diff --git a/data/SPDXJsonExample.json b/data/SPDXJsonExample.json
index 6e456d602..49b5a13bb 100644
--- a/data/SPDXJsonExample.json
+++ b/data/SPDXJsonExample.json
@@ -1,199 +1,184 @@
{
- "Document": {
- "comment": "This is a sample spreadsheet",
- "name": "Sample_Document-V2.1",
- "documentDescribes": [
- {
- "Package": {
- "SPDXID": "SPDXRef-Package",
- "originator": "Organization: SPDX",
- "files": [
- {
- "File": {
- "comment": "This file belongs to Jena",
- "licenseInfoFromFiles": [
- "LicenseRef-1"
- ],
- "sha1": "3ab4e1c67a2d28fced849ee1bb76e7391b93f125",
- "name": "Jenna-2.6.3/jena-2.6.3-sources.jar",
- "copyrightText": "(c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP",
- "artifactOf" : [
- {
- "name" : "Jena",
- "homePage" : "http://www.openjena.org/",
- "projectUri" : "http://subversion.apache.org/doap.rdf"
- }
- ],
- "licenseConcluded": "LicenseRef-1",
- "licenseComments": "This license is used by Jena",
- "checksums": [
- {
- "checksumValue": "3ab4e1c67a2d28fced849ee1bb76e7391b93f125",
- "algorithm": "checksumAlgorithm_sha1"
- }
- ],
- "fileTypes": [
- "fileType_archive"
- ],
- "SPDXID": "SPDXRef-File1"
- }
- },
- {
- "File": {
- "licenseInfoFromFiles": [
- "Apache-2.0"
- ],
- "sha1": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12",
- "name": "src/org/spdx/parser/DOAPProject.java",
- "copyrightText": "Copyright 2010, 2011 Source Auditor Inc.",
- "licenseConcluded": "Apache-2.0",
- "checksums": [
- {
- "checksumValue": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12",
- "algorithm": "checksumAlgorithm_sha1"
- }
- ],
- "fileTypes": [
- "fileType_source"
- ],
- "SPDXID": "SPDXRef-File2"
- }
- }
- ],
- "licenseInfoFromFiles": [
- "Apache-1.0",
- "LicenseRef-3",
- "MPL-1.1",
- "LicenseRef-2",
- "LicenseRef-4",
- "Apache-2.0",
- "LicenseRef-1"
- ],
- "sha1": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12",
- "name": "SPDX Translator",
- "packageFileName": "spdxtranslator-1.0.zip",
- "licenseComments": "The declared license information can be found in the NOTICE file at the root of the archive file",
- "summary": "SPDX Translator utility",
- "sourceInfo": "Version 1.0 of the SPDX Translator application",
- "copyrightText": " Copyright 2010, 2011 Source Auditor Inc.",
- "packageVerificationCode": {
- "packageVerificationCodeValue": "4e3211c67a2d28fced849ee1bb76e7391b93feba",
- "packageVerificationCodeExcludedFiles": [
- "SpdxTranslatorSpdx.rdf",
- "SpdxTranslatorSpdx.txt"
- ]
- },
- "licenseConcluded": "(Apache-1.0 AND LicenseRef-2 AND MPL-1.1 AND LicenseRef-3 AND LicenseRef-4 AND Apache-2.0 AND LicenseRef-1)",
- "supplier": "Organization: Linux Foundation",
- "attributionTexts" : [ "The GNU C Library is free software. See the file COPYING.LIB for copying conditions, and LICENSES for notices about a few contributions that require these additional notices to be distributed. License copyright years may be listed using range notation, e.g., 1996-2015, indicating that every year in the range, inclusive, is a copyrightable year that would otherwise be listed individually." ],
- "checksums": [
- {
- "checksumValue": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12",
- "algorithm": "checksumAlgorithm_sha1"
- }
- ],
- "versionInfo": "Version 0.9.2",
- "licenseDeclared": "(LicenseRef-4 AND LicenseRef-3 AND Apache-2.0 AND LicenseRef-2 AND MPL-1.1 AND LicenseRef-1)",
- "downloadLocation": "http://www.spdx.org/tools",
- "description": "This utility translates and SPDX RDF XML document to a spreadsheet, translates a spreadsheet to an SPDX RDF XML document and translates an SPDX RDFa document to an SPDX RDF XML document."
- }
- }
- ],
- "creationInfo": {
- "comment": "This is an example of an SPDX spreadsheet format",
- "creators": [
- "Tool: SourceAuditor-V1.2",
- "Person: Gary O'Neall",
- "Organization: Source Auditor Inc."
- ],
- "licenseListVersion": "3.6",
- "created": "2010-02-03T00:00:00Z"
- },
- "externalDocumentRefs": [
- {
- "checksum": {
- "checksumValue": "d6a770ba38583ed4bb4525bd96e50461655d2759",
- "algorithm": "checksumAlgorithm_sha1"
- },
- "spdxDocument": "https://spdx.org/spdxdocs/spdx-tools-v2.1-3F2504E0-4F89-41D3-9A0C-0305E82C3301",
- "externalDocumentId": "DocumentRef-spdx-tool-2.1"
- }
- ],
- "documentNamespace": "https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301",
- "annotations": [
- {
- "comment": "This is just an example. Some of the non-standard licenses look like they are actually BSD 3 clause licenses",
- "annotationType": "REVIEW",
- "SPDXID": "SPDXRef-45",
- "annotationDate": "2012-06-13T00:00:00Z",
- "annotator": "Person: Jim Reviewer"
- }
- ],
- "relationships" : [ {
- "spdxElementId" : "SPDXRef-DOCUMENT",
- "relatedSpdxElement" : "SPDXRef-Package",
- "relationshipType" : "CONTAINS"
- }, {
- "spdxElementId" : "SPDXRef-DOCUMENT",
- "relatedSpdxElement" : "SPDXRef-File",
- "relationshipType" : "DESCRIBES"
- }, {
- "spdxElementId" : "SPDXRef-DOCUMENT",
- "relatedSpdxElement" : "SPDXRef-Package",
- "relationshipType" : "DESCRIBES"
- } ],
- "dataLicense": "CC0-1.0",
- "reviewers": [
- {
- "comment": "This is just an example. Some of the non-standard licenses look like they are actually BSD 3 clause licenses",
- "reviewer": "Person: Joe Reviewer",
- "reviewDate": "2010-02-10T00:00:00Z"
- },
- {
- "comment": "Another example reviewer.",
- "reviewer": "Person: Suzanne Reviewer",
- "reviewDate": "2011-03-13T00:00:00Z"
- }
- ],
- "hasExtractedLicensingInfos": [
- {
- "extractedText": "This package includes the GRDDL parser developed by Hewlett Packard under the following license:\n\u00a9 Copyright 2007 Hewlett-Packard Development Company, LP\n\nRedistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: \n\nRedistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. \nRedistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. \nThe name of the author may not be used to endorse or promote products derived from this software without specific prior written permission. \nTHIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ",
- "licenseId": "LicenseRef-2"
- },
- {
- "extractedText": "The CyberNeko Software License, Version 1.0\n\n \n(C) Copyright 2002-2005, Andy Clark. All rights reserved.\n \nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions\nare met:\n\n1. Redistributions of source code must retain the above copyright\n notice, this list of conditions and the following disclaimer. \n\n2. Redistributions in binary form must reproduce the above copyright\n notice, this list of conditions and the following disclaimer in\n the documentation and/or other materials provided with the\n distribution.\n\n3. The end-user documentation included with the redistribution,\n if any, must include the following acknowledgment: \n \"This product includes software developed by Andy Clark.\"\n Alternately, this acknowledgment may appear in the software itself,\n if and wherever such third-party acknowledgments normally appear.\n\n4. The names \"CyberNeko\" and \"NekoHTML\" must not be used to endorse\n or promote products derived from this software without prior \n written permission. For written permission, please contact \n andyc@cyberneko.net.\n\n5. Products derived from this software may not be called \"CyberNeko\",\n nor may \"CyberNeko\" appear in their name, without prior written\n permission of the author.\n\nTHIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED\nWARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\nOF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR OTHER CONTRIBUTORS\nBE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, \nOR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT \nOF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR \nBUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, \nWHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE \nOR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, \nEVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.",
- "comment": "This is tye CyperNeko License",
- "licenseId": "LicenseRef-3",
- "name": "CyberNeko License",
- "seeAlso": [
- "http://justasample.url.com",
- "http://people.apache.org/~andyc/neko/LICENSE"
- ]
- },
- {
- "extractedText": "/*\n * (c) Copyright 2009 University of Bristol\n * All rights reserved.\n *\n * Redistribution and use in source and binary forms, with or without\n * modification, are permitted provided that the following conditions\n * are met:\n * 1. Redistributions of source code must retain the above copyright\n * notice, this list of conditions and the following disclaimer.\n * 2. Redistributions in binary form must reproduce the above copyright\n * notice, this list of conditions and the following disclaimer in the\n * documentation and/or other materials provided with the distribution.\n * 3. The name of the author may not be used to endorse or promote products\n * derived from this software without specific prior written permission.\n *\n * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR\n * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\n * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.\n * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,\n * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT\n * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\n * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\n * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF\n * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n */ ",
- "licenseId": "LicenseRef-4"
- },
- {
- "extractedText": "/*\n * (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP\n * All rights reserved.\n *\n * Redistribution and use in source and binary forms, with or without\n * modification, are permitted provided that the following conditions\n * are met:\n * 1. Redistributions of source code must retain the above copyright\n * notice, this list of conditions and the following disclaimer.\n * 2. Redistributions in binary form must reproduce the above copyright\n * notice, this list of conditions and the following disclaimer in the\n * documentation and/or other materials provided with the distribution.\n * 3. The name of the author may not be used to endorse or promote products\n * derived from this software without specific prior written permission.\n *\n * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR\n * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\n * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.\n * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,\n * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT\n * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\n * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\n * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF\n * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n */",
- "licenseId": "LicenseRef-1"
- }
- ],
- "spdxVersion": "SPDX-2.1",
- "SPDXID": "SPDXRef-DOCUMENT",
- "snippets": [
- {
- "comment": "This snippet was identified as significant and highlighted in this Apache-2.0 file, when a commercial scanner identified it as being derived from file foo.c in package xyz which is licensed under GPL-2.0-or-later.",
- "name": "from linux kernel",
- "copyrightText": "Copyright 2008-2010 John Smith",
- "licenseConcluded": "Apache-2.0",
- "licenseInfoFromSnippet": [
- "Apache-2.0"
- ],
- "licenseComments": "The concluded license was taken from package xyz, from which the snippet was copied into the current file. The concluded license information was found in the COPYING.txt file in package xyz.",
- "SPDXID": "SPDXRef-Snippet",
- "fileId": "SPDXRef-DoapSource"
- }
+ "comment": "This is a sample spreadsheet",
+ "name": "Sample_Document-V2.1",
+ "documentDescribes": [
+ "SPDXRef-Package"
+ ],
+ "packages": [
+ {
+ "SPDXID": "SPDXRef-Package",
+ "originator": "Organization: SPDX",
+ "hasFiles": [
+ "SPDXRef-File1",
+ "SPDXRef-File2"
+ ],
+ "licenseInfoFromFiles": [
+ "Apache-1.0",
+ "LicenseRef-3",
+ "MPL-1.1",
+ "LicenseRef-2",
+ "LicenseRef-4",
+ "Apache-2.0",
+ "LicenseRef-1"
+ ],
+ "name": "SPDX Translator",
+ "packageFileName": "spdxtranslator-1.0.zip",
+ "licenseComments": "The declared license information can be found in the NOTICE file at the root of the archive file",
+ "summary": "SPDX Translator utility",
+ "sourceInfo": "Version 1.0 of the SPDX Translator application",
+ "copyrightText": " Copyright 2010, 2011 Source Auditor Inc.",
+ "packageVerificationCode": {
+ "packageVerificationCodeValue": "4e3211c67a2d28fced849ee1bb76e7391b93feba",
+ "packageVerificationCodeExcludedFiles": [
+ "SpdxTranslatorSpdx.rdf",
+ "SpdxTranslatorSpdx.txt"
]
+ },
+ "licenseConcluded": "(Apache-1.0 AND LicenseRef-2 AND MPL-1.1 AND LicenseRef-3 AND LicenseRef-4 AND Apache-2.0 AND LicenseRef-1)",
+ "supplier": "Organization: Linux Foundation",
+ "attributionTexts": [
+ "The GNU C Library is free software. See the file COPYING.LIB for copying conditions, and LICENSES for notices about a few contributions that require these additional notices to be distributed. License copyright years may be listed using range notation, e.g., 1996-2015, indicating that every year in the range, inclusive, is a copyrightable year that would otherwise be listed individually."
+ ],
+ "checksums": [
+ {
+ "checksumValue": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12",
+ "algorithm": "SHA1"
+ }
+ ],
+ "versionInfo": "Version 0.9.2",
+ "licenseDeclared": "(LicenseRef-4 AND LicenseRef-3 AND Apache-2.0 AND LicenseRef-2 AND MPL-1.1 AND LicenseRef-1)",
+ "downloadLocation": "http://www.spdx.org/tools",
+ "description": "This utility translates and SPDX RDF XML document to a spreadsheet, translates a spreadsheet to an SPDX RDF XML document and translates an SPDX RDFa document to an SPDX RDF XML document."
}
+ ],
+ "files": [
+ {
+ "comment": "This file belongs to Jena",
+ "licenseInfoInFiles": [
+ "LicenseRef-1"
+ ],
+ "fileName": "Jenna-2.6.3/jena-2.6.3-sources.jar",
+ "copyrightText": "(c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP",
+ "artifactOf": [
+ {
+ "name": "Jena",
+ "homePage": "http://www.openjena.org/",
+ "projectUri": "http://subversion.apache.org/doap.rdf"
+ }
+ ],
+ "licenseConcluded": "LicenseRef-1",
+ "licenseComments": "This license is used by Jena",
+ "checksums": [
+ {
+ "checksumValue": "3ab4e1c67a2d28fced849ee1bb76e7391b93f125",
+ "algorithm": "SHA1"
+ }
+ ],
+ "fileTypes": [
+ "fileType_archive"
+ ],
+ "SPDXID": "SPDXRef-File1"
+ },
+ {
+ "licenseInfoInFiles": [
+ "Apache-2.0"
+ ],
+ "fileName": "src/org/spdx/parser/DOAPProject.java",
+ "copyrightText": "Copyright 2010, 2011 Source Auditor Inc.",
+ "licenseConcluded": "Apache-2.0",
+ "checksums": [
+ {
+ "checksumValue": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12",
+ "algorithm": "SHA1"
+ }
+ ],
+ "fileTypes": [
+ "fileType_source"
+ ],
+ "SPDXID": "SPDXRef-File2"
+ }
+ ],
+ "creationInfo": {
+ "comment": "This is an example of an SPDX spreadsheet format",
+ "creators": [
+ "Tool: SourceAuditor-V1.2",
+ "Person: Gary O'Neall",
+ "Organization: Source Auditor Inc."
+ ],
+ "licenseListVersion": "3.6",
+ "created": "2010-02-03T00:00:00Z"
+ },
+ "externalDocumentRefs": [
+ {
+ "checksum": {
+ "checksumValue": "d6a770ba38583ed4bb4525bd96e50461655d2759",
+ "algorithm": "SHA1"
+ },
+ "spdxDocument": "https://spdx.org/spdxdocs/spdx-tools-v2.1-3F2504E0-4F89-41D3-9A0C-0305E82C3301",
+ "externalDocumentId": "DocumentRef-spdx-tool-2.1"
+ }
+ ],
+ "documentNamespace": "https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301",
+ "annotations": [
+ {
+ "comment": "This is just an example. Some of the non-standard licenses look like they are actually BSD 3 clause licenses",
+ "annotationType": "REVIEW",
+ "SPDXID": "SPDXRef-45",
+ "annotationDate": "2012-06-13T00:00:00Z",
+ "annotator": "Person: Jim Reviewer"
+ }
+ ],
+ "dataLicense": "CC0-1.0",
+ "reviewers": [
+ {
+ "comment": "This is just an example. Some of the non-standard licenses look like they are actually BSD 3 clause licenses",
+ "reviewer": "Person: Joe Reviewer",
+ "reviewDate": "2010-02-10T00:00:00Z"
+ },
+ {
+ "comment": "Another example reviewer.",
+ "reviewer": "Person: Suzanne Reviewer",
+ "reviewDate": "2011-03-13T00:00:00Z"
+ }
+ ],
+ "hasExtractedLicensingInfos": [
+ {
+ "extractedText": "This package includes the GRDDL parser developed by Hewlett Packard under the following license:\n\u00a9 Copyright 2007 Hewlett-Packard Development Company, LP\n\nRedistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:\n\nRedistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.\nRedistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.\nThe name of the author may not be used to endorse or promote products derived from this software without specific prior written permission.\nTHIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ",
+ "licenseId": "LicenseRef-2"
+ },
+ {
+ "extractedText": "The CyberNeko Software License, Version 1.0\n\n\n(C) Copyright 2002-2005, Andy Clark. All rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions\nare met:\n\n1. Redistributions of source code must retain the above copyright\n notice, this list of conditions and the following disclaimer.\n\n2. Redistributions in binary form must reproduce the above copyright\n notice, this list of conditions and the following disclaimer in\n the documentation and/or other materials provided with the\n distribution.\n\n3. The end-user documentation included with the redistribution,\n if any, must include the following acknowledgment:\n \"This product includes software developed by Andy Clark.\"\n Alternately, this acknowledgment may appear in the software itself,\n if and wherever such third-party acknowledgments normally appear.\n\n4. The names \"CyberNeko\" and \"NekoHTML\" must not be used to endorse\n or promote products derived from this software without prior\n written permission. For written permission, please contact\n andyc@cyberneko.net.\n\n5. Products derived from this software may not be called \"CyberNeko\",\n nor may \"CyberNeko\" appear in their name, without prior written\n permission of the author.\n\nTHIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED\nWARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\nOF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR OTHER CONTRIBUTORS\nBE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\nOR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\nOF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\nBUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\nWHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\nOR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,\nEVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.",
+ "comment": "This is tye CyperNeko License",
+ "licenseId": "LicenseRef-3",
+ "name": "CyberNeko License",
+ "seeAlso": [
+ "http://justasample.url.com",
+ "http://people.apache.org/~andyc/neko/LICENSE"
+ ]
+ },
+ {
+ "extractedText": "/*\n * (c) Copyright 2009 University of Bristol\n * All rights reserved.\n *\n * Redistribution and use in source and binary forms, with or without\n * modification, are permitted provided that the following conditions\n * are met:\n * 1. Redistributions of source code must retain the above copyright\n * notice, this list of conditions and the following disclaimer.\n * 2. Redistributions in binary form must reproduce the above copyright\n * notice, this list of conditions and the following disclaimer in the\n * documentation and/or other materials provided with the distribution.\n * 3. The name of the author may not be used to endorse or promote products\n * derived from this software without specific prior written permission.\n *\n * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR\n * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\n * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.\n * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,\n * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT\n * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\n * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\n * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF\n * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n */ ",
+ "licenseId": "LicenseRef-4"
+ },
+ {
+ "extractedText": "/*\n * (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP\n * All rights reserved.\n *\n * Redistribution and use in source and binary forms, with or without\n * modification, are permitted provided that the following conditions\n * are met:\n * 1. Redistributions of source code must retain the above copyright\n * notice, this list of conditions and the following disclaimer.\n * 2. Redistributions in binary form must reproduce the above copyright\n * notice, this list of conditions and the following disclaimer in the\n * documentation and/or other materials provided with the distribution.\n * 3. The name of the author may not be used to endorse or promote products\n * derived from this software without specific prior written permission.\n *\n * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR\n * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\n * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.\n * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,\n * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT\n * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\n * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\n * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF\n * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n */",
+ "licenseId": "LicenseRef-1"
+ }
+ ],
+ "spdxVersion": "SPDX-2.1",
+ "SPDXID": "SPDXRef-DOCUMENT",
+ "snippets": [
+ {
+ "comment": "This snippet was identified as significant and highlighted in this Apache-2.0 file, when a commercial scanner identified it as being derived from file foo.c in package xyz which is licensed under GPL-2.0-or-later.",
+ "name": "from linux kernel",
+ "copyrightText": "Copyright 2008-2010 John Smith",
+ "licenseConcluded": "Apache-2.0",
+ "licenseInfoFromSnippet": [
+ "Apache-2.0"
+ ],
+ "licenseComments": "The concluded license was taken from package xyz, from which the snippet was copied into the current file. The concluded license information was found in the COPYING.txt file in package xyz.",
+ "SPDXID": "SPDXRef-Snippet",
+ "fileId": "SPDXRef-DoapSource"
+ }
+ ]
}
\ No newline at end of file
diff --git a/data/SPDXXmlExample.xml b/data/SPDXXmlExample.xml
index 9707b9832..fceac1a76 100644
--- a/data/SPDXXmlExample.xml
+++ b/data/SPDXXmlExample.xml
@@ -1,82 +1,43 @@
-
This is a sample spreadsheet
Sample_Document-V2.1
-
-
- SPDXRef-Package
- Organization: SPDX
- The GNU C Library is free software. See the file COPYING.LIB for copying conditions, and LICENSES for notices about a few contributions that require these additional notices to be distributed. License copyright years may be listed using range notation, e.g., 1996-2015, indicating that every year in the range, inclusive, is a copyrightable year that would otherwise be listed individually.
-
-
- Apache-2.0
- 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
- src/org/spdx/parser/DOAPProject.java
- Copyright 2010, 2011 Source Auditor Inc.
- Apache-2.0
-
-
- 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
- checksumAlgorithm_sha1
-
- fileType_source
- SPDXRef-File2
-
-
-
-
- This file belongs to Jena
- LicenseRef-1
- 3ab4e1c67a2d28fced849ee1bb76e7391b93f125
- Jenna-2.6.3/jena-2.6.3-sources.jar
- (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP
-
- Jena
- http://www.openjena.org/
- http://subversion.apache.org/doap.rdf
-
- LicenseRef-1
- This license is used by Jena
-
- 3ab4e1c67a2d28fced849ee1bb76e7391b93f125
- checksumAlgorithm_sha1
-
- fileType_archive
- SPDXRef-File1
-
-
- LicenseRef-3
- LicenseRef-1
- Apache-1.0
- LicenseRef-4
- Apache-2.0
- LicenseRef-2
- MPL-1.1
- 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
- SPDX Translator
- spdxtranslator-1.0.zip
- The declared license information can be found in the NOTICE file at the root of the archive file
- SPDX Translator utility
- Version 1.0 of the SPDX Translator application
- Copyright 2010, 2011 Source Auditor Inc.
