System Package Data Exchange (SPDX®)
SPDX – Linux Foundation Projects Site
这是一种开放标准,能够以 SBOM(软件物料清单)和其他人工智能、数据和安全参考资料的形式表示带有软件组件的系统,支持一系列风险管理用例。
SPDX 规范是一项免费提供的国际开放标准(ISO/IEC 5692:2021)。
An open standard capable of representing systems with software components in as SBOMs (Software Bill of Materials) and other AI, data and security references supporting a range of risk management use cases.
The SPDX specification is a freely available international open standard (ISO/IEC 5692:2021).
Overview
SPDX 是一种开放标准,用于交流软件物料清单信息,包括出处、许可证、安全性和其他相关信息。SPDX 通过为组织和社区提供共享重要数据的通用格式,减少了冗余工作,从而简化并提高了合规性、安全性和可靠性。SPDX 规范被公认为是用于安全性、许可证合规性和其他软件供应链工件的国际开放标准 - ISO/IEC 5962:2021。
SPDX is an open standard for communicating software bill of material information, including provenance, license, security, and other related information. SPDX reduces redundant work by providing common formats for organizations and communities to share important data, thereby streamlining and improving compliance, security, and dependability. The SPDX specification is recognized as the international open standard for security, license compliance, and other software supply chain artifacts as ISO/IEC 5962:2021.
Our Mission
SPDX 的使命是开发和推广用于交流软件物料清单信息(包括出处、许可证、安全性和其他相关信息)的开放标准。
The mission of SPDX is to develop and promote open standards for communicating software bill of material information, including provenance, license, security, and other related information.
Our Vision
SPDX 的愿景是通过为组织和社区提供共享重要数据的通用格式来减少冗余工作,从而简化和提高合规性、安全性和可靠性。
The vision of SPDX is to reduce redundant work by providing common formats for organizations and communities to share important data, thereby streamlining and improving compliance, security, and dependability.
About
SPDX 是 Linux 基金会主办的一个开放源代码项目。该基层项目包括来自不同组织的代表--软件、系统和工具供应商、基金会和系统集成商。工作由三个小组完成:技术小组、法律小组和外联小组。此外,每月还举行一次电话会议,概述整个项目的进展情况。有关参与的更多信息,请参阅 "参与 "页面。
SPDX 项目由以下部分组成
-
SPDX 规范本身
-
SPDX 许可证列表(包括例外情况、匹配指南、许可证 ID 和许可证表达式语法)
-
用于处理 SPDX 文档和 SPDX 许可列表的 SPDX 工具和库
SPDX is an open source project hosted by the Linux Foundation. The grass-roots effort includes representatives from a diverse set of organizations—software, systems and tool vendors, foundations and systems integrators. Work is done by three sub-groups: the tech team, the legal team, and the outreach team. There is also a monthly general call which provides an overview of progress on the entire project. For more information about getting involved, see the Participate page.
The SPDX project is composed of:
-
The SPDX Specification itself
-
The SPDX License List (including exceptions, matching guidelines, license IDs, and license expression syntax)
-
SPDX tools and libraries for working with the SPDX documents and SPDX License List
Guiding Principles
-
SPDX 以机器可读和人类可读的格式表示数据。
-
SPDX 侧重于收集和交流事实,并提供一个框架来对这些事实作出断言。
-
SPDX 不做任何法律解释(关于许可证或许可证合规性)。
-
SPDX 促进了供应链中元数据的有效交换
-
SPDX represents data in formats that are both machine- and human-readable.
-
SPDX focuses on collecting and communicating facts; and provides a framework to make assertions about those facts.
-
SPDX makes no legal interpretations (of licenses or license compliance).
-
SPDX facilitates the efficient exchange of metadata in the supply chain
Governance Model
SPDX 治理模式的完整描述和文件可在 SPDX 治理库中获取,网址为 GitHub - spdx/governance: SPDX Governance, based on Community Specification model。
The SPDX Governance model is described in full and documentation is available in the SPDX governance repository at https://github.com/spdx/governance.
