python_docstring(prop["description"], 4) + + def _gen_constructor(self) -> str: + if self.cls["metadata"].get("Instantiability") == "Abstract": + self._add_import("abc", "abstractmethod") + return CLS_INIT_ABSTRACT + + self._add_import("spdx_tools.common.typing.type_checks", "check_types_and_set_values") + args = "" + remaps = "" + required_props = (prop for prop in self.props if not prop.optional) + optional_props = (prop for prop in self.props if prop.optional) + for prop in required_props: + self._import_prop_type(prop) + args += CLS_INIT_ARG.format(prop_name=prop_name_to_python(prop.name), prop_type=prop.get_python_type()) + for prop in optional_props: + self._import_prop_type(prop) + prop_name = prop_name_to_python(prop.name) + args += CLS_INIT_ARG_OPT.format(prop_name=prop_name, prop_type=prop.get_python_type()) + if prop.type == "Core/DictionaryEntry": + remaps += CLS_INIT_REMAP.format(prop_name=prop_name, default="{}") + elif prop.is_list: + remaps += CLS_INIT_REMAP.format(prop_name=prop_name, default="[]") + return CLS_INIT.format(arguments=args, remaps=remaps) diff --git a/dev/model_gen/general_templates.py b/dev/model_gen/general_templates.py new file mode 100644 index 000000000..067d5d119 --- /dev/null +++ b/dev/model_gen/general_templates.py @@ -0,0 +1,11 @@ +# SPDX-FileCopyrightText: 2023 spdx contributors +# +# SPDX-License-Identifier: Apache-2.0 + +FILE_HEADER = """# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +""" diff --git a/dev/model_gen/utils.py b/dev/model_gen/utils.py new file mode 100644 index 000000000..f97c129f8 --- /dev/null +++ b/dev/model_gen/utils.py @@ -0,0 +1,103 @@ +# SPDX-FileCopyrightText: 2023 spdx contributors +# +# SPDX-License-Identifier: Apache-2.0 +import os +import textwrap + +import mistletoe +from beartype.typing import Optional +from mistletoe.markdown_renderer import MarkdownRenderer + +from spdx_tools.spdx.casing_tools import camel_case_to_snake_case + +SPECIAL_TYPE_MAPPINGS: dict[str, tuple[str, Optional[str]]] = { + "Core/DateTime": ("datetime", "datetime"), + "Core/DictionaryEntry": ("Dict[str, Optional[str]]", None), + "Core/Extension": ("str", None), + "Core/MediaType": ("str", None), + "Core/SemVer": ("Version", "semantic_version"), + "xsd:anyURI": ("str", None), + "xsd:boolean": ("bool", None), + "xsd:datetime": ("datetime", "datetime"), + "xsd:decimal": ("float", None), + "xsd:double": ("float", None), + "xsd:float": ("float", None), + "xsd:int": ("int", None), + "xsd:integer": ("int", None), + "xsd:negativeInteger": ("int", None), + "xsd:nonNegativeInteger": ("int", None), + "xsd:nonPositiveInteger": ("int", None), + "xsd:positiveInteger": ("int", None), + "xsd:string": ("str", None), +} + + +def prop_name_to_python(prop_name: str): + special_cases = {"from": "from_element", "homePage": "homepage"} + prop_name = get_short_prop_name(prop_name) + if prop_name in special_cases: + return special_cases[prop_name] + return camel_case_to_snake_case(prop_name) + + +def namespace_name_to_python(namespace_name: str): + special_cases = {"AI": "ai"} + if namespace_name in special_cases: + return special_cases[namespace_name] + return camel_case_to_snake_case(namespace_name) + + +def get_file_path(typename: str, namespace: str, output_dir: str) -> str: + namespace = namespace_name_to_python(namespace) + typename = camel_case_to_snake_case(typename) if typename != "AIPackage" else "ai_package" + return os.path.join(output_dir, namespace, f"{typename}.py") + + +def get_python_docstring(description: Optional[str], indent: int) -> str: + if not description: + return "" + + line_length = 119 - indent + with MarkdownRenderer(max_line_length=line_length) as renderer: + text = renderer.render(mistletoe.Document(description)) + text = '\n"""\n' + text + '"""' + return textwrap.indent(text, ' ' * indent) + + +def get_qualified_name(name: str, namespace: str): + if name.startswith('/'): + name = name[1:] + if name.startswith("xsd:"): + return name + if '/' in name: + return name + return f"{namespace}/{name}" + + +def split_qualified_name(typename: str) -> tuple[str, str]: + if '/' not in typename: + return "", typename + namespace, _, typename = typename.partition('/') + return namespace, typename + + +def to_python_type(typename: str) -> str: + if typename in SPECIAL_TYPE_MAPPINGS: + return SPECIAL_TYPE_MAPPINGS[typename][0] + if typename.startswith("xsd:"): + return "str" + _, typename = split_qualified_name(typename) + return typename + + +def extract_parent_type(cls: dict, namespace: str) -> Optional[str]: + parent_class = cls["metadata"].get("SubclassOf") or "none" + if parent_class == "none": + return None + return get_qualified_name(parent_class, namespace) + + +def get_short_prop_name(qualified_name: str) -> str: + if '/' not in qualified_name: + return qualified_name + return qualified_name[qualified_name.rindex('/') + 1:] diff --git a/dev/model_gen/vocab_templates.py b/dev/model_gen/vocab_templates.py new file mode 100644 index 000000000..2d1214bc0 --- /dev/null +++ b/dev/model_gen/vocab_templates.py @@ -0,0 +1,27 @@ +# SPDX-FileCopyrightText: 2023 spdx contributors +# +# SPDX-License-Identifier: Apache-2.0 + +from .general_templates import FILE_HEADER + +VOCAB_FILE = FILE_HEADER + """from beartype.typing import Optional +from enum import Enum, auto + + +class {typename}(Enum):{docstring} + +{values} + + def __str__(self) -> str: +{values_to_str} + return "unknown" + + @staticmethod + def from_str(value: str) -> Optional['{typename}']: +{str_to_values} + return None +""" + +VOCAB_ENTRY = " {value} = auto(){docstring}" +VOCAB_VALUE_TO_STR = " if self == {typename}.{python_value}:\n return \"{str_value}\"" +VOCAB_STR_TO_VALUE = " if value == \"{str_value}\":\n return {typename}.{python_value}" From 8210958b0d588f554f6b5f4e747ba30a2b107c38 Mon Sep 17 00:00:00 2001 From: Holger Frydrych Date: Thu, 27 Jul 2023 17:07:24 +0200 Subject: [PATCH 30/33] Fix some more errors in generated code Signed-off-by: Holger Frydrych --- dev/model_gen/gen_class.py | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/dev/model_gen/gen_class.py b/dev/model_gen/gen_class.py index 7516f4e9a..51f709d07 100644 --- a/dev/model_gen/gen_class.py +++ b/dev/model_gen/gen_class.py @@ -32,9 +32,10 @@ SPECIAL_PROPTYPE_MAPPINGS: dict[str, tuple[str, Optional[str]]] = { # for the moment, we replace Element and Agent references with string references to their ID - # otherwise, there is a cyclic dependency between CreationInfo and Agent that is problematic to deal with + # otherwise, there is a cyclic dependency between CreationInfo and Agent/Tool that is problematic to deal with "Core/Agent": ("str", None), "Core/Element": ("str", None), + "Core/Tool": ("str", None), } @@ -82,7 +83,7 @@ def __init__(self, cls: dict, namespace: str, model: dict, output_dir: str): self.props = list() self.typename = cls["metadata"]["name"] - self.filename = camel_case_to_snake_case(self.typename) + self.filename = camel_case_to_snake_case(self.typename) if self.typename != "AIPackage" else "ai_package" parent_class = extract_parent_type(cls, namespace) if not parent_class: self.parent_class = "ABC" @@ -109,8 +110,9 @@ def _import_spdx_type(self, typename: str): if typename.startswith("xsd:"): return namespace, typename = split_qualified_name(typename) - namespace = f"..{namespace_name_to_python(namespace)}" - self._add_import(namespace, typename) + module = camel_case_to_snake_case(typename) if typename != "AIPackage" else "ai_package" + python_path = f"..{namespace_name_to_python(namespace)}.{module}" + self._add_import(python_path, typename) def _find_prop(self, propname: str) -> Optional[Property]: propname = prop_name_to_python(propname) @@ -183,7 +185,6 @@ def _gen_props(self) -> str: code = "" own_props = (prop for prop in self.props if not prop.inherited) for prop in own_props: - default = "" name = prop_name_to_python(prop.name) proptype = prop.get_python_type() docstring = self._get_prop_docstring(prop.name) @@ -194,7 +195,7 @@ def _gen_props(self) -> str: elif prop.is_list: default = " = field(default_factory=list)" self._add_import("dataclasses", "field") - elif prop.optional: + else: default = " = None" code += CLS_PROP.format(prop_name=name, prop_type=proptype, default=default, docstring=docstring) return code From 846759bab7c8978e3a318f708f13db642b9ac7f4 Mon Sep 17 00:00:00 2001 From: Holger Frydrych Date: Thu, 27 Jul 2023 17:08:00 +0200 Subject: [PATCH 31/33] Update generated classes Signed-off-by: Holger Frydrych --- dev/model_dump.json | 6 ++--- src/spdx_tools/spdx3/new_model/ai/__init__.py | 2 +- .../spdx3/new_model/ai/ai_package.py | 13 +++++++--- src/spdx_tools/spdx3/new_model/build/build.py | 9 +++++-- src/spdx_tools/spdx3/new_model/core/agent.py | 6 ++++- .../spdx3/new_model/core/annotation.py | 11 +++++--- .../spdx3/new_model/core/artifact.py | 2 +- src/spdx_tools/spdx3/new_model/core/bom.py | 7 +++++- src/spdx_tools/spdx3/new_model/core/bundle.py | 7 +++++- .../spdx3/new_model/core/creation_info.py | 8 +++--- .../spdx3/new_model/core/element.py | 9 ++++--- .../new_model/core/element_collection.py | 3 ++- .../new_model/core/external_identifier.py | 6 ++--- .../spdx3/new_model/core/external_map.py | 4 +-- .../new_model/core/external_reference.py | 2 +- src/spdx_tools/spdx3/new_model/core/hash.py | 7 +++--- .../core/lifecycle_scoped_relationship.py | 18 ++++++------- .../spdx3/new_model/core/organization.py | 6 ++++- src/spdx_tools/spdx3/new_model/core/person.py | 6 ++++- .../new_model/core/positive_integer_range.py | 4 +-- .../spdx3/new_model/core/relationship.py | 20 +++++++-------- .../spdx3/new_model/core/software_agent.py | 6 ++++- .../spdx3/new_model/core/spdx_document.py | 7 +++++- src/spdx_tools/spdx3/new_model/core/tool.py | 6 ++++- .../spdx3/new_model/dataset/dataset.py | 16 ++++++++---- .../conjunctive_license_set.py | 7 ++++-- .../disjunctive_license_set.py | 7 ++++-- .../expanded_license/extendable_license.py | 2 +- .../new_model/licensing/any_license_info.py | 2 +- .../new_model/licensing/custom_license.py | 22 ++++++++++++++-- .../licensing/custom_license_addition.py | 7 ++++-- .../spdx3/new_model/licensing/license.py | 4 +-- .../new_model/licensing/license_addition.py | 4 +-- .../new_model/licensing/license_expression.py | 9 ++++--- .../new_model/licensing/listed_license.py | 22 ++++++++++++++-- .../licensing/listed_license_exception.py | 7 ++++-- .../new_model/licensing/or_later_operator.py | 25 +++++++++++++++++-- .../licensing/with_addition_operator.py | 13 +++++++--- .../cvss_v2_vuln_assessment_relationship.py | 18 ++++++------- .../cvss_v3_vuln_assessment_relationship.py | 18 ++++++------- .../epss_vuln_assessment_relationship.py | 18 ++++++------- ...it_catalog_vuln_assessment_relationship.py | 23 ++++++++--------- .../ssvc_vuln_assessment_relationship.py | 19 +++++++------- ...x_affected_vuln_assessment_relationship.py | 16 ++++++------ .../vex_fixed_vuln_assessment_relationship.py | 16 ++++++------ ...t_affected_vuln_assessment_relationship.py | 17 ++++++------- ...estigation_vuln_assessment_relationship.py | 16 ++++++------ .../vex_vuln_assessment_relationship.py | 2 +- .../security/vuln_assessment_relationship.py | 2 +- .../spdx3/new_model/security/vulnerability.py | 6 ++++- .../spdx3/new_model/software/file.py | 10 +++++--- .../spdx3/new_model/software/package.py | 10 +++++--- .../spdx3/new_model/software/sbom.py | 9 +++++-- .../spdx3/new_model/software/snippet.py | 11 +++++--- .../new_model/software/software_artifact.py | 6 ++--- .../software_dependency_relationship.py | 21 ++++++++-------- 56 files changed, 350 insertions(+), 210 deletions(-) diff --git a/dev/model_dump.json b/dev/model_dump.json index fb17d2231..a94cce335 100644 --- a/dev/model_dump.json +++ b/dev/model_dump.json @@ -2158,7 +2158,7 @@ }, "properties": { "subjectLicense": { - "type": "ExtendableLicense", + "type": "ExpandedLicense/ExtendableLicense", "minCount": "1", "maxCount": "1" }, @@ -2175,7 +2175,7 @@ "description": "A License represents a license text, whether listed on the SPDX License List\n(ListedLicense) or defined by an SPDX data creator (CustomLicense).", "metadata": { "name": "License", - "SubclassOf": "ExtendableLicense", + "SubclassOf": "ExpandedLicense/ExtendableLicense", "Instantiability": "Abstract", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/License" @@ -2271,7 +2271,7 @@ "description": "An OrLaterOperator indicates that this portion of the AnyLicenseInfo\nrepresents either (1) the specified version of the corresponding License, or\n(2) any later version of that License. It is represented in the SPDX License\nExpression Syntax by the `+` operator.\n\nIt is context-dependent, and unspecified by SPDX, as to what constitutes a\n\"later version\" of any particular License. Some Licenses may not be versioned,\nor may not have clearly-defined ordering for versions. The consumer of SPDX\ndata will need to determine for themselves what meaning to attribute to a\n\"later version\" operator for a particular License.", "metadata": { "name": "OrLaterOperator", - "SubclassOf": "ExtendableLicense", + "SubclassOf": "ExpandedLicense/ExtendableLicense", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Licensing/OrLaterOperator" diff --git a/src/spdx_tools/spdx3/new_model/ai/__init__.py b/src/spdx_tools/spdx3/new_model/ai/__init__.py index 4523b3670..b46705af6 100644 --- a/src/spdx_tools/spdx3/new_model/ai/__init__.py +++ b/src/spdx_tools/spdx3/new_model/ai/__init__.py @@ -4,6 +4,6 @@ # Do not manually edit! # flake8: noqa -from .a_ipackage import AIPackage +from .ai_package import AIPackage from .presence_type import PresenceType from .safety_risk_assessment_type import SafetyRiskAssessmentType diff --git a/src/spdx_tools/spdx3/new_model/ai/ai_package.py b/src/spdx_tools/spdx3/new_model/ai/ai_package.py index cb55c0988..d557a7523 100644 --- a/src/spdx_tools/spdx3/new_model/ai/ai_package.py +++ b/src/spdx_tools/spdx3/new_model/ai/ai_package.py @@ -12,10 +12,15 @@ from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties from spdx_tools.common.typing.type_checks import check_types_and_set_values -from ..ai import PresenceType, SafetyRiskAssessmentType -from ..core import CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod -from ..licensing import AnyLicenseInfo -from ..software import Package, SoftwarePurpose +from ..ai.presence_type import PresenceType +from ..ai.safety_risk_assessment_type import SafetyRiskAssessmentType +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod +from ..licensing.any_license_info import AnyLicenseInfo +from ..software.package import Package +from ..software.software_purpose import SoftwarePurpose @dataclass_with_properties diff --git a/src/spdx_tools/spdx3/new_model/build/build.py b/src/spdx_tools/spdx3/new_model/build/build.py index 7bfd077b2..f41d9ccb3 100644 --- a/src/spdx_tools/spdx3/new_model/build/build.py +++ b/src/spdx_tools/spdx3/new_model/build/build.py @@ -12,7 +12,12 @@ from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties from spdx_tools.common.typing.type_checks import check_types_and_set_values -from ..core import CreationInfo, Element, ExternalIdentifier, ExternalReference, Hash, IntegrityMethod +from ..core.creation_info import CreationInfo +from ..core.element import Element +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.hash import Hash +from ..core.integrity_method import IntegrityMethod @dataclass_with_properties @@ -30,7 +35,7 @@ class Build(Element): Note that buildStart and buildEnd are optional, and may be omitted to simplify creating reproducible builds. """ - build_type: str + build_type: str = None """ A buildType is a URI expressing the toolchain, platform, or infrastructure that the build was invoked on. For example, if the build was invoked on GitHub's CI platform using github actions, the buildType can be expressed as diff --git a/src/spdx_tools/spdx3/new_model/core/agent.py b/src/spdx_tools/spdx3/new_model/core/agent.py index 92913a852..e40870cd1 100644 --- a/src/spdx_tools/spdx3/new_model/core/agent.py +++ b/src/spdx_tools/spdx3/new_model/core/agent.py @@ -9,7 +9,11 @@ from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties from spdx_tools.common.typing.type_checks import check_types_and_set_values -from ..core import CreationInfo, Element, ExternalIdentifier, ExternalReference, IntegrityMethod +from ..core.creation_info import CreationInfo +from ..core.element import Element +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod @dataclass_with_properties diff --git a/src/spdx_tools/spdx3/new_model/core/annotation.py b/src/spdx_tools/spdx3/new_model/core/annotation.py index 14d9ede9a..19019a21f 100644 --- a/src/spdx_tools/spdx3/new_model/core/annotation.py +++ b/src/spdx_tools/spdx3/new_model/core/annotation.py @@ -11,7 +11,12 @@ from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties from spdx_tools.common.typing.type_checks import check_types_and_set_values -from ..core import AnnotationType, CreationInfo, Element, ExternalIdentifier, ExternalReference, IntegrityMethod +from ..core.annotation_type import AnnotationType +from ..core.creation_info import CreationInfo +from ..core.element import Element +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod @dataclass_with_properties @@ -20,7 +25,7 @@ class Annotation(Element): An Annotation is an assertion made in relation to one or more elements. """ - annotation_type: AnnotationType + annotation_type: AnnotationType = None """ An annotationType describes the type of an annotation. """ @@ -32,7 +37,7 @@ class Annotation(Element): """ A statement is a commentary on an assertion that an annotator has made. """ - subject: str + subject: str = None """ A subject is an Element an annotator has made an assertion about. """ diff --git a/src/spdx_tools/spdx3/new_model/core/artifact.py b/src/spdx_tools/spdx3/new_model/core/artifact.py index 83a810e13..02fccc15d 100644 --- a/src/spdx_tools/spdx3/new_model/core/artifact.py +++ b/src/spdx_tools/spdx3/new_model/core/artifact.py @@ -12,7 +12,7 @@ from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties -from ..core import Element +from ..core.element import Element @dataclass_with_properties diff --git a/src/spdx_tools/spdx3/new_model/core/bom.py b/src/spdx_tools/spdx3/new_model/core/bom.py index bcfc6bec1..68de8f951 100644 --- a/src/spdx_tools/spdx3/new_model/core/bom.py +++ b/src/spdx_tools/spdx3/new_model/core/bom.py @@ -9,7 +9,12 @@ from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties from spdx_tools.common.typing.type_checks import check_types_and_set_values -from ..core import Bundle, CreationInfo, ExternalIdentifier, ExternalMap, ExternalReference, IntegrityMethod +from ..core.bundle import Bundle +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_map import ExternalMap +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod @dataclass_with_properties diff --git a/src/spdx_tools/spdx3/new_model/core/bundle.py b/src/spdx_tools/spdx3/new_model/core/bundle.py index 5eae176c6..a8e4a215e 100644 --- a/src/spdx_tools/spdx3/new_model/core/bundle.py +++ b/src/spdx_tools/spdx3/new_model/core/bundle.py @@ -9,7 +9,12 @@ from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties from spdx_tools.common.typing.type_checks import check_types_and_set_values -from ..core import CreationInfo, ElementCollection, ExternalIdentifier, ExternalMap, ExternalReference, IntegrityMethod +from ..core.creation_info import CreationInfo +from ..core.element_collection import ElementCollection +from ..core.external_identifier import ExternalIdentifier +from ..core.external_map import ExternalMap +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod @dataclass_with_properties diff --git a/src/spdx_tools/spdx3/new_model/core/creation_info.py b/src/spdx_tools/spdx3/new_model/core/creation_info.py index 742e5bb0b..4a55a552c 100644 --- a/src/spdx_tools/spdx3/new_model/core/creation_info.py +++ b/src/spdx_tools/spdx3/new_model/core/creation_info.py @@ -14,7 +14,7 @@ from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties from spdx_tools.common.typing.type_checks import check_types_and_set_values -from ..core import ProfileIdentifierType, Tool +from ..core.profile_identifier_type import ProfileIdentifierType @dataclass_with_properties @@ -26,7 +26,7 @@ class CreationInfo(ABC): was created, as doing so supports reproducible builds. """ - spec_version: Version + spec_version: Version = None """ The specVersion provides a reference number that can be used to understand how to parse and interpret an Element. It will enable both future changes to the specification and to support backward compatibility. The major version @@ -52,7 +52,7 @@ class CreationInfo(ABC): CreatedBy identifies who or what created the Element. The generation method will assist the recipient of the Element in assessing the general reliability/accuracy of the analysis information. """ - created_using: List[Tool] = field(default_factory=list) + created_using: List[str] = field(default_factory=list) """ CreatedUsing identifies the tooling that was used during the creation of the Element. The generation method will assist the recipient of the Element in assessing the general reliability/accuracy of the analysis information. @@ -90,7 +90,7 @@ def __init__( profile: List[ProfileIdentifierType], comment: Optional[str] = None, created: Optional[datetime] = None, - created_using: List[Tool] = None, + created_using: List[str] = None, data_license: Optional[str] = None, ): created_using = [] if created_using is None else created_using diff --git a/src/spdx_tools/spdx3/new_model/core/element.py b/src/spdx_tools/spdx3/new_model/core/element.py index 75fe82083..3939adbdf 100644 --- a/src/spdx_tools/spdx3/new_model/core/element.py +++ b/src/spdx_tools/spdx3/new_model/core/element.py @@ -11,7 +11,10 @@ from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties -from ..core import CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod @dataclass_with_properties @@ -23,7 +26,7 @@ class Element(ABC): foundation for all explicit and inter-relatable content objects. """ - spdx_id: str + spdx_id: str = None """ SpdxId uniquely identifies an Element which may thereby be referenced by other Elements. These references may be internal or external. While there may be several versions of the same Element, each one needs to be able to be @@ -51,7 +54,7 @@ class Element(ABC): A comment is an optional field for creators of the Element to provide comments to the readers/reviewers of the document. """ - creation_info: CreationInfo + creation_info: CreationInfo = None """ CreationInfo provides information about the creation of the Element. """ diff --git a/src/spdx_tools/spdx3/new_model/core/element_collection.py b/src/spdx_tools/spdx3/new_model/core/element_collection.py index 719e2da51..e1f874b51 100644 --- a/src/spdx_tools/spdx3/new_model/core/element_collection.py +++ b/src/spdx_tools/spdx3/new_model/core/element_collection.py @@ -11,7 +11,8 @@ from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties -from ..core import Element, ExternalMap +from ..core.element import Element +from ..core.external_map import ExternalMap @dataclass_with_properties diff --git a/src/spdx_tools/spdx3/new_model/core/external_identifier.py b/src/spdx_tools/spdx3/new_model/core/external_identifier.py index 9523994c1..0e0e183c9 100644 --- a/src/spdx_tools/spdx3/new_model/core/external_identifier.py +++ b/src/spdx_tools/spdx3/new_model/core/external_identifier.py @@ -12,7 +12,7 @@ from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties from spdx_tools.common.typing.type_checks import check_types_and_set_values -from ..core import ExternalIdentifierType +from ..core.external_identifier_type import ExternalIdentifierType @dataclass_with_properties @@ -22,11 +22,11 @@ class ExternalIdentifier(ABC): an Element. """ - external_identifier_type: ExternalIdentifierType + external_identifier_type: ExternalIdentifierType = None """ An externalIdentifierType specifies the type of the external identifier. """ - identifier: str + identifier: str = None """ An identifier uniquely identifies an external element. """ diff --git a/src/spdx_tools/spdx3/new_model/core/external_map.py b/src/spdx_tools/spdx3/new_model/core/external_map.py index 385b73b7d..2045c661c 100644 --- a/src/spdx_tools/spdx3/new_model/core/external_map.py +++ b/src/spdx_tools/spdx3/new_model/core/external_map.py @@ -12,7 +12,7 @@ from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties from spdx_tools.common.typing.type_checks import check_types_and_set_values -from ..core import IntegrityMethod +from ..core.integrity_method import IntegrityMethod @dataclass_with_properties @@ -23,7 +23,7 @@ class ExternalMap(ABC): retrieve it, and how to verify its integrity. """ - external_id: str + external_id: str = None """ ExternalId identifies an external Element used within a Document but defined external to that Document. """ diff --git a/src/spdx_tools/spdx3/new_model/core/external_reference.py b/src/spdx_tools/spdx3/new_model/core/external_reference.py index 9da2528f5..2b5ae8775 100644 --- a/src/spdx_tools/spdx3/new_model/core/external_reference.py +++ b/src/spdx_tools/spdx3/new_model/core/external_reference.py @@ -12,7 +12,7 @@ from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties from spdx_tools.common.typing.type_checks import check_types_and_set_values -from ..core import ExternalReferenceType +from ..core.external_reference_type import ExternalReferenceType @dataclass_with_properties diff --git a/src/spdx_tools/spdx3/new_model/core/hash.py b/src/spdx_tools/spdx3/new_model/core/hash.py index 8b0e63b60..1889b254c 100644 --- a/src/spdx_tools/spdx3/new_model/core/hash.py +++ b/src/spdx_tools/spdx3/new_model/core/hash.py @@ -9,7 +9,8 @@ from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties from spdx_tools.common.typing.type_checks import check_types_and_set_values -from ..core import HashAlgorithm, IntegrityMethod +from ..core.hash_algorithm import HashAlgorithm +from ..core.integrity_method import IntegrityMethod @dataclass_with_properties @@ -20,11 +21,11 @@ class Hash(IntegrityMethod): infeasible to invert. This is commonly used for integrity checking of data. """ - algorithm: HashAlgorithm + algorithm: HashAlgorithm = None """ An algorithm specifies the algorithm that was used for calculating the hash value. """ - hash_value: str + hash_value: str = None """ HashValue is the result of applying a hash algorithm to an Element. """ diff --git a/src/spdx_tools/spdx3/new_model/core/lifecycle_scoped_relationship.py b/src/spdx_tools/spdx3/new_model/core/lifecycle_scoped_relationship.py index d7168c48a..27cb1cc24 100644 --- a/src/spdx_tools/spdx3/new_model/core/lifecycle_scoped_relationship.py +++ b/src/spdx_tools/spdx3/new_model/core/lifecycle_scoped_relationship.py @@ -11,16 +11,14 @@ from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties from spdx_tools.common.typing.type_checks import check_types_and_set_values -from ..core import ( - CreationInfo, - ExternalIdentifier, - ExternalReference, - IntegrityMethod, - LifecycleScopeType, - Relationship, - RelationshipCompleteness, - RelationshipType, -) +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod +from ..core.lifecycle_scope_type import LifecycleScopeType +from ..core.relationship import Relationship +from ..core.relationship_completeness import RelationshipCompleteness +from ..core.relationship_type import RelationshipType @dataclass_with_properties diff --git a/src/spdx_tools/spdx3/new_model/core/organization.py b/src/spdx_tools/spdx3/new_model/core/organization.py index f66fd1cab..f9237dcab 100644 --- a/src/spdx_tools/spdx3/new_model/core/organization.py +++ b/src/spdx_tools/spdx3/new_model/core/organization.py @@ -9,7 +9,11 @@ from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties from spdx_tools.common.typing.type_checks import check_types_and_set_values -from ..core import Agent, CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod +from ..core.agent import Agent +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod @dataclass_with_properties diff --git a/src/spdx_tools/spdx3/new_model/core/person.py b/src/spdx_tools/spdx3/new_model/core/person.py index 6c6bf339c..5a729873c 100644 --- a/src/spdx_tools/spdx3/new_model/core/person.py +++ b/src/spdx_tools/spdx3/new_model/core/person.py @@ -9,7 +9,11 @@ from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties from spdx_tools.common.typing.type_checks import check_types_and_set_values -from ..core import Agent, CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod +from ..core.agent import Agent +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod @dataclass_with_properties diff --git a/src/spdx_tools/spdx3/new_model/core/positive_integer_range.py b/src/spdx_tools/spdx3/new_model/core/positive_integer_range.py index 11e82eba4..652eb3eb9 100644 --- a/src/spdx_tools/spdx3/new_model/core/positive_integer_range.py +++ b/src/spdx_tools/spdx3/new_model/core/positive_integer_range.py @@ -17,11 +17,11 @@ class PositiveIntegerRange(ABC): "end". """ - begin: int + begin: int = None """ begin is a positive integer that defines the beginning of a range. """ - end: int + end: int = None """ end is a positive integer that defines the end of a range. """ diff --git a/src/spdx_tools/spdx3/new_model/core/relationship.py b/src/spdx_tools/spdx3/new_model/core/relationship.py index 1c7fd50be..7c8fc579e 100644 --- a/src/spdx_tools/spdx3/new_model/core/relationship.py +++ b/src/spdx_tools/spdx3/new_model/core/relationship.py @@ -12,15 +12,13 @@ from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties from spdx_tools.common.typing.type_checks import check_types_and_set_values -from ..core import ( - CreationInfo, - Element, - ExternalIdentifier, - ExternalReference, - IntegrityMethod, - RelationshipCompleteness, - RelationshipType, -) +from ..core.creation_info import CreationInfo +from ..core.element import Element +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod +from ..core.relationship_completeness import RelationshipCompleteness +from ..core.relationship_type import RelationshipType @dataclass_with_properties @@ -30,7 +28,7 @@ class Relationship(Element): other Elements in some way. """ - from_element: str + from_element: str = None """ This field references the Element on the left-hand side of a relationship. """ @@ -38,7 +36,7 @@ class Relationship(Element): """ This field references an Element on the right-hand side of a relationship. """ - relationship_type: RelationshipType + relationship_type: RelationshipType = None """ This field provides information about the relationship between two Elements. For example, you can represent a relationship between two different Files, between a Package and a File, between two Packages, or between one diff --git a/src/spdx_tools/spdx3/new_model/core/software_agent.py b/src/spdx_tools/spdx3/new_model/core/software_agent.py index e49db5f42..41a347860 100644 --- a/src/spdx_tools/spdx3/new_model/core/software_agent.py +++ b/src/spdx_tools/spdx3/new_model/core/software_agent.py @@ -9,7 +9,11 @@ from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties from spdx_tools.common.typing.type_checks import check_types_and_set_values -from ..core import Agent, CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod +from ..core.agent import Agent +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod @dataclass_with_properties diff --git a/src/spdx_tools/spdx3/new_model/core/spdx_document.py b/src/spdx_tools/spdx3/new_model/core/spdx_document.py index ec8829a65..10927f714 100644 --- a/src/spdx_tools/spdx3/new_model/core/spdx_document.py +++ b/src/spdx_tools/spdx3/new_model/core/spdx_document.py @@ -9,7 +9,12 @@ from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties from spdx_tools.common.typing.type_checks import check_types_and_set_values -from ..core import Bundle, CreationInfo, ExternalIdentifier, ExternalMap, ExternalReference, IntegrityMethod +from ..core.bundle import Bundle +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_map import ExternalMap +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod @dataclass_with_properties diff --git a/src/spdx_tools/spdx3/new_model/core/tool.py b/src/spdx_tools/spdx3/new_model/core/tool.py index 0d77634af..261ec0019 100644 --- a/src/spdx_tools/spdx3/new_model/core/tool.py +++ b/src/spdx_tools/spdx3/new_model/core/tool.py @@ -9,7 +9,11 @@ from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties from spdx_tools.common.typing.type_checks import check_types_and_set_values -from ..core import CreationInfo, Element, ExternalIdentifier, ExternalReference, IntegrityMethod +from ..core.creation_info import CreationInfo +from ..core.element import Element +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod @dataclass_with_properties diff --git a/src/spdx_tools/spdx3/new_model/dataset/dataset.py b/src/spdx_tools/spdx3/new_model/dataset/dataset.py index 059e22b94..cc49bfd9a 100644 --- a/src/spdx_tools/spdx3/new_model/dataset/dataset.py +++ b/src/spdx_tools/spdx3/new_model/dataset/dataset.py @@ -12,11 +12,17 @@ from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties from spdx_tools.common.typing.type_checks import check_types_and_set_values -from ..ai import PresenceType -from ..core import CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod -from ..dataset import ConfidentialityLevelType, DatasetAvailabilityType, DatasetType -from ..licensing import AnyLicenseInfo -from ..software import Package, SoftwarePurpose +from ..ai.presence_type import PresenceType +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod +from ..dataset.confidentiality_level_type import ConfidentialityLevelType +from ..dataset.dataset_availability_type import DatasetAvailabilityType +from ..dataset.dataset_type import DatasetType +from ..licensing.any_license_info import AnyLicenseInfo +from ..software.package import Package +from ..software.software_purpose import SoftwarePurpose @dataclass_with_properties diff --git a/src/spdx_tools/spdx3/new_model/expanded_license/conjunctive_license_set.py b/src/spdx_tools/spdx3/new_model/expanded_license/conjunctive_license_set.py index ea7d5e98e..c7898993e 100644 --- a/src/spdx_tools/spdx3/new_model/expanded_license/conjunctive_license_set.py +++ b/src/spdx_tools/spdx3/new_model/expanded_license/conjunctive_license_set.py @@ -11,8 +11,11 @@ from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties from spdx_tools.common.typing.type_checks import check_types_and_set_values -from ..core import CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod -from ..licensing import AnyLicenseInfo +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod +from ..licensing.any_license_info import AnyLicenseInfo @dataclass_with_properties diff --git a/src/spdx_tools/spdx3/new_model/expanded_license/disjunctive_license_set.py b/src/spdx_tools/spdx3/new_model/expanded_license/disjunctive_license_set.py index 0b67acdd3..39e2b9dda 100644 --- a/src/spdx_tools/spdx3/new_model/expanded_license/disjunctive_license_set.py +++ b/src/spdx_tools/spdx3/new_model/expanded_license/disjunctive_license_set.py @@ -11,8 +11,11 @@ from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties from spdx_tools.common.typing.type_checks import check_types_and_set_values -from ..core import CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod -from ..licensing import AnyLicenseInfo +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod +from ..licensing.any_license_info import AnyLicenseInfo @dataclass_with_properties diff --git a/src/spdx_tools/spdx3/new_model/expanded_license/extendable_license.py b/src/spdx_tools/spdx3/new_model/expanded_license/extendable_license.py index 5690e2cf5..b911d9965 100644 --- a/src/spdx_tools/spdx3/new_model/expanded_license/extendable_license.py +++ b/src/spdx_tools/spdx3/new_model/expanded_license/extendable_license.py @@ -8,7 +8,7 @@ from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties -from ..licensing import AnyLicenseInfo +from ..licensing.any_license_info import AnyLicenseInfo @dataclass_with_properties diff --git a/src/spdx_tools/spdx3/new_model/licensing/any_license_info.py b/src/spdx_tools/spdx3/new_model/licensing/any_license_info.py index c57125180..e2c70d258 100644 --- a/src/spdx_tools/spdx3/new_model/licensing/any_license_info.py +++ b/src/spdx_tools/spdx3/new_model/licensing/any_license_info.py @@ -8,7 +8,7 @@ from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties -from ..core import Element +from ..core.element import Element @dataclass_with_properties diff --git a/src/spdx_tools/spdx3/new_model/licensing/custom_license.py b/src/spdx_tools/spdx3/new_model/licensing/custom_license.py index 5a1d7b667..32d6b38d8 