-
- 4e3211c67a2d28fced849ee1bb76e7391b93feba
- SpdxTranslatorSpdx.rdf
- SpdxTranslatorSpdx.txt
-
- (LicenseRef-1 AND MPL-1.1 AND LicenseRef-2 AND LicenseRef-3 AND Apache-2.0 AND LicenseRef-4 AND Apache-1.0)
- Organization: Linux Foundation
-
- 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
- checksumAlgorithm_sha1
-
- Version 0.9.2
- (LicenseRef-3 AND LicenseRef-2 AND Apache-2.0 AND MPL-1.1 AND LicenseRef-1 AND LicenseRef-4)
- http://www.spdx.org/tools
- This utility translates and SPDX RDF XML document to a spreadsheet, translates a spreadsheet to an SPDX RDF XML document and translates an SPDX RDFa document to an SPDX RDF XML document.
-
-
+ SPDXRef-Package
+
+ SPDXRef-Package
+ Organization: SPDX
+ The GNU C Library is free software. See the file COPYING.LIB for copying conditions, and LICENSES for notices about a few contributions that require these additional notices to be distributed. License copyright years may be listed using range notation, e.g., 1996-2015, indicating that every year in the range, inclusive, is a copyrightable year that would otherwise be listed individually.
+ LicenseRef-3
+ LicenseRef-1
+ Apache-1.0
+ LicenseRef-4
+ Apache-2.0
+ LicenseRef-2
+ MPL-1.1
+ SPDX Translator
+ SPDXRef-File1
+ SPDXRef-File2
+ spdxtranslator-1.0.zip
+ The declared license information can be found in the NOTICE file at the root of the archive file
+ SPDX Translator utility
+ Version 1.0 of the SPDX Translator application
+ Copyright 2010, 2011 Source Auditor Inc.
+
+ 4e3211c67a2d28fced849ee1bb76e7391b93feba
+ SpdxTranslatorSpdx.rdf
+ SpdxTranslatorSpdx.txt
+
+ (LicenseRef-1 AND MPL-1.1 AND LicenseRef-2 AND LicenseRef-3 AND Apache-2.0 AND LicenseRef-4 AND Apache-1.0)
+ Organization: Linux Foundation
+
+ 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
+ checksumAlgorithm_sha1
+
+ Version 0.9.2
+ (LicenseRef-3 AND LicenseRef-2 AND Apache-2.0 AND MPL-1.1 AND LicenseRef-1 AND LicenseRef-4)
+ http://www.spdx.org/tools
+ This utility translates and SPDX RDF XML document to a spreadsheet, translates a spreadsheet to an SPDX RDF XML document and translates an SPDX RDFa document to an SPDX RDF XML document.
+
This is an example of an SPDX spreadsheet format
Tool: SourceAuditor-V1.2
@@ -102,7 +63,6 @@
Person: Jim Reviewer
CC0-1.0
-
This is just an example. Some of the non-standard licenses look like they are actually BSD 3 clause licenses
Person: Joe Reviewer
@@ -146,26 +106,26 @@
This package includes the GRDDL parser developed by Hewlett Packard under the following license:
© Copyright 2007 Hewlett-Packard Development Company, LP
-Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
-Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
-Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
-The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission.
+Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
LicenseRef-2
The CyberNeko Software License, Version 1.0
-
+
(C) Copyright 2002-2005, Andy Clark. All rights reserved.
-
+
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
+ notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in
@@ -173,14 +133,14 @@ are met:
distribution.
3. The end-user documentation included with the redistribution,
- if any, must include the following acknowledgment:
+ if any, must include the following acknowledgment:
"This product includes software developed by Andy Clark."
Alternately, this acknowledgment may appear in the software itself,
if and wherever such third-party acknowledgments normally appear.
4. The names "CyberNeko" and "NekoHTML" must not be used to endorse
- or promote products derived from this software without prior
- written permission. For written permission, please contact
+ or promote products derived from this software without prior
+ written permission. For written permission, please contact
andyc@cyberneko.net.
5. Products derived from this software may not be called "CyberNeko",
@@ -191,12 +151,12 @@ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR OTHER CONTRIBUTORS
-BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
-OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
+OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This is tye CyperNeko License
LicenseRef-3
@@ -235,6 +195,38 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
SPDX-2.1
SPDXRef-DOCUMENT
+
+ Apache-2.0
+ src/org/spdx/parser/DOAPProject.java
+ Copyright 2010, 2011 Source Auditor Inc.
+ Apache-2.0
+
+
+ 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
+ checksumAlgorithm_sha1
+
+ fileType_source
+ SPDXRef-File2
+
+
+ This file belongs to Jena
+ LicenseRef-1
+ Jenna-2.6.3/jena-2.6.3-sources.jar
+ (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP
+
+ Jena
+ http://www.openjena.org/
+ http://subversion.apache.org/doap.rdf
+
+ LicenseRef-1
+ This license is used by Jena
+
+ 3ab4e1c67a2d28fced849ee1bb76e7391b93f125
+ checksumAlgorithm_sha1
+
+ fileType_archive
+ SPDXRef-File1
+
This snippet was identified as significant and highlighted in this Apache-2.0 file, when a commercial scanner identified it as being derived from file foo.c in package xyz which is licensed under GPL-2.0-or-later.
from linux kernel
@@ -245,20 +237,4 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
SPDXRef-Snippet
SPDXRef-DoapSource
-
- SPDXRef-DOCUMENT
- SPDXRef-File
- DESCRIBES
-
-
- SPDXRef-DOCUMENT
- SPDXRef-Package
- DESCRIBES
-
-
- SPDXRef-DOCUMENT
- SPDXRef-Package
- CONTAINS
-
-
\ No newline at end of file
diff --git a/data/SPDXYamlExample.yaml b/data/SPDXYamlExample.yaml
index e8a42c8de..404be57e5 100644
--- a/data/SPDXYamlExample.yaml
+++ b/data/SPDXYamlExample.yaml
@@ -1,73 +1,39 @@
----
Document:
annotations:
- - annotationDate: '2012-06-13T00:00:00Z'
- annotationType: REVIEW
- annotator: 'Person: Jim Reviewer'
- comment: This is just an example. Some of the non-standard licenses look like
- they are actually BSD 3 clause licenses
- SPDXID: SPDXRef-45
+ - annotationDate: '2012-06-13T00:00:00Z'
+ annotationType: REVIEW
+ annotator: 'Person: Jim Reviewer'
+ comment: This is just an example. Some of the non-standard licenses look like
+ they are actually BSD 3 clause licenses
+ SPDXID: SPDXRef-45
comment: This is a sample spreadsheet
creationInfo:
comment: This is an example of an SPDX spreadsheet format
created: '2010-02-03T00:00:00Z'
creators:
- - 'Tool: SourceAuditor-V1.2'
- - 'Organization: Source Auditor Inc.'
- - 'Person: Gary O''Neall'
+ - 'Tool: SourceAuditor-V1.2'
+ - 'Organization: Source Auditor Inc.'
+ - 'Person: Gary O''Neall'
licenseListVersion: '3.6'
dataLicense: CC0-1.0
documentDescribes:
- - Package:
- SPDXID: SPDXRef-Package
+ - SPDXRef-Package
+ packages:
+ - SPDXID: SPDXRef-Package
checksums:
- - algorithm: checksumAlgorithm_sha1
- checksumValue: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
+ - algorithm: checksumAlgorithm_sha1
+ checksumValue: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
copyrightText: ' Copyright 2010, 2011 Source Auditor Inc.'
description: This utility translates and SPDX RDF XML document to a spreadsheet,
translates a spreadsheet to an SPDX RDF XML document and translates an SPDX
RDFa document to an SPDX RDF XML document.
downloadLocation: http://www.spdx.org/tools
attributionTexts:
- - "The GNU C Library is free software. See the file COPYING.LIB for copying conditions,\
+ - "The GNU C Library is free software. See the file COPYING.LIB for copying conditions,\
\ and LICENSES for notices about a few contributions that require these additional\
\ notices to be distributed. License copyright years may be listed using range\
\ notation, e.g., 1996-2015, indicating that every year in the range, inclusive,\
\ is a copyrightable year that would otherwise be listed individually."
- files:
- - File:
- checksums:
- - algorithm: checksumAlgorithm_sha1
- checksumValue: 3ab4e1c67a2d28fced849ee1bb76e7391b93f125
- comment: This file belongs to Jena
- copyrightText: (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007,
- 2008, 2009 Hewlett-Packard Development Company, LP
- artifactOf:
- - name: "Jena"
- homePage: "http://www.openjena.org/"
- projectUri: "http://subversion.apache.org/doap.rdf"
- fileTypes:
- - fileType_archive
- SPDXID: SPDXRef-File1
- licenseComments: This license is used by Jena
- licenseConcluded: LicenseRef-1
- licenseInfoFromFiles:
- - LicenseRef-1
- name: Jenna-2.6.3/jena-2.6.3-sources.jar
- sha1: 3ab4e1c67a2d28fced849ee1bb76e7391b93f125
- - File:
- checksums:
- - algorithm: checksumAlgorithm_sha1
- checksumValue: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
- copyrightText: Copyright 2010, 2011 Source Auditor Inc.
- fileTypes:
- - fileType_source
- SPDXID: SPDXRef-File2
- licenseConcluded: Apache-2.0
- licenseInfoFromFiles:
- - Apache-2.0
- name: src/org/spdx/parser/DOAPProject.java
- sha1: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
licenseComments: The declared license information can be found in the NOTICE
file at the root of the archive file
licenseConcluded: (LicenseRef-3 AND LicenseRef-1 AND MPL-1.1 AND Apache-2.0
@@ -75,35 +41,37 @@ Document:
licenseDeclared: (MPL-1.1 AND LicenseRef-4 AND LicenseRef-2 AND LicenseRef-1
AND Apache-2.0 AND LicenseRef-3)
licenseInfoFromFiles:
- - Apache-2.0
- - MPL-1.1
- - LicenseRef-3
- - LicenseRef-1
- - LicenseRef-4
- - Apache-1.0
- - LicenseRef-2
+ - Apache-2.0
+ - MPL-1.1
+ - LicenseRef-3
+ - LicenseRef-1
+ - LicenseRef-4
+ - Apache-1.0
+ - LicenseRef-2
name: SPDX Translator
originator: 'Organization: SPDX'
packageFileName: spdxtranslator-1.0.zip
+ hasFiles:
+ - SPDXRef-File1
+ - SPDXRef-File2
packageVerificationCode:
packageVerificationCodeExcludedFiles:
- - SpdxTranslatorSpdx.txt
- - SpdxTranslatorSpdx.rdf
+ - SpdxTranslatorSpdx.txt
+ - SpdxTranslatorSpdx.rdf
packageVerificationCodeValue: 4e3211c67a2d28fced849ee1bb76e7391b93feba
- sha1: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
sourceInfo: Version 1.0 of the SPDX Translator application
summary: SPDX Translator utility
supplier: 'Organization: Linux Foundation'
versionInfo: Version 0.9.2
externalDocumentRefs:
- - checksum:
- algorithm: checksumAlgorithm_sha1
- checksumValue: d6a770ba38583ed4bb4525bd96e50461655d2759
- externalDocumentId: DocumentRef-spdx-tool-2.1
- spdxDocument: https://spdx.org/spdxdocs/spdx-tools-v2.1-3F2504E0-4F89-41D3-9A0C-0305E82C3301
+ - checksum:
+ algorithm: checksumAlgorithm_sha1
+ checksumValue: d6a770ba38583ed4bb4525bd96e50461655d2759
+ externalDocumentId: DocumentRef-spdx-tool-2.1
+ spdxDocument: https://spdx.org/spdxdocs/spdx-tools-v2.1-3F2504E0-4F89-41D3-9A0C-0305E82C3301
hasExtractedLicensingInfos:
- - comment: This is tye CyperNeko License
- extractedText: "The CyberNeko Software License, Version 1.0\n\n \n(C) Copyright\
+ - comment: This is tye CyperNeko License
+ extractedText: "The CyberNeko Software License, Version 1.0\n\n \n(C) Copyright\
\ 2002-2005, Andy Clark. All rights reserved.\n \nRedistribution and use in\
\ source and binary forms, with or without\nmodification, are permitted provided\
\ that the following conditions\nare met:\n\n1. Redistributions of source code\
@@ -130,12 +98,12 @@ Document:
\ CAUSED AND ON ANY THEORY OF LIABILITY, \nWHETHER IN CONTRACT, STRICT LIABILITY,\
\ OR TORT (INCLUDING NEGLIGENCE \nOR OTHERWISE) ARISING IN ANY WAY OUT OF THE\
\ USE OF THIS SOFTWARE, \nEVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE."
- licenseId: LicenseRef-3
- name: CyberNeko License
- seeAlso:
- - http://justasample.url.com
- - http://people.apache.org/~andyc/neko/LICENSE
- - extractedText: "/*\n * (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006,\
+ licenseId: LicenseRef-3
+ name: CyberNeko License
+ seeAlso:
+ - http://justasample.url.com
+ - http://people.apache.org/~andyc/neko/LICENSE
+ - extractedText: "/*\n * (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006,\
\ 2007, 2008, 2009 Hewlett-Packard Development Company, LP\n * All rights reserved.\n\
\ *\n * Redistribution and use in source and binary forms, with or without\n\
\ * modification, are permitted provided that the following conditions\n * are\
@@ -156,8 +124,8 @@ Document:
\ CONTRACT, STRICT LIABILITY, OR TORT\n * (INCLUDING NEGLIGENCE OR OTHERWISE)\
\ ARISING IN ANY WAY OUT OF THE USE OF\n * THIS SOFTWARE, EVEN IF ADVISED OF\
\ THE POSSIBILITY OF SUCH DAMAGE.\n */"
- licenseId: LicenseRef-1
- - extractedText: "This package includes the GRDDL parser developed by Hewlett Packard\
+ licenseId: LicenseRef-1
+ - extractedText: "This package includes the GRDDL parser developed by Hewlett Packard\
\ under the following license:\n\xA9 Copyright 2007 Hewlett-Packard Development\
\ Company, LP\n\nRedistribution and use in source and binary forms, with or\
\ without modification, are permitted provided that the following conditions\
@@ -177,8 +145,8 @@ Document:
\ IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)\
\ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE\
\ POSSIBILITY OF SUCH DAMAGE. "
- licenseId: LicenseRef-2
- - extractedText: "/*\n * (c) Copyright 2009 University of Bristol\n * All rights\
+ licenseId: LicenseRef-2
+ - extractedText: "/*\n * (c) Copyright 2009 University of Bristol\n * All rights\
\ reserved.\n *\n * Redistribution and use in source and binary forms, with\
\ or without\n * modification, are permitted provided that the following conditions\n\
\ * are met:\n * 1. Redistributions of source code must retain the above copyright\n\
@@ -198,40 +166,61 @@ Document:
\ CONTRACT, STRICT LIABILITY, OR TORT\n * (INCLUDING NEGLIGENCE OR OTHERWISE)\
\ ARISING IN ANY WAY OUT OF THE USE OF\n * THIS SOFTWARE, EVEN IF ADVISED OF\
\ THE POSSIBILITY OF SUCH DAMAGE.\n */ "
- licenseId: LicenseRef-4
+ licenseId: LicenseRef-4
SPDXID: SPDXRef-DOCUMENT
name: Sample_Document-V2.1
documentNamespace: https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301
- relationships:
- - spdxElementId: "SPDXRef-DOCUMENT"
- relatedSpdxElement: "SPDXRef-Package"
- relationshipType: "DESCRIBES"
- - spdxElementId: "SPDXRef-DOCUMENT"
- relatedSpdxElement: "SPDXRef-Package"
- relationshipType: "CONTAINS"
- - spdxElementId: "SPDXRef-DOCUMENT"
- relatedSpdxElement: "SPDXRef-File"
- relationshipType: "DESCRIBES"
reviewers:
- - comment: Another example reviewer.
- reviewDate: '2011-03-13T00:00:00Z'
- reviewer: 'Person: Suzanne Reviewer'
- - comment: This is just an example. Some of the non-standard licenses look like
- they are actually BSD 3 clause licenses
- reviewDate: '2010-02-10T00:00:00Z'
- reviewer: 'Person: Joe Reviewer'
+ - comment: Another example reviewer.
+ reviewDate: '2011-03-13T00:00:00Z'
+ reviewer: 'Person: Suzanne Reviewer'
+ - comment: This is just an example. Some of the non-standard licenses look like
+ they are actually BSD 3 clause licenses
+ reviewDate: '2010-02-10T00:00:00Z'
+ reviewer: 'Person: Joe Reviewer'
snippets:
- - comment: This snippet was identified as significant and highlighted in this Apache-2.0
- file, when a commercial scanner identified it as being derived from file foo.c
- in package xyz which is licensed under GPL-2.0-or-later.
- copyrightText: Copyright 2008-2010 John Smith
- fileId: SPDXRef-DoapSource
- SPDXID: SPDXRef-Snippet
- licenseComments: The concluded license was taken from package xyz, from which
- the snippet was copied into the current file. The concluded license information
- was found in the COPYING.txt file in package xyz.
- licenseConcluded: Apache-2.0
- licenseInfoFromSnippet:
- - Apache-2.0
- name: from linux kernel
+ - comment: This snippet was identified as significant and highlighted in this Apache-2.0
+ file, when a commercial scanner identified it as being derived from file foo.c
+ in package xyz which is licensed under GPL-2.0-or-later.
+ copyrightText: Copyright 2008-2010 John Smith
+ fileId: SPDXRef-DoapSource
+ SPDXID: SPDXRef-Snippet
+ licenseComments: The concluded license was taken from package xyz, from which
+ the snippet was copied into the current file. The concluded license information
+ was found in the COPYING.txt file in package xyz.
+ licenseConcluded: Apache-2.0
+ licenseInfoFromSnippet:
+ - Apache-2.0
+ name: from linux kernel
spdxVersion: SPDX-2.1
+ files:
+ - SPDXID: SPDXRef-File1
+ checksums:
+ - algorithm: checksumAlgorithm_sha1
+ checksumValue: 3ab4e1c67a2d28fced849ee1bb76e7391b93f125
+ comment: This file belongs to Jena
+ copyrightText: (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007,
+ 2008, 2009 Hewlett-Packard Development Company, LP
+ artifactOf:
+ - name: "Jena"
+ homePage: "http://www.openjena.org/"
+ projectUri: "http://subversion.apache.org/doap.rdf"
+ fileTypes:
+ - fileType_archive
+ licenseComments: This license is used by Jena
+ licenseConcluded: LicenseRef-1
+ licenseInfoInFiles:
+ - LicenseRef-1
+ fileName: Jenna-2.6.3/jena-2.6.3-sources.jar
+
+ - SPDXID: SPDXRef-File2
+ checksums:
+ - algorithm: checksumAlgorithm_sha1
+ checksumValue: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
+ copyrightText: Copyright 2010, 2011 Source Auditor Inc.
+ fileTypes:
+ - fileType_source
+ licenseConcluded: Apache-2.0
+ licenseInfoInFiles:
+ - Apache-2.0
+ fileName: src/org/spdx/parser/DOAPProject.java
diff --git a/examples/write_tv.py b/examples/write_tv.py
index cf907c2c0..3ed332e6e 100755
--- a/examples/write_tv.py
+++ b/examples/write_tv.py
@@ -34,7 +34,7 @@
testfile1.type = FileType.BINARY
testfile1.spdx_id = "TestFilet#SPDXRef-FILE"
testfile1.comment = "This is a test file."
- testfile1.chk_sum = Algorithm("SHA1", "c537c5d99eca5333f23491d47ededd083fefb7ad")
+ testfile1.chksum = Algorithm("SHA1", "c537c5d99eca5333f23491d47ededd083fefb7ad")
testfile1.conc_lics = License.from_identifier("BSD-2-Clause")
testfile1.add_lics(License.from_identifier("BSD-2-Clause"))
testfile1.copyright = SPDXNone()
@@ -46,7 +46,7 @@
testfile2.type = FileType.SOURCE
testfile2.spdx_id = "TestFile2#SPDXRef-FILE"
testfile2.comment = "This is a test file."
- testfile2.chk_sum = Algorithm("SHA1", "bb154f28d1cf0646ae21bb0bec6c669a2b90e113")
+ testfile2.chksum = Algorithm("SHA1", "bb154f28d1cf0646ae21bb0bec6c669a2b90e113")
testfile2.conc_lics = License.from_identifier("Apache-2.0")
testfile2.add_lics(License.from_identifier("Apache-2.0"))
testfile2.copyright = NoAssert()
@@ -58,7 +58,7 @@
package.file_name = "twt.jar"
package.spdx_id = 'TestPackage#SPDXRef-PACKAGE'
package.download_location = "http://www.tagwritetest.test/download"
- package.check_sum = Algorithm("SHA1", "c537c5d99eca5333f23491d47ededd083fefb7ad")
+ package.checksum = Algorithm("SHA1", "c537c5d99eca5333f23491d47ededd083fefb7ad")
package.homepage = SPDXNone()
package.verif_code = "4e3211c67a2d28fced849ee1bb76e7391b93feba"
license_set = LicenseConjunction(
diff --git a/spdx/cli_tools/parser.py b/spdx/cli_tools/parser.py
index 182ca2db0..2be6d995f 100755
--- a/spdx/cli_tools/parser.py
+++ b/spdx/cli_tools/parser.py
@@ -50,8 +50,8 @@ def main(file, force):
"Package Download Location: {0}".format(doc.package.download_location)
)
print("Package Homepage: {0}".format(doc.package.homepage))
- if doc.package.check_sum:
- print("Package Checksum: {0}".format(doc.package.check_sum.value))
+ if doc.package.checksum:
+ print("Package Checksum: {0}".format(doc.package.checksum.value))
print("Package Attribution Text: {0}".format(doc.package.attribution_text))
print("Package verification code: {0}".format(doc.package.verif_code))
print(
@@ -77,7 +77,7 @@ def main(file, force):
for f in doc.files:
print("\tFile name: {0}".format(f.name))
print("\tFile type: {0}".format(VALUES[f.type]))
- print("\tFile Checksum: {0}".format(f.chk_sum.value))
+ print("\tFile Checksum: {0}".format(f.chksum.value))
print("\tFile license concluded: {0}".format(f.conc_lics))
print(
"\tFile license info in file: {0}".format(
diff --git a/spdx/creationinfo.py b/spdx/creationinfo.py
index 1545a8ab7..54a99e9d3 100644
--- a/spdx/creationinfo.py
+++ b/spdx/creationinfo.py
@@ -44,7 +44,7 @@ class Organization(Creator):
- email: Org's email address. Optional. Type: str.