SPDX Continuously Improves
2010/02 - Linux 基金会下的 FOSSBazaar 工作组开始起草规范,该工作组后来被称为 "SPDX",最初被称为 "Package Facts"。
2010/08 - "SPDX "宣布成为 Linux 基金会开放合规计划的支柱之一。
2011/08 - SPDX 1.0 规范处理软件包。
......
2024/04 - SPDX 3.0.0 发布
2010/02 — specification drafting began in a work-group of FOSSBazaar under Linux Foundation that came to be called “SPDX,” was originally referred to as Package Facts.
2010/08 — “SPDX” announced as one of the pillars of the Linux Foundation’s Open Compliance Program.
2011/08 — SPDX 1.0 specification handles packages.
......
2024/04 — SPDX 3.0.0 released
What is SPDX?
软件包数据交换 (SPDX) 是一种开放标准(或格式),用于交流软件物料清单 (SBOM) 信息,包括组件、许可证、版权和安全参考。使用标准化格式来展示这些信息可确保不同行业和公司的信息保持一致,这有助于减少重新格式化的工作量,使信息共享更容易,并简化合规活动。
Software Package Data Exchange (SPDX) is an open standard (or format) for communicating software Bill of Materials (SBOM) information including components, licenses, copyrights, and security references. Using a standardized format for presenting this information ensures that it is consistent across industries and companies, which helps reduce reformatting efforts, makes it easier to share information, and streamlines compliance activities.
How does SPDX work?
公司采用 SPDX 来无缝交流与其软件包相关的组件、许可证和版权数据。通过使用标准化的机器可读格式,软件 "成分 "信息的提供和接收都变得非常简单。
Companies adopt SPDX to seamlessly communicate data about the components, licenses, and copyrights associated with their software packages. Giving and receiving information about software “ingredients” is made simple by the use of a standardized and machine-readable format.
Who uses SPDX?
任何人都可以使用它。目前,无论是开源项目还是创建商业软件的组织,对它的采用都在不断增加。随着拜登总统去年颁布的行政命令提高了供应链安全标准,其采用率也持续上升。SPDX 对构建软件或运营企业软件的组织特别有用。
Anyone can use it. Currently, its adoption is growing with both open source projects and organizations creating commercial software. With the increased standards around supply chain security resulting from President Biden’s executive order last year, adoption has continued to increase. SPDX is particularly useful for organizations that build software or operate enterprise software.
What are the benefits of using SPDX?
SPDX 包含可识别软件包、软件包级别以及文件级别许可和版权数据的信息。它还显示文件的创建者、创建时间和创建方式。这些信息对于安全和许可证合规活动和要求至关重要。标准格式化还能更容易地选择标准化工具,从而提高安全流程的效率。
SPDX includes information that identifies the software package, the package level, and the file level licensing and copyright data. It also shows who created the file, and when and how. This information is critical for security and license compliance activities and requirements. Standard formatting also makes it easier to select standardized tooling, which makes security processes more efficient.
Why is SPDX important?
SPDX 解决了 EO 14028 中有关软件物料清单的要求。它提供了一种特定的文件格式,可识别大型软件中的软件组件以及与其组件相关的许可证。
更广泛地说,SPDX 还有助于解决常见的难题。
* SPDX 解决了在使用从供应商处获得的软件和二进制文件时可能出现的许可问题。
* SPDX 消除了创建定制 SBOM 的需要。有了标准化的格式,每个人都能创建一致的文档,因此无需花费时间和精力重新制定格式。
* SPDX 无需为软件供应商和消费者定义和创建 SBOM 格式,从而释放了资源和带宽。
SPDX resolves requirements in EO 14028 pertaining to a software Bill of Materials. It provides a specific file format that identifies the software components within larger pieces of software and the licenses associated with their components.
More generally, SPDX also helps resolve common challenges.
* SPDX addresses the licensing complications that can arise from the use of software and binaries received from suppliers.
* SPDX eliminates the need to create customized SBOMs. With a standardized format, everyone creates consistent documents, so there’s no need to spend time and effort reformatting.
* SPDX removes the need to define and create SBOM formats for both suppliers and consumers of software, freeing up resources and bandwidth.
