Repository: spdx/spdx-spec
Branch: develop
Commit: e5427e7acc39
Files: 61
Total size: 3.4 MB
Directory structure:
gitextract_dim67c75/
├── .github/
│   ├── dependabot.yml
│   └── workflows/
│       ├── publish_common.yml
│       ├── publish_v3.yml
│       ├── validate_examples.yml
│       └── validate_pull_request.yml
├── .gitignore
├── CHANGELOG.md
├── CONTRIBUTING.md
├── LICENSE
├── README.md
├── bin/
│   ├── check-examples.sh
│   ├── make-mkdocs-config.sh
│   └── pull-license-list.py
├── build.md
├── docs/
│   ├── annexes/
│   │   ├── class-hierarchy.md
│   │   ├── license-matching-guidelines-and-templates.md
│   │   ├── pkg-url-specification.md
│   │   ├── rdf-model.md
│   │   ├── spdx-license-expressions.md
│   │   └── spdx-lite.md
│   ├── conformance.md
│   ├── css/
│   │   └── style.css
│   ├── front/
│   │   ├── copyright.md
│   │   └── introduction.md
│   ├── index.md
│   ├── licenses/
│   │   ├── CC-BY-3.0.md
│   │   └── Community-Spec-1.0.md
│   ├── references.md
│   ├── scope.md
│   ├── serializations.md
│   ├── symbols.md
│   └── terms-and-definitions.md
├── etc/
│   ├── redirect-map.csv
│   └── redirect-template.html
├── examples/
│   ├── README.md
│   └── jsonld/
│       ├── package_sbom.json
│       └── spdx-full-example.json
├── mkdocs.yml
├── rdf/
│   ├── spdx-context.jsonld
│   ├── spdx-model.hext
│   ├── spdx-model.json-ld
│   ├── spdx-model.longturtle
│   ├── spdx-model.n3
│   ├── spdx-model.nt
│   ├── spdx-model.pretty-xml
│   ├── spdx-model.trig
│   ├── spdx-model.ttl
│   └── spdx-model.xml
├── requirements.txt
├── serialization/
│   └── jsonld/
│       └── annotations.ttl
├── setup.py
└── submissions/
    ├── ISO/
    │   ├── README.md
    │   ├── annexes/
    │   │   └── changes-from-previous-iso.md
    │   └── front/
    │       └── iso-foreword.md
    ├── OMG/
    │   ├── README.md
    │   ├── annexes/
    │   │   └── omg-history.md
    │   ├── front/
    │   │   ├── cover.md
    │   │   ├── omg-preface.md
    │   │   └── second-page.md
    │   └── people.md
    └── README.md
================================================
FILE CONTENTS
================================================
================================================
FILE: .github/dependabot.yml
================================================
# SPDX-License-Identifier: MIT
# SPDX-FileCopyrightText: Copyright 2024 The SPDX Contributors

version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 10
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
================================================
FILE: .github/workflows/publish_common.yml
================================================
# Publish pre-3.0 specs (spec versions that do not require spec-parser)
#
# This workflow can be triggered manually or by a repository dispatch event.
# It has three parameters:
# - ref: The branch or tag to publish
# - as_version: The version to publish as
# - aliases: Space-delimited aliases
#
# For example, to publish the "support/2.3.1" branch (under development)
# as "v2.3.1-dev" with aliases "v2.3.1", "2.3.1", and "2.3.1-dev",
# you can trigger the workflow with:
# - ref = "refs/heads/support/2.3.1"
# - as_version = "v2.3.1-dev"
# - aliases = "v2.3.1 2.3.1 2.3.1-dev"

on:
  repository_dispatch:
    types:
      - publish_spec
  workflow_dispatch:
    inputs:
      ref:
        description: Branch or tag to publish (e.g. refs/heads/support/2.3).
        required: true
        default: refs/heads/support/2.3
      as_version:
        description: Version to publish as (e.g. v2.3).
        required: true
        default: v2.3
      aliases:
        description: Space-delimited aliases to publish (e.g. v2-latest v2-draft).
        required: false

jobs:
  build:
    runs-on: ubuntu-latest
    container: python:3.12
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
        with:
          ref: ${{ github.event.client_payload.ref || github.event.inputs.ref }}
          path: spdx-spec
          fetch-depth: 0  # Because we will be pushing the gh-pages branch
      - name: Install pre-requisites
        run: pip install json-schema-for-humans==1.4.1 mike==2.1.3 mkdocs==1.6.1
      - name: Generate schema doc
        working-directory: spdx-spec
        run: generate-schema-doc schemas/spdx-schema.json chapters/spdx-json-schema.html
      - name: Set Git identity
        working-directory: spdx-spec
        run: |
          git config user.name github-actions
          git config user.email github-actions@github.com
      - name: Build docs
        working-directory: spdx-spec
        env:
          AS_VERSION: ${{ github.event.client_payload.as_version || github.event.inputs.as_version }}
          # Space-delimited aliases from the dispatch payload or the manual input
          # (the "aliases" parameter described at the top of this file)
          ALIASES: ${{ github.event.client_payload.aliases || github.event.inputs.aliases }}
        run: |
          mike deploy --update-aliases --push $AS_VERSION $ALIASES
================================================
FILE: .github/workflows/publish_v3.yml
================================================
# Publish SPDX specification to https://spdx.github.io/spdx-spec/
#
# This workflow is configured differently for the
# "main", "develop", and "support" branches, each publishing to a unique URL.
#
# For example,
# the workflow in "main" may publish to https://spdx.github.io/spdx-spec/v3.0.1/,
# the workflow in "develop" may publish to https://spdx.github.io/spdx-spec/v3.1-dev/,
# the workflow in "support/3.0" may publish to https://spdx.github.io/spdx-spec/v3.0.x/.
#
# The workflow should be configured so that a URL without a version number
# is redirected to the URL published from the "main" branch.
#
# ## Workflow overview
#
# 1) Generate model documents and RDFs from model files in spdx-3-model repo
# 2) Combine the model documents from (1) with the chapters in spdx-spec repo
# 3) Generate a website using files from (2)
# 4) Upload RDFs from (1) and a website from (3) to GitHub Pages
# 5) Make URL redirections as needed
#
# See notes at:
# https://github.com/spdx/spdx-spec/issues/1155
# https://github.com/spdx/spdx-spec/pull/1146
# See branch structure at:
# https://github.com/spdx/spdx-spec/blob/develop/README.md#branch-structure

on:
  push:
    branches:
      - develop  # This should match with REF_SPEC,
                 # to automatically publish from a correct branch
  repository_dispatch:
    types:
      - publish_v3_spec
  # Manually trigger from https://github.com/spdx/spdx-spec/actions
  # Allows specifying inputs for different branches/tags and versions
  workflow_dispatch:
    inputs:
      REF_SPEC:
        description: 'Branch or tag of specification documents to publish (e.g., refs/heads/develop, refs/heads/support/3.0, refs/tags/v3.0, refs/tags/v3.1-RC1)'
        required: false
        default: 'develop'
      REF_MODEL:
        description: 'Branch or tag of model files to use (e.g., refs/heads/develop, refs/heads/support/3.0, refs/tags/v3.0.1, refs/tags/v3.1-rc1)'
        required: false
        default: 'develop'
      VERSION:
        description: 'Version to publish (e.g., v3.1-dev, v3.1-RC1)'
        required: false
        default: 'v3.1-dev'
      VERSION_ALIASES:
        description: 'Space-delimited aliases for the version being published (e.g., "v3 latest")'
        required: false
        default: 'v3.1 develop dev'
      VERSION_DEFAULT:
        description: 'Default version to redirect to, when no version is specified in the URL (e.g., v3.0)'
        required: false
        default: 'v3.0.1'
  schedule:
    # Rebuild periodically, to apply changes from https://github.com/spdx/spdx-3-model/
    - cron: "0,30 12-20 * * 1-5"  # Every 30 mins during meeting hours (Mon-Fri)
    - cron: "0 0,2,4,8,10,22 * * 1-5"  # Every 2 hours off meeting hours (Mon-Fri)
    - cron: "0 12 * * 6,0"  # Noon once on weekends (Sat & Sun)

jobs:
  build:
    # Don't run scheduled builds for forks
    if: >-
      github.event_name != 'schedule' || github.repository == 'spdx/spdx-spec'
    runs-on: ubuntu-latest
    env:
      REF_SPEC: "${{ github.event.inputs.REF_SPEC || 'develop' }}"  # spdx-spec branch: "main" or "develop" or "support/x.y" or tag/commit ID
      REF_MODEL: "${{ github.event.inputs.REF_MODEL || 'develop' }}"  # spdx-3-model branch: "main" or "develop" or "support/x.y" or tag/commit ID
      REF_PARSER: "main"  # spec-parser branch: "main" or tag/commit ID
      GH_PAGES_BRANCH: "gh-pages"  # spdx-spec branch to publish HTML to
      VERSION_DEFAULT: "${{ github.event.inputs.VERSION_DEFAULT || 'v3.0.1' }}"  # Default version:
      # - A version to be redirected to from the URL without
      #   a version number specified
      # - Should be the latest stable version from the "main" branch
      # - VERSION_DEFAULT should be the same across all
      #   branches/tags
      # - VERSION_DEFAULT should also match the
      #   mike's canonical_version in mkdocs.yml
      VERSION: "${{ github.event.inputs.VERSION || 'v3.1-dev' }}"  # Publishing version, to be published from this branch:
      # - VERSION can be different from VERSION_DEFAULT;
      #   For example, if VERSION is a draft/release candidate,
      #   or if VERSION is a stable version that is behind the
      #   default version (e.g. v3.0.2 vs v3.1)
      # - VERSION from "develop" branch should be indicated with
      #   a suffix ("-dev", "-draft", etc.).
      #   The content of this version will constantly change.
      # - VERSION should match with the version in the copyright
      #   text defined in mkdocs.yml
      #   e.g. "SPDX v3.x.x Copyright (c) 2010-2024, ..."
      # - A release candidate (with suffix "-RC") may be published
      #   from a very short-lived "support" branch.
      #   The content of this version should be kept unchanged,
      #   so it can be properly referenced during the review period,
      #   but the URL of the RC version may later be redirected
      #   to the release version.
      #   For example, v3.0-RC1 was redirected to v3.0 and
      #   will be redirected to v3.0.1 later.
      VERSION_ALIASES: "${{ github.event.inputs.VERSION_ALIASES || 'v3.1 develop dev' }}"
      # VERSION_ALIASES are names that will be redirected to VERSION
      # - Can be empty, can be multiple; separated by space
      # - "latest" should be reserved for the latest stable version
      # - "develop" should be reserved for the version in "develop" branch
      # - Aliases like "v3.0" will be expanded to "v3.0 3.0"
      GIT_USER_NAME: "ci-bot"  # Username for gh-pages commit
      GIT_USER_EMAIL: "ci-bot@spdx.dev"  # E-mail for gh-pages commit
      MKDOCS_MODEL_YML: "model-files.yml"  # Contains list of model Markdown files:
      # - relative to PARSER_OUT_BASE_DIR
      MKDOCS_BASE_YML: "mkdocs.yml"  # Initial MkDocs configuration; from spdx-spec repo
      MKDOCS_FULL_YML: "__mkdocs-full.yml"  # MkDocs configuration combined with model list:
      # - to be generated from MKDOCS_BASE_YML and MKDOCS_MODEL_YML
      REDIRECT_MAP_PATH: "etc/redirect-map.csv"  # URL redirect map
      REDIRECT_TEMPLATE_PATH: "etc/redirect-template.html"  # URL redirect HTML template
    steps:
      - name: Expand version aliases to include a version without 'v' prefix and lowercase aliases
        # For example, given
        # - VERSION: "v3.0.1"; and
        # - Original VERSION_ALIASES: "latest V3.0 v3.0-RC1"
        # the expanded VERSION_ALIASES will contain (deduplicated and sorted)
        # "3.0.1 latest V3.0 v3.0 3.0 v3.0-RC1 3.0-RC1 v3.0-rc1 3.0-rc1"
        run: |
          echo VERSION: $VERSION
          echo Original VERSION_ALIASES: $VERSION_ALIASES
          original_aliases="$VERSION_ALIASES"
          expanded_aliases=""
          add_alias() {
            for a in "$@"; do
              [ -z "$a" ] && continue
              expanded_aliases="$expanded_aliases $a"
            done
          }
          # Add lowercase VERSION and numeric (no 'v') variants, but do NOT add the exact VERSION
          lower_version=$(echo "$VERSION" | tr '[:upper:]' '[:lower:]')
          add_alias "$lower_version"
          if [[ $lower_version =~ ^v[0-9] ]]; then
            add_alias "${VERSION#[vV]}"
            add_alias "${lower_version#v}"
          fi
          # Add original aliases and their lowercase and numeric variants
          for version in $original_aliases; do
            # skip exact match to VERSION
            if [ "$version" = "$VERSION" ]; then
              continue
            fi
            add_alias "$version"
            lower_alias=$(echo "$version" | tr '[:upper:]' '[:lower:]')
            add_alias "$lower_alias"
            # Test the lowercase form, so that "V3.0" yields "3.0" just like "v3.0" does
            if [[ $lower_alias =~ ^v[0-9] ]]; then
              add_alias "${version#[vV]}"
              add_alias "${lower_alias#v}"
            fi
          done
          # Deduplicate aliases and remove the exact version from the list
          expanded_aliases=$(printf "%s\n" $expanded_aliases | sort -u | grep -Fxv "$VERSION" | tr '\n' ' ' | sed 's/^ *//; s/ *$//')
          echo "VERSION_ALIASES=$expanded_aliases" >> $GITHUB_ENV
      - name: Check expanded version aliases
        run: |
          echo Expanded VERSION_ALIASES: $VERSION_ALIASES
      - name: Checkout spdx-spec
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
        with:
          ref: ${{ env.REF_SPEC }}
          path: spdx-spec
          fetch-depth: 0  # Because we will be pushing the gh-pages branch
      - name: Checkout spdx-3-model
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
        with:
          repository: spdx/spdx-3-model
          ref: ${{ env.REF_MODEL }}
          path: spdx-3-model
      - name: Checkout spec-parser
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
        with:
          repository: spdx/spec-parser
          ref: ${{ env.REF_PARSER }}
          path: spec-parser
      - name: Set up specific Python version
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 #v6.2.0
        with:
          python-version: "3.12"
          cache: "pip"
      - name: Install pre-requisites for spdx-spec
        run: pip install -r spdx-spec/requirements.txt
      - name: Install pre-requisites for spec-parser
        run: pip install -r spec-parser/requirements.txt
      - name: Build model files
        # Generates model documents and RDFs
        # Move the model file list to spdx-spec/ root
        run: |
          python3 spec-parser/main.py --force --generate-rdf --output-rdf spdx-spec/docs/rdf --generate-mkdocs --output-mkdocs spdx-spec/docs/model --generate-plantuml --output-plantuml spdx-spec/docs/diagram --generate-jsondump --output-jsondump spdx-spec/docs/jsondump spdx-3-model/model
          mv spdx-spec/docs/model/$MKDOCS_MODEL_YML spdx-spec/
      - name: Copy JSON annotations
        # JSON annotations URL will be redirected
        # from https://spdx.org/rdf/<version>/spdx-json-serialize-annotations.ttl
        # to https://spdx.github.io/spdx-spec/v<version>/rdf/jsonld-annotations.ttl
        #
        # To maintain availability of files at the old location at
        # https://spdx.github.io/spdx-spec/v3.0/model/<filename>,
        # another copy will be made into spdx-spec/docs/model/.
        #
        # Note: When releasing a new version, update the content of annotations.ttl to match the version
        run: |
          cp spdx-spec/serialization/jsonld/annotations.ttl spdx-spec/docs/rdf/jsonld-annotations.ttl
          cp spdx-spec/serialization/jsonld/annotations.ttl spdx-spec/docs/model/jsonld-annotations.ttl
      - name: Copy JSON-LD context and RDFs
        # JSON-LD context and RDF URLs will be redirected
        # from https://spdx.org/rdf/<version>/spdx-context.jsonld, spdx-model.ttl, etc.
        # to https://spdx.github.io/spdx-spec/v<version>/rdf/spdx-context.jsonld, etc.
        #
        # Make a copy of spdx-model.json-ld as spdx-model.jsonld,
        # because we have spdx-context.jsonld.
        run: |
          cp spdx-spec/docs/rdf/spdx-model.json-ld spdx-spec/docs/rdf/spdx-model.jsonld
          cp spdx-spec/docs/rdf/spdx-context.jsonld spdx-spec/docs/model/
          cp spdx-spec/docs/rdf/spdx-model.* spdx-spec/docs/model/
      - name: Generate JSON schema
        # JSON schema URL will be redirected
        # from https://spdx.org/schema/<version>/spdx-json-schema.json
        # to https://spdx.github.io/spdx-spec/v<version>/rdf/schema.json
        #
        # A JSON-LD context document URL is needed to generate the JSON schema.
        # The preferred URL is at spdx.org, but for development versions it may not
        # be available yet, so spdx.github.io is used as a fallback.
        #
        # The context URL is resolved by trying the following candidates in order:
        #
        # 1. https://spdx.org/rdf/<base>/spdx-context.jsonld (e.g. 3.1)
        # 2. https://spdx.org/rdf/<full>/spdx-context.jsonld (e.g. 3.1-RC1)
        # 3. https://spdx.github.io/spdx-spec/<VERSION>/rdf/spdx-context.jsonld (fallback)
        #
        # For each spdx.org candidate, availability is confirmed by either:
        # a. a GitHub tag in spdx/spdx-spec — deterministic; a tag confirms a release
        # b. a curl check — catches the case where spdx.org is live before the tag is created
        #
        # Note: tags in spdx/spdx-spec may or may not have a "v" prefix (e.g., v3.0 vs 3.0.1),
        # so both forms are checked. The spdx-spec repo is checked out with fetch-depth: 0.
        run: |
          VER_FULL=${VERSION#[vV]}
          VER_BASE=$(echo "$VER_FULL" | sed -E 's/-.*//')
          URL_RELEASE="https://spdx.org/rdf/$VER_BASE/spdx-context.jsonld"
          URL_DEV="https://spdx.org/rdf/$VER_FULL/spdx-context.jsonld"
          URL_FALLBACK="https://spdx.github.io/spdx-spec/$VERSION/rdf/spdx-context.jsonld"
          has_tag_release() { git -C spdx-spec tag -l "v$VER_BASE" "$VER_BASE" | grep -q .; }
          has_tag_dev() { git -C spdx-spec tag -l "v$VER_FULL" "$VER_FULL" | grep -q .; }
          url_ok() { curl --output /dev/null --silent --head --fail "$1"; }
          if has_tag_release || url_ok "$URL_RELEASE"; then
            CONTEXT_URL="$URL_RELEASE"
          elif [ "$VER_FULL" != "$VER_BASE" ] && { has_tag_dev || url_ok "$URL_DEV"; }; then
            CONTEXT_URL="$URL_DEV"
          else
            CONTEXT_URL="$URL_FALLBACK"
          fi
          echo "JSON-LD context document URL:"
          echo "$CONTEXT_URL"
          shacl2code generate \
            --input spdx-spec/docs/rdf/spdx-model.ttl \
            --input spdx-spec/docs/rdf/jsonld-annotations.ttl \
            --context-url spdx-spec/docs/rdf/spdx-context.jsonld $CONTEXT_URL \
            jsonschema \
            --output spdx-spec/docs/rdf/schema.json
          head spdx-spec/docs/rdf/schema.json
          cp spdx-spec/docs/rdf/schema.json spdx-spec/docs/model/schema.json
      - name: Set Git identity
        working-directory: spdx-spec
        run: git config user.name $GIT_USER_NAME; git config user.email $GIT_USER_EMAIL
      - name: Sync GitHub Pages
        working-directory: spdx-spec
        run: git checkout $GH_PAGES_BRANCH && git pull && git checkout $REF_SPEC
      - name: Move generated model-related documents to annexes
        # Must happen after git sync, because class-hierarchy.md is a tracked file
        # in the spec branch; moving it before the sync would cause git checkout to fail
        # with "local changes would be overwritten by checkout"
        run: |
          mv spdx-spec/docs/model/class-hierarchy.md spdx-spec/docs/annexes/
      - name: Build complete MkDocs configuration
        # Combines model file list (MKDOCS_MODEL_YML, generated by spec-parser)
        # with the base MkDocs configuration file (MKDOCS_BASE_YML),
        # to produce the full MkDocs configuration file (MKDOCS_FULL_YML).
        # The script below finds the "__MODEL_PLACEHOLDER__" string in
        # MKDOCS_BASE_YML and replaces it with the content from MKDOCS_MODEL_YML.
        # MKDOCS_FULL_YML will be used by mike in the deploy step.
        working-directory: spdx-spec
        run: |
          echo "Build $MKDOCS_FULL_YML from $MKDOCS_BASE_YML and $MKDOCS_MODEL_YML"
          bin/make-mkdocs-config.sh \
            -b "$MKDOCS_BASE_YML" \
            -m "$MKDOCS_MODEL_YML" \
            -f "$MKDOCS_FULL_YML" \
            -p "__MODEL_PLACEHOLDER__"
          echo "===================="
          echo "Full MkDocs configuration: $MKDOCS_FULL_YML"
          echo "--------------------"
          cat "$MKDOCS_FULL_YML"
          echo "===================="
      - name: Deploy and set aliases
        # mike is used here to manage multiple versions of MkDocs-powered documentation
        # This step does 2 things:
        # 1) delete existing aliases (in VERSION_ALIASES), if they exist
        # 2) deploy as VERSION, with aliases
        # If the existing aliases were redirected to other versions,
        # it means this VERSION will "steal" the aliases from those versions.
        working-directory: spdx-spec
        run: |
          for alias in $VERSION_ALIASES; do
            mike delete --config-file "$MKDOCS_FULL_YML" --branch $GH_PAGES_BRANCH --push --allow-empty "$alias" || true
          done
          mike deploy --update-aliases --config-file "$MKDOCS_FULL_YML" --branch $GH_PAGES_BRANCH --push $VERSION $VERSION_ALIASES
      - name: Set default version
        # Set default version to VERSION_DEFAULT;
        # if not set, the default version will remain the same.
        # Should only be done from the "main" branch.
        if: github.ref == 'refs/heads/main'
        working-directory: spdx-spec
        run: |
          mike set-default --config-file "$MKDOCS_FULL_YML" --branch $GH_PAGES_BRANCH --push $VERSION_DEFAULT
      - name: Copy JSON annotations, JSON schema, JSON-LD context, and RDFs to alias directories
        # Fallback for backward compatibility with old URLs before v3.0.1
        # This step creates copies of annotations/schema/RDFs in all alias
        # directories, so they can be accessed from all old URLs.
        # For example,
        # - https://spdx.github.io/spdx-spec/v3.0/model/schema.json (old directory structure)
        # - https://spdx.github.io/spdx-spec/v3.0.1/rdf/schema.json (new directory structure)
        # will all be accessible and have the same content.
        # Unlike HTML files, these files have to be copies,
        # since they cannot use the HTML refresh mechanism.
        working-directory: spdx-spec
        run: |
          git checkout -- docs/annexes/class-hierarchy.md
          git checkout $GH_PAGES_BRANCH
          dirs="$VERSION_ALIASES"
          for dir in $dirs; do
            mkdir -p "$dir"/rdf
            mkdir -p "$dir"/model
            cp $VERSION/rdf/* "$dir"/rdf
            cp $VERSION/rdf/* "$dir"/model
            mkdir -p "$dir"/diagram
            cp $VERSION/diagram/* "$dir"/diagram
            mkdir -p "$dir"/jsondump
            cp $VERSION/jsondump/* "$dir"/jsondump
            git add "$dir"/rdf/* "$dir"/model/* "$dir"/diagram/* "$dir"/jsondump/*
          done
          git commit -m "Copy schema and RDFs to alias directories: $VERSION_ALIASES"
          git push origin $GH_PAGES_BRANCH
      - name: Make redirections (for renamed model elements and moved annexes)
        # Fallback for backward compatibility with old URLs before v3.0.1
        # More redirections can be added in etc/redirect-map.csv (from,to)
        # See name changes in model at
        # https://github.com/spdx/spdx-3-model/blob/main/CHANGELOG.md
        #
        # This step creates HTML files that provide additional redirections.
        # It reads a redirect map from etc/redirect-map.csv; in the CSV,
        # the first value is 'from' (source) and the second value is 'to' (target).
        #
        # The 'from' and 'to' values will be inserted into the HTML template at
        # etc/redirect-template.html, to create a redirect HTML
        # page (index.html) under a subdirectory with the name of 'from'
        # that will refresh the browser to the URL of 'to'.
        #
        # For example, given:
        #
        #   VERSION = "v3.0.1"
        #   VERSION_ALIASES = "latest v3.0"
        #   from = "model/Core/Properties/imports"
        #   to = "model/Core/Properties/import"
        #
        # these HTML files will be created for every alias:
        #
        #   v3.0.1/model/Core/Properties/imports/index.html
        #   latest/model/Core/Properties/imports/index.html
        #   v3.0/model/Core/Properties/imports/index.html
        #
        # and all of them will redirect to
        #
        #   v3.0.1/model/Core/Properties/import/
        working-directory: spdx-spec
        run: |
          ALL_VERSIONS=$(echo "$VERSION" "$VERSION_ALIASES")
          INDEX_HTML="index.html"
          git checkout $REF_SPEC
          maps=$(cat "$REDIRECT_MAP_PATH")
          template=$(cat "$REDIRECT_TEMPLATE_PATH")
          echo "===================="
          echo "Redirect map: $REDIRECT_MAP_PATH"
          echo "--------------------"
          echo "$maps"
          echo "===================="
          echo "===================="
          echo "Redirect HTML template: $REDIRECT_TEMPLATE_PATH"
          echo "--------------------"
          echo "$template"
          echo "===================="
          git checkout $GH_PAGES_BRANCH
          for alias in $ALL_VERSIONS; do
            echo "$maps" | while read -r line; do
              from=$(echo "$line" | cut -d',' -f1)
              to=$(echo "$line" | cut -d',' -f2)
              # index.html sits at <alias>/<from>/, so climb one level per path
              # component of 'from' plus one more for <alias> itself
              slash_count=$(echo "$from" | tr -cd '/' | wc -c)
              upper_dirs=".."
              if [ -n "$from" ]; then
                for i in $(seq 0 $slash_count); do
                  upper_dirs="$upper_dirs/.."
                done
              fi
              escaped_upper=$(echo "$upper_dirs" | sed 's/[\/&]/\\&/g')
              escaped_version=$(echo "$VERSION" | sed 's/[\/&]/\\&/g')
              html=""
              case "$to" in
                http://*|https://*)
                  # Absolute target: replace the whole placeholder path with the URL
                  echo "Redirect: $alias/$from -> $to"
                  escaped_to=$(echo "$to" | sed 's/[\/&]/\\&/g')
                  html=$(echo "$template" | sed -e "s|__UPPER__/__VERSION__/__TO__|$escaped_to|g")
                  ;;
                *)
                  # Relative target: always point at the canonical VERSION directory
                  echo "Redirect: $alias/$from -> $VERSION/$to"
                  escaped_to=$(echo "$to" | sed 's/[\/&]/\\&/g')
                  html=$(echo "$template" | sed -e "s/__UPPER__/$escaped_upper/g" -e "s/__VERSION__/$escaped_version/g" -e "s/__TO__/$escaped_to/g")
                  ;;
              esac
              mkdir -p "$alias/$from"
              echo "$html" > "$alias/$from/$INDEX_HTML"
              git add "$alias/$from/$INDEX_HTML"
            done
          done
          git commit -m "Add redirections for: $ALL_VERSIONS"
          git push origin $GH_PAGES_BRANCH
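The alias-expansion step and the redirect-page step of publish_v3.yml are the two parts of this workflow whose output is hardest to predict from reading the shell, and neither can be exercised without pushing to gh-pages. The Python module below is an added example, not code from the spdx-spec repository, that ports both so they can be checked offline: `expand_version_aliases` applies the lowercase / no-'v' / deduplicate rules to a VERSION and its aliases (the prefix test is done on the lowercase form, so "V3.0" yields "3.0" as the step's comment describes, and the original spelling is kept as the script's `add_alias "$version"` does), and `build_redirect_pages` turns a (from,to) map into the per-alias `index.html` contents, deriving the `..` climb from the number of slashes in `from`. `SAMPLE_TEMPLATE` is a constructed stand-in for etc/redirect-template.html (not shown on this page) that carries only the `__UPPER__/__VERSION__/__TO__` placeholder the workflow's sed commands target; `SAMPLE_MAP` is a constructed map whose second row exercises the absolute-URL branch. Two deliberate deviations from the shell: blank map lines are skipped, and a row without exactly two fields raises instead of being silently turned into a page.

```python
"""Offline model of the alias-expansion and redirect-page steps of publish_v3.yml."""
import re

# Constructed stand-in for etc/redirect-template.html (the real file is not on this
# page). It only needs the placeholder string that the workflow's sed commands replace.
SAMPLE_TEMPLATE = """<!DOCTYPE html>
<html><head><meta charset="utf-8">
<meta http-equiv="refresh" content="0; url=__UPPER__/__VERSION__/__TO__">
</head><body></body></html>
"""

# Constructed redirect map in the (from,to) CSV shape the workflow reads. The first
# row is the example from the workflow comment; the second is a made-up absolute
# target used to exercise the http(s) branch.
SAMPLE_MAP = """model/Core/Properties/imports,model/Core/Properties/import
annexes/old-annex,https://example.org/moved-annex
"""


def expand_version_aliases(version: str, aliases: str) -> list[str]:
    """Port of the 'Expand version aliases' step.

    VERSION contributes its lowercase form and, when it looks like v<digit>...,
    the no-'v' forms; every alias contributes its original spelling, its lowercase
    form and the no-'v' forms. The exact VERSION string is never its own alias.
    The shell pipes through `sort -u`, so the result is deduplicated and sorted.
    """
    def variants(name: str) -> list[str]:
        lower = name.lower()
        out = [name, lower]
        # Test the lowercase form so "V3.0" produces "3.0" exactly as "v3.0" does
        if re.match(r"v[0-9]", lower):
            out += [name[1:], lower[1:]]
        return out

    expanded = set(variants(version)[1:])  # lowercase/numeric forms of VERSION only
    for alias in aliases.split():
        if alias != version:  # skip exact match to VERSION
            expanded.update(variants(alias))
    expanded.discard(version)  # grep -Fxv "$VERSION"
    return sorted(expanded)


def build_redirect_pages(version: str, aliases: list[str],
                         redirect_map: str, template: str) -> dict[str, str]:
    """Port of the 'Make redirections' step.

    Returns {"<name>/<from>/index.html": html} for VERSION and every alias.
    Relative targets become "<climb to site root>/<VERSION>/<to>", so every
    alias page points at the canonical VERSION directory; absolute http(s)
    targets replace the whole placeholder path.
    """
    pages: dict[str, str] = {}
    for line in redirect_map.splitlines():
        line = line.strip()
        if not line:
            continue  # assumption: blank lines are ignored (the shell would treat from="")
        fields = line.split(",")
        if len(fields) != 2 or not fields[0]:
            raise ValueError(f"malformed redirect-map entry: {line!r}")  # fail closed
        src, dst = fields
        # index.html lives at <name>/<src>/; climb src.count("/") + 2 levels to reach
        # the directory that holds the version directories (same count as the shell loop)
        upper = "/".join([".."] * (src.count("/") + 2))
        if dst.startswith(("http://", "https://")):
            html = template.replace("__UPPER__/__VERSION__/__TO__", dst)
        else:
            html = (template.replace("__UPPER__", upper)
                            .replace("__VERSION__", version)
                            .replace("__TO__", dst))
        # The shell writes the same html for each name in "$VERSION $VERSION_ALIASES"
        for name in [version, *aliases]:
            pages[f"{name}/{src}/index.html"] = html
    return pages


if __name__ == "__main__":
    aliases = expand_version_aliases("v3.0.1", "latest V3.0 v3.0-RC1")
    print("expanded aliases:", " ".join(aliases))
    pages = build_redirect_pages("v3.0.1", aliases, SAMPLE_MAP, SAMPLE_TEMPLATE)
    for path, html in sorted(pages.items()):
        target = re.search(r'url=([^"]+)', html).group(1)
        print(f"{path} -> {target}")
```

Running the module prints the nine expanded aliases for the documented example and, for each alias, one page per map row with the target it redirects to; the relative row resolves to `../../../../../v3.0.1/model/Core/Properties/import` from every alias, which is the five-level climb the shell's `seq 0 $slash_count` loop produces for a `from` with three slashes.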
================================================
FILE: .github/workflows/validate_examples.yml
================================================
on:
  pull_request:
    paths:
      - 'examples/**/*.json'
      - 'docs/annexes/*.md'
  push:
    paths:
      - 'examples/**/*.json'
      - 'docs/annexes/*.md'

jobs:
  validate-examples:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout spdx-spec
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
      - name: Set up specific Python version
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 #v6.2.0
        with:
          python-version: "3.12"
          cache: "pip"
      - name: Install Python dependencies
        run: |
          python3 -m pip install check-jsonschema==0.34.1 spdx3-validate==0.0.5
      - name: Install dependencies
        run: |
          sudo apt install -y gawk
      - name: Check examples
        run: |
          ./bin/check-examples.sh
================================================
FILE: .github/workflows/validate_pull_request.yml
================================================
on: pull_request

jobs:
  validate:
    name: Validate build
    runs-on: ubuntu-latest
    steps:
      - name: Checkout spdx-spec
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
        with:
          fetch-depth: 1
      - name: Set up specific Python version
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 #v6.2.0
        with:
          python-version: "3.12"
          cache: "pip"
      - name: Install pre-requisites
        run: pip install -r requirements.txt
      - name: Build the site to validate (use mkdocs.yml, no model files, no PDF export)
        run: ENABLE_PDF_EXPORT=0 mkdocs build --clean --verbose
        # To validate the PR from within spdx-spec repo, build using mkdocs.yml
        # (no model files) and without the time-consuming PDF export
================================================
FILE: .gitignore
================================================
# Generated files for model
docs/model/
docs/rdf/
# GitBook directory and generated docs
_book/
*.epub
*.mobi
*.pdf
# Build output directory
dist/
site/
# Ignore all hidden files/dirs except .gitignore and .github
.*
!/.gitignore
!/.github
# nodeJS
node_modules/
# Ensure the deploy SSH key never gets committed
.travis/deploy-key
# Operating system files
.DS_Store
._*
Thumbs.db
Thumbs.db:encryptable
*.lnk
# Build temporary directory
.env
logs/
__pycache__/
__mkdocs-full.yml
================================================
FILE: CHANGELOG.md
================================================
# Change log
All notable changes to this project will be documented in this file.
## 3.0.1 (2024-12-17)

* Changes in document structure and location.
  The following documents are now located in the
  [spdx/using](https://github.com/spdx/using/) repository and are no longer
  part of the specification.
  * [Cross referencing in SPDX 3](https://github.com/spdx/using/blob/main/docs/cross-reference.md)
  * [Differences from previous editions](https://github.com/spdx/using/blob/main/docs/diffs-from-previous-editions.md)
  * [Getting started writing SPDX 3](https://github.com/spdx/using/blob/main/docs/getting-started.md)
  * [Including Security Information in a SPDX document](https://github.com/spdx/using/blob/main/docs/including-security-information-in-SPDX.md)
  * [Using SPDX license list short identifiers in source files](https://github.com/spdx/using/blob/main/docs/using-SPDX-short-identifiers-in-source-files.md)
  * [Using SPDX to comply with Norms, Standards and Regulation](https://github.com/spdx/using/blob/main/docs/using-SPDX-to-comply-with-industry-guidance.md)
* The following documents are added for the completeness of the specification:
  * [Package URL specification v1](./docs/annexes/pkg-url-specification.md)
  * [SPDX License List matching guidelines and templates](./docs/annexes/license-matching-guidelines-and-templates.md)
* [SPDX Lite](./docs/annexes/spdx-lite.md) has been updated with more explicit
  sections on "Mandatory" and "Recommended" properties.
* See changes in the model from
  [the model change log](https://github.com/spdx/spdx-3-model/blob/main/CHANGELOG.md).

See the 3.0.1 GitHub release notes for changes
[in the spec](https://github.com/spdx/spdx-spec/releases/tag/3.0.1) and
[in the model](https://github.com/spdx/spdx-3-model/releases/tag/3.0.1).
## 3.0 (2024-04-15)
See the v3.0 GitHub release notes for changes
[in the spec](https://github.com/spdx/spdx-spec/releases/tag/v3.0) and
[in the model](https://github.com/spdx/spdx-3-model/releases/tag/3.0).
See also the [SPDX specification 3.0 release announcement](https://www.linuxfoundation.org/press/spdx-3-revolutionizes-software-management-in-systems-with-enhanced-functionality-and-streamlined-use-cases)
## 2.3 (2022-11-03)
See the [v2.3 GitHub release notes](https://github.com/spdx/spdx-spec/releases/tag/v2.3) for changes.
## 2.2 (2020-05-02)
* Added more relationship types to [Relationships](https://github.com/spdx/spdx-spec/blob/development/v2.2/chapters/7-relationships-between-SPDX-elements.md).
* Updated [License Matching Guidelines](https://github.com/spdx/spdx-spec/blob/development/v2.2/chapters/appendix-II-license-matching-guidelines-and-templates.md) to allow embedded rules within optional rules.
* Updated [Charter](https://github.com/spdx/spdx-spec/blob/development/v2.2/chapters/1-rationale.md) to broaden applicable scenarios for SPDX documents.
* Updated [License List](https://github.com/spdx/spdx-spec/blob/development/v2.2/chapters/appendix-I-SPDX-license-list.md) to v3.7.
* Added support for [PURL](https://github.com/package-url/purl-spec) and container images to [External Repository Identifiers](https://github.com/spdx/spdx-spec/blob/development/v2.2/chapters/appendix-VI-external-repository-identifiers.md).
* Added the license matching guideline content to [Appendix II](https://github.com/spdx/spdx-spec/blob/development/v2.2/chapters/appendix-II-license-matching-guidelines-and-templates.md).
* Added sample documents (both for final and draft formats) under `examples/`.
* Added definitions for the `rdf:` and `rdf-schema:` namespaces.
* Added clarification of the meaning of `Package` within an SPDX document.
* Added [SPDX Lite](https://github.com/spdx/spdx-spec/blob/development/v2.2/chapters/appendix-VIII-SPDX-Lite.md) which defines a minimal subset of SPDX for scenarios not requiring full SPDX documents.
* Added [SPDX File Tags](https://github.com/spdx/spdx-spec/blob/development/v2.2/chapters/appendix-IX-file-tags.md) which defines a mechanism to add file-specific information from SPDX-defined fields to source code files.
* Added optional field to be able to convey attribution text information for packages & files.
* Added support for `LicenseRef-` in [short form identifiers](https://github.com/spdx/spdx-spec/blob/development/v2.2/chapters/appendix-V-using-SPDX-short-identifiers-in-source-files.md).
* Added support for relationships to `NOASSERTION` or `NONE` as a way to indicate "known unknown" and "no dependencies" respectively.
* Added YAML, JSON, and .xls as supported formats and XML as an in-development format.
* Removed support for multi-line license expressions.
* Added `swh` as an external reference to support linking to Software Heritage persistent identifiers.
* Added clarification on the case sensitivity of license expressions.
* Numerous formatting, grammatical, and spelling fixes.
See also the [SPDX specification 2.2 release announcement](https://www.linuxfoundation.org/blog/2020/05/spdx-2-2-specification-released/)
## 2.1 (2016-10-04)
* Snippets allow a portion of a file to be identified as having different properties from the file it resides within. The use of snippets is completely optional, and it is not mandatory for snippets to be identified;
* Improvements in referencing external packages and repositories; users can now associate packages with security vulnerability databases as well as component repositories, such as npm, maven, bower, among others; and
* A new appendix has been added to explain how to use SPDX License List identifiers in source files. An increasing number of open source projects are adding these short identifiers to code, as they allow anyone to quickly scan a directory of files to identify the licenses included. SPDX license identifier tags also eliminate common mistakes based on scanning headers to conclude the license of a source file
See also the [SPDX specification 2.1 release announcement](https://www.linuxfoundation.org/press-release/2016/10/the-linux-foundations-open-compliance-initiative-releases-new-spdx-specification)
## 2.0 (2015-05-12)
* The new relationship view makes the SPDX standard more useful for a broader range of uses, including exchanging data about software and modules introduced throughout the supply chain. The improvements are said to ease the exchange of open source and license data, streamline compliance with open source licenses, and help vendors more easily identify obligations or security vulnerabilities before shipment.
* Descriptions of multiple packages in a single SPDX document, allowing aggregation of information that should be kept together
* Expanded annotations that include replacing “review” comments, available for any specific element in an SPDX document
* New license expression syntax with improved license matching guidelines, making the capture of complex licensing within a file easier and more reliable
* Additional file types and checksum algorithms with expanded file types, allowing for more precise identification of a file
* Support for referencing software pulled from version control systems, in addition to software served as downloads
See also the [SPDX specification 2.0 release announcement](https://spdx.dev/milestone-day-spdx-release-version-2-0-release-great-step-forward-greatly-expands-utility-applicability-spec)
## 1.2 (2013-10-22)
* A field to specify license list version and one to describe file dependencies
* More flexibility in locally naming non-standard licenses
* Clarity with respect to case sensitivity for existing fields
* Fields to document notices, project homepage and author credits
* The ability to identify and map standard license headers
See also the [SPDX specification 1.2 release announcement](https://spdx.dev/spdx-releases-version-1-2-specification)
## 1.1 (2012-08-30)
* Optional fields for including license names and cross references to license sites
* New comment fields added to capture important facts in the document, license, and file sections
* Expanded list of licenses, new short form identifiers for all licenses
See also the [SPDX specification 1.1 release announcement](https://www.linuxfoundation.org/press-release/2012/08/the-linux-foundations-spdx-workgroup-releases-new-version-of-software-package-data-exchange-standard-2/)
## 1.0 (2011-08-17)
* The initial release
See also the [SPDX specification 1.0 release announcement](https://www.linuxfoundation.org/press-release/2011/08/spdx-workgroup-releases-software-package-data-exchange-standard-to-widespread-industry-support/)
================================================
FILE: CONTRIBUTING.md
================================================
# Contributing
The SPDX specification is maintained by the SPDX [legal][spdx-legal] and
[tech][spdx-tech] teams.
Design and planning are primarily done via the team [mailing][spdx-legal-list]
[lists][spdx-tech-list] and [meetings][meetings].
## Contribution License Agreement
Contributions to this repo are made pursuant to the
[SPDX Community Specification Contributor License Agreement 1.0][cla]. You do
not need to submit a signed copy of the contributor license agreement; by
making a contribution to this repo, you agree to the terms set forth in that
agreement.
## Submitting changes
Always write a clear log message for your commits. One-line messages are fine
for small changes, but significant changes should look like this:
```shell
$ git commit -m "Subject of the commit
>
> A paragraph describing what changed and its impact.
>
> Signed-off-by: Contributor Name <name@example.com>"
```
Every commit message also needs a sign-off line, or it will not pass a test in
the workflow. This line starts with `Signed-off-by:` and specifies the name and
the email address of the person who submitted the changes. You can also use the
`-s` or `--signoff` option with `git commit` to automatically append the line
to your commit message (it will use `user.name` and `user.email` from your
`.git/config` configuration file).
A properly formed Git commit subject line should always be able to complete the
following sentence: if applied, this commit will "Subject of the commit".
For example:
```text
if applied, this commit will Add chapter on Security Vulnerabilities in SPDX
if applied, this commit will Delete section with deprecated SPDX attributes
if applied, this commit will Fix grammar in Package Version field description
```
Git itself uses this approach. When you merge something it will generate a
commit message like "Merge branch...", or when reverting "Revert...".
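As an added example (not part of the spdx-spec repository), the following POSIX shell check enforces the convention above locally, before the workflow test rejects the commit: the subject line, the blank line after it, and a `Signed-off-by:` line carrying a name and an e-mail address. The function names and the sample messages are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not part of the spdx-spec repository: a local check for the
# commit message rules in CONTRIBUTING.md (subject line, blank line after it,
# Signed-off-by with a name and an e-mail address). Function names are
# hypothetical; installed as .git/hooks/commit-msg the script runs on every
# commit before the workflow does.

# check_signoff_msg MESSAGE
# Returns 0 when MESSAGE follows the convention, 1 (with a reason on stderr)
# when it does not.
check_signoff_msg() {
    msg=$1

    # The subject is the first line and must not be empty.
    subject=$(printf '%s\n' "$msg" | sed -n '1p')
    if [ -z "$subject" ]; then
        echo "commit message: missing subject line" >&2
        return 1
    fi

    # The template separates the subject from the body with a blank line
    # (a one-line message followed only by the sign-off still passes).
    second=$(printf '%s\n' "$msg" | sed -n '2p')
    if [ -n "$second" ]; then
        echo "commit message: subject must be followed by a blank line" >&2
        return 1
    fi

    # The sign-off line must name the submitter and give an e-mail address in
    # angle brackets, which is exactly what 'git commit -s' appends.
    if ! printf '%s\n' "$msg" |
        grep -Eq '^Signed-off-by: [^<>]+ <[^<>@[:space:]]+@[^<>@[:space:]]+>$'; then
        echo "commit message: missing or malformed Signed-off-by line" >&2
        return 1
    fi
    return 0
}

# check_signoff_file FILE: entry point for a commit-msg hook, which receives
# the path of the message file as its argument.
check_signoff_file() {
    check_signoff_msg "$(cat "$1")"
}

# Constructed sample messages for demonstration.
GOOD_MSG='Add chapter on Security Vulnerabilities in SPDX

A paragraph describing what changed and its impact.

Signed-off-by: Contributor Name <name@example.com>'

NO_SIGNOFF_MSG='Fix grammar in Package Version field description

A paragraph describing what changed and its impact.'

BAD_SIGNOFF_MSG='Delete section with deprecated SPDX attributes

Signed-off-by: name@example.com'

# When git invokes the script as a hook, $1 is the message file; a failing
# check makes the script exit non-zero and aborts the commit.
if [ "$#" -ge 1 ]; then
    check_signoff_file "$1"
fi
```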
The appropriate branch for submitting changes depends on the nature of the
changes, following [Semantic Versioning (SemVer)][semver] conventions.
### Patch changes
Patch-level changes such as markup and typo fixes may be submitted directly
as [issues][] or [pull requests][pull-requests], without previous discussion.
Please submit all patch changes against the `support/3.0` branch.
### Minor changes
Minor changes, including amending, adding, or removing normative and
informative documents, **that do not break backward compatibility,**
can be submitted directly as [issues][] or [pull requests][pull-requests].
However, prior discussion is always encouraged.
Please submit all minor changes against the `develop` branch.
### Major changes
Any change that breaks backwards compatibility or requires significant tooling
changes is considered a major change.
You may want to discuss major changes on the mailing list first to get design
feedback before investing time in a pull request.
Please submit all major changes against the `develop` branch.
### Target milestones
When submitting an issue or pull request, please add a suggested release
milestone. This will ensure the issue or pull request is reviewed for inclusion
in that release.
If your issue or pull request is independent of a release, you can use the
`release-independent` milestone.
## Contributing to the model
Please see the [Contributing to the SPDX 3.0 Model][model-contrib] document.
[cla]: https://github.com/spdx/governance/blob/main/0._SPDX_Contributor_License_Agreement.md
[issues]: https://github.com/spdx/spdx-spec/issues/
[meetings]: https://github.com/spdx/meetings/
[model-contrib]: https://github.com/spdx/spdx-3-model/blob/develop/Contributing.md
[pull-requests]: https://github.com/spdx/spdx-spec/pulls/
[semver]: https://semver.org/
[spdx-legal]: https://wiki.spdx.org/view/Legal_Team
[spdx-legal-list]: https://lists.spdx.org/mailman/listinfo/spdx-legal
[spdx-tech]: https://wiki.spdx.org/view/Technical_Team
[spdx-tech-list]: https://lists.spdx.org/mailman/listinfo/spdx-tech
================================================
FILE: LICENSE
================================================
The SPDX Specification is provided under the Community Specification License 1.0 (Community-Spec-1.0), a copy of which is included below.
Pre-existing portions of the SPDX Specification from copyright holders who have not subsequently contributed under the Community Specification License 1.0 are provided under Creative Commons Attribution 3.0 Unported (CC-BY-3.0), a copy of which is included below.
/bin/pull-license-list.py is licensed under the MIT License (MIT), a copy of which is included below.
= = = = =
Community Specification License 1.0
The Purpose of this License. This License sets forth the terms under which 1) Contributor will participate in and contribute to the development of specifications, standards, best practices, guidelines, and other similar materials under this Working Group, and 2) how the materials developed under this License may be used. It is not intended for source code. Capitalized terms are defined in the License's last section.
1. Copyright.
1.1. Copyright License. Contributor grants everyone a non-sublicensable, perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as expressly stated in this License) copyright license, without any obligation for accounting, to reproduce, prepare derivative works of, publicly display, publicly perform, and distribute any materials it submits to the full extent of its copyright interest in those materials. Contributor also acknowledges that the Working Group may exercise copyright rights in the Specification, including the rights to submit the Specification to another standards organization.
1.2. Copyright Attribution. As a condition, anyone exercising this copyright license must include attribution to the Working Group in any derivative work based on materials developed by the Working Group. That attribution must include, at minimum, the material's name, version number, and source from where the materials were retrieved. Attribution is not required for implementations of the Specification.
2. Patents.
2.1. Patent License.
2.1.1. As a Result of Contributions.
2.1.1.1. As a Result of Contributions to Draft Specifications. Contributor grants Licensee a non-sublicensable, perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as expressly stated in this License) license to its Necessary Claims in 1) Contributor's Contributions and 2) to the Draft Specification that is within Scope as of the date of that Contribution, in both cases for Licensee's Implementation of the Draft Specification, except for those patent claims excluded by Contributor under Section 3.
2.1.1.2. For Approved Specifications. Contributor grants Licensee a non-sublicensable, perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as expressly stated in this License) license to its Necessary Claims included the Approved Specification that are within Scope for Licensee's Implementation of the Approved Specification, except for those patent claims excluded by Contributor under Section 3.
2.1.2. Patent Grant from Licensee. Licensee grants each other Licensee a non-sublicensable, perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as expressly stated in this License) license to its Necessary Claims for its Implementation, except for those patent claims excluded under Section 3.
2.1.3. Licensee Acceptance. The patent grants set forth in Section 2.1 extend only to Licensees that have indicated their agreement to this License as follows:
2.1.3.1. Source Code Distributions. For distribution in source code, by including this License in the root directory of the source code with the Implementation;
2.1.3.2. Non-Source Code Distributions. For distribution in any form other than source code, by including this License in the documentation, legal notices, via notice in the software, and/or other written materials provided with the Implementation; or
2.1.3.3. Via Notices.md. By issuing pull request or commit to the Specification's repository's Notices.md file by the Implementer's authorized representative, including the Implementer's name, authorized individual and system identifier, and Specification version.
2.1.4. Defensive Termination. If any Licensee files or maintains a claim in a court asserting that a Necessary Claim is infringed by an Implementation, any licenses granted under this License to the Licensee are immediately terminated unless 1) that claim is directly in response to a claim against Licensee regarding an Implementation, or 2) that claim was brought to enforce the terms of this License, including intervention in a third-party action by a Licensee.
2.1.5. Additional Conditions. This License is not an assurance (i) that any of Contributor's copyrights or issued patent claims cover an Implementation of the Specification or are enforceable or (ii) that an Implementation of the Specification would not infringe intellectual property rights of any third party.
2.2. Patent Licensing Commitment. In addition to the rights granted in Section 2.1, Contributor agrees to grant everyone a no charge, royalty-free license on reasonable and non-discriminatory terms to Contributor's Necessary Claims that are within Scope for:
1) Implementations of a Draft Specification, where such license applies only to those Necessary Claims infringed by implementing Contributor's Contribution(s) included in that Draft Specification, and
2) Implementations of the Approved Specification.
This patent licensing commitment does not apply to those claims subject to Contributor's Exclusion Notice under Section 3.
2.3. Effect of Withdrawal. Contributor may withdraw from the Working Group by issuing a pull request or commit providing notice of withdrawal to the Working Group repository's Notices.md file. All of Contributor's existing commitments and obligations with respect to the Working Group up to the date of that withdrawal notice will remain in effect, but no new obligations will be incurred.
2.4. Binding Encumbrance. This License is binding on any future owner, assignee, or party who has been given the right to enforce any Necessary Claims against third parties.
3. Patent Exclusion.
3.1. As a Result of Contributions. Contributor may exclude Necessary Claims from its licensing commitments incurred under Section 2.1.1 by issuing an Exclusion Notice within 45 days of the date of that Contribution. Contributor may not issue an Exclusion Notice for any material that has been included in a Draft Deliverable for more than 45 days prior to the date of that Contribution.
3.2. As a Result of a Draft Specification Becoming an Approved Specification. Prior to the adoption of a Draft Specification as an Approved Specification, Contributor may exclude Necessary Claims from its licensing commitments under this Agreement by issuing an Exclusion Notice. Contributor may not issue an Exclusion Notice for patents that were eligible to have been excluded pursuant to Section 3.1.
4. Source Code License. Any source code developed by the Working Group is solely subject the source code license included in the Working Group's repository for that code. If no source code license is included, the source code will be subject to the MIT License.
5. No Other Rights. Except as specifically set forth in this License, no other express or implied patent, trademark, copyright, or other rights are granted under this License, including by implication, waiver, or estoppel.
6. Antitrust Compliance. Contributor acknowledge that it may compete with other participants in various lines of business and that it is therefore imperative that they and their respective representatives act in a manner that does not violate any applicable antitrust laws and regulations. This License does not restrict any Contributor from engaging in similar specification development projects. Each Contributor may design, develop, manufacture, acquire or market competitive deliverables, products, and services, and conduct its business, in whatever way it chooses. No Contributor is obligated to announce or market any products or services. Without limiting the generality of the foregoing, the Contributors agree not to have any discussion relating to any product pricing, methods or channels of product distribution, division of markets, allocation of customers or any other topic that should not be discussed among competitors under the auspices of the Working Group.
7. Non-Circumvention. Contributor agrees that it will not intentionally take or willfully assist any third party to take any action for the purpose of circumventing any obligations under this License.
8. Representations, Warranties and Disclaimers.
8.1. Representations, Warranties and Disclaimers. Contributor and Licensee represents and warrants that 1) it is legally entitled to grant the rights set forth in this License and 2) it will not intentionally include any third party materials in any Contribution unless those materials are available under terms that do not conflict with this License. IN ALL OTHER RESPECTS ITS CONTRIBUTIONS ARE PROVIDED "AS IS." The entire risk as to implementing or otherwise using the Contribution or the Specification is assumed by the implementer and user. Except as stated herein, CONTRIBUTOR AND LICENSEE EXPRESSLY DISCLAIM ANY WARRANTIES (EXPRESS, IMPLIED, OR OTHERWISE), INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT, FITNESS FOR A PARTICULAR PURPOSE, CONDITIONS OF QUALITY, OR TITLE, RELATED TO THE CONTRIBUTION OR THE SPECIFICATION. IN NO EVENT WILL ANY PARTY BE LIABLE TO ANY OTHER PARTY FOR LOST PROFITS OR ANY FORM OF INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY CHARACTER FROM ANY CAUSES OF ACTION OF ANY KIND WITH RESPECT TO THIS AGREEMENT, WHETHER BASED ON BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), OR OTHERWISE, AND WHETHER OR NOT THE OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Any obligations regarding the transfer, successors in interest, or assignment of Necessary Claims will be satisfied if Contributor or Licensee notifies the transferee or assignee of any patent that it knows contains Necessary Claims or necessary claims under this License. Nothing in this License requires Contributor to undertake a patent search. If Contributor is 1) employed by or acting on behalf of an employer, 2) is making a Contribution under the direction or control of a third party, or 3) is making the Contribution as a consultant, contractor, or under another similar relationship with a third party, Contributor represents that they have been authorized by that party to enter into this License on its behalf.
8.2. Distribution Disclaimer. Any distributions of technical information to third parties must include a notice materially similar to the following: "THESE MATERIALS ARE PROVIDED "AS IS." The Contributors and Licensees expressly disclaim any warranties (express, implied, or otherwise), including implied warranties of merchantability, non-infringement, fitness for a particular purpose, or title, related to the materials. The entire risk as to implementing or otherwise using the materials is assumed by the implementer and user. IN NO EVENT WILL THE CONTRIBUTORS OR LICENSEES BE LIABLE TO ANY OTHER PARTY FOR LOST PROFITS OR ANY FORM OF INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY CHARACTER FROM ANY CAUSES OF ACTION OF ANY KIND WITH RESPECT TO THIS DELIVERABLE OR ITS GOVERNING AGREEMENT, WHETHER BASED ON BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), OR OTHERWISE, AND WHETHER OR NOT THE OTHER MEMBER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE."
9. Definitions.
9.1. Affiliate. "Affiliate" means an entity that directly or indirectly Controls, is Controlled by, or is under common Control of that party.
9.2. Approved Specification. "Approved Specification" means the final version and contents of any Draft Specification designated as an Approved Specification as set forth in the accompanying Governance.md file.
9.3. Contribution. "Contribution" means any original work of authorship, including any modifications or additions to an existing work, that Contributor submits for inclusion in a Draft Specification, which is included in a Draft Specification or Approved Specification.
9.4. Contributor. "Contributor" means any person or entity that has indicated its acceptance of the License 1) by making a Contribution to the Specification, or 2) by entering into the Community Specification Contributor License Agreement for the Specification. Contributor includes its Affiliates, assigns, agents, and successors in interest.
9.5. Control. "Control" means direct or indirect control of more than 50% of the voting power to elect directors of that corporation, or for any other entity, the power to direct management of such entity.
9.6. Draft Specification. "Draft Specification" means all versions of the material (except an Approved Specification) developed by this Working Group for the purpose of creating, commenting on, revising, updating, modifying, or adding to any document that is to be considered for inclusion in the Approved Specification.
9.7. Exclusion Notice. "Exclusion Notice" means a written notice made by making a pull request or commit to the repository's Notices.md file that identifies patents that Contributor is excluding from its patent licensing commitments under this License. The Exclusion Notice for issued patents and published applications must include the Draft Specification's name, patent number(s) or title and application number(s), as the case may be, for each of the issued patent(s) or pending patent application(s) that the Contributor is excluding from the royalty-free licensing commitment set forth in this License. If an issued patent or pending patent application that may contain Necessary Claims is not set forth in the Exclusion Notice, those Necessary Claims shall continue to be subject to the licensing commitments under this License. The Exclusion Notice for unpublished patent applications must provide either: (i) the text of the filed application; or (ii) identification of the specific part(s) of the Draft Specification whose implementation makes the excluded claim a Necessary Claim. If (ii) is chosen, the effect of the exclusion will be limited to the identified part(s) of the Draft Specification.
9.8. Implementation. "Implementation" means making, using, selling, offering for sale, importing or distributing any implementation of the Specification 1) only to the extent it implements the Specification and 2) so long as all required portions of the Specification are implemented.
9.9. License. "License" means this Community Specification License.
9.10. Licensee. "Licensee" means any person or entity that has indicated its acceptance of the License as set forth in Section 2.1.3. Licensee includes its Affiliates, assigns, agents, and successors in interest.
9.11. Necessary Claims. "Necessary Claims" are those patent claims, if any, that a party owns or controls, including those claims later acquired, that are necessary to implement the required portions (including the required elements of optional portions) of the Specification that are described in detail and not merely referenced in the Specification.
9.12. Specification. "Specification" means a Draft Specification or Approved Specification included in the Working Group's repository subject to this License, and the version of the Specification implemented by the Licensee.
9.13. Scope. "Scope" has the meaning as set forth in the accompanying Scope.md file included in this Specification's repository. Changes to Scope do not apply retroactively. If no Scope is provided, each Contributor's Necessary Claims are limited to that Contributor's Contributions.
9.14. Working Group. "Working Group" means this project to develop specifications, standards, best practices, guidelines, and other similar materials under this License.
The text of this Community Specification License is Copyright 2020 Joint Development Foundation and is licensed under the Creative Commons Attribution 4.0 International License available at https://creativecommons.org/licenses/by/4.0/.
SPDX-License-Identifier: CC-BY-4.0
= = = = =
Creative Commons Attribution 3.0 Unported
CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE LEGAL SERVICES. DISTRIBUTION OF THIS LICENSE DOES NOT CREATE AN ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES REGARDING THE INFORMATION PROVIDED, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM ITS USE.
License
THE WORK (AS DEFINED BELOW) IS PROVIDED UNDER THE TERMS OF THIS CREATIVE COMMONS PUBLIC LICENSE ("CCPL" OR "LICENSE"). THE WORK IS PROTECTED BY COPYRIGHT AND/OR OTHER APPLICABLE LAW. ANY USE OF THE WORK OTHER THAN AS AUTHORIZED UNDER THIS LICENSE OR COPYRIGHT LAW IS PROHIBITED.
BY EXERCISING ANY RIGHTS TO THE WORK PROVIDED HERE, YOU ACCEPT AND AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE. TO THE EXTENT THIS LICENSE MAY BE CONSIDERED TO BE A CONTRACT, THE LICENSOR GRANTS YOU THE RIGHTS CONTAINED HERE IN CONSIDERATION OF YOUR ACCEPTANCE OF SUCH TERMS AND CONDITIONS.
1. Definitions
a. "Adaptation" means a work based upon the Work, or upon the Work and other pre-existing works, such as a translation, adaptation, derivative work, arrangement of music or other alterations of a literary or artistic work, or phonogram or performance and includes cinematographic adaptations or any other form in which the Work may be recast, transformed, or adapted including in any form recognizably derived from the original, except that a work that constitutes a Collection will not be considered an Adaptation for the purpose of this License. For the avoidance of doubt, where the Work is a musical work, performance or phonogram, the synchronization of the Work in timed-relation with a moving image ("synching") will be considered an Adaptation for the purpose of this License.
b. "Collection" means a collection of literary or artistic works, such as encyclopedias and anthologies, or performances, phonograms or broadcasts, or other works or subject matter other than works listed in Section 1(f) below, which, by reason of the selection and arrangement of their contents, constitute intellectual creations, in which the Work is included in its entirety in unmodified form along with one or more other contributions, each constituting separate and independent works in themselves, which together are assembled into a collective whole. A work that constitutes a Collection will not be considered an Adaptation (as defined above) for the purposes of this License.
c. "Distribute" means to make available to the public the original and copies of the Work or Adaptation, as appropriate, through sale or other transfer of ownership.
d. "Licensor" means the individual, individuals, entity or entities that offer(s) the Work under the terms of this License.
e. "Original Author" means, in the case of a literary or artistic work, the individual, individuals, entity or entities who created the Work or if no individual or entity can be identified, the publisher; and in addition (i) in the case of a performance the actors, singers, musicians, dancers, and other persons who act, sing, deliver, declaim, play in, interpret or otherwise perform literary or artistic works or expressions of folklore; (ii) in the case of a phonogram the producer being the person or legal entity who first fixes the sounds of a performance or other sounds; and, (iii) in the case of broadcasts, the organization that transmits the broadcast.
f. "Work" means the literary and/or artistic work offered under the terms of this License including without limitation any production in the literary, scientific and artistic domain, whatever may be the mode or form of its expression including digital form, such as a book, pamphlet and other writing; a lecture, address, sermon or other work of the same nature; a dramatic or dramatico-musical work; a choreographic work or entertainment in dumb show; a musical composition with or without words; a cinematographic work to which are assimilated works expressed by a process analogous to cinematography; a work of drawing, painting, architecture, sculpture, engraving or lithography; a photographic work to which are assimilated works expressed by a process analogous to photography; a work of applied art; an illustration, map, plan, sketch or three-dimensional work relative to geography, topography, architecture or science; a performance; a broadcast; a phonogram; a compilation of data to the extent it is protected as a copyrightable work; or a work performed by a variety or circus performer to the extent it is not otherwise considered a literary or artistic work.
g. "You" means an individual or entity exercising rights under this License who has not previously violated the terms of this License with respect to the Work, or who has received express permission from the Licensor to exercise rights under this License despite a previous violation.
h. "Publicly Perform" means to perform public recitations of the Work and to communicate to the public those public recitations, by any means or process, including by wire or wireless means or public digital performances; to make available to the public Works in such a way that members of the public may access these Works from a place and at a place individually chosen by them; to perform the Work to the public by any means or process and the communication to the public of the performances of the Work, including by public digital performance; to broadcast and rebroadcast the Work by any means including signs, sounds or images.
i. "Reproduce" means to make copies of the Work by any means including without limitation by sound or visual recordings and the right of fixation and reproducing fixations of the Work, including storage of a protected performance or phonogram in digital form or other electronic medium.
2. Fair Dealing Rights. Nothing in this License is intended to reduce, limit, or restrict any uses free from copyright or rights arising from limitations or exceptions that are provided for in connection with the copyright protection under copyright law or other applicable laws.
3. License Grant. Subject to the terms and conditions of this License, Licensor hereby grants You a worldwide, royalty-free, non-exclusive, perpetual (for the duration of the applicable copyright) license to exercise the rights in the Work as stated below:
a. to Reproduce the Work, to incorporate the Work into one or more Collections, and to Reproduce the Work as incorporated in the Collections;
b. to create and Reproduce Adaptations provided that any such Adaptation, including any translation in any medium, takes reasonable steps to clearly label, demarcate or otherwise identify that changes were made to the original Work. For example, a translation could be marked "The original work was translated from English to Spanish," or a modification could indicate "The original work has been modified.";
c. to Distribute and Publicly Perform the Work including as incorporated in Collections; and,
d. to Distribute and Publicly Perform Adaptations.
e. For the avoidance of doubt:
i. Non-waivable Compulsory License Schemes. In those jurisdictions in which the right to collect royalties through any statutory or compulsory licensing scheme cannot be waived, the Licensor reserves the exclusive right to collect such royalties for any exercise by You of the rights granted under this License;
ii. Waivable Compulsory License Schemes. In those jurisdictions in which the right to collect royalties through any statutory or compulsory licensing scheme can be waived, the Licensor waives the exclusive right to collect such royalties for any exercise by You of the rights granted under this License; and,
iii. Voluntary License Schemes. The Licensor waives the right to collect royalties, whether individually or, in the event that the Licensor is a member of a collecting society that administers voluntary licensing schemes, via that society, from any exercise by You of the rights granted under this License.
The above rights may be exercised in all media and formats whether now known or hereafter devised. The above rights include the right to make such modifications as are technically necessary to exercise the rights in other media and formats. Subject to Section 8(f), all rights not expressly granted by Licensor are hereby reserved.
4. Restrictions. The license granted in Section 3 above is expressly made subject to and limited by the following restrictions:
a. You may Distribute or Publicly Perform the Work only under the terms of this License. You must include a copy of, or the Uniform Resource Identifier (URI) for, this License with every copy of the Work You Distribute or Publicly Perform. You may not offer or impose any terms on the Work that restrict the terms of this License or the ability of the recipient of the Work to exercise the rights granted to that recipient under the terms of the License. You may not sublicense the Work. You must keep intact all notices that refer to this License and to the disclaimer of warranties with every copy of the Work You Distribute or Publicly Perform. When You Distribute or Publicly Perform the Work, You may not impose any effective technological measures on the Work that restrict the ability of a recipient of the Work from You to exercise the rights granted to that recipient under the terms of the License. This Section 4(a) applies to the Work as incorporated in a Collection, but this does not require the Collection apart from the Work itself to be made subject to the terms of this License. If You create a Collection, upon notice from any Licensor You must, to the extent practicable, remove from the Collection any credit as required by Section 4(b), as requested. If You create an Adaptation, upon notice from any Licensor You must, to the extent practicable, remove from the Adaptation any credit as required by Section 4(b), as requested.
b. If You Distribute, or Publicly Perform the Work or any Adaptations or Collections, You must, unless a request has been made pursuant to Section 4(a), keep intact all copyright notices for the Work and provide, reasonable to the medium or means You are utilizing: (i) the name of the Original Author (or pseudonym, if applicable) if supplied, and/or if the Original Author and/or Licensor designate another party or parties (e.g., a sponsor institute, publishing entity, journal) for attribution ("Attribution Parties") in Licensor's copyright notice, terms of service or by other reasonable means, the name of such party or parties; (ii) the title of the Work if supplied; (iii) to the extent reasonably practicable, the URI, if any, that Licensor specifies to be associated with the Work, unless such URI does not refer to the copyright notice or licensing information for the Work; and (iv) , consistent with Section 3(b), in the case of an Adaptation, a credit identifying the use of the Work in the Adaptation (e.g., "French translation of the Work by Original Author," or "Screenplay based on original Work by Original Author"). The credit required by this Section 4 (b) may be implemented in any reasonable manner; provided, however, that in the case of a Adaptation or Collection, at a minimum such credit will appear, if a credit for all contributing authors of the Adaptation or Collection appears, then as part of these credits and in a manner at least as prominent as the credits for the other contributing authors. 
For the avoidance of doubt, You may only use the credit required by this Section for the purpose of attribution in the manner set out above and, by exercising Your rights under this License, You may not implicitly or explicitly assert or imply any connection with, sponsorship or endorsement by the Original Author, Licensor and/or Attribution Parties, as appropriate, of You or Your use of the Work, without the separate, express prior written permission of the Original Author, Licensor and/or Attribution Parties.
c. Except as otherwise agreed in writing by the Licensor or as may be otherwise permitted by applicable law, if You Reproduce, Distribute or Publicly Perform the Work either by itself or as part of any Adaptations or Collections, You must not distort, mutilate, modify or take other derogatory action in relation to the Work which would be prejudicial to the Original Author's honor or reputation. Licensor agrees that in those jurisdictions (e.g. Japan), in which any exercise of the right granted in Section 3(b) of this License (the right to make Adaptations) would be deemed to be a distortion, mutilation, modification or other derogatory action prejudicial to the Original Author's honor and reputation, the Licensor will waive or not assert, as appropriate, this Section, to the fullest extent permitted by the applicable national law, to enable You to reasonably exercise Your right under Section 3(b) of this License (right to make Adaptations) but not otherwise.
5. Representations, Warranties and Disclaimer
UNLESS OTHERWISE MUTUALLY AGREED TO BY THE PARTIES IN WRITING, LICENSOR OFFERS THE WORK AS-IS AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND CONCERNING THE WORK, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING, WITHOUT LIMITATION, WARRANTIES OF TITLE, MERCHANTIBILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR THE ABSENCE OF LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OF ABSENCE OF ERRORS, WHETHER OR NOT DISCOVERABLE. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO SUCH EXCLUSION MAY NOT APPLY TO YOU.
6. Limitation on Liability. EXCEPT TO THE EXTENT REQUIRED BY APPLICABLE LAW, IN NO EVENT WILL LICENSOR BE LIABLE TO YOU ON ANY LEGAL THEORY FOR ANY SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR EXEMPLARY DAMAGES ARISING OUT OF THIS LICENSE OR THE USE OF THE WORK, EVEN IF LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
7. Termination
a. This License and the rights granted hereunder will terminate automatically upon any breach by You of the terms of this License. Individuals or entities who have received Adaptations or Collections from You under this License, however, will not have their licenses terminated provided such individuals or entities remain in full compliance with those licenses. Sections 1, 2, 5, 6, 7, and 8 will survive any termination of this License.
b. Subject to the above terms and conditions, the license granted here is perpetual (for the duration of the applicable copyright in the Work). Notwithstanding the above, Licensor reserves the right to release the Work under different license terms or to stop distributing the Work at any time; provided, however that any such election will not serve to withdraw this License (or any other license that has been, or is required to be, granted under the terms of this License), and this License will continue in full force and effect unless terminated as stated above.
8. Miscellaneous
a. Each time You Distribute or Publicly Perform the Work or a Collection, the Licensor offers to the recipient a license to the Work on the same terms and conditions as the license granted to You under this License.
b. Each time You Distribute or Publicly Perform an Adaptation, Licensor offers to the recipient a license to the original Work on the same terms and conditions as the license granted to You under this License.
c. If any provision of this License is invalid or unenforceable under applicable law, it shall not affect the validity or enforceability of the remainder of the terms of this License, and without further action by the parties to this agreement, such provision shall be reformed to the minimum extent necessary to make such provision valid and enforceable.
d. No term or provision of this License shall be deemed waived and no breach consented to unless such waiver or consent shall be in writing and signed by the party to be charged with such waiver or consent. This License constitutes the entire agreement between the parties with respect to the Work licensed here. There are no understandings, agreements or representations with respect to the Work not specified here. Licensor shall not be bound by any additional provisions that may appear in any communication from You.
e. This License may not be modified without the mutual written agreement of the Licensor and You.
f. The rights granted under, and the subject matter referenced, in this License were drafted utilizing the terminology of the Berne Convention for the Protection of Literary and Artistic Works (as amended on September 28, 1979), the Rome Convention of 1961, the WIPO Copyright Treaty of 1996, the WIPO Performances and Phonograms Treaty of 1996 and the Universal Copyright Convention (as revised on July 24, 1971). These rights and subject matter take effect in the relevant jurisdiction in which the License terms are sought to be enforced according to the corresponding provisions of the implementation of those treaty provisions in the applicable national law. If the standard suite of rights granted under applicable copyright law includes additional rights not granted under this License, such additional rights are deemed to be included in the License; this License is not intended to restrict the license of any rights under applicable law.
Creative Commons Notice
Creative Commons is not a party to this License, and makes no warranty whatsoever in connection with the Work. Creative Commons will not be liable to You or any party on any legal theory for any damages whatsoever, including without limitation any general, special, incidental or consequential damages arising in connection to this license. Notwithstanding the foregoing two (2) sentences, if Creative Commons has expressly identified itself as the Licensor hereunder, it shall have all rights and obligations of Licensor.
Except for the limited purpose of indicating to the public that the Work is licensed under the CCPL, Creative Commons does not authorize the use by either party of the trademark "Creative Commons" or any related trademark or logo of Creative Commons without the prior written consent of Creative Commons. Any permitted use will be in compliance with Creative Commons' then-current trademark usage guidelines, as may be published on its website or otherwise made available upon request from time to time. For the avoidance of doubt, this trademark restriction does not form part of this License.
Creative Commons may be contacted at http://creativecommons.org/.
= = = = =
MIT License
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
================================================
FILE: README.md
================================================
# The System Package Data Exchange™ (SPDX®) Specification
The System Package Data Exchange™ (SPDX®) specification is an open standard
designed to represent systems containing software components as
Software Bill of Materials (SBOMs).
Additionally, SPDX supports AI, data, and security references,
making it suitable for a wide range of risk management use cases.
The SPDX standard helps facilitate compliance with free and open source
software licenses by standardizing the way license information is shared across
the software supply chain. SPDX reduces redundant work by providing a common
format for companies and communities to share important data about software
licenses and copyrights, thereby streamlining and improving compliance.
Current stable version:
- The current stable specification is available at:
<https://spdx.github.io/spdx-spec/>
Next version (work in progress):
- A preview of the next version, currently under active development, is
available at:
<https://spdx.github.io/spdx-spec/develop/>
(This website is automatically updated with each commit to the `develop`
branch).
Translations of the specification may be available.
English remains the normative language in all cases.
## Specification development
The specification is composed of the documents located in the [`docs/`](./docs/)
directory of this `spdx/spdx-spec` repository,
together with model documentation generated from Markdown files in the
[spdx/spdx-3-model](https://github.com/spdx/spdx-3-model/) repository.
Contributions, including translations, are welcome.
Contributions to this repository are made pursuant to the
[SPDX Community Specification Contributor License Agreement 1.0][cla].
Please see the contributing guidelines, governance practices,
and build instructions in the
[related documents](#related-documents-and-repositories) section.
[cla]: https://github.com/spdx/governance/blob/main/0._SPDX_Contributor_License_Agreement.md
## Repository structure
This repository consists of these files and directories (partial):
- `.github/workflows/` - Workflow definitions.
  - [`publish_v3.yml`](.github/workflows/publish_v3.yml)
    The website (HTML) generation workflow.
- `bin/` - Scripts for spec generation.
- `docs/` - Specification content:
  - `annexes/` - Annexes for the specification.
  - `css/` - Style sheets for HTML.
  - `front/` - Front matter.
  - `images/` - Model diagrams. These image files are to be generated from a
    diagram description file
    [model.drawio](https://github.com/spdx/spdx-3-model/blob/develop/docs/model.drawio)
    in the `spdx/spdx-3-model` repo and manually copied here.
  - `licenses/` - Licenses used by the SPDX specifications.
  - `model/` - Model files. This subdirectory _is to be created_ by a script
    from the `spdx/spec-parser` repo, using model information from the
    `spdx/spdx-3-model` repo (see the [build instructions](./build.md)).
- `examples/` - Examples of various SPDX serializations for the current version
  of the spec.
- `rdf/` - Model RDF files. These ontology files are generated from model
  Markdown files in the `spdx/spdx-3-model` repo and manually copied here.
- `mkdocs.yml` - MkDocs recipe for the spec documentation generation. The
  inclusion of model files and the order of chapters are defined here.
## Branch structure
The SPDX spec repo follows the [Gitflow][gitflow] workflow with the addition of support branches.
[gitflow]: https://gist.github.com/HeratPatel/271b5d2304de2e2cd1823b9b62bf43e0
The branches in use are:
- `main` - This will always be the latest released specification.
- `develop` - This branch will be where the active development for the next
major or minor version takes place.
Once released, the `develop` branch will be merged into the `main` branch.
- `support/x.y` - These branches will be long-lived and contain any updates to
a minor version of the specification.
`x.y` represents the MAJOR.MINOR version, following Semantic Versioning
(SemVer) conventions.
Once any changes are accepted and released, the support branch will be tagged
and merged into both `develop` and `main` branches.
- General feature or fix branches - there may be feature branches made for
specific enhancements or fixes to the spec.
These will be short-lived and merged into either a `support` branch or the
`develop` branch.
- `gh-pages` - This branch hosts generated HTML websites for all versions of
the specification. It is primarily managed by an automated workflow.
## Related documents and repositories
| Documentation | Link |
| ------------- | ---- |
| Changes between versions | [CHANGELOG.md](./CHANGELOG.md) |
| Contributing guidelines | [CONTRIBUTING.md](./CONTRIBUTING.md) |
| Building the specification website (for testing purpose) | [build.md](build.md) |
| Governance practices | [spdx/governance](https://github.com/spdx/governance/) |
| SPDX 3 model development | [spdx/spdx-3-model](https://github.com/spdx/spdx-3-model/) |
| Model specification parser | [spdx/spec-parser](https://github.com/spdx/spec-parser/) |
| How to use the specification | [spdx/using](https://github.com/spdx/using/) |
| Use cases and scenarios | [spdx/spdx-examples](https://github.com/spdx/spdx-examples/) |
| SPDX website, with more information about the specification | <https://spdx.org> |
| Official releases of the specification, including PDFs | <https://spdx.org/specifications> |
================================================
FILE: bin/check-examples.sh
================================================
#! /bin/bash
#
# Validates SPDX examples, both in separate files and inline in the
# documentation
#
# SPDX-License-Identifier: MIT
# SPDX-FileCopyrightText: Copyright 2024 The SPDX Contributors

set -e

THIS_DIR="$(dirname "$0")"
MD_DIR=docs/annexes
JSON_DIR=examples/jsonld

SPDX_VERSION="3.0.1"
SCHEMA_URL="https://spdx.org/schema/${SPDX_VERSION}/spdx-json-schema.json"
RDF_URL="https://spdx.org/rdf/${SPDX_VERSION}/spdx-model.ttl"
CONTEXT_URL="https://spdx.org/rdf/${SPDX_VERSION}/spdx-context.jsonld"

# print validation setup (the spdx.org URLs redirect; show where they resolve to)
echo "Checking examples in"
echo "Snippets         : $MD_DIR"
echo "Files            : $JSON_DIR"
echo "SPDX version     : $SPDX_VERSION"
echo "Schema           : $SCHEMA_URL"
echo "Schema resolved  : $(curl -I "$SCHEMA_URL" 2>/dev/null | grep -i "location:" | awk '{print $2}')"
echo "RDF              : $RDF_URL"
echo "RDF resolved     : $(curl -I "$RDF_URL" 2>/dev/null | grep -i "location:" | awk '{print $2}')"
echo "Context          : $CONTEXT_URL"
echo "Context resolved : $(curl -I "$CONTEXT_URL" 2>/dev/null | grep -i "location:" | awk '{print $2}')"
check-jsonschema --version
echo "spdx3-validate version: $(spdx3-validate --version)"
echo ""

check_schema() {
    echo "Checking schema (check-jsonschema): $1"
    check-jsonschema \
        --verbose \
        --schemafile "$SCHEMA_URL" \
        "$1"
}

check_spdx() {
    echo "SPDX 3 Validating (spdx3-validate): $1"
    spdx3-validate --json "$1"
}

# Check examples in JSON files in examples/jsonld/
if [ "$(ls "$THIS_DIR/../$JSON_DIR"/*.json 2>/dev/null)" ]; then
    for f in "$THIS_DIR/../$JSON_DIR"/*.json; do
        check_schema "$f"
        echo ""
        check_spdx "$f"
        echo ""
    done
fi

# Check examples in inline code snippets in Markdown files in docs/annexes/
TEMP=$(mktemp -d)
for f in "$THIS_DIR/../$MD_DIR"/*.md; do
    if ! grep -q '^```json' "$f"; then
        continue
    fi
    echo "Extract snippets from $f"
    DEST=$TEMP/$(basename "$f")
    mkdir -p "$DEST"
    # Read inline code snippets and save them in separate, numbered files:
    # every opening ```json fence starts a new file, the fence lines are skipped.
    awk -v DEST="$DEST" 'BEGIN{flag=0} /^```json/, $0=="```" { if (/^```json/){flag++} else if ($0 !~ /^```.*/ ) print $0 > DEST "/doc-" flag ".spdx.json"}' "$f"
    # Combine all JSON code snippets into a single file, with SPDX context and creation info.
    COMBINED_JSON=$DEST/__combined.json
    echo "[" > "$COMBINED_JSON"
    for doc in "$DEST"/*.spdx.json; do
        if ! grep -q '@context' "$doc"; then
            # A bare fragment (no "@context"): wrap it in a document with the
            # SPDX context and a dummy CreationInfo so it validates on its own.
            # The fragment is expected to end with a trailing comma.
            mv "$doc" "$doc.fragment"
            cat >> "$doc" <<HEREDOC
{
    "@context": "$CONTEXT_URL",
    "@graph": [
HEREDOC
            cat "$doc.fragment" >> "$doc"
            cat >> "$doc" <<HEREDOC
        {
            "type": "CreationInfo",
            "@id": "_:creationInfo",
            "specVersion": "$SPDX_VERSION",
            "created": "2024-04-23T00:00:00Z",
            "createdBy": [
                {
                    "type": "Agent",
                    "spdxId": "http://spdx.dev/dummy-agent",
                    "creationInfo": "_:creationInfo"
                }
            ]
        }
    ]
}
HEREDOC
        fi
        check_schema "$doc"
        echo ""
        cat "$doc" >> "$COMBINED_JSON"
        echo "," >> "$COMBINED_JSON"
    done
    # A trailing empty object absorbs the last comma, so the combined file is
    # a valid JSON array of documents.
    echo "{}]" >> "$COMBINED_JSON"
    check_spdx "$COMBINED_JSON"
    echo ""
done
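The snippet extraction and wrapping that the script above does with awk and a heredoc, in Python, as an added example that is not part of spdx/spdx-spec. Beyond re-creating those two steps it runs an offline structural pre-check (the text parses as JSON, every node in `@graph` has a `type`, every node other than the CreationInfo has an `spdxId` and a `creationInfo` that resolves to a `CreationInfo` `@id` in the same document), which the script leaves entirely to check-jsonschema and spdx3-validate. The function names (`extract_json_snippets`, `wrap_fragment`, `precheck_document`, `check_markdown`), the sample Markdown and the `example.invalid` identifiers are this example's own; the context URL, spec version and dummy agent are the values the script uses; the pre-check rules are a hand-picked subset of what the validators enforce, not a replacement for them.

```python
"""Extract fenced json snippets from Markdown, wrap bare fragments in an
SPDX 3 document envelope and pre-check them offline (stdlib only).
Added example, not code from spdx/spdx-spec; the context URL, spec
version and dummy agent are the values bin/check-examples.sh uses."""
import json
import re

SPDX_VERSION = "3.0.1"
CONTEXT_URL = "https://spdx.org/rdf/%s/spdx-context.jsonld" % SPDX_VERSION

# Spelled out as a product so the sample below cannot close this code block.
FENCE = "`" * 3
# One match per fenced json block; group 1 is the body without the fences.
FENCE_RE = re.compile(
    "^" + FENCE + r"json[ \t]*\n(.*?)^" + FENCE + r"[ \t]*$",
    re.MULTILINE | re.DOTALL)


def extract_json_snippets(markdown):
    """Return the body of every fenced json block, in document order."""
    return [m.group(1) for m in FENCE_RE.finditer(markdown)]


def wrap_fragment(fragment):
    """Wrap a bare element in a document with the SPDX context and a dummy
    CreationInfo, as the shell script's heredoc does. A snippet that already
    carries "@context" is a complete document and is returned unchanged."""
    if "@context" in fragment:
        return fragment
    creation_info = {
        "type": "CreationInfo",
        "@id": "_:creationInfo",
        "specVersion": SPDX_VERSION,
        "created": "2024-04-23T00:00:00Z",
        "createdBy": [{"type": "Agent",
                       "spdxId": "http://spdx.dev/dummy-agent",
                       "creationInfo": "_:creationInfo"}],
    }
    # The shell script relies on the snippet ending in a comma so that the
    # CreationInfo object can follow it; here the comma is added if missing.
    body = fragment.rstrip()
    if not body.endswith(","):
        body += ","
    return '{"@context": %s, "@graph": [%s %s]}' % (
        json.dumps(CONTEXT_URL), body, json.dumps(creation_info))


def precheck_document(doc_text):
    """Structural pre-check; returns a list of problems (empty means ok).
    The rules are this example's own, a small subset of what the SPDX 3
    validators enforce: valid JSON, an "@graph" array, a "type" on every
    node, and on every node other than a CreationInfo an "spdxId" plus a
    "creationInfo" that resolves to a CreationInfo "@id" in the document."""
    try:
        doc = json.loads(doc_text)
    except json.JSONDecodeError as exc:
        return ["not valid JSON: %s" % exc]
    graph = doc.get("@graph") if isinstance(doc, dict) else None
    if not isinstance(graph, list):
        return ["missing or non-array @graph"]
    creation_ids = {node.get("@id") for node in graph
                    if isinstance(node, dict) and node.get("type") == "CreationInfo"}
    problems = []
    for i, node in enumerate(graph):
        if not isinstance(node, dict) or "type" not in node:
            problems.append("node %d: missing type" % i)
            continue
        if node["type"] == "CreationInfo":
            continue
        if "spdxId" not in node:
            problems.append("node %d: missing spdxId" % i)
        ref = node.get("creationInfo")
        if ref not in creation_ids:
            problems.append("node %d: creationInfo %r does not resolve" % (i, ref))
    return problems


def check_markdown(markdown):
    """Extract, wrap and pre-check every snippet; returns (index, problems)."""
    return [(i, precheck_document(wrap_fragment(s)))
            for i, s in enumerate(extract_json_snippets(markdown))]


# Constructed sample: a bare fragment with the trailing comma the annex
# snippets are assumed to carry, then a complete document whose element
# lacks creationInfo. The example.invalid URLs are placeholders.
SAMPLE_MARKDOWN = "\n".join([
    "A bare element:", "", FENCE + "json",
    "{",
    '    "type": "Person",',
    '    "spdxId": "https://example.invalid/Agent/JaneDoe",',
    '    "creationInfo": "_:creationInfo",',
    '    "name": "Jane Doe"',
    "},",
    FENCE, "", "A complete document:", "", FENCE + "json",
    "{",
    '    "@context": "%s",' % CONTEXT_URL,
    '    "@graph": [',
    '        {"type": "Person", "spdxId": "https://example.invalid/Agent/NoCreationInfo"}',
    "    ]",
    "}",
    FENCE, "",
])

if __name__ == "__main__":
    for index, problems in check_markdown(SAMPLE_MARKDOWN):
        print("snippet %d: %s" % (index, problems or "ok"))
```

Run directly, the first snippet passes and the second is reported for its unresolved `creationInfo`. Because the pre-check needs no network access it fits a pre-commit hook; the authoritative schema and SHACL validation stays with the script in CI.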
================================================
FILE: bin/make-mkdocs-config.sh
================================================
#! /bin/sh
#
# SPDX-License-Identifier: MIT
#
# Finds MODEL_PLACEHOLDER string in BASE_YML,
# replaces it with the content from MODEL_YML.

usage() {
    echo "Make MkDocs config"
    echo ""
    echo "Combines model file list (MODEL_YML)"
    echo "with the base MkDocs configuration file (BASE_YML),"
    echo "to produce the full MkDocs configuration file (FULL_YML)."
    echo ""
    echo "Usage: $0 -b <BASE_YML> -m <MODEL_YML> -f <FULL_YML> [-p <MODEL_PLACEHOLDER>]"
    echo ""
    echo "Inputs:"
    echo "  BASE_YML  : a base MkDocs configuration file (usually, it is 'mkdocs.yml')."
    echo "  MODEL_YML : a model file list ('mkdocs-files.yml' from spec-parser)."
    echo ""
    echo "Output:"
    echo "  FULL_YML  : a full MkDocs configuration, combining BASE_YML and MODEL_YML."
    echo ""
    echo "Option:"
    echo "  MODEL_PLACEHOLDER : a string inside BASE_YML that will be replaced by"
    echo "                      the content from MODEL_YML. Default: '__MODEL_PLACEHOLDER__'"
    echo ""
    exit 1
}

while getopts "b:p:m:f:" opt; do
    case $opt in
        b) BASE_YML="$OPTARG" ;;
        m) MODEL_YML="$OPTARG" ;;
        f) FULL_YML="$OPTARG" ;;
        p) MODEL_PLACEHOLDER="$OPTARG" ;;
        *) usage ;;
    esac
done

# Set default value for MODEL_PLACEHOLDER if not provided
if [ -z "$MODEL_PLACEHOLDER" ]; then
    MODEL_PLACEHOLDER="__MODEL_PLACEHOLDER__"
fi

if [ -z "$BASE_YML" ] || [ -z "$MODEL_PLACEHOLDER" ] || [ -z "$MODEL_YML" ] || [ -z "$FULL_YML" ]; then
    usage
fi

# Read MODEL_YML in at the line that carries the placeholder ...
sed -e "\|- model.*#.*$MODEL_PLACEHOLDER.*|{
r $MODEL_YML
a\\
d
}" "$BASE_YML" > "$FULL_YML"

# ... and drop any placeholder line that is still present.
TEMP_FILE=$(mktemp)
sed "/$MODEL_PLACEHOLDER/d" "$FULL_YML" > "$TEMP_FILE"
mv "$TEMP_FILE" "$FULL_YML"
================================================
FILE: bin/pull-license-list.py
================================================
#!/usr/bin/env python3
#
# Automatically update the license- and exception-list Markdown based
# on the currently-live JSON.
#
# usage: ./bin/pull-license-list.py
#
# SPDX-License-Identifier: MIT

import itertools
import json
import os.path
import re
import sys
import urllib.request

if sys.version_info < (3, 6):
    raise RuntimeError('this script requires Python 3.6+')

# Matches the sentence recording which License List version and release
# date the Markdown was generated from, so both can be rewritten in place.
VERSION_REGEXP = re.compile(
    pattern=r'(.* SPDX License List, v)([^ ]*)( which was released )([^.]*)(\..*)',
    flags=re.DOTALL)


def get_json(url):
    with urllib.request.urlopen(url=url) as body:
        return json.load(body)


def format_table(headers, rows):
    """Yield a Markdown table, one line at a time, with padded columns."""
    # Width of each column: the widest cell in it, the header included.
    widths = [
        max(len(row[i]) for row in rows + [headers])
        for i, _ in enumerate(headers)
    ]
    # Row template such as '| {0:{1}} | {2:{3}} |\n': even positional
    # arguments are the cells, odd ones the widths used for padding.
    template = '| {} |\n'.format(' | '.join(
        ('{' + '{}:{{{}}}'.format(2*i, 2*i + 1) + '}')
        for i, _ in enumerate(headers)
    ))
    yield template.format(*itertools.chain(*zip(headers, widths)))
    yield '|{}|\n'.format('|'.join('-' * (width + 2) for width in widths))
    for row in rows:
        yield template.format(*itertools.chain(*zip(row, widths)))
    yield '\n'


def format_license_table(license_list):
    yield from format_table(
        headers=['Full Name of License', 'Short Identifier', 'OSI?'],
        rows=[
            [
                license['name'],
                '[{0}](https://spdx.org/licenses/{0}.html)'.format(
                    license['licenseId']),
                'Y' if license['isOsiApproved'] else '',
            ]
            for license in sorted(
                license_list['licenses'],
                key=lambda license: license['licenseId'].lower())
            if not license.get('isDeprecatedLicenseId')
        ],
    )


def format_deprecated_license_table(license_list):
    yield from format_table(
        headers=['Full Name of License', 'Deprecated SPDX Short Identifier'],
        rows=[
            [
                license['name'],
                '[{0}](https://spdx.org/licenses/{0}.html)'.format(
                    license['licenseId']),
            ]
            for license in sorted(
                license_list['licenses'],
                key=lambda license: license['licenseId'].lower())
            if license.get('isDeprecatedLicenseId')
        ],
    )


def format_exception_table(exception_list):
    yield from format_table(
        headers=['Full Name of Exception', 'SPDX License Exception'],
        rows=[
            [
                exception['name'].replace('\n', ' '),
                '[{0}](https://spdx.org/licenses/{0}.html)'.format(
                    exception['licenseExceptionId']),
            ]
            for exception in sorted(
                exception_list['exceptions'],
                key=lambda exception: exception['licenseExceptionId'].lower())
            if not exception.get('isDeprecatedLicenseId')
        ],
    )


if __name__ == '__main__':
    license_list = get_json(url='https://spdx.org/licenses/licenses.json')
    exception_list = get_json(url='https://spdx.org/licenses/exceptions.json')
    # Both lists must come from the same License List release.
    for key in ['licenseListVersion', 'releaseDate']:
        if license_list.get(key) != exception_list.get(key):
            raise ValueError(
                '{} mismatch: {} (license list) != {} (exception list)'
                .format(
                    key,
                    license_list.get(key),
                    exception_list.get(key)))
    # The Markdown holds three tables, in this order; each existing table
    # is replaced by the freshly generated one.
    table_content = [
        format_license_table(license_list=license_list),
        format_exception_table(exception_list=exception_list),
        format_deprecated_license_table(license_list=license_list),
    ]
    path = os.path.join('chapters', 'appendix-I-SPDX-license-list.md')
    lines = []
    with open(path, 'r') as f:
        in_table = False
        for line in f.readlines():
            if in_table:
                if not line.startswith('|'):
                    in_table = False
                    if table_content:
                        lines.extend(table_content.pop(0))
            elif line.startswith('|'):
                in_table = True
            else:
                match = VERSION_REGEXP.match(line)
                if match:
                    leader, version, middle, release_date, tail = match.groups()
                    lines.append('{}{}{}{}{}'.format(
                        leader,
                        license_list['licenseListVersion'],
                        middle,
                        license_list['releaseDate'],
                        tail,
                    ))
                else:
                    lines.append(line)
    if in_table and table_content:
        lines.extend(table_content.pop(0))
    while lines[-1] == '\n':
        lines.pop()
    with open(path, 'w') as f:
        for line in lines:
            f.write(line)
================================================
FILE: build.md
================================================
---
SPDX-FileType: DOCUMENTATION
SPDX-License-Identifier: Community-Spec-1.0
---
# Building the specification website
You may want to build the specification website locally to test your additions
and edits and review if they render as intended.
```text
+-------------------+
|[spdx-3-model] |
| +- model/ ---- Constrained-Markdown files -+
| +- model.drawio -----------------+ |
+-------------------+ | |
| |
+-------------------+ v |
|[spdx-spec] | draw.io |
| +- docs/ | (manual) v
| | +- annexes/ | | spec-parser
| | +- front/ | | |
| | +- images/ <---- PNG images --+ |
| | +- licenses/ | |
| | +- model/ <----- Processed Markdown files ---+
| | +- rdf/ <----- RDF files ------------------+
| | +- *.md |
| | +- index.md |
| +- mkdocs.yml |
+-------------------+
|
MkDocs
|
v
+-------------------+
| HTML website |
| +- annexes/ |
| +- ... |
| +- *.md |
| +- index.html |
+-------------------+
```
## Table of contents
1. [Prerequisites](#1-prerequisites)
1. [Getting input files](#2-getting-input-files)
1. [Processing model files (Markdown and RDF)](#3-processing-model-files-markdown-and-rdf)
- [Generating model files with spec-parser](#31-generating-model-files-with-spec-parser)
- [Generating a complete MkDocs configuration file](#32-generating-a-complete-mkdocs-configuration-file)
1. [Building HTML](#4-building-html)
1. [Configuring the website](#5-configuring-the-website)
1. [Specification versions on spdx.github.io](#6-specification-versions-on-spdxgithubio)
## 1. Prerequisites
Apart from Git and Python, you need to have [MkDocs](http://mkdocs.org)
installed on your machine. If you don't have it installed yet, please follow
these [installation instructions](http://www.mkdocs.org/#installation).
`mkdocs.yml` is the configuration file for MkDocs.
<!--
[WeasyPrint](https://doc.courtbouillon.org/weasyprint/stable/first_steps.html#installation)
is also required for generating PDF files. To enable PDF generation, set the
`ENABLE_PDF_EXPORT` environment variable to `1`.
-->
## 2. Getting input files
Next, you have to get the model files, the other specification files
(main chapters, annexes, front matter, and licenses),
and the model parser, by cloning these repositories:
[`spdx/spdx-3-model`](https://github.com/spdx/spdx-3-model),
[`spdx/spdx-spec`](https://github.com/spdx/spdx-spec), and
[`spdx/spec-parser`](https://github.com/spdx/spec-parser)
to these paths: `spdx-3-model`, `spdx-spec`, and `spec-parser`, respectively:
```shell
git clone https://github.com/spdx/spdx-3-model.git
git clone https://github.com/spdx/spdx-spec.git
git clone https://github.com/spdx/spec-parser.git
```
Install their Python prerequisites:
```shell
pip3 install -r spdx-spec/requirements.txt
pip3 install -r spec-parser/requirements.txt
```
## 3. Processing model files (Markdown and RDF)
*If you only want to review the non-model parts of the specification*
*(e.g., chapters and annexes), you can skip to [step 4](#4-building-html).*
Model files in the `spdx/spdx-3-model` repository are written in a constrained
Markdown format, with [a predefined set of section headings][format].
The `spec-parser` processes these model files to generate both ontology files
and final Markdown files suitable for MkDocs.
The `spec-parser` also performs automatic formatting on the resulting Markdown
files. For instance, it converts a list under the "Properties" heading into a
table.
[format]: https://github.com/spdx/spdx-3-model/blob/develop/docs/format.md
### 3.1 Generating model files with spec-parser
To verify the formatting of pre-processed model files and
prepare them for MkDocs, run the following command:
```shell
python3 spec-parser/main.py \
--generate-mkdocs --output-mkdocs spdx-spec/docs/model/ \
spdx-3-model/model/
```
The command will instruct the spec-parser to read the input from
`spdx-3-model/model/` and generate processed Markdown files (`.md`),
placing them in the `spdx-spec/docs/model/` directory.
These files will then be used by MkDocs.
An `spdx-spec/docs/model/model-files.yml` file will also be generated.
This file contains a list of the files within `spdx-spec/docs/model/`
and will be used later for MkDocs configuration.
We will move this `model-files.yml` file to the `spdx-spec/` directory
for subsequent use:
```shell
mv spdx-spec/docs/model/model-files.yml spdx-spec/
```
### 3.2 Generating a complete MkDocs configuration file
To ensure MkDocs recognizes the new Markdown files,
insert the model file list from `model-files.yml`
into the MkDocs configuration file in `spdx-spec/mkdocs.yml`,
by using this command:
```shell
spdx-spec/bin/make-mkdocs-config.sh \
-b spdx-spec/mkdocs.yml \
-m spdx-spec/model-files.yml \
-f spdx-spec/mkdocs-full.yml
```
The complete MkDocs configuration will be at `spdx-spec/mkdocs-full.yml`.
## 4. Building HTML
With all specification and model files prepared,
we will use MkDocs to assemble them into a website.
*Note: all the commands below use the configuration file*
*with the model file list, `mkdocs-full.yml`,*
*generated in [step 3.2](#32-generating-a-complete-mkdocs-configuration-file).*
*If you only want to review the non-model part of the specification*
*(have skipped step 3), please use `mkdocs.yml` instead.*
The following commands should be run inside the `spdx-spec/` directory.
- To preview the specification in a web browser:
  ```shell
  mkdocs serve --config-file mkdocs-full.yml
  ```
- To build a static HTML site:
  ```shell
  mkdocs build --config-file mkdocs-full.yml
  ```
- To get debug messages, enable verbose output:
  ```shell
  mkdocs build --verbose --config-file mkdocs-full.yml
  ```
## 5. Configuring the website
To make additional adjustments to the website,
you can modify the configuration file at `spdx-spec/mkdocs.yml`.
For example, you can customize website details like the site name
and main URL (canonical URL) in this file.
To include a page in the navigation bar, list its filename under the `nav:`
section. The order of filenames in this section determines the order of the
page in the navigation bar.
After you have modified the configuration file, you may need to rerun
[step 3.2](#32-generating-a-complete-mkdocs-configuration-file)
to incorporate the changes into the complete configuration file.
## 6. Specification versions on spdx.github.io
The SPDX specifications on <https://spdx.github.io/spdx-spec/> are built
by using a workflow in
[`.github/workflows/publish_v3.yml`](.github/workflows/publish_v3.yml).
This workflow uses [mike](https://github.com/jimporter/mike) to publish
multiple versions of MkDocs-powered documentation.
The published versions, their titles, and aliases are listed in the file
[versions.json](https://github.com/spdx/spdx-spec/blob/gh-pages/versions.json)
located in the `gh-pages` branch.
These versions populate the version selector dropdown on the website.
The step `name: Deploy and set aliases` in the GitHub workflow file
determines the title and alias.
mike is not needed for local testing of a specific spec version.
================================================
FILE: docs/annexes/class-hierarchy.md
================================================
# Class hierarchy (Informational)
================================================
FILE: docs/annexes/license-matching-guidelines-and-templates.md
================================================
# SPDX License List matching guidelines and templates (Normative)
## SPDX License List matching guidelines
The SPDX License List Matching Guidelines provide guidelines to be used for the purposes of matching licenses and license exceptions against those included on the [SPDX License List](https://spdx.org/licenses/).
There is no intent here to make a judgment or interpretation, but merely to ensure that when one SPDX user identifies a license as "BSD-3-Clause," for example, it is indeed the same license as what someone else identifies as "BSD-3-Clause" and the same license as what is listed on the SPDX License List.
As noted here, some of the matching guidelines are implemented in the XML files of the SPDX License List repository.
## How these guidelines are applied
### Purpose
To ensure consistent results by different SPDX document creators when matching
license information that will be included in SPDX data.
SPDX document creators or tools may match on the license or exception text
itself, the official license header, or the SPDX License List short identifier.
### Guideline: official license headers
The matching guidelines apply to license and exception text, as well as official license headers.
Official license headers are defined by the SPDX License List as specific text specified within the license itself to be put in the header of files
(see the [explanation of SPDX License List fields](https://github.com/spdx/license-list-XML/blob/v3.25.0/DOCS/license-fields.md) for more info).
The following XML tag is used to implement this guideline: `<standardLicenseHeader>`
## Substantive text
### Purpose
To ensure that when matching licenses and exceptions to the SPDX License List, there is an appropriate balance between matching against the substantive text and disregarding parts of the text that do not alter the substantive text or legal meaning. Further guidelines of what can be disregarded or considered replaceable for purposes of matching are listed below here and in the subsequent specific guidelines. A conservative approach is taken in regard to rules relating to disregarded or replaceable text.
### Guideline: verbatim text
License and exception text shall be the same verbatim text (except for the guidelines stated here). The text shall be in the same order, e.g., differently ordered paragraphs shall not be considered a match.
### Guideline: no additional text
Matched text shall only include that found in the vetted license or exception text. Where a license or exception found includes additional text or clauses, this shall not be considered a match.
### Guideline: replaceable text
Some licenses include text that refers to the specific copyright holder or author, yet the rest of the license is exactly the same. The intent here is to avoid the inclusion of a specific name in one part of the license resulting in a non-match where the license is otherwise an exact match to the legally substantive terms (e.g., the third clause and disclaimer in the BSD licenses, or the third, fourth, and fifth clauses of Apache-1.1). In these cases, there shall be a positive license match.
The text indicated as such can be replaced with similar values (e.g., a different name or generic term; different date) and still be considered a positive match.
This rule also applies to text-matching in official license headers,
see [Guideline: official license headers](#guideline-official-license-headers).
The following XML tag is used to implement this guideline: `<alt>`, with two attributes:
- `match` - a POSIX extended regular expression (ERE) to match the replaceable text
- `name` - an identifier for the variable text unique to the license XML document
The original text is enclosed within the beginning and ending alt tags.
For example:
`<alt match="(?i:copyright.{0,200})." name="copyright1">Copyright The Linux Foundation</alt>`
The original replaceable text appears on the SPDX License List webpage in red text.
### Guideline: omittable text
Some licenses have text that can simply be ignored. The intent here is to avoid the inclusion of certain text that is superfluous or irrelevant in regard to the substantive license text resulting in a non-match where the license is otherwise an exact match (e.g., directions on how to apply the license or other similar exhibits). In these cases, there shall be a positive license match.
The license shall be considered a match if the text indicated is present and matches, or the text indicated is missing altogether.
The following XML tag is used to implement this guideline: `<optional>`
For example:
`<optional>Apache License Version 2.0, January 2004 http://www.apache.org/licenses/</optional>`
Omittable text appears on the SPDX License List webpage in blue text.
## Whitespace
### Purpose
To avoid the possibility of a non-match due to different spacing of words, line breaks, or paragraphs.
### Guideline
All whitespace shall be treated as a single blank space.
XML files do not require specific markup to implement this guideline.
## Capitalization
### Purpose
To avoid the possibility of a non-match due to lowercase or uppercase letters in otherwise the same words.
### Guideline
All uppercase and lowercase letters shall be treated as lowercase letters.
XML files do not require specific markup to implement this guideline.
## Punctuation
### Purpose
Because punctuation can change the meaning of a sentence, punctuation needs to be included in the matching process.
XML files do not require specific markup to implement this guideline, unless to indicate an exception to the guideline.
### Guideline: punctuation
Punctuation shall be matched, unless otherwise stated in these guidelines or unless specific markup is added.
### Guideline: hyphens, dashes
Any hyphen, dash, en dash, em dash, or other variation shall be considered equivalent.
### Guideline: quotes
Any variation of quotations (single, double, curly, etc.) shall be considered equivalent.
## Code comment indicators or separators
### Purpose
To avoid the possibility of a non-match due to the existence or absence of code
comment indicators placed within the license text, e.g., at the start of each
line of text, or repetitive characters to establish a separation of text,
e.g., `---`, `===`, `___`, or `***`.
### Guideline: prefixes
Any kind of code comment indicator or prefix which occurs at the beginning of each line in a matchable section shall be ignored for matching purposes.
XML files do not require specific markup to implement this guideline.
### Guideline: repeated characters
A non-letter character repeated 3 or more times to establish a visual separation shall be ignored for matching purposes.
XML files do not require specific markup to implement this guideline.
## Bullets and numbering
### Purpose
To avoid the possibility of a non-match due to the otherwise same license using bullets instead of numbers, numbers instead of letters, or no bullets instead of bullets, etc., for a list of clauses.
### Guideline
Where a line starts with a bullet, number, letter, or some form of a list item (determined where the list item is followed by a space, then the text of the sentence), ignore the list item for matching purposes.
The following XML tag is used to implement this guideline: `<bullet>`
For example: `<bullet>1.0</bullet>`
## Varietal word spelling
### Purpose
English uses different spelling for some words. By identifying the spelling variations for words found or likely to be found in licenses, we avoid the possibility of a non-match due to the same word being spelled differently. This list is not meant to be an exhaustive list of all spelling variations, but meant to capture the words most likely to be found in open source software licenses.
### Guideline
The words in each line of the text file available at the
[equivalent words list](https://spdx.org/licenses/equivalentwords.txt)
are considered equivalent and interchangeable.
XML files do not require specific markup to implement this guideline.
## Copyright symbol
### Purpose
By having a rule regarding the use of "©", "(c)", or "copyright", we avoid the possibility of a mismatch based on these variations.
### Guideline
"©", "(C)", "(c)", or "Copyright" shall be considered equivalent and interchangeable.
XML files do not require specific markup to implement this guideline.
The copyright symbol is part of the copyright notice,
see implementation of that guideline in [Copyright notice](#copyright-notice).
## Copyright notice
### Purpose
To avoid a license mismatch merely because the copyright notice (usually found above the actual license or exception text) is different. The copyright notice is important information to be recorded elsewhere in the SPDX document, but for the purposes of matching a license to the SPDX License List, it shall be ignored because it is not part of the substantive license text.
### Guideline
Ignore copyright notices. A copyright notice consists of the following elements, for example: "2012 Copyright, John Doe. All rights reserved." or "(c) 2012 John Doe."
The following XML tag is used to implement this guideline: `<copyrightText>`
For example: `<copyrightText>Copyright 2022 The Linux Foundation</copyrightText>`
## License name or title
### Purpose
To avoid a license mismatch merely because the name or title of the license is different than how the license is usually referred to or different than the SPDX full name. This also avoids a mismatch if the title or name of the license is simply not included.
### Guideline
Ignore the license name or title for matching purposes, so long as what is ignored is the title only and there is no additional substantive text added here.
The following XML tag is used to implement this guideline: `<titleText>`
For example: `<titleText>Attribution Assurance License</titleText>`
## Extraneous text at the end of a license
### Purpose
To avoid a license mismatch merely because extraneous text that appears at the end of the terms of a license is different or missing. This also avoids a mismatch if the extraneous text merely serves as a license notice example and includes a specific copyright holder's name.
### Guideline
Ignore any text that occurs after the obvious end of the license and does not include substantive text of the license, for example: text that occurs after a statement such as, "END OF TERMS AND CONDITIONS," or an exhibit or appendix that includes an example or instructions on how to apply the license to your code. Do not apply this guideline or ignore text that is comprised of additional license terms (e.g., permitted additional terms under GPL-3.0, section 7).
To implement this guideline, use the `<optional>` XML element tag as described
in [Guideline: omittable text](#guideline-omittable-text).
## HTTP protocol
### Purpose
To avoid a license mismatch due to a difference in a hyperlink protocol (e.g. HTTP vs. HTTPS).
### Guideline
`http://` and `https://` shall be considered equivalent.
XML files do not require specific markup to implement this guideline.
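As an added example (not part of the SPDX specification or its tooling), the following Python applies the guidelines above that need no XML markup, so that two license texts match exactly when their normalized forms are equal. The two sample texts, the `EQUIVALENT_WORDS` subset, and the comment-prefix and list-marker patterns are constructed for this example; the markup-driven guidelines (`<alt>`, `<optional>`, `<copyrightText>`, `<titleText>`) are not modelled.

```python
import re

# Constructed subset of https://spdx.org/licenses/equivalentwords.txt (guideline:
# varietal word spelling); the published list is the authoritative one.
EQUIVALENT_WORDS = {
    "licence": "license", "licences": "licenses",
    "organisation": "organization", "acknowledgement": "acknowledgment",
}
DASHES = "\u2010\u2011\u2012\u2013\u2014\u2015\u2212"   # hyphen, en/em dash, minus variants
QUOTES = "\u2018\u2019\u201a\u201b\u201c\u201d\u201e\u201f\u00ab\u00bb`'"
# Guideline: prefixes. Typical code comment indicators at the start of a line (constructed set).
COMMENT_PREFIX = re.compile(r"^\s*(?:#+|//+|/\*+|\*+/?|;+|--+|%+)\s?")
# Guideline: repeated characters. Three or more of one non-letter character is a separator.
SEPARATOR = re.compile(r"([^\w\s])\1{2,}")
# Guideline: bullets and numbering. A list marker followed by a space.
BULLET = re.compile(r"^\s*(?:\(?\d+[.)]|\(?[a-zA-Z][.)]|[ivxIVX]+[.)]|[-*\u2022])\s+")


def _strip_line_prefixes(text: str) -> str:
    """Per-line guidelines: comment indicators, separators, list markers."""
    lines = []
    for line in text.splitlines():
        line = COMMENT_PREFIX.sub("", line)
        line = SEPARATOR.sub(" ", line)
        line = BULLET.sub("", line)
        lines.append(line)
    return "\n".join(lines)


def normalize_license_text(text: str) -> str:
    """Canonical form of a license text under the markup-free matching guidelines."""
    # Guideline: copyright symbol. ©, (C), (c) and Copyright are interchangeable.
    text = re.sub(r"\u00a9|\(c\)|copyright", "copyright", text, flags=re.IGNORECASE)
    # Guideline: HTTP protocol. http:// and https:// are equivalent.
    text = re.sub(r"https?://", "http://", text, flags=re.IGNORECASE)
    # Guidelines: hyphens/dashes and quotes each collapse to one form.
    text = text.translate({ord(c): "-" for c in DASHES})
    text = text.translate({ord(c): '"' for c in QUOTES})
    # Guidelines: code comment indicators, repeated characters, bullets and numbering.
    text = _strip_line_prefixes(text)
    # Guideline: capitalization. Everything is compared in lowercase.
    text = text.lower()
    # Guideline: varietal word spelling. Swap in the canonical spelling, word by word.
    text = "".join(EQUIVALENT_WORDS.get(tok, tok) for tok in re.split(r"(\W+)", text))
    # Guideline: whitespace. Any run of whitespace is a single blank.
    return re.sub(r"\s+", " ", text).strip()


def texts_match(a: str, b: str) -> bool:
    """Verbatim-text match after normalization; any additional clause breaks it."""
    return normalize_license_text(a) == normalize_license_text(b)


# Constructed sample: the same clauses as a C-style comment block with numbered items.
SAMPLE_A = """\
# ========================================================
# Redistribution and use in source and binary forms, with or
# without modification, are permitted provided that:
#   1. Redistributions of source code retain the above copyright
#      notice (see https://example.com/notice) "as is".
#   2. Redistributions in binary form reproduce the above
#      copyright notice – see https://example.com/notice.
# ========================================================
"""
# Constructed sample: no comment markers, dash bullets, (c), curly quotes, plain http.
SAMPLE_B = """\
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that:

– Redistributions of source code retain the above (c) notice
  (see http://example.com/notice) “as is”.
– Redistributions in binary form reproduce the above (C)
  notice - see http://example.com/notice.
"""
EXTRA_CLAUSE = "\n- Neither the name of the author may be used to endorse products.\n"
```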
## SPDX License List
### Template access
The license XML can be accessed in the license-list-data repository under the
license-list-XML directory. Although the license list XML files can also be
found in the
[license-list-XML](https://github.com/spdx/license-list-XML) repository,
users are encouraged to use the published versions in the
[license-list-data](https://github.com/spdx/license-list-data) repository.
The license-list-data repository is tagged by release.
Only tagged released versions of the license list are considered stable.
### License List XML format
A full schema for the License List XML can be found at
[SPDX License List XML Schema](https://github.com/spdx/license-list-XML/blob/v3.25.0/schema/ListedLicense.xsd).
### Legacy Text Template format
Prior to the XML format, a text template was used to express variable and
optional text in licenses.
This text template is still supported, however, users are encouraged to use
the more expressive XML format.
A legacy template is composed of text with zero or more rules embedded in it.
A rule is a variable section of a license wrapped between double angle brackets
`<<>>` and is composed of 4 fields.
Each field is separated with a semi-colon `;`.
Rules shall not be embedded within other rules.
Rule fields begin with a case-sensitive tag followed by an equal sign `=`.
Rule fields:
- **type:** indicates whether the text is replaceable or omittable as per
  [Substantive text guidelines](#substantive-text).
    - Indicated by `<<var; . . . >>` or
    - Indicated by `<<beginOptional; . . .>>` and `<<endOptional>>` respectively.
    - This field is the first field and is required.
- **name:** name of the field in the template.
    - This field is unique within each license template.
    - This field is required.
- **original:** the original text of the rule.
    - This field is required for a rule type: `<<var; . . . >>`
- **match:** a POSIX extended regular expression (ERE).
    - This field is required for a rule type: `<<var; . . . >>`
The [POSIX ERE](http://pubs.opengroup.org/onlinepubs/9699919799/) in the match
field has the following restrictions and extensions:
- Semicolons are escaped with `\;`
- POSIX Bracket Extensions are not allowed
For example:
`<<var;name=organizationClause3;original=the copyright holder;match=.+>>`
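Added example (not the project's own code): a small compiler that turns a legacy template into one regular expression, honouring the `\;` escape, the `<<var>>` and `<<beginOptional>>`/`<<endOptional>>` rule types, the no-nesting and unique-name rules, and rejecting POSIX bracket extensions in `match`. The ISC-style template and texts are constructed; the `match` field is handed to Python's `re`, which is assumed compatible with the ERE subset used, and rule names are assumed to be valid Python group names.

```python
import re

RULE = re.compile(r"<<(.*?)>>", re.DOTALL)
BRACKET_EXT = re.compile(r"\[[:.=]")   # POSIX bracket extensions such as [[:alpha:]]


def split_fields(body: str) -> list:
    """Split a rule body on ';' while honouring the '\\;' escape."""
    parts, cur, i = [], [], 0
    while i < len(body):
        if body.startswith("\\;", i):
            cur.append(";")
            i += 2
        elif body[i] == ";":
            parts.append("".join(cur))
            cur, i = [], i + 1
        else:
            cur.append(body[i])
            i += 1
    return parts + ["".join(cur)]


def parse_rule(body: str) -> tuple:
    """Return (kind, fields) for one rule body; kind is var/beginOptional/endOptional."""
    if "<<" in body:
        raise ValueError("rules shall not be embedded within other rules")
    parts = split_fields(body)
    kind = parts[0].strip()
    if kind not in ("var", "beginOptional", "endOptional"):
        raise ValueError(f"unknown rule type {kind!r}")
    fields = {}
    for part in parts[1:]:
        tag, eq, value = part.partition("=")    # tags are case-sensitive
        if not eq:
            raise ValueError(f"field without '=': {part!r}")
        fields[tag.strip()] = value
    if kind == "var":
        missing = {"name", "original", "match"} - fields.keys()
        if missing:
            raise ValueError(f"var rule is missing {sorted(missing)}")
        if BRACKET_EXT.search(fields["match"]):
            raise ValueError("POSIX bracket extensions are not allowed in match")
    return kind, fields


def _literal(text: str) -> str:
    """Escape literal template text; a whitespace run matches any whitespace run."""
    tokens = text.split()
    if not tokens:
        return r"\s*" if text else ""
    pat = r"\s+".join(re.escape(t) for t in tokens)
    if text[0].isspace():
        pat = r"\s*" + pat
    if text[-1].isspace():
        pat += r"\s*"
    return pat


def compile_template(template: str):
    """One regex for the whole template: var -> named group built from its match
    field; beginOptional/endOptional -> an optional non-capturing group."""
    pattern, names, depth, pos = [], set(), 0, 0
    for m in RULE.finditer(template):
        pattern.append(_literal(template[pos:m.start()]))
        kind, fields = parse_rule(m.group(1))
        if kind == "var":
            if fields["name"] in names:
                raise ValueError(f"rule name {fields['name']!r} is not unique")
            names.add(fields["name"])
            pattern.append(f"(?P<{fields['name']}>{fields['match']})")
        elif kind == "beginOptional":
            depth += 1
            pattern.append("(?:")
        else:
            if depth == 0:
                raise ValueError("endOptional without beginOptional")
            depth -= 1
            pattern.append(")?")
        pos = m.end()
    if depth:
        raise ValueError("beginOptional without endOptional")
    pattern.append(_literal(template[pos:]))
    return re.compile(r"^\s*" + "".join(pattern) + r"\s*$", re.IGNORECASE | re.DOTALL)


def match_template(template: str, text: str):
    """Captured var values when text matches the template, else None."""
    m = compile_template(template).match(text)
    return None if m is None else {k: v.strip() for k, v in m.groupdict().items()}


# Constructed template modelled on the ISC license text; not an SPDX License List template.
TEMPLATE = """<<beginOptional;name=title>>ISC License<<endOptional>>
Permission to use, copy, modify, and/or distribute this software for any purpose
with or without fee is hereby granted, provided that the above copyright notice
and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND <<var;name=organizationClause;original=THE AUTHOR;match=.+>> DISCLAIMS ALL WARRANTIES.
"""
```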
================================================
FILE: docs/annexes/pkg-url-specification.md
================================================
# Package URL specification v1 (Normative)
## Introduction
The Package URL core specification defines a versioned and formalized
format, syntax, and rules used to represent and validate package URLs.
A package URL or _purl_ is an attempt to standardize existing approaches
to reliably identify the location of software packages.
A _purl_ is a URL string used to identify the location of a
software package in a mostly universal and uniform way across
programming languages, package managers, packaging conventions, tools,
APIs and databases.
Such a package URL is useful to reliably reference the same software
package using a simple and expressive syntax and conventions based on
familiar URLs.
## Syntax definition
_purl_ stands for **package URL**.
A _purl_ is a URL composed of seven components:
```
scheme:type/namespace/name@version?qualifiers#subpath
```
Components are separated by a specific character for unambiguous parsing.
The definition for each component is:
- **scheme**: this is the URL scheme with the constant value of "`pkg`". One of the primary reasons for this single scheme is to facilitate the future official registration of the "`pkg`" scheme for package URLs. Required.
- **type**: the package type or package protocol such as maven, npm, nuget, gem, pypi, etc. Required.
- **namespace**: some name prefix such as a Maven groupid, a Docker image owner, a GitHub user or organization. Optional and type-specific.
- **name**: the name of the package. Required.
- **version**: the version of the package. Optional.
- **qualifiers**: extra qualifying data for a package such as an OS, architecture, a distribution, etc. Optional and type-specific.
- **subpath**: extra subpath within a package, relative to the package root. Optional.
Components are designed such that they form a hierarchy from the most
significant on the left to the least significant components on the right.
A _purl_ is a valid URL and URI that conforms to the URL definitions
and specifications in RFC 3986 <https://datatracker.ietf.org/doc/rfc3986/>.
A _purl_ shall not contain a URL Authority i.e. there is no
support for username, password, host and port components.
A `namespace` segment may sometimes look like a host
but its interpretation is specific to a type.
The _purl_ components are mapped to the following URL components:
- _purl_ scheme: this is a URL scheme with a constant value: `pkg`
- _purl_ type, namespace, name and version components: these are collectively mapped to a URL path
- _purl_ qualifiers: this maps to a URL query
- _purl_ subpath: this is a URL fragment
## Character encoding
For clarity and simplicity a _purl_ is always an ASCII string.
To ensure that there is no ambiguity when parsing a _purl_,
separator characters and non-ASCII characters shall be encoded in UTF-8,
and then percent-encoded as defined in RFC 3986 <https://datatracker.ietf.org/doc/rfc3986/>.
Use these rules for percent-encoding and decoding _purl_ components:
- the type shall not be encoded and shall not contain separators
- the `#`, `?`, `@` and `:` characters shall not be encoded when used as separators. They may need to be encoded elsewhere
- the `:` scheme and type separator does not need to and shall not be encoded. It is unambiguous unencoded everywhere
- the `/` used as type/namespace/name and subpath segments separator does not need to and shall not be percent-encoded. It is unambiguous unencoded everywhere
- the `@` version separator shall be encoded as `%40` elsewhere
- the `?` qualifiers separator shall be encoded as `%3F` elsewhere
- the `=` qualifiers key/value separator shall not be encoded
- the `#` subpath separator shall be encoded as `%23` elsewhere
- All non-ASCII characters shall be encoded as UTF-8 and then percent-encoded
It is OK to percent-encode any _purl_ components, except for the type.
Producers and consumers of _purl_ data
shall always percent-decode and percent-encode
components and component segments
as explained in the "How to produce and consume _purl_ data" section.
## Rules for each component
A _purl_ string is an ASCII URL string composed of seven components.
Some components are allowed to use other characters beyond ASCII: these
components shall then be UTF-8-encoded strings and percent-encoded as
defined in the "Character encoding" section.
The rules for each component are:
### Rules for scheme
- The scheme is a constant with the value "`pkg`"
- Since a _purl_ never contains a URL Authority, its scheme shall not be suffixed with double slash as in `pkg://` and shall use instead `pkg:`.
- _purl_ parsers shall accept URLs such as 'pkg://' and shall ignore the '//'.
- _purl_ builders shall not create invalid URLs with such double slash '//'.
- The scheme is followed by a ':' separator.
For example, the two purls `pkg:gem/ruby-advisory-db-check@0.12.4` and `pkg://gem/ruby-advisory-db-check@0.12.4` are strictly equivalent.
The first is in canonical form while the second is an acceptable _purl_ but is an invalid URI/URL per RFC 3986.
### Rules for type
- The package type is composed only of ASCII letters and numbers, `.`, `+` and `-` (period, plus, and dash).
- The type shall not start with a number.
- The type shall not contain spaces.
- The type shall not be percent-encoded.
- The type is case insensitive, with the canonical form being lowercase.
### Rules for namespace
- The optional namespace contains zero or more segments, separated by slash `/`.
- Leading and trailing slashes `/` are not significant and shall be stripped in the canonical form. They are not part of the namespace.
- Each namespace segment shall be a percent-encoded string.
- When percent-decoded, a segment shall not contain a slash `/` and shall not be empty.
- A URL host or Authority shall not be used as a namespace. Use instead a `repository_url` qualifier. Note however that for some types, the namespace may look like a host.
### Rules for name
- The name is prefixed by a slash `/` separator when the namespace is not empty.
- This slash `/` is not part of the name.
- A name shall be a percent-encoded string.
### Rules for version
- The version is prefixed by an at-sign `@` separator when not empty.
- This at-sign `@` is not part of the version.
- A version shall be a percent-encoded string.
- A version is a plain and opaque string. Some package types use versioning conventions such as SemVer for npm packages or NEVRA conventions for RPMs. A type may define a procedure to compare and sort versions, but there is no reliable and uniform way to do such comparison consistently.
### Rules for qualifiers
- The qualifiers string is prefixed by a `?` separator when not empty.
- This `?` is not part of the qualifiers.
- This is a string composed of zero or more key=value pairs each separated by an ampersand `&`. A key and value are separated by an equal `=` character.
- These `&` are not part of the key=value pairs.
- Each key shall be unique within the keys of the qualifiers string.
- A value shall not be an empty string; a key=value pair with an empty value is the same as no key/value at all for this key.
- Each key shall be composed only of ASCII letters and numbers, `.`, `-` and `_` (period, dash and underscore).
- A key shall not start with a number.
- A key shall not be percent-encoded.
- A key is case insensitive, with the canonical form being lowercase.
- A key shall not contain spaces.
- A value shall be a percent-encoded string.
- The `=` separator is neither part of the key nor of the value.
### Rules for subpath
- The subpath string is prefixed by a `#` separator when not empty.
- This `#` is not part of the subpath.
- The subpath contains zero or more segments, separated by slash `/`.
- Leading and trailing slashes `/` are not significant and shall be stripped in the canonical form.
- Each subpath segment shall be a percent-encoded string.
- When percent-decoded, a segment shall not contain a `/`, shall not be any of `..` or `.`, and shall not be empty.
- The subpath shall be interpreted as relative to the root of the package.
## Known types
There are several known _purl_ package type definitions.
The current list of known types is:
`alpm`,
`apk`,
`bitbucket`,
`bitnami`,
`cargo`,
`cocoapods`,
`composer`,
`conan`,
`conda`,
`cpan`,
`cran`,
`deb`,
`docker`,
`gem`,
`generic`,
`github`,
`golang`,
`hackage`,
`hex`,
`huggingface`,
`luarocks`,
`maven`,
`mlflow`,
`npm`,
`nuget`,
`oci`,
`pub`,
`pypi`,
`qpkg`,
`rpm`,
`swid`, and
`swift`.
The list, with definitions for each type,
is maintained in the file named `PURL-TYPES.rst`
in the online repository
<https://github.com/package-url/purl-spec>.
## Known qualifiers key/value pairs
Qualifiers should be limited to the bare minimum
for proper package identification,
to ensure that a _purl_ stays compact and readable in most cases.
Separate external attributes stored outside of a _purl_
are the preferred mechanism to convey extra long and optional information.
API, database or web form.
The following keys are valid for use in all package types:
- `repository_url` is an extra URL for an alternative, non-default package repository or registry.
The default repository or registry of each type is documented in the "Known types" section.
- `download_url` is an extra URL for a direct package web download URL.
- `vcs_url` is an extra URL for the package's version control system repository.
- `file_name` is an extra file name of a package archive.
- `checksum` is a qualifier for one or more checksums stored as a comma-separated list.
Each item in the list is in the form of algorithm:hex\_value (all lowercase),
such as `sha1:ad9503c3e994a4f611a4892f2e67ac82df727086`.
## How to produce and consume _purl_ data
The following provides rules to be followed
when building or deconstructing _purl_ instances.
### How to build _purl_ string from its components
Building a _purl_ ASCII string works from left to right, from type to subpath.
To build a _purl_ string from its components:
1. Start a _purl_ string with the "`pkg:`" scheme as a lowercase ASCII string
1. Append the type string to the _purl_ as a lowercase ASCII string
1. Append `/` to the _purl_
1. If the namespace is not empty:
    1. Strip the namespace from leading and trailing `/`
    1. Split on `/` as segments
    1. Apply type-specific normalization to each segment, if needed
    1. Encode each segment in UTF-8-encoding
    1. Percent-encode each segment
    1. Join the segments with `/`
    1. Append this to the _purl_
    1. Append `/` to the _purl_
1. Strip the name from leading and trailing `/`
1. Apply type-specific normalization to the name, if needed
1. Encode the name in UTF-8-encoding
1. Percent-encode the name
1. Append the percent-encoded name to the _purl_
1. If the version is not empty:
    1. Append `@` to the _purl_
    1. Encode the version in UTF-8-encoding
    1. Percent-encode the version
    1. Append the percent-encoded version to the _purl_
1. If the qualifiers are not empty and not composed only of key/value pairs where the value is empty:
    1. Append `?` to the _purl_
    1. Discard any pair where the value is empty
    1. Encode each value in UTF-8-encoding
    1. If the key is `checksum` and there is more than one checksum, join the list with `,` to create the qualifier value
    1. Create each qualifier string by joining the lowercased key, the equal `=` sign, and the percent-encoded value
    1. Sort this list of qualifier strings lexicographically
    1. Join this list of sorted qualifier strings with `&`
    1. Append this string to the _purl_
1. If the subpath is not empty and not composed only of empty, `.`, and `..` segments:
    1. Append `#` to the _purl_
    1. Strip the subpath from leading and trailing `/`
    1. Split the subpath on `/` as a list of segments
    1. Discard empty, `.`, and `..` segments
    1. Encode each segment in UTF-8-encoding
    1. Percent-encode each segment
    1. Join the segments with `/`
    1. Append this string to the _purl_
### How to parse a _purl_ string to its components
Parsing a _purl_ ASCII string into its components works
by splitting the string on different characters.
To parse a _purl_ string in its components:
1. Split the _purl_ string once from right on `#`, if present; the left side is the remainder.
1. If the right side is not empty, it contains subpath information:
    1. Strip it from leading and trailing `/`.
    1. Split this on `/` in a list of segments.
    1. Discard empty, `.`, and `..` segments.
    1. Percent-decode each segment.
    1. UTF-8-decode each of these.
    1. Join segments with `/`.
    1. This is the subpath.
1. Split the remainder once from right on `?`, if present; the left side is the remainder.
1. If the right side is not empty, it contains qualifiers information:
    1. Split it on `&` in a list of key=value pairs.
    1. Split each pair once from left on `=` in key and value parts.
    1. The key is the lowercase left side.
    1. Percent-decode the right side.
    1. UTF-8-decode this to get the value.
    1. Discard any key/value pairs where the value is empty.
    1. If the key is `checksum`, split the value on `,` to create a list of checksums.
    1. This list of keys/values is the qualifiers.
1. Split the remainder once from left on `:`; the right side is the remainder.
1. The left side lowercased is the scheme. It shall be exactly "`pkg:`".
1. Strip the remainder from leading and trailing `/`.
1. Split this once from left on `/`; the right side is the remainder.
1. The left side lowercased is the type.
1. Split the remainder once from right on `@`, if present; the left side is the remainder.
1. If the right side is not empty, it contains version information:
    1. Percent-decode the string.
    1. UTF-8-decode this.
    1. This is the version.
1. Split the remainder once from right on `/`, if present; the left side is the remainder.
1. The right side contains name information.
    1. Percent-decode the name string.
    1. UTF-8-decode this.
    1. Apply type-specific normalization, if needed.
    1. This is the name.
1. If the remainder is not empty, it contains namespace information:
    1. Split the remainder on `/` to a list of segments.
    1. Discard any empty segment.
    1. Percent-decode each segment.
    1. UTF-8-decode each of these.
    1. Apply type-specific normalization to each segment, if needed.
    1. Join segments with `/`.
    1. This is the namespace.
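Added example (not code from the purl project or from SPDX tooling): a builder and a parser that follow the numbered build and parse steps above, including the points a consumer of untrusted SBOM data cares about: `.` and `..` subpath segments are discarded, empty qualifier values are dropped, duplicate qualifier keys and an encoded `/` inside a segment are rejected, and the non-canonical `pkg://` form is accepted and re-emitted canonically. The `PackageURL` container, `_pct` helper and type-specific normalization being skipped are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import quote, unquote


# Container for the seven components; constructed for this example, not a library type.
@dataclass
class PackageURL:
    type: str
    name: str
    namespace: str = ""
    version: str = ""
    qualifiers: dict = field(default_factory=dict)
    subpath: str = ""


TYPE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9.+-]*$")   # letters, digits, . + -; no leading digit
KEY_RE = re.compile(r"^[a-z][a-z0-9._-]*$")         # lowercased qualifier key; no leading digit


def _pct(segment: str) -> str:
    # UTF-8-encode, then percent-encode. ':' is unambiguous unencoded everywhere and
    # ',' is the checksum list separator; '@', '?', '#', '/' become %40 %3F %23 %2F.
    return quote(segment, safe=":,")


def _split_once(s: str, sep: str, from_right: bool) -> tuple:
    """(left, right); right is '' when sep is absent."""
    if sep not in s:
        return s, ""
    return tuple(s.rsplit(sep, 1) if from_right else s.split(sep, 1))


def build_purl(p: PackageURL) -> str:
    """Build steps: scheme, type, namespace, name, version, qualifiers, subpath."""
    if not TYPE_RE.match(p.type):
        raise ValueError(f"invalid type {p.type!r}")
    out = ["pkg:", p.type.lower(), "/"]
    if p.namespace.strip("/"):
        segs = p.namespace.strip("/").split("/")
        if "" in segs:
            raise ValueError("empty namespace segment")
        out += ["/".join(_pct(s) for s in segs), "/"]
    name = p.name.strip("/")
    if not name:
        raise ValueError("name is required")
    out.append(_pct(name))
    if p.version:
        out.append("@" + _pct(p.version))
    pairs = []
    for key, value in p.qualifiers.items():
        key = key.lower()
        if not KEY_RE.match(key):
            raise ValueError(f"invalid qualifier key {key!r}")
        if key == "checksum" and isinstance(value, list):
            value = ",".join(value)            # list is joined before encoding
        if value:                              # pairs with an empty value are discarded
            pairs.append(f"{key}={_pct(value)}")
    if pairs:
        out.append("?" + "&".join(sorted(pairs)))
    segs = [s for s in p.subpath.strip("/").split("/") if s not in ("", ".", "..")]
    if segs:
        out.append("#" + "/".join(_pct(s) for s in segs))
    return "".join(out)


def parse_purl(purl: str) -> PackageURL:
    """Parse steps: split from the right on '#', '?', then from the left on ':' and '/'."""
    remainder, right = _split_once(purl, "#", from_right=True)
    segs = [unquote(s) for s in right.strip("/").split("/") if s not in ("", ".", "..")]
    if any("/" in s for s in segs):
        raise ValueError("a decoded subpath segment shall not contain '/'")
    subpath = "/".join(segs)                   # never contains '.' or '..' segments
    remainder, right = _split_once(remainder, "?", from_right=True)
    qualifiers = {}
    for pair in filter(None, right.split("&")):
        key, _, value = pair.partition("=")
        key, value = key.lower(), unquote(value)
        if not value:
            continue                           # 'key=' is the same as no key at all
        if not KEY_RE.match(key) or key in qualifiers:
            raise ValueError(f"invalid or duplicate qualifier key {key!r}")
        qualifiers[key] = value.split(",") if key == "checksum" else value
    scheme, remainder = _split_once(remainder, ":", from_right=False)
    if scheme.lower() != "pkg":
        raise ValueError(f"scheme shall be 'pkg', got {scheme!r}")
    remainder = remainder.strip("/")           # accepts the non-canonical 'pkg://' form
    ptype, remainder = _split_once(remainder, "/", from_right=False)
    ptype = ptype.lower()
    if not TYPE_RE.match(ptype):
        raise ValueError(f"invalid type {ptype!r}")
    remainder, right = _split_once(remainder, "@", from_right=True)
    version = unquote(right)
    if "/" in remainder:
        remainder, name = remainder.rsplit("/", 1)
    else:
        remainder, name = "", remainder
    name = unquote(name)
    if not name or "/" in name:
        raise ValueError("name is required and shall not contain '/'")
    ns = [unquote(s) for s in remainder.split("/") if s]
    if any("/" in s for s in ns):
        raise ValueError("a decoded namespace segment shall not contain '/'")
    return PackageURL(ptype, name, "/".join(ns), version, qualifiers, subpath)
```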
## Examples
The following list includes some valid _purl_ examples:
- `pkg:bitbucket/birkenfeld/pygments-main@244fd47e07d1014f0aed9c`
- `pkg:deb/debian/curl@7.50.3-1?arch=i386&distro=jessie`
- `pkg:gem/ruby-advisory-db-check@0.12.4`
- `pkg:github/package-url/purl-spec@244fd47e07d1004f0aed9c`
- `pkg:golang/google.golang.org/genproto#googleapis/api/annotations`
- `pkg:maven/org.apache.xmlgraphics/batik-anim@1.9.1?packaging=sources`
- `pkg:npm/foobar@12.3.1`
- `pkg:nuget/EnterpriseLibrary.Common@6.0.1304`
- `pkg:pypi/django@1.11.1`
- `pkg:rpm/fedora/curl@7.50.3-1.fc25?arch=i386&distro=fedora-25`
## Original license
This document is based on the texts published
in the <https://github.com/package-url/purl-spec> online repository.
The original license and attribution are reproduced below:
Copyright (c) the purl authors
Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
the Software, and to permit persons to whom the Software is furnished to do so,
subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
================================================
FILE: docs/annexes/rdf-model.md
================================================
# RDF model definition and diagrams (Informative)
## Model definition
The SPDX RDF ontology is expressed in RDF/OWL/SHACL format
and is published online at
[SPDX 3.1 Model](https://spdx.org/rdf/3.1/spdx-model.ttl)
## Diagrams
### Core profile
[![Core profile diagram][fig_core]][fig_core]
### Software profile
[![Software profile diagram][fig_software]][fig_software]
### Security profile
[![Security profile diagram][fig_security]][fig_security]
### Licensing profile
[![Licensing profile diagram][fig_licensing]][fig_licensing]
### Dataset profile
[![Dataset profile diagram][fig_dataset]][fig_dataset]
### AI profile
[![AI profile diagram][fig_ai]][fig_ai]
### Build profile
[![Build profile diagram][fig_build]][fig_build]
### Extension profile
[![Extension profile diagram][fig_extension]][fig_extension]
### Hardware profile
[![Hardware profile diagram][fig_hardware]][fig_hardware]
### Service profile
[![Service profile diagram][fig_service]][fig_service]
### SupplyChain profile
[![SupplyChain profile diagram][fig_supplychain]][fig_supplychain]
### Operations profile
[![Operations profile diagram][fig_operations]][fig_operations]
### FunctionalSafety profile
[![FunctionalSafety profile diagram][fig_functionalsafety]][fig_functionalsafety]
[fig_ai]: ../images/model-AI.png "SPDX 3.1 AI profile diagram"
[fig_build]: ../images/model-Build.png "SPDX 3.1 Build profile diagram"
[fig_core]: ../images/model-Core.png "SPDX 3.1 Core profile diagram"
[fig_dataset]: ../images/model-Dataset.png "SPDX 3.1 Dataset profile diagram"
[fig_extension]: ../images/model-Extension.png "SPDX 3.1 Extension profile diagram"
[fig_licensing]: ../images/model-Licensing.png "SPDX 3.1 Licensing profile diagram"
[fig_security]: ../images/model-Security.png "SPDX 3.1 Security profile diagram"
[fig_software]: ../images/model-Software.png "SPDX 3.1 Software profile diagram"
[fig_hardware]: ../images/model-Hardware.png "SPDX 3.1 Hardware profile diagram"
[fig_service]: ../images/model-Service.png "SPDX 3.1 Service profile diagram"
[fig_supplychain]: ../images/model-SupplyChain.png "SPDX 3.1 SupplyChain profile diagram"
[fig_operations]: ../images/model-Operations.png "SPDX 3.1 Operations profile diagram"
[fig_functionalsafety]: ../images/model-FunctionalSafety.png "SPDX 3.1 FunctionalSafety profile diagram"
================================================
FILE: docs/annexes/spdx-license-expressions.md
================================================
# SPDX license expressions (Normative)
## Overview
Often a single license can be used to represent the licensing terms of a source code or binary file, but there are situations where a single license identifier is not sufficient. A common example is when software is offered under a choice of one or more licenses (e.g., `GPL-2.0-only OR BSD-3-Clause`). Another example is when a set of licenses is needed to represent a binary program constructed by compiling and linking two (or more) different source files each governed by different licenses (e.g., `LGPL-2.1-only AND BSD-3-Clause`).
SPDX License Expressions provide a way for one to construct expressions that more accurately represent the licensing terms typically found in open source software source code. A license expression could be a single license identifier found on the SPDX License List; a user defined license reference denoted by the "LicenseRef-(idstring)"; a license identifier combined with an SPDX exception; or some combination of license identifiers, license references and exceptions constructed using a small set of defined operators (e.g., "AND", "OR", "WITH" and "+"). We provide the definition of what constitutes a valid SPDX License Expression in this section.
The general format of license expressions is described below in ABNF, as defined
in [RFC 5234](https://datatracker.ietf.org/doc/rfc5234/) and expanded
in [RFC 7405](https://datatracker.ietf.org/doc/rfc7405/).
```ABNF
idstring = 1*(ALPHA / DIGIT / "-" / "." )
license-id = <short form license identifier from SPDX License List>
license-exception-id = <short form license exception identifier from SPDX License List>
license-ref = ["DocumentRef-"(idstring)":"]"LicenseRef-"(idstring)
addition-ref = ["DocumentRef-"(idstring)":"]"AdditionRef-"(idstring)
simple-expression = license-id / license-id"+" / license-ref / "NONE" / "NOASSERTION"
addition-expression = license-exception-id / addition-ref
compound-expression = (simple-expression /
simple-expression "WITH" addition-expression /
compound-expression "AND" compound-expression /
compound-expression "OR" compound-expression /
"(" compound-expression ")" )
license-expression = (simple-expression / compound-expression)
```
In the following sections we describe in more detail the `<license-expression>` construct, a licensing expression string that enables a more accurate representation of the licensing terms of modern-day software.
A valid `<license-expression>` string consists of either:
(i) a simple license expression, such as a single license identifier; or
(ii) a more complex expression constructed by combining smaller valid expressions using Boolean license operators.
There shall not be any space between a license-id and any following "+". This supports easy parsing and backwards compatibility.
There shall be at least one space on either side of the operators "AND", "OR", and "WITH".
A license expression shall be on a single line, and shall not include a line break in the middle of the expression.
## Case sensitivity
In SPDX 3, license expressions are completely *case-insensitive*.
That includes the operators ("AND", "OR", "WITH"), the special identifiers ("NONE" and "NOASSERTION"), as well as the license identifiers, including the user-defined ones.
For example, the expressions `MIT AND NOASSERTION AND (BSD-3-Clause OR LicenseRef-Name)` and `mit aNd NoaSSerTion AnD (bSd-3-clausE OR licenseref-NAME)` are equivalent.
However, please be aware that it is often important to note the case of the canonical identifier on the [SPDX License List](https://spdx.org/licenses). This is because the canonical identifier's case is used in the URL of the license's or exception's entry on the List, and because the canonical identifier is translated to a URI in RDF documents.
## Simple license expressions
A simple `<license-expression>` is composed of one of the following:
- An SPDX License List Short Form Identifier. For example: `CDDL-1.0`
- An SPDX License List Short Form Identifier with a unary "+" operator suffix to represent the current version of the license or any later version. For example: `CDDL-1.0+`
- One of the special identifiers "NONE" or "NOASSERTION"
- A user defined license reference:
  `["DocumentRef-"(idstring)":"]"LicenseRef-"(idstring)`.
  For example:
  `LicenseRef-23`,
  `LicenseRef-MIT-Style-1`, and
  `DocumentRef-spdx-tool-1.2:LicenseRef-MIT-Style-2`
The current set of valid license identifiers can be found in the SPDX License List.
## Composite license expressions
### Introduction
More expressive composite license expressions can be constructed using "OR", "AND", and "WITH" operators similar to constructing mathematical expressions using arithmetic operators.
Any license expression that consists of more than one license identifier and/or LicenseRef, may optionally be encapsulated by parentheses: "( )".
Nested parentheses can also be used to specify an order of precedence which is discussed in more detail below.
### Disjunctive "OR" operator
If presented with a choice between two or more licenses, use the disjunctive binary "OR" operator to construct a new license expression, where both the left and right operands are valid license expression values.
For example, when given a choice between the LGPL-2.1-only or MIT licenses, a valid expression would be:
```text
LGPL-2.1-only OR MIT
```
The "OR" operator is commutative, meaning that the above expression should be considered equivalent to:
```text
MIT OR LGPL-2.1-only
```
An example representing a choice between three different licenses would be:
```text
LGPL-2.1-only OR MIT OR BSD-3-Clause
```
The special identifiers "NONE" or "NOASSERTION" shall not be used with the "OR" operator.
### Conjunctive "AND" operator
If required to simultaneously comply with two or more licenses, use the conjunctive binary "AND" operator to construct a new license expression, where both the left and right operands are valid license expression values.
For example, when one is required to comply with both the LGPL-2.1-only and MIT licenses, a valid expression would be:
```text
LGPL-2.1-only AND MIT
```
The "AND" operator is commutative, meaning that the above expression should be considered equivalent to:
```text
MIT AND LGPL-2.1-only
```
An example where three different licenses apply would be:
```text
LGPL-2.1-only AND MIT AND BSD-2-Clause
```
The "AND" operator is the only operator that can be used in conjunction with the special identifiers "NONE" or "NOASSERTION".
### Additive "WITH" operator
Sometimes license texts are found with additional text, which might or might not modify the original license terms.
In this case, use the binary "WITH" operator to construct a new license expression to represent the special situation. A valid `<license-expression>` is one where the left operand is a `<simple-expression>` value and the right operand is an `<addition-expression>` that represents the additional text.
The `<addition-expression>` can be either a `<license-exception-id>` from the SPDX License List, or a user defined addition reference in the form `["DocumentRef-"(idstring)":"]"AdditionRef-"(idstring)`.
For example, when the Bison exception is to be applied to GPL-2.0-or-later, the expression would be:
```text
GPL-2.0-or-later WITH Bison-exception-2.2
```
The current set of valid license exception identifiers can be found in [spdx.org/licenses](https://spdx.org/licenses).
The special identifiers "NONE" or "NOASSERTION" shall not be used with the "WITH" operator.
### Order of precedence and parentheses
The order of application of the operators in an expression matters (similar to mathematical operators). The default operator order of precedence of a `<license-expression>` is:
```text
+
WITH
AND
OR
```
where a lower order operator is applied before a higher order operator.
For example, the following expression:
```text
LGPL-2.1-only OR BSD-3-Clause AND MIT
```
represents a license choice between either LGPL-2.1-only or the expression "BSD-3-Clause AND MIT" because the "AND" operator takes precedence over (is applied before) the "OR" operator.
When required to express an order of precedence that is different from the default order, a `<license-expression>` can be encapsulated in pairs of parentheses: ( ), to indicate that the operators found inside the parentheses take precedence over operators outside. This is also similar to the use of parentheses in an algebraic expression, e.g., (5+7)/2.
For instance, the following expression:
```text
(LGPL-2.1-or-later OR BSD-3-Clause) AND MIT
```
states the "OR" operator should be applied before the "AND" operator. That is, one should first select between the LGPL-2.1-or-later or the BSD-3-Clause license before applying the MIT license.
## Complete grammar
The complete syntax of license expressions,
including precedence and whitespace,
is described by the following ABNF:
```ABNF
; ABNF Grammar for License Expressions
SPDX-license-expression = (or-operand *( required-ws "OR" required-ws or-operand )) / special-identifier
or-operand = (term required-ws "AND" required-ws term *( required-ws "AND" required-ws term )) / base-term
term = base-term / special-identifier
base-term = with-expression / identifier / parenthesized-expression
with-expression = identifier required-ws "WITH" required-ws addition-identifier
addition-identifier = license-exception-id / addition-ref
identifier = license-id / or-later-expression / license-ref
or-later-expression = license-id PLUS
parenthesized-expression = LPAREN optional-ws SPDX-license-expression optional-ws RPAREN
special-identifier = "NONE" / "NOASSERTION"
; --- SPDX License List contents ---
license-id = <short form license identifier from SPDX License List>
license-exception-id = <short form license exception identifier from SPDX License List>
; --- User-defined identifiers ---
license-ref = [ "DocumentRef-" idstring ":" ] "LicenseRef-" idstring
addition-ref = [ "DocumentRef-" idstring ":" ] "AdditionRef-" idstring
idstring = *idchar alnum *idchar
idchar = alnum / DOT / DASH
alnum = ALPHA / DIGIT
; --- Whitespace and characters ---
optional-ws = *SPACE ; Optional whitespace (zero or more spaces)
required-ws = 1*SPACE ; Required whitespace (one or more spaces)
SPACE = %x20 ; Space character
LPAREN = %x28 ; ( - Left parenthesis
RPAREN = %x29 ; ) - Right parenthesis
PLUS = %x2B ; + - Plus
DASH = %x2D ; - - Dash, hyphen
DOT = %x2E ; . - Dot, full stop, period
ALPHA = %x41-5A / %x61-7A ; A-Z / a-z
DIGIT = %x30-39 ; 0-9
```
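To make the precedence rules and the ABNF above concrete, the following is a small recursive-descent parser for license expressions. It is an added illustration, not part of the specification and not the code of any SPDX project tool. It assumes a constructed handful of License List identifiers and exception identifiers in place of the full list (a real validator would load the list from spdx.org/licenses) and applies the rules of this annex: operators are case-insensitive and need a space on either side, "+" is a suffix glued to a License List identifier, a line break is a stray character, NONE and NOASSERTION combine only with AND, and the parse tree is nested by precedence ("+" before WITH before AND before OR). Rejecting a malformed expression at ingestion, rather than passing it downstream, is the point of such a parser in an SBOM pipeline.

```python
import re

# Constructed subset of the SPDX License List for this example (assumption: a real
# implementation loads the full list from spdx.org/licenses).
LICENSE_IDS = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "CDDL-1.0", "Apache-2.0",
               "GPL-2.0-only", "GPL-2.0-or-later", "LGPL-2.1-only", "LGPL-2.1-or-later"}
EXCEPTION_IDS = {"Bison-exception-2.2", "Classpath-exception-2.0"}
_LICENSE_BY_FOLD = {x.upper(): x for x in LICENSE_IDS}  # identifiers compare case-insensitively
_EXCEPTION_BY_FOLD = {x.upper(): x for x in EXCEPTION_IDS}
SPECIAL = {"NONE", "NOASSERTION"}
# Operators are only recognised with a space on either side; "+" only as a suffix glued to
# an identifier (idstring chars plus ":" for DocumentRef-); anything else is a stray character.
_TOKEN_RE = re.compile(
    r"(?P<ws> +)|(?P<lp>\()|(?P<rp>\))|(?P<op>(?<= )(?:AND|OR|WITH)(?= ))|(?P<id>[A-Za-z0-9.:-]+\+?)", re.I)
_REF_RE = re.compile(r"^(?:DocumentRef-([A-Za-z0-9.-]+):)?(LicenseRef|AdditionRef)-([A-Za-z0-9.-]+)$", re.I)

class LicenseExpressionError(ValueError):
    pass

def tokenize(text):  # -> [(kind, value)], whitespace dropped once its placement has been checked
    tokens, pos = [], 0
    while pos < len(text):
        m = _TOKEN_RE.match(text, pos)
        if m is None:  # tab, line break, a second "+", or a "+" separated from its identifier
            raise LicenseExpressionError(f"unexpected character {text[pos]!r} at offset {pos}")
        pos = m.end()
        if m.lastgroup != "ws":
            tokens.append((m.lastgroup, m.group().upper() if m.lastgroup == "op" else m.group()))
    return tokens

def _ref(value, prefix):  # LicenseRef-/AdditionRef- form: canonical prefix case, idstring kept as written
    m = _REF_RE.match(value)
    if m and m.group(2).upper() == prefix.upper():
        return (f"DocumentRef-{m.group(1)}:" if m.group(1) else "") + f"{prefix}-{m.group(3)}"

class _Parser:  # recursive descent over the annex grammar; binding strength: "+" > WITH > AND > OR
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self):
        if self.i >= len(self.toks):
            raise LicenseExpressionError("unexpected end of expression")
        self.i += 1
        return self.toks[self.i - 1]
    def expression(self):  # or-operand *("OR" or-operand) / special-identifier
        operands = [self.or_operand()]
        while self.peek() == ("op", "OR"):
            self.take()
            operands.append(self.or_operand())
        if len(operands) > 1 and any(o in SPECIAL for o in operands):
            raise LicenseExpressionError('NONE / NOASSERTION shall not be used with "OR"')
        return operands[0] if len(operands) == 1 else ("OR", *operands)
    def or_operand(self):  # term *("AND" term); AND is the only operator allowed with NONE / NOASSERTION
        operands = [self.term()]
        while self.peek() == ("op", "AND"):
            self.take()
            operands.append(self.term())
        return operands[0] if len(operands) == 1 else ("AND", *operands)
    def term(self):  # parenthesized-expression / special-identifier / with-expression / identifier
        kind, value = self.take()
        if kind == "lp":
            node = self.expression()
            if self.take()[0] != "rp":
                raise LicenseExpressionError("missing closing parenthesis")
            return node
        if kind != "id":
            raise LicenseExpressionError(f"unexpected token {value!r}")
        if value.upper() in SPECIAL:
            return value.upper()
        base, later = value.rstrip("+"), value.endswith("+")  # or-later-expression = license-id "+"
        lic = _LICENSE_BY_FOLD.get(base.upper()) or _ref(base, "LicenseRef")
        if lic is None or (later and base.upper() not in _LICENSE_BY_FOLD):
            raise LicenseExpressionError(f"unknown license identifier {value!r}")
        lic += "+" if later else ""
        if self.peek() == ("op", "WITH"):  # with-expression = identifier WITH addition-identifier
            self.take()
            kind, value = self.take()
            add = _EXCEPTION_BY_FOLD.get(value.upper()) or _ref(value, "AdditionRef")
            if kind != "id" or add is None:
                raise LicenseExpressionError(f"invalid addition after WITH: {value!r}")
            return ("WITH", lic, add)
        return lic

def parse(text):
    """Parse tree: str, ("WITH", lic, addition) or ("AND"|"OR", operand, ...), nested by precedence."""
    p = _Parser(tokenize(text))
    node = p.expression()
    if p.peek() is not None:
        raise LicenseExpressionError(f"unexpected token {p.peek()[1]!r}")
    return node

def is_valid(text):
    try:
        parse(text)
        return True
    except LicenseExpressionError:
        return False
```

`parse("LGPL-2.1-only OR BSD-3-Clause AND MIT")` returns `("OR", "LGPL-2.1-only", ("AND", "BSD-3-Clause", "MIT"))`, the grouping the precedence section describes, while `parse("(LGPL-2.1-or-later OR BSD-3-Clause) AND MIT")` puts the AND at the top. Because License List identifiers are canonicalized to the List's case and LicenseRef- prefixes are normalized, the two equivalent expressions from the case-sensitivity section parse to the same tree; only the user-chosen idstring is kept as written.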
================================================
FILE: docs/annexes/spdx-lite.md
================================================
# SPDX Lite (Normative)
## Explanation of the Lite profile
The Lite profile is designed to make it quick and easy to start a
Software Bill of Materials in situations where a company may have limited
capacity for introducing new items into their processes.
The Lite profile captures the minimum set of information required
for license compliance in the software supply chain.
It contains information about the creation of the SBOM,
package lists with licensing and other related information,
and their relationships.
All elements in the Lite profile are essential for complying with licenses.
An SPDX document using the Lite profile is easy to work with
even for those who have limited knowledge of licensing information,
and license information from files in former versions of the SPDX Lite format
is easy to import.
The Lite profile offers the flexibility to be used either alone
or in combination with other SPDX profiles
as an SPDX document in the software supply chain.
## Mandatory and recommended properties
The Lite profile specifies that some properties shall be present
and some others should be present, as much as possible.
The following lists collect and present this information
for every class present in the SPDX data,
in a concise and easy-to-follow format.
The lists of properties are in alphabetical order, for easy reference.
### /Core/SpdxDocument
- Mandatory
1. creationInfo
1. element (may be multiple), shall have at least one /Software/Sbom object
1. rootElement (may be multiple), should be objects of type /Software/Sbom
1. spdxId
- Recommended
1. comment
1. dataLicense
1. name
1. namespaceMap (may be multiple)
1. verifiedUsing (may be multiple), should be objects of type /Core/Hash
### /Software/Sbom
- Mandatory
1. creationInfo
1. element (may be multiple), shall have at least one /Software/Package object
1. rootElement (may be multiple), should be objects of type /Software/Package
1. spdxId
- Recommended
1. sbomType (may be multiple)
### /Software/Package
- Mandatory
1. copyrightText
1. creationInfo
1. name
1. packageVersion
1. spdxId
1. suppliedBy, should be an object of type /Core/Agent
- Recommended
1. attributionText (may be multiple)
1. builtTime
1. comment
1. downloadLocation
1. homepage
1. originatedBy (may be multiple), should be objects of type /Core/Agent
1. packageUrl
1. releaseTime
1. supportLevel (may be multiple)
1. validUntilTime
1. verifiedUsing (may be multiple), should be objects of type /Core/Hash
However, there shall be at least a “downloadLocation” or “packageUrl” property.
Additionally:
1. for every `/Software/Package` object there shall exist
exactly one `/Core/Relationship` object
of type `hasConcludedLicense`
having that element as its `from` property and
a `/SimpleLicensing/AnyLicenseInfo` object as its `to` property.
1. for every `/Software/Package` object there shall exist
exactly one `/Core/Relationship` object
of type `hasDeclaredLicense`
having that element as its `from` property and
a `/SimpleLicensing/AnyLicenseInfo` object as its `to` property.
### /Core/Hash
- Mandatory
1. algorithm
1. hashValue
- Recommended
1. comment
### /SimpleLicensing/LicenseExpression
- Mandatory
1. creationInfo
1. licenseExpression
1. spdxId
- Recommended
1. licenseListVersion
### /SimpleLicensing/SimpleLicensingText
- Mandatory
1. creationInfo
1. licenseText
1. spdxId
- Recommended
1. comment
### /Core/Agent (createdBy, suppliedBy, originatedBy)
- Mandatory
1. creationInfo, should be “BlankNode”
1. name
1. spdxId
- Recommended
1. externalIdentifier (may be multiple)
### /Core/CreationInfo
- Mandatory
1. created
1. createdBy (may be multiple), should be objects of type /Core/Agent
1. specVersion, shall be a fixed string, “3.1.n” - where n is
any supported patch version of the SPDX specification
- Recommended
1. comment
### /Core/ExternalIdentifier
- Mandatory
1. externalIdentifierType
1. identifier
### /Core/NameSpaceMap
- Mandatory
1. namespace
1. prefix
### /Core/Relationship
- Mandatory
1. creationInfo
1. from
1. relationshipType
1. spdxId
1. to (may be multiple)
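The property lists above are a checklist that an SBOM consumer can enforce before accepting a document. The following is an added example of such a check; it is not part of the annex or of any SPDX project tooling. It assumes a simplified, constructed in-memory representation in which each node is a dict typed by the class paths used in this annex and keyed by the property names listed here, with references expressed as spdxId strings; this is not the SPDX JSON-LD serialization, and a real checker would first deserialize a document into a graph of this shape. The sample graph at the end is constructed data for this example.

```python
import re

# Mandatory properties per class, as listed in this annex (constructed from the lists above).
MANDATORY = {
    "/Core/SpdxDocument": ["creationInfo", "element", "rootElement", "spdxId"],
    "/Software/Sbom": ["creationInfo", "element", "rootElement", "spdxId"],
    "/Software/Package": ["copyrightText", "creationInfo", "name", "packageVersion", "spdxId", "suppliedBy"],
    "/Core/Hash": ["algorithm", "hashValue"],
    "/SimpleLicensing/LicenseExpression": ["creationInfo", "licenseExpression", "spdxId"],
    "/SimpleLicensing/SimpleLicensingText": ["creationInfo", "licenseText", "spdxId"],
    "/Core/Agent": ["creationInfo", "name", "spdxId"],
    "/Core/CreationInfo": ["created", "createdBy", "specVersion"],
    "/Core/ExternalIdentifier": ["externalIdentifierType", "identifier"],
    "/Core/NameSpaceMap": ["namespace", "prefix"],
    "/Core/Relationship": ["creationInfo", "from", "relationshipType", "spdxId", "to"],
}
LICENSE_INFO_TYPES = {"/SimpleLicensing/LicenseExpression", "/SimpleLicensing/SimpleLicensingText"}
_SPEC_VERSION_RE = re.compile(r"^3\.1\.\d+$")  # "3.1.n", n being a patch version

def _as_list(value):
    return value if isinstance(value, list) else [] if value is None else [value]

def lite_violations(graph):
    """Return human-readable Lite-profile violations for a list of node dicts (empty list = conforms)."""
    by_id = {n["spdxId"]: n for n in graph if "spdxId" in n}
    def of_type(ids, wanted):
        return [i for i in _as_list(ids) if by_id.get(i, {}).get("type") == wanted]
    problems = []
    for n in graph:
        t, label = n.get("type"), n.get("spdxId", "<no spdxId>")
        for prop in MANDATORY.get(t, []):
            if not n.get(prop):  # absent or empty
                problems.append(f"{label} ({t}): missing mandatory property {prop}")
        if t == "/Core/SpdxDocument" and not of_type(n.get("element"), "/Software/Sbom"):
            problems.append(f"{label}: element shall include at least one /Software/Sbom")
        if t == "/Software/Sbom" and not of_type(n.get("element"), "/Software/Package"):
            problems.append(f"{label}: element shall include at least one /Software/Package")
        if t == "/Software/Package":
            if not (n.get("downloadLocation") or n.get("packageUrl")):
                problems.append(f"{label}: at least one of downloadLocation or packageUrl is required")
            for rtype in ("hasConcludedLicense", "hasDeclaredLicense"):
                # exactly one relationship of this type from the package to license information
                rels = [r for r in graph if r.get("type") == "/Core/Relationship"
                        and r.get("relationshipType") == rtype and r.get("from") == label
                        and all(by_id.get(i, {}).get("type") in LICENSE_INFO_TYPES for i in _as_list(r.get("to")))]
                if len(rels) != 1:
                    problems.append(f"{label}: exactly one {rtype} relationship to license information is required, found {len(rels)}")
        if t == "/Core/CreationInfo" and not _SPEC_VERSION_RE.match(str(n.get("specVersion", ""))):
            problems.append(f"{label}: specVersion shall be 3.1.n")
    return problems

def drop_property(graph, spdx_id, prop):
    """Copy of the graph with one property removed from one node, for what-if checks."""
    return [{k: v for k, v in n.items() if not (n.get("spdxId") == spdx_id and k == prop)} for n in graph]

# Constructed sample graph (assumption: simplified in-memory form, not the JSON-LD serialization;
# node types are the annex's class paths, properties the annex's names, references are spdxIds).
SAMPLE_GRAPH = [
    {"type": "/Core/CreationInfo", "spdxId": "_:creationinfo", "created": "2026-01-15T12:00:00Z",
     "createdBy": ["https://example.org/agent/acme"], "specVersion": "3.1.0"},
    {"type": "/Core/Agent", "spdxId": "https://example.org/agent/acme", "creationInfo": "_:creationinfo",
     "name": "ACME Corp"},
    {"type": "/Core/SpdxDocument", "spdxId": "https://example.org/doc/1", "creationInfo": "_:creationinfo",
     "element": ["https://example.org/sbom/1"], "rootElement": ["https://example.org/sbom/1"]},
    {"type": "/Software/Sbom", "spdxId": "https://example.org/sbom/1", "creationInfo": "_:creationinfo",
     "element": ["https://example.org/pkg/libexample"], "rootElement": ["https://example.org/pkg/libexample"]},
    {"type": "/Software/Package", "spdxId": "https://example.org/pkg/libexample", "creationInfo": "_:creationinfo",
     "name": "libexample", "packageVersion": "1.2.3", "copyrightText": "Copyright 2026 ACME Corp",
     "suppliedBy": "https://example.org/agent/acme",
     "downloadLocation": "https://example.org/dl/libexample-1.2.3.tar.gz"},
    {"type": "/SimpleLicensing/LicenseExpression", "spdxId": "https://example.org/lic/mit",
     "creationInfo": "_:creationinfo", "licenseExpression": "MIT"},
    {"type": "/Core/Relationship", "spdxId": "https://example.org/rel/1", "creationInfo": "_:creationinfo",
     "from": "https://example.org/pkg/libexample", "relationshipType": "hasConcludedLicense",
     "to": ["https://example.org/lic/mit"]},
    {"type": "/Core/Relationship", "spdxId": "https://example.org/rel/2", "creationInfo": "_:creationinfo",
     "from": "https://example.org/pkg/libexample", "relationshipType": "hasDeclaredLicense",
     "to": ["https://example.org/lic/mit"]},
]
```

`lite_violations(SAMPLE_GRAPH)` returns an empty list; removing the package's `downloadLocation` yields the one violation about `downloadLocation`/`packageUrl`, and removing the `relationshipType` of the declared-license relationship yields two (the relationship's missing mandatory property and the package's missing `hasDeclaredLicense`). Recommended properties are deliberately not checked, since their absence does not make a document non-conformant.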
================================================
FILE: docs/conformance.md
================================================
# Conformance
## Alternate notation for some conformance requirements
This document contains more than a few cardinality assertions, each of which
indicates the minimum and maximum number of times a property may appear.
These are represented by using "minCount" and "maxCount" respectively.
The absolute minimum number of occurrences is zero (0),
while for an unbounded maximum number of occurrences a star (\*) is used.
Here are some examples:
- minCount: 1
- maxCount: *
- Cardinality: 0..1
- Cardinality: 0..*
- Cardinality: 1..1
- Cardinality: 1..*
Each of these assertions can easily be understood as to whether a feature is
required, and if so, how many occurrences are required; also, whether a feature
is permitted, and if so, in what number. As this is the format long familiar to
the SPDX community, it has been preserved in this document.
## Introduction to profiles
Profile is the term for a compliance point within the SPDX community across The
Linux Foundation and OMG. The System Package Data Exchange (SPDX) specification
defines the following thirteen compliance points, defined as “profiles”:
- Core profile
- Software profile
- Security profile
- Licensing profile
- Dataset profile
- AI profile
- Build profile
- Lite profile
- Extension profile
- Hardware profile
- Service profile
- SupplyChain profile
- Operations profile
- FunctionalSafety profile
The Core profile is mandatory. All others are optional.
## Core profile compliance point
The Core profile includes the definitions of classes, properties and
vocabularies usable by all SPDX profiles when producing or consuming SPDX
content. Although the classes, properties and vocabularies are somewhat
extensive, the required fields are rather minimal to allow maximum flexibility
while meeting minimum SBOM requirements. Software that conforms to the SPDX
specification at the Core profile compliance point shall be able to import and
export serialized documents that conform with one of the defined SPDX
serialization formats.
Conformance to the Core profile compliance point is mandatory for all other
SPDX profiles.
This compliance point, in combination with the Software profile compliance
point, provides a baseline of functionality that facilitates interchange of the
bills of materials information produced by tools supporting SPDX.
## Software profile compliance point
The Software profile includes the definitions of classes, properties and
vocabularies for referring to and conveying information about software and is
usable by all SPDX profiles when producing or consuming SPDX content.
Software that conforms to the SPDX specification at the Software profile
compliance point shall be able to import and export serialized documents that
conform with one of the defined SPDX serialization formats.
Conformance to the Software profile compliance point does not entail support
for the Licensing, Dataset, AI, Build, Lite, or Extension profiles of the
SPDX.
This compliance point, in combination with the Core profile compliance point,
provides a baseline of functionality that facilitates interchange of the bills
of materials information produced by tools supporting SPDX.
## Security profile compliance point
The Security profile captures security-related information when producing or
consuming SPDX content.
Software that conforms to the SPDX specification at the Security profile
compliance point shall be able to import and export serialized documents that
conform with one of the defined SPDX serialization formats, including the
properties and relationships specified in the Security profile, which support
exchanging information about software vulnerabilities that may exist, the
severity of those vulnerabilities, and a mechanism to express how a
vulnerability may affect a specific software element, including whether a fix
is available.
Conformance to the Security profile compliance point does not entail support
for the Licensing, Dataset, AI, Build, Lite, or Extension profiles of the
SPDX.
This compliance point facilitates interchange of the security information
produced by tools supporting SPDX.
## Licensing profile compliance point
The Licensing profile includes capturing details relevant to software licensing
and intellectual property information when producing or consuming SPDX content.
Specifically, software that conforms to the SPDX specification at the Licensing
profile compliance point shall be able to import and export serialized
documents that conform with one of the defined SPDX serialization formats,
including the classes and fields that comprise the SPDX License Expression
syntax and that relate to the
[SPDX License List](https://spdx.org/licenses/).
There are two associated profiles, the SimpleLicensing profile
and the ExpandedLicensing profile.
Both allow expression of the same information,
albeit in different ways.
Conformance to the Licensing profile compliance point does not entail support
for the Software, Security, Dataset, AI, Build, Lite, or Extension profiles of
the SPDX.
This compliance point facilitates interchange of the licensing documents
expressing which licenses and copyright notices are determined by persons or
automated tooling to apply to distributions of software that are produced by
tools supporting SPDX.
## Dataset profile compliance point
The Dataset profile captures the relevant information about the datasets used
in an AI system or other applications when producing or consuming SPDX content.
Software that conforms to the SPDX specification at the Dataset profile
compliance point shall be able to import and export serialized documents that
conform with one of the defined SPDX serialization formats, including details
such as dataset names, versions, sources, associated metadata, licensing
information, and any other relevant attributes.
The Dataset profile can convey a description or summary of a dataset, including
metadata, characteristics, and statistical information about the data.
The Dataset profile can convey insights into the structure, format, content,
and properties of a dataset, helping users understand and analyze the data more
effectively.
Conformance to the Dataset profile compliance point does not entail support
for the Software, Licensing, Security, AI, Build, Lite, or Extension profiles
of the SPDX.
This compliance point facilitates interchange of the information about
datasets produced by tools supporting SPDX.
## AI profile compliance point
The AI profile captures an inventory list of software components and
dependencies associated with an AI system when producing or consuming SPDX
content.
Software that conforms to the SPDX specification at the AI profile compliance
point shall be able to import and export serialized documents that conform with
one of the defined SPDX serialization formats, including the information about
software components and dependencies associated with artificial intelligence
and machine learning (AI/ML) models and systems.
This inventory includes the software frameworks, libraries, and other
components used to build or deploy the AI system, along with relevant
information about their versions, licenses, and useful security references
including ethical and security information.
Conformance to the AI profile compliance point does not entail support for the
Software, Licensing, Security, Dataset, Build, Lite, or Extension profiles of
the SPDX.
This compliance point facilitates interchange of the AI model related
information produced by tools supporting SPDX.
## Build profile compliance point
The Build profile captures build-related information when producing or
consuming SPDX content.
Software that conforms to the SPDX specification at the Build profile
compliance point shall be able to import and export serialized documents that
conform with one of the defined SPDX serialization formats, including
associated definitions to help express how software is generated and
transformed. This includes encoding the inputs, outputs,
procedures/instructions, environments and actors from the build process along
with the associated evidence.
Conformance to the Build profile compliance point does not entail support for
the Software, Licensing, Security, Dataset, AI, Lite, or Extension profiles of
the SPDX.
This compliance point facilitates interchange of the build information produced
by tools supporting SPDX.
## Lite profile compliance point
The Lite profile captures the minimum set of information required for license
compliance in the software supply chain for producing or consuming SPDX
content.
Software that conforms to the SPDX specification at the Lite profile
compliance point shall be able to import and export serialized documents that
conform with one of the defined SPDX serialization formats, including creation
of the SBOM, package lists with licensing and other related items, and their
relationships.
Conformance to the Lite profile compliance point does not entail support for
the Software, Licensing, Security, Dataset, AI, Build, or Extension profiles
of the SPDX.
This compliance point facilitates interchange of minimal licensing information
when produced by tools supporting SPDX.
## Extension profile compliance point
The Extension profile captures extended tailored information when producing or
consuming non-standard SPDX content in three ways:
- Support profile-based extended characterization of Elements. Enables
specification and expression of Element characterization extensions within
any profile and namespace of SPDX without requiring changes to other profiles
or namespaces and without requiring local subclassing of remote classes
(which could inhibit ecosystem interoperability in some cases).
- Support extension of SPDX by adopting individuals or communities with Element
characterization details uniquely specialized to their particular context.
Enables adopting individuals or communities to utilize SPDX expressive
capabilities along with expressing more arcane Element characterization
details specific to them and not appropriate for standardization across SPDX.
- Support structured capture of expressive solutions for gaps in SPDX coverage
from real-world use. Enables adopting individuals or communities to express
Element characterization details they require that are not currently defined
in SPDX but likely should be. Enables a practical pipeline that identifies
gaps in SPDX that should be filled, expresses solutions to those gaps in a
way that allows the identifying adopters to use the extended solutions with
SPDX and does not conflict with current SPDX, can be clearly detected among
the SPDX content exchange ecosystem, provides a clear and structured
definition of gap solution that can be used as submission for revision to the
SPDX standard.
Software that conforms to the SPDX specification at the Extension profile
compliance point shall be able to import and export serialized documents that
conform with one of the defined SPDX serialization formats, including the
abstract Extension class serving as the base for all defined Extension
subclasses.
Conformance to the Extension profile compliance point does not entail support
for the Licensing, Security, Dataset, AI, or Build profiles of the SPDX, but it
is expected to be used in combination with the other profiles to extend them.
This compliance point facilitates interchange of extended information that goes
beyond the standard SPDX produced by tools supporting SPDX and is used between
cooperating parties that understand the form of the extension and can produce
and consume its non-standard content.
## Trademark compliance
To be designated an SPDX document, a file shall comply with the requirements of the SPDX Trademark
License, as stated in the [SPDX Trademark Page](https://spdx.dev/trademark).
The official copyright notice that shall be used with any verbatim reproduction and/or distribution of
this SPDX Specification 3.1 is:
"Official SPDX® Specification 3.1 Copyright © 2010–2026 Linux Foundation and its Contributors.
Licensed under the Community Specification License 1.0. All other rights are expressly reserved."
The official copyright notice that shall be used with any non-verbatim reproduction and/or distribution
of this SPDX Specification 3.1, including without limitation any partial use or combining this SPDX
Specification with another work, is:
"This is not an official SPDX Specification. Portions herein have been reproduced from SPDX®
Specification 3.1 found at spdx.dev. These portions are Copyright © 2010–2026 Linux Foundation and
its Contributors, and are licensed under the Community Specification License 1.0 by the
Linux Foundation and its Contributors. All other rights are expressly reserved by Linux Foundation and
its Contributors."
================================================
FILE: docs/css/style.css
================================================
.wy-side-nav-search {
background: rgb(250, 250, 250);
padding: 0 0.809em 0 0.809em;
width: 100%;
max-width: 350px;
position: sticky;
top: 0;
z-index: 10;
}
.fa-home:before, .icon-home:before {
content: '';
display: block;
background-position: center center;
background: url('data:image/png;base64,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') no-repeat center center;
height: 88px;
width: 250px;
}
.wy-side-nav-search .icon-home {
display: block;
color: #58595b;
}
.wy-nav-side, .rst-versions .rst-current-version {
background-color: rgb(250, 250, 250);
}
.wy-nav-side input[name=q] {
border-color: #4597cb;
}
.wy-breadcrumbs li, .wy-breadcrumbs li a {
color: #00416b !important;
}
.wy-menu-vertical>ul>li>a {
color: #515151;
}
.wy-menu-vertical li.on a:hover,.wy-menu-vertical li.current>a {
background: #00416b;
color: white !important;
}
.wy-menu-vertical li.on a:hover,.wy-menu-vertical li>a:hover {
background: #00416b !important;
color: white !important;
}
.wy-menu-vertical ul.current li.toctree-l1>a {
color: grey;
}
.wy-menu-vertical li.current a {
color: #58595b;
}
.rst-versions a {
color: #00416b !important;
}
h1, h2, h3, a {
color: #00416b;
}
code {
color: #00416b !important;
}
code, .rst-content tt {
border: 0px;
background-color: #f7f7f7;
font-size: .85em;
padding: .2em;
margin: 0;
}
pre code {
background-color: rgb(247, 247, 247);
}
.hljs-tag, .hljs-tag .hljs-title, .hljs-rule .hljs-property, .django .hljs-tag .hljs-keyword {
color: rgb(51, 51, 51) !important;
}
.hljs-attribute, .hljs-variable, .lisp .hljs-body, .hljs-name, .hljs-keyword, .hljs-constant, .hljs-symbol, .hljs-regexp {
color: rgb(51, 51, 51) !important;
}
.hljs-string, .hljs-tag .hljs-value, .hljs-phpdoc, .hljs-dartdoc, .tex .hljs-formula {
color: rgb(51, 51, 51) !important;
}
.hljs-comment, .diff .hljs-header, .hljs-javadoc {
color: rgb(51, 51, 51) !important;
}
footer {
font-size: 1em;
color: #515151;
}
footer a.btn {
box-shadow: none;
}
footer .rst-footer-buttons {
font-size: 16px;
color: rgb(64, 64, 64);
}
================================================
FILE: docs/front/copyright.md
================================================
# Use of specification - terms, conditions & notices
Copyright © 2010–2026, The Linux Foundation and its Contributors,
including SPDX Model contributions from OMG and its Contributors.
This work is licensed under the
[Community Specification License 1.0](../licenses/Community-Spec-1.0.md)
(Community-Spec-1.0).
Pre-existing portions of this work from copyright holders who have not
subsequently contributed under the Community-Spec-1.0 are provided under
[Creative Commons Attribution License 3.0 Unported](../licenses/CC-BY-3.0.md)
(CC-BY-3.0).
Copies of these licenses are reproduced in their entirety herein.
## Trademarks
SPDX® is a registered trademark of The Linux Foundation.
## Compliance
Use of the SPDX trademarks is subject to the SPDX Trademark License,
currently available at
[SPDX Legal Notices page](https://spdx.dev/about/legal-notices/).
Software developed under the terms of the licenses under which this
specification is issued may claim compliance or conformance with this
specification if and only if the software provider complies with the
SPDX Trademark License given above.
================================================
FILE: docs/front/introduction.md
================================================
# Introduction
Companies and organizations (collectively “Organizations”) are widely using and
reusing open source and other software packages. Accurate identification of
software is key for many supply chain processes. Vulnerability remediation
starts with knowing the details of which version of software is in use on a
system. Compliance with the associated licenses requires a set of analysis
activities and due diligence that each Organization performs independently,
which may include a manual and/or automated scan of software and identification
of associated licenses followed by manual verification.
Software development teams across the globe use the same open source packages,
but little infrastructure exists to facilitate collaboration on the analysis or
share the results of these analysis activities. As a result, many groups are
performing the same work leading to duplicated efforts and redundant
information. With this document, the SPDX workgroup, a combined effort of the
Linux Foundation SPDX group and the OMG/CISQ Tool-to-Tool effort, has created a
data exchange format so that information about software packages and related
content may be collected and shared in a common format with the goal of saving
time and improving data accuracy.
The activities of the two groups merged in the opening weeks of 2021, generally
moving forward but occasionally stalling while the larger group worked through
issues that one or the other had not discussed or had a different opinion
about. Eventually, after releasing SPDX 2.3 in
August of 2022 with updates that brought some of the concepts and capabilities
slated for SPDX 3.0 to the community in preparation of the shift that SPDX 3.0
represents, the first release candidate of SPDX 3.0 was released in May of
2023. Within the SPDX community, which is both a standards creation
organization as well as a community of open source developers, a release
candidate offers an opportunity for implementors of SPDX, both new and old, to
review the work and determine whether there were parts that were unclear or
that would be extremely burdensome to implement.
Based on the comments and change requests from the initial candidate release
several areas of the model were revised and reworked, resulting in a release
candidate 2 of SPDX 3.0 in February of 2024. That release candidate gave tool
creators and those who maintain the support libraries for working with SPDX
time to start revising their projects in advance of the final version of
the SPDX 3.0 specification. For those not following the inner workings,
debates, and discussion of the combined 3T-SBOM and SPDX 3.0 working group for
the last 3 years there has been a dramatic change in the SPDX model as it goes
from SPDX 2.3 to SPDX 3.0, shifting the SPDX name from Software Package Data
Exchange to System Package Data Exchange and expanding the scope of items it
can now convey in a bill of materials from software, security, and licensing to
many additional aspects like data sets, AI models, and build information.
Since the release of 3.0.0, we have gathered feedback on the level of
documentation and minor errors in the model which have been addressed in the
3.0.1 release.
================================================
FILE: docs/index.md
================================================
# The System Package Data Exchange™ (SPDX®) Specification Version 3.1-dev
Copyright © 2010-2026, The Linux Foundation and its Contributors,
including SPDX Model contributions from OMG and its Contributors.
With thanks to
Adam Cohn,
Adolfo García Veytia,
Alan Tse,
Alexios Zavras,
Alfred Strauch,
Andrew Back,
Ann Thornton,
Armin Tänzer,
Arthit Suriyawongkul,
Ayumi Watanabe,
Basil Peace,
Bill Schineller,
Bradlee Edmondson,
Brandon Lum,
Bruno Cornec,
Ciaran Farrell,
Daniel German,
David Edelsohn,
David Kemp,
David A. Wheeler,
Debra McGlade,
Dennis Clark,
Dick Brooks,
Ed Warnicke,
Elyas Rashno,
Eran Strod,
Eric Thomas,
Esteban Rockett,
Gary O'Neall,
Gopi Krishnan Rajbahadur,
Guillaume Rousseau,
Hassib Khanafer,
Henk Birkholz,
Hiroyuki Fukuchi,
Itaru Hosomi,
Jack Manbeck,
Jaime Garcia,
Jeff Licquia,
Jeff Luszcz,
Jeff Schutt,
Jilayne Lovejoy,
John Ellis,
Jonas Oberg,
Joshua Watt,
Kamsang Salima,
Karen Bennet,
Karen Copenhaver,
Kate Stewart,
Kevin Mitchell,
Kim Weins,
Kirsten Newcomer,
Kouki Hama,
Kris Reeves,
Liang Cao,
Lon Hohberger,
Marc-Etienne Vargenau,
Mark Gisi,
Marshall Clow,
Martin Michlmayr,
Martin von Willebrand,
Mark Atwood,
Matija Šuklje,
Matt Germonprez,
Maximilian Huber,
Meret Behrens,
Michael J. Herzog,
Michel Ruffin,
Nicole Pappler,
Nisha Kumar,
Nobuyuki Tanaka,
Norio Kobota,
Nuno Brito,
Oliver Fendt,
Paul Madick,
Peter Williams,
Phil Robb,
Philip Koltun,
Philip Odence,
Philippe Ombredanne,
Pierre Lapointe,
Rana Rahal,
Robert Martin,
Robin Gandhi,
Rose Judge,
Sam Ellis,
Sameer Ahmed,
Satoru Koizumi,
Scott K Peterson,
Scott Lamons,
Scott Sterling,
Sean Barnum,
Sebastian Crane,
Shane Coughlan,
Steve Cropper,
Steve Winslow,
Steven Carbno,
Stuart Hughes,
Takashi Ninjouji,
Thomas F. Incorvia,
Thomas Steenbergen,
Tom Callaway,
Tom Vidal,
Toru Taima,
Venkata Krishna,
W. Trevor King,
William Bartholomew,
Yev Bronshteyn,
Yoshiko Ouchi,
Yoshiyuki Ito,
Yuji Nomura,
Yumi Tomita,
and
Zachary McFarland
for their contributions and assistance.
================================================
FILE: docs/licenses/CC-BY-3.0.md
================================================
# Creative Commons Attribution License 3.0 Unported
**License**
THE WORK (AS DEFINED BELOW) IS PROVIDED UNDER THE TERMS OF THIS CREATIVE COMMONS PUBLIC LICENSE ("CCPL" OR "LICENSE"). THE WORK IS PROTECTED BY COPYRIGHT AND/OR OTHER APPLICABLE LAW. ANY USE OF THE WORK OTHER THAN AS AUTHORIZED UNDER THIS LICENSE OR COPYRIGHT LAW IS PROHIBITED.
BY EXERCISING ANY RIGHTS TO THE WORK PROVIDED HERE, YOU ACCEPT AND AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE. TO THE EXTENT THIS LICENSE MAY BE CONSIDERED TO BE A CONTRACT, THE LICENSOR GRANTS YOU THE RIGHTS CONTAINED HERE IN CONSIDERATION OF YOUR ACCEPTANCE OF SUCH TERMS AND CONDITIONS.
1) **Definitions**
a. **"Adaptation"** means a work based upon the Work, or upon the Work and other pre-existing works, such as a translation, adaptation, derivative work, arrangement of music or other alterations of a literary or artistic work, or phonogram or performance and includes cinematographic adaptations or any other form in which the Work may be recast, transformed, or adapted including in any form recognizably derived from the original, except that a work that constitutes a Collection will not be considered an Adaptation for the purpose of this License. For the avoidance of doubt, where the Work is a musical work, performance or phonogram, the synchronization of the Work in timed-relation with a moving image ("synching") will be considered an Adaptation for the purpose of this License.
b. **"Collection"** means a collection of literary or artistic works, such as encyclopedias and anthologies, or performances, phonograms or broadcasts, or other works or subject matter other than works listed in Section 1(f) below, which, by reason of the selection and arrangement of their contents, constitute intellectual creations, in which the Work is included in its entirety in unmodified form along with one or more other contributions, each constituting separate and independent works in themselves, which together are assembled into a collective whole. A work that constitutes a Collection will not be considered an Adaptation (as defined above) for the purposes of this License.
c. **"Distribute"** means to make available to the public the original and copies of the Work or Adaptation, as appropriate, through sale or other transfer of ownership.
d. **"Licensor"** means the individual, individuals, entity or entities that offer(s) the Work under the terms of this License.
e. **"Original Author"** means, in the case of a literary or artistic work, the individual, individuals, entity or entities who created the Work or if no individual or entity can be identified, the publisher; and in addition (i) in the case of a performance the actors, singers, musicians, dancers, and other persons who act, sing, deliver, declaim, play in, interpret or otherwise perform literary or artistic works or expressions of folklore; (ii) in the case of a phonogram the producer being the person or legal entity who first fixes the sounds of a performance or other sounds; and, (iii) in the case of broadcasts, the organization that transmits the broadcast.
f. **"Work"** means the literary and/or artistic work offered under the terms of this License including without limitation any production in the literary, scientific and artistic domain, whatever may be the mode or form of its expression including digital form, such as a book, pamphlet and other writing; a lecture, address, sermon or other work of the same nature; a dramatic or dramatico-musical work; a choreographic work or entertainment in dumb show; a musical composition with or without words; a cinematographic work to which are assimilated works expressed by a process analogous to cinematography; a work of drawing, painting, architecture, sculpture, engraving or lithography; a photographic work to which are assimilated works expressed by a process analogous to photography; a work of applied art; an illustration, map, plan, sketch or three-dimensional work relative to geography, topography, architecture or science; a performance; a broadcast; a phonogram; a compilation of data to the extent it is protected as a copyrightable work; or a work performed by a variety or circus performer to the extent it is not otherwise considered a literary or artistic work.
g. **"You"** means an individual or entity exercising rights under this License who has not previously violated the terms of this License with respect to the Work, or who has received express permission from the Licensor to exercise rights under this License despite a previous violation.
h. **"Publicly Perform"** means to perform public recitations of the Work and to communicate to the public those public recitations, by any means or process, including by wire or wireless means or public digital performances; to make available to the public Works in such a way that members of the public may access these Works from a place and at a place individually chosen by them; to perform the Work to the public by any means or process and the communication to the public of the performances of the Work, including by public digital performance; to broadcast and rebroadcast the Work by any means including signs, sounds or images.
i. **"Reproduce"** means to make copies of the Work by any means including without limitation by sound or visual recordings and the right of fixation and reproducing fixations of the Work, including storage of a protected performance or phonogram in digital form or other electronic medium.
2) **Fair Dealing Rights**. Nothing in this License is intended to reduce, limit, or restrict any uses free from copyright or rights arising from limitations or exceptions that are provided for in connection with the copyright protection under copyright law or other applicable laws.
3) **License Grant**. Subject to the terms and conditions of this License, Licensor hereby grants You a worldwide, royalty-free, non-exclusive, perpetual (for the duration of the applicable copyright) license to exercise the rights in the Work as stated below:
a. to Reproduce the Work, to incorporate the Work into one or more Collections, and to Reproduce the Work as incorporated in the Collections;
b. to create and Reproduce Adaptations provided that any such Adaptation, including any translation in any medium, takes reasonable steps to clearly label, demarcate or otherwise identify that changes were made to the original Work. For example, a translation could be marked "The original work was translated from English to Spanish," or a modification could indicate "The original work has been modified.";
c. to Distribute and Publicly Perform the Work including as incorporated in Collections; and,
d. to Distribute and Publicly Perform Adaptations.
e. For the avoidance of doubt:
i. **Non-waivable Compulsory License Schemes**. In those jurisdictions in which the right to collect royalties through any statutory or compulsory licensing scheme cannot be waived, the Licensor reserves the exclusive right to collect such royalties for any exercise by You of the rights granted under this License;
ii. **Waivable Compulsory License Schemes**. In those jurisdictions in which the right to collect royalties through any statutory or compulsory licensing scheme can be waived, the Licensor waives the exclusive right to collect such royalties for any exercise by You of the rights granted under this License; and,
iii. **Voluntary License Schemes**. The Licensor waives the right to collect royalties, whether individually or, in the event that the Licensor is a member of a collecting society that administers voluntary licensing schemes, via that society, from any exercise by You of the rights granted under this License.
The above rights may be exercised in all media and formats whether now known or hereafter devised. The above rights include the right to make such modifications as are technically necessary to exercise the rights in other media and formats. Subject to Section 8(f), all rights not expressly granted by Licensor are hereby reserved.
4) **Restrictions**. The license granted in Section 3 above is expressly made subject to and limited by the following restrictions:
a. You may Distribute or Publicly Perform the Work only under the terms of this License. You must include a copy of, or the Uniform Resource Identifier (URI) for, this License with every copy of the Work You Distribute or Publicly Perform. You may not offer or impose any terms on the Work that restrict the terms of this License or the ability of the recipient of the Work to exercise the rights granted to that recipient under the terms of the License. You may not sublicense the Work. You must keep intact all notices that refer to this License and to the disclaimer of warranties with every copy of the Work You Distribute or Publicly Perform. When You Distribute or Publicly Perform the Work, You may not impose any effective technological measures on the Work that restrict the ability of a recipient of the Work from You to exercise the rights granted to that recipient under the terms of the License. This Section 4(a) applies to the Work as incorporated in a Collection, but this does not require the Collection apart from the Work itself to be made subject to the terms of this License. If You create a Collection, upon notice from any Licensor You must, to the extent practicable, remove from the Collection any credit as required by Section 4(b), as requested. If You create an Adaptation, upon notice from any Licensor You must, to the extent practicable, remove from the Adaptation any credit as required by Section 4(b), as requested.
b. If You Distribute, or Publicly Perform the Work or any Adaptations or Collections, You must, unless a request has been made pursuant to Section 4(a), keep intact all copyright notices for the Work and provide, reasonable to the medium or means You are utilizing: (i) the name of the Original Author (or pseudonym, if applicable) if supplied, and/or if the Original Author and/or Licensor designate another party or parties (e.g., a sponsor institute, publishing entity, journal) for attribution ("Attribution Parties") in Licensor's copyright notice, terms of service or by other reasonable means, the name of such party or parties; (ii) the title of the Work if supplied; (iii) to the extent reasonably practicable, the URI, if any, that Licensor specifies to be associated with the Work, unless such URI does not refer to the copyright notice or licensing information for the Work; and (iv) , consistent with Section 3(b), in the case of an Adaptation, a credit identifying the use of the Work in the Adaptation (e.g., "French translation of the Work by Original Author," or "Screenplay based on original Work by Original Author"). The credit required by this Section 4 (b) may be implemented in any reasonable manner; provided, however, that in the case of a Adaptation or Collection, at a minimum such credit will appear, if a credit for all contributing authors of the Adaptation or Collection appears, then as part of these credits and in a manner at least as prominent as the credits for the other contributing authors. 
For the avoidance of doubt, You may only use the credit required by this Section for the purpose of attribution in the manner set out above and, by exercising Your rights under this License, You may not implicitly or explicitly assert or imply any connection with, sponsorship or endorsement by the Original Author, Licensor and/or Attribution Parties, as appropriate, of You or Your use of the Work, without the separate, express prior written permission of the Original Author, Licensor and/or Attribution Parties.
c. Except as otherwise agreed in writing by the Licensor or as may be otherwise permitted by applicable law, if You Reproduce, Distribute or Publicly Perform the Work either by itself or as part of any Adaptations or Collections, You must not distort, mutilate, modify or take other derogatory action in relation to the Work which would be prejudicial to the Original Author's honor or reputation. Licensor agrees that in those jurisdictions (e.g. Japan), in which any exercise of the right granted in Section 3(b) of this License (the right to make Adaptations) would be deemed to be a distortion, mutilation, modification or other derogatory action prejudicial to the Original Author's honor and reputation, the Licensor will waive or not assert, as appropriate, this Section, to the fullest extent permitted by the applicable national law, to enable You to reasonably exercise Your right under Section 3(b) of this License (right to make Adaptations) but not otherwise.
5) **Representations, Warranties and Disclaimer**
UNLESS OTHERWISE MUTUALLY AGREED TO BY THE PARTIES IN WRITING, LICENSOR OFFERS THE WORK AS-IS AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND CONCERNING THE WORK, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING, WITHOUT LIMITATION, WARRANTIES OF TITLE, MERCHANTIBILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR THE ABSENCE OF LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OF ABSENCE OF ERRORS, WHETHER OR NOT DISCOVERABLE. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO SUCH EXCLUSION MAY NOT APPLY TO YOU.
6) **Limitation on Liability**. EXCEPT TO THE EXTENT REQUIRED BY APPLICABLE LAW, IN NO EVENT WILL LICENSOR BE LIABLE TO YOU ON ANY LEGAL THEORY FOR ANY SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR EXEMPLARY DAMAGES ARISING OUT OF THIS LICENSE OR THE USE OF THE WORK, EVEN IF LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
7) **Termination**
a. This License and the rights granted hereunder will terminate automatically upon any breach by You of the terms of this License. Individuals or entities who have received Adaptations or Collections from You under this License, however, will not have their licenses terminated provided such individuals or entities remain in full compliance with those licenses. Sections 1, 2, 5, 6, 7, and 8 will survive any termination of this License.
b. Subject to the above terms and conditions, the license granted here is perpetual (for the duration of the applicable copyright in the Work). Notwithstanding the above, Licensor reserves the right to release the Work under different license terms or to stop distributing the Work at any time; provided, however that any such election will not serve to withdraw this License (or any other license that has been, or is required to be, granted under the terms of this License), and this License will continue in full force and effect unless terminated as stated above.
8) **Miscellaneous**
a. Each time You Distribute or Publicly Perform the Work or a Collection, the Licensor offers to the recipient a license to the Work on the same terms and conditions as the license granted to You under this License.
b. Each time You Distribute or Publicly Perform an Adaptation, Licensor offers to the recipient a license to the original Work on the same terms and conditions as the license granted to You under this License.
c. If any provision of this License is invalid or unenforceable under applicable law, it shall not affect the validity or enforceability of the remainder of the terms of this License, and without further action by the parties to this agreement, such provision shall be reformed to the minimum extent necessary to make such provision valid and enforceable.
d. No term or provision of this License shall be deemed waived and no breach consented to unless such waiver or consent shall be in writing and signed by the party to be charged with such waiver or consent.
e. This License constitutes the entire agreement between the parties with respect to the Work licensed here. There are no understandings, agreements or representations with respect to the Work not specified here. Licensor shall not be bound by any additional provisions that may appear in any communication from You. This License may not be modified without the mutual written agreement of the Licensor and You.
f. The rights granted under, and the subject matter referenced, in this License were drafted utilizing the terminology of the Berne Convention for the Protection of Literary and Artistic Works (as amended on September 28, 1979), the Rome Convention of 1961, the WIPO Copyright Treaty of 1996, the WIPO Performances and Phonograms Treaty of 1996 and the Universal Copyright Convention (as revised on July 24, 1971). These rights and subject matter take effect in the relevant jurisdiction in which the License terms are sought to be enforced according to the corresponding provisions of the implementation of those treaty provisions in the applicable national law. If the standard suite of rights granted under applicable copyright law includes additional rights not granted under this License, such additional rights are deemed to be included in the License; this License is not intended to restrict the license of any rights under applicable law.
================================================
FILE: docs/licenses/Community-Spec-1.0.md
================================================
# Community Specification License 1.0
**The Purpose of this License.** This License sets forth the terms under which 1) Contributor will participate in and contribute to the development of specifications, standards, best practices, guidelines, and other similar materials under this Working Group, and 2) how the materials developed under this License may be used. It is not intended for source code. Capitalized terms are defined in the License’s last section.
**1. Copyright.**
**1.1. Copyright License.** Contributor grants everyone a non-sublicensable, perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as expressly stated in this License) copyright license, without any obligation for accounting, to reproduce, prepare derivative works of, publicly display, publicly perform, and distribute any materials it submits to the full extent of its copyright interest in those materials. Contributor also acknowledges that the Working Group may exercise copyright rights in the Specification, including the rights to submit the Specification to another standards organization.
**1.2. Copyright Attribution.** As a condition, anyone exercising this copyright license must include attribution to the Working Group in any derivative work based on materials developed by the Working Group. That attribution must include, at minimum, the material’s name, version number, and source from where the materials were retrieved. Attribution is not required for implementations of the Specification.
**2. Patents.**
**2.1. Patent License.**
**2.1.1. As a Result of Contributions.**
**2.1.1.1. As a Result of Contributions to Draft Specifications.** Contributor grants Licensee a non-sublicensable, perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as expressly stated in this License) license to its Necessary Claims in 1) Contributor’s Contributions and 2) to the Draft Specification that is within Scope as of the date of that Contribution, in both cases for Licensee’s Implementation of the Draft Specification, except for those patent claims excluded by Contributor under Section 3.
**2.1.1.2. For Approved Specifications.** Contributor grants Licensee a non-sublicensable, perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as expressly stated in this License) license to its Necessary Claims included the Approved Specification that are within Scope for Licensee’s Implementation of the Approved Specification, except for those patent claims excluded by Contributor under Section 3.
**2.1.2. Patent Grant from Licensee.** Licensee grants each other Licensee a non-sublicensable, perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as expressly stated in this License) license to its Necessary Claims for its Implementation, except for those patent claims excluded under Section 3.
**2.1.3. Licensee Acceptance.** The patent grants set forth in Section 2.1 extend only to Licensees that have indicated their agreement to this License as follows:
**2.1.3.1. Source Code Distributions.** For distribution in source code, by including this License in the root directory of the source code with the Implementation;
**2.1.3.2. Non-Source Code Distributions.** For distribution in any form other than source code, by including this License in the documentation, legal notices, via notice in the software, and/or other written materials provided with the Implementation; or
**2.1.3.3. Via Notices.md.** By issuing pull request or commit to the Specification’s repository’s Notices.md file by the Implementer’s authorized representative, including the Implementer’s name, authorized individual and system identifier, and Specification version.
**2.1.4. Defensive Termination.** If any Licensee files or maintains a claim in a court asserting that a Necessary Claim is infringed by an Implementation, any licenses granted under this License to the Licensee are immediately terminated unless 1) that claim is directly in response to a claim against Licensee regarding an Implementation, or 2) that claim was brought to enforce the terms of this License, including intervention in a third-party action by a Licensee.
**2.1.5. Additional Conditions.** This License is not an assurance (i) that any of Contributor’s copyrights or issued patent claims cover an Implementation of the Specification or are enforceable or (ii) that an Implementation of the Specification would not infringe intellectual property rights of any third party.
**2.2. Patent Licensing Commitment.** In addition to the rights granted in Section 2.1, Contributor agrees to grant everyone a no charge, royalty-free license on reasonable and non-discriminatory terms to Contributor’s Necessary Claims that are within Scope for:
1) Implementations of a Draft Specification, where such license applies only to those Necessary Claims infringed by implementing Contributor's Contribution(s) included in that Draft Specification, and
2) Implementations of the Approved Specification.
This patent licensing commitment does not apply to those claims subject to Contributor’s Exclusion Notice under Section 3.
**2.3. Effect of Withdrawal.** Contributor may withdraw from the Working Group by issuing a pull request or commit providing notice of withdrawal to the Working Group repository’s Notices.md file. All of Contributor’s existing commitments and obligations with respect to the Working Group up to the date of that withdrawal notice will remain in effect, but no new obligations will be incurred.
**2.4. Binding Encumbrance.** This License is binding on any future owner, assignee, or party who has been given the right to enforce any Necessary Claims against third parties.
**3. Patent Exclusion.**
**3.1. As a Result of Contributions.** Contributor may exclude Necessary Claims from its licensing commitments incurred under Section 2.1.1 by issuing an Exclusion Notice within 45 days of the date of that Contribution. Contributor may not issue an Exclusion Notice for any material that has been included in a Draft Deliverable for more than 45 days prior to the date of that Contribution.
**3.2. As a Result of a Draft Specification Becoming an Approved Specification.** Prior to the adoption of a Draft Specification as an Approved Specification, Contributor may exclude Necessary Claims from its licensing commitments under this Agreement by issuing an Exclusion Notice. Contributor may not issue an Exclusion Notice for patents that were eligible to have been excluded pursuant to Section 3.1.
**4. Source Code License.** Any source code developed by the Working Group is solely subject the source code license included in the Working Group’s repository for that code. If no source code license is included, the source code will be
SYMBOL INDEX (6 symbols across 2 files)
FILE: bin/pull-license-list.py
function get_json (line 28) | def get_json(url):
function format_table (line 33) | def format_table(headers, rows):
function format_license_table (line 49) | def format_license_table(license_list):
function format_deprecated_license_table (line 67) | def format_deprecated_license_table(license_list):
function format_exception_table (line 84) | def format_exception_table(exception_list):
FILE: setup.py
function read (line 9) | def read(fname):
[
{
"path": ".github/dependabot.yml",
"chars": 345,
"preview": "# SPDX-License-Identifier: MIT\n# SPDX-FileCopyrightText: Copyright 2024 The SPDX Contributors\n\nversion: 2\nupdates:\n- pac"
},
{
"path": ".github/workflows/publish_common.yml",
"chars": 2173,
"preview": "# Publish pre-3.0 specs (spec versions that do not require spec-parser)\n# This workflow can be triggered manually or by "
},
{
"path": ".github/workflows/publish_v3.yml",
"chars": 23356,
"preview": "# Publish SPDX specification to https://spdx.github.io/spdx-spec/\n#\n# This workflow is configured differently for the\n# "
},
{
"path": ".github/workflows/validate_examples.yml",
"chars": 845,
"preview": "on:\n pull_request:\n paths:\n - 'examples/**/*.json'\n - 'docs/annexes/*.md'\n push:\n paths:\n - 'exam"
},
{
"path": ".github/workflows/validate_pull_request.yml",
"chars": 806,
"preview": "on: pull_request\n\njobs:\n validate:\n name: Validate build\n runs-on: ubuntu-latest\n steps:\n - name: Checkout "
},
{
"path": ".gitignore",
"chars": 480,
"preview": "# Generated files for model\ndocs/model/\ndocs/rdf/\n\n# GitBook directory and generated docs\n_book/\n*.epub\n*.mobi\n*.pdf\n\n# "
},
{
"path": "CHANGELOG.md",
"chars": 8560,
"preview": "# Change log\n\nAll notable changes to this project will be documented in this file.\n\n## 3.0.1 (2024-12-17)\n\n* Changes in "
},
{
"path": "CONTRIBUTING.md",
"chars": 3966,
"preview": "# Contributing\n\nThe SPDX specification is maintained by the SPDX [legal][spdx-legal] and\n[tech][spdx-tech] teams.\nDesign"
},
{
"path": "LICENSE",
"chars": 35886,
"preview": "The SPDX Specification is provided under the Community Specification License 1.0 (Community-Spec-1.0), a copy of which i"
},
{
"path": "README.md",
"chars": 5419,
"preview": "# The System Package Data Exchange™ (SPDX®) Specification\n\nThe System Package Data Exchange™ (SPDX®) specification is an"
},
{
"path": "bin/check-examples.sh",
"chars": 3310,
"preview": "#! /bin/bash\n#\n# Validates SPDX example, both in separate files and inline in the\n# documentation\n#\n# SPDX-License-Ident"
},
{
"path": "bin/make-mkdocs-config.sh",
"chars": 1710,
"preview": "#! /bin/sh\n#\n# SPDX-License-Identifier: MIT\n#\n# Finds MODEL_PLACEHOLDER string in BASE_YML,\n# replaces it with the conte"
},
{
"path": "bin/pull-license-list.py",
"chars": 4864,
"preview": "#!/usr/bin/env python3\n#\n# Automatically update the license- and exception-list Markdown based\n# on the currently-live J"
},
{
"path": "build.md",
"chars": 7499,
"preview": "---\nSPDX-FileType: DOCUMENTATION\nSPDX-License-Identifier: Community-Spec-1.0\n---\n\n# Building the specification website\n\n"
},
{
"path": "docs/annexes/class-hierarchy.md",
"chars": 34,
"preview": "# Class hierarchy (Informational)\n"
},
{
"path": "docs/annexes/license-matching-guidelines-and-templates.md",
"chars": 13447,
"preview": "# SPDX License List matching guidelines and templates (Normative)\n\n## SPDX License List matching guidelines\n\nThe SPDX Li"
},
{
"path": "docs/annexes/pkg-url-specification.md",
"chars": 16294,
"preview": "# Package URL specification v1 (Normative)\n\n## Introduction\n\nThe Package URL core specification defines a versioned and "
},
{
"path": "docs/annexes/rdf-model.md",
"chars": 2339,
"preview": "# RDF model definition and diagrams (Informative)\n\n## Model definition\n\nThe SPDX RDF ontology is expressed in RDF/OWL/SH"
},
{
"path": "docs/annexes/spdx-license-expressions.md",
"chars": 10695,
"preview": "# SPDX license expressions (Normative)\n\n## Overview\n\nOften a single license can be used to represent the licensing terms"
},
{
"path": "docs/annexes/spdx-lite.md",
"chars": 4329,
"preview": "# SPDX Lite (Normative)\n\n## Explanation of the Lite profile\n\nThe Lite profile is designed to make it quick and easy to s"
},
{
"path": "docs/conformance.md",
"chars": 13060,
"preview": "# Conformance\n\n## Alternate notation for some conformance requirements\n\nThis document contains more than a few cardinali"
},
{
"path": "docs/css/style.css",
"chars": 6811,
"preview": ".wy-side-nav-search {\n background: rgb(250, 250, 250);\n padding: 0 0.809em 0 0.809em;\n width: 100%;\n max-width: 350p"
},
{
"path": "docs/front/copyright.md",
"chars": 1106,
"preview": "# Use of specification - terms, conditions & notices\n\nCopyright © 2010–2026, The Linux Foundation and its Contributors,\n"
},
{
"path": "docs/front/introduction.md",
"chars": 3233,
"preview": "# Introduction\n\nCompanies and organizations (collectively “Organizations”) are widely using and\nreusing open source and "
},
{
"path": "docs/index.md",
"chars": 1973,
"preview": "# The System Package Data Exchange™ (SPDX®) Specification Version 3.1-dev\n\nCopyright © 2010-2026, The Linux Foundation a"
},
{
"path": "docs/licenses/CC-BY-3.0.md",
"chars": 17032,
"preview": "# Creative Commons Attribution License 3.0 Unported\n\n**License**\n\nTHE WORK (AS DEFINED BELOW) IS PROVIDED UNDER THE TERM"
},
{
"path": "docs/licenses/Community-Spec-1.0.md",
"chars": 16023,
"preview": "# Community Specification License 1.0\n\n**The Purpose of this License.** This License sets forth the terms under which 1"
},
{
"path": "docs/references.md",
"chars": 10843,
"preview": "# References\n\n## Normative references\n\nThe following documents are referred to in the text in such a way that some or\nal"
},
{
"path": "docs/scope.md",
"chars": 953,
"preview": "# Scope\n\nThe System Package Data Exchange™ (SPDX®) specification defines an open standard\nfor communicating bill of mate"
},
{
"path": "docs/serializations.md",
"chars": 6149,
"preview": "# Model and serializations\n\n## Overview\n\nThis document defines the data model of the SPDX standard, describing\nevery pie"
},
{
"path": "docs/symbols.md",
"chars": 1633,
"preview": "# Symbols\n\nList of symbols/abbreviations.\n\n| | |\n| - | - |\n| 3T-SBOM | Tool-to-Tool Software Bill of Materials Exchange "
},
{
"path": "docs/terms-and-definitions.md",
"chars": 3884,
"preview": "# Terms and definitions\n\nISO and IEC maintain terminological databases for use in standardization\nat the following addre"
},
{
"path": "etc/redirect-map.csv",
"chars": 2358,
"preview": "introduction,front/introduction\nnormative-references,references\nbibliography,references\nannexes/diffs-from-previous-edit"
},
{
"path": "etc/redirect-template.html",
"chars": 462,
"preview": "<!DOCTYPE html>\n<html>\n<head>\n <meta charset=\"utf-8\">\n <title>Redirecting</title>\n <noscript>\n <meta http-equiv=\"r"
},
{
"path": "examples/README.md",
"chars": 833,
"preview": "# Examples\n\nThe JSONLD directory contains 2 files:\n\n- package_sbom.json - An example of an SBOM containing a single pack"
},
{
"path": "examples/jsonld/package_sbom.json",
"chars": 3370,
"preview": "{\n \"@context\": \"https://spdx.org/rdf/3.0.1/spdx-context.jsonld\",\n \"@graph\": [\n {\n \"type\": \"Creat"
},
{
"path": "examples/jsonld/spdx-full-example.json",
"chars": 38766,
"preview": "{\n \"@context\" : \"https://spdx.org/rdf/3.0.1/spdx-context.jsonld\",\n \"@graph\" : [ {\n \"@id\" : \"_:creationInfo_0\",\n "
},
{
"path": "mkdocs.yml",
"chars": 2806,
"preview": "site_name: SPDX Specification 3.1-dev\nsite_description: The System Package Data Exchange™ (SPDX®) Specification Version "
},
{
"path": "rdf/spdx-context.jsonld",
"chars": 36127,
"preview": "{\n \"@context\": {\n \"Agent\": \"https://spdx.org/rdf/3.0.1/terms/Core/Agent\",\n \"Annotation\": \"https://spdx.org/rdf/3."
},
{
"path": "rdf/spdx-model.hext",
"chars": 657158,
"preview": "[\"_:N2a72f2e0c3d44dd5ac4c0633f336d556\", \"http://www.w3.org/ns/shacl#path\", \"https://spdx.org/rdf/3.0.1/terms/Dataset/sen"
},
{
"path": "rdf/spdx-model.json-ld",
"chars": 458258,
"preview": "[\n {\n \"@id\": \"https://spdx.org/rdf/3.0.1/terms/Dataset/DatasetAvailabilityType/registration\",\n \"@type\": [\n \""
},
{
"path": "rdf/spdx-model.longturtle",
"chars": 212609,
"preview": "PREFIX dcterms: <http://purl.org/dc/terms/>\nPREFIX ns1: <https://spdx.org/rdf/3.0.1/terms/Core/>\nPREFIX omg-ann: <https:"
},
{
"path": "rdf/spdx-model.n3",
"chars": 195794,
"preview": "@prefix dcterms: <http://purl.org/dc/terms/> .\n@prefix ns1: <https://spdx.org/rdf/3.0.1/terms/Core/> .\n@prefix omg-ann: "
},
{
"path": "rdf/spdx-model.nt",
"chars": 545506,
"preview": "_:N2a72f2e0c3d44dd5ac4c0633f336d556 <http://www.w3.org/ns/shacl#path> <https://spdx.org/rdf/3.0.1/terms/Dataset/sensor> "
},
{
"path": "rdf/spdx-model.pretty-xml",
"chars": 327021,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<rdf:RDF\n xmlns:owl=\"http://www.w3.org/2002/07/owl#\"\n xmlns:dcterms=\"http://pur"
},
{
"path": "rdf/spdx-model.trig",
"chars": 235471,
"preview": "@prefix dcterms: <http://purl.org/dc/terms/> .\n@prefix ns1: <https://spdx.org/rdf/3.0.1/terms/Core/> .\n@prefix ns2: <htt"
},
{
"path": "rdf/spdx-model.ttl",
"chars": 179847,
"preview": "@prefix dcterms: <http://purl.org/dc/terms/> .\n@prefix ns1: <https://spdx.org/rdf/3.0.1/terms/Core/> .\n@prefix ns2: <htt"
},
{
"path": "rdf/spdx-model.xml",
"chars": 409548,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<rdf:RDF\n xmlns:dcterms=\"http://purl.org/dc/terms/\"\n xmlns:ns1=\"https://spdx."
},
{
"path": "requirements.txt",
"chars": 93,
"preview": "mike==2.1.4\nmkdocs==1.6.1\n# mkdocs-pdf-export-plugin==0.5.10\nPyYAML==6.0.3\nshacl2code==1.0.0\n"
},
{
"path": "serialization/jsonld/annotations.ttl",
"chars": 238,
"preview": "@base <https://spdx.org/rdf/3.1/terms/> .\n@prefix sh-to-code: <https://jpewdev.github.io/shacl2code/schema#> .\n\n<Core/El"
},
{
"path": "setup.py",
"chars": 1107,
"preview": "# -*- coding: utf-8 -*-\nimport os\nfrom setuptools import setup\n\nwith open('requirements.txt') as f:\n required = f.rea"
},
{
"path": "submissions/ISO/README.md",
"chars": 676,
"preview": "# ISO submission\n\nHere are files that are only relevant to the production of the PDF\nthat will be submitted to ISO.\n\nThe"
},
{
"path": "submissions/ISO/annexes/changes-from-previous-iso.md",
"chars": 433,
"preview": "# Changes from the previous version\n\n## Overview\n\nThe previous published version of this document was ISO/IEC 5962:2021("
},
{
"path": "submissions/ISO/front/iso-foreword.md",
"chars": 2975,
"preview": "# Foreword\n\nISO (the International Organization for Standardization) and IEC (the\nInternational Electrotechnical Commiss"
},
{
"path": "submissions/OMG/README.md",
"chars": 704,
"preview": "# OMG submission\n\nHere are files that are only relevant to the production of the PDF\nthat will be submitted to OMG.\n\nThe"
},
{
"path": "submissions/OMG/annexes/omg-history.md",
"chars": 9178,
"preview": "# History with OMG, Motivation and Rational (Informative)\n\nThe OMG and CISQ involvement in developing this document had "
},
{
"path": "submissions/OMG/front/cover.md",
"chars": 71,
"preview": "\n# The System Package Data Exchange (SPDX) Specification Version 3.0.1\n"
},
{
"path": "submissions/OMG/front/omg-preface.md",
"chars": 2273,
"preview": "# Preface\n\n## OMG\n\nFounded in 1989, the Object Management Group, Inc. (OMG) is an open membership,\nnot-for-profit comput"
},
{
"path": "submissions/OMG/front/second-page.md",
"chars": 1180,
"preview": "# The System Package Data Exchange™ (SPDX®) Specification Version 3.0.1\n\nCopyright © 2010-2024, The Linux Foundation and"
},
{
"path": "submissions/OMG/people.md",
"chars": 1797,
"preview": "# Additional information\n\n## Author acknowledgements\n\nThe following people authored this document:\n\nAdam Cohn,\nAdolfo Ga"
},
{
"path": "submissions/README.md",
"chars": 184,
"preview": "# Submissions\n\nThis directory holds content relevant to the submissions\nof the Specification to various organizations.\n\n"
}
]