"""
- def __init__(self, name, email):
+ def __init__(self, name, email=None):
super(Organization, self).__init__(name)
self.email = email
@@ -80,7 +80,7 @@ class Person(Creator):
- email: person's email address. Optional. Type: str.
"""
- def __init__(self, name, email):
+ def __init__(self, name, email=None):
super(Person, self).__init__(name)
self.email = email
diff --git a/spdx/file.py b/spdx/file.py
index d619509ce..df3ac8871 100644
--- a/spdx/file.py
+++ b/spdx/file.py
@@ -42,7 +42,7 @@ class File(object):
- comment: File comment str, Optional zero or one.
- type: one of FileType.SOURCE, FileType.BINARY, FileType.ARCHIVE
and FileType.OTHER, optional zero or one.
- - chk_sum: SHA1, Mandatory one.
+ - chksum: SHA1, Mandatory one.
- conc_lics: Mandatory one. document.License or utils.NoAssert or utils.SPDXNone.
- licenses_in_file: list of licenses found in file, mandatory one or more.
document.License or utils.SPDXNone or utils.NoAssert.
@@ -58,12 +58,12 @@ class File(object):
-attribution_text: optional string.
"""
- def __init__(self, name, spdx_id=None, chk_sum=None):
+ def __init__(self, name, spdx_id=None, chksum=None):
self.name = name
self.spdx_id = spdx_id
self.comment = None
self.type = None
- self.chk_sum = chk_sum
+ self.checksums = [chksum]
self.conc_lics = None
self.licenses_in_file = []
self.license_comment = None
@@ -82,6 +82,18 @@ def __eq__(self, other):
def __lt__(self, other):
return self.name < other.name
+ @property
+ def chksum(self):
+ """
+ Backwards compatibility, return first checksum.
+ """
+ # NOTE Package.check_sum but File.chk_sum
+ return self.checksums[0]
+
+ @chksum.setter
+ def chksum(self, value):
+ self.checksums[0] = value
+
def add_lics(self, lics):
self.licenses_in_file.append(lics)
@@ -178,12 +190,12 @@ def validate_type(self, messages):
return messages
def validate_checksum(self, messages):
- if not isinstance(self.chk_sum, checksum.Algorithm):
+ if not isinstance(self.chksum, checksum.Algorithm):
messages.append(
"File checksum must be instance of spdx.checksum.Algorithm"
)
else:
- if not self.chk_sum.identifier == "SHA1":
+ if not self.chksum.identifier == "SHA1":
messages.append("File checksum algorithm must be SHA1")
return messages
diff --git a/spdx/package.py b/spdx/package.py
index e2533d5f1..f04f1278c 100644
--- a/spdx/package.py
+++ b/spdx/package.py
@@ -84,7 +84,7 @@ def __init__(
self.files_analyzed = None
self.homepage = None
self.verif_code = None
- self.check_sum = None
+ self.checksums = [None]
self.source_info = None
self.conc_lics = None
self.license_declared = None
@@ -105,6 +105,18 @@ def are_files_analyzed(self):
# as default None Value is False, previous line is simplification of
# return self.files_analyzed or self.files_analyzed is None
+ @property
+ def checksum(self):
+ """
+ Backwards compatibility, return first checksum.
+ """
+ # NOTE Package.check_sum but File.chk_sum
+ return self.checksums[0]
+
+ @checksum.setter
+ def checksum(self, value):
+ self.checksums[0] = value
+
def add_file(self, fil):
self.files.append(fil)
@@ -271,11 +283,15 @@ def validate_str_fields(self, fields, optional, messages):
return messages
def validate_checksum(self, messages):
- if self.check_sum is not None:
- if not isinstance(self.check_sum, checksum.Algorithm):
+ if self.checksum is not None:
+ if not isinstance(self.checksum, checksum.Algorithm):
messages.append(
"Package checksum must be instance of spdx.checksum.Algorithm"
)
+ elif not self.checksum.identifier == "SHA1":
+ messages.append(
+ "First checksum in package must be SHA1."
+ )
return messages
@@ -284,10 +300,10 @@ def calc_verif_code(self):
for file_entry in self.files:
if (
- isinstance(file_entry.chk_sum, checksum.Algorithm)
- and file_entry.chk_sum.identifier == "SHA1"
+ isinstance(file_entry.chksum, checksum.Algorithm)
+ and file_entry.chksum.identifier == "SHA1"
):
- sha1 = file_entry.chk_sum.value
+ sha1 = file_entry.chksum.value
else:
sha1 = file_entry.calc_chksum()
hashes.append(sha1)
diff --git a/spdx/parsers/jsonyamlxml.py b/spdx/parsers/jsonyamlxml.py
index 8942823f4..2f5ca93b7 100644
--- a/spdx/parsers/jsonyamlxml.py
+++ b/spdx/parsers/jsonyamlxml.py
@@ -737,11 +737,11 @@ def parse_file(self, file):
- file: Python dict with File Information fields in it
"""
if isinstance(file, dict):
- self.parse_file_name(file.get("name"))
+ self.parse_file_name(file.get("fileName"))
self.parse_file_id(file.get("SPDXID"))
self.parse_file_types(file.get("fileTypes"))
self.parse_file_concluded_license(file.get("licenseConcluded"))
- self.parse_file_license_info_from_files(file.get("licenseInfoFromFiles"))
+ self.parse_file_license_info_in_files(file.get("licenseInfoInFiles"))
self.parse_file_license_comments(file.get("licenseComments"))
self.parse_file_copyright_text(file.get("copyrightText"))
self.parse_file_artifacts(file.get("artifactOf"))
@@ -836,7 +836,7 @@ def parse_file_concluded_license(self, concluded_license):
else:
self.value_error("FILE_SINGLE_LICS", concluded_license)
- def parse_file_license_info_from_files(self, license_info_from_files):
+ def parse_file_license_info_in_files(self, license_info_from_files):
"""
Parse File license information from files
- license_info_from_files: Python list of licenses information from files (str/unicode)
@@ -1495,6 +1495,32 @@ def parse_pkg_chksum(self, pkg_chksum):
self.value_error("PKG_CHECKSUM", pkg_chksum)
+def flatten_document(document):
+ """
+ Flatten document to match current data model. File objects are nested within packages according to hasFiles-tag.
+ """
+ files_by_id = {}
+ if "files" in document:
+ for f in document.get("files"):
+ for checksum in f["checksums"]:
+ if checksum["algorithm"] == "SHA1" or "sha1" in checksum["algorithm"]:
+ f["sha1"] = checksum["checksumValue"]
+ break
+ files_by_id[f["SPDXID"]] = f
+ if "packages" in document:
+ packages = document.get("packages")
+ for package in packages:
+ if "hasFiles" in package:
+ package["files"] = [{
+ "File": files_by_id[spdxid.split("#")[-1]]} for spdxid in package["hasFiles"]
+ ]
+ for checksum in package.get("checksums", []):
+ if checksum["algorithm"] == "SHA1" or "sha1" in checksum["algorithm"]:
+ package["sha1"] = checksum["checksumValue"]
+ break
+
+ return document
+
class Parser(
CreationInfoParser,
ExternalDocumentRefsParser,
@@ -1522,6 +1548,7 @@ def parse(self):
"""
self.error = False
self.document = document.Document()
+ self.document_object = flatten_document(self.document_object)
if not isinstance(self.document_object, dict):
self.logger.log("Empty or not valid SPDX Document")
self.error = True
@@ -1547,7 +1574,8 @@ def parse(self):
self.parse_packages(self.document_object.get("packages"))
- self.parse_doc_described_objects(self.document_object.get("documentDescribes"))
+ if self.document_object.get("documentDescribes"):
+ self.parse_doc_described_objects(self.document_object.get("documentDescribes"))
validation_messages = ErrorMessages()
# Report extra errors if self.error is False otherwise there will be
@@ -1646,25 +1674,16 @@ def parse_doc_comment(self, doc_comment):
def parse_doc_described_objects(self, doc_described_objects):
"""
- Parse Document documentDescribes (Files and Packages dicts)
- - doc_described_objects: Python list of dicts as in FileParser.parse_file or PackageParser.parse_package
+ Parse Document documentDescribes (SPDXIDs)
+ - doc_described_objects: Python list of strings
"""
if isinstance(doc_described_objects, list):
- packages = filter(
- lambda described: isinstance(described, dict)
- and described.get("Package") is not None,
- doc_described_objects,
- )
- files = filter(
- lambda described: isinstance(described, dict)
- and described.get("File") is not None,
- doc_described_objects,
+ described_spdxids = filter(
+ lambda described: isinstance(described, str), doc_described_objects
)
- # At the moment, only single-package documents are supported, so just the last package will be stored.
- for package in packages:
- self.parse_package(package.get("Package"))
- for file in files:
- self.parse_file(file.get("File"))
+ for spdxid in described_spdxids:
+ self.parse_relationship(self.document.spdx_id, "DESCRIBES", spdxid)
+
return True
else:
self.value_error("DOC_DESCRIBES", doc_described_objects)
diff --git a/spdx/parsers/rdfbuilders.py b/spdx/parsers/rdfbuilders.py
index 3affb7329..1a9966350 100644
--- a/spdx/parsers/rdfbuilders.py
+++ b/spdx/parsers/rdfbuilders.py
@@ -195,7 +195,7 @@ def set_pkg_chk_sum(self, doc, chk_sum):
self.assert_package_exists()
if not self.package_chk_sum_set:
self.package_chk_sum_set = True
- doc.packages[-1].check_sum = checksum.Algorithm("SHA1", chk_sum)
+ doc.packages[-1].checksum = checksum.Algorithm("SHA1", chk_sum)
else:
raise CardinalityError("Package::CheckSum")
@@ -391,7 +391,7 @@ def set_file_chksum(self, doc, chk_sum):
if self.has_package(doc) and self.has_file(doc):
if not self.file_chksum_set:
self.file_chksum_set = True
- self.file(doc).chk_sum = checksum.Algorithm("SHA1", chk_sum)
+ self.file(doc).chksum = checksum.Algorithm("SHA1", chk_sum)
return True
else:
raise CardinalityError("File::CheckSum")
diff --git a/spdx/parsers/tagvaluebuilders.py b/spdx/parsers/tagvaluebuilders.py
index 9c194fe29..46b3b4675 100644
--- a/spdx/parsers/tagvaluebuilders.py
+++ b/spdx/parsers/tagvaluebuilders.py
@@ -780,7 +780,7 @@ def set_pkg_chk_sum(self, doc, chk_sum):
self.assert_package_exists()
if not self.package_chk_sum_set:
self.package_chk_sum_set = True
- doc.packages[-1].check_sum = checksum_from_sha1(chk_sum)
+ doc.packages[-1].checksum = checksum_from_sha1(chk_sum)
return True
else:
raise CardinalityError("Package::CheckSum")
@@ -1130,7 +1130,7 @@ def set_file_chksum(self, doc, chksum):
if self.has_package(doc) and self.has_file(doc):
if not self.file_chksum_set:
self.file_chksum_set = True
- self.file(doc).chk_sum = checksum_from_sha1(chksum)
+ self.file(doc).chksum = checksum_from_sha1(chksum)
return True
else:
raise CardinalityError("File::CheckSum")
diff --git a/spdx/parsers/xmlparser.py b/spdx/parsers/xmlparser.py
index 3fed3cdb7..ea9ea557f 100644
--- a/spdx/parsers/xmlparser.py
+++ b/spdx/parsers/xmlparser.py
@@ -37,12 +37,16 @@ def __init__(self, builder, logger):
"reviewers",
"fileTypes",
"licenseInfoFromFiles",
+ "licenseInfoInFiles",
"artifactOf",
"fileContributors",
"fileDependencies",
"excludedFilesNames",
"files",
"documentDescribes",
+ "packages",
+ "checksums",
+ "hasFiles"
}
def parse(self, file):
@@ -50,7 +54,7 @@ def parse(self, file):
file.read(), strip_whitespace=False, encoding="utf-8"
)
fixed_object = self._set_in_list(parsed_xml, self.LIST_LIKE_FIELDS)
- self.document_object = fixed_object.get("SpdxDocument").get("Document")
+ self.document_object = fixed_object.get("Document")
return super(Parser, self).parse()
def _set_in_list(self, data, keys):
diff --git a/spdx/writers/jsonyamlxml.py b/spdx/writers/jsonyamlxml.py
index 60e9afadc..dec9beb68 100644
--- a/spdx/writers/jsonyamlxml.py
+++ b/spdx/writers/jsonyamlxml.py
@@ -47,7 +47,7 @@ def checksum(self, checksum_field):
"""
checksum_object = dict()
checksum_object["algorithm"] = (
- "checksumAlgorithm_" + checksum_field.identifier.lower()
+ checksum_field.identifier.upper()
)
checksum_object["checksumValue"] = checksum_field.value
return checksum_object
@@ -142,14 +142,13 @@ def create_package_info(self, package):
package_object["packageFileName"] = package.file_name
if package.has_optional_field("supplier"):
- package_object["supplier"] = package.supplier.__str__()
+ package_object["supplier"] = package.supplier.to_value()
if package.has_optional_field("originator"):
- package_object["originator"] = package.originator.__str__()
+ package_object["originator"] = package.originator.to_value()
- if package.has_optional_field("check_sum"):
- package_object["checksums"] = [self.checksum(package.check_sum)]
- package_object["sha1"] = package.check_sum.value
+ if package.has_optional_field("checksum"):
+ package_object["checksums"] = [self.checksum(checksum) for checksum in package.checksums if checksum]
if package.has_optional_field("description"):
package_object["description"] = package.description
@@ -160,7 +159,14 @@ def create_package_info(self, package):
if package.has_optional_field("homepage"):
package_object["homepage"] = package.homepage.__str__()
- return package_object
+ files_in_package = []
+ if package.has_optional_field("files"):
+ package_object["hasFiles"] = []
+ for file in package.files:
+ package_object["hasFiles"].append(file.spdx_id)
+ files_in_package.append(self.create_file_info(file))
+
+ return package_object, files_in_package
class FileWriter(BaseWriter):
@@ -186,64 +192,58 @@ def create_artifact_info(self, file):
return artifact_of_objects
- def create_file_info(self, package):
+ def create_file_info(self, file):
file_types = {
1: "fileType_source",
2: "fileType_binary",
3: "fileType_archive",
4: "fileType_other",
}
- file_objects = []
- files = package.files
- for file in files:
- file_object = dict()
+ file_object = dict()
- file_object["name"] = file.name
- file_object["SPDXID"] = self.spdx_id(file.spdx_id)
- file_object["checksums"] = [self.checksum(file.chk_sum)]
- file_object["licenseConcluded"] = self.license(file.conc_lics)
- file_object["licenseInfoFromFiles"] = list(
- map(self.license, file.licenses_in_file)
- )
- file_object["copyrightText"] = file.copyright.__str__()
- file_object["sha1"] = file.chk_sum.value
+ file_object["fileName"] = file.name
+ file_object["SPDXID"] = self.spdx_id(file.spdx_id)
+ file_object["checksums"] = [self.checksum(file.chksum)]
+ file_object["licenseConcluded"] = self.license(file.conc_lics)
+ file_object["licenseInfoInFiles"] = list(
+ map(self.license, file.licenses_in_file)
+ )
+ file_object["copyrightText"] = file.copyright.__str__()
- if file.has_optional_field("comment"):
- file_object["comment"] = file.comment
+ if file.has_optional_field("comment"):
+ file_object["comment"] = file.comment
- if file.has_optional_field("type"):
- file_object["fileTypes"] = [file_types.get(file.type)]
+ if file.has_optional_field("type"):
+ file_object["fileTypes"] = [file_types.get(file.type)]
- if file.has_optional_field("license_comment"):
- file_object["licenseComments"] = file.license_comment
+ if file.has_optional_field("license_comment"):
+ file_object["licenseComments"] = file.license_comment
- if file.has_optional_field("attribution_text"):
- file_object["attributionTexts"] = [file.attribution_text]
+ if file.has_optional_field("attribution_text"):
+ file_object["attributionTexts"] = [file.attribution_text]
- if file.has_optional_field("notice"):
- file_object["noticeText"] = file.notice
+ if file.has_optional_field("notice"):
+ file_object["noticeText"] = file.notice
- if file.contributors:
- file_object["fileContributors"] = file.contributors.__str__()
+ if file.contributors:
+ file_object["fileContributors"] = file.contributors.__str__()
- if file.dependencies:
- file_object["fileDependencies"] = file.dependencies
+ if file.dependencies:
+ file_object["fileDependencies"] = file.dependencies
- valid_artifacts = (
+ valid_artifacts = (
file.artifact_of_project_name
and len(file.artifact_of_project_name)
== len(file.artifact_of_project_home)
and len(file.artifact_of_project_home)
== len(file.artifact_of_project_uri)
- )
-
- if valid_artifacts:
- file_object["artifactOf"] = self.create_artifact_info(file)
+ )
- file_objects.append({"File": file_object})
+ if valid_artifacts:
+ file_object["artifactOf"] = self.create_artifact_info(file)
- return file_objects
+ return file_object
class ReviewInfoWriter(BaseWriter):
@@ -312,6 +312,10 @@ def create_relationship_info(self):
relationship_objects = []
for relationship_term in self.document.relationships:
+ if relationship_term.relationshiptype == "DESCRIBES":
+ continue
+ if relationship_term.relationshiptype == "CONTAINS":
+ continue
relationship_object = dict()
relationship_object["spdxElementId"] = relationship_term.spdxelementid
relationship_object[
@@ -465,6 +469,22 @@ def create_ext_document_references(self):
return ext_document_reference_objects
+ def create_document_describes(self):
+ """
+ Create a list of SPDXIDs that the document describes according to DESCRIBES-relationship.
+ """
+ document_describes = []
+ remove_rel = []
+ for relationship in self.document.relationships:
+ if relationship.relationshiptype == "DESCRIBES":
+ document_describes.append(relationship.relatedspdxelement)
+ if not relationship.has_comment:
+ remove_rel.append(relationship)
+ for relationship in remove_rel:
+ self.document.relationships.remove(relationship)
+ return document_describes
+
+
def create_document(self):
self.document_object = dict()
@@ -475,15 +495,17 @@ def create_document(self):
self.document_object["SPDXID"] = self.spdx_id(self.document.spdx_id)
self.document_object["name"] = self.document.name
+ document_describes = self.create_document_describes()
+ self.document_object["documentDescribes"] = document_describes
+
package_objects = []
+ file_objects = []
for package in self.document.packages:
- package_info_object = self.create_package_info(package)
- # SPDX 2.2 says to omit if filesAnalyzed = False
- if package.files:
- package_info_object["files"] = self.create_file_info(package)
- package_objects.append({"Package": package_info_object})
-
- self.document_object["documentDescribes"] = package_objects
+ package_info_object, files_in_package = self.create_package_info(package)
+ package_objects.append(package_info_object)
+ file_objects.extend(file for file in files_in_package if file not in file_objects)
+ self.document_object["packages"] = package_objects
+ self.document_object["files"] = file_objects
if self.document.has_comment:
self.document_object["comment"] = self.document.comment
@@ -510,4 +532,5 @@ def create_document(self):
if self.document.relationships:
self.document_object["relationships"] = self.create_relationship_info()
- return {"Document": self.document_object}
+ return self.document_object
+
diff --git a/spdx/writers/rdf.py b/spdx/writers/rdf.py
index 3b167fcc7..7f3002490 100644
--- a/spdx/writers/rdf.py
+++ b/spdx/writers/rdf.py
@@ -22,6 +22,7 @@
from spdx import document
from spdx import config
from spdx import utils
+from spdx.package import Package
from spdx.parsers.loggers import ErrorMessages
from spdx.writers.tagvalue import InvalidDocumentError
@@ -263,7 +264,7 @@ def create_file_node(self, doc_file):
(
file_node,
self.spdx_namespace.checksum,
- self.create_checksum_node(doc_file.chk_sum),
+ self.create_checksum_node(doc_file.chksum),
)
)
@@ -709,7 +710,7 @@ def handle_package_literal_optional(self, package, package_node, predicate, fiel
triple = (package_node, predicate, value_node)
self.graph.add(triple)
- def handle_pkg_optional_fields(self, package, package_node):
+ def handle_pkg_optional_fields(self, package: Package, package_node):
"""
Write package optional fields.