SPDX(System Package Data Exchange)格式是一种用于描述软件组件(如源代码)的规范,它提供了一种标准化的方法来描述软件组件的元数据,包括其许可证、依赖项和其他属性。SPDX最初由Linux基金会于2010年发起,是一个跨行业的合作项目,旨在促进软件供应链的透明度和合规性。本文将介绍SPDX格式的背景、应用现状及主要内容。
1. 背景
SPDX(System Package Data Exchange)格式的诞生源于对软件许可证的标准化和管理的需求。在开源和共享软件开发环境中,许可证是一个重要的元素,它规定了软件的使用和修改限制。然而,不同的开源项目可能使用不同的许可证,这导致了许可证管理的问题。为了解决这个问题,SPDX 格式应运而生,它提供了一种标准化的方法来描述软件许可证以及其他元数据,如版本控制信息、依赖项等。
2. 应用现状
SPDX格式在开源和共享软件开发环境中得到了广泛的应用。许多开源项目使用SPDX格式来描述其软件组件的许可证和其他元数据。SPDX格式还被用于自动化工具中,如代码审查工具、许可证管理工具和版本控制工具,这些工具可以自动解析SPDX描述文档,从而提高了工作效率和准确性。
SPDX规范被公认为安全性、许可证合规性和其他软件供应链工件的国际开放标准,如ISO/IEC 5962:2021。
SPDX格式还被应用于教育领域。一些教育机构和开源组织将SPDX格式用于教育目的,为学生提供关于软件许可证管理和软件组件元数据的知识。通过使用SPDX格式,学生可以更好地理解开源软件的世界,并学会如何使用标准化的方法来描述和管理软件组件。
3. 版本发展历史
2023/05:发布了新的安全、构建、数据和人工智能配置文件的 SPDX 3.0-rc1。
2022/08:发布SPDX 2.3,以提高与其他格式的互操作性。
2015/05:SPDX 2.0 规范增加了处理多个包、包和文件之间的关系以及注释的能力。
2013/10:SPDX 1.2 规范–改进了与许可证列表的交互,增加了用于记录项目信息的字段。
2011/08:SPDX 1.0 规范处理封装。
2010/02:规范起草工作开始于Linux基金会下属的 FOSSBazaar 工作组,该工作组后来被称为“SPDX”,最初被称为Package Facts。
4. 主要内容
在SPDX格式中,每个元素都有其特定的标签和结构,以便于自动解析和解析。此外,SPDX格式还提供了一种标准化的方法来组织这些元素,使其易于理解和使用。
SPDX格式的主要内容包括许可证、版本控制、依赖项和其他元数据:
软件包信息:记录软件包的基本信息,如名称、版本号、描述等。
许可证信息:详细描述软件包使用的许可证类型及相关要求。这有助于组织遵守不同许可证的规定,确保合规性。
文件级别信息:列出软件包中每个文件的信息,包括文件名、路径、大小等。这有助于识别和跟踪软件组件,管理依赖关系。
依赖关系:记录软件包与其他软件包之间的依赖关系,包括版本要求、兼容性等。这有助于评估软件包的稳定性和安全性。
补丁信息:记录软件包中的补丁信息,包括修复的漏洞、安全更新等。这有助于了解软件包的安全状况。
元数据:包括创建SPDX文档的时间、作者信息等元数据,有助于跟踪和管理SPDX文档的来源和历史。
其他元数据:SPDX格式还包含其他元数据,如许可协议、版权声明、技术规范和文档链接等。
SPDX JSON 格式完整样例:
{
"SPDXID" : "SPDXRef-DOCUMENT",
"spdxVersion" : "SPDX-2.3",
"creationInfo" : {
"comment" : "This package has been shipped in source and binary form.\nThe binaries were created with gcc 4.5.1 and expect to link to\ncompatible system run time libraries.",
"created" : "2010-01-29T18:30:22Z",
"creators" : [ "Tool: LicenseFind-1.0", "Organization: ExampleCodeInspect ()", "Person: Jane Doe ()" ],
"licenseListVersion" : "3.17"
},
"name" : "SPDX-Tools-v2.0",
"dataLicense" : "CC0-1.0",
"comment" : "This document was created using SPDX 2.0 using licenses from the web site.",
"externalDocumentRefs" : [ {
"externalDocumentId" : "DocumentRef-spdx-tool-1.2",
"checksum" : {
"algorithm" : "SHA1",
"checksumValue" : "d6a770ba38583ed4bb4525bd96e50461655d2759"
},
"spdxDocument" : "http://spdx.org/spdxdocs/spdx-tools-v1.2-3F2504E0-4F89-41D3-9A0C-0305E82C3301"
} ],
"hasExtractedLicensingInfos" : [ {
"licenseId" : "LicenseRef-1",
"extractedText" : "/*\n * (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP\n * All rights reserved.\n *\n * Redistribution and use in source and binary forms, with or without\n * modification, are permitted provided that the following conditions\n * are met:\n * 1. Redistributions of source code must retain the above copyright\n * notice, this list of conditions and the following disclaimer.\n * 2. Redistributions in binary form must reproduce the above copyright\n * notice, this list of conditions and the following disclaimer in the\n * documentation and/or other materials provided with the distribution.\n * 3. The name of the author may not be used to endorse or promote products\n * derived from this software without specific prior written permission.\n *\n * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR\n * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\n * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.\n * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,\n * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT\n * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\n * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\n * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF\n * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n*/"
}, {
"licenseId" : "LicenseRef-2",
"extractedText" : "This package includes the GRDDL parser developed by Hewlett Packard under the following license:\n© Copyright 2007 Hewlett-Packard Development Company, LP\n\nRedistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: \n\nRedistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. \nRedistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. \nThe name of the author may not be used to endorse or promote products derived from this software without specific prior written permission. \nTHIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE."
}, {
"licenseId" : "LicenseRef-4",
