diff --git a/README.md b/README.md index a7e5376bc9ff8..e6f7a843d930a 100644 --- a/README.md +++ b/README.md @@ -732,7 +732,7 @@ following formats are supported (reporter names are case-insensitive): * Customizable with [Apache Freemarker](https://freemarker.apache.org/) templates * Opossum input that can be visualized and edited in the [OpossumUI](https://github.com/opossum-tool/opossumUI) (`-f Opossum`) -* [SPDX Document](https://spdx.dev/specifications/), version 2.2 (`-f SpdxDocument`) +* [SPDX Document](https://spdx.dev/specifications/), version 2.3 (`-f SpdxDocument`) * Static HTML (`-f StaticHtml`) * [TrustSource](https://www.trustsource.io/) JSON file (`-f TrustSource`) * Use this as an alternative to [ts-scan](https://github.com/TrustSource/ts-scan) for support of more build systems. diff --git a/plugins/reporters/spdx/src/funTest/assets/spdx-document-reporter-expected-output.spdx.json b/plugins/reporters/spdx/src/funTest/assets/spdx-document-reporter-expected-output.spdx.json index a7002a2047470..7fe12aaec4852 100644 --- a/plugins/reporters/spdx/src/funTest/assets/spdx-document-reporter-expected-output.spdx.json +++ b/plugins/reporters/spdx/src/funTest/assets/spdx-document-reporter-expected-output.spdx.json @@ -1,6 +1,6 @@ { "SPDXID" : "SPDXRef-DOCUMENT", - "spdxVersion" : "SPDX-2.2", + "spdxVersion" : "SPDX-2.3", "creationInfo" : { "comment" : "some creation info comment", "created" : "", @@ -39,7 +39,7 @@ "copyrightText" : "Copyright 2020 Some copyright holder in VCS\nCopyright 2020 Some copyright holder in source artifact\nCopyright 2020 Some other copyright holder in source artifact", "downloadLocation" : "https://some-host/first-package.jar", "externalRefs" : [ { - "referenceCategory" : "PACKAGE_MANAGER", + "referenceCategory" : "PACKAGE-MANAGER", "referenceType" : "purl", "referenceLocator" : "pkg:maven/first-package-group/first-package@0.0.1" } ], 
@@ -55,7 +55,7 @@ "copyrightText" : "Copyright 2020 Some copyright holder in VCS\nCopyright 2020 Some copyright holder in source artifact\nCopyright 2020 Some other copyright holder in source artifact", "downloadLocation" : "git+ssh://github.com/path/first-package-repo.git@deadbeef#project-path", "externalRefs" : [ { - "referenceCategory" : "PACKAGE_MANAGER", + "referenceCategory" : "PACKAGE-MANAGER", "referenceType" : "purl", "referenceLocator" : "pkg:maven/first-package-group/first-package@0.0.1" } ], @@ -80,7 +80,7 @@ "copyrightText" : "Copyright 2020 Some copyright holder in VCS\nCopyright 2020 Some copyright holder in source artifact\nCopyright 2020 Some other copyright holder in source artifact", "downloadLocation" : "https://some-host/first-package-sources.jar", "externalRefs" : [ { - "referenceCategory" : "PACKAGE_MANAGER", + "referenceCategory" : "PACKAGE-MANAGER", "referenceType" : "purl", "referenceLocator" : "pkg:maven/first-package-group/first-package@0.0.1" } ], @@ -96,7 +96,7 @@ "copyrightText" : "NONE", "downloadLocation" : "NONE", "externalRefs" : [ { - "referenceCategory" : "PACKAGE_MANAGER", + "referenceCategory" : "PACKAGE-MANAGER", "referenceType" : "purl", "referenceLocator" : "pkg:maven/fourth-package-group/fourth-package@0.0.1" } ], @@ -112,7 +112,7 @@ "copyrightText" : "NONE", "downloadLocation" : "NONE", "externalRefs" : [ { - "referenceCategory" : "PACKAGE_MANAGER", + "referenceCategory" : "PACKAGE-MANAGER", "referenceType" : "purl", "referenceLocator" : "pkg:maven/second-package-group/second-package@0.0.1" } ], @@ -128,7 +128,7 @@ "copyrightText" : "Copyright 2020 Some copyright holder in source artifact", "downloadLocation" : "NONE", "externalRefs" : [ { - "referenceCategory" : "PACKAGE_MANAGER", + "referenceCategory" : "PACKAGE-MANAGER", "referenceType" : "purl", "referenceLocator" : "pkg:maven/seventh-package-group/seventh-package@0.0.1" } ], 
@@ -148,7 +148,7 @@ "copyrightText" : "Copyright 2020 Some copyright holder in source artifact", "downloadLocation" : "https://some-host/seventh-package-sources.jar", "externalRefs" : [ { - "referenceCategory" : "PACKAGE_MANAGER", + "referenceCategory" : "PACKAGE-MANAGER", "referenceType" : "purl", "referenceLocator" : "pkg:maven/seventh-package-group/seventh-package@0.0.1" } ], @@ -169,7 +169,7 @@ "copyrightText" : "NONE", "downloadLocation" : "NONE", "externalRefs" : [ { - "referenceCategory" : "PACKAGE_MANAGER", + "referenceCategory" : "PACKAGE-MANAGER", "referenceType" : "purl", "referenceLocator" : "pkg:maven/sixth-package-group/sixth-package@0.0.1" } ], @@ -185,7 +185,7 @@ "copyrightText" : "NONE", "downloadLocation" : "NONE", "externalRefs" : [ { - "referenceCategory" : "PACKAGE_MANAGER", + "referenceCategory" : "PACKAGE-MANAGER", "referenceType" : "purl", "referenceLocator" : "pkg:maven/third-package-group/third-package@0.0.1" } ], diff --git a/plugins/reporters/spdx/src/funTest/assets/spdx-document-reporter-expected-output.spdx.yml b/plugins/reporters/spdx/src/funTest/assets/spdx-document-reporter-expected-output.spdx.yml index d3a2abeeec921..90a72cd0137ec 100644 --- a/plugins/reporters/spdx/src/funTest/assets/spdx-document-reporter-expected-output.spdx.yml +++ b/plugins/reporters/spdx/src/funTest/assets/spdx-document-reporter-expected-output.spdx.yml @@ -1,6 +1,6 @@ --- SPDXID: "SPDXRef-DOCUMENT" -spdxVersion: "SPDX-2.2" +spdxVersion: "SPDX-2.3" creationInfo: comment: "some creation info comment" created: "" @@ -49,7 +49,7 @@ packages: \ in source artifact" downloadLocation: "https://some-host/first-package.jar" externalRefs: - - referenceCategory: "PACKAGE_MANAGER" + - referenceCategory: "PACKAGE-MANAGER" referenceType: "purl" referenceLocator: "pkg:maven/first-package-group/first-package@0.0.1" filesAnalyzed: false 
@@ -67,7 +67,7 @@ packages: \ in source artifact" downloadLocation: "git+ssh://github.com/path/first-package-repo.git@deadbeef#project-path" externalRefs: - - referenceCategory: "PACKAGE_MANAGER" + - referenceCategory: "PACKAGE-MANAGER" referenceType: "purl" referenceLocator: "pkg:maven/first-package-group/first-package@0.0.1" filesAnalyzed: true @@ -95,7 +95,7 @@ packages: \ in source artifact" downloadLocation: "https://some-host/first-package-sources.jar" externalRefs: - - referenceCategory: "PACKAGE_MANAGER" + - referenceCategory: "PACKAGE-MANAGER" referenceType: "purl" referenceLocator: "pkg:maven/first-package-group/first-package@0.0.1" filesAnalyzed: false @@ -111,7 +111,7 @@ packages: copyrightText: "NONE" downloadLocation: "NONE" externalRefs: - - referenceCategory: "PACKAGE_MANAGER" + - referenceCategory: "PACKAGE-MANAGER" referenceType: "purl" referenceLocator: "pkg:maven/fourth-package-group/fourth-package@0.0.1" filesAnalyzed: false @@ -125,7 +125,7 @@ packages: copyrightText: "NONE" downloadLocation: "NONE" externalRefs: - - referenceCategory: "PACKAGE_MANAGER" + - referenceCategory: "PACKAGE-MANAGER" referenceType: "purl" referenceLocator: "pkg:maven/second-package-group/second-package@0.0.1" filesAnalyzed: false @@ -139,7 +139,7 @@ packages: copyrightText: "Copyright 2020 Some copyright holder in source artifact" downloadLocation: "NONE" externalRefs: - - referenceCategory: "PACKAGE_MANAGER" + - referenceCategory: "PACKAGE-MANAGER" referenceType: "purl" referenceLocator: "pkg:maven/seventh-package-group/seventh-package@0.0.1" filesAnalyzed: false @@ -156,7 +156,7 @@ packages: copyrightText: "Copyright 2020 Some copyright holder in source artifact" downloadLocation: "https://some-host/seventh-package-sources.jar" externalRefs: - - referenceCategory: "PACKAGE_MANAGER" + - referenceCategory: "PACKAGE-MANAGER" referenceType: "purl" referenceLocator: "pkg:maven/seventh-package-group/seventh-package@0.0.1" filesAnalyzed: true 
@@ -177,7 +177,7 @@ packages:
 copyrightText: "NONE"
 downloadLocation: "NONE"
 externalRefs:
- - referenceCategory: "PACKAGE_MANAGER"
+ - referenceCategory: "PACKAGE-MANAGER"
 referenceType: "purl"
 referenceLocator: "pkg:maven/sixth-package-group/sixth-package@0.0.1"
 filesAnalyzed: false
@@ -191,7 +191,7 @@ packages:
 copyrightText: "NONE"
 downloadLocation: "NONE"
 externalRefs:
- - referenceCategory: "PACKAGE_MANAGER"
+ - referenceCategory: "PACKAGE-MANAGER"
 referenceType: "purl"
 referenceLocator: "pkg:maven/third-package-group/third-package@0.0.1"
 filesAnalyzed: false
diff --git a/plugins/reporters/spdx/src/funTest/assets/spdx-schema.json b/plugins/reporters/spdx/src/funTest/assets/spdx-schema.json
index fad3372500f34..89d0c3b48a08d 100644
--- a/plugins/reporters/spdx/src/funTest/assets/spdx-schema.json
+++ b/plugins/reporters/spdx/src/funTest/assets/spdx-schema.json
@@ -1,7 +1,7 @@
 {
 "$schema" : "http://json-schema.org/draft-07/schema#",
- "$id" : "http://spdx.org/rdf/terms",
- "title" : "SPDX 2.2.2",
+ "$id" : "http://spdx.org/rdf/terms/2.3",
+ "title" : "SPDX 2.3",
 "type" : "object",
 "properties" : {
 "SPDXID" : {
@@ -46,15 +46,15 @@ "type" : "string" }, "created" : { - "description" : "Identify when the SPDX file was originally created. The date is to be specified according to combined date and time in UTC format as specified in ISO 8601 standard. This field is distinct from the fields in section 8, which involves the addition of information during a subsequent review.", + "description" : "Identify when the SPDX document was originally created. The date is to be specified according to combined date and time in UTC format as specified in ISO 8601 standard.", "type" : "string" }, "creators" : { - "description" : "Identify who (or what, in the case of a tool) created the SPDX file. If the SPDX file was created by an individual, indicate the person's name. If the SPDX file was created on behalf of a company or organization, indicate the entity name. If the SPDX file was created using a software tool, indicate the name and version for that tool. If multiple participants or tools were involved, use multiple instances of this field. Person name or organization name may be designated as “anonymous” if appropriate.", + "description" : "Identify who (or what, in the case of a tool) created the SPDX document. If the SPDX document was created by an individual, indicate the person's name. If the SPDX document was created on behalf of a company or organization, indicate the entity name. If the SPDX document was created using a software tool, indicate the name and version for that tool. If multiple participants or tools were involved, use multiple instances of this field. Person name or organization name may be designated as “anonymous” if appropriate.", "minItems" : 1, "type" : "array", "items" : { - "description" : "Identify who (or what, in the case of a tool) created the SPDX file. If the SPDX file was created by an individual, indicate the person's name. If the SPDX file was created on behalf of a company or organization, indicate the entity name. 
If the SPDX file was created using a software tool, indicate the name and version for that tool. If multiple participants or tools were involved, use multiple instances of this field. Person name or organization name may be designated as “anonymous” if appropriate.", + "description" : "Identify who (or what, in the case of a tool) created the SPDX document. If the SPDX document was created by an individual, indicate the person's name. If the SPDX document was created on behalf of a company or organization, indicate the entity name. If the SPDX document was created using a software tool, indicate the name and version for that tool. If multiple participants or tools were involved, use multiple instances of this field. Person name or organization name may be designated as “anonymous” if appropriate.", "type" : "string" } }, 
@@ -63,12 +63,12 @@ "type" : "string" } }, - "required" : [ "created" ], + "required" : [ "created", "creators" ], "additionalProperties" : false, "description" : "One instance is required for each SPDX file produced. It provides the necessary information for forward and backward compatibility for processing tools." }, "dataLicense" : { - "description" : "License expression for dataLicense. Compliance with the SPDX specification includes populating the SPDX fields therein with data related to such fields (\"SPDX-Metadata\"). The SPDX specification contains numerous fields where an SPDX document creator may provide relevant explanatory text in SPDX-Metadata. Without opining on the lawfulness of \"database rights\" (in jurisdictions where applicable), such explanatory text is copyrightable subject matter in most Berne Convention countries. By using the SPDX specification, or any portion hereof, you hereby agree that any copyright rights (as determined by your jurisdiction) in any SPDX-Metadata, including without limitation explanatory text, shall be subject to the terms of the Creative Commons CC0 1.0 Universal license. For SPDX-Metadata not containing any copyright rights, you hereby agree and acknowledge that the SPDX-Metadata is provided to you \"as-is\" and without any representations or warranties of any kind concerning the SPDX-Metadata, express, implied, statutory or otherwise, including without limitation warranties of title, merchantability, fitness for a particular purpose, non-infringement, or the absence of latent or other defects, accuracy, or the presence or absence of errors, whether or not discoverable, all to the greatest extent permissible under applicable law.", + "description" : "License expression for dataLicense. See SPDX Annex D for the license expression syntax. Compliance with the SPDX specification includes populating the SPDX fields therein with data related to such fields (\"SPDX-Metadata\"). 
The SPDX specification contains numerous fields where an SPDX document creator may provide relevant explanatory text in SPDX-Metadata. Without opining on the lawfulness of \"database rights\" (in jurisdictions where applicable), such explanatory text is copyrightable subject matter in most Berne Convention countries. By using the SPDX specification, or any portion hereof, you hereby agree that any copyright rights (as determined by your jurisdiction) in any SPDX-Metadata, including without limitation explanatory text, shall be subject to the terms of the Creative Commons CC0 1.0 Universal license. For SPDX-Metadata not containing any copyright rights, you hereby agree and acknowledge that the SPDX-Metadata is provided to you \"as-is\" and without any representations or warranties of any kind concerning the SPDX-Metadata, express, implied, statutory or otherwise, including without limitation warranties of title, merchantability, fitness for a particular purpose, non-infringement, or the absence of latent or other defects, accuracy, or the presence or absence of errors, whether or not discoverable, all to the greatest extent permissible under applicable law.", "type" : "string" }, "externalDocumentRefs" : { @@ -83,7 +83,7 @@ "algorithm" : { "description" : "Identifies the algorithm used to produce the subject Checksum. Currently, SHA-1 is the only supported algorithm. It is anticipated that other algorithms will be supported at a later time.", "type" : "string", - "enum" : [ "SHA256", "SHA1", "SHA384", "MD2", "MD4", "SHA512", "MD6", "MD5", "SHA224" ] + "enum" : [ "SHA1", "BLAKE3", "SHA3-384", "SHA256", "SHA384", "BLAKE2b-512", "BLAKE2b-256", "SHA3-512", "MD2", "ADLER32", "MD4", "SHA3-256", "BLAKE2b-384", "SHA512", "MD6", "MD5", "SHA224" ] }, "checksumValue" : { "description" : "The checksumValue property provides a lower case hexidecimal encoded digest value produced using a specific algorithm.", 
@@ -158,11 +158,11 @@ } }, "extractedText" : { - "description" : "Verbatim license or licensing notice text that was discovered.", + "description" : "Provide a copy of the actual text of the license reference extracted from the package, file or snippet that is associated with the License Identifier to aid in future analysis.", "type" : "string" }, "licenseId" : { - "description" : "A human readable short form license identifier for a license. The license ID is either on the standard license list or the form \"LicenseRef-\"[idString] where [idString] is a unique string containing letters, numbers, \".\", \"-\" or \"+\".", + "description" : "A human readable short form license identifier for a license. The license ID is either on the standard license list or the form \"LicenseRef-[idString]\" where [idString] is a unique string containing letters, numbers, \".\" or \"-\". When used within a license expression, the license ID can optionally include a reference to an external document in the form \"DocumentRef-[docrefIdString]:LicenseRef-[idString]\" where docRefIdString is an ID for an external document reference.", "type" : "string" }, "name" : { @@ -199,12 +199,13 @@ "type" : "string" }, "reviewer" : { - "description" : "The name and, optionally, contact information of the person who performed the review. Values of this property must conform to the agent and tool syntax.", + "description" : "The name and, optionally, contact information of the person who performed the review. Values of this property must conform to the agent and tool syntax. The reviewer property is deprecated in favor of Annotation with an annotationType review.", "type" : "string" } }, "required" : [ "reviewDate" ], - "additionalProperties" : false + "additionalProperties" : false, + "description" : "This class has been deprecated in favor of an Annotation with an Annotation type of review." } }, "spdxVersion" : { 
@@ -269,6 +270,10 @@ "type" : "string" } }, + "builtDate" : { + "description" : "This field provides a place for recording the actual date the package was built.", + "type" : "string" + }, "checksums" : { "description" : "The checksum property provides a mechanism that can be used to verify that the contents of a File or Package have not changed.", "type" : "array", @@ -278,7 +283,7 @@ "algorithm" : { "description" : "Identifies the algorithm used to produce the subject Checksum. Currently, SHA-1 is the only supported algorithm. It is anticipated that other algorithms will be supported at a later time.", "type" : "string", - "enum" : [ "SHA256", "SHA1", "SHA384", "MD2", "MD4", "SHA512", "MD6", "MD5", "SHA224" ] + "enum" : [ "SHA1", "BLAKE3", "SHA3-384", "SHA256", "SHA384", "BLAKE2b-512", "BLAKE2b-256", "SHA3-512", "MD2", "ADLER32", "MD4", "SHA3-256", "BLAKE2b-384", "SHA512", "MD6", "MD5", "SHA224" ] }, "checksumValue" : { "description" : "The checksumValue property provides a lower case hexidecimal encoded digest value produced using a specific algorithm.", @@ -294,7 +299,7 @@ "type" : "string" }, "copyrightText" : { - "description" : "The text of copyright declarations recited in the Package or File.", + "description" : "The text of copyright declarations recited in the package, file or snippet.\n\nIf the copyrightText field is not present, it implies an equivalent meaning to NOASSERTION.", "type" : "string" }, "description" : { @@ -317,7 +322,7 @@ "referenceCategory" : { "description" : "Category for the external reference", "type" : "string", - "enum" : [ "OTHER", "PERSISTENT_ID", "SECURITY", "PACKAGE_MANAGER" ] + "enum" : [ "OTHER", "PERSISTENT-ID", "SECURITY", "PACKAGE-MANAGER" ] }, "referenceLocator" : { "description" : "The unique string with no spaces necessary to access the package-specific information, metadata, or content within the target location. The format of the locator is subject to constraints defined by the .", 
@@ -353,18 +358,18 @@ "type" : "string" }, "licenseConcluded" : { - "description" : "License expression for licenseConcluded. The licensing that the preparer of this SPDX document has concluded, based on the evidence, actually applies to the package.", + "description" : "License expression for licenseConcluded. See SPDX Annex D for the license expression syntax. The licensing that the preparer of this SPDX document has concluded, based on the evidence, actually applies to the SPDX Item.\n\nIf the licenseConcluded field is not present for an SPDX Item, it implies an equivalent meaning to NOASSERTION.", "type" : "string" }, "licenseDeclared" : { - "description" : "License expression for licenseDeclared. The licensing that the creators of the software in the package, or the packager, have declared. Declarations by the original software creator should be preferred, if they exist.", + "description" : "License expression for licenseDeclared. See SPDX Annex D for the license expression syntax. The licensing that the creators of the software in the package, or the packager, have declared. Declarations by the original software creator should be preferred, if they exist.", "type" : "string" }, "licenseInfoFromFiles" : { - "description" : "The licensing information that was discovered directly within the package. There will be an instance of this property for each distinct value of alllicenseInfoInFile properties of all files contained in the package.", + "description" : "The licensing information that was discovered directly within the package. There will be an instance of this property for each distinct value of alllicenseInfoInFile properties of all files contained in the package.\n\nIf the licenseInfoFromFiles field is not present for a package and filesAnalyzed property for that same pacakge is true or omitted, it implies an equivalent meaning to NOASSERTION.", "type" : "array", "items" : { - "description" : "License expression for licenseInfoFromFiles. 
The licensing information that was discovered directly within the package. There will be an instance of this property for each distinct value of alllicenseInfoInFile properties of all files contained in the package.", + "description" : "License expression for licenseInfoFromFiles. See SPDX Annex D for the license expression syntax. The licensing information that was discovered directly within the package. There will be an instance of this property for each distinct value of alllicenseInfoInFile properties of all files contained in the package.\n\nIf the licenseInfoFromFiles field is not present for a package and filesAnalyzed property for that same pacakge is true or omitted, it implies an equivalent meaning to NOASSERTION.", "type" : "string" } }, @@ -400,6 +405,15 @@ "additionalProperties" : false, "description" : "A manifest based verification code (the algorithm is defined in section 4.7 of the full specification) of the SPDX Item. This allows consumers of this data and/or database to determine if an SPDX item they have in hand is identical to the SPDX item from which the data was produced. This algorithm works even if the SPDX document is included in the SPDX item." }, + "primaryPackagePurpose" : { + "description" : "This field provides information about the primary purpose of the identified package. Package Purpose is intrinsic to how the package is being used rather than the content of the package.", + "type" : "string", + "enum" : [ "OTHER", "INSTALL", "ARCHIVE", "FIRMWARE", "APPLICATION", "FRAMEWORK", "LIBRARY", "CONTAINER", "SOURCE", "DEVICE", "OPERATING_SYSTEM", "FILE" ] + }, + "releaseDate" : { + "description" : "This field provides a place for recording the date the package was released.", + "type" : "string" + }, "sourceInfo" : { "description" : "Allows the producer(s) of the SPDX document to describe how the package was acquired and/or changed from the original source.", "type" : "string" 
@@ -412,12 +426,16 @@ "description" : "The name and, optionally, contact information of the person or organization who was the immediate supplier of this package to the recipient. The supplier may be different than originator when the software has been repackaged. Values of this property must conform to the agent and tool syntax.", "type" : "string" }, + "validUntilDate" : { + "description" : "This field provides a place for recording the end of the support period for a package from the supplier.", + "type" : "string" + }, "versionInfo" : { "description" : "Provides an indication of the version of the package that is described by this SpdxDocument.", "type" : "string" } }, - "required" : [ "SPDXID", "copyrightText", "downloadLocation", "licenseConcluded", "licenseDeclared", "name" ], + "required" : [ "SPDXID", "downloadLocation", "name" ], "additionalProperties" : false } }, @@ -484,7 +502,7 @@ "algorithm" : { "description" : "Identifies the algorithm used to produce the subject Checksum. Currently, SHA-1 is the only supported algorithm. It is anticipated that other algorithms will be supported at a later time.", "type" : "string", - "enum" : [ "SHA256", "SHA1", "SHA384", "MD2", "MD4", "SHA512", "MD6", "MD5", "SHA224" ] + "enum" : [ "SHA1", "BLAKE3", "SHA3-384", "SHA256", "SHA384", "BLAKE2b-512", "BLAKE2b-256", "SHA3-512", "MD2", "ADLER32", "MD4", "SHA3-256", "BLAKE2b-384", "SHA512", "MD6", "MD5", "SHA224" ] }, "checksumValue" : { "description" : "The checksumValue property provides a lower case hexidecimal encoded digest value produced using a specific algorithm.", @@ -500,7 +518,7 @@ "type" : "string" }, "copyrightText" : { - "description" : "The text of copyright declarations recited in the Package or File.", + "description" : "The text of copyright declarations recited in the package, file or snippet.\n\nIf the copyrightText field is not present, it implies an equivalent meaning to NOASSERTION.", "type" : "string" }, "fileContributors" : { 
@@ -512,9 +530,10 @@
 }
 },
 "fileDependencies" : {
+ "description" : "This field is deprecated since SPDX 2.0 in favor of using Section 7 which provides more granularity about relationships.",
 "type" : "array",
 "items" : {
- "description" : "SPDX ID for File",
+ "description" : "SPDX ID for File. This field is deprecated since SPDX 2.0 in favor of using Section 7 which provides more granularity about relationships.",
 "type" : "string"
 }
 },
@@ -536,15 +555,14 @@ "type" : "string" }, "licenseConcluded" : { - "description" : "License expression for licenseConcluded. The licensing that the preparer of this SPDX document has concluded, based on the evidence, actually applies to the package.", + "description" : "License expression for licenseConcluded. See SPDX Annex D for the license expression syntax. The licensing that the preparer of this SPDX document has concluded, based on the evidence, actually applies to the SPDX Item.\n\nIf the licenseConcluded field is not present for an SPDX Item, it implies an equivalent meaning to NOASSERTION.", "type" : "string" }, "licenseInfoInFiles" : { - "description" : "Licensing information that was discovered directly in the subject file. This is also considered a declared license for the file.", - "minItems" : 1, + "description" : "Licensing information that was discovered directly in the subject file. This is also considered a declared license for the file.\n\nIf the licenseInfoInFile field is not present for a file, it implies an equivalent meaning to NOASSERTION.", "type" : "array", "items" : { - "description" : "License expression for licenseInfoInFile. Licensing information that was discovered directly in the subject file. This is also considered a declared license for the file.", + "description" : "License expression for licenseInfoInFile. See SPDX Annex D for the license expression syntax. Licensing information that was discovered directly in the subject file. This is also considered a declared license for the file.\n\nIf the licenseInfoInFile field is not present for a file, it implies an equivalent meaning to NOASSERTION.", "type" : "string" } }, @@ -553,7 +571,7 @@ "type" : "string" } }, - "required" : [ "SPDXID", "copyrightText", "fileName", "licenseConcluded" ], + "required" : [ "SPDXID", "checksums", "fileName" ], "additionalProperties" : false } }, 
@@ -607,7 +625,7 @@
 "type" : "string"
 },
 "copyrightText" : {
- "description" : "The text of copyright declarations recited in the Package or File.",
+ "description" : "The text of copyright declarations recited in the package, file or snippet.\n\nIf the copyrightText field is not present, it implies an equivalent meaning to NOASSERTION.",
 "type" : "string"
 },
 "licenseComments" : {
@@ -615,14 +633,14 @@ "type" : "string" }, "licenseConcluded" : { - "description" : "License expression for licenseConcluded. The licensing that the preparer of this SPDX document has concluded, based on the evidence, actually applies to the package.", + "description" : "License expression for licenseConcluded. See SPDX Annex D for the license expression syntax. The licensing that the preparer of this SPDX document has concluded, based on the evidence, actually applies to the SPDX Item.\n\nIf the licenseConcluded field is not present for an SPDX Item, it implies an equivalent meaning to NOASSERTION.", "type" : "string" }, "licenseInfoInSnippets" : { - "description" : "Licensing information that was discovered directly in the subject snippet. This is also considered a declared license for the snippet.", + "description" : "Licensing information that was discovered directly in the subject snippet. This is also considered a declared license for the snippet.\n\nIf the licenseInfoInSnippet field is not present for a snippet, it implies an equivalent meaning to NOASSERTION.", "type" : "array", "items" : { - "description" : "License expression for licenseInfoInSnippet. Licensing information that was discovered directly in the subject snippet. This is also considered a declared license for the snippet.", + "description" : "License expression for licenseInfoInSnippet. See SPDX Annex D for the license expression syntax. Licensing information that was discovered directly in the subject snippet. This is also considered a declared license for the snippet.\n\nIf the licenseInfoInSnippet field is not present for a snippet, it implies an equivalent meaning to NOASSERTION.", "type" : "string" } }, @@ -685,7 +703,7 @@ "type" : "string" } }, - "required" : [ "SPDXID", "copyrightText", "licenseConcluded", "name", "snippetFromFile" ], + "required" : [ "SPDXID", "name", "ranges", "snippetFromFile" ], "additionalProperties" : false } }, 
@@ -709,7 +727,7 @@ "relationshipType" : { "description" : "Describes the type of relationship between two SPDX elements.", "type" : "string", - "enum" : [ "VARIANT_OF", "COPY_OF", "PATCH_FOR", "TEST_DEPENDENCY_OF", "CONTAINED_BY", "DATA_FILE_OF", "OPTIONAL_COMPONENT_OF", "ANCESTOR_OF", "GENERATES", "CONTAINS", "OPTIONAL_DEPENDENCY_OF", "FILE_ADDED", "DEV_DEPENDENCY_OF", "DEPENDENCY_OF", "BUILD_DEPENDENCY_OF", "DESCRIBES", "PREREQUISITE_FOR", "HAS_PREREQUISITE", "PROVIDED_DEPENDENCY_OF", "DYNAMIC_LINK", "DESCRIBED_BY", "METAFILE_OF", "DEPENDENCY_MANIFEST_OF", "PATCH_APPLIED", "RUNTIME_DEPENDENCY_OF", "TEST_OF", "TEST_TOOL_OF", "DEPENDS_ON", "FILE_MODIFIED", "DISTRIBUTION_ARTIFACT", "DOCUMENTATION_OF", "GENERATED_FROM", "STATIC_LINK", "OTHER", "BUILD_TOOL_OF", "TEST_CASE_OF", "PACKAGE_OF", "DESCENDANT_OF", "FILE_DELETED", "EXPANDED_FROM_ARCHIVE", "DEV_TOOL_OF", "EXAMPLE_OF" ] + "enum" : [ "VARIANT_OF", "COPY_OF", "PATCH_FOR", "TEST_DEPENDENCY_OF", "CONTAINED_BY", "DATA_FILE_OF", "OPTIONAL_COMPONENT_OF", "ANCESTOR_OF", "GENERATES", "CONTAINS", "OPTIONAL_DEPENDENCY_OF", "FILE_ADDED", "REQUIREMENT_DESCRIPTION_FOR", "DEV_DEPENDENCY_OF", "DEPENDENCY_OF", "BUILD_DEPENDENCY_OF", "DESCRIBES", "PREREQUISITE_FOR", "HAS_PREREQUISITE", "PROVIDED_DEPENDENCY_OF", "DYNAMIC_LINK", "DESCRIBED_BY", "METAFILE_OF", "DEPENDENCY_MANIFEST_OF", "PATCH_APPLIED", "RUNTIME_DEPENDENCY_OF", "TEST_OF", "TEST_TOOL_OF", "DEPENDS_ON", "SPECIFICATION_FOR", "FILE_MODIFIED", "DISTRIBUTION_ARTIFACT", "AMENDS", "DOCUMENTATION_OF", "GENERATED_FROM", "STATIC_LINK", "OTHER", "BUILD_TOOL_OF", "TEST_CASE_OF", "PACKAGE_OF", "DESCENDANT_OF", "FILE_DELETED", "EXPANDED_FROM_ARCHIVE", "DEV_TOOL_OF", "EXAMPLE_OF" ] } }, "required" : [ "spdxElementId", "relatedSpdxElement", "relationshipType" ], diff --git a/utils/spdx/src/main/kotlin/model/SpdxChecksum.kt b/utils/spdx/src/main/kotlin/model/SpdxChecksum.kt index ca66dff990890..42a7123fd61e4 100644 --- a/utils/spdx/src/main/kotlin/model/SpdxChecksum.kt 
+++ b/utils/spdx/src/main/kotlin/model/SpdxChecksum.kt
@@ -38,6 +38,11 @@ data class SpdxChecksum(
 }
 enum class Algorithm(val checksumHexDigits: Int) {
+ ADLER32(8),
+ BLAKE2B_256(64),
+ BLAKE2B_384(96),
+ BLAKE2B_512(128),
+ BLAKE3(64),
 MD2(32),
 MD4(32),
 MD5(32),
@@ -46,7 +51,10 @@ data class SpdxChecksum(
 SHA224(56),
 SHA256(64),
 SHA384(96),
- SHA512(128)
+ SHA512(128),
+ SHA3_256(64),
+ SHA3_384(96),
+ SHA3_512(128)
 }
 init {
diff --git a/utils/spdx/src/main/kotlin/model/SpdxDocument.kt b/utils/spdx/src/main/kotlin/model/SpdxDocument.kt
index 650578e4f0d96..ab0065d3492a7 100644
--- a/utils/spdx/src/main/kotlin/model/SpdxDocument.kt
+++ b/utils/spdx/src/main/kotlin/model/SpdxDocument.kt
@@ -28,13 +28,13 @@ import org.ossreviewtoolkit.utils.spdx.SpdxConstants.REF_PREFIX
 import org.ossreviewtoolkit.utils.spdx.SpdxLicense
 private const val SPDX_ID = "${REF_PREFIX}DOCUMENT"
-private const val SPDX_VERSION_MAJOR_MINOR = "SPDX-2.2"
+private const val SPDX_VERSION_MAJOR_MINOR = "SPDX-2.3"
 private val DATA_LICENSE = SpdxLicense.CC0_1_0.id
 /**
- * An SPDX document as specified by https://github.com/spdx/spdx-spec/tree/development/v2.2.1/chapters and
- * https://github.com/spdx/spdx-spec/blob/development/v2.2.1/examples/ in revision 947271b.
+ * An SPDX document as specified by https://spdx.github.io/spdx-spec/v2.3/ and
+ * https://github.com/spdx/spdx-spec/blob/v2.3/examples.
 */
 data class SpdxDocument(
 /**
diff --git a/utils/spdx/src/main/kotlin/model/SpdxExternalReference.kt b/utils/spdx/src/main/kotlin/model/SpdxExternalReference.kt
index a08cf672f6781..05ec9fae3f91c 100644
--- a/utils/spdx/src/main/kotlin/model/SpdxExternalReference.kt
+++ b/utils/spdx/src/main/kotlin/model/SpdxExternalReference.kt
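Review bot: The new constants `BLAKE2B_256`, `BLAKE2B_384`, `BLAKE2B_512`, `SHA3_256`, `SHA3_384` and `SHA3_512` will be written and read under their Kotlin names, but the SPDX 2.3 schema vendored in this same commit spells them `BLAKE2b-256`, `BLAKE2b-384`, `BLAKE2b-512`, `SHA3-256`, `SHA3-384` and `SHA3-512`, so unless Algorithm has a custom (de)serializer outside the hunk, documents carrying these checksums will fail schema validation on output and fail to parse on input. The commit already solves exactly this for `SpdxExternalReference.Category` with `@JsonProperty`; the same mapping belongs here (it needs `com.fasterxml.jackson.annotation.JsonProperty` imported), and both SpdxChecksum hunks are affected. A KDoc on the enum would also help consumers, e.g. `/** Digest algorithms SPDX 2.3 allows; ADLER32 and the MD* entries are not collision-resistant, so a match on them is interoperability data rather than integrity evidence. */`. The enclosing data class starts before the first hunk and its `init` block continues past the second.
```kotlin
enum class Algorithm(val checksumHexDigits: Int) {
    ADLER32(8),

    @JsonProperty("BLAKE2b-256")
    BLAKE2B_256(64),

    @JsonProperty("BLAKE2b-384")
    BLAKE2B_384(96),

    @JsonProperty("BLAKE2b-512")
    BLAKE2B_512(128),

    BLAKE3(64),
    // … unchanged: MD2 … SHA512 …

    @JsonProperty("SHA3-256")
    SHA3_256(64),

    @JsonProperty("SHA3-384")
    SHA3_384(96),

    @JsonProperty("SHA3-512")
    SHA3_512(128)
}
```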
@@ -19,7 +19,9 @@
 package org.ossreviewtoolkit.utils.spdx.model
+import com.fasterxml.jackson.annotation.JsonAlias
 import com.fasterxml.jackson.annotation.JsonInclude
+import com.fasterxml.jackson.annotation.JsonProperty
 import com.fasterxml.jackson.annotation.JsonValue
 import com.fasterxml.jackson.core.JsonParser
 import com.fasterxml.jackson.databind.DeserializationContext
@@ -44,8 +46,7 @@ data class SpdxExternalReference(
 val referenceCategory: Category,
 /**
- * The references type as specified by
- * https://github.com/spdx/spdx-spec/blob/master/chapters/appendix-VI-external-repository-identifiers.md.
+ * The references type as specified by https://spdx.github.io/spdx-spec/v2.3/external-repository-identifiers/.
 */
 @JsonDeserialize(using = ReferenceTypeDeserializer::class)
 val referenceType: Type,
@@ -58,8 +59,15 @@ data class SpdxExternalReference(
 ) {
 enum class Category {
 SECURITY,
+
+ @JsonAlias("PACKAGE_MANAGER")
+ @JsonProperty("PACKAGE-MANAGER")
 PACKAGE_MANAGER,
+
+ @JsonAlias("PERSISTENT_ID")
+ @JsonProperty("PERSISTENT-ID")
 PERSISTENT_ID,
+
 OTHER
 }
diff --git a/utils/spdx/src/main/kotlin/model/SpdxPackage.kt b/utils/spdx/src/main/kotlin/model/SpdxPackage.kt
index fb625d286b6d9..e05e4595a07e6 100644
--- a/utils/spdx/src/main/kotlin/model/SpdxPackage.kt
+++ b/utils/spdx/src/main/kotlin/model/SpdxPackage.kt
@@ -51,6 +51,12 @@ data class SpdxPackage(
 @JsonInclude(JsonInclude.Include.NON_EMPTY)
 val attributionTexts: List = emptyList(),
+ /**
+ * The actual date the package was built in "YYYY-MM-DDThh:mm:ssZ" format.
+ */
+ @JsonInclude(JsonInclude.Include.NON_NULL)
+ val builtDate: String? = null,
+
 /**
 * Checksums of the package.
 */
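Review bot: `builtDate` in the `SpdxPackage.kt` hunk is documented as `"YYYY-MM-DDThh:mm:ssZ"` but is a plain `String?` that nothing in the hunk validates, so any text a caller passes ends up in the generated document and only fails later, in downstream SPDX validation; the same applies to `releaseDate` and `validUntilDate` in the next two hunks of the same file. `SpdxPackage` already has an `init` block with a `require` for `spdxId` (visible in the following hunk), and a sibling check such as `require(builtDate == null || builtDate.matches(SPDX_DATE_REGEX)) { "The built date '$builtDate' has to be in 'YYYY-MM-DDThh:mm:ssZ' format." }` would enforce the documented contract at construction time, with `SPDX_DATE_REGEX` standing for a pattern constant the file would still need to define. The `@JsonAlias`/`@JsonProperty` pairs on `Category` would also read better with a one-line comment stating that the underscore spellings are accepted only for reading documents written by earlier versions, which the expected-output change in this commit suggests is the intent. The `SpdxPackage` constructor starts and ends outside this hunk.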
@@ -160,6 +166,18 @@ data class SpdxPackage(
 @JsonInclude(JsonInclude.Include.NON_NULL)
 val packageVerificationCode: SpdxPackageVerificationCode? = null,
+ /**
+ * This field provides information about the primary purpose of the identified package.
+ */
+ @JsonInclude(JsonInclude.Include.NON_NULL)
+ val primaryPackagePurpose: Purpose? = null,
+
+ /**
+ * The date the package was released in "YYYY-MM-DDThh:mm:ssZ" format.
+ */
+ @JsonInclude(JsonInclude.Include.NON_NULL)
+ val releaseDate: String? = null,
+
 /**
 * Any relevant background information or additional comments about the origin of the package.
 */
@@ -182,12 +200,36 @@ data class SpdxPackage(
 @JsonInclude(JsonInclude.Include.NON_NULL)
 val supplier: String? = null,
+ /**
+ * The end of the support period for a package from the supplier in "YYYY-MM-DDThh:mm:ssZ" format.
+ */
+ @JsonInclude(JsonInclude.Include.NON_NULL)
+ val validUntilDate: String? = null,
+
 /**
 * The version of the package.
 */
 @JsonInclude(JsonInclude.Include.NON_EMPTY)
 val versionInfo: String = ""
 ) {
+ /**
+ * The primary purpose how the package is being used (rather than the content of the package).
+ */
+ enum class Purpose {
+ APPLICATION,
+ ARCHIVE,
+ CONTAINER,
+ DEVICE,
+ FILE,
+ FIRMWARE,
+ FRAMEWORK,
+ INSTALL,
+ LIBRARY,
+ OPERATING_SYSTEM,
+ SOURCE,
+ OTHER
+ }
+
 init {
 require(spdxId.startsWith(SpdxConstants.REF_PREFIX)) {
 "The SPDX ID '$spdxId' has to start with '${SpdxConstants.REF_PREFIX}'."
diff --git a/utils/spdx/src/main/kotlin/model/SpdxRelationship.kt b/utils/spdx/src/main/kotlin/model/SpdxRelationship.kt
index b23237fa17cb5..db223c3af90f9 100644
--- a/utils/spdx/src/main/kotlin/model/SpdxRelationship.kt
+++ b/utils/spdx/src/main/kotlin/model/SpdxRelationship.kt
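Review bot: `Purpose.OPERATING_SYSTEM` in the second hunk has no `@JsonProperty`, so it is written as `OPERATING_SYSTEM`, whereas the SPDX 2.3 JSON schema lists the `primaryPackagePurpose` value as `OPERATING-SYSTEM`; this commit handles the identical problem for `Category` in `SpdxExternalReference.kt`, and the same pair `@JsonAlias("OPERATING_SYSTEM") @JsonProperty("OPERATING-SYSTEM") OPERATING_SYSTEM,` belongs here, assuming no custom serializer for `Purpose` exists outside this hunk. The doc comment on `Purpose` would also benefit from naming the spec section it mirrors, so the next value added gets its spelling checked against the schema rather than against Kotlin naming habits. The `init` block at the end of the hunk, where such a check would sit for the date fields, continues outside this view.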
@@ -225,11 +225,21 @@ data class SpdxRelationship(
 */
 PROVIDED_DEPENDENCY_OF,
+ /**
+ * Is to be used when SPDXRef-A describes, illustrates, or specifies a requirement statement for SPDXRef-B.
+ */
+ REQUIREMENT_DESCRIPTION_FOR,
+
 /**
 * Is to be used when SPDXRef-A is a dependency required for the execution of SPDXRef-B.
 */
 RUNTIME_DEPENDENCY_OF,
+ /**
+ * Is to be used when SPDXRef-A describes, illustrates, or defines a design specification for SPDXRef-B.
+ */
+ SPECIFICATION_FOR,
+
 /**
 * Is to be used when SPDXRef-A statically links to SPDXRef-B.
 */
diff --git a/utils/spdx/src/test/kotlin/model/SpdxDocumentTest.kt b/utils/spdx/src/test/kotlin/model/SpdxDocumentTest.kt
index 64f42888c18b6..395718a403e9d 100644
--- a/utils/spdx/src/test/kotlin/model/SpdxDocumentTest.kt
+++ b/utils/spdx/src/test/kotlin/model/SpdxDocumentTest.kt
@@ -33,10 +33,10 @@ import org.ossreviewtoolkit.utils.spdx.SpdxModelMapper
 import org.ossreviewtoolkit.utils.spdx.yamlMapper
 /**
- * This test uses the following test assets copied from the SPDX 2.2.1 specification examples.
+ * This test uses the following test assets copied from the SPDX 2.2 specification examples.
 *
- * 1. https://github.com/spdx/spdx-spec/blob/development/v2.2.1/examples/SPDXYAMLExample-2.2.spdx.yaml
- * 2. https://github.com/spdx/spdx-spec/blob/development/v2.2.1/examples/SPDXJSONExample-v2.2.spdx.json
+ * 1. https://github.com/spdx/spdx-spec/blob/v2.2.2/examples/SPDXYAMLExample-2.2.spdx.yaml
+ * 2. https://github.com/spdx/spdx-spec/blob/v2.2.2/examples/SPDXJSONExample-v2.2.spdx.json
 *
 * The "*-no-ranges.spdx.*" resource files have the "ranges" property removed, which is actually broken in the
 * specification and impossible to implement.
diff --git a/utils/spdx/src/test/kotlin/model/SpdxExternalReferenceTest.kt b/utils/spdx/src/test/kotlin/model/SpdxExternalReferenceTest.kt
new file mode 100644
index 0000000000000..c65c3b77c4335
--- /dev/null
+++ b/utils/spdx/src/test/kotlin/model/SpdxExternalReferenceTest.kt
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2023 The ORT Project Authors (see )
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+package org.ossreviewtoolkit.utils.spdx.model
+
+import io.kotest.assertions.json.shouldEqualJson
+import io.kotest.core.spec.style.WordSpec
+import io.kotest.matchers.collections.shouldContainExactly
+
+import org.ossreviewtoolkit.utils.spdx.SpdxModelMapper
+
+class SpdxExternalReferenceTest : WordSpec({
+ "Serializing a categories" should {
+ "use dashes in names" {
+ SpdxModelMapper.toJson(SpdxExternalReference.Category.entries) shouldEqualJson """
+ [
+ "SECURITY",
+ "PACKAGE-MANAGER",
+ "PERSISTENT-ID",
+ "OTHER"
+ ]
+ """.trimIndent()
+ }
+ }
+
+ "Deserializing a categories" should {
+ "accept dashes in names" {
+ SpdxModelMapper.fromJson>(
+ """
+ [
+ "SECURITY",
+ "PACKAGE-MANAGER",
+ "PERSISTENT-ID",
+ "OTHER"
+ ]
+ """.trimIndent()
+ ) shouldContainExactly SpdxExternalReference.Category.entries
+ }
+
+ "accept underscores in names" {
+ SpdxModelMapper.fromJson>(
+ """
+ [
+ "SECURITY",
+ "PACKAGE_MANAGER",
+ "PERSISTENT_ID",
+ "OTHER"
+ ]
+ """.trimIndent()
+ ) shouldContainExactly SpdxExternalReference.Category.entries
+ }
+ }
+})
diff --git a/website/docs/tools/reporter.md b/website/docs/tools/reporter.md
index e75447ff9672a..37cf57fc34bf0 100644
--- a/website/docs/tools/reporter.md
+++ b/website/docs/tools/reporter.md
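Review bot: The spec names `"Serializing a categories"` and `"Deserializing a categories"` pair a singular article with a plural noun; `"Serializing categories"` and `"Deserializing categories"` read correctly. The suite pins the dashed spellings for `Category` only, while the same commit also extends `SpdxChecksum.Algorithm` and introduces `SpdxPackage.Purpose`; a parallel `shouldEqualJson` case for those two enums would catch a Kotlin-name-versus-SPDX-2.3-value mismatch (for instance `SHA3_256` against `SHA3-256`) before it reaches generated documents. A negative case feeding `fromJson` an unknown category string would also pin down whether such input is rejected or silently mapped, which matters for anyone consuming third-party SPDX documents through this model.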
@@ -31,7 +31,7 @@ following formats are supported (reporter names are case-insensitive):
 * Customizable with [Apache Freemarker](https://freemarker.apache.org/) templates
 * Opossum input that can be visualized and edited in the [OpossumUI](https://github.com/opossum-tool/opossumUI) (`-f Opossum`)
-* [SPDX Document](https://spdx.dev/specifications/), version 2.2 (`-f SpdxDocument`)
+* [SPDX Document](https://spdx.dev/specifications/), version 2.3 (`-f SpdxDocument`)
 * Static HTML (`-f StaticHtml`)
 * [TrustSource](https://www.trustsource.io/) JSON file (`-f TrustSource`)
 * Use this as an alternative to [ts-scan](https://github.com/TrustSource/ts-scan) for support of more build systems.