100644 --- a/src/spdx_tools/spdx3/new_model/licensing/custom_license.py +++ b/src/spdx_tools/spdx3/new_model/licensing/custom_license.py @@ -4,12 +4,16 @@ # Do not manually edit! # flake8: noqa -from beartype.typing import Optional +from beartype.typing import List, Optional from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties from spdx_tools.common.typing.type_checks import check_types_and_set_values -from ..licensing import License +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod +from ..licensing.license import License @dataclass_with_properties @@ -21,7 +25,17 @@ class CustomLicense(License): def __init__( self, + spdx_id: str, + creation_info: CreationInfo, license_text: str, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: List[str] = None, is_osi_approved: Optional[bool] = None, is_fsf_libre: Optional[bool] = None, standard_license_header: Optional[str] = None, @@ -29,4 +43,8 @@ def __init__( is_deprecated_license_id: Optional[bool] = None, obsoleted_by: Optional[str] = None, ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/licensing/custom_license_addition.py b/src/spdx_tools/spdx3/new_model/licensing/custom_license_addition.py index a33782c37..d9978c43b 100644 --- a/src/spdx_tools/spdx3/new_model/licensing/custom_license_addition.py +++ b/src/spdx_tools/spdx3/new_model/licensing/custom_license_addition.py @@ -9,8 +9,11 @@ from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties from spdx_tools.common.typing.type_checks import check_types_and_set_values -from ..core import CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod -from ..licensing import LicenseAddition +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod +from ..licensing.license_addition import LicenseAddition @dataclass_with_properties diff --git a/src/spdx_tools/spdx3/new_model/licensing/license.py b/src/spdx_tools/spdx3/new_model/licensing/license.py index 5a1c07308..03b3e5e2f 100644 --- a/src/spdx_tools/spdx3/new_model/licensing/license.py +++ b/src/spdx_tools/spdx3/new_model/licensing/license.py @@ -10,7 +10,7 @@ from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties -from ..licensing import ExtendableLicense +from ..expanded_license.extendable_license import ExtendableLicense @dataclass_with_properties @@ -20,7 +20,7 @@ class License(ExtendableLicense): data creator (CustomLicense). """ - license_text: str + license_text: str = None """ A licenseText contains the plain text of the License, without templating or other similar markup. diff --git a/src/spdx_tools/spdx3/new_model/licensing/license_addition.py b/src/spdx_tools/spdx3/new_model/licensing/license_addition.py index ca903e985..201e6448b 100644 --- a/src/spdx_tools/spdx3/new_model/licensing/license_addition.py +++ b/src/spdx_tools/spdx3/new_model/licensing/license_addition.py @@ -10,7 +10,7 @@ from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties -from ..core import Element +from ..core.element import Element @dataclass_with_properties @@ -23,7 +23,7 @@ class LicenseAddition(Element): additional text (as an exception or otherwise) which is defined by an SPDX data creator (CustomLicenseAddition). """ - addition_text: str + addition_text: str = None """ An additionText contains the plain text of the LicenseAddition, without templating or other similar markup. diff --git a/src/spdx_tools/spdx3/new_model/licensing/license_expression.py b/src/spdx_tools/spdx3/new_model/licensing/license_expression.py index 9e1619a9b..0a6cd1d6a 100644 --- a/src/spdx_tools/spdx3/new_model/licensing/license_expression.py +++ b/src/spdx_tools/spdx3/new_model/licensing/license_expression.py @@ -9,8 +9,11 @@ from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties from spdx_tools.common.typing.type_checks import check_types_and_set_values -from ..core import CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod -from ..licensing import AnyLicenseInfo +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod +from ..licensing.any_license_info import AnyLicenseInfo @dataclass_with_properties @@ -30,7 +33,7 @@ class LicenseExpression(AnyLicenseInfo): definition of what constitutes a valid an SPDX License Expression in this section. """ - license_expression: str + license_expression: str = None """ Often a single license can be used to represent the licensing terms of a source code or binary file, but there are situations where a single license identifier is not sufficient. A common example is when software is offered under diff --git a/src/spdx_tools/spdx3/new_model/licensing/listed_license.py b/src/spdx_tools/spdx3/new_model/licensing/listed_license.py index 413205773..184b7e9a2 100644 --- a/src/spdx_tools/spdx3/new_model/licensing/listed_license.py +++ b/src/spdx_tools/spdx3/new_model/licensing/listed_license.py @@ -4,12 +4,16 @@ # Do not manually edit! # flake8: noqa -from beartype.typing import Optional +from beartype.typing import List, Optional from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties from spdx_tools.common.typing.type_checks import check_types_and_set_values -from ..licensing import License +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod +from ..licensing.license import License @dataclass_with_properties @@ -31,7 +35,17 @@ class ListedLicense(License): def __init__( self, + spdx_id: str, + creation_info: CreationInfo, license_text: str, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: List[str] = None, is_osi_approved: Optional[bool] = None, is_fsf_libre: Optional[bool] = None, standard_license_header: Optional[str] = None, @@ -41,4 +55,8 @@ def __init__( list_version_added: Optional[str] = None, deprecated_version: Optional[str] = None, ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/licensing/listed_license_exception.py b/src/spdx_tools/spdx3/new_model/licensing/listed_license_exception.py index 1c8b0c5d3..3cd1c3e99 100644 --- a/src/spdx_tools/spdx3/new_model/licensing/listed_license_exception.py +++ b/src/spdx_tools/spdx3/new_model/licensing/listed_license_exception.py @@ -9,8 +9,11 @@ from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties from spdx_tools.common.typing.type_checks import check_types_and_set_values -from ..core import CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod -from ..licensing import LicenseAddition +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod +from ..licensing.license_addition import LicenseAddition @dataclass_with_properties diff --git a/src/spdx_tools/spdx3/new_model/licensing/or_later_operator.py b/src/spdx_tools/spdx3/new_model/licensing/or_later_operator.py index 096eef46f..7668b6df1 100644 --- a/src/spdx_tools/spdx3/new_model/licensing/or_later_operator.py +++ b/src/spdx_tools/spdx3/new_model/licensing/or_later_operator.py @@ -4,10 +4,17 @@ # Do not manually edit! # flake8: noqa +from beartype.typing import List, Optional + from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties from spdx_tools.common.typing.type_checks import check_types_and_set_values -from ..licensing import ExtendableLicense, License +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod +from ..expanded_license.extendable_license import ExtendableLicense +from ..licensing.license import License @dataclass_with_properties @@ -23,10 +30,24 @@ class OrLaterOperator(ExtendableLicense): particular License. """ - subject_license: License + subject_license: License = None def __init__( self, + spdx_id: str, + creation_info: CreationInfo, subject_license: License, + name: Optional[str] = None, + summary: Optional[str] = None, + description: Optional[str] = None, + comment: Optional[str] = None, + verified_using: List[IntegrityMethod] = None, + external_reference: List[ExternalReference] = None, + external_identifier: List[ExternalIdentifier] = None, + extension: List[str] = None, ): + verified_using = [] if verified_using is None else verified_using + external_reference = [] if external_reference is None else external_reference + external_identifier = [] if external_identifier is None else external_identifier + extension = [] if extension is None else extension check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/licensing/with_addition_operator.py b/src/spdx_tools/spdx3/new_model/licensing/with_addition_operator.py index d4a087e5f..32be86ca7 100644 --- a/src/spdx_tools/spdx3/new_model/licensing/with_addition_operator.py +++ b/src/spdx_tools/spdx3/new_model/licensing/with_addition_operator.py @@ -9,8 +9,13 @@ from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties from spdx_tools.common.typing.type_checks import check_types_and_set_values -from ..core import CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod -from ..licensing import AnyLicenseInfo, ExtendableLicense, LicenseAddition +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod +from ..expanded_license.extendable_license import ExtendableLicense +from ..licensing.any_license_info import AnyLicenseInfo +from ..licensing.license_addition import LicenseAddition @dataclass_with_properties @@ -21,8 +26,8 @@ class WithAdditionOperator(AnyLicenseInfo): (CustomLicenseAddition). It is represented in the SPDX License Expression Syntax by the `WITH` operator. """ - subject_license: ExtendableLicense - subject_addition: LicenseAddition + subject_license: ExtendableLicense = None + subject_addition: LicenseAddition = None def __init__( self, diff --git a/src/spdx_tools/spdx3/new_model/security/cvss_v2_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/cvss_v2_vuln_assessment_relationship.py index 69ce5b69b..5febc98b4 100644 --- a/src/spdx_tools/spdx3/new_model/security/cvss_v2_vuln_assessment_relationship.py +++ b/src/spdx_tools/spdx3/new_model/security/cvss_v2_vuln_assessment_relationship.py @@ -11,15 +11,13 @@ from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties from spdx_tools.common.typing.type_checks import check_types_and_set_values -from ..core import ( - CreationInfo, - ExternalIdentifier, - ExternalReference, - IntegrityMethod, - RelationshipCompleteness, - RelationshipType, -) -from ..security import VulnAssessmentRelationship +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod +from ..core.relationship_completeness import RelationshipCompleteness +from ..core.relationship_type import RelationshipType +from ..security.vuln_assessment_relationship import VulnAssessmentRelationship @dataclass_with_properties @@ -79,7 +77,7 @@ class CvssV2VulnAssessmentRelationship(VulnAssessmentRelationship): ``` """ - score: float + score: float = None """ The score provides information on the severity of a vulnerability per the Common Vulnerability Scoring System as defined on [https://www.first.org/cvss](https://www.first.org/cvss/). diff --git a/src/spdx_tools/spdx3/new_model/security/cvss_v3_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/cvss_v3_vuln_assessment_relationship.py index ada546cc7..20711eb3b 100644 --- a/src/spdx_tools/spdx3/new_model/security/cvss_v3_vuln_assessment_relationship.py +++ b/src/spdx_tools/spdx3/new_model/security/cvss_v3_vuln_assessment_relationship.py @@ -11,15 +11,13 @@ from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties from spdx_tools.common.typing.type_checks import check_types_and_set_values -from ..core import ( - CreationInfo, - ExternalIdentifier, - ExternalReference, - IntegrityMethod, - RelationshipCompleteness, - RelationshipType, -) -from ..security import VulnAssessmentRelationship +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod +from ..core.relationship_completeness import RelationshipCompleteness +from ..core.relationship_type import RelationshipType +from ..security.vuln_assessment_relationship import VulnAssessmentRelationship @dataclass_with_properties @@ -80,7 +78,7 @@ class CvssV3VulnAssessmentRelationship(VulnAssessmentRelationship): ``` """ - score: float + score: float = None """ The score provides information on the severity of a vulnerability per the Common Vulnerability Scoring System as defined on [https://www.first.org/cvss](https://www.first.org/cvss/). diff --git a/src/spdx_tools/spdx3/new_model/security/epss_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/epss_vuln_assessment_relationship.py index f8b37dfe6..f1fe01fbd 100644 --- a/src/spdx_tools/spdx3/new_model/security/epss_vuln_assessment_relationship.py +++ b/src/spdx_tools/spdx3/new_model/security/epss_vuln_assessment_relationship.py @@ -11,15 +11,13 @@ from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties from spdx_tools.common.typing.type_checks import check_types_and_set_values -from ..core import ( - CreationInfo, - ExternalIdentifier, - ExternalReference, - IntegrityMethod, - RelationshipCompleteness, - RelationshipType, -) -from ..security import VulnAssessmentRelationship +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod +from ..core.relationship_completeness import RelationshipCompleteness +from ..core.relationship_type import RelationshipType +from ..security.vuln_assessment_relationship import VulnAssessmentRelationship @dataclass_with_properties @@ -49,7 +47,7 @@ class EpssVulnAssessmentRelationship(VulnAssessmentRelationship): ``` """ - probability: int + probability: int = None """ The probability score between 0 and 1 (0 and 100%) estimating the likelihood that a vulnerability will be exploited in the next 12 months. diff --git a/src/spdx_tools/spdx3/new_model/security/exploit_catalog_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/exploit_catalog_vuln_assessment_relationship.py index 7b1938337..a33c11284 100644 --- a/src/spdx_tools/spdx3/new_model/security/exploit_catalog_vuln_assessment_relationship.py +++ b/src/spdx_tools/spdx3/new_model/security/exploit_catalog_vuln_assessment_relationship.py @@ -11,15 +11,14 @@ from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties from spdx_tools.common.typing.type_checks import check_types_and_set_values -from ..core import ( - CreationInfo, - ExternalIdentifier, - ExternalReference, - IntegrityMethod, - RelationshipCompleteness, - RelationshipType, -) -from ..security import ExploitCatalogType, VulnAssessmentRelationship +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod +from ..core.relationship_completeness import RelationshipCompleteness +from ..core.relationship_type import RelationshipType +from ..security.exploit_catalog_type import ExploitCatalogType +from ..security.vuln_assessment_relationship import VulnAssessmentRelationship @dataclass_with_properties @@ -51,16 +50,16 @@ class ExploitCatalogVulnAssessmentRelationship(VulnAssessmentRelationship): ``` """ - catalog_type: ExploitCatalogType + catalog_type: ExploitCatalogType = None """ A catalogType is a mandatory value and must select one of the two entries in the `ExploitCatalogType.md` vocabulary. """ - exploited: bool + exploited: bool = None """ This field is set when a CVE is listed in an exploit catalog. """ - locator: str + locator: str = None """ A locator provides the location of an exploit catalog. """ diff --git a/src/spdx_tools/spdx3/new_model/security/ssvc_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/ssvc_vuln_assessment_relationship.py index 81f261a36..8431299f6 100644 --- a/src/spdx_tools/spdx3/new_model/security/ssvc_vuln_assessment_relationship.py +++ b/src/spdx_tools/spdx3/new_model/security/ssvc_vuln_assessment_relationship.py @@ -11,15 +11,14 @@ from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties from spdx_tools.common.typing.type_checks import check_types_and_set_values -from ..core import ( - CreationInfo, - ExternalIdentifier, - ExternalReference, - IntegrityMethod, - RelationshipCompleteness, - RelationshipType, -) -from ..security import SsvcDecisionType, VulnAssessmentRelationship +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod +from ..core.relationship_completeness import RelationshipCompleteness +from ..core.relationship_type import RelationshipType +from ..security.ssvc_decision_type import SsvcDecisionType +from ..security.vuln_assessment_relationship import VulnAssessmentRelationship @dataclass_with_properties @@ -51,7 +50,7 @@ class SsvcVulnAssessmentRelationship(VulnAssessmentRelationship): ``` """ - decision_type: SsvcDecisionType + decision_type: SsvcDecisionType = None """ A decisionType is a mandatory value and must select one of the four entries in the `SsvcDecisionType.md` vocabulary. diff --git a/src/spdx_tools/spdx3/new_model/security/vex_affected_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/vex_affected_vuln_assessment_relationship.py index e06fe8a54..4ec59b713 100644 --- a/src/spdx_tools/spdx3/new_model/security/vex_affected_vuln_assessment_relationship.py +++ b/src/spdx_tools/spdx3/new_model/security/vex_affected_vuln_assessment_relationship.py @@ -12,15 +12,13 @@ from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties from spdx_tools.common.typing.type_checks import check_types_and_set_values -from ..core import ( - CreationInfo, - ExternalIdentifier, - ExternalReference, - IntegrityMethod, - RelationshipCompleteness, - RelationshipType, -) -from ..security import VexVulnAssessmentRelationship +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod +from ..core.relationship_completeness import RelationshipCompleteness +from ..core.relationship_type import RelationshipType +from ..security.vex_vuln_assessment_relationship import VexVulnAssessmentRelationship @dataclass_with_properties diff --git a/src/spdx_tools/spdx3/new_model/security/vex_fixed_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/vex_fixed_vuln_assessment_relationship.py index 226fd108a..2dc9d17b6 100644 --- a/src/spdx_tools/spdx3/new_model/security/vex_fixed_vuln_assessment_relationship.py +++ b/src/spdx_tools/spdx3/new_model/security/vex_fixed_vuln_assessment_relationship.py @@ -11,15 +11,13 @@ from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties from spdx_tools.common.typing.type_checks import check_types_and_set_values -from ..core import ( - CreationInfo, - ExternalIdentifier, - ExternalReference, - IntegrityMethod, - RelationshipCompleteness, - RelationshipType, -) -from ..security import VexVulnAssessmentRelationship +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod +from ..core.relationship_completeness import RelationshipCompleteness +from ..core.relationship_type import RelationshipType +from ..security.vex_vuln_assessment_relationship import VexVulnAssessmentRelationship @dataclass_with_properties diff --git a/src/spdx_tools/spdx3/new_model/security/vex_not_affected_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/vex_not_affected_vuln_assessment_relationship.py index e31a452d6..cba888597 100644 --- a/src/spdx_tools/spdx3/new_model/security/vex_not_affected_vuln_assessment_relationship.py +++ b/src/spdx_tools/spdx3/new_model/security/vex_not_affected_vuln_assessment_relationship.py @@ -11,15 +11,14 @@ from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties from spdx_tools.common.typing.type_checks import check_types_and_set_values -from ..core import ( - CreationInfo, - ExternalIdentifier, - ExternalReference, - IntegrityMethod, - RelationshipCompleteness, - RelationshipType, -) -from ..security import VexJustificationType, VexVulnAssessmentRelationship +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod +from ..core.relationship_completeness import RelationshipCompleteness +from ..core.relationship_type import RelationshipType +from ..security.vex_justification_type import VexJustificationType +from ..security.vex_vuln_assessment_relationship import VexVulnAssessmentRelationship @dataclass_with_properties diff --git a/src/spdx_tools/spdx3/new_model/security/vex_under_investigation_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/vex_under_investigation_vuln_assessment_relationship.py index ff95163d7..7ad8181c7 100644 --- a/src/spdx_tools/spdx3/new_model/security/vex_under_investigation_vuln_assessment_relationship.py +++ b/src/spdx_tools/spdx3/new_model/security/vex_under_investigation_vuln_assessment_relationship.py @@ -11,15 +11,13 @@ from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties from spdx_tools.common.typing.type_checks import check_types_and_set_values -from ..core import ( - CreationInfo, - ExternalIdentifier, - ExternalReference, - IntegrityMethod, - RelationshipCompleteness, - RelationshipType, -) -from ..security import VexVulnAssessmentRelationship +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod +from ..core.relationship_completeness import RelationshipCompleteness +from ..core.relationship_type import RelationshipType +from ..security.vex_vuln_assessment_relationship import VexVulnAssessmentRelationship @dataclass_with_properties diff --git a/src/spdx_tools/spdx3/new_model/security/vex_vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/vex_vuln_assessment_relationship.py index e95924566..f60ef6b60 100644 --- a/src/spdx_tools/spdx3/new_model/security/vex_vuln_assessment_relationship.py +++ b/src/spdx_tools/spdx3/new_model/security/vex_vuln_assessment_relationship.py @@ -10,7 +10,7 @@ from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties -from ..security import VulnAssessmentRelationship +from ..security.vuln_assessment_relationship import VulnAssessmentRelationship @dataclass_with_properties diff --git a/src/spdx_tools/spdx3/new_model/security/vuln_assessment_relationship.py b/src/spdx_tools/spdx3/new_model/security/vuln_assessment_relationship.py index 978da7ee0..d39ef852f 100644 --- a/src/spdx_tools/spdx3/new_model/security/vuln_assessment_relationship.py +++ b/src/spdx_tools/spdx3/new_model/security/vuln_assessment_relationship.py @@ -11,7 +11,7 @@ from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties -from ..core import Relationship +from ..core.relationship import Relationship @dataclass_with_properties diff --git a/src/spdx_tools/spdx3/new_model/security/vulnerability.py b/src/spdx_tools/spdx3/new_model/security/vulnerability.py index 6ea609249..fd50b6da5 100644 --- a/src/spdx_tools/spdx3/new_model/security/vulnerability.py +++ b/src/spdx_tools/spdx3/new_model/security/vulnerability.py @@ -11,7 +11,11 @@ from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties from spdx_tools.common.typing.type_checks import check_types_and_set_values -from ..core import CreationInfo, Element, ExternalIdentifier, ExternalReference, IntegrityMethod +from ..core.creation_info import CreationInfo +from ..core.element import Element +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod @dataclass_with_properties diff --git a/src/spdx_tools/spdx3/new_model/software/file.py b/src/spdx_tools/spdx3/new_model/software/file.py index 217685f7e..9ac18b2f9 100644 --- a/src/spdx_tools/spdx3/new_model/software/file.py +++ b/src/spdx_tools/spdx3/new_model/software/file.py @@ -11,9 +11,13 @@ from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties from spdx_tools.common.typing.type_checks import check_types_and_set_values -from ..core import CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod -from ..licensing import AnyLicenseInfo -from ..software import SoftwareArtifact, SoftwarePurpose +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod +from ..licensing.any_license_info import AnyLicenseInfo +from ..software.software_artifact import SoftwareArtifact +from ..software.software_purpose import SoftwarePurpose @dataclass_with_properties diff --git a/src/spdx_tools/spdx3/new_model/software/package.py b/src/spdx_tools/spdx3/new_model/software/package.py index f11cc0f5a..7157a9b36 100644 --- a/src/spdx_tools/spdx3/new_model/software/package.py +++ b/src/spdx_tools/spdx3/new_model/software/package.py @@ -11,9 +11,13 @@ from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties from spdx_tools.common.typing.type_checks import check_types_and_set_values -from ..core import CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod -from ..licensing import AnyLicenseInfo -from ..software import SoftwareArtifact, SoftwarePurpose +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod +from ..licensing.any_license_info import AnyLicenseInfo +from ..software.software_artifact import SoftwareArtifact +from ..software.software_purpose import SoftwarePurpose @dataclass_with_properties diff --git a/src/spdx_tools/spdx3/new_model/software/sbom.py b/src/spdx_tools/spdx3/new_model/software/sbom.py index 0b9b77c53..b85d9ff2e 100644 --- a/src/spdx_tools/spdx3/new_model/software/sbom.py +++ b/src/spdx_tools/spdx3/new_model/software/sbom.py @@ -11,8 +11,13 @@ from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties from spdx_tools.common.typing.type_checks import check_types_and_set_values -from ..core import Bom, CreationInfo, ExternalIdentifier, ExternalMap, ExternalReference, IntegrityMethod -from ..software import SbomType +from ..core.bom import Bom +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_map import ExternalMap +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod +from ..software.sbom_type import SbomType @dataclass_with_properties diff --git a/src/spdx_tools/spdx3/new_model/software/snippet.py b/src/spdx_tools/spdx3/new_model/software/snippet.py index 12a594786..958b53c2e 100644 --- a/src/spdx_tools/spdx3/new_model/software/snippet.py +++ b/src/spdx_tools/spdx3/new_model/software/snippet.py @@ -11,9 +11,14 @@ from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties from spdx_tools.common.typing.type_checks import check_types_and_set_values -from ..core import CreationInfo, ExternalIdentifier, ExternalReference, IntegrityMethod, PositiveIntegerRange -from ..licensing import AnyLicenseInfo -from ..software import SoftwareArtifact, SoftwarePurpose +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod +from ..core.positive_integer_range import PositiveIntegerRange +from ..licensing.any_license_info import AnyLicenseInfo +from ..software.software_artifact import SoftwareArtifact +from ..software.software_purpose import SoftwarePurpose @dataclass_with_properties diff --git a/src/spdx_tools/spdx3/new_model/software/software_artifact.py b/src/spdx_tools/spdx3/new_model/software/software_artifact.py index e4d650704..03e499d5d 100644 --- a/src/spdx_tools/spdx3/new_model/software/software_artifact.py +++ b/src/spdx_tools/spdx3/new_model/software/software_artifact.py @@ -11,9 +11,9 @@ from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties -from ..core import Artifact -from ..licensing import AnyLicenseInfo -from ..software import SoftwarePurpose +from ..core.artifact import Artifact +from ..licensing.any_license_info import AnyLicenseInfo +from ..software.software_purpose import SoftwarePurpose @dataclass_with_properties diff --git a/src/spdx_tools/spdx3/new_model/software/software_dependency_relationship.py b/src/spdx_tools/spdx3/new_model/software/software_dependency_relationship.py index 23427c984..ef1e7783d 100644 --- a/src/spdx_tools/spdx3/new_model/software/software_dependency_relationship.py +++ b/src/spdx_tools/spdx3/new_model/software/software_dependency_relationship.py @@ -11,17 +11,16 @@ from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties from spdx_tools.common.typing.type_checks import check_types_and_set_values -from ..core import ( - CreationInfo, - ExternalIdentifier, - ExternalReference, - IntegrityMethod, - LifecycleScopedRelationship, - LifecycleScopeType, - RelationshipCompleteness, - RelationshipType, -) -from ..software import DependencyConditionalityType, SoftwareDependencyLinkType +from ..core.creation_info import CreationInfo +from ..core.external_identifier import ExternalIdentifier +from ..core.external_reference import ExternalReference +from ..core.integrity_method import IntegrityMethod +from ..core.lifecycle_scope_type import LifecycleScopeType +from ..core.lifecycle_scoped_relationship import LifecycleScopedRelationship +from ..core.relationship_completeness import RelationshipCompleteness +from ..core.relationship_type import RelationshipType +from ..software.dependency_conditionality_type import DependencyConditionalityType +from ..software.software_dependency_link_type import SoftwareDependencyLinkType @dataclass_with_properties From 99d99dd4251ad70a4d7b53be2214fdbd53b95eca Mon Sep 17 00:00:00 2001 From: Holger Frydrych Date: Fri, 28 Jul 2023 15:41:24 +0200 Subject: [PATCH 32/33] Update generated model after licensing changes in spec Signed-off-by: Holger Frydrych --- dev/model_dump.json | 3690 +++++++++-------- src/spdx_tools/spdx3/new_model/__init__.py | 2 +- .../new_model/core/profile_identifier_type.py | 20 +- .../spdx3/new_model/dataset/dataset.py | 2 +- .../new_model/expanded_license/__init__.py | 9 - .../__init__.py | 5 +- .../conjunctive_license_set.py | 6 +- .../expanded_licensing/custom_license.py | 32 + .../custom_license_addition.py | 2 +- .../disjunctive_license_set.py | 6 +- .../extendable_license.py | 0 .../license.py | 4 +- .../license_addition.py | 0 .../listed_license.py | 22 +- .../listed_license_exception.py | 2 +- .../or_later_operator.py | 28 +- .../with_addition_operator.py | 13 +- .../new_model/simple_licensing/__init__.py | 9 + .../any_license_info.py | 0 .../license_expression.py | 2 +- .../simple_licensing_text.py} | 22 +- 21 files changed, 1956 insertions(+), 1920 deletions(-) delete mode 100644 src/spdx_tools/spdx3/new_model/expanded_license/__init__.py rename src/spdx_tools/spdx3/new_model/{licensing => expanded_licensing}/__init__.py (75%) rename src/spdx_tools/spdx3/new_model/{expanded_license => expanded_licensing}/conjunctive_license_set.py (91%) create mode 100644 src/spdx_tools/spdx3/new_model/expanded_licensing/custom_license.py rename src/spdx_tools/spdx3/new_model/{licensing => expanded_licensing}/custom_license_addition.py (96%) rename src/spdx_tools/spdx3/new_model/{expanded_license => expanded_licensing}/disjunctive_license_set.py (90%) rename src/spdx_tools/spdx3/new_model/{expanded_license => expanded_licensing}/extendable_license.py (100%) rename src/spdx_tools/spdx3/new_model/{licensing => expanded_licensing}/license.py (95%) rename src/spdx_tools/spdx3/new_model/{licensing => expanded_licensing}/license_addition.py (100%) rename src/spdx_tools/spdx3/new_model/{licensing => expanded_licensing}/listed_license.py (60%) rename src/spdx_tools/spdx3/new_model/{licensing => expanded_licensing}/listed_license_exception.py (97%) rename src/spdx_tools/spdx3/new_model/{licensing => expanded_licensing}/or_later_operator.py (52%) rename src/spdx_tools/spdx3/new_model/{licensing => expanded_licensing}/with_addition_operator.py (79%) create mode 100644 src/spdx_tools/spdx3/new_model/simple_licensing/__init__.py rename src/spdx_tools/spdx3/new_model/{licensing => simple_licensing}/any_license_info.py (100%) rename src/spdx_tools/spdx3/new_model/{licensing => simple_licensing}/license_expression.py (98%) rename src/spdx_tools/spdx3/new_model/{licensing/custom_license.py => simple_licensing/simple_licensing_text.py} (72%) diff --git a/dev/model_dump.json b/dev/model_dump.json index a94cce335..4c8b33f80 100644 --- a/dev/model_dump.json +++ b/dev/model_dump.json @@ -1,2645 +1,2576 @@ { - "ExpandedLicense": { - "name": "ExpandedLicense", + "ExpandedLicensing": { + "name": "ExpandedLicensing", "classes": { - "ConjunctiveLicenseSet": { - "summary": "Portion of an AnyLicenseInfo representing a set of licensing information\nwhere all elements apply.", - "description": "A ConjunctiveLicenseSet indicates that _each_ of its subsidiary\nAnyLicenseInfos apply. In other words, a ConjunctiveLicenseSet of two or\nmore licenses represents a licensing situation where _all_ of the specified\nlicenses are to be complied with. It is represented in the SPDX License\nExpression Syntax by the `AND` operator.\n\nIt is syntactically correct to specify a ConjunctiveLicenseSet where the\nsubsidiary AnyLicenseInfos may be \"incompatible\" according to a particular\ninterpretation of the corresponding Licenses. The SPDX License Expression\nSyntax does not take into account interpretation of license texts, which is\nleft to the consumer of SPDX data to determine for themselves.", - "metadata": { - "name": "ConjunctiveLicenseSet", - "SubclassOf": "Licensing/AnyLicenseInfo", - "Instantiability": "Concrete", - "Status": "Stable", - "id": "https://spdx.org/rdf/v3/ExpandedLicense/ConjunctiveLicenseSet" - }, - "properties": { - "member": { - "type": "Licensing/AnyLicenseInfo", - "minCount": "2", - "maxCount": "*" - } - }, - "externalPropertyRestrictions": {} - }, - "DisjunctiveLicenseSet": { - "summary": "Portion of an AnyLicenseInfo representing a set of licensing information\nwhere only any one of the elements applies.", - "description": "A DisjunctiveLicenseSet indicates that _only one_ of its subsidiary\nAnyLicenseInfos is required to apply. In other words, a\nDisjunctiveLicenseSet of two or more licenses represents a licensing\nsituation where _only one_ of the specified licenses are to be complied with.\nA consumer of SPDX data would typically understand this to permit the recipient\nof the licensed content to choose which of the corresponding license they\nwould prefer to use. It is represented in the SPDX License Expression Syntax\nby the `OR` operator.", + "ListedLicense": { + "summary": "A license that is listed on the SPDX License List.", + "description": "A ListedLicense represents a License that is listed on the SPDX License List\nat https://spdx.org/licenses.", "metadata": { - "name": "DisjunctiveLicenseSet", - "SubclassOf": "Licensing/AnyLicenseInfo", + "name": "ListedLicense", + "SubclassOf": "License", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/ExpandedLicense/DisjunctiveLicenseSet" + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/ListedLicense" }, "properties": { - "member": { - "type": "Licensing/AnyLicenseInfo", - "minCount": "2", - "maxCount": "*" + "listVersionAdded": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "deprecatedVersion": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" } }, "externalPropertyRestrictions": {} }, - "ExtendableLicense": { - "summary": "Abstract class representing a License or an OrLaterOperator.", - "description": "The WithAdditionOperator can have a License or an OrLaterOperator as the license property value. This class is used for the value.", - "metadata": { - "name": "ExtendableLicense", - "SubclassOf": "Licensing/AnyLicenseInfo", - "Instantiability": "Abstract", - "Status": "Stable", - "id": "https://spdx.org/rdf/v3/ExpandedLicense/ExtendableLicense" - }, - "properties": {}, - "externalPropertyRestrictions": {} - } - }, - "properties": { - "subjectLicense": { - "summary": "A License participating in a 'with addition' or 'or later' model.", - "description": "A subjectLicense is a License which is subject to either an 'or later' effect\n(OrLaterOperator) or a 'with additional text' effect (WithAdditionOperator).", - "metadata": { - "name": "subjectLicense", - "Nature": "ObjectProperty", - "Range": "Licensing/License", - "Instantiability": "Concrete", - "Status": "Stable", - "id": "https://spdx.org/rdf/v3/ExpandedLicense/subjectLicense" - } - }, - "subjectAddition": { - "summary": "A LicenseAddition participating in a 'with addition' model.", - "description": "A subjectAddition is a LicenseAddition which is subject to a 'with additional\ntext' effect (WithAdditionOperator).", - "metadata": { - "name": "subjectAddition", - "Nature": "ObjectProperty", - "Range": "LicenseAddition", - "Instantiability": "Concrete", - "Status": "Stable", - "id": "https://spdx.org/rdf/v3/ExpandedLicense/subjectAddition" - } - }, - "member": { - "summary": "A license expression participating in a license set.", - "description": "A member is a license expression participating in a conjuctive (of type\nConjunctiveLicenseSet) or a disjunctive (of type DisjunctiveLicenseSet)\nlicense set.", - "metadata": { - "name": "member", - "Nature": "ObjectProperty", - "Range": "Licensing/AnyLicenseInfo", - "Instantiability": "Concrete", - "Status": "Stable", - "id": "https://spdx.org/rdf/v3/ExpandedLicense/member", - "Domain": [ - "ConjunctiveLicenseSet", - "DisjunctiveLicenseSet" - ] - } - } - }, - "vocabs": {} - }, - "Core": { - "name": "Core", - "classes": { - "PositiveIntegerRange": { - "summary": "A tuple of two positive integers that define a range.", - "description": "PositiveIntegerRange is a tuple of two positive integers that define a range.