"extractedText" : "/*\n * (c) Copyright 2009 University of Bristol\n * All rights reserved.\n *\n * Redistribution and use in source and binary forms, with or without\n * modification, are permitted provided that the following conditions\n * are met:\n * 1. Redistributions of source code must retain the above copyright\n * notice, this list of conditions and the following disclaimer.\n * 2. Redistributions in binary form must reproduce the above copyright\n * notice, this list of conditions and the following disclaimer in the\n * documentation and/or other materials provided with the distribution.\n * 3. The name of the author may not be used to endorse or promote products\n * derived from this software without specific prior written permission.\n *\n * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR\n * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\n * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.\n * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,\n * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT\n * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\n * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\n * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF\n * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n*/"
}, {
"licenseId" : "LicenseRef-Beerware-4.2",
"comment" : "The beerware license has a couple of other standard variants.",
"extractedText" : "\"THE BEER-WARE LICENSE\" (Revision 42):\nphk@FreeBSD.ORG wrote this file. As long as you retain this notice you\ncan do whatever you want with this stuff. If we meet some day, and you think this stuff is worth it, you can buy me a beer in return Poul-Henning Kamp",
"name" : "Beer-Ware License (Version 42)",
"seeAlsos" : [ "http://people.freebsd.org/~phk/" ]
}, {
"licenseId" : "LicenseRef-3",
"comment" : "This is tye CyperNeko License",
"extractedText" : "The CyberNeko Software License, Version 1.0\n\n \n(C) Copyright 2002-2005, Andy Clark. All rights reserved.\n \nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions\nare met:\n\n1. Redistributions of source code must retain the above copyright\n notice, this list of conditions and the following disclaimer. \n\n2. Redistributions in binary form must reproduce the above copyright\n notice, this list of conditions and the following disclaimer in\n the documentation and/or other materials provided with the\n distribution.\n\n3. The end-user documentation included with the redistribution,\n if any, must include the following acknowledgment: \n \"This product includes software developed by Andy Clark.\"\n Alternately, this acknowledgment may appear in the software itself,\n if and wherever such third-party acknowledgments normally appear.\n\n4. The names \"CyberNeko\" and \"NekoHTML\" must not be used to endorse\n or promote products derived from this software without prior \n written permission. For written permission, please contact \n andyc@cyberneko.net.\n\n5. Products derived from this software may not be called \"CyberNeko\",\n nor may \"CyberNeko\" appear in their name, without prior written\n permission of the author.\n\nTHIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED\nWARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\nOF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR OTHER CONTRIBUTORS\nBE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, \nOR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT \nOF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR \nBUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, \nWHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE \nOR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, \nEVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.",
"name" : "CyberNeko License",
"seeAlsos" : [ "http://people.apache.org/~andyc/neko/LICENSE", "http://justasample.url.com" ]
} ],
"annotations" : [ {
"annotationDate" : "2010-01-29T18:30:22Z",
"annotationType" : "OTHER",
"annotator" : "Person: Jane Doe ()",
"comment" : "Document level annotation"
}, {
"annotationDate" : "2010-02-10T00:00:00Z",
"annotationType" : "REVIEW",
"annotator" : "Person: Joe Reviewer",
"comment" : "This is just an example. Some of the non-standard licenses look like they are actually BSD 3 clause licenses"
}, {
"annotationDate" : "2011-03-13T00:00:00Z",
"annotationType" : "REVIEW",
"annotator" : "Person: Suzanne Reviewer",
"comment" : "Another example reviewer."