"""
@@ -753,8 +754,8 @@ def handle_pkg_optional_fields(self, package, package_node):
package, package_node, self.spdx_namespace.filesAnalyzed, "files_analyzed"
)
- if package.has_optional_field("check_sum"):
- checksum_node = self.create_checksum_node(package.check_sum)
+ if package.has_optional_field("checksum"):
+ checksum_node = self.create_checksum_node(package.checksum)
self.graph.add((package_node, self.spdx_namespace.checksum, checksum_node))
if package.has_optional_field("homepage"):
diff --git a/spdx/writers/tagvalue.py b/spdx/writers/tagvalue.py
index 5f14ef191..d74b15f2d 100644
--- a/spdx/writers/tagvalue.py
+++ b/spdx/writers/tagvalue.py
@@ -115,7 +115,7 @@ def write_file(spdx_file, out):
write_value("SPDXID", spdx_file.spdx_id, out)
if spdx_file.has_optional_field("type"):
write_file_type(spdx_file.type, out)
- write_value("FileChecksum", spdx_file.chk_sum.to_tv(), out)
+ write_value("FileChecksum", spdx_file.chksum.to_tv(), out)
if isinstance(
spdx_file.conc_lics, (document.LicenseConjunction, document.LicenseDisjunction)
):
@@ -223,8 +223,8 @@ def write_package(package, out):
if package.has_optional_field("originator"):
write_value("PackageOriginator", package.originator, out)
- if package.has_optional_field("check_sum"):
- write_value("PackageChecksum", package.check_sum.to_tv(), out)
+ if package.has_optional_field("checksum"):
+ write_value("PackageChecksum", package.checksum.to_tv(), out)
if package.has_optional_field("verif_code"):
write_value("PackageVerificationCode", format_verif_code(package), out)
diff --git a/spdx/writers/xml.py b/spdx/writers/xml.py
index 43e28f8cf..14bbd4b99 100644
--- a/spdx/writers/xml.py
+++ b/spdx/writers/xml.py
@@ -25,6 +25,6 @@ def write_document(document, out, validate=True):
raise InvalidDocumentError(messages)
writer = Writer(document)
- document_object = {"SpdxDocument": writer.create_document()}
+ document_object = {"Document": writer.create_document()}
xmltodict.unparse(document_object, out, encoding="utf-8", pretty=True)
diff --git a/tests/data/doc_parse/expected.json b/tests/data/doc_parse/expected.json
index 346de7167..64d8ba347 100644
--- a/tests/data/doc_parse/expected.json
+++ b/tests/data/doc_parse/expected.json
@@ -104,7 +104,7 @@
"files": [
{
"id": "SPDXRef-File1",
- "name": "Jenna-2.6.3/jena-2.6.3-sources.jar",
+ "fileName": "Jenna-2.6.3/jena-2.6.3-sources.jar",
"type": 3,
"comment": "This file belongs to Jena",
"licenseConcluded": {
@@ -119,7 +119,7 @@
"identifier": "SHA1",
"value": "3ab4e1c67a2d28fced849ee1bb76e7391b93f125"
},
- "licenseInfoFromFiles": [
+ "licenseInfoInFiles": [
{
"type": "Single",
"identifier": "LicenseRef-1",
@@ -140,7 +140,7 @@
},
{
"id": "SPDXRef-File2",
- "name": "src/org/spdx/parser/DOAPProject.java",
+ "fileName": "src/org/spdx/parser/DOAPProject.java",
"type": 1,
"comment": null,
"licenseConcluded": {
@@ -155,7 +155,7 @@
"identifier": "SHA1",
"value": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12"
},
- "licenseInfoFromFiles": [
+ "licenseInfoInFiles": [
{
"type": "Single",
"identifier": "Apache-2.0",
@@ -236,14 +236,14 @@
{
"name": "LicenseRef-2",
"identifier": "LicenseRef-2",
- "text": "This package includes the GRDDL parser developed by Hewlett Packard under the following license:\n\u00a9 Copyright 2007 Hewlett-Packard Development Company, LP\n\nRedistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: \n\nRedistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. \nRedistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. \nThe name of the author may not be used to endorse or promote products derived from this software without specific prior written permission. \nTHIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ",
+ "text": "This package includes the GRDDL parser developed by Hewlett Packard under the following license:\n\u00a9 Copyright 2007 Hewlett-Packard Development Company, LP\n\nRedistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:\n\nRedistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.\nRedistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.\nThe name of the author may not be used to endorse or promote products derived from this software without specific prior written permission.\nTHIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ",
"comment": null,
"cross_refs": []
},
{
"name": "CyberNeko License",
"identifier": "LicenseRef-3",
- "text": "The CyberNeko Software License, Version 1.0\n\n \n(C) Copyright 2002-2005, Andy Clark. All rights reserved.\n \nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions\nare met:\n\n1. Redistributions of source code must retain the above copyright\n notice, this list of conditions and the following disclaimer. \n\n2. Redistributions in binary form must reproduce the above copyright\n notice, this list of conditions and the following disclaimer in\n the documentation and/or other materials provided with the\n distribution.\n\n3. The end-user documentation included with the redistribution,\n if any, must include the following acknowledgment: \n \"This product includes software developed by Andy Clark.\"\n Alternately, this acknowledgment may appear in the software itself,\n if and wherever such third-party acknowledgments normally appear.\n\n4. The names \"CyberNeko\" and \"NekoHTML\" must not be used to endorse\n or promote products derived from this software without prior \n written permission. For written permission, please contact \n andyc@cyberneko.net.\n\n5. Products derived from this software may not be called \"CyberNeko\",\n nor may \"CyberNeko\" appear in their name, without prior written\n permission of the author.\n\nTHIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED\nWARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\nOF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR OTHER CONTRIBUTORS\nBE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, \nOR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT \nOF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR \nBUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, \nWHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE \nOR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, \nEVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.",
+ "text": "The CyberNeko Software License, Version 1.0\n\n\n(C) Copyright 2002-2005, Andy Clark. All rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions\nare met:\n\n1. Redistributions of source code must retain the above copyright\n notice, this list of conditions and the following disclaimer.\n\n2. Redistributions in binary form must reproduce the above copyright\n notice, this list of conditions and the following disclaimer in\n the documentation and/or other materials provided with the\n distribution.\n\n3. The end-user documentation included with the redistribution,\n if any, must include the following acknowledgment:\n \"This product includes software developed by Andy Clark.\"\n Alternately, this acknowledgment may appear in the software itself,\n if and wherever such third-party acknowledgments normally appear.\n\n4. The names \"CyberNeko\" and \"NekoHTML\" must not be used to endorse\n or promote products derived from this software without prior\n written permission. For written permission, please contact\n andyc@cyberneko.net.\n\n5. Products derived from this software may not be called \"CyberNeko\",\n nor may \"CyberNeko\" appear in their name, without prior written\n permission of the author.\n\nTHIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED\nWARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\nOF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR OTHER CONTRIBUTORS\nBE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\nOR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\nOF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\nBUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\nWHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\nOR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,\nEVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.",
"comment": "This is tye CyperNeko License",
"cross_refs": [
"http://justasample.url.com",
diff --git a/tests/data/doc_parse/spdx-expected.json b/tests/data/doc_parse/spdx-expected.json
index 3514bfcc6..9ef23d0aa 100644
--- a/tests/data/doc_parse/spdx-expected.json
+++ b/tests/data/doc_parse/spdx-expected.json
@@ -104,7 +104,7 @@
"files": [
{
"id": "https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301#SPDXRef-File1",
- "name": "Jenna-2.6.3/jena-2.6.3-sources.jar",
+ "fileName": "Jenna-2.6.3/jena-2.6.3-sources.jar",
"type": 3,
"comment": "This file belongs to Jena",
"licenseConcluded": {
@@ -119,7 +119,7 @@
"identifier": "SHA1",
"value": "3ab4e1c67a2d28fced849ee1bb76e7391b93f125"
},
- "licenseInfoFromFiles": [
+ "licenseInfoInFiles": [
{
"type": "Single",
"identifier": "LicenseRef-1",
@@ -138,7 +138,7 @@
},
{
"id": "https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301#SPDXRef-File2",
- "name": "src/org/spdx/parser/DOAPProject.java",
+ "fileName": "src/org/spdx/parser/DOAPProject.java",
"type": 1,
"comment": null,
"licenseConcluded": {
@@ -153,7 +153,7 @@
"identifier": "SHA1",
"value": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12"
},
- "licenseInfoFromFiles": [
+ "licenseInfoInFiles": [
{
"type": "Single",
"identifier": "Apache-2.0",
diff --git a/tests/data/doc_write/json-simple-multi-package.json b/tests/data/doc_write/json-simple-multi-package.json
index 9785bd3ab..61e221c7e 100644
--- a/tests/data/doc_write/json-simple-multi-package.json
+++ b/tests/data/doc_write/json-simple-multi-package.json
@@ -1,98 +1,78 @@
{
- "Document": {
- "spdxVersion": "SPDX-2.1",
- "documentNamespace": "https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301",
- "creationInfo": {
- "creators": [
- "Tool: ScanCode"
- ],
- "created": "2021-10-21T17:09:37Z",
- "licenseListVersion": "3.6"
- },
- "dataLicense": "CC0-1.0",
- "SPDXID": "SPDXRef-DOCUMENT",
- "name": "Sample_Document-V2.1",
- "documentDescribes": [
- {
- "Package": {
- "SPDXID": "SPDXRef-Package1",
- "name": "some/path1",
- "downloadLocation": "NOASSERTION",
- "filesAnalyzed": false,
- "licenseConcluded": "NOASSERTION",
- "licenseDeclared": "NOASSERTION",
- "copyrightText": "Some copyright"
- }
- },
- {
- "Package": {
- "SPDXID": "SPDXRef-Package2",
- "name": "some/path2",
- "downloadLocation": "NOASSERTION",
- "packageVerificationCode": {
- "packageVerificationCodeValue": "SOME code"
- },
- "licenseInfoFromFiles": [
- "LGPL-2.1-or-later"
- ],
- "licenseConcluded": "NOASSERTION",
- "licenseDeclared": "NOASSERTION",
- "copyrightText": "Some copyright",
- "files": [
- {
- "File": {
- "name": "./some/path/tofile",
- "SPDXID": "SPDXRef-File",
- "checksums": [
- {
- "algorithm": "checksumAlgorithm_sha1",
- "checksumValue": "SOME-SHA1"
- }
- ],
- "licenseConcluded": "NOASSERTION",
- "licenseInfoFromFiles": [
- "LGPL-2.1-or-later"
- ],
- "copyrightText": "NOASSERTION",
- "sha1": "SOME-SHA1"
- }
- }
- ]
- }
- },
- {
- "Package": {
- "SPDXID": "SPDXRef-Package3",
- "name": "some/path3",
- "downloadLocation": "NOASSERTION",
- "licenseInfoFromFiles": [
- "LGPL-2.1-or-later"
- ],
- "licenseConcluded": "NOASSERTION",
- "licenseDeclared": "NOASSERTION",
- "copyrightText": "Some copyright",
- "files": [
- {
- "File": {
- "name": "./some/path/tofile",
- "SPDXID": "SPDXRef-File",
- "checksums": [
- {
- "algorithm": "checksumAlgorithm_sha1",
- "checksumValue": "SOME-SHA1"
- }
- ],
- "licenseConcluded": "NOASSERTION",
- "licenseInfoFromFiles": [
- "LGPL-2.1-or-later"
- ],
- "copyrightText": "NOASSERTION",
- "sha1": "SOME-SHA1"
- }
- }
- ]
- }
- }
- ]
+ "spdxVersion": "SPDX-2.1",
+ "documentNamespace": "https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301",
+ "creationInfo": {
+ "creators": [
+ "Tool: ScanCode"
+ ],
+ "created": "2021-10-21T17:09:37Z",
+ "licenseListVersion": "3.6"
+ },
+ "dataLicense": "CC0-1.0",
+ "SPDXID": "SPDXRef-DOCUMENT",
+ "name": "Sample_Document-V2.1",
+ "documentDescribes": [
+ "SPDXRef-Package1",
+ "SPDXRef-Package2",
+ "SPDXRef-Package3"
+ ],
+ "packages": [
+ {
+ "SPDXID": "SPDXRef-Package1",
+ "name": "some/path1",
+ "downloadLocation": "NOASSERTION",
+ "filesAnalyzed": false,
+ "licenseConcluded": "NOASSERTION",
+ "licenseDeclared": "NOASSERTION",
+ "copyrightText": "Some copyright"
+ },
+ {
+ "SPDXID": "SPDXRef-Package2",
+ "name": "some/path2",
+ "downloadLocation": "NOASSERTION",
+ "packageVerificationCode": {
+ "packageVerificationCodeValue": "SOME code"
+ },
+ "licenseInfoFromFiles": [
+ "LGPL-2.1-or-later"
+ ],
+ "licenseConcluded": "NOASSERTION",
+ "licenseDeclared": "NOASSERTION",
+ "copyrightText": "Some copyright",
+ "hasFiles": [
+ "SPDXRef-File"
+ ]
+ },
+ {
+ "SPDXID": "SPDXRef-Package3",
+ "name": "some/path3",
+ "downloadLocation": "NOASSERTION",
+ "licenseInfoFromFiles": [
+ "LGPL-2.1-or-later"
+ ],
+ "licenseConcluded": "NOASSERTION",
+ "licenseDeclared": "NOASSERTION",
+ "copyrightText": "Some copyright",
+ "hasFiles": [
+ "SPDXRef-File"
+ ]
}
-}
\ No newline at end of file
+ ],
+ "files": [
+ {
+ "fileName": "./some/path/tofile",
+ "SPDXID": "SPDXRef-File",
+ "checksums": [
+ {
+ "algorithm": "SHA1",
+ "checksumValue": "SOME-SHA1"
+ }
+ ],
+ "licenseConcluded": "NOASSERTION",
+ "licenseInfoInFiles": [
+ "LGPL-2.1-or-later"
+ ],
+ "copyrightText": "NOASSERTION"
+ }
+ ]
+}
diff --git a/tests/data/doc_write/json-simple-plus.json b/tests/data/doc_write/json-simple-plus.json
index 11e0929e4..a67c6e324 100644
--- a/tests/data/doc_write/json-simple-plus.json
+++ b/tests/data/doc_write/json-simple-plus.json
@@ -1,50 +1,59 @@
{
- "Document": {
- "spdxVersion": "SPDX-2.1",
- "dataLicense": "CC0-1.0",
- "name": "Sample_Document-V2.1",
- "SPDXID": "SPDXRef-DOCUMENT",
- "documentNamespace": "https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301",
- "documentDescribes": [
- {
- "Package": {
- "SPDXID": "SPDXRef-Package",
- "name": "some/path",
- "downloadLocation": "NOASSERTION",
- "copyrightText": "Some copyrught",
- "packageVerificationCode": {
- "packageVerificationCodeValue": "SOME code"
- },
- "checksums": [
- {
- "algorithm": "checksumAlgorithm_sha1",
- "checksumValue": "SOME-SHA1"
- }
- ],
- "licenseDeclared": "NOASSERTION",
- "licenseConcluded": "NOASSERTION",
- "files": [
- {
- "File": {
- "name": "./some/path/tofile",
- "SPDXID": "SPDXRef-File",
- "checksums": [
- {
- "algorithm": "checksumAlgorithm_sha1",
- "checksumValue": "SOME-SHA1"
- }
- ],
- "licenseConcluded": "NOASSERTION",
- "copyrightText": "NOASSERTION",
- "licenseInfoFromFiles": ["LGPL-2.1-or-later"],
- "sha1": "SOME-SHA1"
- }
- }
- ],
- "licenseInfoFromFiles": ["LGPL-2.1-or-later"],
- "sha1": "SOME-SHA1"
+ "spdxVersion": "SPDX-2.1",
+ "dataLicense": "CC0-1.0",
+ "name": "Sample_Document-V2.1",
+ "SPDXID": "SPDXRef-DOCUMENT",
+ "documentNamespace": "https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301",
+ "creationInfo": {
+ "creators": [
+ "Organization: SPDX"
+ ],
+ "created": "2021-11-15T00:00:00Z",
+ "licenseListVersion": "3.6"
+ },
+ "documentDescribes": [
+ "SPDXRef-Package"
+ ],
+ "packages": [
+ {
+ "SPDXID": "SPDXRef-Package",
+ "name": "some/path",
+ "downloadLocation": "NOASSERTION",
+ "copyrightText": "Some copyrught",
+ "packageVerificationCode": {
+ "packageVerificationCodeValue": "SOME code"
+ },
+ "checksums": [
+ {
+ "algorithm": "SHA1",
+ "checksumValue": "SOME-SHA1"
}
- }
- ]
- }
-}
+ ],
+ "licenseDeclared": "NOASSERTION",
+ "licenseConcluded": "NOASSERTION",
+ "licenseInfoFromFiles": [
+ "LGPL-2.1-or-later"
+ ],
+ "hasFiles": [
+ "SPDXRef-File"
+ ]
+ }
+ ],
+ "files": [
+ {
+ "SPDXID": "SPDXRef-File",
+ "checksums": [
+ {
+ "algorithm": "SHA1",
+ "checksumValue": "SOME-SHA1"
+ }
+ ],
+ "licenseConcluded": "NOASSERTION",
+ "copyrightText": "NOASSERTION",
+ "fileName": "./some/path/tofile",
+ "licenseInfoInFiles": [
+ "LGPL-2.1-or-later"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/data/doc_write/json-simple.json b/tests/data/doc_write/json-simple.json
index 246a0cacb..187895621 100644
--- a/tests/data/doc_write/json-simple.json
+++ b/tests/data/doc_write/json-simple.json
@@ -1,50 +1,59 @@
{
- "Document": {
- "spdxVersion": "SPDX-2.1",
- "dataLicense": "CC0-1.0",
- "name": "Sample_Document-V2.1",
- "SPDXID": "SPDXRef-DOCUMENT",
- "documentNamespace": "https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301",
- "documentDescribes": [
- {
- "Package": {
- "SPDXID": "SPDXRef-Package",
- "name": "some/path",
- "downloadLocation": "NOASSERTION",
- "copyrightText": "Some copyrught",
- "packageVerificationCode": {
- "packageVerificationCodeValue": "SOME code"
- },
- "checksums": [
- {
- "algorithm": "checksumAlgorithm_sha1",
- "checksumValue": "SOME-SHA1"
- }
- ],
- "licenseDeclared": "NOASSERTION",
- "licenseConcluded": "NOASSERTION",
- "files": [
- {
- "File": {
- "name": "./some/path/tofile",
- "SPDXID": "SPDXRef-File",
- "checksums": [
- {
- "algorithm": "checksumAlgorithm_sha1",
- "checksumValue": "SOME-SHA1"
- }
- ],
- "licenseConcluded": "NOASSERTION",
- "copyrightText": "NOASSERTION",
- "licenseInfoFromFiles": ["LGPL-2.1-only"],
- "sha1": "SOME-SHA1"
- }
- }
- ],
- "licenseInfoFromFiles": ["LGPL-2.1-only"],
- "sha1": "SOME-SHA1"
+ "spdxVersion": "SPDX-2.1",
+ "dataLicense": "CC0-1.0",
+ "name": "Sample_Document-V2.1",
+ "SPDXID": "SPDXRef-DOCUMENT",