\n\"begin\" must be less than or equal to \"end\".", + "WithAdditionOperator": { + "summary": "Portion of an AnyLicenseInfo representing a License which has additional\ntext applied to it.", + "description": "A WithAdditionOperator indicates that the designated License is subject to the\ndesignated LicenseAddition, which might be a license exception on the SPDX\nExceptions List (ListedLicenseException) or may be other additional text\n(CustomLicenseAddition). It is represented in the SPDX License Expression\nSyntax by the `WITH` operator.", "metadata": { - "name": "PositiveIntegerRange", - "SubclassOf": "none", + "name": "WithAdditionOperator", + "SubclassOf": "/SimpleLicensing/AnyLicenseInfo", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/PositiveIntegerRange" + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/WithAdditionOperator" }, "properties": { - "begin": { - "type": "xsd:positiveInteger", + "subjectLicense": { + "type": "ExtendableLicense", "minCount": "1", "maxCount": "1" }, - "end": { - "type": "xsd:positiveInteger", + "subjectAddition": { + "type": "LicenseAddition", "minCount": "1", "maxCount": "1" } }, "externalPropertyRestrictions": {} }, - "ElementCollection": { - "summary": "A collection of Elements, not necessarily with unifying context.", - "description": "An SpdxCollection is a collection of Elements, not necessarily with unifying context.", + "License": { + "summary": "Abstract class for the portion of an AnyLicenseInfo representing a license.", + "description": "A License represents a license text, whether listed on the SPDX License List\n(ListedLicense) or defined by an SPDX data creator (CustomLicense).", "metadata": { - "name": "ElementCollection", - "SubclassOf": "Element", + "name": "License", + "SubclassOf": "ExtendableLicense", "Instantiability": "Abstract", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/ElementCollection" + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/License" }, "properties": { - "element": { - "type": "Element", + "/SimpleLicensing/licenseText": { + "type": "xsd:string", "minCount": "1", - "maxCount": "*" + "maxCount": "1" }, - "rootElement": { - "type": "Element", - "minCount": "1", - "maxCount": "*" + "isOsiApproved": { + "type": "xsd:boolean", + "minCount": "0", + "maxCount": "1" }, - "imports": { - "type": "ExternalMap", + "isFsfLibre": { + "type": "xsd:boolean", "minCount": "0", - "maxCount": "*" + "maxCount": "1" + }, + "standardLicenseHeader": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "standardLicenseTemplate": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "isDeprecatedLicenseId": { + "type": "xsd:boolean", + "minCount": "0", + "maxCount": "1" + }, + "obsoletedBy": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" } }, "externalPropertyRestrictions": {} }, - "ExternalReference": { - "summary": "A reference to a resource outside the scope of SPDX-3.0 content.", - "description": "An External Reference points to a resource outside the scope of the SPDX-3.0 content\nthat provides additional characteristics of an Element.", + "CustomLicenseAddition": { + "summary": "A license addition that is not listed on the SPDX Exceptions List.", + "description": "A CustomLicenseAddition represents an addition to a License that is not listed\non the SPDX Exceptions List at https://spdx.org/licenses/exceptions-index.html,\nand is therefore defined by an SPDX data creator.\n\nIt is intended to represent additional language which is meant to be added to\na License, but which is not itself a standalone License.", "metadata": { - "name": "ExternalReference", - "SubclassOf": "none", + "name": "CustomLicenseAddition", + "SubclassOf": "LicenseAddition", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/ExternalReference" + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/CustomLicenseAddition" + }, + "properties": {}, + "externalPropertyRestrictions": {} + }, + "ConjunctiveLicenseSet": { + "summary": "Portion of an AnyLicenseInfo representing a set of licensing information\nwhere all elements apply.", + "description": "A ConjunctiveLicenseSet indicates that _each_ of its subsidiary\nAnyLicenseInfos apply. In other words, a ConjunctiveLicenseSet of two or\nmore licenses represents a licensing situation where _all_ of the specified\nlicenses are to be complied with. It is represented in the SPDX License\nExpression Syntax by the `AND` operator.\n\nIt is syntactically correct to specify a ConjunctiveLicenseSet where the\nsubsidiary AnyLicenseInfos may be \"incompatible\" according to a particular\ninterpretation of the corresponding Licenses. The SPDX License Expression\nSyntax does not take into account interpretation of license texts, which is\nleft to the consumer of SPDX data to determine for themselves.", + "metadata": { + "name": "ConjunctiveLicenseSet", + "SubclassOf": "/SimpleLicensing/AnyLicenseInfo", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/ConjunctiveLicenseSet" }, "properties": { - "externalReferenceType": { - "type": "ExternalReferenceType", - "maxCount": "1", - "minCount": "0" - }, - "locator": { - "type": "xsd:anyURI", - "minCount": "0", + "member": { + "type": "/SimpleLicensing/AnyLicenseInfo", + "minCount": "2", "maxCount": "*" - }, - "contentType": { - "type": "MediaType", - "maxCount": "1", - "minCount": "0" - }, - "comment": { - "type": "xsd:string", - "maxCount": "1", - "minCount": "0" } }, "externalPropertyRestrictions": {} }, - "ExternalIdentifier": { - "summary": "A reference to a resource outside the scope of SPDX-3.0 content that uniquely identifies an Element.", - "description": "An ExternalIdentifier is a reference to a resource outside the scope of SPDX-3.0 content\nthat uniquely identifies an Element.", + "LicenseAddition": { + "summary": "Abstract class for additional text intended to be added to a License, but\nwhich is not itself a standalone License.", + "description": "A LicenseAddition represents text which is intended to be added to a License\nas additional text, but which is not itself intended to be a standalone\nLicense.\n\nIt may be an exception which is listed on the SPDX Exceptions List\n(ListedLicenseException), or may be any other additional text (as an exception\nor otherwise) which is defined by an SPDX data creator (CustomLicenseAddition).", "metadata": { - "name": "ExternalIdentifier", - "Instantiability": "Concrete", + "name": "LicenseAddition", + "SubclassOf": "/Core/Element", + "Instantiability": "Abstract", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/ExternalIdentifier" + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/LicenseAddition" }, "properties": { - "externalIdentifierType": { - "type": "ExternalIdentifierType", - "minCount": "1", - "maxCount": "1" - }, - "identifier": { + "additionText": { "type": "xsd:string", "minCount": "1", "maxCount": "1" }, - "comment": { + "standardAdditionTemplate": { "type": "xsd:string", "minCount": "0", "maxCount": "1" }, - "identifierLocator": { - "type": "xsd:anyURI", + "isDeprecatedAdditionId": { + "type": "xsd:boolean", "minCount": "0", - "maxCount": "*" + "maxCount": "1" }, - "issuingAuthority": { - "type": "xsd:anyURI", + "obsoletedBy": { + "type": "xsd:string", "minCount": "0", "maxCount": "1" } }, "externalPropertyRestrictions": {} }, - "Bom": { - "summary": "A container for a grouping of SPDX-3.0 content characterizing details\n(provenence, composition, licensing, etc.) about a product.", - "description": "A Bill Of Materials (BOM) is a container for a grouping of SPDX-3.0 content\ncharacterizing details about a product.\nThis could include details of the content and composition of the product,\nprovenence details of the product and/or\nits composition, licensing information, known quality or security issues, etc.", + "OrLaterOperator": { + "summary": "Portion of an AnyLicenseInfo representing this version, or any later version,\nof the indicated License.", + "description": "An OrLaterOperator indicates that this portion of the AnyLicenseInfo\nrepresents either (1) the specified version of the corresponding License, or\n(2) any later version of that License. It is represented in the SPDX License\nExpression Syntax by the `+` operator.\n\nIt is context-dependent, and unspecified by SPDX, as to what constitutes a\n\"later version\" of any particular License. Some Licenses may not be versioned,\nor may not have clearly-defined ordering for versions. The consumer of SPDX\ndata will need to determine for themselves what meaning to attribute to a\n\"later version\" operator for a particular License.", "metadata": { - "name": "Bom", - "SubclassOf": "Bundle", + "name": "OrLaterOperator", + "SubclassOf": "ExtendableLicense", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/Bom" + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/OrLaterOperator" + }, + "properties": { + "subjectLicense": { + "type": "License", + "minCount": "1", + "maxCount": "1" + } }, - "properties": {}, "externalPropertyRestrictions": {} }, - "SpdxDocument": { - "summary": "Assembles a collection of Elements under a common string, the name of the document.", - "description": "An SpdxDocument assembles a collection of Elements under a common string, the name of the document.\nCommonly used when representing a unit of transfer of SPDX Elements.\nExternal property restriction on /Core/Element/name: minCount: 1", + "DisjunctiveLicenseSet": { + "summary": "Portion of an AnyLicenseInfo representing a set of licensing information\nwhere only any one of the elements applies.", + "description": "A DisjunctiveLicenseSet indicates that _only one_ of its subsidiary\nAnyLicenseInfos is required to apply. In other words, a\nDisjunctiveLicenseSet of two or more licenses represents a licensing\nsituation where _only one_ of the specified licenses are to be complied with.\nA consumer of SPDX data would typically understand this to permit the recipient\nof the licensed content to choose which of the corresponding license they\nwould prefer to use. It is represented in the SPDX License Expression Syntax\nby the `OR` operator.", "metadata": { - "name": "SpdxDocument", - "SubclassOf": "Bundle", + "name": "DisjunctiveLicenseSet", + "SubclassOf": "/SimpleLicensing/AnyLicenseInfo", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/SpdxDocument" + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/DisjunctiveLicenseSet" }, "properties": { - "name": { - "type": "xsd:string", - "minCount": "1", - "maxCount": "1" - } - }, - "externalPropertyRestrictions": { - "/Core/Element/name": { - "minCount": "1", + "member": { + "type": "/SimpleLicensing/AnyLicenseInfo", + "minCount": "2", "maxCount": "*" } - } + }, + "externalPropertyRestrictions": {} }, - "Tool": { - "summary": "An element of hardware and/or software utilized to carry out a particular function.", - "description": "A Tool is an element of hardware and/or software utilized to carry out a particular function.", + "CustomLicense": { + "summary": "A license that is not listed on the SPDX License List.", + "description": "A CustomLicense represents a License that is not listed on the SPDX License\nList at https://spdx.org/licenses, and is therefore defined by an SPDX data\ncreator.", "metadata": { - "name": "Tool", - "SubclassOf": "Element", + "name": "CustomLicense", + "SubclassOf": "License", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/Tool" + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/CustomLicense" }, "properties": {}, "externalPropertyRestrictions": {} }, - "CreationInfo": { - "summary": "Provides information about the creation of the Element.", - "description": "The CreationInfo provides information about who created the Element, and when and how it was created. \n\nThe dateTime created is often the date of last change (e.g., a git commit date), not the date when the SPDX data was created, as doing so supports reproducible builds.", + "ListedLicenseException": { + "summary": "A license exception that is listed on the SPDX Exceptions list.", + "description": "A ListedLicenseException represents an exception to a License (in other words,\nan exception to a license condition or an additional permission beyond those\ngranted in a License) which is listed on the SPDX Exceptions List at\nhttps://spdx.org/licenses/exceptions-index.html.", "metadata": { - "name": "CreationInfo", + "name": "ListedLicenseException", + "SubclassOf": "LicenseAddition", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/CreationInfo" + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/ListedLicenseException" }, "properties": { - "specVersion": { - "type": "SemVer", - "minCount": "1", - "maxCount": "1" - }, - "comment": { + "listVersionAdded": { "type": "xsd:string", "minCount": "0", "maxCount": "1" }, - "created": { - "type": "DateTime", - "maxCount": "1", - "minCount": "0" - }, - "createdBy": { - "type": "Agent", - "minCount": "1", - "maxCount": "*" - }, - "createdUsing": { - "type": "Tool", - "minCount": "0", - "maxCount": "*" - }, - "profile": { - "type": "ProfileIdentifierType", - "minCount": "1", - "maxCount": "*" - }, - "dataLicense": { + "deprecatedVersion": { "type": "xsd:string", - "maxCount": "1", - "minCount": "0" + "minCount": "0", + "maxCount": "1" } }, "externalPropertyRestrictions": {} }, - "Organization": { - "summary": "A group of people who work together in an organized way for a shared purpose.", - "description": "An Organization is a group of people who work together in an organized way for a shared purpose.", + "ExtendableLicense": { + "summary": "Abstract class representing a License or an OrLaterOperator.", + "description": "The WithAdditionOperator can have a License or an OrLaterOperator as the license property value. This class is used for the value.", "metadata": { - "name": "Organization", - "SubclassOf": "Agent", - "Instantiability": "Concrete", + "name": "ExtendableLicense", + "SubclassOf": "/Licensing/AnyLicenseInfo", + "Instantiability": "Abstract", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/Organization" + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/ExtendableLicense" }, "properties": {}, "externalPropertyRestrictions": {} + } + }, + "properties": { + "seeAlso": { + "summary": "Contains a URL where the License or LicenseAddition can be found in use.", + "description": "A seeAlso defines a cross-reference with a URL where the License or\nLicenseAddition can be found in use by one or a few projects.\n\nIf applicable, it should include a URL where the license text is posted by\nthe license steward, particularly if the license steward has made available a\n\"canonical\" primary URL for the license text.\n\nIf the license is OSI approved, a seeAlso should be included with the URL for\nthe license's listing on the OSI website.\n\nThe seeAlso URL may refer to a previously-available URL for the License or\nLicenseAddition which is no longer active.\n\nWhere applicable, the seeAlso URL should include the license text in its\nnative language. seeAlso URLs to English or other translations may be included\nwhere multiple, equivalent official translations exist.", + "metadata": { + "name": "seeAlso", + "Nature": "DataProperty", + "Range": "xsd:anyURI", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/seeAlso" + } }, - "LifecycleScopedRelationship": { - "summary": "", - "description": "TODO", + "standardLicenseHeader": { + "summary": "Provides a License author's preferred text to indicate that a file is covered\nby the License.", + "description": "A standardLicenseHeader contains the plain text of the License author's\npreferred wording to be used, typically in a source code file's header\ncomments or similar location, to indicate that the file is subject to\nthe specified License.", "metadata": { - "name": "LifecycleScopedRelationship", - "SubclassOf": "Relationship", + "name": "standardLicenseHeader", + "Nature": "DataProperty", + "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/LifecycleScopedRelationship" - }, - "properties": { - "scope": { - "type": "LifecycleScopeType", - "minCount": "0", - "maxCount": "1" - } - }, - "externalPropertyRestrictions": {} + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/standardLicenseHeader", + "Domain": [ + "License" + ] + } }, - "SoftwareAgent": { - "summary": "A software agent.", - "description": "A SoftwareAgent is a software program that is given the authority (similar to a user's authority) to act on a system.", + "licenseName": { + "summary": "Identifies the full name of a License.", + "description": "A licenseName contains the full name of a License, preferably using the title found\nin the applicable license text or file, or as otherwise specified by the\nLicense's author or steward.\n\nWhen no such title is specified, using a name from another well-known source or list\nof licenses (such as OSI or Fedora) is suggested.\n\nIf no official or common name is known, any name may be used to aid in\ndistinguishing the License from other Licenses.", "metadata": { - "name": "SoftwareAgent", - "SubclassOf": "Agent", + "name": "licenseName", + "Nature": "DataProperty", + "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/SoftwareAgent" - }, - "properties": {}, - "externalPropertyRestrictions": {} + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/licenseName" + } }, - "IntegrityMethod": { - "summary": "Provides an independently reproducible mechanism that permits verification of a specific Element.", - "description": "An IntegrityMethod provides an independently reproducible mechanism that permits verification\nof a specific Element that correlates to the data in this SPDX document. This identifier enables\na recipient to determine if anything in the original Element has been changed and eliminates\nconfusion over which version or modification of a specific Element is referenced.", + "isDeprecatedLicenseId": { + "summary": "Specifies whether a license or additional text identifier has been marked as\ndeprecated.", + "description": "The isDeprecatedLicenseId property specifies whether an identifier for a\nLicense or LicenseAddition has been marked as deprecated. If the property\nis not defined, then it is presumed to be false (i.e., not deprecated).\n\nIf the License or LicenseAddition is included on the SPDX License List, then\nthe `deprecatedVersion` property indicates on which version release of the\nLicense List it was first marked as deprecated.\n\n\"Deprecated\" in this context refers to deprecating the use of the\n_identifier_, not the underlying license. In other words, even if a License's\nauthor or steward has stated that a particular License generally should not be\nused, that would _not_ mean that the License's identifier is \"deprecated.\"\nRather, a License or LicenseAddition operator is typically marked as\n\"deprecated\" when it is determined that use of another identifier is\npreferable.", "metadata": { - "name": "IntegrityMethod", - "Instantiability": "Abstract", + "name": "isDeprecatedLicenseId", + "Nature": "DataProperty", + "Range": "xsd:boolean", + "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/IntegrityMethod" - }, - "properties": { - "comment": { - "type": "xsd:string", - "maxCount": "1", - "minCount": "0" - } - }, - "externalPropertyRestrictions": {} + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/isDeprecatedLicenseId", + "Domain": [ + "License" + ] + } }, - "Relationship": { - "summary": "Describes a relationship between one or more elements.", - "description": "A Relationship is a grouping of characteristics unique to an assertion\nthat one Element is related to one or more other Elements in some way.", + "isDeprecatedAdditionId": { + "summary": "Specifies whether an additional text identifier has been marked as deprecated.", + "description": "The isDeprecatedAdditionId property specifies whether an identifier for a\nLicenseAddition has been marked as deprecated. If the property is not defined,\nthen it is presumed to be false (i.e., not deprecated).\n\nIf the LicenseAddition is included on the SPDX Exceptions List, then\nthe `deprecatedVersion` property indicates on which version release of the\nExceptions List it was first marked as deprecated.\n\n\"Deprecated\" in this context refers to deprecating the use of the\n_identifier_, not the underlying license addition. In other words, even if a\nLicenseAddition's author or steward has stated that a particular\nLicenseAddition generally should not be used, that would _not_ mean that the\nLicenseAddition's identifier is \"deprecated.\" Rather, a LicenseAddition\noperator is typically marked as \"deprecated\" when it is determined that use of\nanother identifier is preferable.", "metadata": { - "name": "Relationship", - "SubclassOf": "Element", + "name": "isDeprecatedAdditionId", + "Nature": "DataProperty", + "Range": "xsd:boolean", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/Relationship" - }, - "properties": { - "from": { - "type": "Element", - "minCount": "1", - "maxCount": "1" - }, - "to": { - "type": "Element", - "minCount": "0", - "maxCount": "*" - }, - "relationshipType": { - "type": "RelationshipType", - "minCount": "1", - "maxCount": "1" - }, - "completeness": { - "type": "RelationshipCompleteness", - "minCount": "0", - "maxCount": "1" - }, - "startTime": { - "type": "DateTime", - "minCount": "0", - "maxCount": "1" - }, - "endTime": { - "type": "DateTime", - "minCount": "0", - "maxCount": "1" - } - }, - "externalPropertyRestrictions": {} + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/isDeprecatedAdditionId", + "Domain": [ + "LicenseAddition" + ] + } }, - "Element": { - "summary": "Base domain class from which all other SPDX-3.0 domain classes derive.", - "description": "An Element is a representation of a fundamental concept either directly inherent\nto the Bill of Materials (BOM) domain or indirectly related to the BOM domain\nand necessary for contextually characterizing BOM concepts and relationships.\nWithin SPDX-3.0 structure this is the base class acting as a consistent,\nunifying, and interoperable foundation for all explicit\nand inter-relatable content objects.", + "subjectLicense": { + "summary": "A License participating in a 'with addition' or 'or later' model.", + "description": "A subjectLicense is a License which is subject to either an 'or later' effect\n(OrLaterOperator) or a 'with additional text' effect (WithAdditionOperator).", "metadata": { - "name": "Element", - "SubclassOf": "none", - "Instantiability": "Abstract", + "name": "subjectLicense", + "Nature": "ObjectProperty", + "Range": "License", + "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/Element" - }, - "properties": { - "spdxId": { - "type": "xsd:anyURI", - "minCount": "1", - "maxCount": "1" - }, - "name": { - "type": "xsd:string", - "maxCount": "1", - "minCount": "0" - }, - "summary": { - "type": "xsd:string", - "maxCount": "1", - "minCount": "0" - }, - "description": { - "type": "xsd:string", - "maxCount": "1", - "minCount": "0" - }, - "comment": { - "type": "xsd:string", - "maxCount": "1", - "minCount": "0" - }, - "creationInfo": { - "type": "CreationInfo", - "minCount": "1", - "maxCount": "1" - }, - "verifiedUsing": { - "type": "IntegrityMethod", - "minCount": "0", - "maxCount": "*" - }, - "externalReference": { - "type": "ExternalReference", - "minCount": "0", - "maxCount": "*" - }, - "externalIdentifier": { - "type": "ExternalIdentifier", - "minCount": "0", - "maxCount": "*" - }, - "extension": { - "type": "Extension", - "minCount": "0", - "maxCount": "*" - } - }, - "externalPropertyRestrictions": {} + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/subjectLicense", + "Domain": [ + "WithAdditionOperator", + "OrLaterOperator" + ] + } }, - "Agent": { - "summary": "Agent represents anything with the potential to act on a system.", - "description": "The Agent class represents anything that has the potential to act on a system. This could be a person, organization, software agent, etc. This is not to be confused with tools that are used to perform tasks.", + "additionText": { + "summary": "Identifies the full text of a LicenseAddition.", + "description": "An additionText contains the plain text of the LicenseAddition, without\ntemplating or other similar markup.\n\nUsers of the additionText for a License can apply the SPDX Matching Guidelines\nwhen comparing it to another text for matching purposes.", "metadata": { - "name": "Agent", - "SubclassOf": "Element", + "name": "additionText", + "Nature": "DataProperty", + "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/Agent" - }, - "properties": {}, - "externalPropertyRestrictions": {} + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/additionText", + "Domain": [ + "LicenseAddition" + ] + } }, - "Hash": { - "summary": "A mathematically calculated representation of a grouping of data.", - "description": "A hash is a grouping of characteristics unique to the result\nof applying a mathematical algorithm\nthat maps data of arbitrary size to a bit string (the hash)\nand is a one-way function, that is,\na function which is practically infeasible to invert.\nThis is commonly used for integrity checking of data.", + "isFsfLibre": { + "summary": "Specifies whether the License is listed as free by the\n[Free Software Foundation (FSF)](https://fsf.org).", + "description": "isFsfLibre specifies whether the [Free Software Foundation FSF](https://fsf.org)\nhas listed this License as \"free\" in their commentary on licenses, located at\nthe time of this writing at https://www.gnu.org/licenses/license-list.en.html.\n\nA value of \"true\" indicates that the FSF has listed this License as _free_.\n\nA value of \"false\" indicates that the FSF has listed this License as _not free_.\n\nIf the isFsfLibre field is not specified, the SPDX data creator makes no\nassertions about whether the License is listed in the FSF's commentary.", "metadata": { - "name": "Hash", - "SubclassOf": "IntegrityMethod", + "name": "isFsfLibre", + "Nature": "DataProperty", + "Range": "xsd:boolean", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/Hash" - }, - "properties": { - "algorithm": { - "type": "HashAlgorithm", - "minCount": "1", - "maxCount": "1" - }, - "hashValue": { - "type": "xsd:string", - "minCount": "1", - "maxCount": "1" - } - }, - "externalPropertyRestrictions": {} + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/isFsfLibre", + "Domain": [ + "License" + ] + } }, - "DictionaryEntry": { - "summary": "A key with an associated value.", - "description": "The class used for implementing a generic string mapping (also known as associative array, dictionary, or hash map) in SPDX. Each DictionaryEntry contains a key-value pair which maps the key to its associated value. To implement a dictionary, this class is to be used in a collection with unique keys.", + "listVersionAdded": { + "summary": "Specifies the SPDX License List version in which this ListedLicense or\nListedLicenseException identifier was first added.", + "description": "A listVersionAdded for a ListedLicense or ListedLicenseException on the SPDX\nLicense List specifies which version release of the License List was the first\none in which it was included.", "metadata": { - "name": "DictionaryEntry", + "name": "listVersionAdded", + "Nature": "DataProperty", + "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/DictionaryEntry" - }, - "properties": { - "key": { - "type": "xsd:string", - "minCount": "1", - "maxCount": "1" - }, - "value": { - "type": "xsd:string", - "maxCount": "1", - "minCount": "0" - } - }, - "externalPropertyRestrictions": {} + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/listVersionAdded", + "Domain": [ + "ListedLicense", + "ListedLicenseException" + ] + } }, - "Person": { - "summary": "An individual human being.", - "description": "A Person is an individual human being.", + "subjectAddition": { + "summary": "A LicenseAddition participating in a 'with addition' model.", + "description": "A subjectAddition is a LicenseAddition which is subject to a 'with additional\ntext' effect (WithAdditionOperator).", "metadata": { - "name": "Person", - "SubclassOf": "Agent", + "name": "subjectAddition", + "Nature": "ObjectProperty", + "Range": "LicenseAddition", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/Person" - }, - "properties": {}, - "externalPropertyRestrictions": {} + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/subjectAddition", + "Domain": [ + "WithAdditionOperator" + ] + } }, - "Bundle": { - "summary": "A collection of Elements that have a shared context.", - "description": "A bundle is a collection of Elements that have a shared context.", + "obsoletedBy": { + "summary": "Specifies the licenseId that is preferred to be used in place of a deprecated\nLicense or LicenseAddition.", + "description": "An obsoletedBy value for a deprecated License or LicenseAddition specifies\nthe licenseId of the replacement License or LicenseAddition that is preferred\nto be used in its place. It should use the same format as specified for a\nlicenseId.\n\nThe License's or LicenseAddition's comment value may include more information\nabout the reason why the licenseId specified in the obsoletedBy value is\npreferred.", "metadata": { - "name": "Bundle", - "SubclassOf": "ElementCollection", + "name": "obsoletedBy", + "Nature": "DataProperty", + "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/Bundle" - }, - "properties": { - "context": { - "type": "xsd:string", - "maxCount": "1", - "minCount": "0" - } - }, - "externalPropertyRestrictions": {} + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/obsoletedBy", + "Domain": [ + "License", + "LicenseAddition" + ] + } }, - "Artifact": { - "summary": "A distinct article or unit within the digital domain.", - "description": "An artifact is a distinct article or unit within the digital domain,\nsuch as an electronic file, a software package, a device or an element of data.", + "standardLicenseTemplate": { + "summary": "Identifies the full text of a License, in SPDX templating format.", + "description": "A standardLicenseTemplate contains a license template which describes\nsections of the License text which can be varied. See the Legacy Text Template\nformat section of the SPDX specification for format information.", "metadata": { - "name": "Artifact", - "SubclassOf": "Element", - "Instantiability": "Abstract", + "name": "standardLicenseTemplate", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/Artifact" - }, - "properties": { - "originatedBy": { - "type": "Agent", - "minCount": "0", - "maxCount": "*" - }, - "suppliedBy": { - "type": "Agent", - "minCount": "0", - "maxCount": "*" - }, - "builtTime": { - "type": "DateTime", - "minCount": "0", - "maxCount": "1" - }, - "releaseTime": { - "type": "DateTime", - "minCount": "0", - "maxCount": "1" - }, - "validUntilTime": { - "type": "DateTime", - "minCount": "0", - "maxCount": "1" - }, - "standard": { - "type": "xsd:string", - "minCount": "0", - "maxCount": "*" - } - }, - "externalPropertyRestrictions": {} + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/standardLicenseTemplate", + "Domain": [ + "License" + ] + } }, - "Annotation": { - "summary": "An assertion made in relation to one or more elements.", - "description": "An Annotation is an assertion made in relation to one or more elements.", + "additionName": { + "summary": "Identifies the full name of a LicenseAddition.", + "description": "An additionName contains the full name of a LicenseAddition, preferably using\nthe title found in the applicable license addition text or file, or as\notherwise specified by the LicenseAddition's author or steward.\n\nWhen no such title is specified, using a name from another well-known source or list\nof licenses additions (such as OSI or Fedora) is suggested.\n\nIf no official or common name is known, any name may be used to aid in\ndistinguishing the LicenseAddition from other LicenseAdditions.", "metadata": { - "name": "Annotation", - "SubclassOf": "Element", + "name": "additionName", + "Nature": "DataProperty", + "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/Annotation" - }, - "properties": { - "annotationType": { - "type": "AnnotationType", - "minCount": "1", - "maxCount": "1" - }, - "contentType": { - "type": "MediaType", - "minCount": "0", - "maxCount": "*" - }, - "statement": { - "type": "xsd:string", - "minCount": "0", - "maxCount": "1" - }, - "subject": { - "type": "Element", - "minCount": "1", - "maxCount": "1" - } - }, - "externalPropertyRestrictions": {} + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/additionName" + } }, - "ExternalMap": { - "summary": "A map of Element identifiers that are used within a Document but defined external to that Document.", - "description": "An External Map is a map of Element identifiers that are used within a Document\nbut defined external to that Document.\nThe external map provides details about the externally-defined Element\nsuch as its provenance, where to retrieve it, and how to verify its integrity.", + "standardAdditionTemplate": { + "summary": "Identifies the full text of a LicenseAddition, in SPDX templating format.", + "description": "A standardAdditionTemplate contains a license addition template which describes\nsections of the LicenseAddition text which can be varied. See the Legacy Text\nTemplate format section of the SPDX specification for format information.", "metadata": { - "name": "ExternalMap", - "SubclassOf": "none", + "name": "standardAdditionTemplate", + "Nature": "DataProperty", + "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/ExternalMap" - }, - "properties": { - "externalId": { - "type": "xsd:anyURI", - "minCount": "1", - "maxCount": "1" - }, - "verifiedUsing": { - "type": "IntegrityMethod", - "minCount": "0", - "maxCount": "*" - }, - "locationHint": { - "type": "xsd:anyURI", - "maxCount": "1", - "minCount": "0" - }, - "definingDocument": { - "type": "xsd:anyURI", - "maxCount": "1", - "minCount": "0" - } - }, - "externalPropertyRestrictions": {} - } - }, - "properties": { - "begin": { - "summary": "Defines the beginning of a range.", - "description": "begin is a positive integer that defines the beginning of a range.", - "metadata": { - "name": "begin", - "Nature": "DataProperty", - "Range": "xsd:positiveInteger", - "Instantiability": "Concrete", - "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/begin", + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/standardAdditionTemplate", "Domain": [ - "PositiveIntegerRange" + "LicenseAddition" ] } }, - "createdUsing": { - "summary": "Identifies the tooling that was used during the creation of the Element.", - "description": "CreatedUsing identifies the tooling that was used during the creation of the Element.\nThe generation method will assist the recipient of the Element in assessing\nthe general reliability/accuracy of the analysis information.", + "licenseComment": { + "summary": "Identifies general comments about the License.", + "description": "A licenseComment describes general factual information about the License. It\nshould not contain information (or links to information) that includes any kind\nof interpretation about the meaning or effect of the License, even if written\nby the license's author.\n\nExamples of information for a licenseComment may include the following:\n\n* If the License's identifier is deprecated, it may briefly explain the reason\n for deprecation.\n* It may include the date of release, if identified, for Licenses with multiple\n versions.\n* It may include links to other official language translations for the License.\n* For LicenseAdditions, it may include a reference to the License(s) with\n which this additional text is typically used.", "metadata": { - "name": "createdUsing", - "Nature": "ObjectProperty", - "Range": "Tool", + "name": "licenseComment", + "Nature": "DataProperty", + "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/createdUsing", - "Domain": [ - "CreationInfo" - ] + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/licenseComment" } }, - "statement": { - "summary": "Commentary on an assertion that an annotator has made.", - "description": "A statement is a commentary on an assertion that an annotator has made.", + "deprecatedVersion": { + "summary": "Specifies the SPDX License List version in which this license or exception\nidentifier was deprecated.", + "description": "A deprecatedVersion for a ListedLicense or ListedLicenseException on the SPDX\nLicense List specifies which version release of the License List was the first\none in which it was marked as deprecated.", "metadata": { - "name": "statement", + "name": "deprecatedVersion", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/statement", + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/deprecatedVersion", "Domain": [ - "Annotation" + "ListedLicense", + "ListedLicenseException" ] } }, - "creationInfo": { - "summary": "Provides information about the creation of the Element.", - "description": "CreationInfo provides information about the creation of the Element.", + "member": { + "summary": "A license expression participating in a license set.", + "description": "A member is a license expression participating in a conjunctive (of type\nConjunctiveLicenseSet) or a disjunctive (of type DisjunctiveLicenseSet)\nlicense set.", "metadata": { - "name": "creationInfo", + "name": "member", "Nature": "ObjectProperty", - "Range": "CreationInfo", + "Range": "/SimpleLicensing/AnyLicenseInfo", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/creationInfo", + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/member", "Domain": [ - "Element" + "ConjunctiveLicenseSet", + "DisjunctiveLicenseSet" ] } }, - "locationHint": { - "summary": "Provides an indication of where to retrieve an external Element.", - "description": "A locationHint provides an indication of where to retrieve an external Element.", + "licenseId": { + "summary": "Provides a short, unique identifier to refer to a License.", + "description": "A licenseId contains a human-readable, short-form license identifier for a\nLicense. It may only include letters, numbers, period (\".