} ],
"documentDescribes" : [ "SPDXRef-File", "SPDXRef-Package" ],
"documentNamespace" : "http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301",
"packages" : [ {
"SPDXID" : "SPDXRef-Package",
"annotations" : [ {
"annotationDate" : "2011-01-29T18:30:22Z",
"annotationType" : "OTHER",
"annotator" : "Person: Package Commenter",
"comment" : "Package level annotation"
} ],
"attributionTexts" : [ "The GNU C Library is free software. See the file COPYING.LIB for copying conditions, and LICENSES for notices about a few contributions that require these additional notices to be distributed. License copyright years may be listed using range notation, e.g., 1996-2015, indicating that every year in the range, inclusive, is a copyrightable year that would otherwise be listed individually." ],
"builtDate" : "2011-01-29T18:30:22Z",
"checksums" : [ {
"algorithm" : "MD5",
"checksumValue" : "624c1abb3664f4b35547e7c73864ad24"
}, {
"algorithm" : "SHA1",
"checksumValue" : "85ed0817af83a24ad8da68c2b5094de69833983c"
}, {
"algorithm" : "SHA256",
"checksumValue" : "11b6d3ee554eedf79299905a98f9b9a04e498210b59f15094c916c91d150efcd"
}, {
"algorithm" : "BLAKE2b-384",
"checksumValue" : "aaabd89c926ab525c242e6621f2f5fa73aa4afe3d9e24aed727faaadd6af38b620bdb623dd2b4788b1c8086984af8706"
} ],
"copyrightText" : "Copyright 2008-2010 John Smith",
"description" : "The GNU C Library defines functions that are specified by the ISO C standard, as well as additional features specific to POSIX and other derivatives of the Unix operating system, and extensions specific to GNU systems.",
"downloadLocation" : "http://ftp.gnu.org/gnu/glibc/glibc-ports-2.15.tar.gz",
"externalRefs" : [ {
"referenceCategory" : "SECURITY",
"referenceLocator" : "cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:*",
"referenceType" : "cpe23Type"
}, {
"comment" : "This is the external ref for Acme",
"referenceCategory" : "OTHER",
"referenceLocator" : "acmecorp/acmenator/4.1.3-alpha",
"referenceType" : "http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301#LocationRef-acmeforge"
} ],
"filesAnalyzed" : true,
"homepage" : "http://ftp.gnu.org/gnu/glibc",
"licenseComments" : "The license for this project changed with the release of version x.y. The version of the project included here post-dates the license change.",
"licenseConcluded" : "(LGPL-2.0-only OR LicenseRef-3)",
"licenseDeclared" : "(LGPL-2.0-only AND LicenseRef-3)",
"licenseInfoFromFiles" : [ "GPL-2.0-only", "LicenseRef-2", "LicenseRef-1" ],
"name" : "glibc",
"originator" : "Organization: ExampleCodeInspect (contact@example.com)",
"packageFileName" : "glibc-2.11.1.tar.gz",
"packageVerificationCode" : {
"packageVerificationCodeExcludedFiles" : [ "./package.spdx" ],
"packageVerificationCodeValue" : "d6a770ba38583ed4bb4525bd96e50461655d2758"
},
"primaryPackagePurpose" : "SOURCE",