+ "documentNamespace": "https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301",
+ "creationInfo": {
+ "creators": [
+ "Organization: SPDX"
+ ],
+ "created": "2021-11-15T00:00:00Z",
+ "licenseListVersion": "3.6"
+ },
+ "documentDescribes": [
+ "SPDXRef-Package"
+ ],
+ "packages": [
+ {
+ "SPDXID": "SPDXRef-Package",
+ "name": "some/path",
+ "downloadLocation": "NOASSERTION",
+ "copyrightText": "Some copyrught",
+ "packageVerificationCode": {
+ "packageVerificationCodeValue": "SOME code"
+ },
+ "checksums": [
+ {
+ "algorithm": "SHA1",
+ "checksumValue": "SOME-SHA1"
}
- }
- ]
- }
-}
+ ],
+ "licenseDeclared": "NOASSERTION",
+ "licenseConcluded": "NOASSERTION",
+ "licenseInfoFromFiles": [
+ "LGPL-2.1-only"
+ ],
+ "hasFiles": [
+ "SPDXRef-File"
+ ]
+ }
+ ],
+ "files": [
+ {
+ "SPDXID": "SPDXRef-File",
+ "checksums": [
+ {
+ "algorithm": "SHA1",
+ "checksumValue": "SOME-SHA1"
+ }
+ ],
+ "licenseConcluded": "NOASSERTION",
+ "copyrightText": "NOASSERTION",
+ "fileName": "./some/path/tofile",
+ "licenseInfoInFiles": [
+ "LGPL-2.1-only"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/data/doc_write/tv-simple-plus.tv b/tests/data/doc_write/tv-simple-plus.tv
index b4c54b347..10bd317eb 100644
--- a/tests/data/doc_write/tv-simple-plus.tv
+++ b/tests/data/doc_write/tv-simple-plus.tv
@@ -5,6 +5,8 @@ DocumentNamespace: https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0
DocumentName: Sample_Document-V2.1
SPDXID: SPDXRef-DOCUMENT
# Creation Info
+# Relationships
+Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package
# Package
PackageName: some/path
SPDXID: SPDXRef-Package
diff --git a/tests/data/doc_write/tv-simple.tv b/tests/data/doc_write/tv-simple.tv
index 7a4383b45..3613e7fe9 100644
--- a/tests/data/doc_write/tv-simple.tv
+++ b/tests/data/doc_write/tv-simple.tv
@@ -5,6 +5,8 @@ DocumentNamespace: https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0
DocumentName: Sample_Document-V2.1
SPDXID: SPDXRef-DOCUMENT
# Creation Info
+# Relationships
+Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package
# Package
PackageName: some/path
SPDXID: SPDXRef-Package
diff --git a/tests/data/doc_write/xml-simple-multi-package.xml b/tests/data/doc_write/xml-simple-multi-package.xml
index eadaba0fc..4b7e6e85c 100644
--- a/tests/data/doc_write/xml-simple-multi-package.xml
+++ b/tests/data/doc_write/xml-simple-multi-package.xml
@@ -1,79 +1,59 @@
-
-
- SPDX-2.1
- https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301
-
- Tool: ScanCode
- 2021-10-21T17:02:23Z
- 3.6
-
- CC0-1.0
- SPDXRef-DOCUMENT
- Sample_Document-V2.1
-
-
- SPDXRef-Package1
- some/path1
- NOASSERTION
- false
- NOASSERTION
- NOASSERTION
- Some copyright
-
-
-
-
- SPDXRef-Package2
- some/path2
- NOASSERTION
-
- SOME code
-
- LGPL-2.1-or-later
- NOASSERTION
- NOASSERTION
- Some copyright
-
-
- ./some/path/tofile
- SPDXRef-File
-
- checksumAlgorithm_sha1
- SOME-SHA1
-
- NOASSERTION
- LGPL-2.1-or-later
- NOASSERTION
- SOME-SHA1
-
-
-
-
-
-
- SPDXRef-Package3
- some/path3
- NOASSERTION
- LGPL-2.1-or-later
- NOASSERTION
- NOASSERTION
- Some copyright
-
-
- ./some/path/tofile
- SPDXRef-File
-
- checksumAlgorithm_sha1
- SOME-SHA1
-
- NOASSERTION
- LGPL-2.1-or-later
- NOASSERTION
- SOME-SHA1
-
-
-
-
-
-
\ No newline at end of file
+
+ SPDX-2.1
+ https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301
+
+ Tool: ScanCode
+ 2021-10-21T17:02:23Z
+ 3.6
+
+ CC0-1.0
+ SPDXRef-DOCUMENT
+ Sample_Document-V2.1
+ SPDXRef-Package1
+ SPDXRef-Package2
+ SPDXRef-Package3
+
+ SPDXRef-Package1
+ some/path1
+ NOASSERTION
+ false
+ NOASSERTION
+ NOASSERTION
+ Some copyright
+
+
+ SPDXRef-Package2
+ some/path2
+ NOASSERTION
+
+ SOME code
+
+ LGPL-2.1-or-later
+ NOASSERTION
+ NOASSERTION
+ Some copyright
+ SPDXRef-File
+
+
+ SPDXRef-Package3
+ some/path3
+ NOASSERTION
+ LGPL-2.1-or-later
+ NOASSERTION
+ NOASSERTION
+ Some copyright
+ SPDXRef-File
+
+
+ ./some/path/tofile
+ SPDXRef-File
+
+ SHA1
+ SOME-SHA1
+
+ NOASSERTION
+ LGPL-2.1-or-later
+ NOASSERTION
+
+
\ No newline at end of file
diff --git a/tests/data/doc_write/xml-simple-plus.xml b/tests/data/doc_write/xml-simple-plus.xml
index b69c29f79..f3b2bec73 100644
--- a/tests/data/doc_write/xml-simple-plus.xml
+++ b/tests/data/doc_write/xml-simple-plus.xml
@@ -1,13 +1,13 @@
-
+
SPDX-2.1
CC0-1.0
Sample_Document-V2.1
SPDXRef-DOCUMENT
https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301
-
-
+ SPDXRef-Package
+
SPDXRef-Package
some/path
NOASSERTION
@@ -17,27 +17,27 @@
SOME-SHA1
- checksumAlgorithm_sha1
+ SHA1
NOASSERTION
NOASSERTION
+ LGPL-2.1-or-later
+
+ SPDXRef-File
+
-
- ./some/path/tofile
+
+ ./some/path/tofile
SPDXRef-File
SOME-SHA1
- checksumAlgorithm_sha1
+ SHA1
NOASSERTION
NOASSERTION
- LGPL-2.1-or-later
- SOME-SHA1
-
+ LGPL-2.1-or-later
+
- LGPL-2.1-or-later
- SOME-SHA1
-
-
-
-
\ No newline at end of file
+
+
+
\ No newline at end of file
diff --git a/tests/data/doc_write/xml-simple.xml b/tests/data/doc_write/xml-simple.xml
index 2eb292fe8..9eaca485b 100644
--- a/tests/data/doc_write/xml-simple.xml
+++ b/tests/data/doc_write/xml-simple.xml
@@ -1,43 +1,38 @@
-
-
- SPDX-2.1
- CC0-1.0
- Sample_Document-V2.1
- SPDXRef-DOCUMENT
- https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301
-
-
- SPDXRef-Package
- some/path
- NOASSERTION
- Some copyrught
-
- SOME code
-
-
- SOME-SHA1
- checksumAlgorithm_sha1
-
- NOASSERTION
- NOASSERTION
-
-
- ./some/path/tofile
- SPDXRef-File
-
- SOME-SHA1
- checksumAlgorithm_sha1
-
- NOASSERTION
- NOASSERTION
- LGPL-2.1-only
- SOME-SHA1
-
-
- LGPL-2.1-only
- SOME-SHA1
-
-
-
-
\ No newline at end of file
+
+ SPDX-2.1
+ CC0-1.0
+ Sample_Document-V2.1
+ SPDXRef-DOCUMENT
+ https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301
+ SPDXRef-Package
+
+ SPDXRef-Package
+ some/path
+ NOASSERTION
+ Some copyrught
+
+ SOME code
+
+
+ SOME-SHA1
+ SHA1
+
+ NOASSERTION
+ NOASSERTION
+
+ LGPL-2.1-only
+ SPDXRef-File
+
+
+ ./some/path/tofile
+ SPDXRef-File
+
+ SOME-SHA1
+ SHA1
+
+ NOASSERTION
+ NOASSERTION
+ LGPL-2.1-only
+
+
\ No newline at end of file
diff --git a/tests/data/doc_write/yaml-simple-multi-package.yaml b/tests/data/doc_write/yaml-simple-multi-package.yaml
index d7c4b134e..a6d10db5c 100644
--- a/tests/data/doc_write/yaml-simple-multi-package.yaml
+++ b/tests/data/doc_write/yaml-simple-multi-package.yaml
@@ -1,65 +1,54 @@
----
-Document:
- SPDXID: SPDXRef-DOCUMENT
- creationInfo:
- created: '2021-10-21T16:46:56Z'
- creators:
+SPDXID: SPDXRef-DOCUMENT
+creationInfo:
+ created: '2021-10-21T16:46:56Z'
+ creators:
- 'Tool: ScanCode'
- licenseListVersion: '3.6'
- dataLicense: CC0-1.0
- documentDescribes:
- - Package:
- SPDXID: SPDXRef-Package1
- copyrightText: Some copyright
- downloadLocation: NOASSERTION
- filesAnalyzed: false
- licenseConcluded: NOASSERTION
- licenseDeclared: NOASSERTION
- name: some/path1
- - Package:
- SPDXID: SPDXRef-Package2
- copyrightText: Some copyright
- downloadLocation: NOASSERTION
- files:
- - File:
- SPDXID: SPDXRef-File
- checksums:
- - algorithm: checksumAlgorithm_sha1
- checksumValue: SOME-SHA1
- copyrightText: NOASSERTION
- licenseConcluded: NOASSERTION
- licenseInfoFromFiles:
- - LGPL-2.1-or-later
- name: ./some/path/tofile
- sha1: SOME-SHA1
- licenseConcluded: NOASSERTION
- licenseDeclared: NOASSERTION
- licenseInfoFromFiles:
+ licenseListVersion: '3.6'
+dataLicense: CC0-1.0
+documentDescribes:
+ - SPDXRef-Package1
+ - SPDXRef-Package2
+ - SPDXRef-Package3
+packages:
+ - SPDXID: SPDXRef-Package1
+ copyrightText: Some copyright
+ downloadLocation: NOASSERTION
+ filesAnalyzed: false
+ licenseConcluded: NOASSERTION
+ licenseDeclared: NOASSERTION
+ name: some/path1
+ - SPDXID: SPDXRef-Package2
+ copyrightText: Some copyright
+ downloadLocation: NOASSERTION
+ hasFiles:
+ - SPDXRef-File
+ licenseConcluded: NOASSERTION
+ licenseDeclared: NOASSERTION
+ licenseInfoFromFiles:
- LGPL-2.1-or-later
- name: some/path2
- packageVerificationCode:
- packageVerificationCodeValue: SOME code
- - Package:
- SPDXID: SPDXRef-Package3
- copyrightText: Some copyright
- downloadLocation: NOASSERTION
- files:
- - File:
- SPDXID: SPDXRef-File
- checksums:
- - algorithm: checksumAlgorithm_sha1
- checksumValue: SOME-SHA1
- copyrightText: NOASSERTION
- licenseConcluded: NOASSERTION
- licenseInfoFromFiles:
- - LGPL-2.1-or-later
- name: ./some/path/tofile
- sha1: SOME-SHA1
- licenseConcluded: NOASSERTION
- licenseDeclared: NOASSERTION
- licenseInfoFromFiles:
+ name: some/path2
+ packageVerificationCode:
+ packageVerificationCodeValue: SOME code
+ - SPDXID: SPDXRef-Package3
+ copyrightText: Some copyright
+ downloadLocation: NOASSERTION
+ hasFiles:
+ - SPDXRef-File
+ licenseConcluded: NOASSERTION
+ licenseDeclared: NOASSERTION
+ licenseInfoFromFiles:
- LGPL-2.1-or-later
- name: some/path3
- documentNamespace: https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301
- name: Sample_Document-V2.1
- spdxVersion: SPDX-2.1
+ name: some/path3
+documentNamespace: https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301
+name: Sample_Document-V2.1
+spdxVersion: SPDX-2.1
+files:
+ - SPDXID: SPDXRef-File
+ checksums:
+ - algorithm: SHA1
+ checksumValue: SOME-SHA1
+ copyrightText: NOASSERTION
+ licenseConcluded: NOASSERTION
+ licenseInfoInFiles:
+ - LGPL-2.1-or-later
+ fileName: ./some/path/tofile
\ No newline at end of file
diff --git a/tests/data/doc_write/yaml-simple-plus.yaml b/tests/data/doc_write/yaml-simple-plus.yaml
index 9858c8167..1c20a50c4 100644
--- a/tests/data/doc_write/yaml-simple-plus.yaml
+++ b/tests/data/doc_write/yaml-simple-plus.yaml
@@ -1,35 +1,38 @@
----
-Document:
- spdxVersion: "SPDX-2.1"
- dataLicense: "CC0-1.0"
- name: "Sample_Document-V2.1"
- SPDXID: "SPDXRef-DOCUMENT"
- documentNamespace: "https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301"
- documentDescribes:
- - Package:
- SPDXID: "SPDXRef-Package"
- name: "some/path"
- downloadLocation: "NOASSERTION"
- copyrightText: "Some copyrught"
- packageVerificationCode:
- packageVerificationCodeValue: "SOME code"
- checksums:
- - algorithm: "checksumAlgorithm_sha1"
- checksumValue: "SOME-SHA1"
- licenseDeclared: "NOASSERTION"
- licenseConcluded: "NOASSERTION"
- files:
- - File:
- name: "./some/path/tofile"
- SPDXID: "SPDXRef-File"
- checksums:
- - algorithm: "checksumAlgorithm_sha1"
- checksumValue: "SOME-SHA1"
- licenseConcluded: "NOASSERTION"
- copyrightText: "NOASSERTION"
- licenseInfoFromFiles:
- - "LGPL-2.1-or-later"
- sha1: "SOME-SHA1"
- licenseInfoFromFiles:
- - "LGPL-2.1-or-later"
- sha1: "SOME-SHA1"
+SPDXID: SPDXRef-DOCUMENT
+creationInfo:
+ created: '2021-11-15T00:00:00Z'
+ creators:
+ - 'Organization: SPDX'
+ licenseListVersion: '3.6'
+dataLicense: CC0-1.0
+documentDescribes:
+- SPDXRef-Package
+documentNamespace: https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301
+files:
+- SPDXID: SPDXRef-File
+ checksums:
+ - algorithm: SHA1
+ checksumValue: SOME-SHA1
+ copyrightText: NOASSERTION
+ fileName: ./some/path/tofile
+ licenseConcluded: NOASSERTION
+ licenseInfoInFiles:
+ - LGPL-2.1-or-later
+name: Sample_Document-V2.1
+packages:
+- SPDXID: SPDXRef-Package
+ checksums:
+ - algorithm: SHA1
+ checksumValue: SOME-SHA1
+ copyrightText: Some copyrught
+ downloadLocation: NOASSERTION
+ hasFiles:
+ - SPDXRef-File
+ licenseConcluded: NOASSERTION
+ licenseDeclared: NOASSERTION
+ licenseInfoFromFiles:
+ - LGPL-2.1-or-later
+ name: some/path
+ packageVerificationCode:
+ packageVerificationCodeValue: SOME code
+spdxVersion: SPDX-2.1
diff --git a/tests/data/doc_write/yaml-simple.yaml b/tests/data/doc_write/yaml-simple.yaml
index b4946b70f..9cbdc783c 100644
--- a/tests/data/doc_write/yaml-simple.yaml
+++ b/tests/data/doc_write/yaml-simple.yaml
@@ -1,35 +1,38 @@
----
-Document:
- spdxVersion: "SPDX-2.1"
- dataLicense: "CC0-1.0"
- name: "Sample_Document-V2.1"
- SPDXID: "SPDXRef-DOCUMENT"
- documentNamespace: "https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301"
- documentDescribes:
- - Package:
- SPDXID: "SPDXRef-Package"
- name: "some/path"
- downloadLocation: "NOASSERTION"
- copyrightText: "Some copyrught"
- packageVerificationCode:
- packageVerificationCodeValue: "SOME code"
- checksums:
- - algorithm: "checksumAlgorithm_sha1"
- checksumValue: "SOME-SHA1"
- licenseDeclared: "NOASSERTION"
- licenseConcluded: "NOASSERTION"
- files:
- - File:
- name: "./some/path/tofile"
- SPDXID: "SPDXRef-File"
- checksums:
- - algorithm: "checksumAlgorithm_sha1"
- checksumValue: "SOME-SHA1"
- licenseConcluded: "NOASSERTION"
- copyrightText: "NOASSERTION"
- licenseInfoFromFiles:
- - "LGPL-2.1-only"
- sha1: "SOME-SHA1"
- licenseInfoFromFiles:
- - "LGPL-2.1-only"
- sha1: "SOME-SHA1"
+SPDXID: SPDXRef-DOCUMENT
+creationInfo:
+ created: '2021-11-15T00:00:00Z'
+ creators:
+ - 'Organization: SPDX'
+ licenseListVersion: '3.6'
+dataLicense: CC0-1.0
+documentDescribes:
+- SPDXRef-Package
+documentNamespace: https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301
+files:
+- SPDXID: SPDXRef-File
+ checksums:
+ - algorithm: SHA1
+ checksumValue: SOME-SHA1
+ copyrightText: NOASSERTION
+ fileName: ./some/path/tofile
+ licenseConcluded: NOASSERTION
+ licenseInfoInFiles:
+ - LGPL-2.1-only
+name: Sample_Document-V2.1
+packages:
+- SPDXID: SPDXRef-Package
+ checksums:
+ - algorithm: SHA1
+ checksumValue: SOME-SHA1
+ copyrightText: Some copyrught
+ downloadLocation: NOASSERTION
+ hasFiles:
+ - SPDXRef-File
+ licenseConcluded: NOASSERTION
+ licenseDeclared: NOASSERTION
+ licenseInfoFromFiles:
+ - LGPL-2.1-only
+ name: some/path
+ packageVerificationCode:
+ packageVerificationCodeValue: SOME code
+spdxVersion: SPDX-2.1
diff --git a/tests/data/formats/SPDXJsonExample.json b/tests/data/formats/SPDXJsonExample.json
index 0dbce19a4..49b5a13bb 100644
--- a/tests/data/formats/SPDXJsonExample.json
+++ b/tests/data/formats/SPDXJsonExample.json
@@ -1,223 +1,184 @@
{
- "Document": {
- "comment": "This is a sample spreadsheet",
- "name": "Sample_Document-V2.1",
- "documentDescribes": [
- {
- "Package": {
- "SPDXID": "SPDXRef-Package",
- "originator": "Organization: SPDX",
- "files": [
- {
- "File": {
- "comment": "This file belongs to Jena",
- "licenseInfoFromFiles": [
- "LicenseRef-1"
- ],
- "sha1": "3ab4e1c67a2d28fced849ee1bb76e7391b93f125",
- "name": "Jenna-2.6.3/jena-2.6.3-sources.jar",
- "copyrightText": "(c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP",
- "artifactOf" : [
- {
- "name" : "Jena",
- "homePage" : "http://www.openjena.org/",
- "projectUri" : "http://subversion.apache.org/doap.rdf"
- }
- ],
- "licenseConcluded": "LicenseRef-1",
- "licenseComments": "This license is used by Jena",
- "checksums": [
- {
- "checksumValue": "3ab4e1c67a2d28fced849ee1bb76e7391b93f125",
- "algorithm": "checksumAlgorithm_sha1"
- }
- ],
- "fileTypes": [
- "fileType_archive"
- ],
- "SPDXID": "SPDXRef-File1"
- }
- },
- {
- "File": {
- "licenseInfoFromFiles": [
- "Apache-2.0"
- ],
- "sha1": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12",
- "name": "src/org/spdx/parser/DOAPProject.java",
- "copyrightText": "Copyright 2010, 2011 Source Auditor Inc.",
- "licenseConcluded": "Apache-2.0",
- "checksums": [
- {
- "checksumValue": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12",
- "algorithm": "checksumAlgorithm_sha1"
- }
- ],
- "fileTypes": [
- "fileType_source"
- ],
- "SPDXID": "SPDXRef-File2"
- }
- }
- ],
- "licenseInfoFromFiles": [
- "Apache-1.0",
- "LicenseRef-3",
- "MPL-1.1",
- "LicenseRef-2",
- "LicenseRef-4",
- "Apache-2.0",
- "LicenseRef-1"
- ],
- "sha1": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12",
- "name": "SPDX Translator",
- "packageFileName": "spdxtranslator-1.0.zip",
- "licenseComments": "The declared license information can be found in the NOTICE file at the root of the archive file",
- "summary": "SPDX Translator utility",
- "sourceInfo": "Version 1.0 of the SPDX Translator application",
- "copyrightText": " Copyright 2010, 2011 Source Auditor Inc.",
- "packageVerificationCode": {
- "packageVerificationCodeValue": "4e3211c67a2d28fced849ee1bb76e7391b93feba",
- "packageVerificationCodeExcludedFiles": [
- "SpdxTranslatorSpdx.rdf",
- "SpdxTranslatorSpdx.txt"
- ]
- },
- "licenseConcluded": "(Apache-1.0 AND LicenseRef-2 AND MPL-1.1 AND LicenseRef-3 AND LicenseRef-4 AND Apache-2.0 AND LicenseRef-1)",
- "supplier": "Organization: Linux Foundation",
- "attributionTexts" : [ "The GNU C Library is free software. See the file COPYING.LIB for copying conditions, and LICENSES for notices about a few contributions that require these additional notices to be distributed. License copyright years may be listed using range notation, e.g., 1996-2015, indicating that every year in the range, inclusive, is a copyrightable year that would otherwise be listed individually." ],
- "checksums": [
- {
- "checksumValue": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12",
- "algorithm": "checksumAlgorithm_sha1"
- }
- ],
- "versionInfo": "Version 0.9.2",
- "licenseDeclared": "(LicenseRef-4 AND LicenseRef-3 AND Apache-2.0 AND LicenseRef-2 AND MPL-1.1 AND LicenseRef-1)",
- "downloadLocation": "http://www.spdx.org/tools",
- "description": "This utility translates and SPDX RDF XML document to a spreadsheet, translates a spreadsheet to an SPDX RDF XML document and translates an SPDX RDFa document to an SPDX RDF XML document."
- }
- }
- ],
- "creationInfo": {
- "comment": "This is an example of an SPDX spreadsheet format",
- "creators": [
- "Tool: SourceAuditor-V1.2",
- "Person: Gary O'Neall",
- "Organization: Source Auditor Inc."