\") and hyphen (\"-\")\ncharacters.\n\nFor a ListedLicense, the licenseId will be as specified on the\n[SPDX License List](https://spdx.org/licenses) for the particular license.\n\nFor a CustomLicense, the short-form license identifier must begin with the\nprefix `LicenseRef-` and must be unique within the applicable SPDX namespace.\nThe short-form license ID may be preceded by an SPDX namespace or a\nfully-qualified URI prefix.", "metadata": { - "name": "locationHint", + "name": "licenseId", "Nature": "DataProperty", - "Range": "xsd:anyURI", + "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/locationHint", - "Domain": [ - "ExternalMap" - ] + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/licenseId" } }, - "identifierLocator": { - "summary": "TODO", - "description": "A identifierLocator is TODO", + "additionId": { + "summary": "Provides a short, unique identifier to refer to a LicenseAddition.", + "description": "An additionId contains a human-readable, short-form identifier for a\nLicenseAddition. It may only include letters, numbers, period (\".\") and\nhyphen (\"-\") characters.\n\nFor a ListedLicenseException, the licenseId will be as specified on the\n[SPDX Exceptions List](https://spdx.org/licenses/exceptions-index.html) for the\nparticular exception.\n\nFor a CustomLicenseAddition, the short-form identifier must begin with the\nprefix `AdditionRef-` and must be unique within the applicable SPDX namespace.\nThe short-form identifier may be preceded by an SPDX namespace or a\nfully-qualified URI prefix.", "metadata": { - "name": "identifierLocator", + "name": "additionId", "Nature": "DataProperty", - "Range": "xsd:anyURI", + "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/identifierLocator", - "Domain": [ - "ExternalIdentifier" - ] + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/additionId" } }, - "subject": { - "summary": "An Element an annotator has made an assertion about.", - "description": "A subject is an Element an annotator has made an assertion about.", + "isOsiApproved": { + "summary": "Specifies whether the License is listed as approved by the\n[Open Source Initiative (OSI)](https://opensource.org).", + "description": "isOsiApproved specifies whether the [Open Source Initiative (OSI)](https://opensource.org)\nhas listed this License as \"approved\" in their list of OSI Approved Licenses,\nlocated at the time of this writing at https://opensource.org/licenses/.\n\nA value of \"true\" indicates that the OSI has listed this License as approved.\n\nA value of \"false\" indicates that the OSI has not listed this License as\napproved.\n\nIf the isOsiApproved field is not specified, the SPDX data creator makes no\nassertions about whether the License is approved by the OSI.", "metadata": { - "name": "subject", - "Nature": "ObjectProperty", - "Range": "Element", + "name": "isOsiApproved", + "Nature": "DataProperty", + "Range": "xsd:boolean", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/subject", + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/isOsiApproved", "Domain": [ - "Annotation" + "License" ] } }, - "validUntilTime": { - "summary": "Specifies until when the artifact can be used before its usage needs to be reassessed.", - "description": "A validUntilTime specifies until when the artifact can be used before its usage needs to be reassessed.", + "additionComment": { + "summary": "Identifies general comments about the LicenseAddition.", + "description": "An additionComment for a LicenseAddition describes general factual information\nabout the LicenseAddition. It should not contain information (or links to\ninformation) that includes any kind of interpretation about the meaning or\neffect of the License, even if written by the license addition's author.\n\nExamples of information for an additionComment may include the following:\n\n* If the LicenseAddition's identifier is deprecated, it may briefly explain the\n reason for deprecation.\n* It may include the date of release, if identified, for LicenseAdditions with\n multiple versions.\n* It may include links to other official language translations for the\n LicenseAddition.\n* It may include a reference to the License(s) with which this LicenseAddition\n is typically used.", "metadata": { - "name": "validUntilTime", + "name": "additionComment", "Nature": "DataProperty", - "Range": "DateTime", + "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/validUntilTime", - "Domain": [ - "Artifact" - ] + "id": "https://spdx.org/rdf/v3/ExpandedLicensing/additionComment" } - }, - "definingDocument": { - "summary": "URI for an SPDX document which defines an SPDX element.", - "description": "A definingDocument property is used to link an Element identifier to an SpdxDocument which contains the definition for the Element.", + } + }, + "vocabs": {} + }, + "Core": { + "name": "Core", + "classes": { + "PositiveIntegerRange": { + "summary": "A tuple of two positive integers that define a range.", + "description": "PositiveIntegerRange is a tuple of two positive integers that define a range.\n\"begin\" must be less than or equal to \"end\".", "metadata": { - "name": "definingDocument", - "Nature": "DataProperty", - "Range": "xsd:anyURI", + "name": "PositiveIntegerRange", + "SubclassOf": "none", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/definingDocument", - "Domain": [ - "ExternalMap" - ] - } + "id": "https://spdx.org/rdf/v3/Core/PositiveIntegerRange" + }, + "properties": { + "begin": { + "type": "xsd:positiveInteger", + "minCount": "1", + "maxCount": "1" + }, + "end": { + "type": "xsd:positiveInteger", + "minCount": "1", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} }, - "suppliedBy": { - "summary": "Identifies who or what supplied the Artifact.", - "description": "Identify the actual distribution source for the Artifact being referenced.\nThis might or might not be different from the originating distribution source for the artifact.", + "ElementCollection": { + "summary": "A collection of Elements, not necessarily with unifying context.", + "description": "An SpdxCollection is a collection of Elements, not necessarily with unifying context.", "metadata": { - "name": "suppliedBy", - "Nature": "ObjectProperty", - "Range": "Agent", - "Instantiability": "Concrete", + "name": "ElementCollection", + "SubclassOf": "Element", + "Instantiability": "Abstract", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/suppliedBy", - "Domain": [ - "Artifact" - ] - } + "id": "https://spdx.org/rdf/v3/Core/ElementCollection" + }, + "properties": { + "element": { + "type": "Element", + "minCount": "1", + "maxCount": "*" + }, + "rootElement": { + "type": "Element", + "minCount": "1", + "maxCount": "*" + }, + "imports": { + "type": "ExternalMap", + "minCount": "0", + "maxCount": "*" + } + }, + "externalPropertyRestrictions": {} }, - "value": { - "summary": "A value used in a generic key-value pair.", - "description": "A value used in a generic key-value pair.\nA key-value pair can be used to implement a dictionary which associates a key with a value.", + "ExternalReference": { + "summary": "A reference to a resource outside the scope of SPDX-3.0 content.", + "description": "An External Reference points to a resource outside the scope of the SPDX-3.0 content\nthat provides additional characteristics of an Element.", "metadata": { - "name": "value", - "Nature": "DataProperty", - "Range": "xsd:string", + "name": "ExternalReference", + "SubclassOf": "none", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/value", - "Domain": [ - "DictionaryEntry" - ] - } + "id": "https://spdx.org/rdf/v3/Core/ExternalReference" + }, + "properties": { + "externalReferenceType": { + "type": "ExternalReferenceType", + "maxCount": "1", + "minCount": "0" + }, + "locator": { + "type": "xsd:anyURI", + "minCount": "0", + "maxCount": "*" + }, + "contentType": { + "type": "MediaType", + "maxCount": "1", + "minCount": "0" + }, + "comment": { + "type": "xsd:string", + "maxCount": "1", + "minCount": "0" + } + }, + "externalPropertyRestrictions": {} }, - "to": { - "summary": "References an Element on the right-hand side of a relationship.", - "description": "This field references an Element on the right-hand side of a relationship.", + "ExternalIdentifier": { + "summary": "A reference to a resource outside the scope of SPDX-3.0 content that uniquely identifies an Element.", + "description": "An ExternalIdentifier is a reference to a resource outside the scope of SPDX-3.0 content\nthat uniquely identifies an Element.", "metadata": { - "name": "to", - "Nature": "ObjectProperty", - "Range": "Element", + "name": "ExternalIdentifier", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/to", - "Domain": [ - "Relationship" - ] - } + "id": "https://spdx.org/rdf/v3/Core/ExternalIdentifier" + }, + "properties": { + "externalIdentifierType": { + "type": "ExternalIdentifierType", + "minCount": "1", + "maxCount": "1" + }, + "identifier": { + "type": "xsd:string", + "minCount": "1", + "maxCount": "1" + }, + "comment": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "identifierLocator": { + "type": "xsd:anyURI", + "minCount": "0", + "maxCount": "*" + }, + "issuingAuthority": { + "type": "xsd:anyURI", + "minCount": "0", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} }, - "extension": { - "summary": "TODO", - "description": "TODO", + "Bom": { + "summary": "A container for a grouping of SPDX-3.0 content characterizing details\n(provenence, composition, licensing, etc.) about a product.", + "description": "A Bill Of Materials (BOM) is a container for a grouping of SPDX-3.0 content\ncharacterizing details about a product.\nThis could include details of the content and composition of the product,\nprovenence details of the product and/or\nits composition, licensing information, known quality or security issues, etc.", "metadata": { - "name": "extension", + "name": "Bom", + "SubclassOf": "Bundle", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/extension", - "Domain": [ - "Element" - ] - } + "id": "https://spdx.org/rdf/v3/Core/Bom" + }, + "properties": {}, + "externalPropertyRestrictions": {} }, - "externalId": { - "summary": "Identifies an external Element used within a Document but defined external to that Document.", - "description": "ExternalId identifies an external Element used within a Document but defined external to that Document.", + "SpdxDocument": { + "summary": "Assembles a collection of Elements under a common string, the name of the document.", + "description": "An SpdxDocument assembles a collection of Elements under a common string, the name of the document.\nCommonly used when representing a unit of transfer of SPDX Elements.\nExternal property restriction on /Core/Element/name: minCount: 1", "metadata": { - "name": "externalId", - "Nature": "DataProperty", - "Range": "xsd:anyURI", + "name": "SpdxDocument", + "SubclassOf": "Bundle", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/externalId", - "Domain": [ - "ExternalMap" - ] + "id": "https://spdx.org/rdf/v3/Core/SpdxDocument" + }, + "properties": {}, + "externalPropertyRestrictions": { + "/Core/Element/name": { + "minCount": "1", + "maxCount": "*" + } } }, - "externalReference": { - "summary": "Points to a resource outside the scope of the SPDX-3.0 content\nthat provides additional characteristics of an Element.", - "description": "This field points to a resource outside the scope of the SPDX-3.0 content\nthat provides additional characteristics of an Element.", + "Tool": { + "summary": "An element of hardware and/or software utilized to carry out a particular function.", + "description": "A Tool is an element of hardware and/or software utilized to carry out a particular function.", "metadata": { - "name": "externalReference", - "Nature": "ObjectProperty", - "Range": "ExternalReference", + "name": "Tool", + "SubclassOf": "Element", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/externalReference", - "Domain": [ - "Element" - ] - } + "id": "https://spdx.org/rdf/v3/Core/Tool" + }, + "properties": {}, + "externalPropertyRestrictions": {} }, - "from": { - "summary": "References the Element on the left-hand side of a relationship.", - "description": "This field references the Element on the left-hand side of a relationship.", + "CreationInfo": { + "summary": "Provides information about the creation of the Element.", + "description": "The CreationInfo provides information about who created the Element, and when and how it was created. \n\nThe dateTime created is often the date of last change (e.g., a git commit date), not the date when the SPDX data was created, as doing so supports reproducible builds.", "metadata": { - "name": "from", - "Nature": "ObjectProperty", - "Range": "Element", + "name": "CreationInfo", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/from", - "Domain": [ - "Relationship" - ] - } + "id": "https://spdx.org/rdf/v3/Core/CreationInfo" + }, + "properties": { + "specVersion": { + "type": "SemVer", + "minCount": "1", + "maxCount": "1" + }, + "comment": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "created": { + "type": "DateTime", + "maxCount": "1", + "minCount": "0" + }, + "createdBy": { + "type": "Agent", + "minCount": "1", + "maxCount": "*" + }, + "createdUsing": { + "type": "Tool", + "minCount": "0", + "maxCount": "*" + }, + "profile": { + "type": "ProfileIdentifierType", + "minCount": "1", + "maxCount": "*" + }, + "dataLicense": { + "type": "xsd:string", + "maxCount": "1", + "minCount": "0" + } + }, + "externalPropertyRestrictions": {} }, - "created": { - "summary": "Identifies when the Element was originally created.", - "description": "Created is a date that identifies when the Element was originally created.\nThe time stamp can serve as an indication as to whether the analysis needs to be updated. This is often the date of last change (e.g., a git commit date), not the date when the SPDX data was created, as doing so supports reproducible builds.", + "Organization": { + "summary": "A group of people who work together in an organized way for a shared purpose.", + "description": "An Organization is a group of people who work together in an organized way for a shared purpose.", "metadata": { - "name": "created", - "Nature": "DataProperty", - "Range": "DateTime", + "name": "Organization", + "SubclassOf": "Agent", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/created", - "Domain": [ - "CreationInfo" - ] - } + "id": "https://spdx.org/rdf/v3/Core/Organization" + }, + "properties": {}, + "externalPropertyRestrictions": {} }, - "releaseTime": { - "summary": "Specifies the time an artifact was released.", - "description": "A releaseTime specifies the time an artifact was released.", + "LifecycleScopedRelationship": { + "summary": "", + "description": "TODO", "metadata": { - "name": "releaseTime", - "Nature": "DataProperty", - "Range": "DateTime", + "name": "LifecycleScopedRelationship", + "SubclassOf": "Relationship", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/releaseTime", - "Domain": [ - "Artifact" - ] - } + "id": "https://spdx.org/rdf/v3/Core/LifecycleScopedRelationship" + }, + "properties": { + "scope": { + "type": "LifecycleScopeType", + "minCount": "0", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} }, - "startTime": { - "summary": "Specifies the time from which an element is applicable / valid.", - "description": "A startTime specifies the time from which element is applicable / valid.", + "SoftwareAgent": { + "summary": "A software agent.", + "description": "A SoftwareAgent is a software program that is given the authority (similar to a user's authority) to act on a system.", "metadata": { - "name": "startTime", - "Nature": "DataProperty", - "Range": "DateTime", + "name": "SoftwareAgent", + "SubclassOf": "Agent", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/startTime", - "Domain": [ - "Relationship" - ] - } + "id": "https://spdx.org/rdf/v3/Core/SoftwareAgent" + }, + "properties": {}, + "externalPropertyRestrictions": {} }, - "rootElement": { - "summary": "Top level Element from which all other Elements are reached via relationships.", - "description": "A rootElement of a collection is the top level Element from which all other Elements are reached via relationships.", + "IntegrityMethod": { + "summary": "Provides an independently reproducible mechanism that permits verification of a specific Element.", + "description": "An IntegrityMethod provides an independently reproducible mechanism that permits verification\nof a specific Element that correlates to the data in this SPDX document. This identifier enables\na recipient to determine if anything in the original Element has been changed and eliminates\nconfusion over which version or modification of a specific Element is referenced.", "metadata": { - "name": "rootElement", - "Nature": "ObjectProperty", - "Range": "Element", - "Instantiability": "Concrete", + "name": "IntegrityMethod", + "Instantiability": "Abstract", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/rootElement", - "Domain": [ - "ElementCollection" - ] - } + "id": "https://spdx.org/rdf/v3/Core/IntegrityMethod" + }, + "properties": { + "comment": { + "type": "xsd:string", + "maxCount": "1", + "minCount": "0" + } + }, + "externalPropertyRestrictions": {} }, - "prefix": { - "summary": "A substitute for a URI.", - "description": "A prefix is a substitute for a URI.", + "Relationship": { + "summary": "Describes a relationship between one or more elements.", + "description": "A Relationship is a grouping of characteristics unique to an assertion\nthat one Element is related to one or more other Elements in some way.", "metadata": { - "name": "prefix", - "Nature": "DataProperty", - "Range": "xsd:string", + "name": "Relationship", + "SubclassOf": "Element", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/prefix" - } + "id": "https://spdx.org/rdf/v3/Core/Relationship" + }, + "properties": { + "from": { + "type": "Element", + "minCount": "1", + "maxCount": "1" + }, + "to": { + "type": "Element", + "minCount": "0", + "maxCount": "*" + }, + "relationshipType": { + "type": "RelationshipType", + "minCount": "1", + "maxCount": "1" + }, + "completeness": { + "type": "RelationshipCompleteness", + "minCount": "0", + "maxCount": "1" + }, + "startTime": { + "type": "DateTime", + "minCount": "0", + "maxCount": "1" + }, + "endTime": { + "type": "DateTime", + "minCount": "0", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} }, - "externalIdentifierType": { - "summary": "Specifies the type of the external identifier.", - "description": "An externalIdentifierType specifies the type of the external identifier.", + "Element": { + "summary": "Base domain class from which all other SPDX-3.0 domain classes derive.", + "description": "An Element is a representation of a fundamental concept either directly inherent\nto the Bill of Materials (BOM) domain or indirectly related to the BOM domain\nand necessary for contextually characterizing BOM concepts and relationships.\nWithin SPDX-3.0 structure this is the base class acting as a consistent,\nunifying, and interoperable foundation for all explicit\nand inter-relatable content objects.", "metadata": { - "name": "externalIdentifierType", - "Nature": "ObjectProperty", - "Range": "ExternalIdentifierType", - "Instantiability": "Concrete", + "name": "Element", + "SubclassOf": "none", + "Instantiability": "Abstract", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/externalIdentifierType", - "Domain": [ - "ExternalIdentifier" - ] - } + "id": "https://spdx.org/rdf/v3/Core/Element" + }, + "properties": { + "spdxId": { + "type": "xsd:anyURI", + "minCount": "1", + "maxCount": "1" + }, + "name": { + "type": "xsd:string", + "maxCount": "1", + "minCount": "0" + }, + "summary": { + "type": "xsd:string", + "maxCount": "1", + "minCount": "0" + }, + "description": { + "type": "xsd:string", + "maxCount": "1", + "minCount": "0" + }, + "comment": { + "type": "xsd:string", + "maxCount": "1", + "minCount": "0" + }, + "creationInfo": { + "type": "CreationInfo", + "minCount": "1", + "maxCount": "1" + }, + "verifiedUsing": { + "type": "IntegrityMethod", + "minCount": "0", + "maxCount": "*" + }, + "externalReference": { + "type": "ExternalReference", + "minCount": "0", + "maxCount": "*" + }, + "externalIdentifier": { + "type": "ExternalIdentifier", + "minCount": "0", + "maxCount": "*" + }, + "extension": { + "type": "Extension", + "minCount": "0", + "maxCount": "*" + } + }, + "externalPropertyRestrictions": {} }, - "contentType": { - "summary": "Specifies the media type of an Element.", - "description": "ContentType specifies the media type of an Element.", + "Agent": { + "summary": "Agent represents anything with the potential to act on a system.", + "description": "The Agent class represents anything that has the potential to act on a system. This could be a person, organization, software agent, etc. This is not to be confused with tools that are used to perform tasks.", "metadata": { - "name": "contentType", - "Nature": "DataProperty", - "Range": "MediaType", + "name": "Agent", + "SubclassOf": "Element", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/contentType", - "Domain": [ - "ExternalReference", - "Annotation" - ] - } + "id": "https://spdx.org/rdf/v3/Core/Agent" + }, + "properties": {}, + "externalPropertyRestrictions": {} }, - "element": { - "summary": "Refers to one or more Elements that are part of an ElementCollection.", - "description": "This field refers to one or more Elements that are part of an ElementCollection.", + "Hash": { + "summary": "A mathematically calculated representation of a grouping of data.", + "description": "A hash is a grouping of characteristics unique to the result\nof applying a mathematical algorithm\nthat maps data of arbitrary size to a bit string (the hash)\nand is a one-way function, that is,\na function which is practically infeasible to invert.\nThis is commonly used for integrity checking of data.", "metadata": { - "name": "element", - "Nature": "ObjectProperty", - "Range": "Element", + "name": "Hash", + "SubclassOf": "IntegrityMethod", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/element", - "Domain": [ - "ElementCollection" - ] - } + "id": "https://spdx.org/rdf/v3/Core/Hash" + }, + "properties": { + "algorithm": { + "type": "HashAlgorithm", + "minCount": "1", + "maxCount": "1" + }, + "hashValue": { + "type": "xsd:string", + "minCount": "1", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} }, - "relationshipType": { - "summary": "Information about the relationship between two Elements.", - "description": "This field provides information about the relationship between two Elements.\nFor example, you can represent a relationship between two different Files,\nbetween a Package and a File, between two Packages, or between one SPDXDocument and another SPDXDocument.", + "DictionaryEntry": { + "summary": "A key with an associated value.", + "description": "The class used for implementing a generic string mapping (also known as associative array, dictionary, or hash map) in SPDX. Each DictionaryEntry contains a key-value pair which maps the key to its associated value. To implement a dictionary, this class is to be used in a collection with unique keys.", "metadata": { - "name": "relationshipType", - "Nature": "ObjectProperty", - "Range": "RelationshipType", + "name": "DictionaryEntry", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/relationshipType", - "Domain": [ - "Relationship" - ] - } + "id": "https://spdx.org/rdf/v3/Core/DictionaryEntry" + }, + "properties": { + "key": { + "type": "xsd:string", + "minCount": "1", + "maxCount": "1" + }, + "value": { + "type": "xsd:string", + "maxCount": "1", + "minCount": "0" + } + }, + "externalPropertyRestrictions": {} }, - "specVersion": { - "summary": "Provides a reference number that can be used to understand how to parse and interpret an Element.", - "description": "The specVersion provides a reference number that can be used to understand how to parse and interpret an Element.\nIt will enable both future changes to the specification and to support backward compatibility.\nThe major version number shall be incremented when incompatible changes between versions are made\n(one or more sections are created, modified or deleted).\nThe minor version number shall be incremented when backwards compatible changes are made.\n\nHere, parties exchanging information in accordance with the SPDX specification need to provide \n100% transparency as to which SPDX specification version such information is conforming to.", + "Person": { + "summary": "An individual human being.", + "description": "A Person is an individual human being.", "metadata": { - "name": "specVersion", - "Nature": "DataProperty", - "Range": "SemVer", + "name": "Person", + "SubclassOf": "Agent", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/specVersion", - "Domain": [ - "CreationInfo" - ] - } + "id": "https://spdx.org/rdf/v3/Core/Person" + }, + "properties": {}, + "externalPropertyRestrictions": {} }, - "originatedBy": { - "summary": "Identifies from where or whom the Element originally came.", - "description": "OriginatedBy identifies from where or whom the Element originally came.", + "Bundle": { + "summary": "A collection of Elements that have a shared context.", + "description": "A bundle is a collection of Elements that have a shared context.", "metadata": { - "name": "originatedBy", - "Nature": "ObjectProperty", - "Range": "Agent", + "name": "Bundle", + "SubclassOf": "ElementCollection", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/originatedBy", - "Domain": [ - "Artifact" - ] - } + "id": "https://spdx.org/rdf/v3/Core/Bundle" + }, + "properties": { + "context": { + "type": "xsd:string", + "maxCount": "1", + "minCount": "0" + } + }, + "externalPropertyRestrictions": {} }, - "verifiedUsing": { - "summary": "Provides an IntegrityMethod with which the integrity of an Element can be asserted.", - "description": "VerifiedUsing provides an IntegrityMethod with which the integrity of an Element can be asserted.", + "Artifact": { + "summary": "A distinct article or unit within the digital domain.", + "description": "An artifact is a distinct article or unit within the digital domain,\nsuch as an electronic file, a software package, a device or an element of data.", "metadata": { - "name": "verifiedUsing", - "Nature": "ObjectProperty", - "Range": "IntegrityMethod", - "Instantiability": "Concrete", + "name": "Artifact", + "SubclassOf": "Element", + "Instantiability": "Abstract", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/verifiedUsing", - "Domain": [ - "Element", - "ExternalMap" - ] - } - }, - "dataLicense": { - "summary": "Provides the license under which the SPDX documentation of the Element can be used.", - "description": "The data license provides the license under which the SPDX documentation of the Element can be used.\nThis is to alleviate any concern that content (the data or database) in an SPDX file\nis subject to any form of intellectual property right that could restrict the re-use\nof the information or the creation of another SPDX file for the same project(s).\nThis approach avoids intellectual property and related restrictions over the SPDX file,\nhowever individuals can still contract with each other to restrict release\nof specific collections of SPDX files (which map to software bill of materials)\nand the identification of the supplier of SPDX files.\nCompliance with this document includes populating the SPDX fields therein\nwith data related to such fields (\"SPDX-Metadata\"). \nThis document contains numerous fields where an SPDX file creator may provide\nrelevant explanatory text in SPDX-Metadata. Without opining on the lawfulness\nof \"database rights\" (in jurisdictions where applicable),\nsuch explanatory text is copyrightable subject matter in most Berne Convention countries.\nBy using the SPDX specification, or any portion hereof,\nyou hereby agree that any copyright rights (as determined by your jurisdiction)\nin any SPDX-Metadata, including without limitation explanatory text,\nshall be subject to the terms of the Creative Commons CC0 1.0 Universal license. \nFor SPDX-Metadata not containing any copyright rights, \nyou hereby agree and acknowledge that the SPDX-Metadata is provided to you \u201cas-is\u201d\nand without any representations or warranties of any kind concerning the SPDX-Metadata,\nexpress, implied, statutory or otherwise, including without limitation warranties\nof title, merchantability, fitness for a particular purpose, non-infringement,\nor the absence of latent or other defects, accuracy, or the presence or absence of errors,\nwhether or not discoverable, all to the greatest extent permissible under applicable law.", + "id": "https://spdx.org/rdf/v3/Core/Artifact" + }, + "properties": { + "originatedBy": { + "type": "Agent", + "minCount": "0", + "maxCount": "*" + }, + "suppliedBy": { + "type": "Agent", + "minCount": "0", + "maxCount": "*" + }, + "builtTime": { + "type": "DateTime", + "minCount": "0", + "maxCount": "1" + }, + "releaseTime": { + "type": "DateTime", + "minCount": "0", + "maxCount": "1" + }, + "validUntilTime": { + "type": "DateTime", + "minCount": "0", + "maxCount": "1" + }, + "standard": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "*" + } + }, + "externalPropertyRestrictions": {} + }, + "Annotation": { + "summary": "An assertion made in relation to one or more elements.", + "description": "An Annotation is an assertion made in relation to one or more elements.", "metadata": { - "name": "dataLicense", - "Nature": "DataProperty", - "Range": "xsd:string", + "name": "Annotation", + "SubclassOf": "Element", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/dataLicense", - "Domain": [ - "CreationInfo" - ] - } + "id": "https://spdx.org/rdf/v3/Core/Annotation" + }, + "properties": { + "annotationType": { + "type": "AnnotationType", + "minCount": "1", + "maxCount": "1" + }, + "contentType": { + "type": "MediaType", + "minCount": "0", + "maxCount": "*" + }, + "statement": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "1" + }, + "subject": { + "type": "Element", + "minCount": "1", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} }, - "algorithm": { - "summary": "Specifies the algorithm used for calculating the hash value.", - "description": "An algorithm specifies the algorithm that was used for calculating the hash value.", + "ExternalMap": { + "summary": "A map of Element identifiers that are used within a Document but defined external to that Document.", + "description": "An External Map is a map of Element identifiers that are used within a Document\nbut defined external to that Document.\nThe external map provides details about the externally-defined Element\nsuch as its provenance, where to retrieve it, and how to verify its integrity.", "metadata": { - "name": "algorithm", - "Nature": "ObjectProperty", - "Range": "HashAlgorithm", + "name": "ExternalMap", + "SubclassOf": "none", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/algorithm", - "Domain": [ - "Hash" - ] - } - }, - "summary": { - "summary": "A short description of an Element.", - "description": "A summary is a short description of an Element. Here, the intent is to allow the Element creator to \nprovide concise information about the function or use of the Element.", + "id": "https://spdx.org/rdf/v3/Core/ExternalMap" + }, + "properties": { + "externalId": { + "type": "xsd:anyURI", + "minCount": "1", + "maxCount": "1" + }, + "verifiedUsing": { + "type": "IntegrityMethod", + "minCount": "0", + "maxCount": "*" + }, + "locationHint": { + "type": "xsd:anyURI", + "maxCount": "1", + "minCount": "0" + }, + "definingDocument": { + "type": "xsd:anyURI", + "maxCount": "1", + "minCount": "0" + } + }, + "externalPropertyRestrictions": {} + } + }, + "properties": { + "begin": { + "summary": "Defines the beginning of a range.", + "description": "begin is a positive integer that defines the beginning of a range.", "metadata": { - "name": "summary", + "name": "begin", "Nature": "DataProperty", - "Range": "xsd:string", + "Range": "xsd:positiveInteger", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/summary", + "id": "https://spdx.org/rdf/v3/Core/begin", "Domain": [ - "Element" + "PositiveIntegerRange" ] } }, - "end": { - "summary": "Defines the end of a range.", - "description": "end is a positive integer that defines the end of a range.", + "createdUsing": { + "summary": "Identifies the tooling that was used during the creation of the Element.", + "description": "CreatedUsing identifies the tooling that was used during the creation of the Element.\nThe generation method will assist the recipient of the Element in assessing\nthe general reliability/accuracy of the analysis information.", "metadata": { - "name": "end", - "Nature": "DataProperty", - "Range": "xsd:positiveInteger", + "name": "createdUsing", + "Nature": "ObjectProperty", + "Range": "Tool", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/end", + "id": "https://spdx.org/rdf/v3/Core/createdUsing", "Domain": [ - "PositiveIntegerRange" + "CreationInfo" ] } }, - "hashValue": { - "summary": "The result of applying a hash algorithm to an Element.", - "description": "HashValue is the result of applying a hash algorithm to an Element.", + "statement": { + "summary": "Commentary on an assertion that an annotator has made.", + "description": "A statement is a commentary on an assertion that an annotator has made.", "metadata": { - "name": "hashValue", + "name": "statement", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/hashValue", + "id": "https://spdx.org/rdf/v3/Core/statement", "Domain": [ - "Hash" + "Annotation" ] } }, - "externalIdentifier": { - "summary": "Provides a reference to a resource outside the scope of SPDX-3.0 content\nthat uniquely identifies an Element.", - "description": "ExternalIdentifier points to a resource outside the scope of SPDX-3.0 content\nthat uniquely identifies an Element.", + "creationInfo": { + "summary": "Provides information about the creation of the Element.", + "description": "CreationInfo provides information about the creation of the Element.", "metadata": { - "name": "externalIdentifier", + "name": "creationInfo", "Nature": "ObjectProperty", - "Range": "ExternalIdentifier", + "Range": "CreationInfo", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/externalIdentifier", + "id": "https://spdx.org/rdf/v3/Core/creationInfo", "Domain": [ "Element" ] } }, - "spdxId": { - "summary": "Identifies an Element to be referenced by other Elements.", - "description": "SpdxId uniquely identifies an Element which may thereby be referenced by other Elements.\nThese references may be internal or external.\nWhile there may be several versions of the same Element, each one needs to be able to be referred to uniquely\nso that relationships between Elements can be clearly articulated.", + "locationHint": { + "summary": "Provides an indication of where to retrieve an external Element.", + "description": "A locationHint provides an indication of where to retrieve an external Element.", "metadata": { - "name": "spdxId", + "name": "locationHint", "Nature": "DataProperty", "Range": "xsd:anyURI", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/spdxId", - "Domain": [ - "Element" - ] - } - }, - "description": { - "summary": "Provides a detailed description of the Element.", - "description": "This field is a detailed description of the Element. It may also be extracted from the Element itself.\nThe intent is to provide recipients of the SPDX file with a detailed technical explanation\nof the functionality, anticipated use, and anticipated implementation of the Element.