"hasFiles" : [ "SPDXRef-Specification", "SPDXRef-Specification", "SPDXRef-CommonsLangSrc", "SPDXRef-Specification", "SPDXRef-CommonsLangSrc", "SPDXRef-JenaLib", "SPDXRef-Specification", "SPDXRef-CommonsLangSrc", "SPDXRef-JenaLib", "SPDXRef-DoapSource", "SPDXRef-Specification", "SPDXRef-CommonsLangSrc", "SPDXRef-JenaLib", "SPDXRef-DoapSource" ],
"releaseDate" : "2012-01-29T18:30:22Z",
"sourceInfo" : "uses glibc-2_11-branch from git://sourceware.org/git/glibc.git.",
"summary" : "GNU C library.",
"supplier" : "Person: Jane Doe (jane.doe@example.com)",
"validUntilDate" : "2014-01-29T18:30:22Z",
"versionInfo" : "2.11.1"
}, {
"SPDXID" : "SPDXRef-fromDoap-1",
"copyrightText" : "NOASSERTION",
"downloadLocation" : "NOASSERTION",
"filesAnalyzed" : false,
"homepage" : "http://commons.apache.org/proper/commons-lang/",
"licenseConcluded" : "NOASSERTION",
"licenseDeclared" : "NOASSERTION",
"name" : "Apache Commons Lang"
}, {
"SPDXID" : "SPDXRef-fromDoap-0",
"downloadLocation" : "https://search.maven.org/remotecontent?filepath=org/apache/jena/apache-jena/3.12.0/apache-jena-3.12.0.tar.gz",
"externalRefs" : [ {
"referenceCategory" : "PACKAGE-MANAGER",
"referenceLocator" : "pkg:maven/org.apache.jena/apache-jena@3.12.0",
"referenceType" : "purl"
} ],
"filesAnalyzed" : false,
"homepage" : "http://www.openjena.org/",
"name" : "Jena",
"versionInfo" : "3.12.0"
}, {
"SPDXID" : "SPDXRef-Saxon",
"checksums" : [ {
"algorithm" : "SHA1",
"checksumValue" : "85ed0817af83a24ad8da68c2b5094de69833983c"
} ],
"copyrightText" : "Copyright Saxonica Ltd",
"description" : "The Saxon package is a collection of tools for processing XML documents.",
"downloadLocation" : "https://sourceforge.net/projects/saxon/files/Saxon-B/8.8.0.7/saxonb8-8-0-7j.zip/download",
"filesAnalyzed" : false,
"homepage" : "http://saxon.sourceforge.net/",
"licenseComments" : "Other versions available for a commercial license",
"licenseConcluded" : "MPL-1.0",
"licenseDeclared" : "MPL-1.0",
"name" : "Saxon",
"packageFileName" : "saxonB-8.8.zip",
"versionInfo" : "8.8"
} ],
"files" : [ {
"SPDXID" : "SPDXRef-DoapSource",
"checksums" : [ {
"algorithm" : "SHA1",
"checksumValue" : "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12"
} ],
"copyrightText" : "Copyright 2010, 2011 Source Auditor Inc.",
"fileContributors" : [ "Protecode Inc.", "SPDX Technical Team Members", "Open Logic Inc.", "Source Auditor Inc.", "Black Duck Software In.c" ],
"fileName" : "./src/org/spdx/parser/DOAPProject.java",
"fileTypes" : [ "SOURCE" ],
"licenseConcluded" : "Apache-2.0",
"licenseInfoInFiles" : [ "Apache-2.0" ]
}, {
"SPDXID" : "SPDXRef-CommonsLangSrc",
"checksums" : [ {
"algorithm" : "SHA1",
"checksumValue" : "c2b4e1c67a2d28fced849ee1bb76e7391b93f125"
} ],
"comment" : "This file is used by Jena",
"copyrightText" : "Copyright 2001-2011 The Apache Software Foundation",
"fileContributors" : [ "Apache Software Foundation" ],