- ],
- "licenseListVersion": "3.6",
- "created": "2010-02-03T00:00:00Z"
- },
- "externalDocumentRefs": [
- {
- "checksum": {
- "checksumValue": "d6a770ba38583ed4bb4525bd96e50461655d2759",
- "algorithm": "checksumAlgorithm_sha1"
- },
- "spdxDocument": "https://spdx.org/spdxdocs/spdx-tools-v2.1-3F2504E0-4F89-41D3-9A0C-0305E82C3301",
- "externalDocumentId": "DocumentRef-spdx-tool-2.1"
- }
- ],
- "documentNamespace": "https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301",
- "annotations": [
- {
- "comment": "This is just an example. Some of the non-standard licenses look like they are actually BSD 3 clause licenses",
- "annotationType": "REVIEW",
- "SPDXID": "SPDXRef-45",
- "annotationDate": "2012-06-13T00:00:00Z",
- "annotator": "Person: Jim Reviewer"
- }
- ],
- "relationships" : [ {
- "spdxElementId" : "SPDXRef-DOCUMENT",
- "relatedSpdxElement" : "SPDXRef-Package",
- "relationshipType" : "CONTAINS"
- }, {
- "spdxElementId" : "SPDXRef-DOCUMENT",
- "relatedSpdxElement" : "SPDXRef-File",
- "relationshipType" : "DESCRIBES"
- }, {
- "spdxElementId" : "SPDXRef-DOCUMENT",
- "relatedSpdxElement" : "DocumentRef-spdx-tool-1.2:SPDXRef-ToolsElement",
- "relationshipType" : "COPY_OF"
- }, {
- "spdxElementId" : "SPDXRef-DOCUMENT",
- "relatedSpdxElement" : "SPDXRef-Package",
- "relationshipType" : "DESCRIBES"
- }, {
- "spdxElementId" : "SPDXRef-Package",
- "relatedSpdxElement" : "SPDXRef-Saxon",
- "relationshipType" : "DYNAMIC_LINK"
- }, {
- "spdxElementId" : "SPDXRef-Package",
- "relatedSpdxElement" : "SPDXRef-JenaLib",
- "relationshipType" : "CONTAINS"
- }, {
- "spdxElementId" : "SPDXRef-CommonsLangSrc",
- "relatedSpdxElement" : "NOASSERTION",
- "relationshipType" : "GENERATED_FROM"
- }, {
- "spdxElementId" : "SPDXRef-JenaLib",
- "relatedSpdxElement" : "SPDXRef-Package",
- "relationshipType" : "CONTAINS"
- }, {
- "spdxElementId" : "SPDXRef-File",
- "relatedSpdxElement" : "SPDXRef-fromDoap-0",
- "relationshipType" : "GENERATED_FROM"
- } ],
- "dataLicense": "CC0-1.0",
- "reviewers": [
- {
- "comment": "This is just an example. Some of the non-standard licenses look like they are actually BSD 3 clause licenses",
- "reviewer": "Person: Joe Reviewer",
- "reviewDate": "2010-02-10T00:00:00Z"
- },
- {
- "comment": "Another example reviewer.",
- "reviewer": "Person: Suzanne Reviewer",
- "reviewDate": "2011-03-13T00:00:00Z"
- }
- ],
- "hasExtractedLicensingInfos": [
- {
- "extractedText": "This package includes the GRDDL parser developed by Hewlett Packard under the following license:\n\u00a9 Copyright 2007 Hewlett-Packard Development Company, LP\n\nRedistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: \n\nRedistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. \nRedistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. \nThe name of the author may not be used to endorse or promote products derived from this software without specific prior written permission. \nTHIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ",
- "licenseId": "LicenseRef-2"
- },
- {
- "extractedText": "The CyberNeko Software License, Version 1.0\n\n \n(C) Copyright 2002-2005, Andy Clark. All rights reserved.\n \nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions\nare met:\n\n1. Redistributions of source code must retain the above copyright\n notice, this list of conditions and the following disclaimer. \n\n2. Redistributions in binary form must reproduce the above copyright\n notice, this list of conditions and the following disclaimer in\n the documentation and/or other materials provided with the\n distribution.\n\n3. The end-user documentation included with the redistribution,\n if any, must include the following acknowledgment: \n \"This product includes software developed by Andy Clark.\"\n Alternately, this acknowledgment may appear in the software itself,\n if and wherever such third-party acknowledgments normally appear.\n\n4. The names \"CyberNeko\" and \"NekoHTML\" must not be used to endorse\n or promote products derived from this software without prior \n written permission. For written permission, please contact \n andyc@cyberneko.net.\n\n5. Products derived from this software may not be called \"CyberNeko\",\n nor may \"CyberNeko\" appear in their name, without prior written\n permission of the author.\n\nTHIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED\nWARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\nOF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR OTHER CONTRIBUTORS\nBE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, \nOR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT \nOF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR \nBUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, \nWHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE \nOR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, \nEVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.",
- "comment": "This is tye CyperNeko License",
- "licenseId": "LicenseRef-3",
- "name": "CyberNeko License",
- "seeAlso": [
- "http://justasample.url.com",
- "http://people.apache.org/~andyc/neko/LICENSE"
- ]
- },
- {
- "extractedText": "/*\n * (c) Copyright 2009 University of Bristol\n * All rights reserved.\n *\n * Redistribution and use in source and binary forms, with or without\n * modification, are permitted provided that the following conditions\n * are met:\n * 1. Redistributions of source code must retain the above copyright\n * notice, this list of conditions and the following disclaimer.\n * 2. Redistributions in binary form must reproduce the above copyright\n * notice, this list of conditions and the following disclaimer in the\n * documentation and/or other materials provided with the distribution.\n * 3. The name of the author may not be used to endorse or promote products\n * derived from this software without specific prior written permission.\n *\n * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR\n * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\n * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.\n * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,\n * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT\n * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\n * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\n * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF\n * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n */ ",
- "licenseId": "LicenseRef-4"
- },
- {
- "extractedText": "/*\n * (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP\n * All rights reserved.\n *\n * Redistribution and use in source and binary forms, with or without\n * modification, are permitted provided that the following conditions\n * are met:\n * 1. Redistributions of source code must retain the above copyright\n * notice, this list of conditions and the following disclaimer.\n * 2. Redistributions in binary form must reproduce the above copyright\n * notice, this list of conditions and the following disclaimer in the\n * documentation and/or other materials provided with the distribution.\n * 3. The name of the author may not be used to endorse or promote products\n * derived from this software without specific prior written permission.\n *\n * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR\n * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\n * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.\n * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,\n * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT\n * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\n * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\n * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF\n * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n */",
- "licenseId": "LicenseRef-1"
- }
- ],
- "spdxVersion": "SPDX-2.1",
- "SPDXID": "SPDXRef-DOCUMENT",
- "snippets": [
- {
- "comment": "This snippet was identified as significant and highlighted in this Apache-2.0 file, when a commercial scanner identified it as being derived from file foo.c in package xyz which is licensed under GPL-2.0-or-later.",
- "name": "from linux kernel",
- "copyrightText": "Copyright 2008-2010 John Smith",
- "licenseConcluded": "Apache-2.0",
- "licenseInfoFromSnippet": [
- "Apache-2.0"
- ],
- "licenseComments": "The concluded license was taken from package xyz, from which the snippet was copied into the current file. The concluded license information was found in the COPYING.txt file in package xyz.",
- "SPDXID": "SPDXRef-Snippet",
- "fileId": "SPDXRef-DoapSource"
- }
+ "comment": "This is a sample spreadsheet",
+ "name": "Sample_Document-V2.1",
+ "documentDescribes": [
+ "SPDXRef-Package"
+ ],
+ "packages": [
+ {
+ "SPDXID": "SPDXRef-Package",
+ "originator": "Organization: SPDX",
+ "hasFiles": [
+ "SPDXRef-File1",
+ "SPDXRef-File2"
+ ],
+ "licenseInfoFromFiles": [
+ "Apache-1.0",
+ "LicenseRef-3",
+ "MPL-1.1",
+ "LicenseRef-2",
+ "LicenseRef-4",
+ "Apache-2.0",
+ "LicenseRef-1"
+ ],
+ "name": "SPDX Translator",
+ "packageFileName": "spdxtranslator-1.0.zip",
+ "licenseComments": "The declared license information can be found in the NOTICE file at the root of the archive file",
+ "summary": "SPDX Translator utility",
+ "sourceInfo": "Version 1.0 of the SPDX Translator application",
+ "copyrightText": " Copyright 2010, 2011 Source Auditor Inc.",
+ "packageVerificationCode": {
+ "packageVerificationCodeValue": "4e3211c67a2d28fced849ee1bb76e7391b93feba",
+ "packageVerificationCodeExcludedFiles": [
+ "SpdxTranslatorSpdx.rdf",
+ "SpdxTranslatorSpdx.txt"
]
+ },
+ "licenseConcluded": "(Apache-1.0 AND LicenseRef-2 AND MPL-1.1 AND LicenseRef-3 AND LicenseRef-4 AND Apache-2.0 AND LicenseRef-1)",
+ "supplier": "Organization: Linux Foundation",
+ "attributionTexts": [
+ "The GNU C Library is free software. See the file COPYING.LIB for copying conditions, and LICENSES for notices about a few contributions that require these additional notices to be distributed. License copyright years may be listed using range notation, e.g., 1996-2015, indicating that every year in the range, inclusive, is a copyrightable year that would otherwise be listed individually."
+ ],
+ "checksums": [
+ {
+ "checksumValue": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12",
+ "algorithm": "SHA1"
+ }
+ ],
+ "versionInfo": "Version 0.9.2",
+ "licenseDeclared": "(LicenseRef-4 AND LicenseRef-3 AND Apache-2.0 AND LicenseRef-2 AND MPL-1.1 AND LicenseRef-1)",
+ "downloadLocation": "http://www.spdx.org/tools",
+ "description": "This utility translates and SPDX RDF XML document to a spreadsheet, translates a spreadsheet to an SPDX RDF XML document and translates an SPDX RDFa document to an SPDX RDF XML document."
}
+ ],
+ "files": [
+ {
+ "comment": "This file belongs to Jena",
+ "licenseInfoInFiles": [
+ "LicenseRef-1"
+ ],
+ "fileName": "Jenna-2.6.3/jena-2.6.3-sources.jar",
+ "copyrightText": "(c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP",
+ "artifactOf": [
+ {
+ "name": "Jena",
+ "homePage": "http://www.openjena.org/",
+ "projectUri": "http://subversion.apache.org/doap.rdf"
+ }
+ ],
+ "licenseConcluded": "LicenseRef-1",
+ "licenseComments": "This license is used by Jena",
+ "checksums": [
+ {
+ "checksumValue": "3ab4e1c67a2d28fced849ee1bb76e7391b93f125",
+ "algorithm": "SHA1"
+ }
+ ],
+ "fileTypes": [
+ "fileType_archive"
+ ],
+ "SPDXID": "SPDXRef-File1"
+ },
+ {
+ "licenseInfoInFiles": [
+ "Apache-2.0"
+ ],
+ "fileName": "src/org/spdx/parser/DOAPProject.java",
+ "copyrightText": "Copyright 2010, 2011 Source Auditor Inc.",
+ "licenseConcluded": "Apache-2.0",
+ "checksums": [
+ {
+ "checksumValue": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12",
+ "algorithm": "SHA1"
+ }
+ ],
+ "fileTypes": [
+ "fileType_source"
+ ],
+ "SPDXID": "SPDXRef-File2"
+ }
+ ],
+ "creationInfo": {
+ "comment": "This is an example of an SPDX spreadsheet format",
+ "creators": [
+ "Tool: SourceAuditor-V1.2",
+ "Person: Gary O'Neall",
+ "Organization: Source Auditor Inc."
+ ],
+ "licenseListVersion": "3.6",
+ "created": "2010-02-03T00:00:00Z"
+ },
+ "externalDocumentRefs": [
+ {
+ "checksum": {
+ "checksumValue": "d6a770ba38583ed4bb4525bd96e50461655d2759",
+ "algorithm": "SHA1"
+ },
+ "spdxDocument": "https://spdx.org/spdxdocs/spdx-tools-v2.1-3F2504E0-4F89-41D3-9A0C-0305E82C3301",
+ "externalDocumentId": "DocumentRef-spdx-tool-2.1"
+ }
+ ],
+ "documentNamespace": "https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301",
+ "annotations": [
+ {
+ "comment": "This is just an example. Some of the non-standard licenses look like they are actually BSD 3 clause licenses",
+ "annotationType": "REVIEW",
+ "SPDXID": "SPDXRef-45",
+ "annotationDate": "2012-06-13T00:00:00Z",
+ "annotator": "Person: Jim Reviewer"
+ }
+ ],
+ "dataLicense": "CC0-1.0",
+ "reviewers": [
+ {
+ "comment": "This is just an example. Some of the non-standard licenses look like they are actually BSD 3 clause licenses",
+ "reviewer": "Person: Joe Reviewer",
+ "reviewDate": "2010-02-10T00:00:00Z"
+ },
+ {
+ "comment": "Another example reviewer.",
+ "reviewer": "Person: Suzanne Reviewer",
+ "reviewDate": "2011-03-13T00:00:00Z"
+ }
+ ],
+ "hasExtractedLicensingInfos": [
+ {
+ "extractedText": "This package includes the GRDDL parser developed by Hewlett Packard under the following license:\n\u00a9 Copyright 2007 Hewlett-Packard Development Company, LP\n\nRedistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:\n\nRedistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.\nRedistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.\nThe name of the author may not be used to endorse or promote products derived from this software without specific prior written permission.\nTHIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ",
+ "licenseId": "LicenseRef-2"
+ },
+ {
+ "extractedText": "The CyberNeko Software License, Version 1.0\n\n\n(C) Copyright 2002-2005, Andy Clark. All rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions\nare met:\n\n1. Redistributions of source code must retain the above copyright\n notice, this list of conditions and the following disclaimer.\n\n2. Redistributions in binary form must reproduce the above copyright\n notice, this list of conditions and the following disclaimer in\n the documentation and/or other materials provided with the\n distribution.\n\n3. The end-user documentation included with the redistribution,\n if any, must include the following acknowledgment:\n \"This product includes software developed by Andy Clark.\"\n Alternately, this acknowledgment may appear in the software itself,\n if and wherever such third-party acknowledgments normally appear.\n\n4. The names \"CyberNeko\" and \"NekoHTML\" must not be used to endorse\n or promote products derived from this software without prior\n written permission. For written permission, please contact\n andyc@cyberneko.net.\n\n5. Products derived from this software may not be called \"CyberNeko\",\n nor may \"CyberNeko\" appear in their name, without prior written\n permission of the author.\n\nTHIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED\nWARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\nOF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR OTHER CONTRIBUTORS\nBE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\nOR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\nOF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\nBUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\nWHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\nOR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,\nEVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.",
+ "comment": "This is tye CyperNeko License",
+ "licenseId": "LicenseRef-3",
+ "name": "CyberNeko License",
+ "seeAlso": [
+ "http://justasample.url.com",
+ "http://people.apache.org/~andyc/neko/LICENSE"
+ ]
+ },
+ {
+ "extractedText": "/*\n * (c) Copyright 2009 University of Bristol\n * All rights reserved.\n *\n * Redistribution and use in source and binary forms, with or without\n * modification, are permitted provided that the following conditions\n * are met:\n * 1. Redistributions of source code must retain the above copyright\n * notice, this list of conditions and the following disclaimer.\n * 2. Redistributions in binary form must reproduce the above copyright\n * notice, this list of conditions and the following disclaimer in the\n * documentation and/or other materials provided with the distribution.\n * 3. The name of the author may not be used to endorse or promote products\n * derived from this software without specific prior written permission.\n *\n * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR\n * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\n * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.\n * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,\n * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT\n * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\n * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\n * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF\n * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n */ ",
+ "licenseId": "LicenseRef-4"
+ },
+ {
+ "extractedText": "/*\n * (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP\n * All rights reserved.\n *\n * Redistribution and use in source and binary forms, with or without\n * modification, are permitted provided that the following conditions\n * are met:\n * 1. Redistributions of source code must retain the above copyright\n * notice, this list of conditions and the following disclaimer.\n * 2. Redistributions in binary form must reproduce the above copyright\n * notice, this list of conditions and the following disclaimer in the\n * documentation and/or other materials provided with the distribution.\n * 3. The name of the author may not be used to endorse or promote products\n * derived from this software without specific prior written permission.\n *\n * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR\n * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\n * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.\n * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,\n * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT\n * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\n * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\n * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF\n * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n */",
+ "licenseId": "LicenseRef-1"
+ }
+ ],
+ "spdxVersion": "SPDX-2.1",
+ "SPDXID": "SPDXRef-DOCUMENT",
+ "snippets": [
+ {
+ "comment": "This snippet was identified as significant and highlighted in this Apache-2.0 file, when a commercial scanner identified it as being derived from file foo.c in package xyz which is licensed under GPL-2.0-or-later.",
+ "name": "from linux kernel",
+ "copyrightText": "Copyright 2008-2010 John Smith",
+ "licenseConcluded": "Apache-2.0",
+ "licenseInfoFromSnippet": [
+ "Apache-2.0"
+ ],
+ "licenseComments": "The concluded license was taken from package xyz, from which the snippet was copied into the current file. The concluded license information was found in the COPYING.txt file in package xyz.",
+ "SPDXID": "SPDXRef-Snippet",
+ "fileId": "SPDXRef-DoapSource"
+ }
+ ]
}
\ No newline at end of file
diff --git a/tests/data/formats/SPDXJsonExample2.2.json b/tests/data/formats/SPDXJsonExample2.2.json
new file mode 100644
index 000000000..2b8661f3c
--- /dev/null
+++ b/tests/data/formats/SPDXJsonExample2.2.json
@@ -0,0 +1,284 @@
+{
+ "SPDXID" : "SPDXRef-DOCUMENT",
+ "spdxVersion" : "SPDX-2.2",
+ "creationInfo" : {
+ "comment" : "This package has been shipped in source and binary form.\nThe binaries were created with gcc 4.5.1 and expect to link to\ncompatible system run time libraries.",
+ "created" : "2010-01-29T18:30:22Z",
+ "creators" : [ "Tool: LicenseFind-1.0", "Organization: ExampleCodeInspect ()", "Person: Jane Doe ()" ],
+ "licenseListVersion" : "3.9"
+ },
+ "name" : "SPDX-Tools-v2.0",
+ "dataLicense" : "CC0-1.0",
+ "comment" : "This document was created using SPDX 2.0 using licenses from the web site.",
+ "externalDocumentRefs" : [ {
+ "externalDocumentId" : "DocumentRef-spdx-tool-1.2",
+ "checksum" : {
+ "algorithm" : "SHA1",
+ "checksumValue" : "d6a770ba38583ed4bb4525bd96e50461655d2759"
+ },
+ "spdxDocument" : "http://spdx.org/spdxdocs/spdx-tools-v1.2-3F2504E0-4F89-41D3-9A0C-0305E82C3301"
+ } ],
+ "hasExtractedLicensingInfos" : [ {
+ "licenseId" : "LicenseRef-1",
+ "extractedText" : "/*\n * (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP\n * All rights reserved.\n *\n * Redistribution and use in source and binary forms, with or without\n * modification, are permitted provided that the following conditions\n * are met:\n * 1. Redistributions of source code must retain the above copyright\n * notice, this list of conditions and the following disclaimer.\n * 2. Redistributions in binary form must reproduce the above copyright\n * notice, this list of conditions and the following disclaimer in the\n * documentation and/or other materials provided with the distribution.\n * 3. The name of the author may not be used to endorse or promote products\n * derived from this software without specific prior written permission.\n *\n * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR\n * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\n * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.\n * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,\n * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT\n * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\n * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\n * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF\n * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n*/"
+ }, {
+ "licenseId" : "LicenseRef-2",
+ "extractedText" : "This package includes the GRDDL parser developed by Hewlett Packard under the following license:\n� Copyright 2007 Hewlett-Packard Development Company, LP\n\nRedistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: \n\nRedistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. \nRedistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. \nThe name of the author may not be used to endorse or promote products derived from this software without specific prior written permission. \nTHIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE."
+ }, {
+ "licenseId" : "LicenseRef-4",
+ "extractedText" : "/*\n * (c) Copyright 2009 University of Bristol\n * All rights reserved.\n *\n * Redistribution and use in source and binary forms, with or without\n * modification, are permitted provided that the following conditions\n * are met:\n * 1. Redistributions of source code must retain the above copyright\n * notice, this list of conditions and the following disclaimer.\n * 2. Redistributions in binary form must reproduce the above copyright\n * notice, this list of conditions and the following disclaimer in the\n * documentation and/or other materials provided with the distribution.\n * 3. The name of the author may not be used to endorse or promote products\n * derived from this software without specific prior written permission.\n *\n * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR\n * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\n * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.\n * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,\n * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT\n * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\n * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\n * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF\n * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n*/"
+ }, {
+ "licenseId" : "LicenseRef-Beerware-4.2",
+ "comment" : "The beerware license has a couple of other standard variants.",
+ "extractedText" : "\"THE BEER-WARE LICENSE\" (Revision 42):\nphk@FreeBSD.ORG wrote this file. As long as you retain this notice you\ncan do whatever you want with this stuff. If we meet some day, and you think this stuff is worth it, you can buy me a beer in return Poul-Henning Kamp",
+ "name" : "Beer-Ware License (Version 42)",
+ "seeAlsos" : [ "http://people.freebsd.org/~phk/" ]
+ }, {
+ "licenseId" : "LicenseRef-3",
+ "comment" : "This is tye CyperNeko License",
+ "extractedText" : "The CyberNeko Software License, Version 1.0\n\n \n(C) Copyright 2002-2005, Andy Clark. All rights reserved.\n \nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions\nare met:\n\n1. Redistributions of source code must retain the above copyright\n notice, this list of conditions and the following disclaimer. \n\n2. Redistributions in binary form must reproduce the above copyright\n notice, this list of conditions and the following disclaimer in\n the documentation and/or other materials provided with the\n distribution.\n\n3. The end-user documentation included with the redistribution,\n if any, must include the following acknowledgment: \n \"This product includes software developed by Andy Clark.\"\n Alternately, this acknowledgment may appear in the software itself,\n if and wherever such third-party acknowledgments normally appear.\n\n4. The names \"CyberNeko\" and \"NekoHTML\" must not be used to endorse\n or promote products derived from this software without prior \n written permission. For written permission, please contact \n andyc@cyberneko.net.\n\n5. Products derived from this software may not be called \"CyberNeko\",\n nor may \"CyberNeko\" appear in their name, without prior written\n permission of the author.\n\nTHIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED\nWARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\nOF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR OTHER CONTRIBUTORS\nBE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, \nOR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT \nOF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR \nBUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, \nWHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE \nOR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, \nEVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.",
+ "name" : "CyberNeko License",
+ "seeAlsos" : [ "http://people.apache.org/~andyc/neko/LICENSE", "http://justasample.url.com" ]
+ } ],
+ "annotations" : [ {
+ "annotationDate" : "2010-01-29T18:30:22Z",
+ "annotationType" : "OTHER",
+ "annotator" : "Person: Jane Doe ()",
+ "comment" : "Document level annotation"
+ }, {
+ "annotationDate" : "2010-02-10T00:00:00Z",
+ "annotationType" : "REVIEW",
+ "annotator" : "Person: Joe Reviewer",
+ "comment" : "This is just an example. Some of the non-standard licenses look like they are actually BSD 3 clause licenses"
+ }, {
+ "annotationDate" : "2011-03-13T00:00:00Z",
+ "annotationType" : "REVIEW",
+ "annotator" : "Person: Suzanne Reviewer",
+ "comment" : "Another example reviewer."