\nThis field may also include a description of improvements over prior versions of the Element.", - "metadata": { - "name": "description", - "Nature": "DataProperty", - "Range": "xsd:string", - "Instantiability": "Concrete", - "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/description", + "id": "https://spdx.org/rdf/v3/Core/locationHint", "Domain": [ - "Element" + "ExternalMap" ] } }, - "locator": { - "summary": "Provides the location of an external reference.", - "description": "A locator provides the location of an external reference.", + "identifierLocator": { + "summary": "TODO", + "description": "A identifierLocator is TODO", "metadata": { - "name": "locator", + "name": "identifierLocator", "Nature": "DataProperty", "Range": "xsd:anyURI", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/locator", + "id": "https://spdx.org/rdf/v3/Core/identifierLocator", "Domain": [ - "ExternalReference" + "ExternalIdentifier" ] } }, - "annotationType": { - "summary": "Describes the type of annotation.", - "description": "An annotationType describes the type of an annotation.", + "subject": { + "summary": "An Element an annotator has made an assertion about.", + "description": "A subject is an Element an annotator has made an assertion about.", "metadata": { - "name": "annotationType", + "name": "subject", "Nature": "ObjectProperty", - "Range": "AnnotationType", + "Range": "Element", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/annotationType", + "id": "https://spdx.org/rdf/v3/Core/subject", "Domain": [ "Annotation" ] } }, - "issuingAuthority": { - "summary": "TODO", - "description": "A issuingAuthority is TODO", + "validUntilTime": { + "summary": "Specifies until when the artifact can be used before its usage needs to be reassessed.", + "description": "A validUntilTime specifies until when the artifact can be used before its usage needs to be reassessed.", "metadata": { - "name": "issuingAuthority", + "name": "validUntilTime", "Nature": "DataProperty", - "Range": "xsd:anyURI", + "Range": "DateTime", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/issuingAuthority", + "id": "https://spdx.org/rdf/v3/Core/validUntilTime", "Domain": [ - "ExternalIdentifier" + "Artifact" ] } }, - "builtTime": { - "summary": "Specifies the time an artifact was built.", - "description": "A builtTime specifies the time an artifact was built.", + "definingDocument": { + "summary": "URI for an SPDX document which defines an SPDX element.", + "description": "A definingDocument property is used to link an Element identifier to an SpdxDocument which contains the definition for the Element.", "metadata": { - "name": "builtTime", + "name": "definingDocument", "Nature": "DataProperty", - "Range": "DateTime", + "Range": "xsd:anyURI", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/builtTime", + "id": "https://spdx.org/rdf/v3/Core/definingDocument", "Domain": [ - "Artifact" + "ExternalMap" ] } }, - "profile": { - "summary": "Provides information about which profiles the Element belongs to.", - "description": "This field provides information about which profiles the Element belongs to.", + "suppliedBy": { + "summary": "Identifies who or what supplied the Artifact.", + "description": "Identify the actual distribution source for the Artifact being referenced.\nThis might or might not be different from the originating distribution source for the artifact.", "metadata": { - "name": "profile", + "name": "suppliedBy", "Nature": "ObjectProperty", - "Range": "ProfileIdentifierType", + "Range": "Agent", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/profile", + "id": "https://spdx.org/rdf/v3/Core/suppliedBy", "Domain": [ - "CreationInfo" + "Artifact" ] } }, - "context": { - "summary": "Gives information about the circumstances or unifying properties\nthat Elements of the bundle have been assembled under.", - "description": "A context gives information about the circumstances or unifying properties\nthat Elements of the bundle have been assembled under.", + "value": { + "summary": "A value used in a generic key-value pair.", + "description": "A value used in a generic key-value pair.\nA key-value pair can be used to implement a dictionary which associates a key with a value.", "metadata": { - "name": "context", + "name": "value", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/context", + "id": "https://spdx.org/rdf/v3/Core/value", "Domain": [ - "Bundle" + "DictionaryEntry" ] } }, - "comment": { - "summary": "Provide consumers with comments by the creator of the Element about the Element.", - "description": "A comment is an optional field for creators of the Element to provide comments\nto the readers/reviewers of the document.", + "to": { + "summary": "References an Element on the right-hand side of a relationship.", + "description": "This field references an Element on the right-hand side of a relationship.", "metadata": { - "name": "comment", + "name": "to", + "Nature": "ObjectProperty", + "Range": "Element", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/to", + "Domain": [ + "Relationship" + ] + } + }, + "extension": { + "summary": "TODO", + "description": "TODO", + "metadata": { + "name": "extension", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/extension", + "Domain": [ + "Element" + ] + } + }, + "externalId": { + "summary": "Identifies an external Element used within a Document but defined external to that Document.", + "description": "ExternalId identifies an external Element used within a Document but defined external to that Document.", + "metadata": { + "name": "externalId", "Nature": "DataProperty", - "Range": "xsd:string", + "Range": "xsd:anyURI", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/comment", + "id": "https://spdx.org/rdf/v3/Core/externalId", + "Domain": [ + "ExternalMap" + ] + } + }, + "externalReference": { + "summary": "Points to a resource outside the scope of the SPDX-3.0 content\nthat provides additional characteristics of an Element.", + "description": "This field points to a resource outside the scope of the SPDX-3.0 content\nthat provides additional characteristics of an Element.", + "metadata": { + "name": "externalReference", + "Nature": "ObjectProperty", + "Range": "ExternalReference", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/externalReference", "Domain": [ - "ExternalReference", - "ExternalIdentifier", - "CreationInfo", - "IntegrityMethod", "Element" ] } }, - "imports": { - "summary": "Provides an ExternalMap of Element identifiers.", - "description": "Imports provides an ExternalMap of Element identifiers that are used within a document\nbut defined external to that document.", + "from": { + "summary": "References the Element on the left-hand side of a relationship.", + "description": "This field references the Element on the left-hand side of a relationship.", "metadata": { - "name": "imports", + "name": "from", "Nature": "ObjectProperty", - "Range": "ExternalMap", + "Range": "Element", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/imports", + "id": "https://spdx.org/rdf/v3/Core/from", "Domain": [ - "ElementCollection" + "Relationship" ] } }, - "name": { - "summary": "Identifies the name of an Element as designated by the creator.", - "description": "This field identifies the name of an Element as designated by the creator. \nThe name of an Element is an important convention and easier to refer to than the URI.", + "created": { + "summary": "Identifies when the Element was originally created.", + "description": "Created is a date that identifies when the Element was originally created.\nThe time stamp can serve as an indication as to whether the analysis needs to be updated. This is often the date of last change (e.g., a git commit date), not the date when the SPDX data was created, as doing so supports reproducible builds.", "metadata": { - "name": "name", + "name": "created", "Nature": "DataProperty", - "Range": "xsd:string", + "Range": "DateTime", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/name", + "id": "https://spdx.org/rdf/v3/Core/created", "Domain": [ - "SpdxDocument", - "Element" + "CreationInfo" ] } }, - "standard": { - "summary": "The relevant standards that may apply to an artifact.", - "description": "Various standards may be relevant to useful to capture for specific artifacts.", + "releaseTime": { + "summary": "Specifies the time an artifact was released.", + "description": "A releaseTime specifies the time an artifact was released.", "metadata": { - "name": "standard", + "name": "releaseTime", "Nature": "DataProperty", - "Range": "xsd:string", + "Range": "DateTime", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/standard", + "id": "https://spdx.org/rdf/v3/Core/releaseTime", "Domain": [ "Artifact" ] } }, - "endTime": { - "summary": "Specifies the time from which an element is no longer applicable / valid.", - "description": "A endTime specifies the time from which element is no applicable / valid.", + "startTime": { + "summary": "Specifies the time from which an element is applicable / valid.", + "description": "A startTime specifies the time from which element is applicable / valid.", "metadata": { - "name": "endTime", + "name": "startTime", "Nature": "DataProperty", "Range": "DateTime", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/endTime", + "id": "https://spdx.org/rdf/v3/Core/startTime", "Domain": [ "Relationship" ] } }, - "scope": { - "summary": "TODO", - "description": "A scope is TODO", + "rootElement": { + "summary": "Top level Element from which all other Elements are reached via relationships.", + "description": "A rootElement of a collection is the top level Element from which all other Elements are reached via relationships.", "metadata": { - "name": "scope", + "name": "rootElement", "Nature": "ObjectProperty", - "Range": "LifecycleScopeType", + "Range": "Element", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/scope", + "id": "https://spdx.org/rdf/v3/Core/rootElement", "Domain": [ - "LifecycleScopedRelationship" + "ElementCollection" ] } }, - "key": { - "summary": "A key used in a generic key-value pair.", - "description": "A key used in generic a key-value pair.\nA key-value pair can be used to implement a dictionary which associates a key with a value.", + "prefix": { + "summary": "A substitute for a URI.", + "description": "A prefix is a substitute for a URI.", "metadata": { - "name": "key", + "name": "prefix", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/key", - "Domain": [ - "DictionaryEntry" - ] + "id": "https://spdx.org/rdf/v3/Core/prefix" } }, - "identifier": { - "summary": "Uniquely identifies an external element.", - "description": "An identifier uniquely identifies an external element.", + "externalIdentifierType": { + "summary": "Specifies the type of the external identifier.", + "description": "An externalIdentifierType specifies the type of the external identifier.", "metadata": { - "name": "identifier", - "Nature": "DataProperty", - "Range": "xsd:string", + "name": "externalIdentifierType", + "Nature": "ObjectProperty", + "Range": "ExternalIdentifierType", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/identifier", + "id": "https://spdx.org/rdf/v3/Core/externalIdentifierType", "Domain": [ "ExternalIdentifier" ] } }, - "completeness": { - "summary": "Provides information about the completeness of relationships.", - "description": "Completeness gives information about whether the provided relationships are\ncomplete, known to be incomplete or if no assertion is made either way.", + "contentType": { + "summary": "Specifies the media type of an Element.", + "description": "ContentType specifies the media type of an Element.", "metadata": { - "name": "completeness", - "Nature": "ObjectProperty", - "Range": "RelationshipCompleteness", + "name": "contentType", + "Nature": "DataProperty", + "Range": "MediaType", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/completeness", + "id": "https://spdx.org/rdf/v3/Core/contentType", "Domain": [ - "Relationship" + "ExternalReference", + "Annotation" ] } }, - "externalReferenceType": { - "summary": "Specifies the type of the external reference.", - "description": "An externalReferenceType specifies the type of the external reference.", + "element": { + "summary": "Refers to one or more Elements that are part of an ElementCollection.", + "description": "This field refers to one or more Elements that are part of an ElementCollection.", "metadata": { - "name": "externalReferenceType", + "name": "element", "Nature": "ObjectProperty", - "Range": "ExternalReferenceType", + "Range": "Element", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/externalReferenceType", + "id": "https://spdx.org/rdf/v3/Core/element", "Domain": [ - "ExternalReference" + "ElementCollection" ] } }, - "createdBy": { - "summary": "Identifies who or what created the Element.", - "description": "CreatedBy identifies who or what created the Element.\nThe generation method will assist the recipient of the Element in assessing\nthe general reliability/accuracy of the analysis information.", + "relationshipType": { + "summary": "Information about the relationship between two Elements.", + "description": "This field provides information about the relationship between two Elements.\nFor example, you can represent a relationship between two different Files,\nbetween a Package and a File, between two Packages, or between one SPDXDocument and another SPDXDocument.", "metadata": { - "name": "createdBy", + "name": "relationshipType", "Nature": "ObjectProperty", - "Range": "Agent", + "Range": "RelationshipType", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/createdBy", + "id": "https://spdx.org/rdf/v3/Core/relationshipType", "Domain": [ - "CreationInfo" + "Relationship" ] } - } - }, - "vocabs": { - "RelationshipCompleteness": { - "summary": "Indicates whether a relationship is complete or known to be incomplete or if there\nis made no assertion either way.", - "description": "RelationshipCompleteness indicates whether a relationship is complete or \nknown to be incomplete or if there is made no assertion either way.", + }, + "specVersion": { + "summary": "Provides a reference number that can be used to understand how to parse and interpret an Element.", + "description": "The specVersion provides a reference number that can be used to understand how to parse and interpret an Element.\nIt will enable both future changes to the specification and to support backward compatibility.\nThe major version number shall be incremented when incompatible changes between versions are made\n(one or more sections are created, modified or deleted).\nThe minor version number shall be incremented when backwards compatible changes are made.\n\nHere, parties exchanging information in accordance with the SPDX specification need to provide \n100% transparency as to which SPDX specification version such information is conforming to.", "metadata": { - "name": "RelationshipCompleteness", + "name": "specVersion", + "Nature": "DataProperty", + "Range": "SemVer", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/RelationshipCompleteness" - }, - "entries": { - "incomplete": "The relationship is known not to be exhaustive.", - "complete": "The relationship is known to be exhaustive.", - "noAssertion": "There can be made no assertion about the completeness of the relationship." + "id": "https://spdx.org/rdf/v3/Core/specVersion", + "Domain": [ + "CreationInfo" + ] } }, - "ProfileIdentifierType": { - "summary": "Enumeration of the valid profiles that an element can be specified to be part of.", - "description": "There are a set of profiles that have been defined to be valid for a specific release This file enumerates the values that have been agreed on, and may be applied to the creation information for an an element.", + "originatedBy": { + "summary": "Identifies from where or whom the Element originally came.", + "description": "OriginatedBy identifies from where or whom the Element originally came.", "metadata": { - "name": "ProfileIdentifierType", + "name": "originatedBy", + "Nature": "ObjectProperty", + "Range": "Agent", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/ProfileIdentifierType" - }, - "entries": { - "core": "the element follows the Core profile specification", - "software": "the element follows the Software profile specification", - "licensing": "the element follows the Licensing profile specification", - "security": "the element follows the Security profile specification", - "build": "the element follows the Build profile specification", - "ai": "the element follows the AI profile specification", - "dataset": "the element follows the Dataset profile specification", - "usage": "the element follows the Usage profile specification", - "extension": "the element follows the Extension profile specification" + "id": "https://spdx.org/rdf/v3/Core/originatedBy", + "Domain": [ + "Artifact" + ] } }, - "ExternalIdentifierType": { - "summary": "Specifies the type of an external identifier.", - "description": "ExteralIdentifierType specifies the type of an external identifier.", + "verifiedUsing": { + "summary": "Provides an IntegrityMethod with which the integrity of an Element can be asserted.", + "description": "VerifiedUsing provides an IntegrityMethod with which the integrity of an Element can be asserted.", "metadata": { - "name": "ExternalIdentifierType", + "name": "verifiedUsing", + "Nature": "ObjectProperty", + "Range": "IntegrityMethod", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/ExternalIdentifierType" - }, - "entries": { - "cpe22": "https://cpe.mitre.org/files/cpe-specification_2.2.pdf", - "cpe23": "https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7695.pdf", - "cve": "An identifier for a specific software flaw defined within the official CVE Dictionary and that conforms to the CVE specification as defined by https://csrc.nist.gov/glossary/term/cve_id.", - "email": "https://datatracker.ietf.org/doc/html/rfc3696#section-3", - "gitoid": "https://www.iana.org/assignments/uri-schemes/prov/gitoid Gitoid stands for [Git Object ID](https://git-scm.com/book/en/v2/Git-Internals-Git-Objects) and a gitoid of type blob is a unique hash of a binary artifact. A gitoid may represent the software [Artifact ID](https://github.com/omnibor/spec/blob/main/spec/SPEC.md#artifact-id) or the [OmniBOR Identifier](https://github.com/omnibor/spec/blob/main/spec/SPEC.md#omnibor-identifier) for the software artifact's associated [OmniBOR Document](https://github.com/omnibor/spec/blob/main/spec/SPEC.md#omnibor-document); this ambiguity exists because the OmniBOR Document is itself an artifact, and the gitoid of that artifact is its valid identifier. Omnibor is a minimalistic schema to describe software [Artifact Dependency Graphs](https://github.com/omnibor/spec/blob/main/spec/SPEC.md#artifact-dependency-graph-adg). Gitoids calculated on software artifacts (Snippet, File, or Package Elements) should be recorded in the SPDX 3.0 SoftwareArtifact's ContentIdentifier property. Gitoids calculated on the OmniBOR Document (OmniBOR Identifiers) should be recorded in the SPDX 3.0 Element's ExternalIdentifier property.", - "other": "Used when the type doesn't match any of the other options.", - "pkgUrl": "https://github.com/package-url/purl-spec", - "securityOther": "Used when there is a security related identifier of unspecified type.", - "swhid": "https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html", - "swid": "https://www.ietf.org/archive/id/draft-ietf-sacm-coswid-21.html#section-2.3", - "urlScheme": "the scheme used in order to locate a resource https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml" + "id": "https://spdx.org/rdf/v3/Core/verifiedUsing", + "Domain": [ + "Element", + "ExternalMap" + ] } }, - "ExternalReferenceType": { - "summary": "Specifies the type of an external reference.", - "description": "ExteralReferenceType specifies the type of an external reference.", + "dataLicense": { + "summary": "Provides the license under which the SPDX documentation of the Element can be used.", + "description": "The data license provides the license under which the SPDX documentation of the Element can be used.\nThis is to alleviate any concern that content (the data or database) in an SPDX file\nis subject to any form of intellectual property right that could restrict the re-use\nof the information or the creation of another SPDX file for the same project(s).\nThis approach avoids intellectual property and related restrictions over the SPDX file,\nhowever individuals can still contract with each other to restrict release\nof specific collections of SPDX files (which map to software bill of materials)\nand the identification of the supplier of SPDX files.\nCompliance with this document includes populating the SPDX fields therein\nwith data related to such fields (\"SPDX-Metadata\"). \nThis document contains numerous fields where an SPDX file creator may provide\nrelevant explanatory text in SPDX-Metadata. Without opining on the lawfulness\nof \"database rights\" (in jurisdictions where applicable),\nsuch explanatory text is copyrightable subject matter in most Berne Convention countries.\nBy using the SPDX specification, or any portion hereof,\nyou hereby agree that any copyright rights (as determined by your jurisdiction)\nin any SPDX-Metadata, including without limitation explanatory text,\nshall be subject to the terms of the Creative Commons CC0 1.0 Universal license. \nFor SPDX-Metadata not containing any copyright rights, \nyou hereby agree and acknowledge that the SPDX-Metadata is provided to you \u201cas-is\u201d\nand without any representations or warranties of any kind concerning the SPDX-Metadata,\nexpress, implied, statutory or otherwise, including without limitation warranties\nof title, merchantability, fitness for a particular purpose, non-infringement,\nor the absence of latent or other defects, accuracy, or the presence or absence of errors,\nwhether or not discoverable, all to the greatest extent permissible under applicable law.", "metadata": { - "name": "ExternalReferenceType", + "name": "dataLicense", + "Nature": "DataProperty", + "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/ExternalReferenceType" - }, - "entries": { - "altDownloadLocation": "A reference to an alternative download location.", - "altWebPage": "A reference to an alternative web page.", - "binaryArtifact": "A reference to binary artifacts related to a package.", - "buildMeta": "A reference build metadata related to a published package.", - "buildSystem": "A reference build system used to create or publish the package.", - "chat": "A reference to the instant messaging system used by the maintainer for a package.", - "certificationReport": "A reference to a certification report for a package from an accredited/independent body.", - "componentAnalysisReport": "A reference to a Software Composition Analysis (SCA) report.", - "documentation": "A reference to the documentation for a package.", - "dynamicAnalysisReport": "A reference to a dynamic analysis report for a package.", - "eolNotice": "A reference to the End Of Sale (EOS) and/or End Of Life (EOL) information related to a package.", - "exportControlAssessment": "A reference to a export control assessment for a package.", - "funding": "A reference to funding information related to a package.", - "issueTracker": "A reference to the issue tracker for a package.", - "mailingList": "A reference to the mailing list used by the maintainer for a package.", - "metrics": "A reference to metrics related to package such as OpenSSF scorecards.", - "license": "A reference to additional license information related to an artifact.", - "other": "Used when the type doesn't match any of the other options.", - "privacyAssessment": "A reference to a privacy assessment for a package.", - "productMetadata": "A reference to additional product metadata such as reference within organization's product catalog.", - "purchaseOrder": "A reference to a purchase order for a package.", - "releaseNotes": "A reference to the release notes for a package.", - "releaseHistory": "A reference to a published list of releases for a package.", - "riskAssessment": "A reference to a risk assessment for a package.", - "runtimeAnalysisReport": "A reference to a runtime analysis report for a package.", - "secureSoftwareAttestation": "A reference to information assuring that the software is developed using security practices as defined by [NIST SP 800-218 Secure Software Development Framework (SSDF)](https://csrc.nist.gov/publications/detail/sp/800-218/final) or [CISA Secure Software Development Attestation Form](https://www.cisa.gov/sites/default/files/2023-04/secure-software-self-attestation_common-form_508.pdf).", - "securityAdvisory": "A reference to a published security advisory (where advisory as defined per ISO 29147:2018) that may affect one or more elements, e.g., vendor advisories or specific NVD entries.", - "securityAdversaryModel": "A reference to the security adversary model for a package.", - "securityFix": "A reference to the patch or source code that fixes a vulnerability.", - "securityOther": "A reference to related security information of unspecified type.", - "securityPenTestReport": "A reference to a [penetration test](https://en.wikipedia.org/wiki/Penetration_test) report for a package.", - "securityPolicy": "A reference to instructions for reporting newly discovered security vulnerabilities for a package.", - "securityThreatModel": "A reference the [security threat model](https://en.wikipedia.org/wiki/Threat_model) for a package.", - "socialMedia": "A reference to a social media channel for a package.", - "sourceArtifact": "A reference to an artifact containing the sources for a package.", - "staticAnalysisReport": "A reference to a static analysis report for a package.", - "support": "A reference to the software support channel or other support information for a package.", - "vcs": "A reference to a version control system related to a software artifact.", - "vulnerabilityDisclosureReport": "A reference to a Vulnerability Disclosure Report (VDR) which provides the software supplier's analysis and findings describing the impact (or lack of impact) that reported vulnerabilities have on packages or products in the supplier's SBOM as defined in [NIST SP 800-161](https://csrc.nist.gov/publications/detail/sp/800-161/rev-1/final).", - "vulnerabilityExploitabilityAssessment": "A reference to a Vulnerability Exploitability eXchange (VEX) statement which provides information on whether a product is impacted by a specific vulnerability in an included package and, if affected, whether there are actions recommended to remediate. See also [NTIA VEX one-page](https://ntia.gov/files/ntia/publications/vex_one-page_summary.pdf)..", - "qualityAssessmentReport": "A reference to a quality assessment for a package." + "id": "https://spdx.org/rdf/v3/Core/dataLicense", + "Domain": [ + "CreationInfo" + ] } }, - "LifecycleScopeType": { - "summary": "TODO", - "description": "TODO", + "algorithm": { + "summary": "Specifies the algorithm used for calculating the hash value.", + "description": "An algorithm specifies the algorithm that was used for calculating the hash value.", "metadata": { - "name": "LifecycleScopeType", + "name": "algorithm", + "Nature": "ObjectProperty", + "Range": "HashAlgorithm", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/LifecycleScopeType" - }, - "entries": { - "design": "TODOdescription", - "build": "TODOdescription", - "development": "TODOdescription", - "test": "TODOdescription", - "runtime": "TODOdescription", - "other": "TODOdescription" + "id": "https://spdx.org/rdf/v3/Core/algorithm", + "Domain": [ + "Hash" + ] } }, - "AnnotationType": { - "summary": "Specifies the type of an annotation.", - "description": "AnnotationType specifies the type of an annotation.", + "summary": { + "summary": "A short description of an Element.", + "description": "A summary is a short description of an Element. Here, the intent is to allow the Element creator to \nprovide concise information about the function or use of the Element.", "metadata": { - "name": "AnnotationType", + "name": "summary", + "Nature": "DataProperty", + "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/AnnotationType" - }, - "entries": { - "other": "Used to store extra information about an Element which is not part of a Review (e.g. extra information provided during the creation of the Element).", - "review": "Used when someone reviews the Element." + "id": "https://spdx.org/rdf/v3/Core/summary", + "Domain": [ + "Element" + ] } }, - "HashAlgorithm": { - "summary": "A mathematical algorithm that maps data of arbitrary size to a bit string.", - "description": "A HashAlgorithm is a mathematical algorithm that maps data of arbitrary size to a bit string (the hash)\nand is a one-way function, that is, a function which is practically infeasible to invert.", + "end": { + "summary": "Defines the end of a range.", + "description": "end is a positive integer that defines the end of a range.", "metadata": { - "name": "HashAlgorithm", + "name": "end", + "Nature": "DataProperty", + "Range": "xsd:positiveInteger", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/HashAlgorithm" - }, - "entries": { - "blake2b256": "blake2b algorithm with a digest size of 256 https://datatracker.ietf.org/doc/html/rfc7693#section-4", - "blake2b384": "blake2b algorithm with a digest size of 384 https://datatracker.ietf.org/doc/html/rfc7693#section-4", - "blake2b512": "blake2b algorithm with a digest size of 512 https://datatracker.ietf.org/doc/html/rfc7693#section-4", - "blake3": "https://github.com/BLAKE3-team/BLAKE3-specs/blob/master/blake3.pdf", - "crystalsKyber": "https://pq-crystals.org/kyber/index.shtml", - "crystalsDilithium": "https://pq-crystals.org/dilithium/index.shtml", - "falcon": "https://falcon-sign.info/falcon.pdf", - "md2": "https://datatracker.ietf.org/doc/rfc1319/", - "md4": "https://datatracker.ietf.org/doc/html/rfc1186", - "md5": "https://datatracker.ietf.org/doc/html/rfc1321", - "md6": "https://people.csail.mit.edu/rivest/pubs/RABCx08.pdf", - "other": "any hashing algorithm that does not exist in this list of entries", - "sha1": "https://datatracker.ietf.org/doc/html/rfc3174", - "sha224": "secure hashing algorithm with a digest length of 224 https://datatracker.ietf.org/doc/html/draft-ietf-pkix-sha224-01", - "sha256": "secure hashing algorithm with a digest length of 256 https://www.rfc-editor.org/rfc/rfc4634", - "sha3_224": "sha3 with a digest length of 224 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf", - "sha3_256": "sha3 with a digest length of 256 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf", - "sha3_384": "sha3 with a digest length of 384 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf", - "sha3_512": "sha3 with a digest length of 512 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf", - "sha384": "secure hashing algorithm with a digest length of 384 https://www.rfc-editor.org/rfc/rfc4634", - "sha512": "secure hashing algorithm with a digest length of 512 https://www.rfc-editor.org/rfc/rfc4634", - "spdxPvcSha1": "TODOdescription", - "spdxPvcSha256": "TODOdescription", - "sphincsPlus": "TODOdescription" + "id": "https://spdx.org/rdf/v3/Core/end", + "Domain": [ + "PositiveIntegerRange" + ] } }, - "RelationshipType": { - "summary": "Information about the relationship between two Elements.", - "description": "Provides information about the relationship between two Elements.\nFor example, you can represent a relationship between two different Files,\nbetween a Package and a File, between two Packages, or between one SPDXDocument and another SPDXDocument.", + "hashValue": { + "summary": "The result of applying a hash algorithm to an Element.", + "description": "HashValue is the result of applying a hash algorithm to an Element.", "metadata": { - "name": "RelationshipType", + "name": "hashValue", + "Nature": "DataProperty", + "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Core/RelationshipType" - }, - "entries": { - "affects": "(Security/VEX) Designates one or more elements as affected by a vulnerability", - "amends": "Every `to` Element amends the `from` Element", - "ancestor": "Every `to` Element is an ancestor of the `from` Element", - "availableFrom": "This relationship is used to identify additional suppliers where an artifact is available from.", - "buildDependency": "Every `to` Element is a build dependency of the `from` Element", - "buildTool": "Build tool used to build an Element. This may be used to describe the build tool of a Build instance", - "coordinatedBy": "(Security) Used to identify the vendor, researcher, or consumer agent performing coordination for a vulnerability", - "contains": "Every `to` Element is contained by the `from` Element", - "configOf": "(Build) Configuration information applied to an Element instance during a LifeycleScopeType period. Example: Build configuration of the build instance", - "copy": "Every `to` Element is a copy of the `from` Element", - "dataFile": "Every `to` Element is a data file related to the the `from` Element", - "dependencyManifest": "Every `to` Element is manifest file containing dependency information related to the `from` Element", - "dependsOn": "Every `to` Element is a dependecy of the `from` Element", - "descendant": "This relationship may be used to describe child builds of a Build instance.", - "describes": "Every `to` Element is described by the `from` Element. This can be used to denote the root(s) of a tree of elements contained in an SBOM.", - "devDependency": "Every `to` Element is a development dependency for the `from` Element", - "devTool": "Every `to` Element is a development tool for the `from` Element", - "distributionArtifact": "Every `to` Element is an artifact intended for distribution of the `from` Element (e.g. an RPM or archive file)", - "documentation": "Every `to` Element is documentation for the `from` Element", - "doesNotAffect": "(Security/VEX) Specifies a vulnerability has no impact on one or more elements", - "dynamicLink": "Every `to` Element is dynamically linked to the `from` Element", - "example": "Every `to` Element is an example for the `from` Element", - "evidenceFor": "(Dataset) Every `to` Element is can be considered as evidence for the `from` Element", - "expandedFromArchive": "Every `to` Element is an artifact expanded from the `from` archive file", - "exploitCreatedBy": "(Security) Designates an agent has created an exploit against a vulnerability", - "fileAdded": "Every `to` Element is is a file added to the `from` Element", - "fileDeleted": "Every `to` Element is a file deleted from the `from` Element", - "fileModified": "Every `to` Element is a modification of the `from` Element", - "fixedBy": "(Security) Designates a vulnerability has been fixed by an agent", - "fixedIn": "(Security/VEX) A vulnerability has been fixed in one or more elements", - "foundBy": "(Security) Designates an agent was the original discoverer of a security vulnerability", - "generates": "Every `to` Element is generated from the `from` Element", - "hasAssessmentFor": "(Security) Relates a Vulnerability and an Element with a security assessment.", - "hasAssociatedVulnerability": "(Security) Used to associate a security vulnerability with a software artifact", - "hostOf": "(Build) The`from` Element in which every instance of the `to` Element during a LifecycleScopeType period runs on. Example: host that the build runs on for an element.", - "inputOf": "(Build) Input to the Element instance during a LifecycleScopeType period. Example: input to the build instance for an element.", - "invokedBy": "(Build) Every`to` Agent that invoked a `from` Element instance during a LifecycleScopeType period. Example: Agent that invoked the build for an element", - "metafile": "Every `to` Element is is a file containing metadata about the `from` Element", - "onBehalfOf": "(Build) Every `to` Agent acting on behalf of another `from` Agent during a LifecycleScopeType period", - "optionalComponent": "Every `to` Element is an optional component of the `from` Element", - "optionalDependency": "Every `to` Element is an optional dependency of the `from` Element", - "other": "Every `to` Element is related to the `from` Element where the relationship type is not described by any of the SPDX relationhip types", - "outputOf": "(Build) `from` Element that is output `to` the Element instance during a LifecycleScopeType period. Example: output of the build instance", - "packages": "Every `to` Element is a packaged form of the `from` Element", - "patch": "Every `to` Element is a patch for the `from` Element", - "prerequisite": "Every `to` Element is a prerequisite of the `from` Element", - "providedDependency": "Every `to` Element is a dependency not included in the distributed artifact but is assumed to be provided the `from` Element", - "publishedBy": "(Security) Designates the agent that made a vulnerability record available for public use or reference", - "reportedBy": "(Security) Designates the agent that first reported a vulnerability to the project, vendor, or tracking database for formal identification", - "republishedBy": "(Security) Designates the agent that tracked, aggregated, and/or enriched vulnerability details to improve context (i.e. NVD)", - "requirementFor": "Every `to` Element is required for the `from` Element", - "runtimeDependency": "Every `to` Element is a runtime dependency for the `from` Element", - "specificationFor": "Every `to` Element is a specification for the `from` Element", - "staticLink": "Every `to` Element is statically linked to the `from` Element", - "test": "Every `to` Element is a test artifact for the `from` Element", - "testCase": "Every `to` Element is a test case for the `from` Element", - "testDependency": "Every `to` Element is a test dependency for the `from` Element", - "testTool": "Every `to` Element is a test tool for the `from` Element", - "testedOn": "(AI, Dataset) The `from` Element has been tested on the `to` Element", - "trainedOn": "(AI, Dataset) The `from` Element has been trained by the `to` Element(s)", - "underInvestigationFor": "(Security/VEX) The impact of a vulnerability is being investigated", - "variant": "Every `to` Element is a variant the `from` Element" + "id": "https://spdx.org/rdf/v3/Core/hashValue", + "Domain": [ + "Hash" + ] } - } - } - }, - "Dataset": { - "name": "Dataset", - "classes": { - "Dataset": { - "summary": "Provides information about the fields in the Dataset profile.", - "description": "Metadata information that can be added to a dataset that may be used in a software or to train/test an AI package.