"fileName" : "./lib-source/commons-lang3-3.1-sources.jar",
"fileTypes" : [ "ARCHIVE" ],
"licenseConcluded" : "Apache-2.0",
"licenseInfoInFiles" : [ "Apache-2.0" ],
"noticeText" : "Apache Commons Lang\nCopyright 2001-2011 The Apache Software Foundation\n\nThis product includes software developed by\nThe Apache Software Foundation (http://www.apache.org/).\n\nThis product includes software from the Spring Framework,\nunder the Apache License 2.0 (see: StringUtils.containsWhitespace())"
}, {
"SPDXID" : "SPDXRef-JenaLib",
"checksums" : [ {
"algorithm" : "SHA1",
"checksumValue" : "3ab4e1c67a2d28fced849ee1bb76e7391b93f125"
} ],
"comment" : "This file belongs to Jena",
"copyrightText" : "(c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP",
"fileContributors" : [ "Apache Software Foundation", "Hewlett Packard Inc." ],
"fileName" : "./lib-source/jena-2.6.3-sources.jar",
"fileTypes" : [ "ARCHIVE" ],
"licenseComments" : "This license is used by Jena",
"licenseConcluded" : "LicenseRef-1",
"licenseInfoInFiles" : [ "LicenseRef-1" ]
}, {
"SPDXID" : "SPDXRef-Specification",
"checksums" : [ {
"algorithm" : "SHA1",
"checksumValue" : "fff4e1c67a2d28fced849ee1bb76e7391b93f125"
} ],
"comment" : "Specification Documentation",
"fileName" : "./docs/myspec.pdf",
"fileTypes" : [ "DOCUMENTATION" ]
}, {
"SPDXID" : "SPDXRef-File",
"annotations" : [ {
"annotationDate" : "2011-01-29T18:30:22Z",
"annotationType" : "OTHER",
"annotator" : "Person: File Commenter",
"comment" : "File level annotation"
} ],
"checksums" : [ {
"algorithm" : "SHA1",
"checksumValue" : "d6a770ba38583ed4bb4525bd96e50461655d2758"
}, {
"algorithm" : "MD5",
"checksumValue" : "624c1abb3664f4b35547e7c73864ad24"
} ],
"comment" : "The concluded license was taken from the package level that the file was included in.\nThis information was found in the COPYING.txt file in the xyz directory.",
"copyrightText" : "Copyright 2008-2010 John Smith",
"fileContributors" : [ "The Regents of the University of California", "Modified by Paul Mundt lethal@linux-sh.org", "IBM Corporation" ],
"fileName" : "./package/foo.c",
"fileTypes" : [ "SOURCE" ],
"licenseComments" : "The concluded license was taken from the package level that the file was included in.",
"licenseConcluded" : "(LGPL-2.0-only OR LicenseRef-2)",
"licenseInfoInFiles" : [ "GPL-2.0-only", "LicenseRef-2" ],
"noticeText" : "Copyright (c) 2001 Aaron Lehmann aaroni@vitelus.com\n\nPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: \nThe above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE."
} ],
"snippets" : [ {
"SPDXID" : "SPDXRef-Snippet",
"comment" : "This snippet was identified as significant and highlighted in this Apache-2.0 file, when a commercial scanner identified it as being derived from file foo.c in package xyz which is licensed under GPL-2.0.",
"copyrightText" : "Copyright 2008-2010 John Smith",