+ } ],
+ "documentNamespace" : "http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301",
+ "documentDescribes" : [ "SPDXRef-File", "SPDXRef-Package" ],
+ "packages" : [ {
+ "SPDXID" : "SPDXRef-Package",
+ "annotations" : [ {
+ "annotationDate" : "2011-01-29T18:30:22Z",
+ "annotationType" : "OTHER",
+ "annotator" : "Person: Package Commenter",
+ "comment" : "Package level annotation"
+ } ],
+ "attributionTexts" : [ "The GNU C Library is free software. See the file COPYING.LIB for copying conditions, and LICENSES for notices about a few contributions that require these additional notices to be distributed. License copyright years may be listed using range notation, e.g., 1996-2015, indicating that every year in the range, inclusive, is a copyrightable year that would otherwise be listed individually." ],
+ "checksums" : [ {
+ "algorithm" : "MD5",
+ "checksumValue" : "624c1abb3664f4b35547e7c73864ad24"
+ }, {
+ "algorithm" : "SHA1",
+ "checksumValue" : "85ed0817af83a24ad8da68c2b5094de69833983c"
+ }, {
+ "algorithm" : "SHA256",
+ "checksumValue" : "11b6d3ee554eedf79299905a98f9b9a04e498210b59f15094c916c91d150efcd"
+ } ],
+ "copyrightText" : "Copyright 2008-2010 John Smith",
+ "description" : "The GNU C Library defines functions that are specified by the ISO C standard, as well as additional features specific to POSIX and other derivatives of the Unix operating system, and extensions specific to GNU systems.",
+ "downloadLocation" : "http://ftp.gnu.org/gnu/glibc/glibc-ports-2.15.tar.gz",
+ "externalRefs" : [ {
+ "referenceCategory" : "SECURITY",
+ "referenceLocator" : "cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:*",
+ "referenceType" : "cpe23Type"
+ }, {
+ "comment" : "This is the external ref for Acme",
+ "referenceCategory" : "OTHER",
+ "referenceLocator" : "acmecorp/acmenator/4.1.3-alpha",
+ "referenceType" : "http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301#LocationRef-acmeforge"
+ } ],
+ "filesAnalyzed" : true,
+ "hasFiles" : [ "SPDXRef-CommonsLangSrc", "SPDXRef-JenaLib", "SPDXRef-DoapSource" ],
+ "homepage" : "http://ftp.gnu.org/gnu/glibc",
+ "licenseComments" : "The license for this project changed with the release of version x.y. The version of the project included here post-dates the license change.",
+ "licenseConcluded" : "(LGPL-2.0-only OR LicenseRef-3)",
+ "licenseDeclared" : "(LGPL-2.0-only AND LicenseRef-3)",
+ "licenseInfoFromFiles" : [ "GPL-2.0-only", "LicenseRef-2", "LicenseRef-1" ],
+ "name" : "glibc",
+ "originator" : "Organization: ExampleCodeInspect (contact@example.com)",
+ "packageFileName" : "glibc-2.11.1.tar.gz",
+ "packageVerificationCode" : {
+ "packageVerificationCodeExcludedFiles" : [ "./package.spdx" ],
+ "packageVerificationCodeValue" : "d6a770ba38583ed4bb4525bd96e50461655d2758"
+ },
+ "sourceInfo" : "uses glibc-2_11-branch from git://sourceware.org/git/glibc.git.",
+ "summary" : "GNU C library.",
+ "supplier" : "Person: Jane Doe (jane.doe@example.com)",
+ "versionInfo" : "2.11.1"
+ }, {
+ "SPDXID" : "SPDXRef-fromDoap-1",
+ "copyrightText" : "NOASSERTION",
+ "downloadLocation" : "NOASSERTION",
+ "filesAnalyzed" : false,
+ "homepage" : "http://commons.apache.org/proper/commons-lang/",
+ "licenseConcluded" : "NOASSERTION",
+ "licenseDeclared" : "NOASSERTION",
+ "name" : "Apache Commons Lang"
+ }, {
+ "SPDXID" : "SPDXRef-fromDoap-0",
+ "copyrightText" : "NOASSERTION",
+ "downloadLocation" : "https://search.maven.org/remotecontent?filepath=org/apache/jena/apache-jena/3.12.0/apache-jena-3.12.0.tar.gz",
+ "externalRefs" : [ {
+ "referenceCategory" : "PACKAGE_MANAGER",
+ "referenceLocator" : "pkg:maven/org.apache.jena/apache-jena@3.12.0",
+ "referenceType" : "purl"
+ } ],
+ "filesAnalyzed" : false,
+ "homepage" : "http://www.openjena.org/",
+ "licenseConcluded" : "NOASSERTION",
+ "licenseDeclared" : "NOASSERTION",
+ "name" : "Jena",
+ "versionInfo" : "3.12.0"
+ }, {
+ "SPDXID" : "SPDXRef-Saxon",
+ "checksums" : [ {
+ "algorithm" : "SHA1",
+ "checksumValue" : "85ed0817af83a24ad8da68c2b5094de69833983c"
+ } ],
+ "copyrightText" : "Copyright Saxonica Ltd",
+ "description" : "The Saxon package is a collection of tools for processing XML documents.",
+ "downloadLocation" : "https://sourceforge.net/projects/saxon/files/Saxon-B/8.8.0.7/saxonb8-8-0-7j.zip/download",
+ "filesAnalyzed" : false,
+ "homepage" : "http://saxon.sourceforge.net/",
+ "licenseComments" : "Other versions available for a commercial license",
+ "licenseConcluded" : "MPL-1.0",
+ "licenseDeclared" : "MPL-1.0",
+ "name" : "Saxon",
+ "packageFileName" : "saxonB-8.8.zip",
+ "versionInfo" : "8.8"
+ } ],
+ "files" : [ {
+ "SPDXID" : "SPDXRef-DoapSource",
+ "checksums" : [ {
+ "algorithm" : "SHA1",
+ "checksumValue" : "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12"
+ } ],
+ "copyrightText" : "Copyright 2010, 2011 Source Auditor Inc.",
+ "fileContributors" : [ "Protecode Inc.", "SPDX Technical Team Members", "Open Logic Inc.", "Source Auditor Inc.", "Black Duck Software In.c" ],
+ "fileName" : "./src/org/spdx/parser/DOAPProject.java",
+ "fileTypes" : [ "SOURCE" ],
+ "licenseConcluded" : "Apache-2.0",
+ "licenseInfoInFiles" : [ "Apache-2.0" ]
+ }, {
+ "SPDXID" : "SPDXRef-CommonsLangSrc",
+ "checksums" : [ {
+ "algorithm" : "SHA1",
+ "checksumValue" : "c2b4e1c67a2d28fced849ee1bb76e7391b93f125"
+ } ],
+ "comment" : "This file is used by Jena",
+ "copyrightText" : "Copyright 2001-2011 The Apache Software Foundation",
+ "fileContributors" : [ "Apache Software Foundation" ],
+ "fileName" : "./lib-source/commons-lang3-3.1-sources.jar",
+ "fileTypes" : [ "ARCHIVE" ],
+ "licenseConcluded" : "Apache-2.0",
+ "licenseInfoInFiles" : [ "Apache-2.0" ],
+ "noticeText" : "Apache Commons Lang\nCopyright 2001-2011 The Apache Software Foundation\n\nThis product includes software developed by\nThe Apache Software Foundation (http://www.apache.org/).\n\nThis product includes software from the Spring Framework,\nunder the Apache License 2.0 (see: StringUtils.containsWhitespace())"
+ }, {
+ "SPDXID" : "SPDXRef-JenaLib",
+ "checksums" : [ {
+ "algorithm" : "SHA1",
+ "checksumValue" : "3ab4e1c67a2d28fced849ee1bb76e7391b93f125"
+ } ],
+ "comment" : "This file belongs to Jena",
+ "copyrightText" : "(c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP",
+ "fileContributors" : [ "Apache Software Foundation", "Hewlett Packard Inc." ],
+ "fileName" : "./lib-source/jena-2.6.3-sources.jar",
+ "fileTypes" : [ "ARCHIVE" ],
+ "licenseComments" : "This license is used by Jena",
+ "licenseConcluded" : "LicenseRef-1",
+ "licenseInfoInFiles" : [ "LicenseRef-1" ]
+ }, {
+ "SPDXID" : "SPDXRef-File",
+ "annotations" : [ {
+ "annotationDate" : "2011-01-29T18:30:22Z",
+ "annotationType" : "OTHER",
+ "annotator" : "Person: File Commenter",
+ "comment" : "File level annotation"
+ } ],
+ "checksums" : [ {
+ "algorithm" : "SHA1",
+ "checksumValue" : "d6a770ba38583ed4bb4525bd96e50461655d2758"
+ }, {
+ "algorithm" : "MD5",
+ "checksumValue" : "624c1abb3664f4b35547e7c73864ad24"
+ } ],
+ "comment" : "The concluded license was taken from the package level that the file was included in.\nThis information was found in the COPYING.txt file in the xyz directory.",
+ "copyrightText" : "Copyright 2008-2010 John Smith",
+ "fileContributors" : [ "The Regents of the University of California", "Modified by Paul Mundt lethal@linux-sh.org", "IBM Corporation" ],
+ "fileName" : "./package/foo.c",
+ "fileTypes" : [ "SOURCE" ],
+ "licenseComments" : "The concluded license was taken from the package level that the file was included in.",
+ "licenseConcluded" : "(LGPL-2.0-only OR LicenseRef-2)",
+ "licenseInfoInFiles" : [ "GPL-2.0-only", "LicenseRef-2" ],
+ "noticeText" : "Copyright (c) 2001 Aaron Lehmann aaroni@vitelus.com\n\nPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the �Software�), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: \nThe above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED �AS IS', WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE."
+ } ],
+ "snippets" : [ {
+ "SPDXID" : "SPDXRef-Snippet",
+ "comment" : "This snippet was identified as significant and highlighted in this Apache-2.0 file, when a commercial scanner identified it as being derived from file foo.c in package xyz which is licensed under GPL-2.0.",
+ "copyrightText" : "Copyright 2008-2010 John Smith",
+ "licenseComments" : "The concluded license was taken from package xyz, from which the snippet was copied into the current file. The concluded license information was found in the COPYING.txt file in package xyz.",
+ "licenseConcluded" : "GPL-2.0-only",
+ "licenseInfoInSnippets" : [ "GPL-2.0-only" ],
+ "name" : "from linux kernel",
+ "ranges" : [ {
+ "endPointer" : {
+ "offset" : 420,
+ "reference" : "SPDXRef-DoapSource"
+ },
+ "startPointer" : {
+ "offset" : 310,
+ "reference" : "SPDXRef-DoapSource"
+ }
+ }, {
+ "endPointer" : {
+ "lineNumber" : 23,
+ "reference" : "SPDXRef-DoapSource"
+ },
+ "startPointer" : {
+ "lineNumber" : 5,
+ "reference" : "SPDXRef-DoapSource"
+ }
+ } ],
+ "snippetFromFile" : "SPDXRef-DoapSource"
+ } ],
+ "relationships" : [ {
+ "spdxElementId" : "SPDXRef-DOCUMENT",
+ "relatedSpdxElement" : "SPDXRef-Package",
+ "relationshipType" : "CONTAINS"
+ }, {
+ "spdxElementId" : "SPDXRef-DOCUMENT",
+ "relatedSpdxElement" : "DocumentRef-spdx-tool-1.2:SPDXRef-ToolsElement",
+ "relationshipType" : "COPY_OF"
+ }, {
+ "spdxElementId" : "SPDXRef-DOCUMENT",
+ "relatedSpdxElement" : "SPDXRef-File",
+ "relationshipType" : "DESCRIBES"
+ }, {
+ "spdxElementId" : "SPDXRef-DOCUMENT",
+ "relatedSpdxElement" : "SPDXRef-Package",
+ "relationshipType" : "DESCRIBES"
+ }, {
+ "spdxElementId" : "SPDXRef-Package",
+ "relatedSpdxElement" : "SPDXRef-JenaLib",
+ "relationshipType" : "CONTAINS"
+ }, {
+ "spdxElementId" : "SPDXRef-Package",
+ "relatedSpdxElement" : "SPDXRef-Saxon",
+ "relationshipType" : "DYNAMIC_LINK"
+ }, {
+ "spdxElementId" : "SPDXRef-CommonsLangSrc",
+ "relatedSpdxElement" : "NOASSERTION",
+ "relationshipType" : "GENERATED_FROM"
+ }, {
+ "spdxElementId" : "SPDXRef-JenaLib",
+ "relatedSpdxElement" : "SPDXRef-Package",
+ "relationshipType" : "CONTAINS"
+ }, {
+ "spdxElementId" : "SPDXRef-File",
+ "relatedSpdxElement" : "SPDXRef-fromDoap-0",
+ "relationshipType" : "GENERATED_FROM"
+ } ]
+}
\ No newline at end of file
diff --git a/tests/data/formats/SPDXXmlExample.xml b/tests/data/formats/SPDXXmlExample.xml
index 1c557b281..fceac1a76 100644
--- a/tests/data/formats/SPDXXmlExample.xml
+++ b/tests/data/formats/SPDXXmlExample.xml
@@ -1,83 +1,43 @@
-
This is a sample spreadsheet
Sample_Document-V2.1
-
-
- SPDXRef-Package
- Organization: SPDX
- The GNU C Library is free software. See the file COPYING.LIB for copying conditions, and LICENSES for notices about a few contributions that require these additional notices to be distributed. License copyright years may be listed using range notation, e.g., 1996-2015, indicating that every year in the range, inclusive, is a copyrightable year that would otherwise be listed individually.
- true
-
-
- Apache-2.0
- 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
- src/org/spdx/parser/DOAPProject.java
- Copyright 2010, 2011 Source Auditor Inc.
- Apache-2.0
-
-
- 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
- checksumAlgorithm_sha1
-
- fileType_source
- SPDXRef-File2
-
-
-
-
- This file belongs to Jena
- LicenseRef-1
- 3ab4e1c67a2d28fced849ee1bb76e7391b93f125
- Jenna-2.6.3/jena-2.6.3-sources.jar
- (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP
-
- Jena
- http://www.openjena.org/
- http://subversion.apache.org/doap.rdf
-
- LicenseRef-1
- This license is used by Jena
-
- 3ab4e1c67a2d28fced849ee1bb76e7391b93f125
- checksumAlgorithm_sha1
-
- fileType_archive
- SPDXRef-File1
-
-
- LicenseRef-3
- LicenseRef-1
- Apache-1.0
- LicenseRef-4
- Apache-2.0
- LicenseRef-2
- MPL-1.1
- 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
- SPDX Translator
- spdxtranslator-1.0.zip
- The declared license information can be found in the NOTICE file at the root of the archive file
- SPDX Translator utility
- Version 1.0 of the SPDX Translator application
- Copyright 2010, 2011 Source Auditor Inc.
-
- 4e3211c67a2d28fced849ee1bb76e7391b93feba
- SpdxTranslatorSpdx.rdf
- SpdxTranslatorSpdx.txt
-
- (LicenseRef-1 AND MPL-1.1 AND LicenseRef-2 AND LicenseRef-3 AND Apache-2.0 AND LicenseRef-4 AND Apache-1.0)
- Organization: Linux Foundation
-
- 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
- checksumAlgorithm_sha1
-
- Version 0.9.2
- (LicenseRef-3 AND LicenseRef-2 AND Apache-2.0 AND MPL-1.1 AND LicenseRef-1 AND LicenseRef-4)
- http://www.spdx.org/tools
- This utility translates and SPDX RDF XML document to a spreadsheet, translates a spreadsheet to an SPDX RDF XML document and translates an SPDX RDFa document to an SPDX RDF XML document.
-
-
+ SPDXRef-Package
+
+ SPDXRef-Package
+ Organization: SPDX
+ The GNU C Library is free software. See the file COPYING.LIB for copying conditions, and LICENSES for notices about a few contributions that require these additional notices to be distributed. License copyright years may be listed using range notation, e.g., 1996-2015, indicating that every year in the range, inclusive, is a copyrightable year that would otherwise be listed individually.
+ LicenseRef-3
+ LicenseRef-1
+ Apache-1.0
+ LicenseRef-4
+ Apache-2.0
+ LicenseRef-2
+ MPL-1.1
+ SPDX Translator
+ SPDXRef-File1
+ SPDXRef-File2
+ spdxtranslator-1.0.zip
+ The declared license information can be found in the NOTICE file at the root of the archive file
+ SPDX Translator utility
+ Version 1.0 of the SPDX Translator application
+ Copyright 2010, 2011 Source Auditor Inc.
+
+ 4e3211c67a2d28fced849ee1bb76e7391b93feba
+ SpdxTranslatorSpdx.rdf
+ SpdxTranslatorSpdx.txt
+
+ (LicenseRef-1 AND MPL-1.1 AND LicenseRef-2 AND LicenseRef-3 AND Apache-2.0 AND LicenseRef-4 AND Apache-1.0)
+ Organization: Linux Foundation
+
+ 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
+ checksumAlgorithm_sha1
+
+ Version 0.9.2
+ (LicenseRef-3 AND LicenseRef-2 AND Apache-2.0 AND MPL-1.1 AND LicenseRef-1 AND LicenseRef-4)
+ http://www.spdx.org/tools
+ This utility translates and SPDX RDF XML document to a spreadsheet, translates a spreadsheet to an SPDX RDF XML document and translates an SPDX RDFa document to an SPDX RDF XML document.
+
This is an example of an SPDX spreadsheet format
Tool: SourceAuditor-V1.2
@@ -102,7 +62,7 @@
2012-06-13T00:00:00Z
Person: Jim Reviewer
- CC0-1.0
+ CC0-1.0
This is just an example. Some of the non-standard licenses look like they are actually BSD 3 clause licenses
Person: Joe Reviewer
@@ -146,26 +106,26 @@
This package includes the GRDDL parser developed by Hewlett Packard under the following license:
© Copyright 2007 Hewlett-Packard Development Company, LP
-Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
-Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
-Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
-The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission.
+Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
LicenseRef-2
The CyberNeko Software License, Version 1.0
-
+
(C) Copyright 2002-2005, Andy Clark. All rights reserved.
-
+
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
+ notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in
@@ -173,14 +133,14 @@ are met:
distribution.
3. The end-user documentation included with the redistribution,
- if any, must include the following acknowledgment:
+ if any, must include the following acknowledgment:
"This product includes software developed by Andy Clark."
Alternately, this acknowledgment may appear in the software itself,
if and wherever such third-party acknowledgments normally appear.
4. The names "CyberNeko" and "NekoHTML" must not be used to endorse
- or promote products derived from this software without prior
- written permission. For written permission, please contact
+ or promote products derived from this software without prior
+ written permission. For written permission, please contact
andyc@cyberneko.net.
5. Products derived from this software may not be called "CyberNeko",
@@ -191,12 +151,12 @@ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR OTHER CONTRIBUTORS
-BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
-OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
+OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This is tye CyperNeko License
LicenseRef-3
@@ -235,6 +195,38 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
SPDX-2.1
SPDXRef-DOCUMENT
+
+ Apache-2.0
+ src/org/spdx/parser/DOAPProject.java
+ Copyright 2010, 2011 Source Auditor Inc.
+ Apache-2.0
+
+
+ 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
+ checksumAlgorithm_sha1
+
+ fileType_source
+ SPDXRef-File2
+
+
+ This file belongs to Jena
+ LicenseRef-1
+ Jenna-2.6.3/jena-2.6.3-sources.jar
+ (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP
+
+ Jena
+ http://www.openjena.org/
+ http://subversion.apache.org/doap.rdf
+
+ LicenseRef-1
+ This license is used by Jena
+
+ 3ab4e1c67a2d28fced849ee1bb76e7391b93f125
+ checksumAlgorithm_sha1
+
+ fileType_archive
+ SPDXRef-File1
+
This snippet was identified as significant and highlighted in this Apache-2.0 file, when a commercial scanner identified it as being derived from file foo.c in package xyz which is licensed under GPL-2.0-or-later.
from linux kernel
@@ -244,21 +236,5 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The concluded license was taken from package xyz, from which the snippet was copied into the current file. The concluded license information was found in the COPYING.txt file in package xyz.
SPDXRef-Snippet
SPDXRef-DoapSource
-
-
- SPDXRef-DOCUMENT
- SPDXRef-File
- DESCRIBES
-
-
- SPDXRef-DOCUMENT
- SPDXRef-Package
- DESCRIBES
-
-
- SPDXRef-DOCUMENT
- SPDXRef-Package
- CONTAINS
-
+
-
\ No newline at end of file
diff --git a/tests/data/formats/SPDXYamlExample.yaml b/tests/data/formats/SPDXYamlExample.yaml
index e8a42c8de..1aa3e5716 100644
--- a/tests/data/formats/SPDXYamlExample.yaml
+++ b/tests/data/formats/SPDXYamlExample.yaml
@@ -1,73 +1,39 @@
----
Document:
annotations:
- - annotationDate: '2012-06-13T00:00:00Z'
- annotationType: REVIEW
- annotator: 'Person: Jim Reviewer'
- comment: This is just an example. Some of the non-standard licenses look like
- they are actually BSD 3 clause licenses
- SPDXID: SPDXRef-45
+ - annotationDate: '2012-06-13T00:00:00Z'
+ annotationType: REVIEW
+ annotator: 'Person: Jim Reviewer'
+ comment: This is just an example. Some of the non-standard licenses look like
+ they are actually BSD 3 clause licenses
+ SPDXID: SPDXRef-45
comment: This is a sample spreadsheet
creationInfo:
comment: This is an example of an SPDX spreadsheet format
created: '2010-02-03T00:00:00Z'
creators:
- - 'Tool: SourceAuditor-V1.2'
- - 'Organization: Source Auditor Inc.'
- - 'Person: Gary O''Neall'
+ - 'Tool: SourceAuditor-V1.2'
+ - 'Organization: Source Auditor Inc.'
+ - 'Person: Gary O''Neall'
licenseListVersion: '3.6'
dataLicense: CC0-1.0
documentDescribes:
- - Package:
- SPDXID: SPDXRef-Package
+ - SPDXRef-Package
+ packages:
+ - SPDXID: SPDXRef-Package
checksums:
- - algorithm: checksumAlgorithm_sha1
- checksumValue: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
+ - algorithm: checksumAlgorithm_sha1
+ checksumValue: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
copyrightText: ' Copyright 2010, 2011 Source Auditor Inc.'
description: This utility translates and SPDX RDF XML document to a spreadsheet,
translates a spreadsheet to an SPDX RDF XML document and translates an SPDX
RDFa document to an SPDX RDF XML document.
downloadLocation: http://www.spdx.org/tools
attributionTexts:
- - "The GNU C Library is free software. See the file COPYING.LIB for copying conditions,\
+ - "The GNU C Library is free software. See the file COPYING.LIB for copying conditions,\
\ and LICENSES for notices about a few contributions that require these additional\
\ notices to be distributed. License copyright years may be listed using range\
\ notation, e.g., 1996-2015, indicating that every year in the range, inclusive,\
\ is a copyrightable year that would otherwise be listed individually."
- files:
- - File:
- checksums:
- - algorithm: checksumAlgorithm_sha1
- checksumValue: 3ab4e1c67a2d28fced849ee1bb76e7391b93f125
- comment: This file belongs to Jena
- copyrightText: (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007,
- 2008, 2009 Hewlett-Packard Development Company, LP
- artifactOf:
- - name: "Jena"
- homePage: "http://www.openjena.org/"
- projectUri: "http://subversion.apache.org/doap.rdf"
- fileTypes:
- - fileType_archive
- SPDXID: SPDXRef-File1
- licenseComments: This license is used by Jena
- licenseConcluded: LicenseRef-1
- licenseInfoFromFiles:
- - LicenseRef-1
- name: Jenna-2.6.3/jena-2.6.3-sources.jar
- sha1: 3ab4e1c67a2d28fced849ee1bb76e7391b93f125
- - File:
- checksums:
- - algorithm: checksumAlgorithm_sha1
- checksumValue: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
- copyrightText: Copyright 2010, 2011 Source Auditor Inc.