\nExternal property restriction on /Core/Artifact/originatedBy: minCount: 1\nExternal property restriction on /Software/Package/downloadLocation: minCount: 1\nExternal property restriction on /Software/SoftwareArtifact/primaryPurpose: minCount: 1\nExternal property restriction on /Core/Artifact/releaseTime: minCount: 1\nExternal property restriction on /Core/Artifact/builtTime: minCount: 1", + }, + "externalIdentifier": { + "summary": "Provides a reference to a resource outside the scope of SPDX-3.0 content\nthat uniquely identifies an Element.", + "description": "ExternalIdentifier points to a resource outside the scope of SPDX-3.0 content\nthat uniquely identifies an Element.", "metadata": { - "name": "Dataset", - "SubclassOf": "/Software/Package", + "name": "externalIdentifier", + "Nature": "ObjectProperty", + "Range": "ExternalIdentifier", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Dataset/Dataset" - }, - "properties": { - "datasetType": { - "type": "DatasetType", - "minCount": "1", - "maxCount": "*" - }, - "dataCollectionProcess": { - "type": "xsd:string", - "minCount": "0", - "maxCount": "1" - }, - "intendedUse": { - "type": "xsd:string", - "minCount": "0", - "maxCount": "1" - }, - "datasetSize": { - "type": "xsd:nonNegativeInteger", - "minCount": "0", - "maxCount": "1" - }, - "datasetNoise": { - "type": "xsd:string", - "minCount": "0", - "maxCount": "1" - }, - "dataPreprocessing": { - "type": "xsd:string", - "minCount": "0", - "maxCount": "*" - }, - "sensor": { - "type": "/Core/DictionaryEntry", - "minCount": "0", - "maxCount": "*" - }, - "knownBias": { - "type": "xsd:string", - "minCount": "0", - "maxCount": "*" - }, - "sensitivePersonalInformation": { - "type": "/AI/PresenceType", - "minCount": "0", - "maxCount": "1" - }, - "anonymizationMethodUsed": { - "type": "xsd:string", - "minCount": "0", - "maxCount": "*" - }, - "confidentialityLevel": { - "type": "ConfidentialityLevelType", - "minCount": "0", - "maxCount": "1" - }, - "datasetUpdateMechanism": { - "type": "xsd:string", - "minCount": "0", - "maxCount": "1" - }, - "datasetAvailability": { - "type": "DatasetAvailabilityType", - "minCount": "0", - "maxCount": "1" - } - }, - "externalPropertyRestrictions": { - "/Core/Artifact/originatedBy": { - "minCount": "1", - "maxCount": "*" - }, - "/Software/Package/downloadLocation": { - "minCount": "1", - "maxCount": "*" - }, - "/Software/SoftwareArtifact/primaryPurpose": { - "minCount": "1", - "maxCount": "*" - }, - "/Core/Artifact/releaseTime": { - "minCount": "1", - "maxCount": "*" - }, - "/Core/Artifact/builtTime": { - "minCount": "1", - "maxCount": "*" - } + "id": "https://spdx.org/rdf/v3/Core/externalIdentifier", + "Domain": [ + "Element" + ] } - } - }, - "properties": { - "knownBias": { - "summary": "Records the biases that the dataset is known to encompass.", - "description": "KnownBias is a free form text field that describes the different biases that the dataset encompasses.", + }, + "spdxId": { + "summary": "Identifies an Element to be referenced by other Elements.", + "description": "SpdxId uniquely identifies an Element which may thereby be referenced by other Elements.\nThese references may be internal or external.\nWhile there may be several versions of the same Element, each one needs to be able to be referred to uniquely\nso that relationships between Elements can be clearly articulated.", "metadata": { - "name": "knownBias", + "name": "spdxId", "Nature": "DataProperty", - "Range": "xsd:string", + "Range": "xsd:anyURI", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Dataset/knownBias", + "id": "https://spdx.org/rdf/v3/Core/spdxId", "Domain": [ - "Dataset" + "Element" ] } }, - "dataPreprocessing": { - "summary": "Describes the preprocessing steps that were applied to the raw data to create the given dataset.", - "description": "DataPreprocessing describes the various preprocessing steps\nthat were applied to the raw data to create the dataset.", + "description": { + "summary": "Provides a detailed description of the Element.", + "description": "This field is a detailed description of the Element. It may also be extracted from the Element itself.\nThe intent is to provide recipients of the SPDX file with a detailed technical explanation\nof the functionality, anticipated use, and anticipated implementation of the Element.\nThis field may also include a description of improvements over prior versions of the Element.", "metadata": { - "name": "dataPreprocessing", + "name": "description", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Dataset/dataPreprocessing", + "id": "https://spdx.org/rdf/v3/Core/description", "Domain": [ - "Dataset" + "Element" ] } }, - "datasetNoise": { - "summary": "Describes potentially noisy elements of the dataset.", - "description": "DatasetNoise describes what kinds of noises a dataset might encompass.\nThe field uses free form text to specify the fields or the samples that might be noisy.\nAlternatively, it can also be used to describe various noises that could impact the whole dataset.", + "locator": { + "summary": "Provides the location of an external reference.", + "description": "A locator provides the location of an external reference.", "metadata": { - "name": "datasetNoise", + "name": "locator", "Nature": "DataProperty", - "Range": "xsd:string", + "Range": "xsd:anyURI", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Dataset/datasetNoise", + "id": "https://spdx.org/rdf/v3/Core/locator", "Domain": [ - "Dataset" + "ExternalReference" ] } }, - "datasetUpdateMechanism": { - "summary": "Describes a mechanism to update the dataset.", - "description": "DatasetUpdateMechanism describes a mechanism to update the dataset.", + "annotationType": { + "summary": "Describes the type of annotation.", + "description": "An annotationType describes the type of an annotation.", "metadata": { - "name": "datasetUpdateMechanism", - "Nature": "DataProperty", - "Range": "xsd:string", + "name": "annotationType", + "Nature": "ObjectProperty", + "Range": "AnnotationType", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Dataset/datasetUpdateMechanism", + "id": "https://spdx.org/rdf/v3/Core/annotationType", "Domain": [ - "Dataset" + "Annotation" ] } }, - "datasetSize": { - "summary": "Captures the size of the dataset.", - "description": "DatasetSize Captures how large a dataset is.\nThe size is to be measured in bytes.", + "issuingAuthority": { + "summary": "TODO", + "description": "A issuingAuthority is TODO", "metadata": { - "name": "datasetSize", + "name": "issuingAuthority", "Nature": "DataProperty", - "Range": "xsd:nonNegativeInteger", + "Range": "xsd:anyURI", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Dataset/datasetSize", + "id": "https://spdx.org/rdf/v3/Core/issuingAuthority", "Domain": [ - "Dataset" + "ExternalIdentifier" ] } }, - "sensitivePersonalInformation": { - "summary": "Describes if any sensitive personal information is present in the dataset.", - "description": "SensitivePersonalInformation indicates the presence of sensitive personal data\nor information that allows drawing conclusions about a person's identity.", + "builtTime": { + "summary": "Specifies the time an artifact was built.", + "description": "A builtTime specifies the time an artifact was built.", "metadata": { - "name": "sensitivePersonalInformation", - "Nature": "ObjectProperty", - "Range": "PresenceType", + "name": "builtTime", + "Nature": "DataProperty", + "Range": "DateTime", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Dataset/sensitivePersonalInformation", + "id": "https://spdx.org/rdf/v3/Core/builtTime", "Domain": [ - "Dataset" + "Artifact" ] } }, - "confidentialityLevel": { - "summary": "Describes the confidentiality level of the data points contained in the dataset.", - "description": "ConfidentialityLevel describes the levels of confidentiality of the data points contained in the dataset.", + "profile": { + "summary": "Provides information about which profiles the Element belongs to.", + "description": "This field provides information about which profiles the Element belongs to.", "metadata": { - "name": "confidentialityLevel", + "name": "profile", "Nature": "ObjectProperty", - "Range": "ConfidentialityLevelType", + "Range": "ProfileIdentifierType", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Dataset/confidentialityLevel", + "id": "https://spdx.org/rdf/v3/Core/profile", "Domain": [ - "Dataset" + "CreationInfo" ] } }, - "dataCollectionProcess": { - "summary": "Describes how the dataset was collected.", - "description": "DataCollectionProcess describes how a dataset was collected.\nExamples include the sources from which a dataset was scrapped or\nthe interview protocol that was used for data collection.", + "context": { + "summary": "Gives information about the circumstances or unifying properties\nthat Elements of the bundle have been assembled under.", + "description": "A context gives information about the circumstances or unifying properties\nthat Elements of the bundle have been assembled under.", "metadata": { - "name": "dataCollectionProcess", + "name": "context", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Dataset/dataCollectionProcess", + "id": "https://spdx.org/rdf/v3/Core/context", "Domain": [ - "Dataset" + "Bundle" ] } }, - "anonymizationMethodUsed": { - "summary": "Describes the anonymization methods used.", - "description": "AnonymizationMethodUsed describes the methods used to anonymize the dataset (of fields in the dataset).", + "comment": { + "summary": "Provide consumers with comments by the creator of the Element about the Element.", + "description": "A comment is an optional field for creators of the Element to provide comments\nto the readers/reviewers of the document.", "metadata": { - "name": "anonymizationMethodUsed", + "name": "comment", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Dataset/anonymizationMethodUsed", + "id": "https://spdx.org/rdf/v3/Core/comment", "Domain": [ - "Dataset" + "ExternalReference", + "ExternalIdentifier", + "CreationInfo", + "IntegrityMethod", + "Element" ] } }, - "datasetAvailability": { - "summary": "The field describes the availability of a dataset.", - "description": "Some datasets are publicly available and can be downloaded directly. Others are only accessible behind a clickthrough, or after filling a registration form. This field will describe the dataset availability from that perspective.", + "imports": { + "summary": "Provides an ExternalMap of Element identifiers.", + "description": "Imports provides an ExternalMap of Element identifiers that are used within a document\nbut defined external to that document.", "metadata": { - "name": "datasetAvailability", + "name": "imports", + "Nature": "ObjectProperty", + "Range": "ExternalMap", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/imports", + "Domain": [ + "ElementCollection" + ] + } + }, + "name": { + "summary": "Identifies the name of an Element as designated by the creator.", + "description": "This field identifies the name of an Element as designated by the creator. \nThe name of an Element is an important convention and easier to refer to than the URI.", + "metadata": { + "name": "name", "Nature": "DataProperty", - "Range": "DatasetAvailabilityType", + "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Dataset/datasetAvailability", + "id": "https://spdx.org/rdf/v3/Core/name", "Domain": [ - "Dataset" + "Element" ] } }, - "intendedUse": { - "summary": "Describes what the given dataset should be used for.", - "description": "IntendedUse describes what the given dataset should be used for.\nSome datasets are collected to be used only for particular purposes. \nFor example, medical data collected from a specific demography might only be applicable\nfor training machine learning models to make predictions for that demography.\nIn such a case, the intendedUse field would capture this information.\nSimilarly, if a dataset is collected for building a facial recognition model,\nthe intendedUse field would specify that.", + "standard": { + "summary": "The relevant standards that may apply to an artifact.", + "description": "Various standards may be relevant to useful to capture for specific artifacts.", "metadata": { - "name": "intendedUse", + "name": "standard", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Dataset/intendedUse", + "id": "https://spdx.org/rdf/v3/Core/standard", "Domain": [ - "Dataset" + "Artifact" ] } }, - "sensor": { - "summary": "Describes a sensor used for collecting the data.", - "description": "Sensor describes a sensor that was used for collecting the data\nand its calibration value as a key-value pair.", + "endTime": { + "summary": "Specifies the time from which an element is no longer applicable / valid.", + "description": "A endTime specifies the time from which element is no applicable / valid.", "metadata": { - "name": "sensors", + "name": "endTime", + "Nature": "DataProperty", + "Range": "DateTime", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/endTime", + "Domain": [ + "Relationship" + ] + } + }, + "scope": { + "summary": "TODO", + "description": "A scope is TODO", + "metadata": { + "name": "scope", "Nature": "ObjectProperty", - "Range": "/Core/DictionaryEntry", + "Range": "LifecycleScopeType", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Dataset/sensor", + "id": "https://spdx.org/rdf/v3/Core/scope", "Domain": [ - "Dataset" + "LifecycleScopedRelationship" ] } }, - "datasetType": { - "summary": "Describes the type of the given dataset.", - "description": "Type describes the datatype contained in the dataset. For example a dataset can be an image dataset for computer vision applications, a text dataset such as the contents of a book or Wikipedia article, or sometimes a multimodal dataset that contains multiple types of data.", + "key": { + "summary": "A key used in a generic key-value pair.", + "description": "A key used in generic a key-value pair.\nA key-value pair can be used to implement a dictionary which associates a key with a value.", "metadata": { - "name": "datasetType", + "name": "key", "Nature": "DataProperty", - "Range": "DatasetType", + "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Dataset/datasetType", + "id": "https://spdx.org/rdf/v3/Core/key", "Domain": [ - "Dataset" + "DictionaryEntry" + ] + } + }, + "identifier": { + "summary": "Uniquely identifies an external element.", + "description": "An identifier uniquely identifies an external element.", + "metadata": { + "name": "identifier", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/identifier", + "Domain": [ + "ExternalIdentifier" + ] + } + }, + "completeness": { + "summary": "Provides information about the completeness of relationships.", + "description": "Completeness gives information about whether the provided relationships are\ncomplete, known to be incomplete or if no assertion is made either way.", + "metadata": { + "name": "completeness", + "Nature": "ObjectProperty", + "Range": "RelationshipCompleteness", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/completeness", + "Domain": [ + "Relationship" + ] + } + }, + "externalReferenceType": { + "summary": "Specifies the type of the external reference.", + "description": "An externalReferenceType specifies the type of the external reference.", + "metadata": { + "name": "externalReferenceType", + "Nature": "ObjectProperty", + "Range": "ExternalReferenceType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/externalReferenceType", + "Domain": [ + "ExternalReference" + ] + } + }, + "createdBy": { + "summary": "Identifies who or what created the Element.", + "description": "CreatedBy identifies who or what created the Element.\nThe generation method will assist the recipient of the Element in assessing\nthe general reliability/accuracy of the analysis information.", + "metadata": { + "name": "createdBy", + "Nature": "ObjectProperty", + "Range": "Agent", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/createdBy", + "Domain": [ + "CreationInfo" ] } } }, "vocabs": { - "DatasetType": { - "summary": "Enumeration of dataset types.", - "description": "Describes the different structures of data within a given dataset. A dataset can have multiple types of data, or even a single type of data but still match multiple types, for example sensor data could also be timeseries or labeled image data could also be considered categorical.", + "RelationshipCompleteness": { + "summary": "Indicates whether a relationship is complete or known to be incomplete or if there\nis made no assertion either way.", + "description": "RelationshipCompleteness indicates whether a relationship is complete or \nknown to be incomplete or if there is made no assertion either way.", "metadata": { - "name": "DatasetType", + "name": "RelationshipCompleteness", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Dataset/DatasetType" + "id": "https://spdx.org/rdf/v3/Core/RelationshipCompleteness" }, "entries": { - "structured": "data is stored in tabular format or retrieved from a relational database.", - "numeric": "data consists only of numeric entries.", - "text": "data consists of unstructured text, such as a book, wikipedia article (without images), or transcript.", - "categorical": "data that is classified into a discrete number of categories, such as the eye color of a population of people.", - "graph": "data is in the form of a graph where entries are somehow related to each other through edges, such a social network of friends.", - "timeseries": "data is recorded in an ordered sequence of timestamped entries, such as the price of a stock over the course of a day.", - "timestamp": "data is recorded with a timestamp for each entry, but not necessarily ordered or at specific intervals, such as when a taxi ride starts and ends.", - "sensor": "data is recorded from a physical sensor, such as a thermometer reading or biometric device.", - "image": "data is a collection of images such as pictures of animals.", - "syntactic": "data describes the syntax or semantics of a language or text, such as a parse tree used for natural language processing.", - "audio": "data is audio based, such as a collection of music from the 80s.", - "video": "data is video based, such as a collection of movie clips featuring Tom Hanks.", - "other": "data is of a type not included in this list.", - "noAssertion": "data type is not known." + "incomplete": "The relationship is known not to be exhaustive.", + "complete": "The relationship is known to be exhaustive.", + "noAssertion": "There can be made no assertion about the completeness of the relationship." } }, - "DatasetAvailabilityType": { - "summary": "Availability of dataset", - "description": "Describes the possible types of availability of a dataset, indicating whether the dataset can be directly downloaded, can be assembled using a script for scraping the data, is only available after a clickthrough or a registration form.", + "ProfileIdentifierType": { + "summary": "Enumeration of the valid profiles that an element can be specified to be part of.", + "description": "There are a set of profiles that have been defined to be valid for a specific release This file enumerates the values that have been agreed on, and may be applied to the creation information for an an element.", "metadata": { - "name": "DatasetAvailabilityType", + "name": "ProfileIdentifierType", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Dataset/DatasetAvailabilityType" + "id": "https://spdx.org/rdf/v3/Core/ProfileIdentifierType" }, "entries": { - "Direct-Download": "the dataset is publicly available and can be downloaded directly.", - "Scraping-Script": "the dataset provider is not making available the underlying data and the dataset must be reassembled, typically using the provided script for scraping the data.", - "Query": "the dataset is publicly available, but not all at once, and can only be accessed through queries which return parts of the dataset.", - "Clickthrough": "the dataset is not publicly available and can only be accessed after affirmatively accepting terms on a clickthrough webpage.", - "Registration": "the dataset is not publicly available and an email registration is required before accessing the dataset, although without an affirmative acceptance of terms." + "core": "the element follows the Core profile specification", + "software": "the element follows the Software profile specification", + "simpleLicensing": "the element follows the simple Licensing profile specification", + "expandedLicensing": "the element follows the expanded Licensing profile specification", + "security": "the element follows the Security profile specification", + "build": "the element follows the Build profile specification", + "ai": "the element follows the AI profile specification", + "dataset": "the element follows the Dataset profile specification", + "usage": "the element follows the Usage profile specification", + "extension": "the element follows the Extension profile specification" } }, - "ConfidentialityLevelType": { - "summary": "Categories of confidentiality level.", - "description": "Describes the different confidentiality levels as given by the [Traffic Light Protocol](https://en.wikipedia.org/wiki/Traffic_Light_Protocol).", + "ExternalIdentifierType": { + "summary": "Specifies the type of an external identifier.", + "description": "ExteralIdentifierType specifies the type of an external identifier.", "metadata": { - "name": "ConfidentialityLevelType", + "name": "ExternalIdentifierType", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Dataset/ConfidentialityLevelType" + "id": "https://spdx.org/rdf/v3/Core/ExternalIdentifierType" }, "entries": { - "Red": "Data points in the dataset are highly confidential and can only be shared with named recipients.", - "Amber": "Data points in the dataset can be shared only with specific organizations and their clients on a need to know basis.", - "Green": "Dataset can be shared within a community of peers and partners.", - "Clear": "Dataset may be distributed freely, without restriction." + "cpe22": "https://cpe.mitre.org/files/cpe-specification_2.2.pdf", + "cpe23": "https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7695.pdf", + "cve": "An identifier for a specific software flaw defined within the official CVE Dictionary and that conforms to the CVE specification as defined by https://csrc.nist.gov/glossary/term/cve_id.", + "email": "https://datatracker.ietf.org/doc/html/rfc3696#section-3", + "gitoid": "https://www.iana.org/assignments/uri-schemes/prov/gitoid Gitoid stands for [Git Object ID](https://git-scm.com/book/en/v2/Git-Internals-Git-Objects) and a gitoid of type blob is a unique hash of a binary artifact. A gitoid may represent the software [Artifact ID](https://github.com/omnibor/spec/blob/main/spec/SPEC.md#artifact-id) or the [OmniBOR Identifier](https://github.com/omnibor/spec/blob/main/spec/SPEC.md#omnibor-identifier) for the software artifact's associated [OmniBOR Document](https://github.com/omnibor/spec/blob/main/spec/SPEC.md#omnibor-document); this ambiguity exists because the OmniBOR Document is itself an artifact, and the gitoid of that artifact is its valid identifier. Omnibor is a minimalistic schema to describe software [Artifact Dependency Graphs](https://github.com/omnibor/spec/blob/main/spec/SPEC.md#artifact-dependency-graph-adg). Gitoids calculated on software artifacts (Snippet, File, or Package Elements) should be recorded in the SPDX 3.0 SoftwareArtifact's ContentIdentifier property. Gitoids calculated on the OmniBOR Document (OmniBOR Identifiers) should be recorded in the SPDX 3.0 Element's ExternalIdentifier property.", + "other": "Used when the type doesn't match any of the other options.", + "pkgUrl": "https://github.com/package-url/purl-spec", + "securityOther": "Used when there is a security related identifier of unspecified type.", + "swhid": "https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html", + "swid": "https://www.ietf.org/archive/id/draft-ietf-sacm-coswid-21.html#section-2.3", + "urlScheme": "the scheme used in order to locate a resource https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml" } - } - } - }, - "Licensing": { - "name": "Licensing", - "classes": { - "ListedLicense": { - "summary": "A license that is listed on the SPDX License List.", - "description": "A ListedLicense represents a License that is listed on the SPDX License List\nat https://spdx.org/licenses.", + }, + "ExternalReferenceType": { + "summary": "Specifies the type of an external reference.", + "description": "ExteralReferenceType specifies the type of an external reference.", "metadata": { - "name": "ListedLicense", - "SubclassOf": "License", + "name": "ExternalReferenceType", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Licensing/ListedLicense" - }, - "properties": { - "listVersionAdded": { - "type": "xsd:string", - "minCount": "0", - "maxCount": "1" - }, - "deprecatedVersion": { - "type": "xsd:string", - "minCount": "0", - "maxCount": "1" - } + "id": "https://spdx.org/rdf/v3/Core/ExternalReferenceType" }, - "externalPropertyRestrictions": {} + "entries": { + "altDownloadLocation": "A reference to an alternative download location.", + "altWebPage": "A reference to an alternative web page.", + "binaryArtifact": "A reference to binary artifacts related to a package.", + "buildMeta": "A reference build metadata related to a published package.", + "buildSystem": "A reference build system used to create or publish the package.", + "chat": "A reference to the instant messaging system used by the maintainer for a package.", + "certificationReport": "A reference to a certification report for a package from an accredited/independent body.", + "componentAnalysisReport": "A reference to a Software Composition Analysis (SCA) report.", + "documentation": "A reference to the documentation for a package.", + "dynamicAnalysisReport": "A reference to a dynamic analysis report for a package.", + "eolNotice": "A reference to the End Of Sale (EOS) and/or End Of Life (EOL) information related to a package.", + "exportControlAssessment": "A reference to a export control assessment for a package.", + "funding": "A reference to funding information related to a package.", + "issueTracker": "A reference to the issue tracker for a package.", + "mailingList": "A reference to the mailing list used by the maintainer for a package.", + "metrics": "A reference to metrics related to package such as OpenSSF scorecards.", + "license": "A reference to additional license information related to an artifact.", + "other": "Used when the type doesn't match any of the other options.", + "privacyAssessment": "A reference to a privacy assessment for a package.", + "productMetadata": "A reference to additional product metadata such as reference within organization's product catalog.", + "purchaseOrder": "A reference to a purchase order for a package.", + "releaseNotes": "A reference to the release notes for a package.", + "releaseHistory": "A reference to a published list of releases for a package.", + "riskAssessment": "A reference to a risk assessment for a package.", + "runtimeAnalysisReport": "A reference to a runtime analysis report for a package.", + "secureSoftwareAttestation": "A reference to information assuring that the software is developed using security practices as defined by [NIST SP 800-218 Secure Software Development Framework (SSDF)](https://csrc.nist.gov/publications/detail/sp/800-218/final) or [CISA Secure Software Development Attestation Form](https://www.cisa.gov/sites/default/files/2023-04/secure-software-self-attestation_common-form_508.pdf).", + "securityAdvisory": "A reference to a published security advisory (where advisory as defined per ISO 29147:2018) that may affect one or more elements, e.g., vendor advisories or specific NVD entries.", + "securityAdversaryModel": "A reference to the security adversary model for a package.", + "securityFix": "A reference to the patch or source code that fixes a vulnerability.", + "securityOther": "A reference to related security information of unspecified type.", + "securityPenTestReport": "A reference to a [penetration test](https://en.wikipedia.org/wiki/Penetration_test) report for a package.", + "securityPolicy": "A reference to instructions for reporting newly discovered security vulnerabilities for a package.", + "securityThreatModel": "A reference the [security threat model](https://en.wikipedia.org/wiki/Threat_model) for a package.", + "socialMedia": "A reference to a social media channel for a package.", + "sourceArtifact": "A reference to an artifact containing the sources for a package.", + "staticAnalysisReport": "A reference to a static analysis report for a package.", + "support": "A reference to the software support channel or other support information for a package.", + "vcs": "A reference to a version control system related to a software artifact.", + "vulnerabilityDisclosureReport": "A reference to a Vulnerability Disclosure Report (VDR) which provides the software supplier's analysis and findings describing the impact (or lack of impact) that reported vulnerabilities have on packages or products in the supplier's SBOM as defined in [NIST SP 800-161](https://csrc.nist.gov/publications/detail/sp/800-161/rev-1/final).", + "vulnerabilityExploitabilityAssessment": "A reference to a Vulnerability Exploitability eXchange (VEX) statement which provides information on whether a product is impacted by a specific vulnerability in an included package and, if affected, whether there are actions recommended to remediate. See also [NTIA VEX one-page](https://ntia.gov/files/ntia/publications/vex_one-page_summary.pdf)..", + "qualityAssessmentReport": "A reference to a quality assessment for a package." + } }, - "WithAdditionOperator": { - "summary": "Portion of an AnyLicenseInfo representing a License which has additional\ntext applied to it", - "description": "A WithAdditionOperator indicates that the designated License is subject to the\ndesignated LicenseAddition, which might be a license exception on the SPDX\nExceptions List (ListedLicenseException) or may be other additional text\n(CustomLicenseAddition). It is represented in the SPDX License Expression\nSyntax by the `WITH` operator.", + "LifecycleScopeType": { + "summary": "TODO", + "description": "TODO", "metadata": { - "name": "WithAdditionOperator", - "SubclassOf": "AnyLicenseInfo", + "name": "LifecycleScopeType", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Licensing/WithAdditionOperator" - }, - "properties": { - "subjectLicense": { - "type": "ExpandedLicense/ExtendableLicense", - "minCount": "1", - "maxCount": "1" - }, - "subjectAddition": { - "type": "LicenseAddition", - "minCount": "1", - "maxCount": "1" - } + "id": "https://spdx.org/rdf/v3/Core/LifecycleScopeType" }, - "externalPropertyRestrictions": {} + "entries": { + "design": "TODOdescription", + "build": "TODOdescription", + "development": "TODOdescription", + "test": "TODOdescription", + "runtime": "TODOdescription", + "other": "TODOdescription" + } }, - "License": { - "summary": "Abstract class for the portion of an AnyLicenseInfo representing a license.", - "description": "A License represents a license text, whether listed on the SPDX License List\n(ListedLicense) or defined by an SPDX data creator (CustomLicense).", + "AnnotationType": { + "summary": "Specifies the type of an annotation.", + "description": "AnnotationType specifies the type of an annotation.", "metadata": { - "name": "License", - "SubclassOf": "ExpandedLicense/ExtendableLicense", - "Instantiability": "Abstract", + "name": "AnnotationType", + "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Licensing/License" - }, - "properties": { - "licenseText": { - "type": "xsd:string", - "minCount": "1", - "maxCount": "1" - }, - "isOsiApproved": { - "type": "xsd:boolean", - "minCount": "0", - "maxCount": "1" - }, - "isFsfLibre": { - "type": "xsd:boolean", - "minCount": "0", - "maxCount": "1" - }, - "standardLicenseHeader": { - "type": "xsd:string", - "minCount": "0", - "maxCount": "1" - }, - "standardLicenseTemplate": { - "type": "xsd:string", - "minCount": "0", - "maxCount": "1" - }, - "isDeprecatedLicenseId": { - "type": "xsd:boolean", - "minCount": "0", - "maxCount": "1" - }, - "obsoletedBy": { - "type": "xsd:string", - "minCount": "0", - "maxCount": "1" - } + "id": "https://spdx.org/rdf/v3/Core/AnnotationType" }, - "externalPropertyRestrictions": {} + "entries": { + "other": "Used to store extra information about an Element which is not part of a Review (e.g. extra information provided during the creation of the Element).", + "review": "Used when someone reviews the Element." + } }, - "CustomLicenseAddition": { - "summary": "A license addition that is not listed on the SPDX Exceptions List.", - "description": "A CustomLicenseAddition represents an addition to a License that is not listed\non the SPDX Exceptions List at https://spdx.org/licenses/exceptions-index.html,\nand is therefore defined by an SPDX data creator.