"licenseComments" : "The concluded license was taken from package xyz, from which the snippet was copied into the current file. The concluded license information was found in the COPYING.txt file in package xyz.",
"licenseConcluded" : "GPL-2.0-only",
"licenseInfoInSnippets" : [ "GPL-2.0-only" ],
"name" : "from linux kernel",
"ranges" : [ {
"endPointer" : {
"offset" : 420,
"reference" : "SPDXRef-DoapSource"
},
"startPointer" : {
"offset" : 310,
"reference" : "SPDXRef-DoapSource"
}
}, {
"endPointer" : {
"lineNumber" : 23,
"reference" : "SPDXRef-DoapSource"
},
"startPointer" : {
"lineNumber" : 5,
"reference" : "SPDXRef-DoapSource"
}
} ],
"snippetFromFile" : "SPDXRef-DoapSource"
} ],
"relationships" : [ {
"spdxElementId" : "SPDXRef-DOCUMENT",
"relationshipType" : "CONTAINS",
"relatedSpdxElement" : "SPDXRef-Package"
}, {
"spdxElementId" : "SPDXRef-DOCUMENT",
"relationshipType" : "COPY_OF",
"relatedSpdxElement" : "DocumentRef-spdx-tool-1.2:SPDXRef-ToolsElement"
}, {
"spdxElementId" : "SPDXRef-Package",
"relationshipType" : "DYNAMIC_LINK",
"relatedSpdxElement" : "SPDXRef-Saxon"
}, {
"spdxElementId" : "SPDXRef-CommonsLangSrc",
"relationshipType" : "GENERATED_FROM",
"relatedSpdxElement" : "NOASSERTION"
}, {
"spdxElementId" : "SPDXRef-JenaLib",
"relationshipType" : "CONTAINS",
"relatedSpdxElement" : "SPDXRef-Package"
}, {
"spdxElementId" : "SPDXRef-Specification",
"relationshipType" : "SPECIFICATION_FOR",
"relatedSpdxElement" : "SPDXRef-fromDoap-0"
}, {
"spdxElementId" : "SPDXRef-File",
"relationshipType" : "GENERATED_FROM",
"relatedSpdxElement" : "SPDXRef-fromDoap-0"
} ]
}
5. 辅助工具
SPDX 官方提供了一些辅助工具,包含在线工具、开源工具及商用工具,可以提供 SPDX 格式文档的校验、转换、对比、生成及解析等功能。
6. 总结
SPDX格式是一种用于描述软件组件的规范,提供了一种标准化的方法来描述软件组件的元数据,包括其许可证、依赖项和其他属性。随着开源和共享软件开发环境的普及,SPDX格式得到了广泛的应用。
通过SPDX格式,组织可以更好地了解和管理软件供应链,降低合规风险,提高软件质量,加强安全性。SPDX作为一个开放的标准格式,为软件行业的合作和创新提供了重要的基础。
7. 资料
[1] SPDX – Linux Foundation Projects Site
[2] SPDXJSONExample-v2.3.spdx.json
SPDX(软件包数据交换,Software Package Data Exchange)是一个标准化的格式,用于记录和交换软件组件的许可信息。SPDX项目由Linux基金会主导,旨在帮助开发人员、法律专业人士和组织更容易地识别、追踪软件包的许可信息,并确保符合许可要求。
SPDX的主要内容
1. 标准化标识符:SPDX许可列表(SPDX License List)中的每个许可都有一个唯一的标识符(例如,MIT、GPL-2.0-only)。这种标准化有助于避免因许可名称的不同变体而引起的歧义和混淆。
2. 机器可读格式:SPDX规范允许将许可信息表示为机器可读的格式,从而便于自动化工具进行分析和验证许可合规性。
3. 全面的列表:SPDX许可列表包括各种常见的开源许可,从广泛使用的许可到一些较少见的许可,确保能够覆盖各种软件组件的许可需求。
4. 元数据和字段:SPDX规范包括详细的字段,用于捕捉许可信息的各个方面,如许可名称、版本、URL和文本,以及可选的元数据,如版权持有者、日期等。
SPDX许可标识符的使用示例
在源代码文件的顶部,你可能会看到一个SPDX许可标识符,表明该文件的许可类型。例如:
/* SPDX-License-Identifier: MIT */
这行代码表示该文件是根据MIT许可证分发的。
使用SPDX的好处
1. 清晰和一致性:使用标准化标识符减少了歧义,确保在不同项目和组织之间一致地表示许可信息。
2. 自动化:机器可读的格式允许开发自动化工具,这些工具可以自动扫描代码库,识别和验证许可信息,从而简化合规审计并减少手动工作量。
3. 透明度:清晰且标准化的许可信息帮助用户了解与软件组件相关的许可条款和义务。
结论
SPDX许可列表和规范是管理和传达软件许可信息的宝贵工具,以标准化和明确的方式。通过使用SPDX标识符,开发人员和组织可以改进许可合规流程的清晰度、一致性和自动化。
参考:
What Is SPDX and How Does It Work? | Synopsys
「 网络安全常用术语解读 」SBOM主流格式SPDX详解-CSDN博客
1316
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