- fileTypes:
- - fileType_source
- SPDXID: SPDXRef-File2
- licenseConcluded: Apache-2.0
- licenseInfoFromFiles:
- - Apache-2.0
- name: src/org/spdx/parser/DOAPProject.java
- sha1: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
licenseComments: The declared license information can be found in the NOTICE
file at the root of the archive file
licenseConcluded: (LicenseRef-3 AND LicenseRef-1 AND MPL-1.1 AND Apache-2.0
@@ -75,67 +41,69 @@ Document:
licenseDeclared: (MPL-1.1 AND LicenseRef-4 AND LicenseRef-2 AND LicenseRef-1
AND Apache-2.0 AND LicenseRef-3)
licenseInfoFromFiles:
- - Apache-2.0
- - MPL-1.1
- - LicenseRef-3
- - LicenseRef-1
- - LicenseRef-4
- - Apache-1.0
- - LicenseRef-2
+ - Apache-2.0
+ - MPL-1.1
+ - LicenseRef-3
+ - LicenseRef-1
+ - LicenseRef-4
+ - Apache-1.0
+ - LicenseRef-2
name: SPDX Translator
originator: 'Organization: SPDX'
packageFileName: spdxtranslator-1.0.zip
+ hasFiles:
+ - SPDXRef-File1
+ - SPDXRef-File2
packageVerificationCode:
packageVerificationCodeExcludedFiles:
- - SpdxTranslatorSpdx.txt
- - SpdxTranslatorSpdx.rdf
+ - SpdxTranslatorSpdx.txt
+ - SpdxTranslatorSpdx.rdf
packageVerificationCodeValue: 4e3211c67a2d28fced849ee1bb76e7391b93feba
- sha1: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
sourceInfo: Version 1.0 of the SPDX Translator application
summary: SPDX Translator utility
supplier: 'Organization: Linux Foundation'
versionInfo: Version 0.9.2
externalDocumentRefs:
- - checksum:
- algorithm: checksumAlgorithm_sha1
- checksumValue: d6a770ba38583ed4bb4525bd96e50461655d2759
- externalDocumentId: DocumentRef-spdx-tool-2.1
- spdxDocument: https://spdx.org/spdxdocs/spdx-tools-v2.1-3F2504E0-4F89-41D3-9A0C-0305E82C3301
+ - checksum:
+ algorithm: checksumAlgorithm_sha1
+ checksumValue: d6a770ba38583ed4bb4525bd96e50461655d2759
+ externalDocumentId: DocumentRef-spdx-tool-2.1
+ spdxDocument: https://spdx.org/spdxdocs/spdx-tools-v2.1-3F2504E0-4F89-41D3-9A0C-0305E82C3301
hasExtractedLicensingInfos:
- - comment: This is tye CyperNeko License
- extractedText: "The CyberNeko Software License, Version 1.0\n\n \n(C) Copyright\
- \ 2002-2005, Andy Clark. All rights reserved.\n \nRedistribution and use in\
+ - comment: This is tye CyperNeko License
+ extractedText: "The CyberNeko Software License, Version 1.0\n\n\n(C) Copyright\
+ \ 2002-2005, Andy Clark. All rights reserved.\n\nRedistribution and use in\
\ source and binary forms, with or without\nmodification, are permitted provided\
\ that the following conditions\nare met:\n\n1. Redistributions of source code\
\ must retain the above copyright\n notice, this list of conditions and the\
- \ following disclaimer. \n\n2. Redistributions in binary form must reproduce\
+ \ following disclaimer.\n\n2. Redistributions in binary form must reproduce\
\ the above copyright\n notice, this list of conditions and the following\
\ disclaimer in\n the documentation and/or other materials provided with the\n\
\ distribution.\n\n3. The end-user documentation included with the redistribution,\n\
- \ if any, must include the following acknowledgment: \n \"This product\
+ \ if any, must include the following acknowledgment:\n \"This product\
\ includes software developed by Andy Clark.\"\n Alternately, this acknowledgment\
\ may appear in the software itself,\n if and wherever such third-party acknowledgments\
\ normally appear.\n\n4. The names \"CyberNeko\" and \"NekoHTML\" must not be\
\ used to endorse\n or promote products derived from this software without\
- \ prior \n written permission. For written permission, please contact \n \
+ \ prior\n written permission. For written permission, please contact\n \
\ andyc@cyberneko.net.\n\n5. Products derived from this software may not be\
\ called \"CyberNeko\",\n nor may \"CyberNeko\" appear in their name, without\
\ prior written\n permission of the author.\n\nTHIS SOFTWARE IS PROVIDED ``AS\
\ IS'' AND ANY EXPRESSED OR IMPLIED\nWARRANTIES, INCLUDING, BUT NOT LIMITED\
\ TO, THE IMPLIED WARRANTIES\nOF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\
\ PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR OTHER CONTRIBUTORS\n\
- BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, \nOR CONSEQUENTIAL\
- \ DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT \nOF SUBSTITUTE GOODS\
- \ OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR \nBUSINESS INTERRUPTION) HOWEVER\
- \ CAUSED AND ON ANY THEORY OF LIABILITY, \nWHETHER IN CONTRACT, STRICT LIABILITY,\
- \ OR TORT (INCLUDING NEGLIGENCE \nOR OTHERWISE) ARISING IN ANY WAY OUT OF THE\
- \ USE OF THIS SOFTWARE, \nEVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE."
- licenseId: LicenseRef-3
- name: CyberNeko License
- seeAlso:
- - http://justasample.url.com
- - http://people.apache.org/~andyc/neko/LICENSE
- - extractedText: "/*\n * (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006,\
+ BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\nOR CONSEQUENTIAL\
+ \ DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\nOF SUBSTITUTE GOODS\
+ \ OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\nBUSINESS INTERRUPTION) HOWEVER\
+ \ CAUSED AND ON ANY THEORY OF LIABILITY,\nWHETHER IN CONTRACT, STRICT LIABILITY,\
+ \ OR TORT (INCLUDING NEGLIGENCE\nOR OTHERWISE) ARISING IN ANY WAY OUT OF THE\
+ \ USE OF THIS SOFTWARE,\nEVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE."
+ licenseId: LicenseRef-3
+ name: CyberNeko License
+ seeAlso:
+ - http://justasample.url.com
+ - http://people.apache.org/~andyc/neko/LICENSE
+ - extractedText: "/*\n * (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006,\
\ 2007, 2008, 2009 Hewlett-Packard Development Company, LP\n * All rights reserved.\n\
\ *\n * Redistribution and use in source and binary forms, with or without\n\
\ * modification, are permitted provided that the following conditions\n * are\
@@ -156,18 +124,18 @@ Document:
\ CONTRACT, STRICT LIABILITY, OR TORT\n * (INCLUDING NEGLIGENCE OR OTHERWISE)\
\ ARISING IN ANY WAY OUT OF THE USE OF\n * THIS SOFTWARE, EVEN IF ADVISED OF\
\ THE POSSIBILITY OF SUCH DAMAGE.\n */"
- licenseId: LicenseRef-1
- - extractedText: "This package includes the GRDDL parser developed by Hewlett Packard\
+ licenseId: LicenseRef-1
+ - extractedText: "This package includes the GRDDL parser developed by Hewlett Packard\
\ under the following license:\n\xA9 Copyright 2007 Hewlett-Packard Development\
\ Company, LP\n\nRedistribution and use in source and binary forms, with or\
\ without modification, are permitted provided that the following conditions\
- \ are met: \n\nRedistributions of source code must retain the above copyright\
- \ notice, this list of conditions and the following disclaimer. \nRedistributions\
+ \ are met:\n\nRedistributions of source code must retain the above copyright\
+ \ notice, this list of conditions and the following disclaimer.\nRedistributions\
\ in binary form must reproduce the above copyright notice, this list of conditions\
\ and the following disclaimer in the documentation and/or other materials provided\
- \ with the distribution. \nThe name of the author may not be used to endorse\
+ \ with the distribution.\nThe name of the author may not be used to endorse\
\ or promote products derived from this software without specific prior written\
- \ permission. \nTHIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS\
+ \ permission.\nTHIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS\
\ OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\
\ OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN\
\ NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\
@@ -177,8 +145,8 @@ Document:
\ IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)\
\ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE\
\ POSSIBILITY OF SUCH DAMAGE. "
- licenseId: LicenseRef-2
- - extractedText: "/*\n * (c) Copyright 2009 University of Bristol\n * All rights\
+ licenseId: LicenseRef-2
+ - extractedText: "/*\n * (c) Copyright 2009 University of Bristol\n * All rights\
\ reserved.\n *\n * Redistribution and use in source and binary forms, with\
\ or without\n * modification, are permitted provided that the following conditions\n\
\ * are met:\n * 1. Redistributions of source code must retain the above copyright\n\
@@ -198,40 +166,61 @@ Document:
\ CONTRACT, STRICT LIABILITY, OR TORT\n * (INCLUDING NEGLIGENCE OR OTHERWISE)\
\ ARISING IN ANY WAY OUT OF THE USE OF\n * THIS SOFTWARE, EVEN IF ADVISED OF\
\ THE POSSIBILITY OF SUCH DAMAGE.\n */ "
- licenseId: LicenseRef-4
+ licenseId: LicenseRef-4
SPDXID: SPDXRef-DOCUMENT
name: Sample_Document-V2.1
documentNamespace: https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301
- relationships:
- - spdxElementId: "SPDXRef-DOCUMENT"
- relatedSpdxElement: "SPDXRef-Package"
- relationshipType: "DESCRIBES"
- - spdxElementId: "SPDXRef-DOCUMENT"
- relatedSpdxElement: "SPDXRef-Package"
- relationshipType: "CONTAINS"
- - spdxElementId: "SPDXRef-DOCUMENT"
- relatedSpdxElement: "SPDXRef-File"
- relationshipType: "DESCRIBES"
reviewers:
- - comment: Another example reviewer.
- reviewDate: '2011-03-13T00:00:00Z'
- reviewer: 'Person: Suzanne Reviewer'
- - comment: This is just an example. Some of the non-standard licenses look like
- they are actually BSD 3 clause licenses
- reviewDate: '2010-02-10T00:00:00Z'
- reviewer: 'Person: Joe Reviewer'
+ - comment: Another example reviewer.
+ reviewDate: '2011-03-13T00:00:00Z'
+ reviewer: 'Person: Suzanne Reviewer'
+ - comment: This is just an example. Some of the non-standard licenses look like
+ they are actually BSD 3 clause licenses
+ reviewDate: '2010-02-10T00:00:00Z'
+ reviewer: 'Person: Joe Reviewer'
snippets:
- - comment: This snippet was identified as significant and highlighted in this Apache-2.0
- file, when a commercial scanner identified it as being derived from file foo.c
- in package xyz which is licensed under GPL-2.0-or-later.
- copyrightText: Copyright 2008-2010 John Smith
- fileId: SPDXRef-DoapSource
- SPDXID: SPDXRef-Snippet
- licenseComments: The concluded license was taken from package xyz, from which
- the snippet was copied into the current file. The concluded license information
- was found in the COPYING.txt file in package xyz.
- licenseConcluded: Apache-2.0
- licenseInfoFromSnippet:
- - Apache-2.0
- name: from linux kernel
+ - comment: This snippet was identified as significant and highlighted in this Apache-2.0
+ file, when a commercial scanner identified it as being derived from file foo.c
+ in package xyz which is licensed under GPL-2.0-or-later.
+ copyrightText: Copyright 2008-2010 John Smith
+ fileId: SPDXRef-DoapSource
+ SPDXID: SPDXRef-Snippet
+ licenseComments: The concluded license was taken from package xyz, from which
+ the snippet was copied into the current file. The concluded license information
+ was found in the COPYING.txt file in package xyz.
+ licenseConcluded: Apache-2.0
+ licenseInfoFromSnippet:
+ - Apache-2.0
+ name: from linux kernel
spdxVersion: SPDX-2.1
+ files:
+ - SPDXID: SPDXRef-File1
+ checksums:
+ - algorithm: checksumAlgorithm_sha1
+ checksumValue: 3ab4e1c67a2d28fced849ee1bb76e7391b93f125
+ comment: This file belongs to Jena
+ copyrightText: (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007,
+ 2008, 2009 Hewlett-Packard Development Company, LP
+ artifactOf:
+ - name: "Jena"
+ homePage: "http://www.openjena.org/"
+ projectUri: "http://subversion.apache.org/doap.rdf"
+ fileTypes:
+ - fileType_archive
+ licenseComments: This license is used by Jena
+ licenseConcluded: LicenseRef-1
+ licenseInfoInFiles:
+ - LicenseRef-1
+ fileName: Jenna-2.6.3/jena-2.6.3-sources.jar
+
+ - SPDXID: SPDXRef-File2
+ checksums:
+ - algorithm: checksumAlgorithm_sha1
+ checksumValue: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
+ copyrightText: Copyright 2010, 2011 Source Auditor Inc.
+ fileTypes:
+ - fileType_source
+ licenseConcluded: Apache-2.0
+ licenseInfoInFiles:
+ - Apache-2.0
+ fileName: src/org/spdx/parser/DOAPProject.java
diff --git a/tests/test_document.py b/tests/test_document.py
index f6518485b..0ffc7443a 100644
--- a/tests/test_document.py
+++ b/tests/test_document.py
@@ -22,6 +22,7 @@
from spdx.file import File
from spdx.package import Package
from spdx.parsers.loggers import ErrorMessages
+from spdx.relationship import Relationship
from spdx.utils import NoAssert
from spdx.version import Version
@@ -77,11 +78,11 @@ def test_document_validate_failures_returns_informative_messages(self):
'Sample_Document-V2.1', spdx_id='SPDXRef-DOCUMENT',
namespace='https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301')
pack = doc.package = Package('some/path', NoAssert())
- pack.check_sum = 'SOME-SHA1'
+ pack.checksum = 'SOME-SHA1'
file1 = File('./some/path/tofile')
file1.name = './some/path/tofile'
file1.spdx_id = 'SPDXRef-File'
- file1.chk_sum = Algorithm('SHA1', 'SOME-SHA1')
+ file1.chksum = Algorithm('SHA1', 'SOME-SHA1')
lic1 = License.from_identifier('LGPL-2.1-only')
file1.add_lics(lic1)
pack.add_lics_from_file(lic1)
@@ -119,7 +120,7 @@ def test_document_is_valid_when_using_or_later_licenses(self):
file1 = File('./some/path/tofile')
file1.name = './some/path/tofile'
file1.spdx_id = 'SPDXRef-File'
- file1.chk_sum = Algorithm('SHA1', 'SOME-SHA1')
+ file1.chksum = Algorithm('SHA1', 'SOME-SHA1')
file1.conc_lics = NoAssert()
file1.copyright = NoAssert()
@@ -172,14 +173,14 @@ def _get_lgpl_doc(self, or_later=False):
package.spdx_id = 'SPDXRef-Package'
package.cr_text = 'Some copyrught'
package.verif_code = 'SOME code'
- package.check_sum = Algorithm('SHA1', 'SOME-SHA1')
+ package.checksum = Algorithm('SHA1', 'SOME-SHA1')
package.license_declared = NoAssert()
package.conc_lics = NoAssert()
file1 = File('./some/path/tofile')
file1.name = './some/path/tofile'
file1.spdx_id = 'SPDXRef-File'
- file1.chk_sum = Algorithm('SHA1', 'SOME-SHA1')
+ file1.chksum = Algorithm('SHA1', 'SOME-SHA1')
file1.conc_lics = NoAssert()
file1.copyright = NoAssert()
@@ -191,6 +192,8 @@ def _get_lgpl_doc(self, or_later=False):
package.add_lics_from_file(lic1)
package.add_file(file1)
+ relationship = doc.spdx_id + " " + "DESCRIBES" + " " + package.spdx_id
+ doc.add_relationships(Relationship(relationship))
return doc
def _get_lgpl_multi_package_doc(self, or_later=False):
@@ -228,7 +231,7 @@ def _get_lgpl_multi_package_doc(self, or_later=False):
file1 = File('./some/path/tofile')
file1.name = './some/path/tofile'
file1.spdx_id = 'SPDXRef-File'
- file1.chk_sum = Algorithm('SHA1', 'SOME-SHA1')
+ file1.chksum = Algorithm('SHA1', 'SOME-SHA1')
file1.conc_lics = NoAssert()
file1.copyright = NoAssert()
@@ -246,6 +249,13 @@ def _get_lgpl_multi_package_doc(self, or_later=False):
doc.add_package(package2)
doc.add_package(package3)
+ relationship = doc.spdx_id + " " + "DESCRIBES" + " " + package1.spdx_id
+ doc.add_relationships(Relationship(relationship))
+ relationship = doc.spdx_id + " " + "DESCRIBES" + " " + package2.spdx_id
+ doc.add_relationships(Relationship(relationship))
+ relationship = doc.spdx_id + " " + "DESCRIBES" + " " + package3.spdx_id
+ doc.add_relationships(Relationship(relationship))
+
return doc
def test_write_document_rdf_with_validate(self):
diff --git a/tests/test_package.py b/tests/test_package.py
index c9076969e..0c8529734 100644
--- a/tests/test_package.py
+++ b/tests/test_package.py
@@ -24,7 +24,7 @@ def test_calc_verif_code(self):
def test_package_with_non_sha1_check_sum(self):
package = Package()
- package.check_sum = Algorithm("SHA256", '')
+ package.checksum = Algorithm("SHA256", '')
# Make sure that validation still works despite the checksum not being SHA1
messages = []
diff --git a/tests/test_parse_anything.py b/tests/test_parse_anything.py
index 7692e5744..7b8679081 100644
--- a/tests/test_parse_anything.py
+++ b/tests/test_parse_anything.py
@@ -16,7 +16,8 @@
dirname = os.path.join(os.path.dirname(__file__), "data", "formats")
-test_files = [os.path.join(dirname, fn) for fn in os.listdir(dirname)]
+test_files = [os.path.join(dirname, fn) for fn in os.listdir(dirname) if "2.2" not in fn]
+# exclude json2.2 file since spec-2.2 is not fully supported yet
@pytest.mark.parametrize("test_file", test_files)
diff --git a/tests/test_write_anything.py b/tests/test_write_anything.py
index b961abb38..3fbee2974 100644
--- a/tests/test_write_anything.py
+++ b/tests/test_write_anything.py
@@ -35,14 +35,16 @@
"SPDXRdfExample.rdf-yaml",
"SPDXRdfExample.rdf-xml",
"SPDXRdfExample.rdf-json",
- "SPDXRdfExample.rdf-tag"
+ "SPDXRdfExample.rdf-tag",
+ "SPDXJsonExample2.2.json-rdf",
+ "SPDXJsonExample2.2.json-tag",
}
@pytest.mark.parametrize("out_format", ['rdf', 'yaml', 'xml', 'json', 'tag'])
@pytest.mark.parametrize("in_file", test_files, ids=lambda x: os.path.basename(x))
def test_write_anything(in_file, out_format, tmpdir):
in_basename = os.path.basename(in_file)
- if in_basename == "SPDXSBOMExample.spdx.yml" or in_basename == "SPDXSBOMExample.tag":
+ if in_basename == "SPDXSBOMExample.spdx.yml" or in_basename == "SPDXSBOMExample.tag" or in_basename == "SPDXJsonExample2.2.json":
# conversion of spdx2.2 is not yet done
return
doc, error = parse_anything.parse_file(in_file)
@@ -56,7 +58,7 @@ def test_write_anything(in_file, out_format, tmpdir):
doc2, error2 = parse_anything.parse_file(out_fn)
result2 = utils_test.TestParserUtils.to_dict(doc2)
assert not error2
-
+
test = in_basename + "-" + out_format
if test not in UNSTABLE_CONVERSIONS:
assert result==result2
diff --git a/tests/utils_test.py b/tests/utils_test.py
index 8f79fb907..3d2c9630a 100644
--- a/tests/utils_test.py
+++ b/tests/utils_test.py
@@ -178,8 +178,8 @@ def load_and_clean_json(location):
content = l.read()
data = json.loads(content)
- if 'creationInfo' in data['Document']:
- del(data['Document']['creationInfo'])
+ if 'creationInfo' in data:
+ del(data['creationInfo'])
return sort_nested(data)
@@ -208,8 +208,8 @@ def load_and_clean_yaml(location):
content = l.read()
data = yaml.safe_load(content)
- if 'creationInfo' in data['Document']:
- del(data['Document']['creationInfo'])
+ if 'creationInfo' in data:
+ del(data['creationInfo'])
return sort_nested(data)
@@ -238,8 +238,8 @@ def load_and_clean_xml(location):
content = l.read()
data = xmltodict.parse(content, encoding='utf-8')
- if 'creationInfo' in data['SpdxDocument']['Document']:
- del(data['SpdxDocument']['Document']['creationInfo'])
+ if 'creationInfo' in data['Document']:
+ del(data['Document']['creationInfo'])
return sort_nested(data)
@@ -360,7 +360,7 @@ def package_to_dict(cls, package):
('licenseDeclared', cls.license_to_dict(package.license_declared)),
('copyrightText', package.cr_text),
('licenseComment', package.license_comment),
- ('checksum', cls.checksum_to_dict(package.check_sum)),
+ ('checksum', cls.checksum_to_dict(package.checksum)),
('files', cls.files_to_list(sorted(package.files))),
('licenseInfoFromFiles', [cls.license_to_dict(lic) for lic in lics_from_files]),
('verificationCode', OrderedDict([
@@ -377,19 +377,19 @@ def files_to_list(cls, files):
files_list = []
for file in files:
- lics_from_files = sorted(file.licenses_in_file, key=lambda lic: lic.identifier)
+ lics_in_files = sorted(file.licenses_in_file, key=lambda lic: lic.identifier)
contributors = sorted(file.contributors, key=lambda c: c.name)
file_dict = OrderedDict([
('id', file.spdx_id),
- ('name', file.name),
+ ('fileName', file.name),
('type', file.type),
('comment', file.comment),
('licenseConcluded', cls.license_to_dict(file.conc_lics)),
('copyrightText', file.copyright),
('licenseComment', file.license_comment),
('notice', file.notice),
- ('checksum', cls.checksum_to_dict(file.chk_sum)),
- ('licenseInfoFromFiles', [cls.license_to_dict(lic) for lic in lics_from_files]),
+ ('checksum', cls.checksum_to_dict(file.chksum)),
+ ('licenseInfoInFiles', [cls.license_to_dict(lic) for lic in lics_in_files]),
('contributors', [cls.entity_to_dict(contributor) for contributor in contributors]),
('dependencies', sorted(file.dependencies)),
('artifactOfProjectName', file.artifact_of_project_name),