\n\nIt is intended to represent additional language which is meant to be added to\na License, but which is not itself a standalone License.", + "HashAlgorithm": { + "summary": "A mathematical algorithm that maps data of arbitrary size to a bit string.", + "description": "A HashAlgorithm is a mathematical algorithm that maps data of arbitrary size to a bit string (the hash)\nand is a one-way function, that is, a function which is practically infeasible to invert.", "metadata": { - "name": "CustomLicenseAddition", - "SubclassOf": "LicenseAddition", + "name": "HashAlgorithm", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Licensing/CustomLicenseAddition" + "id": "https://spdx.org/rdf/v3/Core/HashAlgorithm" }, - "properties": {}, - "externalPropertyRestrictions": {} + "entries": { + "blake2b256": "blake2b algorithm with a digest size of 256 https://datatracker.ietf.org/doc/html/rfc7693#section-4", + "blake2b384": "blake2b algorithm with a digest size of 384 https://datatracker.ietf.org/doc/html/rfc7693#section-4", + "blake2b512": "blake2b algorithm with a digest size of 512 https://datatracker.ietf.org/doc/html/rfc7693#section-4", + "blake3": "https://github.com/BLAKE3-team/BLAKE3-specs/blob/master/blake3.pdf", + "crystalsKyber": "https://pq-crystals.org/kyber/index.shtml", + "crystalsDilithium": "https://pq-crystals.org/dilithium/index.shtml", + "falcon": "https://falcon-sign.info/falcon.pdf", + "md2": "https://datatracker.ietf.org/doc/rfc1319/", + "md4": "https://datatracker.ietf.org/doc/html/rfc1186", + "md5": "https://datatracker.ietf.org/doc/html/rfc1321", + "md6": "https://people.csail.mit.edu/rivest/pubs/RABCx08.pdf", + "other": "any hashing algorithm that does not exist in this list of entries", + "sha1": "https://datatracker.ietf.org/doc/html/rfc3174", + "sha224": "secure hashing algorithm with a digest length of 224 https://datatracker.ietf.org/doc/html/draft-ietf-pkix-sha224-01", + "sha256": "secure hashing algorithm with a digest length of 256 https://www.rfc-editor.org/rfc/rfc4634", + "sha3_224": "sha3 with a digest length of 224 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf", + "sha3_256": "sha3 with a digest length of 256 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf", + "sha3_384": "sha3 with a digest length of 384 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf", + "sha3_512": "sha3 with a digest length of 512 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf", + "sha384": "secure hashing algorithm with a digest length of 384 https://www.rfc-editor.org/rfc/rfc4634", + "sha512": "secure hashing algorithm with a digest length of 512 https://www.rfc-editor.org/rfc/rfc4634", + "spdxPvcSha1": "TODOdescription", + "spdxPvcSha256": "TODOdescription", + "sphincsPlus": "TODOdescription" + } }, - "LicenseAddition": { - "summary": "Abstract class for additional text intended to be added to a License, but\nwhich is not itself a standalone License.", - "description": "A LicenseAddition represents text which is intended to be added to a License\nas additional text, but which is not itself intended to be a standalone\nLicense.\n\nIt may be an exception which is listed on the SPDX Exceptions List\n(ListedLicenseException), or may be any other additional text (as an exception\nor otherwise) which is defined by an SPDX data creator (CustomLicenseAddition).", + "RelationshipType": { + "summary": "Information about the relationship between two Elements.", + "description": "Provides information about the relationship between two Elements.\nFor example, you can represent a relationship between two different Files,\nbetween a Package and a File, between two Packages, or between one SPDXDocument and another SPDXDocument.", "metadata": { - "name": "LicenseAddition", - "SubclassOf": "/Core/Element", - "Instantiability": "Abstract", + "name": "RelationshipType", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/Core/RelationshipType" + }, + "entries": { + "affects": "(Security/VEX) Designates one or more elements as affected by a vulnerability", + "amends": "Every `to` Element amends the `from` Element", + "ancestor": "Every `to` Element is an ancestor of the `from` Element", + "availableFrom": "This relationship is used to identify additional suppliers where an artifact is available from.", + "buildDependency": "Every `to` Element is a build dependency of the `from` Element", + "buildTool": "Build tool used to build an Element. This may be used to describe the build tool of a Build instance", + "coordinatedBy": "(Security) Used to identify the vendor, researcher, or consumer agent performing coordination for a vulnerability", + "contains": "Every `to` Element is contained by the `from` Element", + "configOf": "(Build) Configuration information applied to an Element instance during a LifeycleScopeType period. Example: Build configuration of the build instance", + "copy": "Every `to` Element is a copy of the `from` Element", + "dataFile": "Every `to` Element is a data file related to the the `from` Element", + "dependencyManifest": "Every `to` Element is manifest file containing dependency information related to the `from` Element", + "dependsOn": "Every `to` Element is a dependecy of the `from` Element", + "descendant": "This relationship may be used to describe child builds of a Build instance.", + "describes": "Every `to` Element is described by the `from` Element. This can be used to denote the root(s) of a tree of elements contained in an SBOM.", + "devDependency": "Every `to` Element is a development dependency for the `from` Element", + "devTool": "Every `to` Element is a development tool for the `from` Element", + "distributionArtifact": "Every `to` Element is an artifact intended for distribution of the `from` Element (e.g. an RPM or archive file)", + "documentation": "Every `to` Element is documentation for the `from` Element", + "doesNotAffect": "(Security/VEX) Specifies a vulnerability has no impact on one or more elements", + "dynamicLink": "Every `to` Element is dynamically linked to the `from` Element", + "example": "Every `to` Element is an example for the `from` Element", + "evidenceFor": "(Dataset) Every `to` Element is can be considered as evidence for the `from` Element", + "expandedFromArchive": "Every `to` Element is an artifact expanded from the `from` archive file", + "exploitCreatedBy": "(Security) Designates an agent has created an exploit against a vulnerability", + "fileAdded": "Every `to` Element is is a file added to the `from` Element", + "fileDeleted": "Every `to` Element is a file deleted from the `from` Element", + "fileModified": "Every `to` Element is a modification of the `from` Element", + "fixedBy": "(Security) Designates a vulnerability has been fixed by an agent", + "fixedIn": "(Security/VEX) A vulnerability has been fixed in one or more elements", + "foundBy": "(Security) Designates an agent was the original discoverer of a security vulnerability", + "generates": "Every `to` Element is generated from the `from` Element", + "hasAssessmentFor": "(Security) Relates a Vulnerability and an Element with a security assessment.", + "hasAssociatedVulnerability": "(Security) Used to associate a security vulnerability with a software artifact", + "hostOf": "(Build) The`from` Element in which every instance of the `to` Element during a LifecycleScopeType period runs on. Example: host that the build runs on for an element.", + "inputOf": "(Build) Input to the Element instance during a LifecycleScopeType period. Example: input to the build instance for an element.", + "invokedBy": "(Build) Every`to` Agent that invoked a `from` Element instance during a LifecycleScopeType period. Example: Agent that invoked the build for an element", + "metafile": "Every `to` Element is is a file containing metadata about the `from` Element", + "onBehalfOf": "(Build) Every `to` Agent acting on behalf of another `from` Agent during a LifecycleScopeType period", + "optionalComponent": "Every `to` Element is an optional component of the `from` Element", + "optionalDependency": "Every `to` Element is an optional dependency of the `from` Element", + "other": "Every `to` Element is related to the `from` Element where the relationship type is not described by any of the SPDX relationhip types", + "outputOf": "(Build) `from` Element that is output `to` the Element instance during a LifecycleScopeType period. Example: output of the build instance", + "packages": "Every `to` Element is a packaged form of the `from` Element", + "patch": "Every `to` Element is a patch for the `from` Element", + "prerequisite": "Every `to` Element is a prerequisite of the `from` Element", + "providedDependency": "Every `to` Element is a dependency not included in the distributed artifact but is assumed to be provided the `from` Element", + "publishedBy": "(Security) Designates the agent that made a vulnerability record available for public use or reference", + "reportedBy": "(Security) Designates the agent that first reported a vulnerability to the project, vendor, or tracking database for formal identification", + "republishedBy": "(Security) Designates the agent that tracked, aggregated, and/or enriched vulnerability details to improve context (i.e. NVD)", + "requirementFor": "Every `to` Element is required for the `from` Element", + "runtimeDependency": "Every `to` Element is a runtime dependency for the `from` Element", + "specificationFor": "Every `to` Element is a specification for the `from` Element", + "staticLink": "Every `to` Element is statically linked to the `from` Element", + "test": "Every `to` Element is a test artifact for the `from` Element", + "testCase": "Every `to` Element is a test case for the `from` Element", + "testDependency": "Every `to` Element is a test dependency for the `from` Element", + "testTool": "Every `to` Element is a test tool for the `from` Element", + "testedOn": "(AI, Dataset) The `from` Element has been tested on the `to` Element", + "trainedOn": "(AI, Dataset) The `from` Element has been trained by the `to` Element(s)", + "underInvestigationFor": "(Security/VEX) The impact of a vulnerability is being investigated", + "variant": "Every `to` Element is a variant the `from` Element" + } + } + } + }, + "Dataset": { + "name": "Dataset", + "classes": { + "Dataset": { + "summary": "Provides information about the fields in the Dataset profile.", + "description": "Metadata information that can be added to a dataset that may be used in a software or to train/test an AI package.\nExternal property restriction on /Core/Artifact/originatedBy: minCount: 1\nExternal property restriction on /Software/Package/downloadLocation: minCount: 1\nExternal property restriction on /Software/SoftwareArtifact/primaryPurpose: minCount: 1\nExternal property restriction on /Core/Artifact/releaseTime: minCount: 1\nExternal property restriction on /Core/Artifact/builtTime: minCount: 1", + "metadata": { + "name": "Dataset", + "SubclassOf": "/Software/Package", + "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Licensing/LicenseAddition" + "id": "https://spdx.org/rdf/v3/Dataset/Dataset" }, "properties": { - "additionText": { - "type": "xsd:string", + "datasetType": { + "type": "DatasetType", "minCount": "1", + "maxCount": "*" + }, + "dataCollectionProcess": { + "type": "xsd:string", + "minCount": "0", "maxCount": "1" }, - "standardAdditionTemplate": { + "intendedUse": { "type": "xsd:string", "minCount": "0", "maxCount": "1" }, - "isDeprecatedAdditionId": { - "type": "xsd:boolean", + "datasetSize": { + "type": "xsd:nonNegativeInteger", "minCount": "0", "maxCount": "1" }, - "obsoletedBy": { + "datasetNoise": { "type": "xsd:string", "minCount": "0", "maxCount": "1" - } - }, - "externalPropertyRestrictions": {} - }, - "OrLaterOperator": { - "summary": "Portion of an AnyLicenseInfo representing this version, or any later version,\nof the indicated License.", - "description": "An OrLaterOperator indicates that this portion of the AnyLicenseInfo\nrepresents either (1) the specified version of the corresponding License, or\n(2) any later version of that License. It is represented in the SPDX License\nExpression Syntax by the `+` operator.\n\nIt is context-dependent, and unspecified by SPDX, as to what constitutes a\n\"later version\" of any particular License. Some Licenses may not be versioned,\nor may not have clearly-defined ordering for versions. The consumer of SPDX\ndata will need to determine for themselves what meaning to attribute to a\n\"later version\" operator for a particular License.", - "metadata": { - "name": "OrLaterOperator", - "SubclassOf": "ExpandedLicense/ExtendableLicense", - "Instantiability": "Concrete", - "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Licensing/OrLaterOperator" - }, - "properties": { - "subjectLicense": { - "type": "License", - "minCount": "1", - "maxCount": "1" - } - }, - "externalPropertyRestrictions": {} - }, - "CustomLicense": { - "summary": "A license that is not listed on the SPDX License List.", - "description": "A CustomLicense represents a License that is not listed on the SPDX License\nList at https://spdx.org/licenses, and is therefore defined by an SPDX data\ncreator.", - "metadata": { - "name": "CustomLicense", - "SubclassOf": "License", - "Instantiability": "Concrete", - "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Licensing/CustomLicense" - }, - "properties": {}, - "externalPropertyRestrictions": {} - }, - "LicenseExpression": { - "summary": "An SPDX Element containing an SPDX license expression string.", - "description": "Often a single license can be used to represent the licensing terms of a source code or binary file, but there are situations where a single license identifier is not sufficient. A common example is when software is offered under a choice of one or more licenses (e.g., GPL-2.0-only OR BSD-3-Clause). Another example is when a set of licenses is needed to represent a binary program constructed by compiling and linking two (or more) different source files each governed by different licenses (e.g., LGPL-2.1-only AND BSD-3-Clause).\n\nSPDX License Expressions provide a way for one to construct expressions that more accurately represent the licensing terms typically found in open source software source code. A license expression could be a single license identifier found on the SPDX License List; a user defined license reference denoted by the LicenseRef-idString; a license identifier combined with an SPDX exception; or some combination of license identifiers, license references and exceptions constructed using a small set of defined operators (e.g., AND, OR, WITH and +). We provide the definition of what constitutes a valid an SPDX License Expression in this section.", - "metadata": { - "name": "LicenseExpression", - "SubclassOf": "AnyLicenseInfo", - "Instantiability": "Concrete", - "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Licensing/LicenseExpression" - }, - "properties": { - "licenseExpression": { + }, + "dataPreprocessing": { "type": "xsd:string", - "minCount": "1", + "minCount": "0", + "maxCount": "*" + }, + "sensor": { + "type": "/Core/DictionaryEntry", + "minCount": "0", + "maxCount": "*" + }, + "knownBias": { + "type": "xsd:string", + "minCount": "0", + "maxCount": "*" + }, + "sensitivePersonalInformation": { + "type": "PresenceType", + "minCount": "0", "maxCount": "1" - } - }, - "externalPropertyRestrictions": {} - }, - "ListedLicenseException": { - "summary": "A license exception that is listed on the SPDX Exceptions list.", - "description": "A ListedLicenseException represents an exception to a License (in other words,\nan exception to a license condition or an additional permission beyond those\ngranted in a License) which is listed on the SPDX Exceptions List at\nhttps://spdx.org/licenses/exceptions-index.html.", - "metadata": { - "name": "ListedLicenseException", - "SubclassOf": "LicenseAddition", - "Instantiability": "Concrete", - "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Licensing/ListedLicenseException" - }, - "properties": { - "listVersionAdded": { + }, + "anonymizationMethodUsed": { "type": "xsd:string", "minCount": "0", + "maxCount": "*" + }, + "confidentialityLevel": { + "type": "ConfidentialityLevelType", + "minCount": "0", "maxCount": "1" }, - "deprecatedVersion": { + "datasetUpdateMechanism": { "type": "xsd:string", "minCount": "0", "maxCount": "1" + }, + "datasetAvailability": { + "type": "DatasetAvailabilityType", + "minCount": "0", + "maxCount": "1" } }, - "externalPropertyRestrictions": {} - }, - "AnyLicenseInfo": { - "summary": "Abstract class representing a license combination consisting of one or more\nlicenses (optionally including additional text), which may be combined\naccording to the SPDX license expression syntax.", - "description": "An AnyLicenseInfo is used by licensing properties of software artifacts.\nIt can be a NoneLicense, a NoAssertionLicense,\nsingle license (either on the SPDX License List or a custom-defined license);\na single license with an \"or later\" operator applied; the foregoing with\nadditional text applied; or a set of licenses combined by applying \"AND\" and\n\"OR\" operators recursively.", - "metadata": { - "name": "AnyLicenseInfo", - "SubclassOf": "/Core/Element", - "Instantiability": "Abstract", - "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Licensing/AnyLicenseInfo" - }, - "properties": {}, - "externalPropertyRestrictions": {} + "externalPropertyRestrictions": { + "/Core/Artifact/originatedBy": { + "minCount": "1", + "maxCount": "*" + }, + "/Software/Package/downloadLocation": { + "minCount": "1", + "maxCount": "*" + }, + "/Software/SoftwareArtifact/primaryPurpose": { + "minCount": "1", + "maxCount": "*" + }, + "/Core/Artifact/releaseTime": { + "minCount": "1", + "maxCount": "*" + }, + "/Core/Artifact/builtTime": { + "minCount": "1", + "maxCount": "*" + } + } } }, "properties": { - "seeAlso": { - "summary": "Contains a URL where the License or LicenseAddition can be found in use.", - "description": "A seeAlso defines a cross-reference with a URL where the License or\nLicenseAddition can be found in use by one or a few projects.\n\nIf applicable, it should include a URL where the license text is posted by\nthe license steward, particularly if the license steward has made available a\n\"canonical\" primary URL for the license text.\n\nIf the license is OSI approved, a seeAlso should be included with the URL for\nthe license's listing on the OSI website.\n\nThe seeAlso URL may refer to a previously-available URL for the License or\nLicenseAddition which is no longer active.\n\nWhere applicable, the seeAlso URL should include the license text in its\nnative language. seeAlso URLs to English or other translations may be included\nwhere multiple, equivalent official translations exist.", - "metadata": { - "name": "seeAlso", - "Nature": "DataProperty", - "Range": "xsd:anyURI", - "Instantiability": "Concrete", - "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Licensing/seeAlso" - } - }, - "standardLicenseHeader": { - "summary": "Provides a License author's preferred text to indicate that a file is covered\nby the License.", - "description": "A standardLicenseHeader contains the plain text of the License author's\npreferred wording to be used, typically in a source code file's header\ncomments or similar location, to indicate that the file is subject to\nthe specified License.", + "knownBias": { + "summary": "Records the biases that the dataset is known to encompass.", + "description": "KnownBias is a free form text field that describes the different biases that the dataset encompasses.", "metadata": { - "name": "standardLicenseHeader", + "name": "knownBias", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Licensing/standardLicenseHeader", + "id": "https://spdx.org/rdf/v3/Dataset/knownBias", "Domain": [ - "License" + "Dataset" ] } }, - "licenseName": { - "summary": "Identifies the full name of a License.", - "description": "A licenseName contains the full name of a License, preferably using the title found\nin the applicable license text or file, or as otherwise specified by the\nLicense's author or steward.\n\nWhen no such title is specified, using a name from another well-known source or list\nof licenses (such as OSI or Fedora) is suggested.\n\nIf no official or common name is known, any name may be used to aid in\ndistinguishing the License from other Licenses.", - "metadata": { - "name": "licenseName", - "Nature": "DataProperty", - "Range": "xsd:string", - "Instantiability": "Concrete", - "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Licensing/licenseName" - } - }, - "licenseText": { - "summary": "Identifies the full text of a License.", - "description": "A licenseText contains the plain text of the License, without templating\nor other similar markup.\n\nUsers of the licenseText for a License can apply the SPDX Matching Guidelines\nwhen comparing it to another text for matching purposes.", + "dataPreprocessing": { + "summary": "Describes the preprocessing steps that were applied to the raw data to create the given dataset.", + "description": "DataPreprocessing describes the various preprocessing steps\nthat were applied to the raw data to create the dataset.", "metadata": { - "name": "licenseText", + "name": "dataPreprocessing", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Licensing/licenseText", - "Domain": [ - "License" - ] - } - }, - "isDeprecatedLicenseId": { - "summary": "Specifies whether a license or additional text identifier has been marked as\ndeprecated.", - "description": "The isDeprecatedLicenseId property specifies whether an identifier for a\nLicense or LicenseAddition has been marked as deprecated. If the property\nis not defined, then it is presumed to be false (i.e., not deprecated).\n\nIf the License or LicenseAddition is included on the SPDX License List, then\nthe `deprecatedVersion` property indicates on which version release of the\nLicense List it was first marked as deprecated.\n\n\"Deprecated\" in this context refers to deprecating the use of the\n_identifier_, not the underlying license. In other words, even if a License's\nauthor or steward has stated that a particular License generally should not be\nused, that would _not_ mean that the License's identifier is \"deprecated.\"\nRather, a License or LicenseAddition operator is typically marked as\n\"deprecated\" when it is determined that use of another identifier is\npreferable.", - "metadata": { - "name": "isDeprecatedLicenseId", - "Nature": "DataProperty", - "Range": "xsd:boolean", - "Instantiability": "Concrete", - "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Licensing/isDeprecatedLicenseId", - "Domain": [ - "License" - ] - } - }, - "isDeprecatedAdditionId": { - "summary": "Specifies whether an additional text identifier has been marked as deprecated.", - "description": "The isDeprecatedAdditionId property specifies whether an identifier for a\nLicenseAddition has been marked as deprecated. If the property is not defined,\nthen it is presumed to be false (i.e., not deprecated).\n\nIf the LicenseAddition is included on the SPDX Exceptions List, then\nthe `deprecatedVersion` property indicates on which version release of the\nExceptions List it was first marked as deprecated.\n\n\"Deprecated\" in this context refers to deprecating the use of the\n_identifier_, not the underlying license addition. In other words, even if a\nLicenseAddition's author or steward has stated that a particular\nLicenseAddition generally should not be used, that would _not_ mean that the\nLicenseAddition's identifier is \"deprecated.\" Rather, a LicenseAddition\noperator is typically marked as \"deprecated\" when it is determined that use of\nanother identifier is preferable.", - "metadata": { - "name": "isDeprecatedAdditionId", - "Nature": "DataProperty", - "Range": "xsd:boolean", - "Instantiability": "Concrete", - "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Licensing/isDeprecatedAdditionId", + "id": "https://spdx.org/rdf/v3/Dataset/dataPreprocessing", "Domain": [ - "LicenseAddition" + "Dataset" ] } }, - "additionText": { - "summary": "Identifies the full text of a LicenseAddition.", - "description": "An additionText contains the plain text of the LicenseAddition, without\ntemplating or other similar markup.\n\nUsers of the additionText for a License can apply the SPDX Matching Guidelines\nwhen comparing it to another text for matching purposes.", + "datasetNoise": { + "summary": "Describes potentially noisy elements of the dataset.", + "description": "DatasetNoise describes what kinds of noises a dataset might encompass.\nThe field uses free form text to specify the fields or the samples that might be noisy.\nAlternatively, it can also be used to describe various noises that could impact the whole dataset.", "metadata": { - "name": "additionText", + "name": "datasetNoise", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Licensing/additionText", + "id": "https://spdx.org/rdf/v3/Dataset/datasetNoise", "Domain": [ - "LicenseAddition" + "Dataset" ] } }, - "isFsfLibre": { - "summary": "Specifies whether the License is listed as free by the\n[Free Software Foundation (FSF)](https://fsf.org).", - "description": "isFsfLibre specifies whether the [Free Software Foundation FSF](https://fsf.org)\nhas listed this License as \"free\" in their commentary on licenses, located at\nthe time of this writing at https://www.gnu.org/licenses/license-list.en.html.\n\nA value of \"true\" indicates that the FSF has listed this License as _free_.\n\nA value of \"false\" indicates that the FSF has listed this License as _not free_.\n\nIf the isFsfLibre field is not specified, the SPDX data creator makes no\nassertions about whether the License is listed in the FSF's commentary.", + "datasetUpdateMechanism": { + "summary": "Describes a mechanism to update the dataset.", + "description": "DatasetUpdateMechanism describes a mechanism to update the dataset.", "metadata": { - "name": "isFsfLibre", + "name": "datasetUpdateMechanism", "Nature": "DataProperty", - "Range": "xsd:boolean", + "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Licensing/isFsfLibre", + "id": "https://spdx.org/rdf/v3/Dataset/datasetUpdateMechanism", "Domain": [ - "License" + "Dataset" ] } }, - "listVersionAdded": { - "summary": "Specifies the SPDX License List version in which this ListedLicense or\nListedLicenseException identifier was first added.", - "description": "A listVersionAdded for a ListedLicense or ListedLicenseException on the SPDX\nLicense List specifies which version release of the License List was the first\none in which it was included.", + "datasetSize": { + "summary": "Captures the size of the dataset.", + "description": "DatasetSize Captures how large a dataset is.\nThe size is to be measured in bytes.", "metadata": { - "name": "listVersionAdded", + "name": "datasetSize", "Nature": "DataProperty", - "Range": "xsd:string", + "Range": "xsd:nonNegativeInteger", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Licensing/listVersionAdded", + "id": "https://spdx.org/rdf/v3/Dataset/datasetSize", "Domain": [ - "ListedLicense", - "ListedLicenseException" + "Dataset" ] } }, - "licenseExpression": { - "summary": "A string in the license expression format.", - "description": "Often a single license can be used to represent the licensing terms of a source code or binary file, but there are situations where a single license identifier is not sufficient. A common example is when software is offered under a choice of one or more licenses (e.g., GPL-2.0-only OR BSD-3-Clause). Another example is when a set of licenses is needed to represent a binary program constructed by compiling and linking two (or more) different source files each governed by different licenses (e.g., LGPL-2.1-only AND BSD-3-Clause).\n\nSPDX License Expressions provide a way for one to construct expressions that more accurately represent the licensing terms typically found in open source software source code. A license expression could be a single license identifier found on the SPDX License List; a user defined license reference denoted by the LicenseRef-idString; a license identifier combined with an SPDX exception; or some combination of license identifiers, license references and exceptions constructed using a small set of defined operators (e.g., AND, OR, WITH and +). We provide the definition of what constitutes a valid an SPDX License Expression in this section.", + "sensitivePersonalInformation": { + "summary": "Describes if any sensitive personal information is present in the dataset.", + "description": "SensitivePersonalInformation indicates the presence of sensitive personal data\nor information that allows drawing conclusions about a person's identity.", "metadata": { - "name": "licenseExpression", - "Nature": "DataProperty", - "Range": "xsd:string", + "name": "sensitivePersonalInformation", + "Nature": "ObjectProperty", + "Range": "PresenceType", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Licensing/licenseExpression", + "id": "https://spdx.org/rdf/v3/Dataset/sensitivePersonalInformation", "Domain": [ - "LicenseExpression" + "Dataset" ] } }, - "obsoletedBy": { - "summary": "Specifies the licenseId that is preferred to be used in place of a deprecated\nLicense or LicenseAddition.", - "description": "An obsoletedBy value for a deprecated License or LicenseAddition specifies\nthe licenseId of the replacement License or LicenseAddition that is preferred\nto be used in its place. It should use the same format as specified for a\nlicenseId.\n\nThe License's or LicenseAddition's comment value may include more information\nabout the reason why the licenseId specified in the obsoletedBy value is\npreferred.", + "confidentialityLevel": { + "summary": "Describes the confidentiality level of the data points contained in the dataset.", + "description": "ConfidentialityLevel describes the levels of confidentiality of the data points contained in the dataset.", "metadata": { - "name": "obsoletedBy", - "Nature": "DataProperty", - "Range": "xsd:string", + "name": "confidentialityLevel", + "Nature": "ObjectProperty", + "Range": "ConfidentialityLevelType", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Licensing/obsoletedBy", + "id": "https://spdx.org/rdf/v3/Dataset/confidentialityLevel", "Domain": [ - "License", - "LicenseAddition" + "Dataset" ] } }, - "standardLicenseTemplate": { - "summary": "Identifies the full text of a License, in SPDX templating format.", - "description": "A standardLicenseTemplate contains a license template which describes\nsections of the License text which can be varied. See the Legacy Text Template\nformat section of the SPDX specification for format information.", + "dataCollectionProcess": { + "summary": "Describes how the dataset was collected.", + "description": "DataCollectionProcess describes how a dataset was collected.\nExamples include the sources from which a dataset was scrapped or\nthe interview protocol that was used for data collection.", "metadata": { - "name": "standardLicenseTemplate", + "name": "dataCollectionProcess", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Licensing/standardLicenseTemplate", + "id": "https://spdx.org/rdf/v3/Dataset/dataCollectionProcess", "Domain": [ - "License" + "Dataset" ] } }, - "additionName": { - "summary": "Identifies the full name of a LicenseAddition.", - "description": "An additionName contains the full name of a LicenseAddition, preferably using\nthe title found in the applicable license addition text or file, or as\notherwise specified by the LicenseAddition's author or steward.\n\nWhen no such title is specified, using a name from another well-known source or list\nof licenses additions (such as OSI or Fedora) is suggested.\n\nIf no official or common name is known, any name may be used to aid in\ndistinguishing the LicenseAddition from other LicenseAdditions.", + "anonymizationMethodUsed": { + "summary": "Describes the anonymization methods used.", + "description": "AnonymizationMethodUsed describes the methods used to anonymize the dataset (of fields in the dataset).", "metadata": { - "name": "additionName", + "name": "anonymizationMethodUsed", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Licensing/additionName" + "id": "https://spdx.org/rdf/v3/Dataset/anonymizationMethodUsed", + "Domain": [ + "Dataset" + ] } }, - "standardAdditionTemplate": { - "summary": "Identifies the full text of a LicenseAddition, in SPDX templating format.", - "description": "A standardAdditionTemplate contains a license addition template which describes\nsections of the LicenseAddition text which can be varied. See the Legacy Text\nTemplate format section of the SPDX specification for format information.", + "datasetAvailability": { + "summary": "The field describes the availability of a dataset.", + "description": "Some datasets are publicly available and can be downloaded directly. Others are only accessible behind a clickthrough, or after filling a registration form. This field will describe the dataset availability from that perspective.", "metadata": { - "name": "standardAdditionTemplate", + "name": "datasetAvailability", "Nature": "DataProperty", - "Range": "xsd:string", + "Range": "DatasetAvailabilityType", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Licensing/standardAdditionTemplate", + "id": "https://spdx.org/rdf/v3/Dataset/datasetAvailability", "Domain": [ - "LicenseAddition" + "Dataset" ] } }, - "licenseComment": { - "summary": "Identifies general comments about the License.", - "description": "A licenseComment describes general factual information about the License. It\nshould not contain information (or links to information) that includes any kind\nof interpretation about the meaning or effect of the License, even if written\nby the license's author.\n\nExamples of information for a licenseComment may include the following:\n\n* If the License's identifier is deprecated, it may briefly explain the reason\n for deprecation.\n* It may include the date of release, if identified, for Licenses with multiple\n versions.\n* It may include links to other official language translations for the License.\n* For LicenseAdditions, it may include a reference to the License(s) with\n which this additional text is typically used.", + "intendedUse": { + "summary": "Describes what the given dataset should be used for.", + "description": "IntendedUse describes what the given dataset should be used for.\nSome datasets are collected to be used only for particular purposes. \nFor example, medical data collected from a specific demography might only be applicable\nfor training machine learning models to make predictions for that demography.\nIn such a case, the intendedUse field would capture this information.\nSimilarly, if a dataset is collected for building a facial recognition model,\nthe intendedUse field would specify that.", "metadata": { - "name": "licenseComment", + "name": "intendedUse", "Nature": "DataProperty", "Range": "xsd:string", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Licensing/licenseComment" + "id": "https://spdx.org/rdf/v3/Dataset/intendedUse", + "Domain": [ + "Dataset" + ] } }, - "deprecatedVersion": { - "summary": "Specifies the SPDX License List version in which this license or exception\nidentifier was deprecated.", - "description": "A deprecatedVersion for a ListedLicense or ListedLicenseException on the SPDX\nLicense List specifies which version release of the License List was the first\none in which it was marked as deprecated.", + "sensor": { + "summary": "Describes a sensor used for collecting the data.", + "description": "Sensor describes a sensor that was used for collecting the data\nand its calibration value as a key-value pair.", "metadata": { - "name": "deprecatedVersion", - "Nature": "DataProperty", - "Range": "xsd:string", + "name": "sensors", + "Nature": "ObjectProperty", + "Range": "/Core/DictionaryEntry", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Licensing/deprecatedVersion", + "id": "https://spdx.org/rdf/v3/Dataset/sensor", "Domain": [ - "ListedLicense", - "ListedLicenseException" + "Dataset" ] } }, - "licenseId": { - "summary": "Provides a short, unique identifier to refer to a License.", - "description": "A licenseId contains a human-readable, short-form license identifier for a\nLicense. It may only include letters, numbers, period (\".\") and hyphen (\"-\")\ncharacters.\n\nFor a ListedLicense, the licenseId will be as specified on the\n[SPDX License List](https://spdx.org/licenses) for the particular license.\n\nFor a CustomLicense, the short-form license identifer must begin with the\nprefix `LicenseRef-` and must be unique within the applicable SPDX namespace.\nThe short-form license ID may be preceded by an SPDX namespace or a\nfully-qualified URI prefix.", + "datasetType": { + "summary": "Describes the type of the given dataset.", + "description": "Type describes the datatype contained in the dataset. For example a dataset can be an image dataset for computer vision applications, a text dataset such as the contents of a book or Wikipedia article, or sometimes a multimodal dataset that contains multiple types of data.", "metadata": { - "name": "licenseId", + "name": "datasetType", "Nature": "DataProperty", - "Range": "xsd:string", + "Range": "DatasetType", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Licensing/licenseId" + "id": "https://spdx.org/rdf/v3/Dataset/datasetType", + "Domain": [ + "Dataset" + ] } - }, - "additionId": { - "summary": "Provides a short, unique identifier to refer to a LicenseAddition.", - "description": "An additionId contains a human-readable, short-form identifier for a\nLicenseAddition. It may only include letters, numbers, period (\".\") and\nhyphen (\"-\") characters.\n\nFor a ListedLicenseException, the licenseId will be as specified on the\n[SPDX Exceptions List](https://spdx.org/licenses/exceptions-index.html) for the\nparticular exception.\n\nFor a CustomLicenseAddition, the short-form identifier must begin with the\nprefix `AdditionRef-` and must be unique within the applicable SPDX namespace.\nThe short-form identifier may be preceded by an SPDX namespace or a\nfully-qualified URI prefix.", + } + }, + "vocabs": { + "DatasetType": { + "summary": "Enumeration of dataset types.", + "description": "Describes the different structures of data within a given dataset. A dataset can have multiple types of data, or even a single type of data but still match multiple types, for example sensor data could also be timeseries or labeled image data could also be considered categorical.", "metadata": { - "name": "additionId", - "Nature": "DataProperty", - "Range": "xsd:string", + "name": "DatasetType", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Licensing/additionId" + "id": "https://spdx.org/rdf/v3/Dataset/DatasetType" + }, + "entries": { + "structured": "data is stored in tabular format or retrieved from a relational database.", + "numeric": "data consists only of numeric entries.", + "text": "data consists of unstructured text, such as a book, wikipedia article (without images), or transcript.", + "categorical": "data that is classified into a discrete number of categories, such as the eye color of a population of people.", + "graph": "data is in the form of a graph where entries are somehow related to each other through edges, such a social network of friends.", + "timeseries": "data is recorded in an ordered sequence of timestamped entries, such as the price of a stock over the course of a day.", + "timestamp": "data is recorded with a timestamp for each entry, but not necessarily ordered or at specific intervals, such as when a taxi ride starts and ends.", + "sensor": "data is recorded from a physical sensor, such as a thermometer reading or biometric device.", + "image": "data is a collection of images such as pictures of animals.", + "syntactic": "data describes the syntax or semantics of a language or text, such as a parse tree used for natural language processing.", + "audio": "data is audio based, such as a collection of music from the 80s.", + "video": "data is video based, such as a collection of movie clips featuring Tom Hanks.", + "other": "data is of a type not included in this list.", + "noAssertion": "data type is not known." } }, - "isOsiApproved": { - "summary": "Specifies whether the License is listed as approved by the\n[Open Source Initiative (OSI)](https://opensource.org).", - "description": "isOsiApproved specifies whether the [Open Source Initiative (OSI)](https://opensource.org)\nhas listed this License as \"approved\" in their list of OSI Approved Licenses,\nlocated at the time of this writing at https://opensource.org/licenses/.\n\nA value of \"true\" indicates that the OSI has listed this License as approved.\n\nA value of \"false\" indicates that the OSI has not listed this License as\napproved.\n\nIf the isOsiApproved field is not specified, the SPDX data creator makes no\nassertions about whether the License is approved by the OSI.", + "DatasetAvailabilityType": { + "summary": "Availability of dataset", + "description": "Describes the possible types of availability of a dataset, indicating whether the dataset can be directly downloaded, can be assembled using a script for scraping the data, is only available after a clickthrough or a registration form.", "metadata": { - "name": "isOsiApproved", - "Nature": "DataProperty", - "Range": "xsd:boolean", + "name": "DatasetAvailabilityType", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Licensing/isOsiApproved", - "Domain": [ - "License" - ] + "id": "https://spdx.org/rdf/v3/Dataset/DatasetAvailabilityType" + }, + "entries": { + "Direct-Download": "the dataset is publicly available and can be downloaded directly.", + "Scraping-Script": "the dataset provider is not making available the underlying data and the dataset must be reassembled, typically using the provided script for scraping the data.", + "Query": "the dataset is publicly available, but not all at once, and can only be accessed through queries which return parts of the dataset.", + "Clickthrough": "the dataset is not publicly available and can only be accessed after affirmatively accepting terms on a clickthrough webpage.", + "Registration": "the dataset is not publicly available and an email registration is required before accessing the dataset, although without an affirmative acceptance of terms." } }, - "additionComment": { - "summary": "Identifies general comments about the LicenseAddition.", - "description": "An additionComment for a LicenseAddition describes general factual information\nabout the LicenseAddition. It should not contain information (or links to\ninformation) that includes any kind of interpretation about the meaning or\neffect of the License, even if written by the license addition's author.\n\nExamples of information for an additionComment may include the following:\n\n* If the LicenseAddition's identifier is deprecated, it may briefly explain the\n reason for deprecation.\n* It may include the date of release, if identified, for LicenseAdditions with\n multiple versions.\n* It may include links to other official language translations for the\n LicenseAddition.\n* It may include a reference to the License(s) with which this LicenseAddition\n is typically used.", + "ConfidentialityLevelType": { + "summary": "Categories of confidentiality level.", + "description": "Describes the different confidentiality levels as given by the [Traffic Light Protocol](https://en.wikipedia.org/wiki/Traffic_Light_Protocol).", "metadata": { - "name": "additionComment", - "Nature": "DataProperty", - "Range": "xsd:string", + "name": "ConfidentialityLevelType", "Instantiability": "Concrete", "Status": "Stable", - "id": "https://spdx.org/rdf/v3/Licensing/additionComment" + "id": "https://spdx.org/rdf/v3/Dataset/ConfidentialityLevelType" + }, + "entries": { + "Red": "Data points in the dataset are highly confidential and can only be shared with named recipients.", + "Amber": "Data points in the dataset can be shared only with specific organizations and their clients on a need to know basis.", + "Green": "Dataset can be shared within a community of peers and partners.", + "Clear": "Dataset may be distributed freely, without restriction." } } - }, - "vocabs": {} + } }, "AI": { "name": "AI", @@ -4437,5 +4368,94 @@ } } } + }, + "SimpleLicensing": { + "name": "SimpleLicensing", + "classes": { + "SimpleLicensingText": { + "summary": "A license or addition that is not listed on the SPDX License List.", + "description": "A SimpleLicensingText represents a License or Addition that is not listed on the SPDX License\nList at https://spdx.org/licenses, and is therefore defined by an SPDX data\ncreator.", + "metadata": { + "name": "SimpleLicensingText", + "SubclassOf": "/Core/Element", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/SimpleLicensing/SimpleLicensingText" + }, + "properties": { + "licenseText": { + "type": "xsd:string", + "minCount": "1", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} + }, + "LicenseExpression": { + "summary": "An SPDX Element containing an SPDX license expression string.", + "description": "Often a single license can be used to represent the licensing terms of a source code or binary file, but there are situations where a single license identifier is not sufficient. A common example is when software is offered under a choice of one or more licenses (e.g., GPL-2.0-only OR BSD-3-Clause). Another example is when a set of licenses is needed to represent a binary program constructed by compiling and linking two (or more) different source files each governed by different licenses (e.g., LGPL-2.1-only AND BSD-3-Clause).\n\nSPDX License Expressions provide a way for one to construct expressions that more accurately represent the licensing terms typically found in open source software source code. A license expression could be a single license identifier found on the SPDX License List; a user defined license reference denoted by the LicenseRef-idString; a license identifier combined with an SPDX exception; or some combination of license identifiers, license references and exceptions constructed using a small set of defined operators (e.g., AND, OR, WITH and +). We provide the definition of what constitutes a valid an SPDX License Expression in this section.", + "metadata": { + "name": "LicenseExpression", + "SubclassOf": "AnyLicenseInfo", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/SimpleLicensing/LicenseExpression" + }, + "properties": { + "licenseExpression": { + "type": "xsd:string", + "minCount": "1", + "maxCount": "1" + } + }, + "externalPropertyRestrictions": {} + }, + "AnyLicenseInfo": { + "summary": "Abstract class representing a license combination consisting of one or more\nlicenses (optionally including additional text), which may be combined\naccording to the SPDX license expression syntax.", + "description": "An AnyLicenseInfo is used by licensing properties of software artifacts.\nIt can be a NoneLicense, a NoAssertionLicense,\nsingle license (either on the SPDX License List or a custom-defined license);\na single license with an \"or later\" operator applied; the foregoing with\nadditional text applied; or a set of licenses combined by applying \"AND\" and\n\"OR\" operators recursively.", + "metadata": { + "name": "AnyLicenseInfo", + "SubclassOf": "/Core/Element", + "Instantiability": "Abstract", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/SimpleLicensing/AnyLicenseInfo" + }, + "properties": {}, + "externalPropertyRestrictions": {} + } + }, + "properties": { + "licenseText": { + "summary": "Identifies the full text of a License or Addition.", + "description": "A licenseText contains the plain text of the License or Addition,\nwithout templating or other similar markup.\n\nUsers of the licenseText for a License can apply the SPDX Matching Guidelines\nwhen comparing it to another text for matching purposes.", + "metadata": { + "name": "licenseText", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/SimpleLicensing/licenseText", + "Domain": [ + "SimpleLicensingText" + ] + } + }, + "licenseExpression": { + "summary": "A string in the license expression format.", + "description": "Often a single license can be used to represent the licensing terms of a source code or binary file, but there are situations where a single license identifier is not sufficient. A common example is when software is offered under a choice of one or more licenses (e.g., GPL-2.0-only OR BSD-3-Clause). Another example is when a set of licenses is needed to represent a binary program constructed by compiling and linking two (or more) different source files each governed by different licenses (e.g., LGPL-2.1-only AND BSD-3-Clause).\n\nSPDX License Expressions provide a way for one to construct expressions that more accurately represent the licensing terms typically found in open source software source code. A license expression could be a single license identifier found on the SPDX License List; a user defined license reference denoted by the LicenseRef-idString; a license identifier combined with an SPDX exception; or some combination of license identifiers, license references and exceptions constructed using a small set of defined operators (e.g., AND, OR, WITH and +). We provide the definition of what constitutes a valid an SPDX License Expression in this section.", + "metadata": { + "name": "licenseExpression", + "Nature": "DataProperty", + "Range": "xsd:string", + "Instantiability": "Concrete", + "Status": "Stable", + "id": "https://spdx.org/rdf/v3/SimpleLicensing/licenseExpression", + "Domain": [ + "LicenseExpression" + ] + } + } + }, + "vocabs": {} } -} +} \ No newline at end of file diff --git a/src/spdx_tools/spdx3/new_model/__init__.py b/src/spdx_tools/spdx3/new_model/__init__.py index e8f012752..31e22bb17 100644 --- a/src/spdx_tools/spdx3/new_model/__init__.py +++ b/src/spdx_tools/spdx3/new_model/__init__.py @@ -4,5 +4,5 @@ # Do not manually edit! # flake8: noqa -from . import expanded_license, core, dataset, licensing, ai, security, build, software +from . import expanded_licensing, core, dataset, ai, security, build, software, simple_licensing from .core import * diff --git a/src/spdx_tools/spdx3/new_model/core/profile_identifier_type.py b/src/spdx_tools/spdx3/new_model/core/profile_identifier_type.py index 47a1cdfe7..e40539360 100644 --- a/src/spdx_tools/spdx3/new_model/core/profile_identifier_type.py +++ b/src/spdx_tools/spdx3/new_model/core/profile_identifier_type.py @@ -23,9 +23,13 @@ class ProfileIdentifierType(Enum): """ the element follows the Software profile specification """ - LICENSING = auto() + SIMPLE_LICENSING = auto() """ - the element follows the Licensing profile specification + the element follows the simple Licensing profile specification + """ + EXPANDED_LICENSING = auto() + """ + the element follows the expanded Licensing profile specification """ SECURITY = auto() """ @@ -57,8 +61,10 @@ def __str__(self) -> str: return "core" if self == ProfileIdentifierType.SOFTWARE: return "software" - if self == ProfileIdentifierType.LICENSING: - return "licensing" + if self == ProfileIdentifierType.SIMPLE_LICENSING: + return "simpleLicensing" + if self == ProfileIdentifierType.EXPANDED_LICENSING: + return "expandedLicensing" if self == ProfileIdentifierType.SECURITY: return "security" if self == ProfileIdentifierType.BUILD: @@ -79,8 +85,10 @@ def from_str(value: str) -> Optional["ProfileIdentifierType"]: return ProfileIdentifierType.CORE if value == "software": return ProfileIdentifierType.SOFTWARE - if value == "licensing": - return ProfileIdentifierType.LICENSING + if value == "simpleLicensing": + return ProfileIdentifierType.SIMPLE_LICENSING + if value == "expandedLicensing": + return ProfileIdentifierType.EXPANDED_LICENSING if value == "security": return ProfileIdentifierType.SECURITY if value == "build": diff --git a/src/spdx_tools/spdx3/new_model/dataset/dataset.py b/src/spdx_tools/spdx3/new_model/dataset/dataset.py index cc49bfd9a..67d92109a 100644 --- a/src/spdx_tools/spdx3/new_model/dataset/dataset.py +++ b/src/spdx_tools/spdx3/new_model/dataset/dataset.py @@ -12,7 +12,6 @@ from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties from spdx_tools.common.typing.type_checks import check_types_and_set_values -from ..ai.presence_type import PresenceType from ..core.creation_info import CreationInfo from ..core.external_identifier import ExternalIdentifier from ..core.external_reference import ExternalReference @@ -20,6 +19,7 @@ from ..dataset.confidentiality_level_type import ConfidentialityLevelType from ..dataset.dataset_availability_type import DatasetAvailabilityType from ..dataset.dataset_type import DatasetType +from ..dataset.presence_type import PresenceType from ..licensing.any_license_info import AnyLicenseInfo from ..software.package import Package from ..software.software_purpose import SoftwarePurpose diff --git a/src/spdx_tools/spdx3/new_model/expanded_license/__init__.py b/src/spdx_tools/spdx3/new_model/expanded_license/__init__.py deleted file mode 100644 index e05b4baa5..000000000 --- a/src/spdx_tools/spdx3/new_model/expanded_license/__init__.py +++ /dev/null @@ -1,9 +0,0 @@ -# SPDX-License-Identifier: Apache-2.0 -# -# This file was auto-generated by dev/gen_python_model_from_spec.py -# Do not manually edit! -# flake8: noqa - -from .conjunctive_license_set import ConjunctiveLicenseSet -from .disjunctive_license_set import DisjunctiveLicenseSet -from .extendable_license import ExtendableLicense diff --git a/src/spdx_tools/spdx3/new_model/licensing/__init__.py b/src/spdx_tools/spdx3/new_model/expanded_licensing/__init__.py similarity index 75% rename from src/spdx_tools/spdx3/new_model/licensing/__init__.py rename to src/spdx_tools/spdx3/new_model/expanded_licensing/__init__.py index 782338fd0..2aec994e2 100644 --- a/src/spdx_tools/spdx3/new_model/licensing/__init__.py +++ b/src/spdx_tools/spdx3/new_model/expanded_licensing/__init__.py @@ -4,12 +4,13 @@ # Do not manually edit! # flake8: noqa -from .any_license_info import AnyLicenseInfo +from .conjunctive_license_set import ConjunctiveLicenseSet from .custom_license import CustomLicense from .custom_license_addition import CustomLicenseAddition +from .disjunctive_license_set import DisjunctiveLicenseSet +from .extendable_license import ExtendableLicense from .license import License from .license_addition import LicenseAddition -from .license_expression import LicenseExpression from .listed_license import ListedLicense from .listed_license_exception import ListedLicenseException from .or_later_operator import OrLaterOperator diff --git a/src/spdx_tools/spdx3/new_model/expanded_license/conjunctive_license_set.py b/src/spdx_tools/spdx3/new_model/expanded_licensing/conjunctive_license_set.py similarity index 91% rename from src/spdx_tools/spdx3/new_model/expanded_license/conjunctive_license_set.py rename to src/spdx_tools/spdx3/new_model/expanded_licensing/conjunctive_license_set.py index c7898993e..db22b28d2 100644 --- a/src/spdx_tools/spdx3/new_model/expanded_license/conjunctive_license_set.py +++ b/src/spdx_tools/spdx3/new_model/expanded_licensing/conjunctive_license_set.py @@ -15,7 +15,7 @@ from ..core.external_identifier import ExternalIdentifier from ..core.external_reference import ExternalReference from ..core.integrity_method import IntegrityMethod -from ..licensing.any_license_info import AnyLicenseInfo +from ..simple_licensing.any_license_info import AnyLicenseInfo @dataclass_with_properties @@ -33,8 +33,8 @@ class ConjunctiveLicenseSet(AnyLicenseInfo): member: List[AnyLicenseInfo] = field(default_factory=list) """ - A member is a license expression participating in a conjuctive (of type ConjunctiveLicenseSet) or a disjunctive (of - type DisjunctiveLicenseSet) license set. + A member is a license expression participating in a conjunctive (of type ConjunctiveLicenseSet) or a disjunctive + (of type DisjunctiveLicenseSet) license set. """ def __init__( diff --git a/src/spdx_tools/spdx3/new_model/expanded_licensing/custom_license.py b/src/spdx_tools/spdx3/new_model/expanded_licensing/custom_license.py new file mode 100644 index 000000000..b284c1779 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/expanded_licensing/custom_license.py @@ -0,0 +1,32 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from beartype.typing import Optional + +from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties +from spdx_tools.common.typing.type_checks import check_types_and_set_values + +from ..expanded_licensing.license import License + + +@dataclass_with_properties +class CustomLicense(License): + """ + A CustomLicense represents a License that is not listed on the SPDX License List at https://spdx.org/licenses, and + is therefore defined by an SPDX data creator. + """ + + def __init__( + self, + license_text: str, + is_osi_approved: Optional[bool] = None, + is_fsf_libre: Optional[bool] = None, + standard_license_header: Optional[str] = None, + standard_license_template: Optional[str] = None, + is_deprecated_license_id: Optional[bool] = None, + obsoleted_by: Optional[str] = None, + ): + check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/licensing/custom_license_addition.py b/src/spdx_tools/spdx3/new_model/expanded_licensing/custom_license_addition.py similarity index 96% rename from src/spdx_tools/spdx3/new_model/licensing/custom_license_addition.py rename to src/spdx_tools/spdx3/new_model/expanded_licensing/custom_license_addition.py index d9978c43b..865ca648f 100644 --- a/src/spdx_tools/spdx3/new_model/licensing/custom_license_addition.py +++ b/src/spdx_tools/spdx3/new_model/expanded_licensing/custom_license_addition.py @@ -13,7 +13,7 @@ from ..core.external_identifier import ExternalIdentifier from ..core.external_reference import ExternalReference from ..core.integrity_method import IntegrityMethod -from ..licensing.license_addition import LicenseAddition +from ..expanded_licensing.license_addition import LicenseAddition @dataclass_with_properties diff --git a/src/spdx_tools/spdx3/new_model/expanded_license/disjunctive_license_set.py b/src/spdx_tools/spdx3/new_model/expanded_licensing/disjunctive_license_set.py similarity index 90% rename from src/spdx_tools/spdx3/new_model/expanded_license/disjunctive_license_set.py rename to src/spdx_tools/spdx3/new_model/expanded_licensing/disjunctive_license_set.py index 39e2b9dda..acc9fea25 100644 --- a/src/spdx_tools/spdx3/new_model/expanded_license/disjunctive_license_set.py +++ b/src/spdx_tools/spdx3/new_model/expanded_licensing/disjunctive_license_set.py @@ -15,7 +15,7 @@ from ..core.external_identifier import ExternalIdentifier from ..core.external_reference import ExternalReference from ..core.integrity_method import IntegrityMethod -from ..licensing.any_license_info import AnyLicenseInfo +from ..simple_licensing.any_license_info import AnyLicenseInfo @dataclass_with_properties @@ -30,8 +30,8 @@ class DisjunctiveLicenseSet(AnyLicenseInfo): member: List[AnyLicenseInfo] = field(default_factory=list) """ - A member is a license expression participating in a conjuctive (of type ConjunctiveLicenseSet) or a disjunctive (of - type DisjunctiveLicenseSet) license set. + A member is a license expression participating in a conjunctive (of type ConjunctiveLicenseSet) or a disjunctive + (of type DisjunctiveLicenseSet) license set. """ def __init__( diff --git a/src/spdx_tools/spdx3/new_model/expanded_license/extendable_license.py b/src/spdx_tools/spdx3/new_model/expanded_licensing/extendable_license.py similarity index 100% rename from src/spdx_tools/spdx3/new_model/expanded_license/extendable_license.py rename to src/spdx_tools/spdx3/new_model/expanded_licensing/extendable_license.py diff --git a/src/spdx_tools/spdx3/new_model/licensing/license.py b/src/spdx_tools/spdx3/new_model/expanded_licensing/license.py similarity index 95% rename from src/spdx_tools/spdx3/new_model/licensing/license.py rename to src/spdx_tools/spdx3/new_model/expanded_licensing/license.py index 03b3e5e2f..7bf2ed6ff 100644 --- a/src/spdx_tools/spdx3/new_model/licensing/license.py +++ b/src/spdx_tools/spdx3/new_model/expanded_licensing/license.py @@ -10,7 +10,7 @@ from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties -from ..expanded_license.extendable_license import ExtendableLicense +from ..expanded_licensing.extendable_license import ExtendableLicense @dataclass_with_properties @@ -22,7 +22,7 @@ class License(ExtendableLicense): license_text: str = None """ - A licenseText contains the plain text of the License, without templating or other similar markup. + A licenseText contains the plain text of the License or Addition, without templating or other similar markup. Users of the licenseText for a License can apply the SPDX Matching Guidelines when comparing it to another text for matching purposes. diff --git a/src/spdx_tools/spdx3/new_model/licensing/license_addition.py b/src/spdx_tools/spdx3/new_model/expanded_licensing/license_addition.py similarity index 100% rename from src/spdx_tools/spdx3/new_model/licensing/license_addition.py rename to src/spdx_tools/spdx3/new_model/expanded_licensing/license_addition.py diff --git a/src/spdx_tools/spdx3/new_model/licensing/listed_license.py b/src/spdx_tools/spdx3/new_model/expanded_licensing/listed_license.py similarity index 60% rename from src/spdx_tools/spdx3/new_model/licensing/listed_license.py rename to src/spdx_tools/spdx3/new_model/expanded_licensing/listed_license.py index 184b7e9a2..0ea9e4b57 100644 --- a/src/spdx_tools/spdx3/new_model/licensing/listed_license.py +++ b/src/spdx_tools/spdx3/new_model/expanded_licensing/listed_license.py @@ -4,16 +4,12 @@ # Do not manually edit! # flake8: noqa -from beartype.typing import List, Optional +from beartype.typing import Optional from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties from spdx_tools.common.typing.type_checks import check_types_and_set_values -from ..core.creation_info import CreationInfo -from ..core.external_identifier import ExternalIdentifier -from ..core.external_reference import ExternalReference -from ..core.integrity_method import IntegrityMethod -from ..licensing.license import License +from ..expanded_licensing.license import License @dataclass_with_properties @@ -35,17 +31,7 @@ class ListedLicense(License): def __init__( self, - spdx_id: str, - creation_info: CreationInfo, license_text: str, - name: Optional[str] = None, - summary: Optional[str] = None, - description: Optional[str] = None, - comment: Optional[str] = None, - verified_using: List[IntegrityMethod] = None, - external_reference: List[ExternalReference] = None, - external_identifier: List[ExternalIdentifier] = None, - extension: List[str] = None, is_osi_approved: Optional[bool] = None, is_fsf_libre: Optional[bool] = None, standard_license_header: Optional[str] = None, @@ -55,8 +41,4 @@ def __init__( list_version_added: Optional[str] = None, deprecated_version: Optional[str] = None, ): - verified_using = [] if verified_using is None else verified_using - external_reference = [] if external_reference is None else external_reference - external_identifier = [] if external_identifier is None else external_identifier - extension = [] if extension is None else extension check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/licensing/listed_license_exception.py b/src/spdx_tools/spdx3/new_model/expanded_licensing/listed_license_exception.py similarity index 97% rename from src/spdx_tools/spdx3/new_model/licensing/listed_license_exception.py rename to src/spdx_tools/spdx3/new_model/expanded_licensing/listed_license_exception.py index 3cd1c3e99..907cd210c 100644 --- a/src/spdx_tools/spdx3/new_model/licensing/listed_license_exception.py +++ b/src/spdx_tools/spdx3/new_model/expanded_licensing/listed_license_exception.py @@ -13,7 +13,7 @@ from ..core.external_identifier import ExternalIdentifier from ..core.external_reference import ExternalReference from ..core.integrity_method import IntegrityMethod -from ..licensing.license_addition import LicenseAddition +from ..expanded_licensing.license_addition import LicenseAddition @dataclass_with_properties diff --git a/src/spdx_tools/spdx3/new_model/licensing/or_later_operator.py b/src/spdx_tools/spdx3/new_model/expanded_licensing/or_later_operator.py similarity index 52% rename from src/spdx_tools/spdx3/new_model/licensing/or_later_operator.py rename to src/spdx_tools/spdx3/new_model/expanded_licensing/or_later_operator.py index 7668b6df1..831c23ecd 100644 --- a/src/spdx_tools/spdx3/new_model/licensing/or_later_operator.py +++ b/src/spdx_tools/spdx3/new_model/expanded_licensing/or_later_operator.py @@ -4,17 +4,11 @@ # Do not manually edit! # flake8: noqa -from beartype.typing import List, Optional - from spdx_tools.common.typing.dataclass_with_properties import dataclass_with_properties from spdx_tools.common.typing.type_checks import check_types_and_set_values -from ..core.creation_info import CreationInfo -from ..core.external_identifier import ExternalIdentifier -from ..core.external_reference import ExternalReference -from ..core.integrity_method import IntegrityMethod -from ..expanded_license.extendable_license import ExtendableLicense -from ..licensing.license import License +from ..expanded_licensing.extendable_license import ExtendableLicense +from ..expanded_licensing.license import License @dataclass_with_properties @@ -31,23 +25,13 @@ class OrLaterOperator(ExtendableLicense): """ subject_license: License = None + """ + A subjectLicense is a License which is subject to either an 'or later' effect (OrLaterOperator) or a 'with + additional text' effect (WithAdditionOperator). + """ def __init__( self, - spdx_id: str, - creation_info: CreationInfo, subject_license: License, - name: Optional[str] = None, - summary: Optional[str] = None, - description: Optional[str] = None, - comment: Optional[str] = None, - verified_using: List[IntegrityMethod] = None, - external_reference: List[ExternalReference] = None, - external_identifier: List[ExternalIdentifier] = None, - extension: List[str] = None, ): - verified_using = [] if verified_using is None else verified_using - external_reference = [] if external_reference is None else external_reference - external_identifier = [] if external_identifier is None else external_identifier - extension = [] if extension is None else extension check_types_and_set_values(self, locals()) diff --git a/src/spdx_tools/spdx3/new_model/licensing/with_addition_operator.py b/src/spdx_tools/spdx3/new_model/expanded_licensing/with_addition_operator.py similarity index 79% rename from src/spdx_tools/spdx3/new_model/licensing/with_addition_operator.py rename to src/spdx_tools/spdx3/new_model/expanded_licensing/with_addition_operator.py index 32be86ca7..ab17c656b 100644 --- a/src/spdx_tools/spdx3/new_model/licensing/with_addition_operator.py +++ b/src/spdx_tools/spdx3/new_model/expanded_licensing/with_addition_operator.py @@ -13,9 +13,9 @@ from ..core.external_identifier import ExternalIdentifier from ..core.external_reference import ExternalReference from ..core.integrity_method import IntegrityMethod -from ..expanded_license.extendable_license import ExtendableLicense -from ..licensing.any_license_info import AnyLicenseInfo -from ..licensing.license_addition import LicenseAddition +from ..expanded_licensing.extendable_license import ExtendableLicense +from ..expanded_licensing.license_addition import LicenseAddition +from ..simple_licensing.any_license_info import AnyLicenseInfo @dataclass_with_properties @@ -27,7 +27,14 @@ class WithAdditionOperator(AnyLicenseInfo): """ subject_license: ExtendableLicense = None + """ + A subjectLicense is a License which is subject to either an 'or later' effect (OrLaterOperator) or a 'with + additional text' effect (WithAdditionOperator). + """ subject_addition: LicenseAddition = None + """ + A subjectAddition is a LicenseAddition which is subject to a 'with additional text' effect (WithAdditionOperator). + """ def __init__( self, diff --git a/src/spdx_tools/spdx3/new_model/simple_licensing/__init__.py b/src/spdx_tools/spdx3/new_model/simple_licensing/__init__.py new file mode 100644 index 000000000..b77d4bfd0 --- /dev/null +++ b/src/spdx_tools/spdx3/new_model/simple_licensing/__init__.py @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# This file was auto-generated by dev/gen_python_model_from_spec.py +# Do not manually edit! +# flake8: noqa + +from .any_license_info import AnyLicenseInfo +from .license_expression import LicenseExpression +from .simple_licensing_text import SimpleLicensingText diff --git a/src/spdx_tools/spdx3/new_model/licensing/any_license_info.py b/src/spdx_tools/spdx3/new_model/simple_licensing/any_license_info.py similarity index 100% rename from src/spdx_tools/spdx3/new_model/licensing/any_license_info.py rename to src/spdx_tools/spdx3/new_model/simple_licensing/any_license_info.py diff --git a/src/spdx_tools/spdx3/new_model/licensing/license_expression.py b/src/spdx_tools/spdx3/new_model/simple_licensing/license_expression.py similarity index 98% rename from src/spdx_tools/spdx3/new_model/licensing/license_expression.py rename to src/spdx_tools/spdx3/new_model/simple_licensing/license_expression.py index 0a6cd1d6a..849b3cfcb 100644 --- a/src/spdx_tools/spdx3/new_model/licensing/license_expression.py +++ b/src/spdx_tools/spdx3/new_model/simple_licensing/license_expression.py @@ -13,7 +13,7 @@ from ..core.external_identifier import ExternalIdentifier from ..core.external_reference import ExternalReference from ..core.integrity_method import IntegrityMethod -from ..licensing.any_license_info import AnyLicenseInfo +from ..simple_licensing.any_license_info import AnyLicenseInfo @dataclass_with_properties diff --git a/src/spdx_tools/spdx3/new_model/licensing/custom_license.py b/src/spdx_tools/spdx3/new_model/simple_licensing/simple_licensing_text.py similarity index 72% rename from src/spdx_tools/spdx3/new_model/licensing/custom_license.py rename to src/spdx_tools/spdx3/new_model/simple_licensing/simple_licensing_text.py index 32d6b38d8..e2be1a5b0 100644 --- a/src/spdx_tools/spdx3/new_model/licensing/custom_license.py +++ b/src/spdx_tools/spdx3/new_model/simple_licensing/simple_licensing_text.py @@ -10,17 +10,25 @@ from spdx_tools.common.typing.type_checks import check_types_and_set_values from ..core.creation_info import CreationInfo +from ..core.element import Element from ..core.external_identifier import ExternalIdentifier from ..core.external_reference import ExternalReference from ..core.integrity_method import IntegrityMethod -from ..licensing.license import License @dataclass_with_properties -class CustomLicense(License): +class SimpleLicensingText(Element): """ - A CustomLicense represents a License that is not listed on the SPDX License List at https://spdx.org/licenses, and - is therefore defined by an SPDX data creator. + A SimpleLicensingText represents a License or Addition that is not listed on the SPDX License List at + https://spdx.org/licenses, and is therefore defined by an SPDX data creator. + """ + + license_text: str = None + """ + A licenseText contains the plain text of the License or Addition, without templating or other similar markup. + + Users of the licenseText for a License can apply the SPDX Matching Guidelines when comparing it to another text for + matching purposes. """ def __init__( @@ -36,12 +44,6 @@ def __init__( external_reference: List[ExternalReference] = None, external_identifier: List[ExternalIdentifier] = None, extension: List[str] = None, - is_osi_approved: Optional[bool] = None, - is_fsf_libre: Optional[bool] = None, - standard_license_header: Optional[str] = None, - standard_license_template: Optional[str] = None, - is_deprecated_license_id: Optional[bool] = None, - obsoleted_by: Optional[str] = None, ): verified_using = [] if verified_using is None else verified_using external_reference = [] if external_reference is None else external_reference From 072f6e6ba99612ea6e3ab9092b0898073cb89572 Mon Sep 17 00:00:00 2001 From: Holger Frydrych Date: Fri, 17 Nov 2023 11:37:42 +0100 Subject: [PATCH 33/33] Handle owl:Thing as a parent class in spec Signed-off-by: Holger Frydrych --- dev/model_dump.json | 8 ++++---- dev/model_gen/utils.py | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/dev/model_dump.json b/dev/model_dump.json index 4c8b33f80..76b71d9cd 100644 --- a/dev/model_dump.json +++ b/dev/model_dump.json @@ -565,7 +565,7 @@ "description": "PositiveIntegerRange is a tuple of two positive integers that define a range.\n\"begin\" must be less than or equal to \"end\".", "metadata": { "name": "PositiveIntegerRange", - "SubclassOf": "none", + "SubclassOf": "owl:Thing", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/PositiveIntegerRange" @@ -618,7 +618,7 @@ "description": "An External Reference points to a resource outside the scope of the SPDX-3.0 content\nthat provides additional characteristics of an Element.", "metadata": { "name": "ExternalReference", - "SubclassOf": "none", + "SubclassOf": "owl:Thing", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/ExternalReference" @@ -889,7 +889,7 @@ "description": "An Element is a representation of a fundamental concept either directly inherent\nto the Bill of Materials (BOM) domain or indirectly related to the BOM domain\nand necessary for contextually characterizing BOM concepts and relationships.\nWithin SPDX-3.0 structure this is the base class acting as a consistent,\nunifying, and interoperable foundation for all explicit\nand inter-relatable content objects.", "metadata": { "name": "Element", - "SubclassOf": "none", + "SubclassOf": "owl:Thing", "Instantiability": "Abstract", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/Element" @@ -1123,7 +1123,7 @@ "description": "An External Map is a map of Element identifiers that are used within a Document\nbut defined external to that Document.\nThe external map provides details about the externally-defined Element\nsuch as its provenance, where to retrieve it, and how to verify its integrity.", "metadata": { "name": "ExternalMap", - "SubclassOf": "none", + "SubclassOf": "owl:Thing", "Instantiability": "Concrete", "Status": "Stable", "id": "https://spdx.org/rdf/v3/Core/ExternalMap" diff --git a/dev/model_gen/utils.py b/dev/model_gen/utils.py index f97c129f8..a745c2bc4 100644 --- a/dev/model_gen/utils.py +++ b/dev/model_gen/utils.py @@ -92,7 +92,7 @@ def to_python_type(typename: str) -> str: def extract_parent_type(cls: dict, namespace: str) -> Optional[str]: parent_class = cls["metadata"].get("SubclassOf") or "none" - if parent_class == "none": + if parent_class == "none" or parent_class == "owl:Thing": return None return get_qualified_name(parent_class, namespace)